Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Deploy ALZ custom policies when using deploy_core_landing_zones #1066

Open samrobillard opened 1 month ago

samrobillard commented 1 month ago

Versions

terraform: 1.9.2

azure provider: 3.114

module: 6.0.0

Description

Describe the bug

I'm trying to deploy a custom management group hierarchy similar to es-lite. The Terraform plan gives those 2 errors:

Error: reading Policy Set Definition "Enforce-EncryptTransit_20240509": policy.SetDefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Enforce-EncryptTransit_20240509' could not be found."

Error: reading Policy Set Definition "Deploy-AUM-CheckUpdates": policy.SetDefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-AUM-CheckUpdates' could not be found."

Steps to Reproduce

main.tf

module "enterprise_scale" {
  source     = "Azure/caf-enterprise-scale/azurerm"
  version    = "6.0.0"

  default_location          = local.default_location
  deploy_core_landing_zones = false
  root_parent_id            = data.azurerm_client_config.core.tenant_id
  root_id                   = local.alz_root_id
  root_name                 = local.alz_root_name

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  archetype_config_overrides = {
    landing-zones = {
      archetype_id = "es_landing_zones"
      parameters = {
        Audit-AppGW-WAF = {
          effect = "Disabled"
        }
        Deny-IP-forwarding = {
          effect = "Audit"
        }
        Deny-MgmtPorts-Internet = {
          effect = "Audit"
        }
        Deploy-AzSqlDb-Auditing = {
          effect = "Audit"
        }
        Deploy-MDFC-DefSQL-AMA = {
          userWorkspaceResourceId = ""
        }
        Deploy-VM-Backup = {
          effect = "Disabled"
        }
        Deploy-VM-ChangeTrack = {
          effect = "Disabled"
        }
        Deploy-VM-Monitoring = {
          effect = "Audit"
        }
        Deploy-vmArc-ChangeTrack = {
          effect = "Disabled"
        }
        Deploy-vmHybr-Monitoring = {
          effect = "Disabled"
        }
        Deploy-VMSS-ChangeTrack = {
          effect = "Disabled"
        }
        Deploy-VMSS-Monitoring = {
          effect = "Audit"
        }
        Enable-DDoS-VNET = {
          effect = "Disabled"
        }
        Enforce-AKS-HTTPS = {
          effect = "Disabled"
        }
      }
      access_control = {}
    }
    platform = {
      archetype_id = "es_platform"
      parameters = {
        Deploy-VM-Backup = {
          effect = "Disabled"
        }
        Deploy-VM-ChangeTrack = {
          effect = "Disabled"
        }
        Deploy-VM-Monitoring = {
          effect = "Audit"
        }
        Deploy-vmArc-ChangeTrack = {
          effect = "Disabled"
        }
        Deploy-vmHybr-Monitoring = {
          effect = "Disabled"
        }
        Deploy-VMSS-ChangeTrack = {
          effect = "Disabled"
        }
        Deploy-VMSS-Monitoring = {
          effect = "Audit"
        }
      }
      access_control = {}
    }
  }

  custom_landing_zones = {
    "${local.alz_root_id}-platform" = {
      display_name               = "${upper(local.alz_root_name)} Platform"
      parent_management_group_id = local.alz_root_id
      subscription_ids           = []
      archetype_config = {
        archetype_id   = "es_platform"
        parameters     = {}
        access_control = {}
      }
    }
    "${local.alz_root_id}-platform-management" = {
      display_name               = "${upper(local.alz_root_name)} Platform Management"
      parent_management_group_id = "${local.alz_root_id}-platform"
      subscription_ids           = []
      archetype_config = {
        archetype_id   = "es_management"
        parameters     = {}
        access_control = {}
      }
    }
    "${local.alz_root_id}-landingzones" = {
      display_name               = "${upper(local.alz_root_name)} Landing Zones"
      parent_management_group_id = local.alz_root_id
      subscription_ids           = []
      archetype_config = {
        archetype_id   = "es_landing_zones"
        parameters     = {}
        access_control = {}
      }
    }
  }
}

It looks like the policy definitions are created on the management groups and will give an error when trying to use the archetype without the associated management group. Is it possible to create all the policy and policy set definitions on the root management group that gets created?

gbr759 commented 1 month ago

Have you tried creating the root manually as a custom MG and assigning the es_root archetype? I think by disabling core landing zones, it also disables deploying root, so the initiatives you need aren’t available to the child MGs.
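The scoping behaviour behind the two 404s in the issue, and the effect of gbr759's suggestion, modelled offline as an added example (not code from the issue or from the module). The hierarchy, the archetype contents and which archetype owns which policy set definition are constructed for illustration; only the definition names come from the error messages.

```python
# A policy (set) definition created at a management group is visible to that
# group and every descendant. An archetype assigned at a child group therefore
# resolves only if the same group or an ancestor (normally the root, via the
# es_root archetype) creates the definition. Constructed data, for illustration.

# Management group -> parent (None = tenant root group).
HIERARCHY = {
    "myorg": None,                       # root; present only if es_root is deployed
    "myorg-platform": "myorg",
    "myorg-platform-management": "myorg-platform",
    "myorg-landingzones": "myorg",
}

# Archetype -> policy set definitions it creates at its own management group
# (assumption: es_root owns the definitions the other archetypes assign).
DEFINES = {
    "es_root": {"Enforce-EncryptTransit_20240509", "Deploy-AUM-CheckUpdates"},
    "es_landing_zones": set(), "es_platform": set(), "es_management": set(),
}

# Archetype -> policy set definitions it assigns at its management group.
ASSIGNS = {
    "es_landing_zones": {"Enforce-EncryptTransit_20240509"},
    "es_platform": {"Deploy-AUM-CheckUpdates"},
    "es_management": set(), "es_root": set(),
}


def ancestors(mg):
    """Yield mg itself, then each parent up to the tenant root."""
    while mg is not None:
        yield mg
        mg = HIERARCHY[mg]


def unresolved_assignments(deployed):
    """Return {(mg, definition)} for each assignment whose definition is not
    created at the same or an ancestor management group. `deployed` maps each
    management group Terraform will create to its archetype."""
    missing = set()
    for mg, archetype in deployed.items():
        visible = set()
        for scope in ancestors(mg):
            visible |= DEFINES.get(deployed.get(scope, ""), set())
        missing |= {(mg, d) for d in ASSIGNS[archetype] if d not in visible}
    return missing


# deploy_core_landing_zones = false with only the custom groups: no root.
WITHOUT_ROOT = {"myorg-platform": "es_platform",
                "myorg-platform-management": "es_management",
                "myorg-landingzones": "es_landing_zones"}
# gbr759's suggestion: root added as a custom management group with es_root.
WITH_ROOT = dict(WITHOUT_ROOT, myorg="es_root")

if __name__ == "__main__":
    print(sorted(unresolved_assignments(WITHOUT_ROOT)))  # one miss per 404
    print(sorted(unresolved_assignments(WITH_ROOT)))     # set()
```

Running a check like this against your own hierarchy before `terraform plan` shows which archetype references can only be satisfied by deploying the root archetype.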