Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Use resourceSelector in built in policy #906

Open Laudenlaruto opened 9 months ago

Laudenlaruto commented 9 months ago

Versions

terraform: 1.6.6

azure provider: v3.88.0

module: 5.0.3

Description

When trying to add a resourceSelector to an existing policy assignment, terraform does not detect the change.

Describe the bug

I added an archetype_config_overrides to override the Deny-Resource-Locations to allow me to deploy static web apps in another region than the one whitelisted.

archetype_config_overrides = {
  landing-zones = {
    archetype_id = "es_landing_zones"
    resourceSelector = {
      Deny-Resource-Locations = {
        name = "Allow static web app"
        selector = {
          in     = []
          kind   = "resourceType"
          not_in = [
            "Microsoft.Web/staticSites",
          ]
        }
      }
    }
  }
}

Additional context

I can update the parameter easily but not the resource selector.

matt-FFFFFF commented 9 months ago

Thanks for reporting, we will look into this

luke-taylor commented 5 months ago

Hey @Laudenlaruto,

Overriding the resource selectors argument of a policy assignment cannot be done using archetype_config_overrides.

If you would like to do this, specifically for your example:

Firstly, please create a new file titled exactly policy_assignment_es_deny_resource_locations.tmpl.json in your custom lib folder under policy_assignments.

Secondly, within this file, copy the contents of the original policy assignment file - located here.

Finally, append the resourceSelectors argument in properties like so:

    "properties": {
        ...
        "resourceSelectors": [
            {
                "name": "Allow static web app",
                "selectors": [
                    {
                        "kind": "resourceType",
                        "in": [ "Microsoft.Web/staticSites" ]
                    }
                ]
            }
        ]
        ...
    },

This should override the existing policy assignment with your custom requirements.
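The three steps above (copy the original assignment file into the custom library, append `resourceSelectors` under `properties`, save it under the exact override file name) can be scripted so the override is rebuilt from the upstream file instead of hand-edited. The following is an added example, not code from the module or from anyone in this thread. The `ORIGINAL_ASSIGNMENT` document is a constructed stand-in for the real Deny-Resource-Locations file (its `policyDefinitionId` is a placeholder, and the real file carries more properties), and the function name `add_resource_selector` is my own. The `kind` values and the `in`/`notIn` shape are the ones Azure Policy accepts for `resourceSelectors`: `in` scopes the assignment to the listed resource types, `notIn` exempts them from it; the example uses `in` to match the reply above, and the test exercises `notIn` as well.

```python
"""Build a custom-library override for an Azure landing zones policy assignment
by appending a resourceSelectors entry to a copy of the original assignment JSON.
Added example; not part of terraform-azurerm-caf-enterprise-scale."""
import copy
import json
from pathlib import Path

# Selector kinds accepted by Microsoft.Authorization/policyAssignments resourceSelectors.
VALID_KINDS = {"resourceLocation", "resourceType", "resourceWithoutLocation"}

# File name the module looks for when overriding this built-in assignment
# (from the reply above); placed under <lib>/policy_assignments/.
OVERRIDE_FILE = "policy_assignment_es_deny_resource_locations.tmpl.json"

# Constructed stand-in for the original Deny-Resource-Locations assignment.
# The policyDefinitionId is a placeholder, not the real definition id.
ORIGINAL_ASSIGNMENT = {
    "name": "Deny-Resource-Locations",
    "type": "Microsoft.Authorization/policyAssignments",
    "apiVersion": "2022-06-01",
    "properties": {
        "displayName": "Limit allowed locations for Resources",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<placeholder-id>",
        "enforcementMode": "Default",
        "parameters": {"listOfAllowedLocations": {"value": ["${default_location}"]}},
    },
}


def add_resource_selector(assignment, selector_name, kind, values, mode="in"):
    """Return a deep copy of `assignment` with a resourceSelectors entry named
    `selector_name` holding one selector of `kind` with an `in` or `notIn` list.

    An existing entry with the same name is replaced rather than duplicated, so
    regenerating the override file is idempotent. The input is not mutated."""
    if kind not in VALID_KINDS:
        raise ValueError(f"unknown selector kind {kind!r}; expected one of {sorted(VALID_KINDS)}")
    if mode not in ("in", "notIn"):
        raise ValueError("mode must be 'in' or 'notIn'")
    if not values:
        raise ValueError("a selector needs at least one value")

    out = copy.deepcopy(assignment)
    selectors = out["properties"].setdefault("resourceSelectors", [])
    entry = {"name": selector_name, "selectors": [{"kind": kind, mode: list(values)}]}
    for i, existing in enumerate(selectors):
        if existing.get("name") == selector_name:
            selectors[i] = entry
            break
    else:
        selectors.append(entry)
    return out


def write_override(assignment, lib_path):
    """Write `assignment` to <lib_path>/policy_assignments/<OVERRIDE_FILE> and
    return the path; `lib_path` is the folder passed to the module's library_path."""
    target = Path(lib_path) / "policy_assignments" / OVERRIDE_FILE
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(assignment, indent=2) + "\n", encoding="utf-8")
    return target


if __name__ == "__main__":
    import tempfile

    override = add_resource_selector(
        ORIGINAL_ASSIGNMENT, "Allow static web app", "resourceType",
        ["Microsoft.Web/staticSites"], mode="in",
    )
    with tempfile.TemporaryDirectory() as lib:
        path = write_override(override, lib)
        print(f"wrote {path}")
        print(path.read_text(encoding="utf-8"))
```

In a real deployment, replace `ORIGINAL_ASSIGNMENT` with the parsed contents of the module's own Deny-Resource-Locations file and point `write_override` at the directory configured as the module's `library_path`; because the same-name entry is replaced instead of appended, the script can be re-run whenever the upstream file changes without accumulating duplicate selectors.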