Closed praveenambati1233 closed 3 months ago
Can you replace the policy definition id in the assignment with the correct one?
It is as below
"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Enforce-RG-Tags",
@matt-FFFFFF
So replace that with the correct resource id for the definition that you want to apply
Below is my project setup. I am not sure what exactly the resource id should be that the policy assigns to all the custom landing zones?
Actually, it is able to create at all levels of the MGs but it is failing at the root MG. Ideally, I don't want to create at root MG level.
Plan: 9 to add, 1 to change, 1 to destroy.
╷
│ Error: reading Policy Definition "Enforce-RG-Tags": policy.DefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicyDefinitionNotFound" Message="The policy definition 'Enforce-RG-Tags' could not be found."
│
│ with module.core.module.alz.data.azurerm_policy_definition.external_lookup["/providers/Microsoft.Management/managementGroups/ROOT/providers/Microsoft.Authorization/policyDefinitions/Enforce-RG-Tags"],
│ on .terraform/modules/core.alz/locals.policy_assignments.tf line 167, in data "azurerm_policy_definition" "external_lookup":
│ 167: data "azurerm_policy_definition" "external_lookup" {
Hi,
Is there a common parent management group in which you can place the policy definition?
You'll need an archetype that just contains the definition.
Then you'll need another archetype that contains the assignment that references said definition.
I have refactored everything and posted the issue at https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/998
I've tried to assign one custom policy to a custom landing zone; I've followed this guide Enforce-RG-Tags. When I run terraform plan I obtain this error:
╷
│ Error: reading Policy Definition "Enforce-RG-Tags": policy.DefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicyDefinitionNotFound" Message="The policy definition 'Enforce-RG-Tags' could not be found."
│
│ with module.enterprise_scale.data.azurerm_policy_definition.external_lookup["/providers/Microsoft.Management/managementGroups/ROOT/providers/Microsoft.Authorization/policyDefinitions/Enforce-RG-Tags"],
│ on .terraform/modules/enterprise_scale/locals.policy_assignments.tf line 167, in data "azurerm_policy_definition" "external_lookup":
│ 167: data "azurerm_policy_definition" "external_lookup" {
│
╵
Seems that the module tries to search for the policy in the Root Mgmt group.
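The scope rule behind this 404, as an added example that is not part of the thread or of the module's code: a policy definition created at a management group can only be assigned at that group or below it, so the check flags an assignment whose `policyDefinitionId` names a group that is not the assignment's own group or an ancestor, or a group where the definition was never created. The hierarchy, the `landing-zones`, `custom-lz` and `platform` names, the place the definition lives, and all function names are assumptions.

```python
import re

# Constructed hierarchy (child -> parent); only ROOT appears in the thread.
PARENTS = {"ROOT": None, "landing-zones": "ROOT",
           "custom-lz": "landing-zones", "platform": "ROOT"}

# Constructed record of where each custom definition is actually created.
DEFINED_AT = {"Enforce-RG-Tags": {"landing-zones"}}

ID_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)"
    r"/providers/Microsoft\.Authorization/policyDefinitions/(?P<name>[^/]+)$"
)

def definition_id_for(mg, name):
    """Build the management-group-scoped definition id seen in the error."""
    return (f"/providers/Microsoft.Management/managementGroups/{mg}"
            f"/providers/Microsoft.Authorization/policyDefinitions/{name}")

def ancestors_and_self(mg, parents):
    """Return mg followed by every ancestor up to the root."""
    chain = []
    while mg is not None:
        chain.append(mg)
        mg = parents.get(mg)
    return chain

def check_assignment(assign_mg, definition_id,
                     parents=PARENTS, defined_at=DEFINED_AT):
    """Return the problems found for one assignment; an empty list means OK."""
    m = ID_RE.match(definition_id)
    if not m:
        return [f"not a management-group-scoped definition id: {definition_id}"]
    def_mg, name = m["mg"], m["name"]
    problems = []
    if def_mg not in ancestors_and_self(assign_mg, parents):
        problems.append(f"{def_mg} is not {assign_mg} or one of its ancestors")
    if def_mg not in defined_at.get(name, set()):
        # This is the case that surfaces as PolicyDefinitionNotFound (404).
        where = ", ".join(sorted(defined_at.get(name, set()))) or "nowhere"
        problems.append(f"{name} is not defined at {def_mg} (defined at: {where})")
    return problems

if __name__ == "__main__":
    # Id resolves to ROOT while the definition lives lower down: flagged.
    print(check_assignment("custom-lz", definition_id_for("ROOT", "Enforce-RG-Tags")))
    # Id points at the common parent that holds the definition: passes.
    print(check_assignment("custom-lz", definition_id_for("landing-zones", "Enforce-RG-Tags")))
```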