Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Bug Report : Unable to create policy for custom landing zone #995

Closed praveenambati1233 closed 3 months ago

praveenambati1233 commented 3 months ago

I've tried to assign one custom policy to a custom landing zone; I've followed this guide: Enforce-RG-Tags. When I run terraform plan I obtain this error:

╷
│ Error: reading Policy Definition "Enforce-RG-Tags": policy.DefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicyDefinitionNotFound" Message="The policy definition 'Enforce-RG-Tags' could not be found."
│
│   with module.enterprise_scale.data.azurerm_policy_definition.external_lookup["/providers/Microsoft.Management/managementGroups/ROOT/providers/Microsoft.Authorization/policyDefinitions/Enforce-RG-Tags"],
│   on .terraform/modules/enterprise_scale/locals.policy_assignments.tf line 167, in data "azurerm_policy_definition" "external_lookup":
│  167: data "azurerm_policy_definition" "external_lookup" {
│
╵

It seems that the module tries to search for the policy in the Root Mgmt group.

matt-FFFFFF commented 3 months ago

Can you replace the policy definition id in the assignment with the correct one?

praveenambati1233 commented 3 months ago

It is as below:

"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Enforce-RG-Tags",

@matt-FFFFFF

matt-FFFFFF commented 3 months ago

So replace that with the correct resource id for the definition that you want to apply

praveenambati1233 commented 3 months ago

Below is my project setup. I am not sure what exactly the resource id should be so that the policy is assigned to all the custom landing zones.

[image: project setup]

Actually, it is able to create it at all levels of the MGs, but it is failing at the root MG; ideally, I don't want to create it at the root MG level.

Plan: 9 to add, 1 to change, 1 to destroy.
╷
│ Error: reading Policy Definition "Enforce-RG-Tags": policy.DefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicyDefinitionNotFound" Message="The policy definition 'Enforce-RG-Tags' could not be found."
│ 
│   with module.core.module.alz.data.azurerm_policy_definition.external_lookup["/providers/Microsoft.Management/managementGroups/ROOT/providers/Microsoft.Authorization/policyDefinitions/Enforce-RG-Tags"],
│   on .terraform/modules/core.alz/locals.policy_assignments.tf line 167, in data "azurerm_policy_definition" "external_lookup":
│  167: data "azurerm_policy_definition" "external_lookup" {

matt-FFFFFF commented 3 months ago

Hi,

Is there a common parent management group in which you can place the policy definition?

You'll need an archetype that just contains the definition.

Then you'll need another archetype that contains the assignment that references said definition.
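
The layout matt-FFFFFF describes (one archetype carrying only the definition on a common parent management group, a second archetype carrying the assignment on each child) can be checked before running terraform plan. The script below is an added example written for this page; it is not code from the issue thread or from the terraform-azurerm-caf-enterprise-scale module. It models the Azure scoping rule behind the 404 above: an assignment may only reference a policy definition deployed at its own management group or at an ancestor, so a definition deployed by a child-scope archetype cannot be referenced through `${root_scope_resource_id}`, which the module expands to the root management group's resource id. The management group names (`ROOT`, `landing-zones`, `lz-dev`, `lz-prod`), the `Archetype`/`Hierarchy` classes, and the treatment of `${current_scope_resource_id}` as "the scope the archetype is applied to" are assumptions constructed for the example.

```python
# Added example, not code from the issue thread or from the
# terraform-azurerm-caf-enterprise-scale module.  It models the scoping rule
# behind the 404 in the thread: an assignment can only reference a policy
# definition deployed at its own management group or at an ancestor, so a
# definition shipped in a child archetype cannot be referenced through
# `${root_scope_resource_id}`.  Management group names, archetype layouts and
# the `${current_scope_resource_id}` expansion are constructed for this example.
from __future__ import annotations

from dataclasses import dataclass, field

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
DEF_SEGMENT = "/providers/Microsoft.Authorization/policyDefinitions/"


@dataclass
class Archetype:
    # definition names the archetype deploys at the scope it is applied to
    policy_definitions: list[str] = field(default_factory=list)
    # assignment name -> policyDefinitionId, possibly containing a placeholder
    policy_assignments: dict[str, str] = field(default_factory=dict)


@dataclass
class Hierarchy:
    root: str
    parents: dict[str, str]            # management group -> its parent
    archetypes: dict[str, Archetype]   # management group -> archetype applied there

    def ancestors(self, mg: str) -> list[str]:
        """Scope chain from mg up to, and including, the root."""
        chain = [mg]
        while chain[-1] != self.root:
            chain.append(self.parents[chain[-1]])
        return chain


def expand(template: str, root: str, current: str) -> str:
    """Expand the placeholders found in lib JSON.  `${root_scope_resource_id}`
    is the one visible in the thread; expanding `${current_scope_resource_id}`
    to the scope the archetype is applied to is an assumption of this example."""
    return (template
            .replace("${root_scope_resource_id}", MG_PREFIX + root)
            .replace("${current_scope_resource_id}", MG_PREFIX + current))


def deployed_definitions(h: Hierarchy) -> dict[str, str]:
    """Full resource id -> management group, for every definition an archetype deploys."""
    return {MG_PREFIX + mg + DEF_SEGMENT + name: mg
            for mg, arch in h.archetypes.items()
            for name in arch.policy_definitions}


def check_assignments(h: Hierarchy) -> list[tuple[str, str, str]]:
    """Return (scope, assignment, problem) for every assignment whose definition
    would not resolve; an empty list means the layout is safe to plan."""
    deployed = deployed_definitions(h)
    problems: list[tuple[str, str, str]] = []
    for mg, arch in h.archetypes.items():
        for name, template in arch.policy_assignments.items():
            definition_id = expand(template, h.root, mg)
            if definition_id not in deployed:
                # mirrors the module falling back to an external lookup and getting a 404
                problems.append((mg, name, f"PolicyDefinitionNotFound: {definition_id}"))
            elif deployed[definition_id] not in h.ancestors(mg):
                problems.append((mg, name,
                    f"definition lives at {deployed[definition_id]}, which is not {mg} or an ancestor"))
    return problems


PARENTS = {"landing-zones": "ROOT", "lz-dev": "landing-zones", "lz-prod": "landing-zones"}
ENFORCE_TAGS = "Enforce-RG-Tags"


def broken_layout() -> Hierarchy:
    """Definition and assignment in the same child archetype, with the assignment
    referencing ${root_scope_resource_id}: reproduces the thread's lookup at ROOT."""
    lz = Archetype(
        policy_definitions=[ENFORCE_TAGS],
        policy_assignments={ENFORCE_TAGS: "${root_scope_resource_id}" + DEF_SEGMENT + ENFORCE_TAGS},
    )
    return Hierarchy("ROOT", PARENTS, {"lz-dev": lz})


def fixed_layout() -> Hierarchy:
    """Definition-only archetype on the common parent; assignment-only archetype on
    each child, referencing the definition by the parent's resource id."""
    parent_def_id = MG_PREFIX + "landing-zones" + DEF_SEGMENT + ENFORCE_TAGS
    definition_only = Archetype(policy_definitions=[ENFORCE_TAGS])
    assignment_only = Archetype(policy_assignments={ENFORCE_TAGS: parent_def_id})
    return Hierarchy("ROOT", PARENTS, {
        "landing-zones": definition_only,
        "lz-dev": assignment_only,
        "lz-prod": assignment_only,
    })


if __name__ == "__main__":
    for label, layout in (("broken", broken_layout()), ("fixed", fixed_layout())):
        print(label, check_assignments(layout) or "ok")
```

The broken layout yields exactly the id the thread's error message shows under `external_lookup` (`.../managementGroups/ROOT/.../policyDefinitions/Enforce-RG-Tags`), because the definition was deployed at the child scope but referenced at the root. The fixed layout passes because `landing-zones` is an ancestor of both children; a definition placed on a sibling management group would fail the ancestor check even though it exists.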

praveenambati1233 commented 3 months ago

I have refactored everything and posted the issue at https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/998