Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Bug Report/ How to : Not able to create Custom Policy definition and assignment using Custom Landing Zones #998

Closed praveenambati1233 closed 2 weeks ago

praveenambati1233 commented 2 weeks ago

terraform: 1.7.0
azure provider: 3.74.0
module: latest

I am trying to create a custom policy in a custom archetype with custom landing zones. However, I am getting the error below:

│ Error: Invalid index
│ 
│   on .terraform/modules/core.alz/modules/archetypes/locals.policy_assignments.tf line 100, in locals:
│  100:       template    = local.archetype_policy_assignments_map[policy_assignment]
│     ├────────────────
│     │ local.archetype_policy_assignments_map is object with 51 attributes
│ 
│ The given key does not identify an element in this collection value.

Below is my configuration

Custom Archetype

{
  "my_archetype": {
      "policy_assignments": [
        "Allowed-VM-Sizes"
      ],
      "policy_definitions": [
        "Allowed-VM-Sizes"
      ],
      "policy_set_definitions": [],
      "role_definitions": [],
      "archetype_config": {
          "parameters": {},
          "access_control": {}
      }
  }
}

Custom Policy Definition

{
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Allowed-VM-Sizes",
  "apiVersion": "2021-06-01",
  "properties": {
    "displayName": "Allowed VM Sizes",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy restricts the VM sizes that can be deployed in the subscription.",
    "version": "1.0.0",
    "parameters": {
      "allowedVmSizes": {
        "type": "Array",
        "metadata": {
          "description": "List of allowed VM sizes.",
          "displayName": "Allowed VM Sizes"
        },
        "allowedValues": [
          "Standard_B1s",
          "Standard_B1ms",
          "Standard_B2s"
        ],
        "defaultValue": [
          "Standard_B1s",
          "Standard_B1ms",
          "Standard_B2s"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "deny",
        "details": {
          "fields": [
            {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('allowedVmSizes')]"
            }
          ]
        }
      }
    }
  }
}

Custom Policy Assignment

{
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "Enforce-Allowed-VM-Sizes",
  "apiVersion": "2021-06-01",
  "properties": {
    "displayName": "Enforce Allowed VM Sizes",
    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Allowed-VM-Sizes",
    "parameters": {
      "allowedVmSizes": {
        "value": [
          "Standard_B1s",
          "Standard_B1ms",
          "Standard_B2s"
        ]
      }
    },
    "nonComplianceMessages": [
      {
        "message": "Only certain VM sizes are allowed in this subscription."
      }
    ]
  }
}

settings.json

locals {
  custom_landing_zones = {
    (var.root_id) = {
      display_name               = "${var.root_id}"
      parent_management_group_id = "${var.tenant_id}"
      subscription_ids           = []
      archetype_config = {
        archetype_id   = "default_empty"
        parameters     = {}
        access_control = {}
      }
    }

    "${var.root_id}-online-example-1" = {
      display_name               = "${upper(var.root_id)} Online Example 1"
      parent_management_group_id = var.root_id
      subscription_ids           = []
      archetype_config = {
        archetype_id = "my_archetype"
        parameters = {}
        access_control = {}
      }
    }
  }
}

matt-FFFFFF commented 2 weeks ago

Hi,

You have to use the JSON name property in your archetype definitions.

In your case the assignment is named Enforce-Allowed-VM-Sizes.
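A pre-flight check for the mismatch described in this thread, added here as an example (it is not part of the issue or of the module): it cross-references every archetype list against the `name` of the library resources of the matching type, so the "Invalid index" failure surfaces before `terraform plan`. The `archetype_definition_*.json` file naming used by `load_library` is an assumption about the library folder layout.

```python
"""Check that custom archetype definitions only reference library resources that exist.
Each entry in policy_assignments / policy_definitions / policy_set_definitions must equal
the "name" of a resource JSON in the library; a stale or wrong name is what terraform
reports as "Invalid index" on archetype_policy_assignments_map."""
import json
from pathlib import Path

# Archetype list key -> ARM resource type whose "name" property it must reference.
LIST_TO_TYPE = {
    "policy_assignments": "Microsoft.Authorization/policyAssignments",
    "policy_definitions": "Microsoft.Authorization/policyDefinitions",
    "policy_set_definitions": "Microsoft.Authorization/policySetDefinitions",
}


def find_unresolved(archetypes, resources):
    """Return {archetype_id: {list_key: [names]}} for references that match no
    library resource of the required type. Empty dict means all references resolve."""
    known = {}
    for res in resources:
        known.setdefault(res["type"], set()).add(res["name"])
    unresolved = {}
    for arch_id, arch in archetypes.items():
        for key, res_type in LIST_TO_TYPE.items():
            missing = [n for n in arch.get(key, []) if n not in known.get(res_type, set())]
            if missing:
                unresolved.setdefault(arch_id, {})[key] = missing
    return unresolved


def load_library(lib_dir):
    """Load a library folder and run the check. Assumes archetype_definition_*.json
    files hold archetype maps and every other *.json file is one ARM resource."""
    archetypes, resources = {}, []
    for path in Path(lib_dir).glob("*.json"):
        data = json.loads(path.read_text())
        if path.name.startswith("archetype_definition_"):
            archetypes.update(data)
        elif "type" in data and "name" in data:
            resources.append(data)
    return find_unresolved(archetypes, resources)


# Constructed sample reproducing the issue: the archetype lists the policy *definition*
# name where the policy *assignment* name ("Enforce-Allowed-VM-Sizes") is required.
SAMPLE_ARCHETYPES = {"my_archetype": {"policy_assignments": ["Allowed-VM-Sizes"],
                                      "policy_definitions": ["Allowed-VM-Sizes"],
                                      "policy_set_definitions": []}}
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Authorization/policyDefinitions", "name": "Allowed-VM-Sizes"},
    {"type": "Microsoft.Authorization/policyAssignments", "name": "Enforce-Allowed-VM-Sizes"},
]

if __name__ == "__main__":
    print(find_unresolved(SAMPLE_ARCHETYPES, SAMPLE_RESOURCES))
```

Run against a real library with `load_library("lib")`; an empty result means every archetype entry resolves to a resource name.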