gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code
MIT License

Removing Policies from initiation set definitions causes parameters to be removed #110

Closed AndrewSutliff-insight closed 1 month ago

AndrewSutliff-insight commented 2 months ago

you should probably consider not automatically adding parameters to initiative sets based off the parameters of the member definitions. Parameters CANNOT be removed once added.

│ Error: updating Policy Set Definition "adf_initiative": policy.SetDefinitionsClient#CreateOrUpdateAtManagementGroup: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicySetParameterUpdate" Message="The existing policy has '20' parameter(s) which is greater than the count of parameter(s) '19' in the policy being added. Policy parameters cannot be removed during policy update."

This is currently causing a HUGE headache at the moment, since we can't even remove one policy from our environment properly.

AndrewSutliff-insight commented 2 months ago

resource "azurerm_policy_set_definition" "set" {
  name         = var.initiative_name
  display_name = var.initiative_display_name
  description  = var.initiative_description
  policy_type  = "Custom"

  management_group_id = var.management_group_id

  metadata   = jsonencode(local.metadata)
  parameters = length(local.parameters) > 0 ? jsonencode(local.parameters) : null

  dynamic "policy_definition_reference" {
    for_each = [for d in var.member_definitions : {
      id         = d.id
      ref_id     = replace(substr(title(replace(d.name, "/-|_|\\s/", " ")), 0, 64), "/\\s/", "")
      parameters = try(jsondecode(d.parameters), {})
      groups     = []
    }]

    content {
      policy_definition_id = policy_definition_reference.value.id
      reference_id         = policy_definition_reference.value.ref_id
      parameter_values = length(policy_definition_reference.value.parameters) > 0 ? jsonencode({
        for k in keys(policy_definition_reference.value.parameters) :
        k => {
          value = k == "effect" && var.merge_effects == false ? "[parameters('${format("%s_%s", k, policy_definition_reference.value.ref_id)}')]" : var.merge_parameters == false ? "[parameters('${format("%s_%s", k, policy_definition_reference.value.ref_id)}')]" : "[parameters('${k}')]"
        }
      }) : null
      policy_group_names = policy_definition_reference.value.groups
    }
  }

  timeouts {
    read = "10m"
  }
}

gettek commented 2 months ago

Hi @AndrewSutliff-insight,

Which version of the modules are you using?

The latest will attempt to recreate the initiative and assignment based on replacement triggers for this very reason, which is in fact a Management API limitation.
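
One way to implement the recreate-on-parameter-change behaviour described above, as an added example that is not the module's own code: a `terraform_data` resource (Terraform 1.4 or later) records the set of initiative parameter names in state, and `replace_triggered_by` forces the set definition to be destroyed and recreated whenever that set changes. It assumes the same inputs as the posted snippet (`var.initiative_name`, `var.initiative_display_name`, `var.management_group_id`, `var.member_definitions`, and `local.parameters` as the auto-generated parameter map).

```hcl
# Added example, not the module's code. Assumed inputs: var.initiative_name,
# var.initiative_display_name, var.management_group_id, var.member_definitions
# (objects with id and name) and local.parameters (map of initiative parameters).

# Keeps the current parameter name set in state. terraform_data is replaced
# whenever triggers_replace evaluates to a different value than last apply.
resource "terraform_data" "initiative_parameter_set" {
  triggers_replace = sort(keys(local.parameters))
}

resource "azurerm_policy_set_definition" "set" {
  name                = var.initiative_name
  display_name        = var.initiative_display_name
  policy_type         = "Custom"
  management_group_id = var.management_group_id
  parameters          = length(local.parameters) > 0 ? jsonencode(local.parameters) : null

  dynamic "policy_definition_reference" {
    for_each = var.member_definitions
    content {
      policy_definition_id = policy_definition_reference.value.id
      reference_id         = policy_definition_reference.value.name
    }
  }

  lifecycle {
    # Removing a member definition drops its parameters from local.parameters,
    # which replaces terraform_data above and therefore replaces this resource
    # instead of sending the in-place update that the API rejects with
    # InvalidPolicySetParameterUpdate.
    replace_triggered_by = [terraform_data.initiative_parameter_set]
  }
}
```

The trigger also fires when parameters are only added, which the API would have accepted as a plain update, so expect a destroy/create in that case too; any `azurerm_management_group_policy_assignment` that references the set definition should carry the same trigger so it is recreated alongside it.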

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 30 days with no activity.