gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code
MIT License

Role Definitions are not assigned to System Managed Identities #62

Closed ashkuren closed 1 year ago

ashkuren commented 1 year ago

Role Definitions are not assigned to System Managed Identities

Prerequisites

Context

Expected Behavior

Policy Assignment has a Managed Identity and Permissions assigned.

Current Behavior

Policy Assignment has a Managed Identity that does not have any permissions. (Screenshot attached to the original issue.)

Possible Root Cause

https://github.com/gettek/terraform-azurerm-policy-as-code/blob/9e050095c54393a3b90e6b60a6b3916bec5734c6/modules/def_assignment/variables.tf#L165

local.identity_type == { type = "SystemAssigned" } always evaluates to false, and therefore local.role_definition_ids is always an empty list.

Possibly related: https://github.com/hashicorp/terraform/issues/27643

Possible Solution

role_definition_ids = var.skip_role_assignment == false && local.identity_type.type == "SystemAssigned" ? try(coalescelist(var.role_definition_ids, lookup(jsondecode(var.definition.policy_rule).then.details, "roleDefinitionIds", [])), []) : []

Steps to Reproduce

Create any policy assignment with definition that contains roleDefinitionIds.
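To make the wiring concrete, here is an added example that is not code from the gettek module or from either commenter. It shows how an assignment's system-assigned identity, the roleDefinitionIds parsed out of the policy rule, and the resulting role assignments fit together, using the single-attribute comparison from the proposed fix, guarded with try() so an identity value of {} does not error. The policy rule JSON, the variable names, the location and the subscription scope are constructed for illustration; the rule's deployment block is a stub, so the definition is not deployable as written.

```hcl
# Added example, not the gettek module's own code. Names, the policy rule
# and the scope below are assumptions constructed for illustration.

variable "subscription_id" {
  type = string
}

variable "skip_role_assignment" {
  type    = bool
  default = false
}

variable "role_definition_ids" {
  description = "Optional override; when empty, the ids found in the policy rule are used."
  type        = list(string)
  default     = []
}

locals {
  # Constructed, abbreviated DeployIfNotExists rule. Only then.effect and
  # then.details.roleDefinitionIds matter here; deployment is a stub.
  # The GUID is assumed to be the built-in Contributor role.
  policy_rule = <<-JSON
    {
      "if": { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {}
        }
      }
    }
  JSON

  rule = jsondecode(local.policy_rule)

  # Only DeployIfNotExists and Modify effects need an identity; an audit
  # policy gets {} here, so later checks must tolerate a missing "type".
  identity_type = contains(["DeployIfNotExists", "Modify"], local.rule.then.effect) ? { type = "SystemAssigned" } : {}

  # Compare the single attribute rather than the whole object (the check the
  # issue reports as always false). try() returns "" when identity_type is {}.
  role_definition_ids = (
    !var.skip_role_assignment && try(local.identity_type.type, "") == "SystemAssigned"
    ? try(coalescelist(var.role_definition_ids, lookup(local.rule.then.details, "roleDefinitionIds", [])), [])
    : []
  )
}

resource "azurerm_policy_definition" "example" {
  name         = "diag-settings-dine-example"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Deploy diagnostic settings (constructed example)"
  policy_rule  = local.policy_rule
}

resource "azurerm_subscription_policy_assignment" "example" {
  name                 = "diag-settings-dine-example"
  policy_definition_id = azurerm_policy_definition.example.id
  subscription_id      = "/subscriptions/${var.subscription_id}"
  location             = "uksouth" # required whenever an identity is attached

  # Attach the identity only when the effect calls for one.
  dynamic "identity" {
    for_each = try(local.identity_type.type, "") == "SystemAssigned" ? [1] : []
    content {
      type = "SystemAssigned"
    }
  }
}

# One role assignment per roleDefinitionId. If role_definition_ids resolves
# to [] while an identity exists, nothing is created and remediation fails
# silently with a permission-less identity, which is the behaviour reported.
resource "azurerm_role_assignment" "remediation" {
  for_each = toset(local.role_definition_ids)

  scope              = "/subscriptions/${var.subscription_id}"
  role_definition_id = each.value
  principal_id       = azurerm_subscription_policy_assignment.example.identity[0].principal_id
}

# Surfacing the list makes the regression visible in `terraform plan` output.
output "remediation_role_definition_ids" {
  value = local.role_definition_ids
}
```

A quick check after `terraform plan` is to confirm that the output lists one id per roleDefinitionIds entry and that a matching number of azurerm_role_assignment.remediation resources are planned; an empty output with an identity block present reproduces the issue.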

gettek commented 1 year ago

Thank you for raising this; I overlooked it in my tests...

Should be fixed in working branch 2.7.1; could you kindly retry and report back? Thanks

ashkuren commented 1 year ago

Works as expected now. Thank you for the quick fix.