Open jhauray opened 3 years ago
Same problem here when trying to assign a custom policy set to management group. No problem when trying to assign the same policy set on subscription level, only with management group assignment.
Tried to use azurerm_policy_assignment instead but same problem.
I can also reproduce it locally, thank you @jhauray for the detailed reproduction steps :+1:
Meanwhile, I've submitted an issue to the Azure policy repo: https://github.com/Azure/azure-policy/issues/918
Community Note
Terraform (and AzureRM Provider) Version
Affected Resource(s)
azurerm_management_group_policy_assignment
Terraform Configuration Files
Debug Output
https://gist.github.com/jhauray/9cf6e5e4193912b958d33abb744e90df
Panic Output
Expected Behaviour
azurerm_management_group_policy_assignment should be created without error, even if azurerm_management_group is created in the same Terraform code. If data azurerm_policy_definition is readable on the "management group" scope, the "policy assignment" provisioning must be successful.
Actual Behaviour
Resource azurerm_management_group is well created, data azurerm_policy_definition are correctly read. But azurerm_management_group_policy_assignment fails, with this error message:
Currently, I use a workaround with time_sleep resource to add a delay between "policy definitions read", and "policy assignment creation":
Steps to Reproduce
terraform apply the previous configuration, to create a child Management Group to your "parent" MG, and an azurerm_management_group_policy_assignment, using your custom role azurerm_policy_definition.
Important Factoids
References
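The time_sleep workaround described in the issue, as an added example (not the reporter's configuration, which does not appear on this page). The resource names, the variable, the policy display name and the 60s delay are assumptions; making the delay also wait for the child management group is an assumption of this sketch.

```hcl
# Added example: all names and the delay value are constructed, not taken from the issue.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
  }
}

provider "azurerm" {
  features {}
}

variable "parent_management_group_name" {
  type        = string
  description = "Name of the existing parent management group (assumed input)"
}

data "azurerm_management_group" "parent" {
  name = var.parent_management_group_name
}

# Child management group created in the same configuration as the assignment.
resource "azurerm_management_group" "child" {
  display_name               = "example-child"
  parent_management_group_id = data.azurerm_management_group.parent.id
}

# Custom policy definition stored on the parent management group.
data "azurerm_policy_definition" "custom" {
  display_name          = "Example custom policy"
  management_group_name = data.azurerm_management_group.parent.name
}

# Delay between the policy definition read and the policy assignment creation.
resource "time_sleep" "before_assignment" {
  create_duration = "60s"
  depends_on = [
    azurerm_management_group.child,
    data.azurerm_policy_definition.custom,
  ]
}

resource "azurerm_management_group_policy_assignment" "example" {
  name                 = "example-assignment"
  management_group_id  = azurerm_management_group.child.id
  policy_definition_id = data.azurerm_policy_definition.custom.id
  depends_on           = [time_sleep.before_assignment]
}
```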