hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for user managed Identity for policy assignment #14087

Open jayendranarumugam opened 3 years ago

jayendranarumugam commented 3 years ago

Description

New or Affected Resource(s)

Potential Terraform Configuration


data "azurerm_subscription" "current" {}

resource "azurerm_policy_definition" "example" {
  name        = "only-deploy-in-westeurope"
  policy_type = "Custom"
  mode        = "All"

  policy_rule = <<POLICY_RULE
    {
    "if": {
      "not": {
        "field": "location",
        "equals": "westeurope"
      }
    },
    "then": {
      "effect": "Deny"
    }
  }
POLICY_RULE
}

resource "azurerm_user_assigned_identity" "test" {
  name                = "acctest%d"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
}

resource "azurerm_subscription_policy_assignment" "example" {
  name                 = "example"
  policy_definition_id = azurerm_policy_definition.example.id
  subscription_id      = azurerm_subscription.current.id

  identity {
    type        = "UserAssigned"
    identity_id = azurerm_user_assigned_identity.test.id
  }
}

Current behaviour

Currently only a system-managed identity can be passed as a parameter.

References

TheLeftMoose commented 3 years ago

This is a huge problem for a system I work with. We are heavy users of Management groups and this collides with System Assigned MIs (SAMI). Assigning a policy with SAMI on a high management group level requires the SAMI to be assigned in the scope where the resource is. Easily this propagates to 150+ direct role assignments on the resource itself, which is a challenge given only 2000 role assignments are supported on RG level.

JanIsaksson commented 3 years ago

Hi

I have a declaration as below but get an error on apply. In other places it seems that I can use the Azure Subscription GUID as subscription_id, but not here. Why?

variable "sub_hub_we" {
  description = "The Hub Subscription"
  type        = string
  default     = "4c19dd9e-b3c3-4ae2-a639-4dd4373a843c"
}

provider "azurerm" {
  alias           = "provider-sub-hub-we"
  subscription_id = var.sub_hub_we
  tenant_id       = var.azure-tenant-id
  features {}
}

resource "azurerm_subscription_policy_assignment" "az-keyvault-dispub1" {
  name                 = "az-keyvault-dispub"
  display_name         = data.azurerm_policy_definition.az-keyvault-dispub.display_name
  policy_definition_id = data.azurerm_policy_definition.az-keyvault-dispub.id
  subscription_id      = var.sub_hub_we #Not working
  enforce              = true
}

Gives the Error:

Error: "subscription_id" expected to be valid subscription ID, got "4c19dd9e-b3c3-4ae2-a639-4dd4373a843c"

  on builtin-policies.tf line 238, in resource "azurerm_subscription_policy_assignment" "az-keyvault-dispub1":
  238:   subscription_id = var.sub_hub_we #Not working
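One way to resolve the error above, as an added example (not from any participant in this thread): the resource's `subscription_id` argument expects the subscription's full resource ID, which `data.azurerm_subscription` exposes as `id`, while the provider block itself takes the bare GUID. The `azure-tenant-id` variable and the `az-keyvault-dispub` policy definition data source are assumed to be declared elsewhere, as in the original snippet.

```hcl
# Added example, not code from the thread. The provider block takes the bare
# subscription GUID, but azurerm_subscription_policy_assignment wants the full
# resource ID of the subscription ("/subscriptions/<guid>").
variable "sub_hub_we" {
  description = "The Hub Subscription"
  type        = string
  default     = "4c19dd9e-b3c3-4ae2-a639-4dd4373a843c"
}

provider "azurerm" {
  alias           = "provider-sub-hub-we"
  subscription_id = var.sub_hub_we   # bare GUID is correct here
  tenant_id       = var.azure-tenant-id
  features {}
}

# Resolve the full subscription resource ID through the aliased provider
# instead of hard-coding it; its `id` attribute is "/subscriptions/<guid>".
data "azurerm_subscription" "hub_we" {
  provider = azurerm.provider-sub-hub-we
}

resource "azurerm_subscription_policy_assignment" "az-keyvault-dispub1" {
  provider             = azurerm.provider-sub-hub-we
  name                 = "az-keyvault-dispub"
  display_name         = data.azurerm_policy_definition.az-keyvault-dispub.display_name
  policy_definition_id = data.azurerm_policy_definition.az-keyvault-dispub.id
  # Full resource ID; equivalent to "/subscriptions/${var.sub_hub_we}".
  subscription_id      = data.azurerm_subscription.hub_we.id
  enforce              = true
}
```

Keeping `enforce = true` means the Key Vault policy is actually applied rather than merely audited, so the assignment's scope should be checked with `terraform plan` before apply.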

kaovd commented 2 years ago

See this was added 4 months ago on the 2021-06-01 Resource - would require upgrading the API version that's being used - hopefully can be done without any breaking changes, but have only had a 5 minute look over

https://github.com/Azure/azure-rest-api-specs/tree/main/specification/resources/resource-manager/Microsoft.Authorization/stable/2021-06-01

https://github.com/Azure/azure-rest-api-specs/pull/15181

This appears to be in preview package for policy, although likely need a RP Request for latest stable - but they appear the same (see https://github.com/Azure/azure-rest-api-specs/tree/main/specification/resources/resource-manager/Microsoft.Authorization/stable/2021-06-01)

Preview models: https://github.com/Azure/azure-sdk-for-go/blob/ec2ed6d8450ad53978efa96822bf9c9431a63ab4/services/preview/resources/mgmt/2021-06-01-preview/policy/models.go

For the RP - Items in both 2021-06-01 Stable and 2019-09-01 stable API appear the same so shouldn't be any issues

kaovd commented 2 years ago

Put up an RP for having 2021-06-01 in stable as well https://github.com/Azure/azure-sdk-for-go/issues/16389

oWretch commented 2 years ago

Duplicate of #13443.

kaovd commented 2 years ago

It appears the Map enum isn't marked as read-only in the API but its children are, which is quite confusing, but this is blocked until the API is fixed.