azurerm_policy_assignment fails to remediate resources correctly

[Mahir-Isikli]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

• Terraform v1.0.5
• provider.azurerm v2.74.0

Affected Resource(s)

• azurerm_policy_remediation
• azurerm_policy_assignment

Terraform Configuration Files

resource "azurerm_subscription_policy_assignment" "diagnosticAssignment" {
    name                    = "deploy-kv-diagnostics-test"
    subscription_id         = data.azurerm_subscription.current.id
    policy_definition_id    = azurerm_policy_definition.customDiagnosticPolicy.id
    description             = "Deploys the diagnostic settings for Key Vault to stream to a specific regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated."
    display_name            = "Deploy Diagnostic Settings for Key Vault to specific Event Hub"
    location                = azurerm_resource_group.stageResourceGroup.location

    parameters = jsonencode({
        "eventHubRuleId": {
        "value": data.azurerm_eventhub_namespace_authorization_rule.diagnosticSettingEventHubPush.id,
        },
        "eventHubLocation": {
        "value": data.azurerm_eventhub.keyVaultLogs.id,
        },
        #Need to specify an eventhub, otherwise a new one will be created
        "eventHubName": {
        "value": "keyvaultlogs"
        },
    })

    identity {
      type = "SystemAssigned"
    }
}

resource "azurerm_role_assignment" "roleAssignementLogAnalyticsContributor" {
  scope                = azurerm_subscription_policy_assignment.diagnosticAssignment.subscription_id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].principal_id
}

resource "azurerm_policy_remediation" "remediateDiagnosticSettings" {
  name                    = "remeditationfordiagnosticsettings"
  scope                   = azurerm_subscription_policy_assignment.diagnosticAssignment.subscription_id
  policy_assignment_id    = azurerm_subscription_policy_assignment.diagnosticAssignment.id
  location_filters        = ["westeurope"]
  resource_discovery_mode = "ReEvaluateCompliance"
}

The above will create a policy assignment, a remediation task and a role assignment and associated managed identity required to perform the actions specified in the "deployIfNotExists" in the JSON file at:

https://github.com/Mahir-Isikli/makeitrepeatable/blob/main/configurationPolicyAssignment/policyrule.json

Expected Behaviour

When the policy assignment is made, a managed identity should be created and granted permission with the explicit role assignment to deploy missing resources with a policy remediation in line with the deployIfNotExists condition

Actual Behaviour

Policy definition is created and assigned, but the remediation task does not deploy any missing resources.

Steps to Reproduce

1. Clone https://github.com/Mahir-Isikli/makeitrepeatable
2. Create policy definition and policy assignment
3. Login to Azure portal and go to Policy > Remediation
4. Create a remediation task for the policy - Note message "The managed identity for this assignment does not have the appropriate permissions to remediate these resources. To add these permissions, go to the Edit Assignment page for this Policy and re-save it."
5. Edit policy definition > Remediation > Note the blank field under "The identity currently has the following permissions"

References

• 6486

[aristosvo]

Hi @Mahir-Isikli! A few questions to get the investigation started, I don't have time to spin it up all myself.

• Is the Role Assignment visible in Azure Portal? What happens with that assignment if you apply the manual fix?
• It might be that you'd need to use object_id instead of principal_id for the right effect:

  resource "azurerm_role_assignment" "roleAssignementLogAnalyticsContributor" {
  ...
  principal_id         = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].object_id
  }

• It might help to add a depends_on to make sure the role is assigned at the moment the remediation is created:

  
  resource "azurerm_policy_remediation" "remediateDiagnosticSettings" {
  ...
  depends_on = [azurerm_role_assignment.roleAssignementLogAnalyticsContributor]
  }

[Mahir-Isikli]

Hi @aristosvo!

The role assignment is visible in the Azure Portal. Applying the manual fix does not change anything.

I get the following error when I try to use object_ id instead of principal_id:

Error: Unsupported attribute on components/policyAssignment.tf line 260, in resource "azurerm_role_assignment" "roleAssignementLogAnalyticsContributor": 260: principal_id = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].object_id This object has no argument, nested block, or exported attribute named "object_id".

Just adding the depends_on block does not change anything if I let the pipeline run. I'm making sure to wait a few minutes, just in case the policy assignment needs to start again.

[Mahir-Isikli]

Hi, @aristosvo just wanted to bump this issue again as we still would like to use this feature in prod. Thanks!

[Mahir-Isikli]

Hi again, is there any progress on this issue perhaps? Thanks!

[Mahir-Isikli]

Hey @aristosvo, any news on this?

[jraggett]

It's 2022. What's up? How long shall this go on? I'm now making my modules create assignments iteratively because the issue doesn't get fixed since APRIL 2020! https://github.com/hashicorp/terraform-provider-azurerm/issues/6486 #6486

[aristosvo]

Hi @Mahir-Isikli! I've limited time to spend on issues like this, it is free time which I spend here. Due to job changes I've not had any time left, unfortunately.

With regard to your issue, there must be something missing in the role assignments. @jraggett can possibly help you find the right assignments, as he mentioned he is able to create the assignments, although not in a perfect way. I'll do a reconstruction first based on this old issue (#6486), as it is more complete and easier for me to reproduce things with.

@jraggett Thanks for pointing to #6486. As far as I can see this is not a azurerm issue, this is how the Azure API's are working and how the policy resources are build within Azure. Although the Azure Portal masks that in a certain way, that does not mean we can fix that in the same way in Terraform. Issue #8486 was closed with a reason, this one will probably be closed with the same reason.

[jraggett]

@aristosvo yes this is absolutely an API issue. The same issue arises no matter how you programmatically apply policy. ARM, Bicep, Terraform, it all ends up requiring role assignments to be done manually whether it be more code or through portal.

[krowlandson]

Have you tried updating the Policy Assignment via the Portal and then re-running terraform plan to see what changes were made, if any? As you've already discovered, unlike all other approaches (ARM, Bicep, Terraform, etc,) the Azure Portal is able to automatically create all of the Role Assignments with the "correct" configuration for you.

There are a couple of behaviours to consider though:

• The Portal sometimes requires parameterScopes to be defined for certain parameters in the metadata to be able to correctly populate certain views. Having this is missing can result in correctly assigned parameter values not showing in various views within the Portal. This may also be why you cannot see some of the values you assigned in the screenshot above for the remediation tab. The following example shows how a Portal update to an already working assignment adds metadata used by the Portal:

  

• The Portal also only creates a Role Assignment at the scope where the Policy Assignment is created. I can see you have reproduced this in your example by creating the assignment at the same scope as the Policy Assignment but I cannot tell where the target Log Analytics workspace (or Event Hub) for your solution is located. If your policy requires remediation tasks to perform any operations against resources in another scope (for example, in another Subscription) then you will also need to grant permissions over that scope too.

[rks040888]

@Mahir-Isikli Did you find a way to fix this? I'm running into the similar issue. Terraform is saying that it has created the remediation task But I don't see it in Azure portal.

[Mahir-Isikli]

@rks040888 Hi, Sadly no, we have been blocked by this issue so far and are waiting for a response here as well.

[Patrick-Eichhorn]

Hi @krowlandson , We are not making any progress on this issue either. After manually fixing the error in the Azure portal and importing this state into Terraform, no difference is shown. It seems to be an API error from Azure. Policy Assignments created with the azure CLI az policy assignment create have the same problem.

Is there already a solution for this?

[gettek]

@Mahir-Isikli If you are still experiencing issues give these modules a try or reference the assignment logic to rule out any incorrect scope permissioning errors

Edit: another thing to check is weather you have the assignPermissions metadata set to true in your definition parameters such as below:

"workspaceId": {
  "type": "String",
  "metadata": {
    "displayName": "Log Analytics workspace Id",
    "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
    "assignPermissions": true
  }
}

📘 assignPermissions: (Optional) Set as true to have Azure portal create role assignments during policy assignment. This property is useful in case you wish to assign permissions outside the assignment scope. There's one role assignment per role definition in the policy (or per role definition in all of the policies in the initiative). The parameter value must be a valid resource or scope. Link

[jsredmond]

Has anyone ever been able to find a solution to this one?

[na-init]

Did this resolve? I am also facing similar issue. Did anyone got it working? Thanks