Mahir-Isikli opened this issue 2 years ago (status: Open)
Hi @Mahir-Isikli! A few questions to get the investigation started; I don't have time to spin it all up myself.

- `object_id` instead of `principal_id` for the right effect:

```hcl
resource "azurerm_role_assignment" "roleAssignementLogAnalyticsContributor" {
  ...
  principal_id = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].object_id
}
```

- `depends_on` to make sure the role is assigned at the moment the remediation is created:

```hcl
resource "azurerm_policy_remediation" "remediateDiagnosticSettings" {
  ...
  depends_on = [azurerm_role_assignment.roleAssignementLogAnalyticsContributor]
}
```
Hi @aristosvo!

The role assignment is visible in the Azure Portal. Applying the manual fix does not change anything.

I get the following error when I try to use `object_id` instead of `principal_id`:

```
Error: Unsupported attribute on components/policyAssignment.tf line 260, in resource "azurerm_role_assignment" "roleAssignementLogAnalyticsContributor": 260: principal_id = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].object_id This object has no argument, nested block, or exported attribute named "object_id".
```

Just adding the `depends_on` block does not change anything if I let the pipeline run. I'm making sure to wait a few minutes, just in case the policy assignment needs to start again.
Hi, @aristosvo just wanted to bump this issue again as we still would like to use this feature in prod. Thanks!
Hi again, is there any progress on this issue perhaps? Thanks!
Hey @aristosvo, any news on this?
It's 2022. What's up? How long shall this go on? I'm now making my modules create assignments iteratively because the issue doesn't get fixed since APRIL 2020! https://github.com/hashicorp/terraform-provider-azurerm/issues/6486 #6486
Hi @Mahir-Isikli! I've limited time to spend on issues like this, it is free time which I spend here. Due to job changes I've not had any time left, unfortunately.
With regard to your issue, there must be something missing in the role assignments. @jraggett can possibly help you find the right assignments, as he mentioned he is able to create the assignments, although not in a perfect way. I'll do a reconstruction first based on this old issue (#6486), as it is more complete and easier for me to reproduce things with.
@jraggett Thanks for pointing to #6486. As far as I can see this is not an `azurerm` issue; this is how the Azure APIs are working and how the policy resources are built within Azure. Although the Azure Portal masks that in a certain way, that does not mean we can fix that in the same way in Terraform. Issue #8486 was closed with a reason; this one will probably be closed with the same reason.
@aristosvo yes this is absolutely an API issue. The same issue arises no matter how you programmatically apply policy. ARM, Bicep, Terraform, it all ends up requiring role assignments to be done manually whether it be more code or through portal.
Have you tried updating the Policy Assignment via the Portal and then re-running `terraform plan` to see what changes were made, if any? As you've already discovered, unlike all other approaches (ARM, Bicep, Terraform, etc.), the Azure Portal is able to automatically create all of the Role Assignments with the "correct" configuration for you.

There are a couple of behaviours to consider though:

- The Portal sometimes requires `parameterScopes` to be defined for certain parameters in the metadata to be able to correctly populate certain views. Having this missing can result in correctly assigned parameter values not showing in various views within the Portal. This may also be why you cannot see some of the values you assigned in the screenshot above for the remediation tab. The following example shows how a Portal update to an already working assignment adds metadata used by the Portal:
- The Portal also only creates a Role Assignment at the scope where the Policy Assignment is created. I can see you have reproduced this in your example by creating the assignment at the same scope as the Policy Assignment, but I cannot tell where the target Log Analytics workspace (or Event Hub) for your solution is located. If your policy requires remediation tasks to perform any operations against resources in another scope (for example, in another Subscription) then you will also need to grant permissions over that scope too.
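The following configuration is an added example, not code from this thread or from the provider, tying together the two suggestions above (grant the role from `identity[0].principal_id` and gate the remediation with `depends_on`) and the point that the identity also needs rights at the workspace scope when the workspace sits outside the assignment scope. The data sources, the `example-*` names, the `westeurope` location and the `azurerm_policy_definition.diagnostics` reference are assumptions.

```hcl
data "azurerm_subscription" "current" {}

# Target workspace; assumed to live in a different subscription than the assignment scope.
data "azurerm_log_analytics_workspace" "target" {
  name                = "example-law"
  resource_group_name = "example-rg"
}

resource "azurerm_subscription_policy_assignment" "diagnosticAssignment" {
  name                 = "deploy-diagnostic-settings"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.diagnostics.id # assumed definition
  location             = "westeurope" # required once an identity is declared

  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    workspaceId = { value = data.azurerm_log_analytics_workspace.target.id }
  })
}

# Role at the assignment scope: this is the one the Portal creates for you.
resource "azurerm_role_assignment" "at_assignment_scope" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].principal_id
}

# Role at the workspace scope: needed because the workspace is outside the assignment scope.
resource "azurerm_role_assignment" "at_workspace_scope" {
  scope                = data.azurerm_log_analytics_workspace.target.id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = azurerm_subscription_policy_assignment.diagnosticAssignment.identity[0].principal_id
}

resource "azurerm_policy_remediation" "remediateDiagnosticSettings" {
  name                 = "remediate-diagnostic-settings"
  scope                = data.azurerm_subscription.current.id
  policy_assignment_id = azurerm_subscription_policy_assignment.diagnosticAssignment.id

  # Both role assignments must exist before the remediation task is created.
  depends_on = [
    azurerm_role_assignment.at_assignment_scope,
    azurerm_role_assignment.at_workspace_scope,
  ]
}
```

If a plan still shows no drift after a Portal fix, comparing the role assignments the Portal created against these two scopes is the quickest way to spot the missing grant.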
@Mahir-Isikli Did you find a way to fix this? I'm running into a similar issue. Terraform is saying that it has created the remediation task, but I don't see it in the Azure portal.

@rks040888 Hi, sadly no, we have been blocked by this issue so far and are waiting for a response here as well.
Hi @krowlandson,

We are not making any progress on this issue either. After manually fixing the error in the Azure portal and importing this state into Terraform, no difference is shown. It seems to be an API error from Azure. Policy Assignments created with the Azure CLI `az policy assignment create` have the same problem.

Is there already a solution for this?
@Mahir-Isikli If you are still experiencing issues give these modules a try or reference the assignment logic to rule out any incorrect scope permissioning errors.

Edit: another thing to check is whether you have the `assignPermissions` metadata set to `true` in your definition parameters such as below:

```json
"workspaceId": {
  "type": "String",
  "metadata": {
    "displayName": "Log Analytics workspace Id",
    "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
    "assignPermissions": true
  }
}
```

> `assignPermissions`: (Optional) Set as true to have Azure portal create role assignments during policy assignment. This property is useful in case you wish to assign permissions outside the assignment scope. There's one role assignment per role definition in the policy (or per role definition in all of the policies in the initiative). The parameter value must be a valid resource or scope. Link
Has anyone ever been able to find a solution to this one?
Did this resolve? I am also facing a similar issue. Did anyone get it working? Thanks
Terraform (and AzureRM Provider) Version
Affected Resource(s)

- `azurerm_policy_remediation`
- `azurerm_policy_assignment`
Terraform Configuration Files
The above will create a policy assignment, a remediation task and a role assignment and associated managed identity required to perform the actions specified in the "deployIfNotExists" in the JSON file at:
https://github.com/Mahir-Isikli/makeitrepeatable/blob/main/configurationPolicyAssignment/policyrule.json
Expected Behaviour
When the policy assignment is made, a managed identity should be created and granted permission with the explicit role assignment to deploy missing resources with a policy remediation in line with the deployIfNotExists condition
Actual Behaviour
Policy definition is created and assigned, but the remediation task does not deploy any missing resources.
Steps to Reproduce
References

- #6486