Closed anwarnk closed 10 months ago
Here's a quick workaround; the following azapi resource could do the same job as `az policy state trigger-scan --resource-group resource-group-name`:
```hcl
data "azurerm_client_config" "current" {}

variable "resource_group_name" {
  type = string
}

# Calls the triggerEvaluation action on the resource group's policyStates resource
resource "azapi_resource_action" "test" {
  type        = "Microsoft.PolicyInsights/policyStates@2019-10-01"
  resource_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.PolicyInsights/policyStates/latest"
  action      = "triggerEvaluation"
}
```
Does this solution work for you?
We are using OIDC, and when we add the azapi provider to our code it asks us to re-authenticate. The issue is we need to advise our end users with a simple way of triggering a scan, as such we have implemented the following:

```hcl
resource "null_resource" "scan" {
  depends_on = [azurerm_private_endpoint.xxxxxxxx]

  provisioner "local-exec" {
    command = "az policy state trigger-scan --resource-group ${var.rg_name} --subscription ${var.subscription}"
  }
}

resource "null_resource" "wait" {
  depends_on = [null_resource.scan]

  provisioner "local-exec" {
    command = "sleep 5m"
  }
}
```
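An added example, not posted by any participant in this thread: the same trigger-scan step, but instead of a fixed `sleep 5m` it polls until the deployIfNotExists policy has actually created the A record in the privatelink zone, with a timeout so a stuck remediation fails the run rather than hanging. The resource group, zone and record names are placeholders; it assumes an authenticated `az` CLI.

```bash
#!/usr/bin/env bash
# Added example (not the issue author's code): trigger a policy compliance
# scan, then wait for the private DNS A record rather than sleeping blindly.
set -euo pipefail

# Generic poll helper: runs "$@" every $interval seconds until it succeeds
# or $timeout seconds have elapsed. Returns 0 on success, 1 on timeout.
wait_for() {
  local timeout=$1 interval=$2 elapsed=0
  shift 2
  until "$@"; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for: $*" >&2
      return 1
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 0
}

# Probe: does the A record for the Key Vault exist in the privatelink zone?
# $1 = DNS zone resource group, $2 = zone name, $3 = record set name
a_record_exists() {
  az network private-dns record-set a show \
    --resource-group "$1" --zone-name "$2" --name "$3" \
    --query "aRecords[0].ipv4Address" -o tsv 2>/dev/null | grep -q .
}

# Trigger the scan (the CLI blocks until the evaluation finishes), then give
# the deployIfNotExists remediation up to 10 minutes to create the record.
# $1 = app resource group, $2 = DNS zone resource group, $3 = zone, $4 = record
trigger_scan_and_wait() {
  az policy state trigger-scan --resource-group "$1"
  wait_for 600 15 a_record_exists "$2" "$3" "$4"
}

# Usage with placeholder names:
# trigger_scan_and_wait my-app-rg connectivity-rg privatelink.vaultcore.azure.net my-kv
```

Wire `trigger_scan_and_wait` into the `local-exec` provisioner in place of the two `null_resource` blocks; secrets creation can then depend on that single resource.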
Hi @anwarnk, kindly ping: have you solved this issue with your approach?
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
We have policies in place to deny PaaS services being created with public endpoints, allowing only private networks. We also have a policy in place that denies creation of Private DNS Zones, and a policy to deploy if not exist into our central connectivity landing zone. The problem is that if we create a PaaS service, for example Key Vault, with a private endpoint using a GitHub self-hosted runner, it creates the Key Vault but fails on creating secrets, because it cannot communicate back to the Key Vault URI. The policy to create an A record in the Private DNS zone has not started, therefore the private DNS entry is not yet created. We have observed that it roughly takes 10 minutes before an entry is automatically created in Azure (although these times can vary). If we run a manual trigger scan policy `az policy state trigger-scan --resource-group resource-group-name`, then it is much quicker for the policy to create a DNS entry.
We have tried the remediation resource `azurerm_policy_remediation` with `resource_discovery_mode` set to `ReEvaluateCompliance`, with a depends on; however, it does not make a difference.
Is it possible to create a resource that could support policy state trigger-scan and wait for it to finish?
New or Affected Resource(s)/Data Source(s)
azurerm_policy_remediation