hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azure_policy_assignment not creating identity with appropriate permissions #3743

Closed cncoats closed 3 years ago

cncoats commented 5 years ago

Terraform (and AzureRM Provider) Version

$ terraform -v
Terraform v0.12.3

Terraform Configuration Files


resource "azurerm_policy_definition" "nsg-policy" {
  name         = "Deploy Diagnostic Configuration for NSGs"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Deploy Diagnostic Configuration for NSGs"

  policy_rule = <<POLICY_RULE
  {
    "if": {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups"
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "name": "setbypolicy",
            "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "location": {
                      "type": "string"
                    },
                    "nsgName": {
                      "type": "string"
                    }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings",
                      "name": "[concat(parameters('nsgName'),'/Microsoft.Insights/setbypolicy')]",
                      "apiVersion": "2017-05-01-preview",
                      "location": "[parameters('location')]",
                      "properties": {
                        "workspaceId": "${azurerm_log_analytics_workspace.main.id}",
                        "logs": [
                          {
                            "category": "NetworkSecurityGroupEvent",
                            "enabled": true,
                            "retentionPolicy": {
                              "enabled": false,
                              "days": 0
                            }
                          },
                          {
                            "category": "NetworkSecurityGroupRuleCounter",
                            "enabled": true,
                            "retentionPolicy": {
                              "enabled": false,
                              "days": 0
                            }
                          }
                        ]
                      }
                    }
                  ]
                },
                "parameters": {
                  "location": {
                    "value": "[field('location')]"
                  },
                  "nsgName": {
                    "value": "[field('name')]"
                  }
                }
              }
            }
          }
        }
  }
  POLICY_RULE
}

 resource "azurerm_policy_assignment" "nsg" {
    name                    = "${azurerm_policy_definition.nsg-policy.name} - assignment"
    scope                   = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
    policy_definition_id    = "${azurerm_policy_definition.nsg-policy.id}"
    description             = "Policy Assignment to check NSGs for diagnostics configuration"
    display_name            = "${azurerm_policy_definition.nsg-policy.name} Assignment"
    location                = "centralus"

    identity {
        type = "SystemAssigned"
    }

    depends_on = ["azurerm_policy_definition.nsg-policy"]
}

Expected Behavior

When I create a policy assignment through the Portal on the same policy, it creates the identity with the appropriate permissions:

[screenshot]

Actual Behavior

The assignment created by my terraform creates the following:

[screenshot]

Steps to Reproduce

  1. terraform apply

lpohel commented 4 years ago

👍

pingwu90 commented 4 years ago

👍 I ended up going to the portal to save the assignment one more time. Then the MID worked as expected from then on.

sean-keane25 commented 4 years ago

This issue still exists in the latest provider.azurerm v2.20.0.

This MSFT doc discusses the steps to configure the managed identity via the portal or PowerShell but doesn't cover how to accomplish it via the REST API.

https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#manually-configure-the-managed-identity

This MSFT doc discusses the steps to configure the managed identity via the REST API.

https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#manually-configure-the-managed-identity

Perhaps it's not currently possible via the REST API to successfully set up the managed identity; based on my research, that remains unclear to me.

flobeier commented 3 years ago

The issue still exists.

jkroepke commented 3 years ago

I get this issue, too.

I want to create a "deployIfNotExists" policy through terraform from the documentation. https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale

The policy is created, but all parameters that have a "strongType" are empty. If I reset the value inside the UI, then the policy works.

tombuildsstuff commented 3 years ago

Permissions can be assigned using the azurerm_role_assignment resource - where the Principal ID would be the Principal ID from the Identity block of the Policy Assignment - as such this is possible in Terraform and I'm going to close this issue for the moment.

Thanks!
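The workaround described above, written out as an added example (not code from the issue or the provider's own docs): the policy assignment's system-assigned identity gets a role assignment at the same scope, matching the Contributor role GUID listed in the policy rule's roleDefinitionIds. It assumes the `azurerm_policy_definition.nsg-policy` resource from the issue and the azurerm 2.x resource names used on this page.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_policy_assignment" "nsg" {
  name                 = "nsg-diagnostics-assignment"
  scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
  policy_definition_id = azurerm_policy_definition.nsg-policy.id
  location             = "centralus"

  # deployIfNotExists needs an identity that the remediation deployments run as.
  identity {
    type = "SystemAssigned"
  }
}

# The role granted here must match the roleDefinitionIds in the policy rule.
# b24988ac-6180-42a0-ab88-20f7382dd24c is the built-in Contributor role.
# Keep the scope equal to the assignment scope so the identity cannot deploy
# outside the set of resources the policy is assigned to.
resource "azurerm_role_assignment" "nsg_policy_remediation" {
  scope                = azurerm_policy_assignment.nsg.scope
  role_definition_name = "Contributor"
  principal_id         = azurerm_policy_assignment.nsg.identity[0].principal_id

  # The identity is created in the same apply; skip the AAD lookup that can
  # otherwise fail while the new principal is still propagating.
  skip_service_principal_aad_check = true
}
```

After the apply, existing non-compliant NSGs still need a remediation task; the role assignment only makes the identity able to perform the deployment once remediation runs.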

github-actions[bot] commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.