terraform-azurerm-policy-as-code

Removing Policies from initiative set definitions causes parameters to be removed

Open AndrewSutliff-insight opened this issue 1 year ago • 2 comments

You should probably consider not automatically adding parameters to initiative sets based off the parameters of the member definitions. Parameters CANNOT be removed once added.

│ Error: updating Policy Set Definition "adf_initiative": policy.SetDefinitionsClient#CreateOrUpdateAtManagementGroup: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicySetParameterUpdate" Message="The existing policy has '20' parameter(s) which is greater than the count of parameter(s) '19' in the policy being added. Policy parameters cannot be removed during policy update."

This is currently causing a HUGE headache, since we can't even remove one policy from our environment properly.

AndrewSutliff-insight avatar Aug 14 '24 12:08 AndrewSutliff-insight

resource "azurerm_policy_set_definition" "set" {
  name         = var.initiative_name
  display_name = var.initiative_display_name
  description  = var.initiative_description
  policy_type  = "Custom"

  management_group_id = var.management_group_id

  # local.parameters is generated from the member definitions' parameters;
  # removing a member shrinks this map, which Azure rejects on update.
  metadata   = jsonencode(local.metadata)
  parameters = length(local.parameters) > 0 ? jsonencode(local.parameters) : null

  dynamic "policy_definition_reference" {
    for_each = [for d in var.member_definitions : {
      id         = d.id
      ref_id     = replace(substr(title(replace(d.name, "/-|_|\\s/", " ")), 0, 64), "/\\s/", "")
      parameters = try(jsondecode(d.parameters), {})
      groups     = []
    }]

    content {
      policy_definition_id = policy_definition_reference.value.id
      reference_id         = policy_definition_reference.value.ref_id
      # Each member parameter is wired to an initiative-level parameter, either
      # a per-reference one (<name>_<ref_id>) or a shared one when merging.
      parameter_values = length(policy_definition_reference.value.parameters) > 0 ? jsonencode({
        for k in keys(policy_definition_reference.value.parameters) :
        k => {
          value = k == "effect" && var.merge_effects == false ? "[parameters('${format("%s_%s", k, policy_definition_reference.value.ref_id)}')]" : var.merge_parameters == false ? "[parameters('${format("%s_%s", k, policy_definition_reference.value.ref_id)}')]" : "[parameters('${k}')]"
        }
      }) : null
      policy_group_names = policy_definition_reference.value.groups
    }
  }

  timeouts {
    read = "10m"
  }
}

AndrewSutliff-insight avatar Aug 14 '24 12:08 AndrewSutliff-insight

Hi @AndrewSutliff-insight,

Which version of the modules are you using?

The latest will attempt to recreate the initiative and assignment based on replacement triggers for this very reason, which is in fact a Management API limitation.

gettek avatar Aug 19 '24 18:08 gettek
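The replacement-trigger approach gettek describes, written out as an added example (this is not the module's own code and is not taken from this thread). It assumes a `member_definitions` input of the same shape as above, a `terraform_data` resource (Terraform 1.4 or later) and the `azurerm_management_group_policy_assignment` resource; the variable names `initiative_name` and `management_group_id` and the fingerprint logic are assumptions for the example. The idea is to hash the member set and its parameter names, store that hash in `triggers_replace`, and let `replace_triggered_by` force a delete-and-create of the initiative (and its assignment) whenever the hash changes, so Azure never receives an in-place update that drops a parameter.

```hcl
# Added example, not code from the terraform-azurerm-policy-as-code module.
# Requires Terraform >= 1.4 for terraform_data and the azurerm provider.

variable "initiative_name" {
  type = string
}

variable "management_group_id" {
  type = string
}

# Assumed input shape: the same id/name/parameters objects the issue's
# module consumes; parameters is a JSON-encoded object or "".
variable "member_definitions" {
  type = list(object({
    id         = string
    name       = string
    parameters = string
  }))
}

locals {
  # Fingerprint of the member set and the parameter names each member declares.
  # Keys are sorted so ordering changes do not trigger a spurious replacement.
  member_fingerprint = sha256(jsonencode([
    for d in sort([for d in var.member_definitions : d.id]) : {
      id = d
      params = sort(keys(try(jsondecode(
        one([for m in var.member_definitions : m.parameters if m.id == d])
      ), {})))
    }
  ]))
}

# triggers_replace stores the fingerprint in state; when it changes, this
# resource is replaced, and replace_triggered_by below follows suit.
resource "terraform_data" "initiative_members" {
  triggers_replace = local.member_fingerprint
}

resource "azurerm_policy_set_definition" "set" {
  name                = var.initiative_name
  display_name        = var.initiative_name
  policy_type         = "Custom"
  management_group_id = var.management_group_id

  dynamic "policy_definition_reference" {
    for_each = var.member_definitions
    content {
      policy_definition_id = policy_definition_reference.value.id
      reference_id         = policy_definition_reference.value.name
    }
  }

  lifecycle {
    # Recreate instead of update whenever the member set (and so the derived
    # parameter list) changes, avoiding InvalidPolicySetParameterUpdate.
    replace_triggered_by = [terraform_data.initiative_members]
  }
}

# The assignment holds the set definition's id; replacing the definition
# must replace the assignment too, otherwise the delete of the old
# definition fails while an assignment still references it.
resource "azurerm_management_group_policy_assignment" "set" {
  name                 = substr(var.initiative_name, 0, 24)
  management_group_id  = var.management_group_id
  policy_definition_id = azurerm_policy_set_definition.set.id

  lifecycle {
    replace_triggered_by = [azurerm_policy_set_definition.set]
  }
}
```

Before applying, check `terraform plan` for `# forces replacement` on both resources when a member is removed; that is the expected path. Two trade-offs to be aware of: the trigger fires on additions as well as removals (Azure would accept an added parameter in place, but Terraform cannot compare the new map against prior state inside the configuration), and a replacement deletes and recreates the assignment, so compliance results for the initiative reset and there is a short window with no assignment in force.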

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar Sep 21 '24 02:09 github-actions[bot]