
Archetype_config_overrides not working on extended archetype

Open nyanhp opened this issue 11 months ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.7.4

azure provider: 3.95.0

module: ~>5.0.0

Description

Describe the bug

Using archetype_config_overrides, the landing-zones archetype is not overridden with regard to policy assignments. Other archetypes like the platform can be successfully modified. What I suspect is that the extension to the landing zones might be the reason.

Why do both? We use the same project to manage multiple root ids. The extensions are used globally if you will, the overrides are used per root id. I've not found anything in the docs regarding the merging behavior.

Steps to Reproduce

Create an extension archetype_extension_es_landing_zones.tmpl.json in your library folder.

{
    "extend_es_landing_zones": {
        "policy_assignments": [
            "Deploy-Private-DNS-Zones"
        ],
        "policy_definitions": [],
        "policy_set_definitions": [],
        "role_definitions": [],
        "archetype_config": {
            "access_control": {},
            "parameters": {}
        }
    }
}

Plan changes and notice that no changes are planned for the landing-zones MG that pertain to changing the enforcement mode of Deny-Subnet-Without-Nsg.

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~>5.0.0"

  default_location = var.default_location

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm.connectivity
    azurerm.management   = azurerm.management
    azurerm.identity     = azurerm.identity
  }

  root_parent_id               = data.azurerm_client_config.core.tenant_id
  root_id                      = var.root_id
  root_name                    = var.root_name
  subscription_id_connectivity = local.subscriptions.connectivity
  subscription_id_management   = local.subscriptions.management
  subscription_id_identity     = local.subscriptions.identity

  strict_subscription_association = false

  deploy_core_landing_zones        = true
  deploy_connectivity_resources    = true
  deploy_identity_resources        = true
  deploy_management_resources      = true
  configure_connectivity_resources = local.network_config
  configure_identity_resources     = local.identity_config
  configure_management_resources   = local.management_config
  disable_telemetry                = true
  library_path                     = "${path.module}/../configurationdata/es_lib"

  archetype_config_overrides = {
    "${var.root_id}-platform" = {
      parameters = {}
      enforcement_mode = {
        Enforce-GR-KeyVault = false
      }
    }
    "${var.root_id}-landing-zones" = {
      parameters = {}
      enforcement_mode = {
        Deny-Subnet-Without-Nsg = false
      }
    }
  }

  custom_landing_zones = yamldecode(templatefile("${path.module}/../configurationdata/${var.root_id}/nonstandard-management-groups.yml", {
    rootid = var.root_id
  }))
}

nyanhp avatar Mar 14 '24 10:03 nyanhp
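A way to verify the symptom described above without eyeballing the plan: compare the enforcement_mode entries of the overrides map against the policy assignment updates in a `terraform show -json` dump. This is an added example for this issue, not code from the reporter or from the caf-enterprise-scale module; the plan it parses is a constructed sample with a `contoso` root id, and it relies only on the `name`, `management_group_id` and `enforce` attributes of `azurerm_management_group_policy_assignment` in the azurerm provider.

```python
"""Check a `terraform show -json plan.out` dump for the enforcement-mode
changes an archetype_config_overrides block is expected to produce."""
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample plan: the platform override is planned as an update,
# the landing-zones assignment stays a no-op (the symptom in this issue).
def _assignment(mg, name, before, after, actions):
    scope = MG_PREFIX + mg
    return {"type": "azurerm_management_group_policy_assignment",
            "change": {"actions": actions,
                       "before": {"name": name, "management_group_id": scope, "enforce": before},
                       "after": {"name": name, "management_group_id": scope, "enforce": after}}}

SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    _assignment("contoso-platform", "Enforce-GR-KeyVault", True, False, ["update"]),
    _assignment("contoso-landing-zones", "Deny-Subnet-Without-Nsg", True, True, ["no-op"]),
]})

# Mirrors the enforcement_mode blocks of the archetype_config_overrides map.
OVERRIDES = {"contoso-platform": {"Enforce-GR-KeyVault": False},
             "contoso-landing-zones": {"Deny-Subnet-Without-Nsg": False}}

def planned_enforcement(plan_text):
    """Map (management group, assignment) -> (enforce before, enforce after) for planned updates."""
    planned = {}
    for rc in json.loads(plan_text).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_management_group_policy_assignment" \
                or "update" not in change.get("actions", []):
            continue
        before, after = change["before"], change["after"]
        mg = after["management_group_id"].removeprefix(MG_PREFIX)
        planned[(mg, after["name"])] = (before.get("enforce"), after.get("enforce"))
    return planned

def missing_overrides(plan_text, overrides):
    """Return (management group, assignment) pairs whose requested enforcement mode is not in the plan."""
    planned = planned_enforcement(plan_text)
    return [(mg, name) for mg, modes in overrides.items()
            for name, enforce in modes.items()
            if planned.get((mg, name), (None, None))[1] != enforce]

if __name__ == "__main__":
    for mg, name in missing_overrides(SAMPLE_PLAN, OVERRIDES):
        print(f"override for {name} on {mg} is not in the plan")
```

Run it against a real dump by replacing SAMPLE_PLAN with the contents of `terraform show -json plan.out`; any pair it lists is an override the module did not translate into a planned change.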