Support for role_definition_ids argument in azurerm_policy_definition

[schwarzzz]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The JSON specification of an Azure policy definition contains a set of roles required for remediation (e.g. deployIfNotExists):

"details": {
    ...
    "roleDefinitionIds": [
        "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
        "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
    ]
}

The Azure portal takes these role IDs and assigns them to the managed identity during a policy assignment. When the portal is not used, role assignments need to be implemented explicitly:

When using the portal, Azure Policy automatically grants the managed identity the listed roles once assignment starts. When using an Azure software development kit (SDK), the roles must manually be granted to the managed identity.
Remediate non-compliant resources with Azure Policy.

In terraform, I need to "repeat" the role definitions in my code (e.g. by using data elements) in order to create the role assignments according to the policy definition. This is inconvenient, redundant and error prone. It would nice, if the azurerm_policy_definition resource would expose the role IDs of the definition as an argument.

Then it would be possible to write a "generic" role assignment using the policy definition's role definitions.

New or Affected Resource(s)/Data Source(s)

azurerm_policy_definition

Potential Terraform Configuration

provider "azurerm" {
  features {
  }
}

data "azurerm_subscription" "current" {
}

# Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace
data "azurerm_policy_definition" "diag_settings_for_key_vault" {
  name = "951af2fa-529b-416e-ab6e-066fd85ac459"
}

resource "azurerm_subscription_policy_assignment" "diag_settings_for_key_vault" {
  name     = "diag-settings-for-key-vault"
  location = "westeurope"

  subscription_id = data.azurerm_subscription.current
  policy_definition_id = data.azurerm_policy_definition.diag_settings_for_key_vault.id

  identity {
    type = "SystemAssigned"
  }

  parameters = <<PARAMS
    {
      "logAnalytics": {
        "value": "..."
      }
    }
PARAMS
}

resource "azurerm_role_assignment" "policy_msi" {
  for_each = data.azurerm_policy_definition.diag_settings_for_key_vault.role_definition_ids

  scope                = data.azurerm_subscription.current.id
  role_definition_name = each.value
  principal_id         = azurerm_subscription_policy_assignment.diag_settings_for_key_vault.identity[0].principal_id
}

References

• Policy assignments do not create role assignments for the managed identity; deployIfNotExist actions fail #17988

[github-actions]

This functionality has been released in v3.21.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.