Hi,
I need to deploy Azure policies using Terraform. We had the tf files created, but with some policies we need to use the policy_rule argument.
We have 3 original files:
main.tf
data "azurerm_policy_definition" "policy" {
  display_name = var.POLICY_NAME
}

data "azurerm_resource_group" "policy" {
  for_each = { for excluded_scope in var.EXCLUDED_SCOPES : excluded_scope => excluded_scope }
  name     = each.value
}

resource "azurerm_policy_assignment" "policy" {
  name                 = var.NAME == "" ? var.POLICY_NAME : var.NAME
  scope                = var.SCOPE_ID
  policy_definition_id = data.azurerm_policy_definition.policy.id
  location             = var.LOCATION
  description          = var.DESCRIPTION
  display_name         = var.DISPLAY_NAME
  parameters           = var.PARAMETERS
  not_scopes           = [for excluded_scope in data.azurerm_resource_group.policy : excluded_scope.id]

  dynamic "identity" {
    for_each = var.IDENTITY_TYPE != null ? [""] : []
    content {
      type = var.IDENTITY_TYPE
    }
  }
}
outputs.tf
output "policy_id" {
  value = azurerm_policy_assignment.policy.id
}

# output "policy_sp_id" {
#   value = azurerm_policy_assignment.policy.identity[0].principal_id
# }

output "identity" {
  value = azurerm_policy_assignment.policy.identity
}
and variables.tf
variable "NAME" {}
variable "SCOPE_ID" {}
variable "POLICY_NAME" {}
variable "IDENTITY_TYPE" { default = null }
variable "LOCATION" { default = null }
variable "DESCRIPTION" { default = null }
variable "DISPLAY_NAME" { default = null }
variable "PARAMETERS" { default = null }
variable "EXCLUDED_SCOPES" {
  type    = list(string)
  default = []
}
Our first policy to deploy uses this file:
module "TLSminVersion" {
  source       = "./policy"
  NAME         = "TLS Min Version"
  DISPLAY_NAME = "TLS Min Version"
  SCOPE_ID     = azurerm_management_group.GTMotive.id
  POLICY_NAME  = "TLS Min Version"
  /* POLICY_TYPE = "Custom"  STILL NEED TO DECLARE THIS IN THE VARIABLES AND IN MAIN */
  policy_rule = <<-POLICY_RULE
    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "notEquals": "TLS1_2"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  POLICY_RULE
}
But policy_rule argument was not originally added to our files, so I modified the variables.tf file:
variable "NAME" {}
variable "SCOPE_ID" {}
variable "POLICY_NAME" {}
variable "IDENTITY_TYPE" { default = null }
variable "LOCATION" { default = null }
variable "DESCRIPTION" { default = null }
variable "DISPLAY_NAME" { default = null }
variable "PARAMETERS" { default = null }
variable "POLICY_RULE" { default = null }
variable "EXCLUDED_SCOPES" {
  type    = list(string)
  default = []
}
It was deployed by terraform with no issues.
Then I thought that I need to add the same variable to main.tf:
data "azurerm_policy_definition" "policy" {
  display_name = var.POLICY_NAME
}

data "azurerm_resource_group" "policy" {
  for_each = { for excluded_scope in var.EXCLUDED_SCOPES : excluded_scope => excluded_scope }
  name     = each.value
}

resource "azurerm_policy_assignment" "policy" {
  name                 = var.NAME == "" ? var.POLICY_NAME : var.NAME
  scope                = var.SCOPE_ID
  policy_definition_id = data.azurerm_policy_definition.policy.id
  location             = var.LOCATION
  description          = var.DESCRIPTION
  display_name         = var.DISPLAY_NAME
  parameters           = var.PARAMETERS
  policy_rule          = var.POLICY_RULE
  not_scopes           = [for excluded_scope in data.azurerm_resource_group.policy : excluded_scope.id]

  dynamic "identity" {
    for_each = var.IDENTITY_TYPE != null ? [""] : []
    content {
      type = var.IDENTITY_TYPE
    }
  }
}
But this was the result:
Error: Unsupported argument

  on policy/main.tf line 18, in resource "azurerm_policy_assignment" "policy":
  18:   policy_rule = var.POLICY_RULE

An argument named "policy_rule" is not expected here.
Does anyone know why it shows this error?
Thanks!
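The following is an added worked example, not code from the original post: it shows the split between the two azurerm resources that the error above is pointing at. In the azurerm provider, `policy_rule` (together with `policy_type` and `mode`) is an argument of the `azurerm_policy_definition` resource, which creates the policy; `azurerm_policy_assignment` only takes a `policy_definition_id` and has no `policy_rule` argument, which is why Terraform rejects it there. The module below keeps the post's variable names and creates a custom definition only when `POLICY_RULE` is set, falling back to the existing data-source lookup of a built-in definition otherwise. The definition `name` `tls-min-version`, the `mode = "All"` choice, and the assumption that `SCOPE_ID` is a management group resource ID (as in the post's `azurerm_management_group.GTMotive.id`) are the example's own assumptions.

```hcl
# policy/variables.tf (added example; same names as the post's module)
variable "NAME" {}
variable "SCOPE_ID" {}
variable "POLICY_NAME" {}
variable "DISPLAY_NAME" { default = null }
variable "POLICY_RULE" { default = null }

# policy/main.tf (added example)

# Custom policy: only created when the caller passes a POLICY_RULE.
# The rule body lives on the definition, not on the assignment.
resource "azurerm_policy_definition" "custom" {
  count               = var.POLICY_RULE != null ? 1 : 0
  name                = "tls-min-version"          # assumed identifier; Azure policy names must be URL-safe
  policy_type         = "Custom"
  mode                = "All"
  display_name        = var.POLICY_NAME
  management_group_id = var.SCOPE_ID               # assumes SCOPE_ID is a management group ID
  policy_rule         = var.POLICY_RULE
}

# Built-in policy: looked up by display name when no POLICY_RULE is given.
data "azurerm_policy_definition" "builtin" {
  count        = var.POLICY_RULE == null ? 1 : 0
  display_name = var.POLICY_NAME
}

locals {
  # Pick whichever definition exists for this module instance.
  policy_definition_id = var.POLICY_RULE != null ? azurerm_policy_definition.custom[0].id : data.azurerm_policy_definition.builtin[0].id
}

# The assignment references the definition by ID; it never carries the rule itself.
resource "azurerm_policy_assignment" "policy" {
  name                 = var.NAME == "" ? var.POLICY_NAME : var.NAME
  scope                = var.SCOPE_ID
  policy_definition_id = local.policy_definition_id
  display_name         = var.DISPLAY_NAME
}

# Root module call (added example): note the argument name matches the
# module variable POLICY_RULE, and the heredoc must be valid JSON.
module "TLSminVersion" {
  source       = "./policy"
  NAME         = "TLS Min Version"
  DISPLAY_NAME = "TLS Min Version"
  SCOPE_ID     = azurerm_management_group.GTMotive.id
  POLICY_NAME  = "TLS Min Version"
  POLICY_RULE  = <<-POLICY_RULE
    {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2" },
              { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false" }
            ]
          }
        ]
      },
      "then": { "effect": "audit" }
    }
  POLICY_RULE
}
```

Two practical checks before applying: run `terraform validate` to confirm the heredoc parses as JSON (a stray comma in `policy_rule` fails at plan time, not at apply), and keep `effect` at `audit` until the compliance report confirms the rule matches only the intended storage accounts, then move to `deny`. On azurerm provider 3.x the generic `azurerm_policy_assignment` resource has been removed in favour of scope-specific ones such as `azurerm_management_group_policy_assignment`; the placement of `policy_rule` on the definition is the same there.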