Policy Assignment and managed identity

Hi everyone

My assignment looks like this:

resource "azurerm_policy_assignment" "AssRGTags" {
  name                 = "AssRGTags"
  scope                = azurerm_management_group.mymanagementgroup.id
  policy_definition_id = azurerm_policy_set_definition.level01RGTagsHeredity.id
  description          = "Policy Assignment RG Tag Heredity"
  display_name         = "AssRGTagsHeredityDevInt"
  location             = "westeurope"

  parameters = <<PARAMETERS
    {  }
PARAMETERS

  depends_on = [azurerm_policy_set_definition.level01RGTagsHeredity]

  identity {
    type = "SystemAssigned"
  }
}

The definition and the assignment look fine, but if I try to start a “Remediation Task”, the following error message appears:

The managed identity for this assignment does not have the appropriate permissions to remediate these resources. To add these permissions, go to the Edit Assignment page for this Policy and re-save it.

How can I deploy an assignment with the proper permissions set?

Thanks for any ideas …

Adrian

Were you able to fix this?

… I’m also experiencing the same issue. Any fix to this?

Long story short:
If you deploy an Azure Policy / Azure Initiative assignment at Azure Management Group level in a non-portal way (ARM Templates / Terraform), then take care of the role assignment for the MSI created during the assignment on your own.

The best way is to assign a role at required scope by using: https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html

I wrote an article explaining other workaround ways here:
https://automate.guru/fix-msi-role-assignment/

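Putting the answer above together with Adrian’s original assignment, here is an added example (not code from either poster) of the Terraform pattern: the policy assignment creates the system-assigned identity, and a separate azurerm_role_assignment grants that identity a role at the management-group scope so that remediation tasks can act on the resources underneath it. The resource names and the choice of the Contributor role are assumptions; the role should match the roleDefinitionIds declared in the policy’s modify / deployIfNotExists details, which is the least privilege that remediation actually needs.

```hcl
# The assignment itself; the identity block makes Azure create a managed
# identity (MSI) for it, but creates no role assignment for that identity.
resource "azurerm_policy_assignment" "AssRGTags" {
  name                 = "AssRGTags"
  scope                = azurerm_management_group.mymanagementgroup.id
  policy_definition_id = azurerm_policy_set_definition.level01RGTagsHeredity.id
  description          = "Policy Assignment RG Tag Heredity"
  display_name         = "AssRGTagsHeredityDevInt"
  location             = "westeurope"

  parameters = <<PARAMETERS
{}
PARAMETERS

  identity {
    type = "SystemAssigned"
  }
}

# Grant the assignment's MSI the role remediation needs, at the same scope
# as the assignment (every subscription under the management group).
# "Contributor" is an assumption here: use the narrowest role listed in the
# policy definition's roleDefinitionIds instead where the policy allows it.
resource "azurerm_role_assignment" "AssRGTags_remediation" {
  scope                = azurerm_management_group.mymanagementgroup.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_policy_assignment.AssRGTags.identity[0].principal_id
}
```

The principal_id reference makes Terraform create the role assignment only after the policy assignment (and its identity) exists, so no explicit depends_on is needed. Role assignments can take a few minutes to propagate in Azure, so a remediation task started immediately after `terraform apply` may still report the permissions error once; verify the grant on the management group’s Access control (IAM) page before retrying.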