Policy Assignment and roleDefinitionIds

Hi!

For some diagnostic policies assigned at the management group, the corresponding roles are not granted. The policy definition already has a roleDefinitionIds property listing one or more roles, but after the assignment the managed identity does not hold those roles. Do I need to do something else explicitly in the assignment?

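locals {
  # Set of policy definition file names (relative to ./policy_definitions)
  # that drive the definition, naming and assignment resources below.
  # NOTE(review): fileset patterns are relative to the first argument; the
  # leading "/" in the pattern looks unintended — confirm it still matches.
  diagnostic_policys_from_json = toset(fileset("./policy_definitions", "/policy_definition_es_deploy_diagnostics*.json"))
}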

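# Parse every policy definition file exactly once, keyed by file name, so the
# resource below can look its document up via each.value instead of calling
# jsondecode(file(...)) eight times per definition.
locals {
  diagnostic_policy_documents = {
    for f in local.diagnostic_policys_from_json :
    f => jsondecode(file("./policy_definitions/${f}"))
  }
}

# One custom policy definition per JSON file, created at management-group
# scope. Field mapping follows the exported-definition layout:
# top-level "name" and the "properties" object.
resource "azurerm_policy_definition" "diagnostics-policies" {
  for_each = local.diagnostic_policys_from_json

  name         = local.diagnostic_policy_documents[each.value].name
  policy_type  = local.diagnostic_policy_documents[each.value].properties.policyType
  mode         = local.diagnostic_policy_documents[each.value].properties.mode
  display_name = local.diagnostic_policy_documents[each.value].properties.displayName
  description  = local.diagnostic_policy_documents[each.value].properties.description
  # metadata, policy_rule and parameters are string arguments in the provider,
  # so the decoded objects are re-encoded as JSON.
  metadata    = jsonencode(local.diagnostic_policy_documents[each.value].properties.metadata)
  policy_rule = jsonencode(local.diagnostic_policy_documents[each.value].properties.policyRule)
  parameters  = jsonencode(local.diagnostic_policy_documents[each.value].properties.parameters)

  management_group_name = azurerm_management_group.mg-postnordaz.name
}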

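# Stable random assignment name per policy definition. 10 bytes render as
# 20 hex characters; with the "as-" prefix the name is 23 characters, which
# keeps it under the 24-character limit for management-group-scope
# assignment names (the .hex attribute includes the prefix).
resource "random_id" "policies_on_mg_names" {
  for_each = azurerm_policy_definition.diagnostics-policies

  byte_length = 10
  prefix      = "as-"
}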

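# Assign each diagnostics policy at the management group with a
# system-assigned identity. Creating the identity grants it no RBAC: the
# roleDefinitionIds listed in the definition are only consulted by the
# portal's "create remediation" flow, so the role assignments further down
# must be created explicitly or the DeployIfNotExists remediation fails.
resource "azurerm_management_group_policy_assignment" "diag-policies-assign" {
  for_each = azurerm_policy_definition.diagnostics-policies

  name                 = random_id.policies_on_mg_names[each.key].hex
  display_name         = azurerm_policy_definition.diagnostics-policies[each.key].display_name
  policy_definition_id = azurerm_policy_definition.diagnostics-policies[each.key].id
  management_group_id  = azurerm_management_group.mg-postnordaz.id
  enforce              = true
  # A location is required whenever an identity block is declared.
  location = local.azure_location

  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    "logAnalytics" : {
      "value" : azurerm_log_analytics_workspace.law-mgmt-we.id,
    },
  })
}

# One (assignment, role) pair for every roleDefinitionId the policy rule
# declares under then.details. The policy_rule attribute is the JSON string
# set on the definition, so keys are known at plan time; definitions without
# roleDefinitionIds (e.g. audit-only effects) contribute nothing.
locals {
  diag_policy_role_bindings = {
    for pair in flatten([
      for key, def in azurerm_policy_definition.diagnostics-policies : [
        for role_id in try(jsondecode(def.policy_rule).then.details.roleDefinitionIds, []) : {
          key        = "${key}-${basename(role_id)}"
          assignment = key
          role_id    = role_id
        }
      ]
    ]) : pair.key => pair
  }
}

# Grant the assignment's managed identity exactly the roles its definition
# asks for, scoped to the same management group the policy is assigned to.
# roleDefinitionIds are full "/providers/Microsoft.Authorization/roleDefinitions/<id>"
# paths, which role_definition_id accepts directly.
resource "azurerm_role_assignment" "diag-policies-assign-roles" {
  for_each = local.diag_policy_role_bindings

  scope              = azurerm_management_group.mg-postnordaz.id
  role_definition_id = each.value.role_id
  principal_id       = azurerm_management_group_policy_assignment.diag-policies-assign[each.value.assignment].identity[0].principal_id
}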