
design / use of policy_definition_reference in azurerm_policy_set_definition #8030

Closed
tbugfinder opened this issue Aug 6, 2020 · 4 comments

Comments

@tbugfinder

tbugfinder commented Aug 6, 2020

Hello,

I'm wondering about the design of implementation #7018 and marking previous options as deprecated.
Looking at deprecating policy_definitions in favor of policy_definition_reference it is getting impossible to write a generic terraform module to support use of dynamic policy_definition_reference as keys are too broad to be pre-defined.

Could anybody share how they use dynamic policy_definition_reference within a generic policy terraform module?

Thanks.

@ArcturusZhang
Contributor

Hi @tbugfinder thanks for this issue!

It should be possible to use dynamic policy_definition_reference in terraform modules. I just tried this very simple module:

variable "policy_name" {
  type = string
}

variable "policy_type" {
  type = string
}

variable "policy_display_name" {
  type = string
}

variable "parameters" {
  type = string
}

variable "definition_references" {
  type = list(object({
    policy_definition_id = string
    parameters           = map(string)
    reference_id         = string
  }))
}

resource "azurerm_policy_set_definition" "test" {
  name         = var.policy_name
  policy_type  = var.policy_type
  display_name = var.policy_display_name

  parameters = var.parameters

  dynamic "policy_definition_reference" {
    for_each = toset(var.definition_references)

    content {
      policy_definition_id = policy_definition_reference.key.policy_definition_id
      parameters           = policy_definition_reference.key.parameters
      reference_id         = policy_definition_reference.key.reference_id
    }
  }
}

output "policy_definition_reference_ids" {
  value = azurerm_policy_set_definition.test.policy_definition_reference.*.reference_id
}

In this module, I defined some primitive variables like name, policy_type, display_name, parameters and a list of objects which corresponds to the policy_definition_reference set. And since there is an output value reference_id (and for reference, this output is the reason why we have to deprecate the old attribute policy_definitions), I also added an output to accumulate all of the policy_definition_reference_ids.

To use this simple module, I tried this

provider "azurerm" {
    features {}
    version = ">=2.21.0"
}

module "test" {
    source = "../module"
    policy_name = "test-policy"
    policy_type = "Custom"
    policy_display_name = "test-display-name"
    parameters = <<PARAMETERS
    {
        "allowedLocations": {
            "type": "Array",
            "metadata": {
                "description": "The list of allowed locations for resources.",
                "displayName": "Allowed locations",
                "strongType": "location"
            }
        }
    }
PARAMETERS
    definition_references = [
        {
            policy_definition_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/policy1"
            parameters = {
                logsEnabled = "[parameters('logsEnabled')]"
            }
            reference_id = null
        },
        {
            policy_definition_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/policy2"
            parameters = {
                logsEnabled = "[parameters('logsEnabled')]"
            }
            reference_id = null
        }
    ]
}

output "reference_ids" {
    value = module.test.policy_definition_reference_ids
}

And then I ran a terraform plan (I cannot terraform apply since the policy_definition_ids are dummy) and got the expected result:

Terraform will perform the following actions:

  # module.test.azurerm_policy_set_definition.test will be created
  + resource "azurerm_policy_set_definition" "test" {
      + display_name          = "test-display-name"
      + id                    = (known after apply)
      + management_group_id   = (known after apply)
      + management_group_name = (known after apply)
      + metadata              = (known after apply)
      + name                  = "test-policy"
      + parameters            = jsonencode(
            {
              + allowedLocations = {
                  + metadata = {
                      + description = "The list of allowed locations for resources."
                      + displayName = "Allowed locations"
                      + strongType  = "location"
                    }
                  + type     = "Array"
                }
            }
        )
      + policy_definitions    = (known after apply)
      + policy_type           = "Custom"

      + policy_definition_reference {
          + parameters           = {
              + "logsEnabled" = "[parameters('logsEnabled')]"
            }
          + policy_definition_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/policy1"
          + reference_id         = (known after apply)
        }
      + policy_definition_reference {
          + parameters           = {
              + "logsEnabled" = "[parameters('logsEnabled')]"
            }
          + policy_definition_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/policy2"
          + reference_id         = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Hope this helps, thanks
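A variant of the module above that keys the members by reference_id, added here as an illustration; it is not code from this thread or from the provider. It assumes Terraform 0.13 or later (for the variable validation block) and the provider schema visible in the plan output above, where policy_definition_reference.parameters is a map of strings; the module path, resource and policy names, and the parameter values are placeholders, and the subscription ID is the same dummy one used in the thread. The two parts below live in separate directories (the module and the root configuration that calls it).

```hcl
# ---- modules/policy_set/main.tf (hypothetical path) ----

variable "name" {
  type = string
}

variable "display_name" {
  type = string
}

variable "parameters" {
  # JSON document with the initiative-level parameters, or null for none
  type    = string
  default = null
}

variable "definition_references" {
  # Map key = reference_id, value = the member definition.
  # Keying by reference_id makes every id deterministic and known at plan time,
  # instead of "(known after apply)" when reference_id is left null.
  type = map(object({
    policy_definition_id = string
    parameters           = map(string)
  }))

  validation {
    # Reject anything that is not a policy definition resource ID (subscription-,
    # management-group-scoped or built-in), so a typo fails at plan, not apply.
    condition = alltrue([
      for k, v in var.definition_references :
      can(regex("^(/subscriptions/[^/]+|/providers/Microsoft\\.Management/managementGroups/[^/]+)?/providers/Microsoft\\.Authorization/policyDefinitions/[^/]+$", v.policy_definition_id))
    ])
    error_message = "Every policy_definition_id must be a full Azure policy definition resource ID."
  }
}

resource "azurerm_policy_set_definition" "this" {
  name         = var.name
  policy_type  = "Custom"
  display_name = var.display_name
  parameters   = var.parameters

  dynamic "policy_definition_reference" {
    for_each = var.definition_references

    content {
      reference_id         = policy_definition_reference.key
      policy_definition_id = policy_definition_reference.value.policy_definition_id
      parameters           = policy_definition_reference.value.parameters
    }
  }
}

output "policy_definition_reference_ids" {
  # reference_id => policy definition it points at, for auditing the set's membership
  value = {
    for ref in azurerm_policy_set_definition.this.policy_definition_reference :
    ref.reference_id => ref.policy_definition_id
  }
}

# ---- root main.tf (constructed caller) ----

module "guardrails" {
  source       = "./modules/policy_set" # hypothetical path
  name         = "example-guardrails"
  display_name = "Example guardrails"

  # jsonencode() avoids heredoc indentation mistakes in the parameters document
  parameters = jsonencode({
    logsEnabled = {
      type         = "String"
      defaultValue = "True"
      metadata     = { description = "Whether diagnostic logs must be enabled." }
    }
  })

  definition_references = {
    "audit-policy1" = {
      policy_definition_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/policy1"
      parameters           = { logsEnabled = "[parameters('logsEnabled')]" }
    }
    "audit-policy2" = {
      policy_definition_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/policy2"
      parameters           = {}
    }
  }
}

output "reference_ids" {
  value = module.guardrails.policy_definition_reference_ids
}
```

Because the map key becomes the reference_id, terraform plan prints each member's reference_id as a literal rather than "(known after apply)", so the composition of the initiative can be reviewed before anything is created, and the validation block turns a malformed policy_definition_id into a plan-time error instead of a failed apply.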

@tbugfinder
Author

Hi @ArcturusZhang
thank you very much for the above detailed input - that's really appreciated.
I'll replay it next week.

@ghost ghost removed the waiting-response label Aug 8, 2020
@tbugfinder
Author

Hi @ArcturusZhang ,
thank you very much for the detailed guidance. Having that I was able to apply it successfully.

@ghost

ghost commented Sep 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 12, 2020