Trying to replicate the example from the repo with a few little adjustments, here's the code I'm trying to make work:

Defining locals for mass processing of json files in a given folder:

```hcl
locals {
  iam_json_files = fileset("${path.module}/../../policies/IdentityAndAccess/", "*.json")
  iam_json_data  = { for f in local.iam_json_files : f => jsondecode(file("${path.module}/../../policies/IdentityAndAccess/${f}")) }
  asc_json_files = fileset("${path.module}/../../policies/Security Center/", "*.json")
  asc_json_data  = { for f in local.asc_json_files : f => jsondecode(file("${path.module}/../../policies/Security Center/${f}")) }
}
```

Iterating through json files to declare policy definition resources for each one of them:

```hcl
module "iam_test" {
  source              = "../../modules/definition"
  for_each            = local.iam_json_data
  policy_description  = each.value.properties.description
  policy_name         = each.key
  display_name        = each.value.properties.displayName
  policy_category     = each.value.properties.metadata.category
  policy_rule         = each.value.properties.policyRule
  management_group_id = data.azurerm_management_group.org.id
  policy_parameters   = each.value.properties.parameters
  policy_mode         = each.value.properties.mode
  policy_metadata     = each.value.properties.metadata
}

module "asc_test" {
  source              = "../../modules/definition"
  for_each            = local.asc_json_data
  policy_description  = each.value.properties.description
  policy_name         = each.key
  display_name        = each.value.properties.displayName
  policy_category     = each.value.properties.metadata.category
  policy_rule         = each.value.properties.policyRule
  management_group_id = data.azurerm_management_group.org.id
  policy_parameters   = each.value.properties.parameters
  policy_mode         = each.value.properties.mode
  policy_metadata     = each.value.properties.metadata
}
```

Combining the definitions into initiatives:

```hcl
module "asc_test_initiative" {
  source                  = "../../modules/initiative"
  initiative_name         = "asc_test_initiative"
  initiative_display_name = "ASC_builtin_test"
  initiative_description  = "BuiltIn Policy Test for ASC"
  initiative_category     = "Security Center"
  management_group_id     = data.azurerm_management_group.org.id
  member_definitions = [
    [for i in module.asc_test : i.definition],
    data.azurerm_policy_definition.owners_mfa_enabled
  ]
}

module "iam_test_initiative" {
  source                  = "../../modules/initiative"
  initiative_name         = "iam_test_initiative"
  initiative_display_name = "IAM_builtin_test"
  initiative_description  = "BuiltIn Policy Test for IAM"
  initiative_category     = "IdentityAndAccess"
  management_group_id     = data.azurerm_management_group.org.id
  member_definitions = [
    [for i in module.iam_test : i.definition],
    data.azurerm_policy_definition.owners_mfa_enabled
  ]
}
```

Assigning the initiatives:

```hcl
module "asc_assign_initiative" {
  source            = "../../modules/set_assignment"
  initiative        = module.asc_test_initiative.initiative
  assignment_scope  = data.azurerm_management_group.org.id
  assignment_effect = "AuditIfNotExists"

  # resource remediation options
  skip_role_assignment = false
  skip_remediation     = false

  # assignment_parameters = {
  # }
}

module "iam_assign_initiative" {
  source            = "../../modules/set_assignment"
  initiative        = module.iam_test_initiative.initiative
  assignment_scope  = data.azurerm_management_group.org.id
  assignment_effect = "AuditIfNotExists"

  # resource remediation options
  skip_role_assignment = false
  skip_remediation     = false

  # assignment_parameters = {
  # }
}
```

Naturally, the code executes and shows all my locally stored custom policy definitions in the plan to be deployed, but when it reaches the data resource in member_definitions, it fails:

How can I fix this?
Hi @thelumlaa,

Definitions

The Definitions module has the parameter file_path which should simplify some of your code:

```hcl
module "iam_test" {
  source = "..//modules/definition"
  for_each = {
    for p in fileset(path.module, "../../policies/IdentityAndAccess/*.json") :
    trimsuffix(basename(p), ".json") => pathexpand(p)
  }
  file_path           = each.value
  management_group_id = data.azurerm_management_group.org.id
}
```

This presumes your json files contain all the appropriate properties such as name, description, metadata etc.; if not, they can be overridden at run time by adding the values to the module resource above.

Initiatives

In regards to your member_definitions issue, I've not tes…

```hcl
member_definitions = concat(
  [for i in module.iam_test : i.definition],
  [data.azurerm_policy_definition.owners_mfa_enabled]
)
```

Assignments

Final note: built-in definitions/initiatives that deploy or modify require role_definition_ids be present:

```hcl
# built-ins that deploy/modify require role_definition_ids be present
role_definition_ids = [
  data.azurerm_role_definition.vm_contributor.id
]
```
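The reply above presumes every JSON file under the policies folder already carries the properties the definition module reads (displayName, description, mode, metadata.category, policyRule, parameters), and that anything with a deploy/modify effect brings its own role definitions. Terraform only reports a missing key once `terraform plan` evaluates that particular `each.value`, so a pre-flight check over the folder catches the problem earlier and names the file. The script below is an added example, not part of the question, the reply or the Terraform module; it keys results by the file stem, mirroring `trimsuffix(basename(p), ".json")` in the reply, follows a `[parameters('effect')]` reference to the parameter's defaultValue, and flags DeployIfNotExists/Modify definitions that lack `then.details.roleDefinitionIds`. The two sample definitions are constructed for the example, and the set of effects treated as "needs roles" is an assumption about what the set_assignment module's remediation needs.

```python
"""Pre-flight validator for Azure Policy definition JSON files before they are
fed to Terraform through for_each over fileset(). Added example; the property
names checked are the ones the question's module inputs read."""
from __future__ import annotations

import json
import re
from pathlib import Path

REQUIRED = ("displayName", "description", "mode", "metadata", "policyRule")
# Assumption: these effects create or change resources, so the definition needs
# then.details.roleDefinitionIds and the assignment needs role_definition_ids.
ROLE_EFFECTS = {"deployifnotexists", "modify"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve_effect(rule: dict, params: dict) -> str:
    """Return the effect literal, following a [parameters('x')] reference to
    that parameter's defaultValue; '' when it cannot be resolved."""
    effect = str(rule.get("then", {}).get("effect", ""))
    match = PARAM_REF.match(effect)
    if not match:
        return effect
    return str(params.get(match.group(1), {}).get("defaultValue", ""))


def validate_definition(name: str, doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the file is usable."""
    errors: list[str] = []
    props = doc.get("properties")
    if not isinstance(props, dict):
        return [f"{name}: top-level 'properties' object missing"]
    errors += [f"{name}: properties.{k} missing" for k in REQUIRED if k not in props]
    meta = props.get("metadata", {})
    if isinstance(meta, dict) and "category" not in meta:
        errors.append(f"{name}: properties.metadata.category missing")
    mode = props.get("mode")
    # Valid modes are All, Indexed, or a Resource Provider mode such as
    # Microsoft.Kubernetes.Data (always contains a dot).
    if mode is not None and mode not in ("All", "Indexed") and "." not in str(mode):
        errors.append(f"{name}: mode {mode!r} is neither All/Indexed nor a provider mode")
    rule = props.get("policyRule")
    if isinstance(rule, dict):
        if "if" not in rule or "then" not in rule:
            errors.append(f"{name}: policyRule needs both 'if' and 'then'")
        else:
            effect = resolve_effect(rule, props.get("parameters", {}))
            if not effect:
                errors.append(f"{name}: policyRule.then.effect could not be resolved")
            elif effect.lower() in ROLE_EFFECTS:
                details = rule["then"].get("details", {})
                if not details.get("roleDefinitionIds"):
                    errors.append(f"{name}: effect {effect} needs then.details.roleDefinitionIds")
    return errors


def validate_folder(folder: Path) -> dict[str, list[str]]:
    """Validate every *.json in a folder, keyed by the stem that becomes the
    policy name (same key as trimsuffix(basename(p), ".json") in Terraform)."""
    results: dict[str, list[str]] = {}
    for path in sorted(folder.glob("*.json")):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            results[path.stem] = [f"{path.stem}: invalid JSON ({exc.msg} at line {exc.lineno})"]
            continue
        results[path.stem] = validate_definition(path.stem, doc)
    return results


# Constructed sample files (name -> JSON text), not real policies from the repo.
SAMPLES = {
    "sample-audit": json.dumps({"properties": {
        "displayName": "Audit sample", "description": "Constructed audit policy",
        "mode": "Indexed", "metadata": {"category": "IdentityAndAccess"},
        "parameters": {"effect": {"type": "String", "defaultValue": "AuditIfNotExists",
                                  "allowedValues": ["AuditIfNotExists", "Disabled"]}},
        "policyRule": {"if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                       "then": {"effect": "[parameters('effect')]"}}}}),
    "sample-modify": json.dumps({"properties": {
        "displayName": "Modify sample", "description": "Constructed modify policy",
        "mode": "Everything", "metadata": {"version": "1.0.0"}, "parameters": {},
        "policyRule": {"if": {"field": "tags['env']", "exists": "false"},
                       "then": {"effect": "Modify", "details": {"operations": []}}}}}),
}


def check_samples() -> dict[str, list[str]]:
    """Run the validator over the constructed samples (no files needed)."""
    return {name: validate_definition(name, json.loads(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, errs in check_samples().items():
        print(name, "OK" if not errs else "\n  " + "\n  ".join(errs))
```

Run it with `python validate_policies.py` for the built-in samples, or call `validate_folder(Path("policies/IdentityAndAccess"))` and fail the CI job when any list is non-empty; the same stems it reports are the `each.key` values Terraform would use, so a failing entry maps straight onto the module instance that would have errored in `plan`.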