Is there an example/walkthrough on how to create a Policy Initiative with multiple entries for same member_definitions

[pmatthews05]

Hi,
First of all, these modules have saved me so much time, and so simple to use. So thank you.

The readme for the Policy Initiative module states that Multiple entries of the same member_definitions are not currently supported.

💡 Note: Multiple entries of the same member_definitions are not currently supported, if you require the same definition to be present more than once you may use this module to create the initiative json which you can then edit to add unique parameter and definition references.

The note above states that you can use the module to create the initiative json, then edit to add unique parameters and definition references. Do you have an example of this? Or a walkthrough on how to do this?

[gettek]

Hi @pmatthews05, pleased to here these modules have been useful to you.

I wonder if the answer in #40 can help, it basically creates multiple copies of the same definition with a unique name each time... I don't have a walkthrough but you can use the initiative module to create the json output which in turn can be modified with unique parameter references. Be sure to set merge_parameters = false. Once the initiative is created, navigate to the Azure Portal and download / copy the json. The only caveat with this is it remains a manual task, more of an Azure limitation than Terraform. See also #37

[pmatthews05]

Hi @gettek,
Thank you for getting back to me. I've found a way of doing what I wanted to do, using a combination of standard terraform code to create initiative, then used your set_assignment module.

data "azurerm_management_group" "management_group" {
  display_name = "Sandbox"
}
data "azurerm_policy_definition" "tags_inherit_a_tag_from_rg_definition" {
  display_name = "Inherit a tag from the resource group"
}
data "azurerm_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_policy_set_definition" "tags_inherit_a_tag_and_value_from_rg_initiative" {
  display_name        = "Inherits Tag from Resource Group"
  name                    = "Inherit_Tag_Management"
  policy_type           = "Custom"
  management_group_id = data.azurerm_management_group.management_group.id

  parameters = <<PARAMETERS
    {
        "tagProjectId": {
            "type": "String",
            "metadata": {
                "description": "The name of ProjectId tag",
                "displayName": "Name of ProjectId tag"
            }
        },
        "tagBusinessUnit": {
            "type": "String",
            "metadata": {
                "description": "The name of BusinessUnit tag",
                "displayName": "Name of BusinessUnit tag"
            }
        }
    }
    PARAMETERS

  policy_definition_reference {
    policy_definition_id = data.azurerm_policy_definition.tags_inherit_a_tag_from_rg_definition.id
    reference_id              = "projectid"
    parameter_values     = <<VALUE
    {
      "tagName":  {"value": "[parameters('tagProjectId')]"}
    }
    VALUE
  }

  policy_definition_reference {
    policy_definition_id = data.azurerm_policy_definition.tags_inherit_a_tag_from_rg_definition.id
    reference_id              = "businessunit"
    parameter_values     = <<VALUE
    {
      "tagName":  {"value": "[parameters('tagBusinessUnit')]"}
    }
    VALUE
  }
}

module "tags_inherit_a_tag_and_value_from_rg_assignment" {
  source           = "..//modules/set_assignment"
  initiative       = azurerm_policy_set_definition.tags_inherit_a_tag_and_value_from_rg_initiative
  assignment_scope = data.azurerm_management_group.management_group.id
  assignment_display_name = "Inherit tags from Resource Group"
  assignment_name = "inherit_tags"
  role_definition_ids = [
    data.azurerm_role_definition.contributor.id
  ]
  assignment_parameters = {
    tagProjectId = "ProjectId"
    tagBusinessUnit = "BusinessUnit"
  }
}

This allowed the assignment to be created and remediate for me. I am pretty new to Terraform, isn't there a way to incorporate what I did into your initiative module?

[pmatthews05]

Updated this code, as you need to apply the reference_id otherwise the for_each for remediation fails in the module.

[gettek]

Hi @pmatthews05, this is a good solution and will certainly work. Worth noting though the other trouble with using the same definition in an initiative multiple times is when trying to differentiate compliance state in the Azure portal as mentioned here, hence my original response in #40

[pmatthews05]

@gettek finally got round to working on this again today. The above solution does now work, you need to assign the reference_id to the policy_definition_reference otherwise the plan can not determine the reference_id that would be given by Azure.

[dpb519]

I have a similar, requirement. Can you share the final code that you are using ?

[pmatthews05]

I'm unable to share the final code I'm using for my client, but the above answer has code within it, that shows an example of how it works. Is there something that is not making sense to you?

[dpb519]

I have tried out the above code and it works fine. Thanks.