
Cannot get "management_group_id" with "azurerm_policy_definition" after upgrade Terraform Version #3762

Closed
TimWanierke opened this issue Jul 1, 2019 · 4 comments

Comments


TimWanierke commented Jul 1, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.3
provider.azurerm v1.30.1

Affected Resource(s)

  • azurerm_policy_definition

Terraform Configuration Files

locals {
  environment_name = terraform.workspace == "QA" ? "_QA" : ""
}

data "azurerm_management_group" "ManagementRoot" {
  group_id = terraform.workspace == "QA" ? "ManagementRoot_QA" : "ManagementRoot"
}

data "azurerm_policy_definition" "MG_Diag_NSG_DEF" {
  display_name        = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  management_group_id = data.azurerm_management_group.ManagementRoot.group_id
}

resource "azurerm_policy_assignment" "MG_Diag_NSG" {
  name                 = "MG_Diag_NSG${local.environment_name}"
  scope                = data.azurerm_management_group.ManagementRoot.id
  policy_definition_id = data.azurerm_policy_definition.MG_Diag_NSG_DEF.id
  description          = "Enable Diagnostic Logs forwarding to central Log Analytics Workspace for NSG"
  display_name         = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  location             = "westeurope"

  identity {
    type = "SystemAssigned"
  }

  parameters = <<PARAMETERS
  {
    "logAnalytics": {
      "value": "/subscriptions/.../resourceGroups/RG_Monitoring_cHUB01/providers/Microsoft.OperationalInsights/workspaces/MONITORING-cHUB01"
    }
  }
  
PARAMETERS

}

Debug Output

Error: Can not parse "management_group_id" as a resource id: Cannot parse Azure ID: parse ManagementRoot_QA: invalid URI for request

Panic Output

Expected Behavior

The ID/path of the Azure Policy should be returned by the resource provider "azurerm_policy_definition". When the policy definition is not stored on the tenant root, the policy ID is not returned anymore. This was working when I used Terraform version 0.11.

As a workaround, we stored the policy definition directly on the tenant root, but this is only a workaround.

Actual Behavior

Steps to Reproduce

  1. terraform plan

Important Factoids

References

  • #0000

gettek commented Aug 22, 2019

Same issue here, had to hardcode policy_definition_id URI temporarily until fixed:

policy_definition_id = "${data.azurerm_management_group.ManagementRoot.id}/providers/Microsoft.Authorization/policySetDefinitions/MG_Diag_NSG${local.environment_name}"


gettek commented Sep 21, 2020

Not sure in which version but can confirm this is now fixed!

Just ensure you specify the management group name in the data source block:

data "azurerm_policy_definition" "def" {
  name                  = local.policy_name
  management_group_name = local.definition_scope
}

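To make the failure in this thread concrete, here is an added example (not code from the issue or from the azurerm provider) that models the ID handling: a bare group name such as ManagementRoot_QA is rejected as an Azure resource ID, while the full management-group path is accepted and used to build the scoped policy_definition_id that the workaround above hard-coded. The function names, the regex and the sample values are assumptions constructed for this example.

```python
import re

# Constructed sample values from the thread: the QA management group name and
# the environment-suffixed policy name the assignment uses.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
POLICY_DEF_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<group>[^/]+)"
    r"/providers/Microsoft\.Authorization/policyDefinitions/(?P<name>[^/]+)$"
)


def management_group_id(value: str) -> str:
    """Accept only a full management group resource ID.

    This models the check the data source effectively applied to
    management_group_id in provider 1.30.1: a bare name such as
    "ManagementRoot_QA" has no leading '/' and is not a resource ID, so it
    is rejected instead of being silently scoped to the tenant root.
    """
    if not value.startswith("/"):
        raise ValueError(f"Cannot parse Azure ID: {value!r} is a name, not a resource ID")
    if not value.startswith(MG_PREFIX) or value.count("/") != 4 or value.endswith("/"):
        raise ValueError(f"not a management group ID: {value!r}")
    return value


def policy_definition_id(management_group_name: str, policy_name: str) -> str:
    """Build the management-group-scoped policy definition ID.

    Takes either the bare group name (what management_group_name accepts in
    the fixed provider) or the full group ID, so the caller never has to choose.
    """
    group = management_group_name
    scope = group if group.startswith("/") else MG_PREFIX + group
    return (f"{management_group_id(scope)}"
            f"/providers/Microsoft.Authorization/policyDefinitions/{policy_name}")


def parse_policy_definition_id(resource_id: str) -> dict:
    """Split a scoped policy definition ID back into group and policy name."""
    match = POLICY_DEF_RE.match(resource_id)
    if match is None:
        raise ValueError(f"Cannot parse Azure ID: {resource_id!r}")
    return match.groupdict()


if __name__ == "__main__":
    try:
        management_group_id("ManagementRoot_QA")  # the value the issue passed
    except ValueError as err:
        print("rejected:", err)
    print(policy_definition_id("ManagementRoot_QA", "MG_Diag_NSG_QA"))
```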
@tombuildsstuff
Contributor

Closing since this has been fixed according to @gettek


ghost commented Oct 21, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 21, 2020