after upgrading to 6.0.0 terraform plan continually wants to update landing zones policy assignment config for Enforce-GR-KeyVault #1031

Open
anthonysomerset opened this issue Jul 12, 2024 · 0 comments


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.9.2

azure provider: 3.111.0

module: 6.0.0

Description

Describe the bug

after upgrading to 6.0.0 terraform plan continually wants to update landing zones policy assignment config for Enforce-GR-KeyVault

Terraform will perform the following actions:

  # module.azure_landing_zone.module.core.module.alz.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/ct-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault"] will be updated in-place
  ~ resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
        id                   = "/providers/Microsoft.Management/managementGroups/ct-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault"
        name                 = "Enforce-GR-KeyVault"
      - parameters           = jsonencode({})
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Apply succeeds just fine, but next plan produces same results

Steps to Reproduce

my deployment is the level 300 - (separate submodules for each of core, connectivity and management components)

core module code:

module "alz" {
  # To enable correct testing of our examples, we must source this
  # module locally. Please remove the local `source = "../../../../"`
  # and uncomment the remote `source` and `version` below.
  # source = "../../../../"
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "6.0.0" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  # Base module configuration settings
  root_parent_id   = data.azurerm_client_config.current.tenant_id
  root_id          = var.root_id
  root_name        = var.root_name
  library_path     = "${path.module}/lib"
  default_location = "southafricanorth"

  # Enable creation of the core management group hierarchy
  # and additional custom_landing_zones
  deploy_core_landing_zones  = true
  custom_landing_zones       = local.custom_landing_zones
  archetype_config_overrides = local.archetype_config_overrides

  # Configuration settings for identity resources is
  # bundled with core as no resources are actually created
  # for the identity subscription
  deploy_identity_resources    = true
  configure_identity_resources = local.configure_identity_resources
  subscription_id_identity     = var.subscription_id_identity

  # The following inputs ensure that managed parameters are
  # configured correctly for policies relating to connectivity
  # resources created by the connectivity module instance and
  # to map the subscription to the correct management group,
  # but no resources are created by this module instance
  deploy_connectivity_resources    = false
  configure_connectivity_resources = var.configure_connectivity_resources
  subscription_id_connectivity     = var.subscription_id_connectivity

  # The following inputs ensure that managed parameters are
  # configured correctly for policies relating to management
  # resources created by the management module instance and
  # to map the subscription to the correct management group,
  # but no resources are created by this module instance
  deploy_management_resources     = false
  configure_management_resources  = var.configure_management_resources
  subscription_id_management      = var.subscription_id_management
  strict_subscription_association = var.strict_subscription_association

}

Screenshots

Additional context

the change appears to not be doing anything so nothing appears to be broken
it wants to delete a block that is basically empty anyway

parameters           = jsonencode({})
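
One way to keep this recurring diff from hiding real changes to policy assignments, as an added example that is not part of the original issue or the module's code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and separates updates whose only difference is an empty `parameters` value from updates that need review. The sample plan, the two `Example-*` assignment names, the shortened addresses and all function names are constructed for illustration.

```python
import json

ASSIGNMENT_TYPE = "azurerm_management_group_policy_assignment"

def _rc(name, before, after):
    # Builds one constructed resource_changes entry (shape of `terraform show -json`).
    return {"address": f'{ASSIGNMENT_TYPE}.enterprise_scale["{name}"]',
            "type": ASSIGNMENT_TYPE,
            "change": {"actions": ["update"], "before": before, "after": after}}

# Constructed sample plan; only the first entry mirrors the diff quoted in the issue.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("Enforce-GR-KeyVault",
        {"enforce": True, "parameters": "{}"},
        {"enforce": True, "parameters": None}),
    _rc("Example-Params-Removed",
        {"enforce": True, "parameters": '{"effect":{"value":"Deny"}}'},
        {"enforce": True, "parameters": None}),
    _rc("Example-Enforce-Off",
        {"enforce": True, "parameters": "{}"},
        {"enforce": False, "parameters": None}),
]})

def normalise_parameters(value):
    """Decode the JSON-string attribute; null and "" count as an empty set."""
    return json.loads(value) if value else {}

def changed_keys(before, after):
    """Names of top-level attributes whose planned value differs."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def triage(plan_json):
    """Split planned assignment changes into (noise, review) address lists."""
    noise, review = [], []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if rc["type"] != ASSIGNMENT_TYPE or change["actions"] == ["no-op"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        # Noise only if parameters is the sole diff and both sides are empty.
        empty_only = (
            change["actions"] == ["update"]
            and changed_keys(before, after) == ["parameters"]
            and normalise_parameters(before.get("parameters")) == {}
            and normalise_parameters(after.get("parameters")) == {}
        )
        (noise if empty_only else review).append(rc["address"])
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_PLAN)
    print("empty-parameters noise:", noise)
    print("needs review:", review)
```

Creates, deletes and replacements of an assignment always land in the review list, so only the empty-to-unset `parameters` update is treated as noise.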