Hotfix 89 - The given value is not suitable for child module variable…

… "archetype_config_overrides" (#93) * Fix for #89 * Add dedicated local for prinicipal_id lookup * Fix file formatting * Add test coverage for #89
Azure · May 11, 2021 · d900eae · d900eae
1 parent 6327afa
commit d900eae
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 30 deletions.
diff --git a/locals.management_groups.tf b/locals.management_groups.tf
@@ -186,10 +186,10 @@ locals {
   }
   # Logic to determine whether to include the core Enterprise-scale
   # Management Groups as part of the deployment
-  es_core_landing_zones_to_include = local.deploy_core_landing_zones ? local.es_core_landing_zones : local.empty_map
+  es_core_landing_zones_to_include = local.deploy_core_landing_zones ? local.es_core_landing_zones : null
   # Logic to determine whether to include the demo "Landing Zone"
   # Enterprise-scale Management Groups as part of the deployment
-  es_demo_landing_zones_to_include = local.deploy_demo_landing_zones ? local.es_demo_landing_zones : local.empty_map
+  es_demo_landing_zones_to_include = local.deploy_demo_landing_zones ? local.es_demo_landing_zones : null
   # Local map containing all Management Groups to deploy
   es_landing_zones_merge = merge(
     local.es_core_landing_zones_to_include,

diff --git a/locals.policy_assignments.tf b/locals.policy_assignments.tf
@@ -210,6 +210,14 @@ locals {
   )
 }
 
+# Generate a list of principal_id values by Policy Assignment
+locals {
+  principal_id_by_policy_assignment = {
+    for pak, pav in azurerm_policy_assignment.enterprise_scale :
+    pak => pav.identity[0].principal_id
+  }
+}
+
 # Construct the array used to determine the list of
 # Role Assignments to create for the Managed Identities
 # used by Policy Assignments.
@@ -224,7 +232,7 @@ locals {
         {
           resource_id          = "${local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id}${local.provider_path.role_assignment}${uuidv5(uuidv5("url", role_definition_id), policy_assignment_id)}"
           scope_id             = local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id
-          principal_id         = try(azurerm_policy_assignment.enterprise_scale[policy_assignment_id].identity[0].principal_id, null)
+          principal_id         = try(local.principal_id_by_policy_assignment[policy_assignment_id], null)
           role_definition_name = null
           role_definition_id   = role_definition_id
         }

diff --git a/tests/deployment/lib/archetype_definitions/archetype_definition_customer_secure.json b/tests/deployment/lib/archetype_definitions/archetype_definition_customer_secure.json
@@ -0,0 +1,35 @@
+{
+    "customer_secure": {
+        "policy_assignments": [
+            "Deny-Resource-Locations",
+            "Deny-RSG-Locations",
+            "Deploy-HITRUST-HIPAA"
+        ],
+        "policy_definitions": [],
+        "policy_set_definitions": [],
+        "role_definitions": [],
+        "archetype_config": {
+            "parameters": {
+                "Deny-Resource-Locations": {
+                    "listOfAllowedLocations": [
+                        "eastus",
+                        "eastus2",
+                        "westus",
+                        "northcentralus",
+                        "southcentralus"
+                    ]
+                },
+                "Deny-RSG-Locations": {
+                    "listOfAllowedLocations": [
+                        "eastus",
+                        "eastus2",
+                        "westus",
+                        "northcentralus",
+                        "southcentralus"
+                    ]
+                }
+            },
+            "access_control": {}
+        }
+    }
+}
diff --git a/tests/deployment/lib/archetype_extensions/archetype_extension_es_root.json b/tests/deployment/lib/archetype_extensions/archetype_extension_es_root.json
@@ -17,9 +17,7 @@
                         "eastus2",
                         "westus",
                         "northcentralus",
-                        "southcentralus",
-                        "uksouth",
-                        "ukwest"
+                        "southcentralus"
                     ]
                 },
                 "Deny-RSG-Locations": {
@@ -28,9 +26,7 @@
                         "eastus2",
                         "westus",
                         "northcentralus",
-                        "southcentralus",
-                        "uksouth",
-                        "ukwest"
+                        "southcentralus"
                     ]
                 },
                 "Deploy-SQL-Auditing": {

diff --git a/tests/deployment/main.tf b/tests/deployment/main.tf
@@ -44,8 +44,30 @@ module "test_root_id_3" {
       parent_management_group_id = "${var.root_id_3}-landing-zones"
       subscription_ids           = []
       archetype_config = {
-        archetype_id   = "default_empty"
-        parameters     = {}
+        archetype_id = "customer_secure"
+        parameters = {
+          Deny-Resource-Locations = {
+            listOfAllowedLocations = [
+              "eastus",
+              "westus",
+            ]
+          }
+          Deny-RSG-Locations = {
+            listOfAllowedLocations = [
+              "eastus",
+              "westus",
+            ]
+          }
+          Deploy-HITRUST-HIPAA = {
+            CertificateThumbprints                                        = ""
+            DeployDiagnosticSettingsforNetworkSecurityGroupsrgName        = "${var.root_id_3}-rg"
+            DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix = var.root_id_3
+            installedApplicationsOnWindowsVM                              = ""
+            listOfLocations = [
+              "eastus",
+            ]
+          }
+        }
         access_control = {}
       }
     }
@@ -137,6 +159,28 @@ module "test_root_id_3" {
     root = {
       archetype_id = "es_root"
       parameters = {
+        Deny-Resource-Locations = {
+          listOfAllowedLocations = [
+            "eastus",
+            "eastus2",
+            "westus",
+            "northcentralus",
+            "southcentralus",
+            "uksouth",
+            "ukwest",
+          ]
+        }
+        Deny-RSG-Locations = {
+          listOfAllowedLocations = [
+            "eastus",
+            "eastus2",
+            "westus",
+            "northcentralus",
+            "southcentralus",
+            "uksouth",
+            "ukwest",
+          ]
+        }
         Deploy-HITRUST-HIPAA = {
           CertificateThumbprints                                        = ""
           DeployDiagnosticSettingsforNetworkSecurityGroupsrgName        = "${var.root_id_3}-rg"

diff --git a/variables.tf b/variables.tf
@@ -141,13 +141,7 @@ variable "configure_management_resources" {
 }
 
 variable "archetype_config_overrides" {
-  type = map(
-    object({
-      archetype_id   = string
-      parameters     = any
-      access_control = any
-    })
-  )
+  type        = any
   description = "If specified, will set custom Archetype configurations to the default Enterprise-scale Management Groups."
   default     = {}
 }
@@ -192,18 +186,7 @@ variable "subscription_id_management" {
 }
 
 variable "custom_landing_zones" {
-  type = map(
-    object({
-      display_name               = string
-      parent_management_group_id = string
-      subscription_ids           = list(string)
-      archetype_config = object({
-        archetype_id   = string
-        parameters     = any
-        access_control = any
-      })
-    })
-  )
+  type        = any
   description = "If specified, will deploy additional Management Groups alongside Enterprise-scale core Management Groups."
   default     = {}