
I am deploying some Azure policy assignments using Terraform via GitLab CI/CD, and our state file is GitLab-managed. When I am applying these policies I am getting the error "1 resource already exists":

already exists – to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_subscription_policy_assignment" for more information.

2 Answers


  1. I tried the Azure policy assignment using Terraform and I was able to provision the requirement successfully.

    The error message you’re encountering in Terraform indicates that the Azure Policy Assignment you’re trying to create already exists in the Azure environment, but it’s not present in your Terraform state file. Terraform needs to have a record of all managed resources in the state file to operate correctly.

    Import the Existing Policy Assignment: You need to import the existing policy assignment into your Terraform state. You can do this with the terraform import command, which will require the ID of the existing policy assignment in Azure. The import command will look something like this (replace <POLICY_ASSIGNMENT_ID> with the actual ID):

    terraform import 'azurerm_subscription_policy_assignment.gitlab["<INDEX>"]' /subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/policyAssignments/<POLICY_ASSIGNMENT_NAME>
    

    The <INDEX> would be the index of your for_each loop where this particular resource is defined.

    My demo configuration tried to reproduce the incident with pre-existing subscription policy assignment info in my local environment.

    My terraform configuration:

    provider "azurerm" {
      features {}
    }
    
    data "azurerm_subscription" "current" {}
    
    resource "azurerm_policy_definition" "example" {
      name         = "only-deploy-in-westeurope"
      policy_type  = "Custom"
      mode         = "All"
      display_name = "Allowed resource types"
    
      policy_rule = <<POLICY_RULE
     {
        "if": {
          "not": {
            "field": "location",
            "equals": "westeurope"
          }
        },
        "then": {
          "effect": "Deny"
        }
      }
    POLICY_RULE
    }
    
    resource "azurerm_subscription_policy_assignment" "example" {
      name                 = "testpolicyvk"
      policy_definition_id = azurerm_policy_definition.example.id
      subscription_id      = data.azurerm_subscription.current.id
    }
    

    Output: (screenshot not preserved)

    Now I run the command to import the infrastructure into my remote state file:

    terraform import azurerm_policy_definition.example /subscriptions/{subscription-id}/providers/Microsoft.Authorization/policyDefinitions/{policy-definition-name}
    

    Now I run the commands (screenshot not preserved), then continue with the Terraform commands later on.

  2. To import you can use the import block in your tf file:

    import {
      # for_each instances are addressed by key; "0" is the first entry of var.subscription_ids
      to = azurerm_subscription_policy_assignment.gitlab["0"]
      id = "/subscriptions/<YOUR SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyAssignments/aks-privescal"
    }

    resource "azurerm_subscription_policy_assignment" "gitlab" {
      # one assignment per subscription, keyed by list position ("0", "1", ...)
      for_each             = { for i, sub_id in var.subscription_ids : i => sub_id }
      name                 = "aks-privescal"
      policy_definition_id = data.azurerm_policy_definition_built_in.msc_aks_privescal.id
      subscription_id      = each.value
      display_name         = "Kubernetes clusters should not allow container privilege escalation"
      location             = "westeurope" # required whenever an identity block is set
      parameters           = jsonencode({})
      identity { type = "SystemAssigned" }
    }


    After that, you can simply run terraform apply and it will import into your tfstate file. If desired, you can later remove the import block, and it should keep the imported policy in your state file, or you can also keep it to know the history of this resource.

    https://camargo-wes.medium.com/how-to-import-an-existing-azure-resource-into-your-terraform-state-with-azure-storage-backend-2f6cbdee5927

    https://developer.hashicorp.com/terraform/language/import
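A small helper, added here as an example and not taken from either answer, that emits one import block per for_each key of the resource above (keys "0", "1", ... as the index-keyed map produces them) and refuses malformed subscription ids without letting a bad entry shift the keys of the entries after it; the resource address and assignment name are the thread's, the subscription ids are constructed.

```shell
#!/bin/sh
# Added example (not from either answer): emit one Terraform 1.5+ import block
# per instance of a for_each-keyed azurerm_subscription_policy_assignment.
# Assumption: the resource is keyed by list position ("0", "1", ...), which is
# what `{ for i, sub_id in var.subscription_ids : i => sub_id }` yields, so the
# Nth subscription id in the list must map to key "N".

# Returns 0 if $1 looks like an Azure subscription GUID, 1 otherwise.
valid_subscription_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# gen_import_blocks RESOURCE_ADDRESS ASSIGNMENT_NAME SUBSCRIPTION_ID...
# Prints import blocks to stdout. A malformed id is reported on stderr and
# skipped, but its position is still consumed so later keys stay aligned with
# var.subscription_ids (a shifted key would import into the wrong instance).
gen_import_blocks() {
  addr=$1
  name=$2
  shift 2
  idx=0
  for sub in "$@"; do
    if valid_subscription_id "$sub"; then
      printf 'import {\n  to = %s["%s"]\n  id = "/subscriptions/%s/providers/Microsoft.Authorization/policyAssignments/%s"\n}\n\n' \
        "$addr" "$idx" "$sub" "$name"
    else
      echo "gen_import_blocks: skipping malformed subscription id at index $idx: $sub" >&2
    fi
    idx=$((idx + 1))
  done
}

# Stand-alone usage with constructed subscription ids (not real ones):
gen_import_blocks azurerm_subscription_policy_assignment.gitlab aks-privescal \
  11111111-1111-1111-1111-111111111111 \
  22222222-2222-2222-2222-222222222222
```

Redirect the output into a `.tf` file next to the resource, run `terraform plan` to confirm each block resolves to an existing assignment, then `terraform apply`.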
