-
Notifications
You must be signed in to change notification settings - Fork 581
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changing root_parent_id results in Management Groups not being deployed #190
Comments
Hey @lpmulligan, Thanks for raising an issue 👍 I have just tested this myself and it worked okay for me: As you can see highlighted in orange. My TF file looked like this: # We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 2.77.0"
}
}
}
provider "azurerm" {
features {}
}
# You can use the azurerm_client_config data resource to dynamically
# extract connection settings from the provider configuration.
data "azurerm_client_config" "core" {}
# Call the caf-enterprise-scale module directly from the Terraform Registry
# pinning to the latest version
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "1.0.0"
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = "jt-102021-landingzones"
root_id = "190"
root_name = "GH Issue 190 Test"
deploy_demo_landing_zones = true
} Are you able to share your TF file/s and a simple diagram of your Management Group hierarchy? (please redact any sensitive information) Look forward to hearing from you Thanks Jack |
@jtracey93. Thanks for double-checking this for me. I did try this deployment in two separate Azure tenants to make sure I didn't miss something. The second tenant being my MSDN one. I got the same results; hence, I opened up this issue. A few things:
You'll notice that I don't have access to all the MGs in the tree like you do...nor like I do in my MSDN sub!
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "1.0.0"
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = "ELZDemo"
root_id = "eslz"
root_name = "Enterprise-Scale LZ"
deploy_demo_landing_zones = true
}
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "1.0.0"
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = "jt-102021-landingzones"
root_id = "190"
root_name = "GH Issue 190 Test"
deploy_demo_landing_zones = true
} Results in the TF plan saying it's going to create the MG groups as expected even though the parent MG "jt-102021-landingzones" doesn't exist. However, if I change
Sincerely, Larry |
Hey @lpmulligan, Thanks for the excellent write up, really useful. Let me review and investigate further and we'll come back to you 👍 Cheers Jack |
Also just tried the same hierarchy above with an SPN that only has RBAC as below:
Still got a correct plan of 191 resources |
Hey @lpmulligan, So from digging through the module a little deeper tonight we think we may of found the reason why this is happening. These 2 lines in
On the line, from the first link, we are building all of the maps for the Management Groups to be created by the module, but we are evaluating if the But in the second link we have some logic that says if the So when combined your So what are we going to do...? Good question, we need to do some further testing of some potential fixes and we also need to just check "why" we implemented the logic to start with an we will then make a PR to fix. Give us a few days and we will come back to you 👍 Hope that all makes sense, and feel free to reach out with any further questions or queries Thanks Jack (also thanks to @krowlandson for the late night discussion to review my thinking 👍) |
Well shoot. I thought I had it. I think it's something in my environment not related to the code. I just had a co-worker change the MG ID from ELZDemo to eslz-demo and it works. However, your test shows that my hypothesis was wrong which is fine. Something's up with my setup...I don't know where but feel free to close this issue. Thanks for your assistance. |
You certainly led us down the right path, so thank you 👍 We will leave this open so we can track the bug fix 👍 If you have another issue, feel free to open a another issue on the repo. Happy to help 👍 |
@lpmulligan - just to add that it may have worked if you just set As per @jtracey93's follow up, we have found the point where this is going wrong for you in the code and will work on getting this resolved in a future release. We first need to work out the impact of the fix though, as we may cause unexpected changes if someone has inadvertently used the incorrect casing somewhere within their config and the following is automatically "correcting" this:
We need to be careful to understand whether changing this will cause deployments with incorrect config to fail, or to redeploy Management Groups. |
* Update Library Templates (automated) * Update Policy Assignment and `management` logic for new `Deploy_ASCDF_Config` policy (previously `Deploy_ASC_Config`) * Add control for oss databases (fixes #131) **BREAKING CHANGE** * Update planned values for OPA tests * Update logic for `parent_management_group` field on Management Group configuration (fixes #190) Co-authored-by: github-actions <action@github.com> Co-authored-by: Kevin Rowlandson <kevin.rowlandson@microsoft.com>
Community Note
Versions
terraform: 1.0.8
azure provider: 2.80.0
module: 1.0.0
Description
I'm trying to deploy an Enterprise Scale LZ deployment within an existing EA structure. I've been assigned owner to a Management Group 3 levels down from the Tenant Root Group. I would like to deploy a stock ES LZ within that management group. Changing root_parent_id from:
to
Results in all the
resource "azurerm_management_group" "level_1", resource "azurerm_management_group" "level_2", etc resources being skipped.
Manually creating the Management Groups under "ELZDemo" by hand allows the core management
terraform apply
to run successfully.Steps to Reproduce
root_parent_id = data.azurerm_client_config.core.tenant_id
in main.tfterraform plan
root_parent_id = "ELZDemo"
Screenshots
N/A
Additional context
N/A
The text was updated successfully, but these errors were encountered: