Support for user managed Identity for policy assignment #14087

Status: Open

jayendranarumugam opened this issue Nov 8, 2021 · 6 comments

Comments

jayendranarumugam (Contributor) commented Nov 8, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

New or Affected Resource(s)

  • azurerm_subscription_policy_assignment

Potential Terraform Configuration

# Subscription the policy is assigned to
data "azurerm_subscription" "current" {}

# Resource group hosting the user-assigned identity. The original post
# references azurerm_resource_group.test without declaring it; declared
# here so the configuration is complete (name and location are constructed).
resource "azurerm_resource_group" "test" {
  name     = "acctest-rg"
  location = "West Europe"
}

resource "azurerm_policy_definition" "example" {
  name         = "only-deploy-in-westeurope"
  display_name = "Only deploy in West Europe" # required by the provider
  policy_type  = "Custom"
  mode         = "All"

  policy_rule = <<POLICY_RULE
{
  "if": {
    "not": {
      "field": "location",
      "equals": "westeurope"
    }
  },
  "then": {
    "effect": "Deny"
  }
}
POLICY_RULE
}

resource "azurerm_user_assigned_identity" "test" {
  # "acctest%d" in the original is a Go fmt placeholder copied from the
  # acceptance-test templates; a literal name is used here
  name                = "acctest-identity"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
}

resource "azurerm_subscription_policy_assignment" "example" {
  name                 = "example"
  policy_definition_id = azurerm_policy_definition.example.id
  subscription_id      = data.azurerm_subscription.current.id # data source, so the "data." prefix is required
  location             = azurerm_resource_group.test.location # required whenever an identity block is set

  # Proposed: pass a user-assigned identity instead of the system-assigned
  # identity, which is currently the only supported type
  identity {
    type        = "UserAssigned"
    identity_id = azurerm_user_assigned_identity.test.id
  }
}


Current behaviour

Currently only a system-assigned managed identity can be passed as a parameter.

References

  • The Azure Portal already supports this feature

Screenshot 2021-11-08 at 7 38 31 PM
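The configuration above uses a Deny policy, which never needs an identity. The reason a policy assignment carries a managed identity at all is remediation: Modify and DeployIfNotExists effects run as that identity, so whatever role it holds is the blast radius of the policy. The added example below (not from the original issue or from the provider's code or tests) shows the pattern the request enables: one user-assigned identity, created and granted a narrowly scoped role before assignment, then used by a Modify policy and a remediation task. The attribute name `identity_ids` is the shape the provider later implemented and is an assumption relative to this issue's proposed `identity_id`; all resource names and the `environment` tag are constructed; the role definition GUID is the built-in Tag Contributor role.

```hcl
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "identity" {
  name     = "rg-policy-identity" # constructed name
  location = "West Europe"
}

# One identity, created and authorised once, reusable across many assignments
resource "azurerm_user_assigned_identity" "policy" {
  name                = "id-policy-remediation" # constructed name
  resource_group_name = azurerm_resource_group.identity.name
  location            = azurerm_resource_group.identity.location
}

# Least privilege: the policy only writes tags, so Tag Contributor is enough.
# With a system-assigned identity this grant is created implicitly at assignment
# time; with a user-assigned identity it is explicit, reviewable and reusable.
resource "azurerm_role_assignment" "policy_tags" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Tag Contributor"
  principal_id         = azurerm_user_assigned_identity.policy.principal_id
}

resource "azurerm_policy_definition" "add_environment_tag" {
  name         = "add-environment-tag"
  display_name = "Add environment tag to resources"
  policy_type  = "Custom"
  mode         = "Indexed" # Modify on tags requires Indexed mode

  # roleDefinitionIds lists the built-in Tag Contributor role; Azure Policy
  # checks the assignment's identity holds it before remediating
  policy_rule = <<POLICY_RULE
{
  "if": {
    "field": "tags['environment']",
    "exists": "false"
  },
  "then": {
    "effect": "Modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "tags['environment']",
          "value": "unclassified"
        }
      ]
    }
  }
}
POLICY_RULE
}

resource "azurerm_subscription_policy_assignment" "tag_modify" {
  name                 = "add-environment-tag"
  policy_definition_id = azurerm_policy_definition.add_environment_tag.id
  subscription_id      = data.azurerm_subscription.current.id
  location             = azurerm_resource_group.identity.location # required whenever identity is set

  identity {
    type = "UserAssigned"
    # assumption: attribute name as later implemented; this issue proposes identity_id
    identity_ids = [azurerm_user_assigned_identity.policy.id]
  }

  # The role grant must exist before anything tries to remediate as this identity
  depends_on = [azurerm_role_assignment.policy_tags]
}

# The remediation task is the operation that actually runs as the identity
resource "azurerm_subscription_policy_remediation" "tag_modify" {
  name                 = "remediate-environment-tag"
  subscription_id      = data.azurerm_subscription.current.id
  policy_assignment_id = azurerm_subscription_policy_assignment.tag_modify.id
}
```

The useful property for a defender is that the identity and its role assignment are ordinary, inspectable resources in state and in the subscription's RBAC: the same identity can back several assignments, its permissions are decided once rather than per assignment, and rotating or removing it is a single change instead of one per policy.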

kaovd (Contributor) commented Dec 2, 2021

See: this was added 4 months ago, in the 2021-06-01 Resource. It would require upgrading the API version that's being used; hopefully this can be done without any breaking changes, but I have only had a 5-minute look over it.

https://github.com/Azure/azure-rest-api-specs/tree/main/specification/resources/resource-manager/Microsoft.Authorization/stable/2021-06-01

Azure/azure-rest-api-specs#15181

This appears to be in the preview package for policy, although we would likely need an RP request for the latest stable; but they appear the same (see https://github.com/Azure/azure-rest-api-specs/tree/main/specification/resources/resource-manager/Microsoft.Authorization/stable/2021-06-01).

Preview models: https://github.com/Azure/azure-sdk-for-go/blob/ec2ed6d8450ad53978efa96822bf9c9431a63ab4/services/preview/resources/mgmt/2021-06-01-preview/policy/models.go

For the RP: items in both the 2021-06-01 stable and 2019-09-01 stable APIs appear the same, so there shouldn't be any issues.

kaovd (Contributor) commented Dec 2, 2021

Put up an RP for having 2021-06-01 in stable as well:
Azure/azure-sdk-for-go#16389

oWretch (Contributor) commented Dec 20, 2021

Duplicate of #13443.

kaovd (Contributor) commented Dec 24, 2021

It appears the Map enum isn't marked as read-only in the API but its children are, which is quite confusing; this is blocked until the API is fixed.
