New Resource: azurerm_policy_definition

[jaymitre]

The goal of this change is to allow CRUD operations to be performed on azure policies using terraform.

[tombuildsstuff]

hey @jaymitre

Thanks for this PR - I've taken a look through and left some comments in-line but this is mostly looking good; if we can fix up those issues this should be good to merge :)

Thanks!

[tombuildsstuff]

given the API response will always return these inside the Properties object, can we read these from there and add a nil check to handle bad Swagger/API responses (for older resources or future swagger changes) e.g.

if props := resp.DefinitionProperties; props != nil {
  d.Set(“policy_type”, props.PolicyType)
  # ...
}

[tombuildsstuff]

can we make this “acctestpol-%d”

[tombuildsstuff]

can we pin this to the tag “v14.5.0” which will allow us to merge this PR once #1006 has been merged

[tombuildsstuff]

minor can we order these based on internal then external using “goimports”

[tombuildsstuff]

Given the ID should be in the format:

/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}

based on what I can see in the SDK - I think we should be able to use the built in functions here:

We can access this via:

id, err := parseAzureResourceID(d.Id())
if err != nil {
  return nil
}

return id.Path["policyDefinitions"]

[jaymitre]

When we use parseAzureResourceID we get an error that a resource group isn't in the id string.

[tombuildsstuff]

in which case can we return just the last segment of this? given we can guarantee there's only 6 segments in the URI (once it's split based on /) we should be able to make this:

components := strings.Split(path, "/")

if len(components) != 6 {
  return nil, fmt.Errorf("Azure Policy Definition Id should have 6 segments, got %d: '%s'", len(components), path)
}

return components[5]

[tombuildsstuff]

can we update the name to match the other tests? e.g. TestAccAzureRMPolicyDefinition_basic

[tombuildsstuff]

can we add some documentation for this resource in the website folder?

[tombuildsstuff]

can we name this “registerPolicyClients” since this’ll register other types of clients (such as role assignments) in the future too

[tombuildsstuff]

Can we update the name of this to be consistent with the other resources? eg testCheckAzureRMPolicyDefinitionDestroy

[jaymitre]

Thank you for taking a look at the PR and for your helpful feedback. I made a commit to update the PR based on your feedback.

[tombuildsstuff]

missed this earlier - can we make this Policy Resources?

[tombuildsstuff]

can we update azure_policy_definition -> azurerm_policy_definition

[jaymitre]

Updated the naming. Thank you.

[tombuildsstuff]

hey @jaymitre

Thanks for pushing those updates - I've left a couple of minor comments but this now mostly LGTM.

Just to let you know that since this PR is making use of v14 of the Azure SDK for Go, we'll need to hold off merging it until after #1006 has been merged (which next week).

Thanks!

[tombuildsstuff]

we don't need to set id here - since it's already set in the Create method above

[jaymitre]

Hey @tombuildsstuff, made a few changes with to address your remaining comments.

[tombuildsstuff]

hey @jaymitre

Thanks for pushing those updates :)

I've left a couple of minor comments but this now otherwise LGTM; so that we can get this merged I'm going to push a couple of commits to fix those issues and pin this to v12.5 of the Azure SDK for Go (since we're currently blocked upgrading to v14/v15) - I hope you don't mind!

Thanks!

[tombuildsstuff]

minor can we quote these values e.g. "BuiltIn, Custom and NotSpecified"

[tombuildsstuff]

(same here) can we quote these values e.g. All, Indexed or NotSpecified

[tombuildsstuff]

minor defenition -> definition

[tombuildsstuff]

minor could we update testPolict to be testPolicy? :)

[tombuildsstuff]

hey @jaymitre

Thanks for pushing those updates - I've opened a PR on your fork (since I don't have permissions to push to your fork's master branch) which includes a couple of bug fixes I noticed when testing this PR - if we can merge that in then this PR should be good to merge :)

Thanks!

[jaymitre]

@tombuildsstuff Thank you for taking the time to review the PR and make those fixes. Your changes have been merged.

[tombuildsstuff]

LGTM - thanks for merging that in :)

Thanks!

[tombuildsstuff]

Tests pass:

$ acctests azurerm TestAccAzureRMPolicyDefinition_
=== RUN   TestAccAzureRMPolicyDefinition_importBasic
--- PASS: TestAccAzureRMPolicyDefinition_importBasic (26.40s)
=== RUN   TestAccAzureRMPolicyDefinition_basic
--- PASS: TestAccAzureRMPolicyDefinition_basic (15.08s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	41.519s

[JasonNguyenTX]

Hello, does it support for policy tier? Currently it seems that the default assignment tier is free. I would like to see if it can support standard tier

[JasonNguyenTX]

Also does it support retrieving existing builtin policy definition? ie: "Allowed locations" def

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!