嗨,我有一个包含自定义策略定义和分配的模块。我注意到,如果我修改了其他内容而没有触及这个策略模块,然后重新部署整个 Terraform 配置,Terraform 会尝试销毁该策略分配并重新创建它。由于我们有一条监控规则,会在策略分配被激活时触发不必要的告警。我只在自定义策略定义和分配中观察到这种情况,对于内置策略分配则没有发生。我们该如何解决或避免这种情况?
# Custom policy definition: flags any evaluated resource that is missing at
# least one of the tags Application, Environment or Managedby.
# The effect is "audit" only (see policy_rule.then below), so non-compliant
# resources are recorded, not blocked.
resource "azurerm_policy_definition" "auditresourcetag" {
# The name is also used as the last path segment of the definition's resource
# ID (visible in the plan output as policy_definition_id), spaces included.
name = "Audit if either of required tag is missing from a resource"
policy_type = "Custom"
# "Indexed" restricts evaluation to resource types that support tags and
# location, which is what a tag-presence rule needs.
mode = "Indexed"
display_name = "Audit if either of required tag is missing from a resource"
# metadata is built with jsonencode(); the matching assignment block uses a
# heredoc for the same structure — keeping both on jsonencode() is tidier.
metadata = jsonencode(
{
"category" : "Tags"
})
policy_rule = jsonencode(
{
"if" : {
# anyOf: a single missing tag is enough to match.
# "exists": false is a presence check only — the tag value is not inspected,
# so an empty or placeholder value still passes.
"anyOf" : [
{
"field" : "tags[Application]",
"exists" : false
},
{
"field" : "tags[Environment]",
"exists" : false
},
{
"field" : "tags[Managedby]",
"exists" : false
}
]
},
"then" : {
# audit: log a compliance finding, never deny or modify the resource.
"effect" : "audit"
}
})
}
# Assigns the custom definition above at var.scope.
# In the plan output below this resource is shown as "-/+ ... must be replaced"
# with `scope = "/subscriptions/***" -> (known after apply) # forces replacement`,
# i.e. the replacement is driven by var.scope not being known at plan time,
# not by anything in this block. While the assignment is replaced the scope is
# briefly without the audit policy, and the re-creation is what trips the
# monitoring rule. The new `identity {}` block in the same plan hints at a
# provider-side change as well — TODO confirm against the provider version in use.
resource "azurerm_policy_assignment" "auditresourcetag" {
# Like the definition, the assignment name becomes part of its resource ID.
name = "Audit if either of required tag is missing from a resource"
# var.scope must resolve to a value that is known at plan time for this
# assignment to be stable across unrelated applies (see plan output below).
scope = var.scope
# References the custom definition's ID; built-in definitions are referenced
# by a fixed ID instead, which is why they do not show the same behaviour.
policy_definition_id = azurerm_policy_definition.auditresourcetag.id
# NOTE(review): this text is the provider's acceptance-test placeholder;
# replace it with a description of what the assignment actually audits.
description = "Policy Assignment created via an Acceptance Test"
display_name = "Audit if either of required tag is missing from a resource"
# Same category metadata as the definition, written as a heredoc here rather
# than jsonencode(); either form works, consistency is the only concern.
metadata = <<METADATA
{
"category": "Tags"
}
METADATA
}
从 terraform plan 的输出中可以看到:
# module.mcs_optimise_azure.module.azure_policy[0].azurerm_policy_assignment.auditresourcetag must be replaced
-/+ resource "azurerm_policy_assignment" "auditresourcetag" {
description = "Policy Assignment created via an Acceptance Test"
display_name = "Audit if either of required tag is missing from a resource"
- updatedBy = null -> null
- updatedOn = null -> null
}
)
name = "Audit if either of required tag is missing from a resource"
- not_scopes = [] -> null
policy_definition_id = "/subscriptions/***/providers/Microsoft.Authorization/policyDefinitions/Audit if either of required tag is missing from a resource"
~ scope = "/subscriptions/***" -> (known after apply) # forces replacement
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = (known after apply)
}
}