update azurerm_policy_assignment - allow scopes of policy set defin…

…ition without `subscription/<id>` (#6792) Fixes #6671
hashicorp · May 7, 2020 · 893307f · 893307f
1 parent 382e56f
commit 893307f
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 8 deletions.
diff --git a/azurerm/internal/services/policy/parse/set_definition.go b/azurerm/internal/services/policy/parse/set_definition.go
@@ -12,8 +12,10 @@ type PolicySetDefinitionId struct {
 
 // TODO: This parsing function is currently suppressing case difference due to github issue: https://github.com/Azure/azure-rest-api-specs/issues/8353
 func PolicySetDefinitionID(input string) (*PolicySetDefinitionId, error) {
-	// in general, the id of a set definition should be:
-	// {scope}/providers/Microsoft.Authorization/policySetDefinitions/set1
+	// in general, the id of a set definition should be (for custom policy set definition):
+	// {scope}/providers/Microsoft.Authorization/policySetDefinitions/{name}
+	// and for built-in policy-set-definition
+	// /providers/Microsoft.Authorization/policySetDefinitions/{name}
 	regex := regexp.MustCompile(`/providers/[Mm]icrosoft\.[Aa]uthorization/policy[Ss]et[Dd]efinitions/`)
 	if !regex.MatchString(input) {
 		return nil, fmt.Errorf("unable to parse Policy Set Definition ID %q", input)
@@ -31,6 +33,12 @@ func PolicySetDefinitionID(input string) (*PolicySetDefinitionId, error) {
 		return nil, fmt.Errorf("unable to parse Policy Set Definition ID %q: set definition name is empty", input)
 	}
 
+	if scope == "" {
+		return &PolicySetDefinitionId{
+			Name: name,
+		}, nil
+	}
+
 	scopeId, err := PolicyScopeID(scope)
 	if err != nil {
 		return nil, fmt.Errorf("unable to parse Policy Set Definition ID %q: %+v", input, err)

diff --git a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
@@ -47,6 +47,25 @@ func TestAccAzureRMPolicyAssignment_basicBuiltin(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMPolicyAssignment_basicBuiltInSet(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMPolicyAssignmentDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAzureRMPolicyAssignment_basicBuiltInSet(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMPolicyAssignmentExists(data.ResourceName),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
 func TestAccAzureRMPolicyAssignment_requiresImport(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test")
 	resource.ParallelTest(t, resource.TestCase{
@@ -208,6 +227,34 @@ resource "azurerm_policy_assignment" "test" {
 `, data.RandomInteger, data.Locations.Primary)
 }
 
+func testAzureRMPolicyAssignment_basicBuiltInSet(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit Windows VMs with a pending reboot"
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%[1]d"
+  location = "%[2]s"
+}
+
+resource "azurerm_policy_assignment" "test" {
+  name                 = "acctestpa-%[1]d"
+  location             = azurerm_resource_group.test.location
+  scope                = azurerm_resource_group.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
+
 func testAzureRMPolicyAssignment_basicBuiltin(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {

diff --git a/azurerm/internal/services/policy/tests/policy_set_definition_data_source_test.go b/azurerm/internal/services/policy/tests/policy_set_definition_data_source_test.go
@@ -8,7 +8,7 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
 )
 
-func TestAccDataSourceAzureRMPolicySetDefinition_byName(t *testing.T) {
+func TestAccDataSourceAzureRMPolicySetDefinition_builtIn(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azurerm_policy_set_definition", "test")
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -17,7 +17,29 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byName(t *testing.T) {
 		CheckDestroy: testCheckAzureRMPolicySetDefinitionDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataSourceAzureRMPolicySetDefinition_byName(data),
+				Config: testAccDataSourceAzureRMPolicySetDefinition_builtIn("Audit Windows VMs with a pending reboot"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(data.ResourceName, "name", "c96b2a9c-6fab-4ac2-ae21-502143491cd4"),
+					resource.TestCheckResourceAttr(data.ResourceName, "displayName", "Audit Windows VMs with a pending reboot"),
+					resource.TestCheckResourceAttr(data.ResourceName, "policy_type", "BuiltIn"),
+					resource.TestCheckResourceAttrSet(data.ResourceName, "parameters"),
+					resource.TestCheckResourceAttrSet(data.ResourceName, "policy_definitions"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceAzureRMPolicySetDefinition_customByName(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_policy_set_definition", "test")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMPolicySetDefinitionDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceAzureRMPolicySetDefinition_customByName(data),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(data.ResourceName, "name", fmt.Sprintf("acctestPolSet-%d", data.RandomInteger)),
 					resource.TestCheckResourceAttr(data.ResourceName, "display_name", fmt.Sprintf("acctestPolSet-display-%d", data.RandomInteger)),
@@ -30,7 +52,7 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byName(t *testing.T) {
 	})
 }
 
-func TestAccDataSourceAzureRMPolicySetDefinition_byDisplayName(t *testing.T) {
+func TestAccDataSourceAzureRMPolicySetDefinition_customByDisplayName(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azurerm_policy_set_definition", "test")
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -39,7 +61,7 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byDisplayName(t *testing.T) {
 		CheckDestroy: testCheckAzureRMPolicySetDefinitionDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataSourceAzureRMPolicySetDefinition_byDisplayName(data),
+				Config: testAccDataSourceAzureRMPolicySetDefinition_customByDisplayName(data),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(data.ResourceName, "name", fmt.Sprintf("acctestPolSet-%d", data.RandomInteger)),
 					resource.TestCheckResourceAttr(data.ResourceName, "display_name", fmt.Sprintf("acctestPolSet-display-%d", data.RandomInteger)),
@@ -52,7 +74,19 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byDisplayName(t *testing.T) {
 	})
 }
 
-func testAccDataSourceAzureRMPolicySetDefinition_byName(data acceptance.TestData) string {
+func testAccDataSourceAzureRMPolicySetDefinition_builtIn(name string) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "%s"
+}
+`, name)
+}
+
+func testAccDataSourceAzureRMPolicySetDefinition_customByName(data acceptance.TestData) string {
 	template := testAzureRMPolicySetDefinition_custom(data)
 	return fmt.Sprintf(`
 %s
@@ -63,7 +97,7 @@ data "azurerm_policy_set_definition" "test" {
 `, template)
 }
 
-func testAccDataSourceAzureRMPolicySetDefinition_byDisplayName(data acceptance.TestData) string {
+func testAccDataSourceAzureRMPolicySetDefinition_customByDisplayName(data acceptance.TestData) string {
 	template := testAzureRMPolicySetDefinition_custom(data)
 	return fmt.Sprintf(`
 %s