diff --git a/azurerm/internal/services/policy/parse/set_definition.go b/azurerm/internal/services/policy/parse/set_definition.go index 2a01d4946b54..c2fcbb05482b 100644 --- a/azurerm/internal/services/policy/parse/set_definition.go +++ b/azurerm/internal/services/policy/parse/set_definition.go @@ -12,8 +12,10 @@ type PolicySetDefinitionId struct { // TODO: This parsing function is currently suppressing case difference due to github issue: https://github.com/Azure/azure-rest-api-specs/issues/8353 func PolicySetDefinitionID(input string) (*PolicySetDefinitionId, error) { - // in general, the id of a set definition should be: - // {scope}/providers/Microsoft.Authorization/policySetDefinitions/set1 + // in general, the id of a set definition should be (for custom policy set definition): + // {scope}/providers/Microsoft.Authorization/policySetDefinitions/{name} + // and for built-in policy-set-definition + // /providers/Microsoft.Authorization/policySetDefinitions/{name} regex := regexp.MustCompile(`/providers/[Mm]icrosoft\.[Aa]uthorization/policy[Ss]et[Dd]efinitions/`) if !regex.MatchString(input) { return nil, fmt.Errorf("unable to parse Policy Set Definition ID %q", input) @@ -31,6 +33,12 @@ func PolicySetDefinitionID(input string) (*PolicySetDefinitionId, error) { return nil, fmt.Errorf("unable to parse Policy Set Definition ID %q: set definition name is empty", input) } + if scope == "" { + return &PolicySetDefinitionId{ + Name: name, + }, nil + } + scopeId, err := PolicyScopeID(scope) if err != nil { return nil, fmt.Errorf("unable to parse Policy Set Definition ID %q: %+v", input, err) diff --git a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go index 0872f410d112..d00e4568b366 100644 --- a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go +++ b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go 
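Review bot: A built-in ID now comes back from PolicySetDefinitionID with everything except Name left at its zero value, because the new `if scope == ""` branch in the second hunk returns before PolicyScopeID runs; any caller that dereferences the scope part of the struct without a nil/zero check would previously have received an error from this function and will now reach the zero value, and the struct definition is not in the hunk, so that cannot be confirmed here. The function's doc comment should state the contract, e.g. `// PolicySetDefinitionID parses both custom ({scope}/providers/...) and built-in (/providers/...) set definition IDs; for a built-in ID the returned value carries no scope.`. Nothing in this diff adds a parse-level unit test for the built-in form, so a table case for `/providers/Microsoft.Authorization/policySetDefinitions/{name}` asserting Name and an empty scope would pin the new branch independently of the acceptance tests. PolicySetDefinitionID's body runs between and past the two hunks, so the derivation of `scope` and `name` is not visible here.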
@@ -47,6 +47,25 @@ func TestAccAzureRMPolicyAssignment_basicBuiltin(t *testing.T) { }) } +func TestAccAzureRMPolicyAssignment_basicBuiltInSet(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acceptance.PreCheck(t) }, + Providers: acceptance.SupportedProviders, + CheckDestroy: testCheckAzureRMPolicyAssignmentDestroy, + Steps: []resource.TestStep{ + { + Config: testAzureRMPolicyAssignment_basicBuiltInSet(data), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMPolicyAssignmentExists(data.ResourceName), + ), + }, + data.ImportStep(), + }, + }) +} + func TestAccAzureRMPolicyAssignment_requiresImport(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test") resource.ParallelTest(t, resource.TestCase{ @@ -208,6 +227,34 @@ resource "azurerm_policy_assignment" "test" { `, data.RandomInteger, data.Locations.Primary) } +func testAzureRMPolicyAssignment_basicBuiltInSet(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +data "azurerm_policy_set_definition" "test" { + display_name = "Audit Windows VMs with a pending reboot" +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%[1]d" + location = "%[2]s" +} + +resource "azurerm_policy_assignment" "test" { + name = "acctestpa-%[1]d" + location = azurerm_resource_group.test.location + scope = azurerm_resource_group.test.id + policy_definition_id = data.azurerm_policy_set_definition.test.id + + identity { + type = "SystemAssigned" + } +} +`, data.RandomInteger, data.Locations.Primary) +} + func testAzureRMPolicyAssignment_basicBuiltin(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { 
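Review bot: TestAccAzureRMPolicyAssignment_basicBuiltInSet only checks that the assignment exists, which does not exercise the point of the change (a built-in set definition ID being accepted and round-tripped through the assignment); adding `resource.TestCheckResourceAttrPair(data.ResourceName, "policy_definition_id", "data.azurerm_policy_set_definition.test", "id"),` to the ComposeTestCheckFunc would pin it. The config in the second hunk looks the built-in set up by the display name "Audit Windows VMs with a pending reboot", a human-readable string that can change upstream; if the data source also accepts the fixed name, that would be the more stable key, otherwise a comment noting the dependency on that exact display name is worth adding. The `identity { type = "SystemAssigned" }` block is not obviously required for assigning a built-in set; if it is, a one-line comment saying why would help the next reader.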
diff --git a/azurerm/internal/services/policy/tests/policy_set_definition_data_source_test.go b/azurerm/internal/services/policy/tests/policy_set_definition_data_source_test.go index 643b3d85c544..21ea87750f4a 100644 --- a/azurerm/internal/services/policy/tests/policy_set_definition_data_source_test.go +++ b/azurerm/internal/services/policy/tests/policy_set_definition_data_source_test.go @@ -8,7 +8,7 @@ import ( "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance" ) -func TestAccDataSourceAzureRMPolicySetDefinition_byName(t *testing.T) { +func TestAccDataSourceAzureRMPolicySetDefinition_builtIn(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_policy_set_definition", "test") resource.ParallelTest(t, resource.TestCase{ 
@@ -17,7 +17,29 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byName(t *testing.T) { CheckDestroy: testCheckAzureRMPolicySetDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccDataSourceAzureRMPolicySetDefinition_byName(data), + Config: testAccDataSourceAzureRMPolicySetDefinition_builtIn("Audit Windows VMs with a pending reboot"), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(data.ResourceName, "name", "c96b2a9c-6fab-4ac2-ae21-502143491cd4"), + resource.TestCheckResourceAttr(data.ResourceName, "displayName", "Audit Windows VMs with a pending reboot"), + resource.TestCheckResourceAttr(data.ResourceName, "policy_type", "BuiltIn"), + resource.TestCheckResourceAttrSet(data.ResourceName, "parameters"), + resource.TestCheckResourceAttrSet(data.ResourceName, "policy_definitions"), + ), + }, + }, + }) +} + +func TestAccDataSourceAzureRMPolicySetDefinition_customByName(t *testing.T) { + data := acceptance.BuildTestData(t, "data.azurerm_policy_set_definition", "test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acceptance.PreCheck(t) }, + Providers: acceptance.SupportedProviders, + CheckDestroy: testCheckAzureRMPolicySetDefinitionDestroy, + Steps: []resource.TestStep{ + { + Config: testAccDataSourceAzureRMPolicySetDefinition_customByName(data), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(data.ResourceName, "name", fmt.Sprintf("acctestPolSet-%d", data.RandomInteger)), resource.TestCheckResourceAttr(data.ResourceName, "display_name", fmt.Sprintf("acctestPolSet-display-%d", data.RandomInteger)), @@ -30,7 +52,7 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byName(t *testing.T) { }) } -func TestAccDataSourceAzureRMPolicySetDefinition_byDisplayName(t *testing.T) { +func TestAccDataSourceAzureRMPolicySetDefinition_customByDisplayName(t *testing.T) { data := acceptance.BuildTestData(t, "data.azurerm_policy_set_definition", "test") resource.ParallelTest(t, resource.TestCase{ 
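Review bot: The second check in the builtIn step reads the attribute `displayName`, but the schema key used everywhere else in this file is `display_name` (the customByName checks a few lines further down use it), so this assertion would fail with an attribute-not-found error once the test runs; change it to `resource.TestCheckResourceAttr(data.ResourceName, "display_name", "Audit Windows VMs with a pending reboot"),`. The display name string is also repeated literally in the Config call and in the check; lifting it into a local such as `displayName := "Audit Windows VMs with a pending reboot"` keeps the two in step. The test function's opening lines are in the earlier hunk, outside this one.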
@@ -39,7 +61,7 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byDisplayName(t *testing.T) { CheckDestroy: testCheckAzureRMPolicySetDefinitionDestroy, Steps: []resource.TestStep{ { - Config: testAccDataSourceAzureRMPolicySetDefinition_byDisplayName(data), + Config: testAccDataSourceAzureRMPolicySetDefinition_customByDisplayName(data), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(data.ResourceName, "name", fmt.Sprintf("acctestPolSet-%d", data.RandomInteger)), resource.TestCheckResourceAttr(data.ResourceName, "display_name", fmt.Sprintf("acctestPolSet-display-%d", data.RandomInteger)), @@ -52,7 +74,19 @@ func TestAccDataSourceAzureRMPolicySetDefinition_byDisplayName(t *testing.T) { }) } -func testAccDataSourceAzureRMPolicySetDefinition_byName(data acceptance.TestData) string { +func testAccDataSourceAzureRMPolicySetDefinition_builtIn(name string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +data "azurerm_policy_set_definition" "test" { + display_name = "%s" +} +`, name) +} + +func testAccDataSourceAzureRMPolicySetDefinition_customByName(data acceptance.TestData) string { template := testAzureRMPolicySetDefinition_custom(data) return fmt.Sprintf(` %s @@ -63,7 +97,7 @@ data "azurerm_policy_set_definition" "test" { `, template) } -func testAccDataSourceAzureRMPolicySetDefinition_byDisplayName(data acceptance.TestData) string { +func testAccDataSourceAzureRMPolicySetDefinition_customByDisplayName(data acceptance.TestData) string { template := testAzureRMPolicySetDefinition_custom(data) return fmt.Sprintf(` %s
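Review bot: In testAccDataSourceAzureRMPolicySetDefinition_builtIn the parameter is named `name` but it is written into the `display_name` attribute, while the neighbouring test asserts a separate `name` attribute holding a GUID, so the parameter name invites confusion; `func testAccDataSourceAzureRMPolicySetDefinition_builtIn(displayName string) string {` with the closing `` `, displayName) `` reads accurately. The value is interpolated into the HCL string literal with `%s`, which is fine for the fixed ASCII literal the caller passes but would produce invalid HCL for a display name containing a double quote; since this helper is test-only, a comment such as `// displayName is placed inside an HCL string literal unescaped; pass plain text only.` is enough.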