I'm trying to set some policy rules at the RG (resource group) level with this.
My code looks like this:
# Environment-specific identifiers (placeholder values in this listing).
# Tenant and subscription IDs are not secrets, but they select where every
# resource lands, so keeping them in source is a reviewable choice.
locals {
  tenant_id = "xxxxxxxxxxxx"

  # dev vs. prd subscription: any var.env other than "dev" resolves to the
  # prd subscription, exactly as the original ternary did.
  subscription_id = lookup({ dev = "xxxxxxxx" }, var.env, "xxxxxxxxxxx")

  # Object ID of the AAD group; not referenced anywhere in the visible
  # configuration.
  aad_group = "xxxxxxxxxxxxx" # az_nemolink_data_engineers
}
locals {
  # Tags for application resources; values key off var.env, with anything
  # other than "dev" treated as production.
  common_tags = {
    "Application Name" = var.env == "dev" ? "dev nll-001" : "prd nll-001"
    "Environment"      = var.env == "dev" ? "DEV" : "PRD"
  }

  # DNS tags: only dev carries an Environment value; every other environment
  # gets an empty string (kept as in the original — verify "" rather than
  # "PRD" is intended).
  common_dns_tags = {
    "Environment" = var.env == "dev" ? "DEV" : ""
  }
}
# Azure AD provider, authenticated as a service principal.
# NOTE(review): the tenant comes from var.azure_tenant_id here while the
# azurerm provider below uses local.tenant_id — presumably the same tenant,
# but the two sources should be aligned.
provider "azuread" {
client_id = var.azure_client_id
# Declare var.azure_client_secret with sensitive = true so it is redacted in
# plan/apply output, and feed it from the CI secret store (TF_VAR_* or
# ARM_CLIENT_SECRET) rather than a committed .tfvars file.
client_secret = var.azure_client_secret
tenant_id = var.azure_tenant_id
}
# PROVIDER REGISTRATION
# Azure Resource Manager provider. The provider version is not constrained
# here but in a terraform { required_providers { azurerm = { ... } } } block
# (not shown); the "Invalid resource type" error at the bottom of this page
# is resolved by raising that constraint to >= 3.49.0, the version where
# azurerm_resource_group_policy_assignment is available (2.52.0 is in use).
provider "azurerm" {
# false keeps the provider on shared-key (account key) authentication for
# storage data-plane calls instead of Azure AD; setting it to true removes the
# dependency on shared keys but requires the principal to hold data-plane
# RBAC roles — confirm which is intended.
storage_use_azuread = false
# Skips automatic registration of Azure resource providers, so every provider
# namespace used here must already be registered in the subscription.
# NOTE(review): deprecated in azurerm 4.x in favour of
# resource_provider_registrations — check before moving to the 4.7.0
# mentioned in the answer.
skip_provider_registration = true
features {}
tenant_id = local.tenant_id
subscription_id = local.subscription_id
# Service-principal credentials; var.azure_client_secret must be marked
# sensitive. The provider also reads ARM_CLIENT_ID / ARM_CLIENT_SECRET from
# the environment if these arguments are omitted.
client_id = var.azure_client_id
client_secret = var.azure_client_secret
}
# LOCALS
# Single deployment region. The resource group below repeats the literal
# "West Europe" instead of referencing local.location.
locals {
location = "West Europe"
}
# MODULES
# Carves subnet ranges out of var.base_cidr_block with the public
# hashicorp/subnets/cidr registry module. No version is pinned, so a new
# module release is picked up silently on the next init — add a version.
module "subnet_ranges" {
source = "hashicorp/subnets/cidr"
base_cidr_block = var.base_cidr_block
networks = [
{
name = "vm-endpoint"
# The resulting prefix length is (base prefix + 5); it is a /28 with 16
# addresses only when var.base_cidr_block is a /23.
new_bits = 5 # 28 bits => 16 addresses
}
]
}
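########### Resource Group #############
# Resource group that scopes the policy assignment made by the
# policy_deny_public_storage_account module below.
resource "azurerm_resource_group" "dataplatform" {
  name = "rg-xxx-xxx-${var.env}"
  # Reference the shared local instead of repeating the literal "West Europe",
  # so the region is changed in exactly one place.
  location = local.location
  # NOTE(review): local.common_tags is declared but not applied here;
  # tags = local.common_tags would propagate it — confirm it is wanted.
}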
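# Optional policy module, switched on per environment via var.deploy_policies.
module "policy_deny_public_storage_account" {
  source = "./policies/policy_storage_account"
  # try() covers a missing key (or a missing variable); any value other than
  # boolean true leaves the module undeployed.
  count = try(var.deploy_policies.policy_deny_public_storage_account, false) == true ? 1 : 0
  # The module runs for_each over resource_groups and reads each.value.name
  # and each.value.id, so it needs a map of objects; the bare name string the
  # original passed is rejected by for_each and has no .name/.id attributes.
  # Assumes the module variable is typed as a map of objects with name and id —
  # confirm against its variable declaration.
  resource_groups = {
    dataplatform = {
      name = azurerm_resource_group.dataplatform.name
      id   = azurerm_resource_group.dataplatform.id
    }
  }
}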
This is my module:
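# Custom policy definition: denies create/update of a storage account whose
# network ACL default action is anything other than Deny.
# Coverage note: defaultAction = Deny still admits traffic from explicitly
# listed IP ranges and virtual-network rules, and the account-level
# publicNetworkAccess setting is not evaluated by this rule. A deny effect
# acts on incoming requests; accounts that already exist are only reported as
# non-compliant, not changed.
resource "azurerm_policy_definition" "policy_deny_public_storage_account" {
  name        = "DenyPublicStorageAccount"
  policy_type = "Custom"
  # "Indexed" evaluates only resource types that support tags and location,
  # which storage accounts do.
  mode         = "Indexed"
  display_name = "Restrict Public-Facing Storage Accounts - Terraform"
  description  = "This policies denies that storage accounts in the given scope can be reached from their public endpoint"

  # jsonencode() replaces the raw heredocs: HCL checks the structure and
  # quoting at plan time and emits normalized JSON, so a stray comma or quote
  # fails locally instead of at the Azure API.
  metadata = jsonencode({
    category = "MDP-Security"
  })

  policy_rule = jsonencode({
    "if" = {
      allOf = [
        {
          field  = "type"
          equals = "Microsoft.Storage/storageAccounts"
        },
        {
          field     = "Microsoft.Storage/storageAccounts/networkAcls.defaultAction"
          notequals = "Deny"
        }
      ]
    }
    "then" = {
      effect = "deny"
    }
  })
}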
# One assignment of the definition above per entry in var.resource_groups;
# each.value must expose name and id (a resource group object or an
# equivalent map). This resource type needs azurerm >= 3.49.0 (see the
# answer on this page).
resource "azurerm_resource_group_policy_assignment" "deny_public_storage_accounts" {
  for_each = var.resource_groups

  name                 = "DenyPublicStorageAccounts-${each.value.name}"
  resource_group_id    = each.value.id
  policy_definition_id = azurerm_policy_definition.policy_deny_public_storage_account.id
  display_name         = "Terraform - Deny Public-Facing Storage Accounts - ${each.value.name}"
  description          = "Policy Assignment to restrict public-facing Storage Accounts"

  # Exclusions are currently switched off; the variable below re-enables them
  # when a sub-scope must be exempted.
  # not_scopes = var.security_policy_deny_public_storage_accounts_excluded
}
│ Error: Invalid resource type
│
│   on policies\policy_storage_account\main.tf line 41, in resource "azurerm_resource_group_policy_assignment" "deny_public_storage_accounts":
│   41: resource "azurerm_resource_group_policy_assignment" "deny_public_storage_accounts" {
│
│ The provider hashicorp/azurerm does not support resource type "azurerm_resource_group_policy_assignment".
Am I using an old version of AzureRM, or do I need to use another provider?
provider hashicorp/azurerm does not support resource type "azurerm_resource_group_policy_assignment
Hello Greencolor, it seems you have already found a solution to your problem; I am just posting it here for the benefit of others who face a similar issue on SO. Please feel free to add any points or inputs to this if required.
As per the GitHub link, `azurerm_resource_group_policy_assignment` is supported by azurerm from version = "3.49.0",
so make sure you are using a version greater than or equal to that.
It seems you are using version = "2.52.0",
which is very outdated. As per the HashiCorp docs, the latest version = "4.7.0"
as of today.
As MarkoE suggested, it is always best practice to use the latest provider version so that the most up-to-date features, improvements and security enhancements are available.