Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Child modules issue #734

Open
jotpal opened this issue Sep 12, 2024 · 0 comments
Open

Child modules issue #734

jotpal opened this issue Sep 12, 2024 · 0 comments

Comments

@jotpal
Copy link

jotpal commented Sep 12, 2024

Hi, Can I please request your assistance for this issue? Thanks

As an Azure compliance policy I have two resources storage_account and management_lock, If the storage account does not have a lock then compliance should be failing. The scenario works if both the resources on the on the same module (root or child).

But in my case storage account and management lock are on different modules. I have tried the debugging option and seems like lock resource is not mounted.

  • root main.tf
module "storage_account" {
  source = "./modules/azurerm_storage_account"

  name                          = "stnpaueaalzlog007"
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false
  lock_name                     = "lock-sa7"
  lock_level                    = "ReadOnly"
  notes                         = "Locked because it's needed by a third-party"
}
  • modules/azurerm_storage_account/main.tf
resource "azurerm_storage_account" "sa_acc" {
  name                          = var.name
  resource_group_name           = var.resource_group_name
  location                      = var.location
  account_tier                  = var.account_tier
  account_replication_type      = var.account_replication_type
  public_network_access_enabled = var.public_network_access_enabled
}

# Works if the module is not used
resource "azurerm_management_lock" "sa1" {
  name       = "lock-sa1"
  scope      = azurerm_storage_account.sa_acc.id
  lock_level = "CanNotDelete"
  notes      = "Locked because it's needed by a third-party"
}

# Does not work if the module is used

# module "storage_lock" {
#   source = "../azurerm_locks"
#   lock_level = "CanNotDelete"
#   scope      = azurerm_storage_account.sa_acc.id
#   lock_name  = "lock-sa1"
#   notes      = "Locked because it's needed by a third-party"
# }
  • modules/azurerm_locks
resource "azurerm_management_lock" "lock" {
  name       = var.lock_name
  scope      = var.scope
  lock_level = var.lock_level
  notes      = var.notes
}
  • Feature file
Feature: Validate lock is enabled for Storage Account

  Scenario: Ensure Azure Storage Account has lock enabled
    Given I have azurerm_storage_account defined
    Then it must have azurerm_management_lock

Please let me know if you need more info.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jotpal