
Issues with Terraform assignment_review_settings block


I am running into an issue where I am trying to set up an assignment policy for an Access Package in Microsoft Azure. The code works fine when I remove the assignment_review_settings, but adding it gives me this error:

│ Error: Could not update access package assignment policy with ID: "b7f7086a-42e1-47f1-9597-99d4bf9875a8"
│
│   with azuread_access_package_assignment_policy.policy,
│   on ap-policy.tf line 4, in resource "azuread_access_package_assignment_policy" "policy":
│    4: resource azuread_access_package_assignment_policy policy {
│
│ AccessPackageAssignmentPolicyClient.BaseClient.Put(): unexpected status 400 with OData error: ArgumentNullException: Value cannot be null.
│ Parameter name: value

From what I understand of the Terraform documentation for assignment_review_settings, the only thing that is required is the duration in days variable. When I run an empty assignment_review_settings block, I get this error:

╷
│ Error: `duration_in_days`, `review_frequency`, `access_review_timeout_behavior` must be set when review is enabled
│ 
│   with azuread_access_package_assignment_policy.policy,
│   on ap-policy.tf line 4, in resource "azuread_access_package_assignment_policy" "policy":
│    4: resource azuread_access_package_assignment_policy policy {
│ 
╵

I've added all three of those variables along with the enabled variable and I still get the same error. Does anyone have any experience with setting up the assignment review settings block for an access package ID?

main.tf:

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
    # The azuread_* resources in the other files come from the azuread
    # provider; declare it explicitly instead of relying on implicit lookup.
    azuread = {
      source = "hashicorp/azuread"
    }
    azuredevops = {
      source = "microsoft/azuredevops"
    }
  }
}

provider azurerm {
  features {}
}

provider azuread {}

provider azuredevops {}

access-package.tf:

# Access Package Catalog Variables
variable catalog_description {
  description = "The description of the access package catalog."
  default     = "Test Access Package created in Terraform"
  type        = string
}

variable externally_visible {
  description = "Whether the access packages in this catalog can be requested by users outside the tenant"
  type        = bool
  default     = false
}

variable ap_description {
  description = "The description of the access package."
  default     = "Test Access Package created in Terraform"
  type        = string
}

variable "hidden" { default = false }

resource azuread_access_package_catalog catalog {
  display_name       = "apc-"
  description        = var.catalog_description
  externally_visible = var.externally_visible
}

resource azuread_access_package access_package {
  catalog_id   = azuread_access_package_catalog.catalog.id
  display_name = "ap-"
  description  = var.ap_description
  hidden       = var.hidden
}

azuread-group.tf:

# Azure AD Group Variables
variable ad_description                {default = "Azure AD Group created in Terraform."}
variable rd_description                {default = "This is a custom role created via Terraform"}
variable prevent_duplicate_names       {default = true }
variable security_enabled              {default = true }
variable assignable_to_role            {default = false }

resource azuread_group group {
  display_name            = "apadg-"
  # Use the group's own description variable; the original referenced
  # var.ap_description (the access package description) by mistake.
  description             = var.ad_description
  prevent_duplicate_names = var.prevent_duplicate_names
  security_enabled        = var.security_enabled
  assignable_to_role      = var.assignable_to_role
  members                 = [data.azuread_user.user1.id, data.azuread_user.user2.id]
}

data azuread_user user1 {
  object_id                 = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

data azuread_user user2 {
  object_id                 = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

ap-policy.tf:

variable policy_display_name {default = "apap-"}
variable policy_description {default = "Test Access Package Assignment Policy created in Terraform"}

resource azuread_access_package_assignment_policy policy {
  access_package_id                         = azuread_access_package.access_package.id
  display_name                              = var.policy_display_name
  description                               = var.policy_description
  duration_in_days                          = 30

  requestor_settings {
    scope_type = "AllExistingDirectoryMemberUsers"
  }

  approval_settings {
    approval_required                       = true
    requestor_justification_required        = true

    approval_stage {
      approval_timeout_in_days              = 14

      primary_approver {
        object_id                           = azuread_group.group.id
        subject_type                        = "groupMembers"
      }

      alternative_approver {
        object_id                           = azuread_group.group.id
        subject_type                        = "groupMembers"
        backup                              = true
      }
    }
  }

  assignment_review_settings {
    enabled                                 = true
    duration_in_days                        = 14  
    review_frequency                        = "halfyearly"
    access_review_timeout_behavior          = "removeAccess"
  }

  question {
    required = true

    text {
      default_text = "This is a question."
    }
  }
}

Trying to apply the access package policy to an access package in an Azure environment. Removing the assignment_review_settings block will apply the policy with no issues, but adding it gives an error saying that a value is set to null. Looking at the requirements, I don't see any variables being required other than duration_in_days.


Solution

  • I figured it out. When setting up an assignment_review_settings block, you need to have a review_type block which can be set to "Manager", "Reviewers", or "Self".

    They are all pretty self-explanatory, but if you want to set the block to yourself it needs to look like this:

    assignment_review_settings {
      enabled                        = true
      review_frequency               = "weekly"
      duration_in_days               = 3
      review_type                    = "Self"
      access_review_timeout_behavior = "keepAccess"
    }
    

    If you want it to be assigned to a reviewer it needs to look like this:

    assignment_review_settings {
      enabled                        = true
      review_frequency               = "weekly"
      duration_in_days               = 3
      review_type                    = "Reviewers"
      access_review_timeout_behavior = "keepAccess"

      reviewer {
        object_id    = azuread_group.group.id
        subject_type = "groupMembers"
      }
    }
    

    Finally, if you want to set it to the manager setting, then it needs two reviewers, a primary and a backup:

    assignment_review_settings {
      enabled                        = true
      review_frequency               = "weekly"
      duration_in_days               = 3
      review_type                    = "Manager"
      access_review_timeout_behavior = "keepAccess"

      reviewer {
        object_id    = azuread_group.group.id
        subject_type = "groupMembers"
      }

      reviewer {
        object_id    = azuread_group.group.id
        subject_type = "groupMembers"
        backup       = true
      }
    }
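Putting the answer's fix together with the settings from the question, here is a complete policy resource as an added example; it is my own illustration, not the asker's code or anything from the azuread provider's docs. It assumes the `azuread_access_package.access_package` and `azuread_group.group` resources defined earlier on this page, uses the same attribute names that appear on the page, and declares the `hashicorp/azuread` provider that the question's main.tf omits. The display name, description and question text are placeholders.

```hcl
terraform {
  required_providers {
    # azuread_* resources come from this provider; declare it explicitly.
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

# Assumes azuread_access_package.access_package and azuread_group.group
# exist as defined in the question's access-package.tf and azuread-group.tf.
resource "azuread_access_package_assignment_policy" "policy" {
  access_package_id = azuread_access_package.access_package.id
  display_name      = "apap-"
  description       = "Access package assignment policy with periodic review"
  duration_in_days  = 30

  requestor_settings {
    scope_type = "AllExistingDirectoryMemberUsers"
  }

  approval_settings {
    approval_required                = true
    requestor_justification_required = true

    approval_stage {
      approval_timeout_in_days = 14

      primary_approver {
        object_id    = azuread_group.group.id
        subject_type = "groupMembers"
      }

      alternative_approver {
        object_id    = azuread_group.group.id
        subject_type = "groupMembers"
        backup       = true
      }
    }
  }

  assignment_review_settings {
    enabled          = true
    review_frequency = "halfyearly"
    duration_in_days = 14

    # review_type is what the question's block was missing; without it the
    # update fails with the ArgumentNullException shown in the question.
    review_type = "Reviewers"

    # removeAccess fails closed: assignments nobody reviews within the
    # 14-day window are revoked instead of silently kept (keepAccess).
    access_review_timeout_behavior = "removeAccess"

    # "Reviewers" needs at least one reviewer block; a backup reviewer
    # keeps the review from stalling if the primary group is empty.
    reviewer {
      object_id    = azuread_group.group.id
      subject_type = "groupMembers"
    }

    reviewer {
      object_id    = azuread_group.group.id
      subject_type = "groupMembers"
      backup       = true
    }
  }

  question {
    required = true

    text {
      default_text = "Why do you need this access?"
    }
  }
}
```

Run `terraform validate` and then `terraform plan` before applying: the provider-side check quoted in the question (`duration_in_days`, `review_frequency`, `access_review_timeout_behavior` must be set when review is enabled) fires at plan time, but the missing `review_type` only surfaces when the apply calls Graph, so a clean plan alone does not prove the block is complete. For `review_type = "Self"` the `reviewer` blocks are dropped; for `"Manager"` keep the backup reviewer as the answer shows.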