I m trying to import one of the Builtin Azure Policy Definit Pulumi Community #azure

I'm trying to import one of the Builtin Azure Poli...

straight-sunset-92336

04/06/2022, 8:51 AM

I'm trying to import one of the Builtin Azure Policy Definitions to use it in a Policy Assignment, but have some difficulties with the import. According to the documentation the import should be like this:

pulumi import azure-native:authorization:PolicyDefinition <name> /subscriptions/<subid>/providers/Microsoft.Authorization/policyDefinitions/<definitionid>

But the Builtin definitions are not in any subscriptions. Tested running this:

pulumi import azure-native:authorization:PolicyDefinition ActivityLogStreamToLogAnalytics /subscription/<one of my subscription id's>/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f

But it fails:

error: Preview failed: resource '/subscription/<one of my subscription id's>/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' does not exist

Any idea how I can get this definition imported?

great-queen-39697

04/06/2022, 9:12 PM

I don't, but I'm asking internally.

orange-policeman-59119

04/06/2022, 9:25 PM

azure-role-assignment_ts.ts

orange-policeman-59119

04/06/2022, 9:26 PM

Hey @straight-sunset-92336, Hmm. Import creates code & state to manage the resource, but I believe the built-in roles are immutable & can't be modified by Pulumi. I don't see that role definition when I run the Azure CLI, either, so I wonder if this might be behind a feature flag. Is this a recently added role definition to Azure? I found some code we use to manage Azure IAM here at Pulumi, and it looks like this is how we create role assignments. I modified it a bit and pasted it in as a snippet above.

straight-sunset-92336

04/07/2022, 6:48 AM

I created a ticket and got an answer that it isn't possible to import the builtin definitions.

7 Views

Open in Slack

Previous Next