Enforce Encryption CMK Still Broken, Requesting Workaround
Community Note
Before we dive into the issue, please take a moment to help the community and maintainers prioritize this request by voting on this issue with a 👍 reaction. Additionally, please refrain from leaving "+1" or "me too" comments, as they can generate extra noise for issue followers and do not help prioritize the request. If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Versions
- 6.2.1
Description
Describe the Bug
When attempting to deploy the core landing zones portion of the module, it fails due to a policy set definition. Specifically, the Enforce Encryption CMK policy set definition is trying to set a default enforcement value that Azure will not accept. This issue was previously fixed in a recent pull request that was merged to the main branch. However, we are currently two commits ahead of the latest release, and when referencing this module in our code, Terraform automatically pulls down the latest release, which is still in a broken state due to this issue.
This situation has left us in a bit of a bind, as we are unable to modify the module ourselves due to deploying it using Terraform Cloud. We are in dire need of a workaround to overcome this issue. Is there a way to override the policy set definition or reference the current state of this repository, rather than the latest release? Any help in this matter would be greatly appreciated.
Steps to Reproduce
To reproduce this issue, please follow these steps:
- Run the module using Deploy Core Landing Zones = True.
Workaround Options
Given the constraints of deploying the module using Terraform Cloud, we are left with a few options to consider:
Option 1: Override the Policy Set Definition
One possible workaround is to override the policy set definition. However, this would require modifying the module itself, which is not feasible in our current setup. We would need to find a way to apply the override without modifying the module.
Option 2: Reference the Current State of the Repository
Another option is to reference the current state of the repository, rather than the latest release. This would allow us to bypass the broken policy set definition and deploy the module successfully. However, this would require us to manually manage the version of the module, which could lead to inconsistencies and potential issues down the line.
Option 3: Patch the Module
A third option is to patch the module to remove the broken policy set definition. This would require us to create a custom patch and apply it to the module, which could be a complex and time-consuming process.
Conclusion
In conclusion, we are in need of a workaround to overcome the Enforce Encryption CMK issue in the module. We have explored a few options, including overriding the policy set definition, referencing the current state of the repository, and patching the module. We would appreciate any help or guidance in this matter, as we strive to deploy the module successfully using Terraform Cloud.
Recommendations
Based on our analysis, we recommend the following:
- Option 2: Reference the Current State of the Repository. This option seems to be the most feasible and straightforward solution, as it would allow us to bypass the broken policy set definition and deploy the module successfully.
- Create a Custom Patch. If Option 2 is not feasible, we recommend creating a custom patch to remove the broken policy set definition. This would require us to create a custom patch and apply it to the module, which could be a complex and time-consuming process.
Q&A
Q: What is the Enforce Encryption CMK issue?
A: The Enforce Encryption CMK issue is a problem with the policy set definition in the module, which is trying to set a default enforcement value that Azure will not accept. This is causing the module to fail when attempting to deploy the core landing zones portion.
Q: Why is this issue still broken?
A: This issue was previously fixed in a recent pull request that was merged to the main branch. However, we are currently two commits ahead of the latest release, and when referencing this module in our code, Terraform automatically pulls down the latest release, which is still in a broken state due to this issue.
Q: What are the possible workarounds for this issue?
A: There are a few possible workarounds for this issue, including:
- Option 1: Override the Policy Set Definition. This would require modifying the module itself, which is not feasible in our current setup.
- Option 2: Reference the Current State of the Repository. This would allow us to bypass the broken policy set definition and deploy the module successfully.
- Option 3: Patch the Module. This would require us to create a custom patch and apply it to the module, which could be a complex and time-consuming process.
Q: Which option do you recommend?
A: Based on our analysis, we recommend Option 2: Reference the Current State of the Repository. This option seems to be the most feasible and straightforward solution, as it would allow us to bypass the broken policy set definition and deploy the module successfully.
Q: What are the next steps for this issue?
A: We will continue to explore and evaluate the options outlined above. We will also reach out to the community and maintainers for further guidance and support. We appreciate any help or feedback in this matter, as we strive to deploy the module successfully using Terraform Cloud.
Q: How can I help with this issue?
A: If you are interested in working on this issue or have submitted a pull request, please leave a comment. We appreciate any help or feedback in this matter, as we strive to deploy the module successfully using Terraform Cloud.
Conclusion
In conclusion, we have outlined the Enforce Encryption CMK issue and provided a few possible workarounds. We recommend Option 2: Reference the Current State of the Repository as the most feasible and straightforward solution. We will continue to explore and evaluate the options outlined above and appreciate any help or feedback in this matter.
Recommendations
Based on our analysis, we recommend the following:
- Reference the Current State of the Repository. This option seems to be the most feasible and straightforward solution, as it would allow us to bypass the broken policy set definition and deploy the module successfully.
- Create a Custom Patch. If referencing the current state of the repository is not feasible, we recommend creating a custom patch to remove the broken policy set definition.
Next Steps
We will continue to explore and evaluate the options outlined above. We will also reach out to the community and maintainers for further guidance and support. We appreciate any help or feedback in this matter, as we strive to deploy the module successfully using Terraform Cloud.
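Option 2 can be done from the calling configuration alone, without modifying the module. The sketch below is an added example, not code from the issue or from the module's maintainers; the module label, organisation, repository and commit are placeholders to fill in.

```hcl
# Added example. <NAMESPACE>, <MODULE_NAME>, <PROVIDER>, <ORG>, <REPO> and
# <FULL_COMMIT_SHA_OF_FIX> are placeholders, not values from the issue.

# Before: registry source. Terraform can only resolve published releases,
# so the merged-but-unreleased fix is never picked up.
#
# module "landing_zones" {
#   source  = "<NAMESPACE>/<MODULE_NAME>/<PROVIDER>"
#   version = "6.2.1"
# }

# After: Git source pinned to the exact commit that contains the fix.
module "landing_zones" {
  # Pin to a full commit SHA, not to a branch. A ref of "main" would pull in
  # whatever has been pushed since the last run on the next `terraform init`,
  # so an unreviewed upstream change could reach the landing zone deployment.
  source = "git::https://github.com/<ORG>/<REPO>.git?ref=<FULL_COMMIT_SHA_OF_FIX>"

  # The `version` argument is only valid for registry sources; remove it
  # when switching to a Git source.

  # All existing module inputs stay exactly as they were.
}
```

Review the diff between the released tag and the pinned commit before applying, and switch back to the registry source with a version constraint once a release containing the fix is published.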