Azure Policy assignment

Question

Hi
I am trying to assign a policy via terraform. I am the owner of the management group however I do not understand why I am getting this exception:

Error: checking for presence of existing Policy Definition "policy_definition_uc_enforce_tag_businessunit": policy.DefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'live.com#**********' with object id 'ec311ed9-a620-4d3f-87bc-57b47e688fec' does not have authorization to perform action 'Microsoft.Management/managementgroups/Microsoft.Management/BOB/Microsoft.Authorization/policy_definition_uc_enforce_tag_businessunit/read' over scope '/providers/Microsoft.Management/managementgroups/providers/Microsoft.Management/managementGroups/BOB/providers/Microsoft.Authorization/policyDefinitions' or the scope is invalid. If access was recently granted, please refresh your credentials."

Any help much appreciated

Answer 1

Actually I found the problem:

I am creating the policy definitions and initiatives using Terraform. azurerm_policy_definition has an optional argument - management_group_name. I was originally just creating the definitions without providing this argument however when I wanted to assign the policy to a management group it threw the above exception. It seems you need to specify the management_group_name in the definition in order to assign the definitions to child resources.