Azure Policy Policy Assignment
This page shows how to write a Policy Assignment for Azure Policy in Terraform and Azure Resource Manager, and how to do so securely.
azurerm_management_group_policy_assignment (Terraform)
The Policy Assignment in Policy can be configured in Terraform with the resource name azurerm_management_group_policy_assignment. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_management_group_policy_assignment" "nzism" {
  # Assigns an initiative (policy set) only when a management group name was supplied.
  count                = var.management_group_name == null ? 0 : 1
  name                 = "nzism-mg"
  policy_definition_id = data.azurerm_policy_set_definition.nzism.id
  management_group_id  = data.azurerm_management_group.scope[0].id
  location             = var.location
}

resource "azurerm_management_group_policy_assignment" "assign_manamgement_policy" {
  # Generic, variable-driven assignment; parameters are passed as a JSON string.
  name                 = var.policy_name
  policy_definition_id = var.policy_definition_id
  management_group_id  = var.management_group_id
  enforce              = var.enforce
  parameters           = var.parameters != null ? jsonencode(var.parameters) : null
}

resource "azurerm_management_group_policy_assignment" "route_firewall" {
  name                 = "route_firewall"
  policy_definition_id = data.azurerm_policy_definition.route_firewall.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.route_firewall.display_name
}

resource "azurerm_management_group_policy_assignment" "disable_public_network_access" {
  name                 = "disable_network"
  policy_definition_id = data.azurerm_policy_definition.disable_public_network_access.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.disable_public_network_access.display_name
}

resource "azurerm_management_group_policy_assignment" "private_link_sku" {
  name                 = "private_link_sku"
  policy_definition_id = data.azurerm_policy_definition.private_link_sku.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.private_link_sku.display_name
}

resource "azurerm_management_group_policy_assignment" "vnet_injection" {
  name                 = "vnet_injection"
  policy_definition_id = data.azurerm_policy_definition.vnet_injection.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.vnet_injection.display_name
}

resource "azurerm_management_group_policy_assignment" "aad_admin_audit" {
  name                 = "aad_admin_audit"
  policy_definition_id = data.azurerm_policy_definition.aad_admin_audit.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.aad_admin_audit.display_name
}

resource "azurerm_management_group_policy_assignment" "deny_public_access" {
  name                 = "sql_deny_public_access"
  policy_definition_id = data.azurerm_policy_definition.sql_deny_public_access.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.sql_deny_public_access.display_name
}

resource "azurerm_management_group_policy_assignment" "disable_access_keys" {
  name                 = "disable_keys"
  policy_definition_id = data.azurerm_policy_definition.configure_disable_access_keys.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = data.azurerm_policy_definition.configure_disable_access_keys.display_name
}

resource "azurerm_management_group_policy_assignment" "deny_inbound_udp_pres" {
  # Assigns a custom definition managed in the same configuration rather than a built-in one.
  name                 = "deny_inbound_udp_pres"
  policy_definition_id = azurerm_policy_definition.default_nsg_rule.id
  management_group_id  = data.azurerm_management_group.policy_assignment_mgmt_group.id
  description          = "Policy Assignment test"
  display_name         = "deny_inbound_udp_pres"
}
Parameters
The following arguments are supported:
management_group_id
- (Required) The ID of the Management Group. Changing this forces a new Policy Assignment to be created.
name
- (Required) The name which should be used for this Policy Assignment. Assignment names at Management Group scope are limited to 24 characters. Changing this forces a new Policy Assignment to be created.
policy_definition_id
- (Required) The ID of the Policy Definition or Policy Set Definition (initiative). Changing this forces a new Policy Assignment to be created.
description
- (Optional) A description which should be used for this Policy Assignment.
display_name
- (Optional) The Display Name for this Policy Assignment.
enforce
- (Optional) Specifies whether this Policy should be enforced. Defaults to true. When set to false the assignment is created in DoNotEnforce mode: compliance is still evaluated and reported, but the policy effect is not applied to resource requests. Use false only for a staged rollout, never as a permanent setting for a Deny policy you rely on.
identity
- (Optional) An identity block as defined below. An identity is required when the assigned definition uses the DeployIfNotExists or Modify effect, because remediation runs under that identity.
-> Note: The location field must also be specified when identity is specified.
location
- (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.
metadata
- (Optional) A JSON mapping of any Metadata for this Policy.
not_scopes
- (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Management Group which are excluded from this Policy. Every entry here is a gap in coverage; keep the list short, explicit, and reviewed with the same care as the assignment itself.
parameters
- (Optional) A JSON mapping of any Parameters for this Policy (build it from a Terraform map with jsonencode()). Changing this forces a new Management Group Policy Assignment to be created.
An identity block supports the following:
type
- (Optional) The Type of Managed Identity which should be added to this Policy Assignment. The only possible value is SystemAssigned. (Newer versions of the provider also accept UserAssigned together with an identity_ids list; check the documentation for the provider version in use.)
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Management Group Policy Assignment.
The identity block exports the following:
principal_id
- The Principal ID of the Policy Assignment for this Management Group. The identity has no permissions of its own: grant it the roles listed in the policy definition's roleDefinitionIds (for example with azurerm_role_assignment) at the assignment scope and nothing wider. Without them remediation tasks fail; with more than needed, the assignment identity becomes a privileged path into every subscription under the Management Group.
tenant_id
- The Tenant ID of the Policy Assignment for this Management Group.
Explanation in Terraform Registry
Manages a Policy Assignment to a Management Group.
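The examples above stop at the assignment itself. The following is an added example, not code from any of the repositories cited on this page, showing the full shape of a remediating assignment at Management Group scope: a system-assigned identity with the mandatory location, an explicit enforce value, a reviewed not_scopes exclusion, parameters built with jsonencode(), and the least-privilege role assignment the identity needs. Assumptions, not facts from the page: a Management Group named "platform" exists, var.policy_definition_id points at a DeployIfNotExists or Modify definition that exposes an effect parameter, Contributor is the role that definition's roleDefinitionIds requires, and var.sandbox_subscription_id names a subscription that is deliberately excluded.

```hcl
# Added example: management-group policy assignment wired for remediation.
# Not from the repositories cited on this page. The management group name,
# variables and the Contributor role below are assumptions for illustration.

variable "policy_definition_id" {
  type        = string
  description = "Resource ID of a DeployIfNotExists/Modify policy definition (assumption: supplied by the caller)."
}

variable "sandbox_subscription_id" {
  type        = string
  description = "Subscription deliberately excluded from this assignment (assumption)."
}

data "azurerm_management_group" "platform" {
  name = "platform" # assumption: this management group already exists
}

resource "azurerm_management_group_policy_assignment" "remediate" {
  # Management-group-scoped assignment names must stay within 24 characters.
  name                 = "deploy-diag-settings"
  display_name         = "Deploy diagnostic settings (remediation)"
  management_group_id  = data.azurerm_management_group.platform.id
  policy_definition_id = var.policy_definition_id

  # true is the default; set false only for a staged rollout. DoNotEnforce
  # still reports compliance but applies no effect.
  enforce = true

  # DeployIfNotExists/Modify effects run as this identity; location is
  # mandatory whenever an identity block is present.
  location = "westeurope"
  identity {
    type = "SystemAssigned"
  }

  # Each exclusion is a coverage gap: keep the list short and explicit.
  not_scopes = [
    "/subscriptions/${var.sandbox_subscription_id}",
  ]

  # Policy parameters use the {"<name>": {"value": ...}} shape.
  parameters = jsonencode({
    effect = { value = "DeployIfNotExists" }
  })
}

# The assignment identity has no permissions by itself. Grant exactly the
# roles the definition's roleDefinitionIds require, at the assignment scope
# and nothing wider, so the identity cannot be used as an escalation path.
resource "azurerm_role_assignment" "remediate" {
  scope                = data.azurerm_management_group.platform.id
  role_definition_name = "Contributor" # assumption: what the chosen definition requires
  principal_id         = azurerm_management_group_policy_assignment.remediate.identity[0].principal_id
}

# Optional: remediate resources that were already non-compliant at assignment time.
# Without this, DeployIfNotExists only acts on resources created or updated afterwards.
resource "azurerm_management_group_policy_remediation" "initial" {
  name                 = "deploy-diag-settings-initial"
  management_group_id  = data.azurerm_management_group.platform.id
  policy_assignment_id = azurerm_management_group_policy_assignment.remediate.id

  depends_on = [azurerm_role_assignment.remediate]
}
```

The depends_on on the remediation resource matters in practice: a remediation task started before the role assignment has propagated fails on the first resources it touches, and the failure is easy to mistake for a policy bug. Checking terraform plan for the principal_id reference also confirms the identity block was actually created rather than silently omitted.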
Microsoft.Management/managementGroups (Azure Resource Manager)
The managementGroups in Microsoft.Management can be configured in Azure Resource Manager with the resource name Microsoft.Management/managementGroups. The following sections describe how to use the resource and its parameters. Note that the management group is only the scope: the policy assignment itself is a Microsoft.Authorization/policyAssignments resource deployed at that management group's scope, and the examples below create the management groups that such an assignment targets.
Example Usage from GitHub
{
  "type": "Microsoft.Management/managementGroups",
  "apiVersion": "2020-05-01",
  "name": "[parameters('topLevelManagementGroupPrefix')]",
  "properties": {}
},
{
  "type": "Microsoft.Management/managementGroups",
  "apiVersion": "2020-05-01",
  "name": "[variables('mgName')]",
  "properties": {}
},
{
  "type": "Microsoft.Management/managementGroups",
  "apiVersion": "2020-05-01",
  "name": "[parameters('enterpriseScaleCompanyPrefix')]",
  "properties": {}
}
Frequently asked questions
What is Azure Policy Policy Assignment?
Azure Policy Policy Assignment is a resource for Policy of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Policy Policy Assignment?
For Terraform, the simonbrady/azure-nzism, petemessina/policy-as-code and timwebster9/azure-policy source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the git-yrh-bloom/arm-bloom-es, geekyninja101/lz-poc-main and ZJQZ/cmp-core-public source code examples are useful. See the Azure Resource Manager Example section for further details.