Azure Policy Assignment
This page shows how to write Terraform and Azure Resource Manager (ARM) definitions for an Azure Policy assignment, and how to write them securely. The assignment is where a policy definition or initiative actually takes effect: its scope, its exclusions (not_scopes) and its enforcement mode decide what is denied, what is only audited, and what is silently exempted.
azurerm_policy_assignment (Terraform)
A Policy assignment can be configured in Terraform with the resource name azurerm_policy_assignment. The following sections show examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_policy_assignment" "tag_governance" {
  name                 = "tag_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_set_definition.tag_governance.id
  description          = "Assignment of the Tag Governance initiative to subscription."
  display_name         = "Tag Governance"
}
resource "azurerm_policy_assignment" "policy-assignment" {
  name                 = "5345bb39-67dc-4960-a1bf-427e16b9a0bd"
  scope                = "/subscriptions/add-subscription-id"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd"
}
resource "azurerm_policy_assignment" "kube-no-privileged" {
  name                 = "kube-no-privileged"
  scope                = azurerm_resource_group.demo.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
  description          = "Exceptions for some namespaces"
  display_name         = "Kubernetes - do not allow privileged containers"
}
resource "azurerm_policy_assignment" "monitoring_governance" {
  name                 = "monitoring_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = var.monitoring_governance_policyset_id
  description          = "Assignment of the Monitoring Governance initiative to subscription."
  display_name         = "Monitoring Governance"
}
resource "azurerm_policy_assignment" "deny" {
  name                 = "non-prod_deny"
  scope                = azurerm_management_group.non-prod.id
  policy_definition_id = azurerm_policy_set_definition.deny.id
  description          = "Deny policy initiative assignment for UAT subscription(s) - location and SKUs."
  display_name         = "Default deny initiative for Non-Prod"
}
resource "azurerm_policy_assignment" "Diagnostic_Logs" {
  name                 = "Diagnostic_Logs"
  scope                = azurerm_resource_group.main.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"
}
resource "azurerm_policy_assignment" "tag_governance" {
  name                 = "tag_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = var.tag_governance_policyset_id
  description          = "Assignment of the Tag Governance initiative to subscription."
  display_name         = "Tag Governance"
}
resource "azurerm_policy_assignment" "Policy-1" {
  name  = "example-policy-assignment"
  scope = var.resid
  # policy_definition_id = data.azurerm_policy_set_definition.example.id
  policy_definition_id = data.azurerm_policy_set_definition.azure_monitor.id
  description          = "Policy assignment to monitor all VMs"
}
resource "azurerm_policy_assignment" "azpol-EnableAuthentication_functionApp" {
  name                 = "azpol-FunAppEnableAuth"
  policy_definition_id = data.azurerm_policy_definition.azpoldef-EnableAuthentication_functionApp.id
  scope                = data.azurerm_resource_group.rg.id
  # JSON metadata for the assignment; the heredoc body is not included in this excerpt
  metadata = <<METADATA
METADATA
}
Parameters
- description (optional, string): free-text description of the assignment.
- display_name (optional, string): the name shown in the portal.
- enforcement_mode (optional, bool): true (the default) enforces the policy effect; false evaluates and reports compliance only (DoNotEnforce), so a deny policy blocks nothing. Use false for a pilot, not for production controls.
- id (optional, computed, string): the resource id of the assignment.
- location (optional, string): required whenever an identity block is set, because the managed identity is created in that region.
- metadata (optional, computed, string): JSON metadata attached to the assignment.
- name (required, string): the assignment name; it must be unique within the scope.
- not_scopes (optional, list of string): resource ids beneath the scope that are excluded from evaluation. Every entry is a gap in the control, so review this list as carefully as the policy itself.
- parameters (optional, string): a JSON string of parameter values for the definition.
- policy_definition_id (required, string): the id of a policy definition or of a policy set definition (initiative).
- scope (required, string): the management group, subscription, resource group or resource id the assignment applies to.
- identity (list block): the managed identity used by DeployIfNotExists and Modify effects to remediate resources.
  - principal_id (optional, computed, string)
  - tenant_id (optional, computed, string)
  - type (optional, string): SystemAssigned.
- timeouts (single block)
Explanation in Terraform Registry
Configures the specified Policy Definition at the specified Scope. Policy Set Definitions (initiatives) are also supported.
Note: the azurerm_policy_assignment resource has been deprecated in favour of the azurerm_management_group_policy_assignment, azurerm_resource_policy_assignment, azurerm_resource_group_policy_assignment and azurerm_subscription_policy_assignment resources and will be removed in v3.0 of the Azure Provider. In those scoped resources the enforcement flag is named enforce rather than enforcement_mode, and the scope is given by the resource-specific argument (management_group_id, subscription_id, resource_group_id or resource_id) instead of scope.
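The following is an added example, not code from the page's source repositories, showing the two patterns above written against the non-deprecated azurerm_subscription_policy_assignment resource: a deny assignment of the built-in "Kubernetes cluster should not allow privileged containers" definition (the same id as the kube-no-privileged example) with parameters, an explicit exclusion and a non-compliance message, and a remediating (DeployIfNotExists) assignment that needs a managed identity, a location and a role assignment. The variable deploy_policy_definition_id, the resource group rg-aks-sandbox, the region westeurope and the Monitoring Contributor role are assumptions; use the definition id and the roles listed in your definition's roleDefinitionIds.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

locals {
  # Built-in definition: Kubernetes cluster should not allow privileged containers
  no_privileged_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
}

resource "azurerm_subscription_policy_assignment" "kube_no_privileged" {
  name                 = "kube-no-privileged"
  display_name         = "Kubernetes - do not allow privileged containers"
  description          = "Deny privileged containers; exceptions only through excludedNamespaces or not_scopes"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = local.no_privileged_definition_id

  # enforce = false is DoNotEnforce: compliance is reported but nothing is blocked.
  enforce = true

  # Parameters are a JSON string of {name: {value: ...}}; jsonencode keeps it valid.
  parameters = jsonencode({
    effect             = { value = "deny" }
    excludedNamespaces = { value = ["kube-system", "gatekeeper-system", "azure-arc"] }
  })

  # Each not_scope is a full resource id below the assignment scope and is a
  # hole in the control. rg-aks-sandbox is an assumed resource group name.
  not_scopes = [
    "${data.azurerm_subscription.current.id}/resourceGroups/rg-aks-sandbox",
  ]

  non_compliance_message {
    content = "Privileged containers are not permitted in this subscription."
  }
}

# Assumed: the id of a DeployIfNotExists or Modify definition to assign.
variable "deploy_policy_definition_id" {
  type        = string
  description = "Resource id of a DeployIfNotExists policy definition (assumption)"
}

resource "azurerm_subscription_policy_assignment" "deploy_diag" {
  name                 = "deploy-diagnostics"
  display_name         = "Deploy diagnostic settings (remediating)"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = var.deploy_policy_definition_id

  # A location is required whenever an identity block is present (assumed region).
  location = "westeurope"

  identity {
    type = "SystemAssigned"
  }
}

# Grant the assignment's identity only the role(s) the definition's
# roleDefinitionIds require, at the assignment scope; without this every
# remediation task fails. Monitoring Contributor is an assumed example role.
resource "azurerm_role_assignment" "deploy_diag" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Monitoring Contributor"
  principal_id         = azurerm_subscription_policy_assignment.deploy_diag.identity[0].principal_id
}
```

Because the role assignment references the assignment's identity output, Terraform creates the assignment first and grants the role afterwards; the identity should never be given Owner or Contributor at a broader scope than the assignment itself.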
Microsoft.Authorization/policyAssignments (Azure Resource Manager)
A policy assignment can be configured in Azure Resource Manager with the resource type Microsoft.Authorization/policyAssignments. The following sections show how to use the resource and its parameters. The same constraints as in Terraform apply: an assignment whose definition uses DeployIfNotExists or Modify needs an identity block and a location, and that identity still has to be granted a role at the assignment scope (for example with a Microsoft.Authorization/roleAssignments resource) before remediation works.
Example Usage from GitHub
{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2018-05-01",
  "location": "[parameters('location')]",
  "properties": {
    "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed"
  }
}
{
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
  "apiVersion": "2019-09-01",
  "location": "[parameters('azureLocation')]",
  "identity": {
    "type": "SystemAssigned"
  }
}
{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2018-05-01",
  "name": "[variables('policyAssignmentNames').deployVmBackup]",
  "location": "[deployment().location]",
  "identity": {
    "type": "SystemAssigned"
  }
}
{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2018-05-01",
  "name": "[variables('policyAssignmentNames').denyRdp]",
  "properties": {
    "description": "Deny-RDP-from-Internet",
    "displayName": "Deny-RDP-from-Internet"
  }
}
{
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
  "apiVersion": "2018-05-01",
  "properties": {
    "scope": "[resourceGroup().id]",
    "policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', guid('diagnositcs-enabled-for-aks-cluster'))]"
  }
}
Frequently asked questions
What is Azure Policy Assignment?
Azure Policy Assignment is the resource that applies a Microsoft Azure policy definition or initiative to a scope. Its settings can be written in Terraform or in an Azure Resource Manager template.
Where can I find the example code for the Azure Policy Assignment?
For Terraform, the krishrocks1904/terraform-gets-started, davidmitchell2019/azure-postgres-terraform-inspec-terratest-ansible and tkubica12/kubernetes-demo source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the lolittle/azure, microsoft/azure_arc and karlochacon/my-arc-repo source code examples are useful. See the Azure Resource Manager Example section for further details.