Azure Policy Assignment

This page shows how to write a Policy Assignment in Terraform and in Azure Resource Manager, and how to configure it securely.

azurerm_policy_assignment (Terraform)

A Policy Assignment can be configured in Terraform with the resource type azurerm_policy_assignment. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

04-policy_assignment.tf#L4
resource "azurerm_policy_assignment" "tag_governance" {
  name                 = "tag_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_set_definition.tag_governance.id
  description          = "Assignment of the Tag Governance initiative to subscription."
  display_name         = "Tag Governance"
}
governance.tf#L2
resource "azurerm_policy_assignment" "policy-assignment" {
  name                 = "5345bb39-67dc-4960-a1bf-427e16b9a0bd"
  scope                = "/subscriptions/add-subscription-id"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd"
}
# Postgres geo replication policy assignment
policy.tf#L38
resource "azurerm_policy_assignment" "kube-no-privileged" {
  name                 = "kube-no-privileged"
  scope                = azurerm_resource_group.demo.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
  description          = "Exceptions for some namespaces"
  display_name         = "Kubernetes - do not allow privileged containers"
}
main.tf#L1
resource "azurerm_policy_assignment" "monitoring_governance" {
  name                 = "monitoring_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = var.monitoring_governance_policyset_id
  description          = "Assignment of the Monitoring Governance initiative to subscription."
  display_name         = "Monitoring Governance"
}
policy_assignments.tf#L1
resource "azurerm_policy_assignment" "deny" {
  name                 = "non-prod_deny"
  scope                = azurerm_management_group.non-prod.id
  policy_definition_id = azurerm_policy_set_definition.deny.id
  description          = "Deny policy initiative assignment for UAT subscription(s) - location and SKUs."
  display_name         = "Default deny initiative for Non-Prod"
}
03-policy-assignment.tf#L1
resource "azurerm_policy_assignment" "Diagnostic_Logs" {
  name                 = "Diagnostic_Logs"
  scope                = azurerm_resource_group.main.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"
}
main.tf#L1
resource "azurerm_policy_assignment" "tag_governance" {
  name                 = "tag_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = var.tag_governance_policyset_id
  description          = "Assignment of the Tag Governance initiative to subscription."
  display_name         = "Tag Governance"
}
main.tf#L5
resource "azurerm_policy_assignment" "Policy-1" {
  name  = "example-policy-assignment"
  scope = var.resid
  # policy_definition_id = data.azurerm_policy_set_definition.example.id
  policy_definition_id = data.azurerm_policy_set_definition.azure_monitor.id
  description          = "Policy assignment to monitor all VMs"
}
assignments.tf#L3
resource "azurerm_policy_assignment" "azpol-EnableAuthentication_functionApp" {
  name                 = "azpol-FunAppEnableAuth"
  policy_definition_id = data.azurerm_policy_definition.azpoldef-EnableAuthentication_functionApp.id
  scope = data.azurerm_resource_group.rg.id

  metadata = <<METADATA
main.tf#L1
resource "azurerm_policy_assignment" "monitoring_governance" {
  name                 = "monitoring_governance"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = var.monitoring_governance_policyset_id
  description          = "Assignment of the Monitoring Governance initiative to subscription."
  display_name         = "Monitoring Governance"
}

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Configures the specified Policy Definition at the specified Scope. Policy Set Definitions (initiatives) are also supported.

Note: The azurerm_policy_assignment resource has been deprecated in favour of the scope-specific azurerm_management_group_policy_assignment, azurerm_resource_policy_assignment, azurerm_resource_group_policy_assignment and azurerm_subscription_policy_assignment resources, and will be removed in v3.0 of the Azure Provider.
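Because the generic resource is deprecated, the subscription-scope tag_governance assignment from the examples above would be written with azurerm_subscription_policy_assignment instead. The block below is an added example, not code from any of the repositories on this page; it assumes the data.azurerm_subscription.current and azurerm_policy_set_definition.tag_governance names from those examples, and the initiative parameter, location and excluded resource group are constructed placeholders.

```hcl
# Replacement for the deprecated azurerm_policy_assignment block at subscription scope.
# Assumes data.azurerm_subscription.current and azurerm_policy_set_definition.tag_governance
# exist as in the tag_governance example above.
resource "azurerm_subscription_policy_assignment" "tag_governance" {
  name                 = "tag_governance"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_set_definition.tag_governance.id
  display_name         = "Tag Governance"
  description          = "Assignment of the Tag Governance initiative to subscription."

  # Keep enforcement on. Setting this to false turns the assignment into
  # audit-only (DoNotEnforce), which is easy to leave behind after a staged rollout.
  enforce = true

  # A managed identity is needed only when the initiative contains deployIfNotExists
  # or modify effects; the provider then also requires a location for the identity.
  identity {
    type = "SystemAssigned"
  }
  location = "westeurope" # placeholder region

  # Initiative parameters are passed as a JSON string; "tagName" is an assumed
  # parameter name for this page's Tag Governance initiative.
  parameters = jsonencode({
    tagName = { value = "costCenter" }
  })

  # Exclusions are declared on the assignment itself rather than by dropping scope.
  # "rg-sandbox" is a placeholder resource group name.
  not_scopes = [
    "${data.azurerm_subscription.current.id}/resourceGroups/rg-sandbox",
  ]
}
```

The not_scopes list is the place to review during an audit: every entry there is a scope the initiative is silently not applied to.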

Microsoft.Authorization/policyAssignments (Azure Resource Manager)

A policyAssignments resource under Microsoft.Authorization can be configured in Azure Resource Manager with the resource type Microsoft.Authorization/policyAssignments. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

deploy.json#L106
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "location": "[parameters('location')]",
            "properties": {
                "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
policyAzureArcBuiltins.json#L37
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
            "apiVersion": "2019-09-01",
            "location": "[parameters('azureLocation')]",
            "identity": {
                "type": "SystemAssigned"
policyAzureArcBuiltins.json#L37
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
            "apiVersion": "2019-09-01",
            "location": "[parameters('azureLocation')]",
            "identity": {
                "type": "SystemAssigned"
deploy.json#L107
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "location": "[parameters('location')]",
            "properties": {
                "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
lz-production.json#L103
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').deployVmBackup]",
            "location": "[deployment().location]",
            "identity": {
                "type": "SystemAssigned"
lz-development.json#L103
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').deployVmBackup]",
            "location": "[deployment().location]",
            "identity": {
                "type": "SystemAssigned"
lz-nonproduction.json#L103
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').deployVmBackup]",
            "location": "[deployment().location]",
            "identity": {
                "type": "SystemAssigned"
lz.json#L103
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').deployVmBackup]",
            "location": "[deployment().location]",
            "identity": {
                "type": "SystemAssigned"
lz.json#L147
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').denyRdp]",
            "properties": {
                "description": "Deny-RDP-from-Internet",
                "displayName": "Deny-RDP-from-Internet",
kubernetes.aks.deploy.json#L145
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
      "apiVersion": "2018-05-01",
      "properties": {
        "scope": "[resourceGroup().id]",
        "policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', guid('diagnositcs-enabled-for-aks-cluster'))]"

Frequently asked questions

What is Azure Policy Assignment?

Azure Policy Assignment is a resource of Azure Policy in Microsoft Azure. Its settings can be written in Terraform.

Where can I find the example code for the Azure Policy Assignment?

For Terraform, the krishrocks1904/terraform-gets-started, davidmitchell2019/azure-postgres-terraform-inspec-terratest-ansible and tkubica12/kubernetes-demo source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the lolittle/azure, microsoft/azure_arc and karlochacon/my-arc-repo source code examples are useful. See the Azure Resource Manager Example section for further details.