Azure Policy Definition
This page shows how to declare an Azure Policy Definition in Terraform and in Azure Resource Manager templates, and what to pay attention to when writing one securely.
azurerm_policy_definition (Terraform)
A Policy Definition can be configured in Terraform with the resource name azurerm_policy_definition. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub (each excerpt shows only the opening arguments of the resource block; the policy_rule, parameters and closing brace are cut off in the excerpts)
resource "azurerm_policy_definition" "require-tag-owner-on-rg" {
  name                  = "require-tag-owner-on-rg"
  policy_type           = "Custom"
  mode                  = "All"
  display_name          = "Require tag 'owner' on resource group"
  management_group_name = var.management-group-name
  # ...

resource "azurerm_policy_definition" "mf-chm-allowedlocations" {
  name         = "mf-chm-allowedlocations"
  display_name = "mf-chm-allowedlocations"
  policy_type  = "Custom"
  mode         = "Indexed"
  description  = "Polityka wymuszająca tworzenie zasobów w określonym regionie."
  # ...

resource "azurerm_policy_definition" "CHM-AllowedLocations" {
  name         = "CHM-AllowedLocations"
  display_name = "CHM-AllowedLocations"
  policy_type  = "Custom"
  mode         = "Indexed"
  description  = "Polityka wymuszająca tworzenie zasobów w określonym regionie."
  # ...

resource "azurerm_policy_definition" "add_monitor_tier_tag-test-dev-Qa" {
  name         = "add_monitor_tier_tag-test-dev-Qa"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Add monitor_tier tag to VM resources - Test, Dev and QA"
  # ...

resource "azurerm_policy_definition" "mf-chm-allowedlocations" {
  name         = "mf-chm-allowedlocations"
  display_name = "mf-chm-allowedlocations"
  policy_type  = "Custom"
  mode         = "Indexed"
  description  = "Polityka wymuszająca tworzenie zasobów w określonym regionie."
  # ...

resource "azurerm_policy_definition" "CHM-AllowedLocations" {
  name         = "CHM-AllowedLocations"
  display_name = "CHM-AllowedLocations"
  policy_type  = "Custom"
  mode         = "Indexed"
  description  = "Polityka wymuszająca tworzenie zasobów w określonym regionie."
  # ...

resource "azurerm_policy_definition" "azure_iam_noCustomSubsOwnerRoles_0001" {
  name         = "Custom - No custom subscription owner roles are created"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Custom - No custom subscription owner roles are created"
  # the heredoc body below and the remaining arguments are cut off in this excerpt
  metadata     = <<METADATA

resource "azurerm_policy_definition" "policy-definition_Deny-PublicEndpoint-CosmosDB" {
  name         = join(" - ", ["TF - Deny-PublicEndpoint-CosmosDB", var.affix])
  policy_type  = "Custom"
  mode         = "All"
  display_name = join(" - ", ["TF - Deny-PublicEndpoint-CosmosDB", var.affix])
  provider     = azurerm.ScDc-GCPASS-ICAS-Dev
  # ...

resource "azurerm_policy_definition" "policy-definition_Deny-PublicEndpoint-CosmosDB" {
  name         = "TF - Deny-PublicEndpoint-CosmosDB - GK"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "TF - Deny-PublicEndpoint-CosmosDB - GK"
  provider     = azurerm.ScSc-PBMMCTOSandbox
  # ...

resource "azurerm_policy_definition" "auditemptytagvalue" {
  name         = "auditEmptyTagValue"
  display_name = "Audit tag exists and has a value"
  description  = "This policy audits that a tag exists and has a non-empty value."
  policy_type  = "Custom"
  mode         = "Indexed"
  # ...
Parameters (argument, whether it is required, type)

  description            optional            string
  display_name           required            string
  id                     optional, computed  string
  management_group_id    optional, computed  string
  management_group_name  optional, computed  string
  metadata               optional, computed  string
  mode                   required            string
  name                   required            string
  parameters             optional            string
  policy_rule            optional            string
  policy_type            required            string
  timeouts               optional            single block
Explanation in Terraform Registry
Manages a policy rule definition on a management group or your provider subscription. Policy definitions do not take effect until they are assigned to a scope using a Policy Assignment.
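The excerpts above all stop before the policy_rule, which is the part that actually enforces anything, and the registry text notes that a definition does nothing until it is assigned. The following complete example is added here and is not code from the original page or from any of the listed repositories; it declares a custom "allowed locations" definition with a parameterised deny rule and assigns it to a subscription. The subscription ID is taken from an assumed variable, the region list and all names are constructed for the example, and the provider version constraint is an assumption. The policy_rule and parameters strings built with jsonencode have the same shape as the properties.policyRule and properties.parameters objects of the Microsoft.Authorization/policyDefinitions ARM resource described in the next section.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed; azurerm_subscription_policy_assignment needs >= 2.80
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed input: the subscription (GUID only) that the definition is created in
# and assigned to.
variable "subscription_id" {
  type = string
}

# Custom definition: deny resources created outside an approved list of regions.
# mode = "Indexed" restricts evaluation to resource types that support location
# and tags, so global or location-less resources are not blocked by accident.
resource "azurerm_policy_definition" "allowed_locations" {
  name         = "allowed-locations-example"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Allowed locations (example)"
  description  = "Denies resources created outside the approved regions."

  metadata = jsonencode({
    category = "General"
    version  = "1.0.0"
  })

  # The region list is a parameter, supplied at assignment time, so one
  # definition can be reused with different lists per scope.
  parameters = jsonencode({
    listOfAllowedLocations = {
      type = "Array"
      metadata = {
        displayName = "Allowed locations"
        description = "Regions in which resources may be created."
        strongType  = "location"
      }
    }
  })

  # Deny any resource whose location is outside the list, except resources in
  # the pseudo-region 'global' and resource groups themselves.
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "location", notIn = "[parameters('listOfAllowedLocations')]" },
        { field = "location", notEquals = "global" },
        { field = "type", notEquals = "Microsoft.Resources/subscriptions/resourceGroups" }
      ]
    }
    then = {
      effect = "Deny"
    }
  })
}

# The definition only takes effect once assigned. This assigns it at subscription
# scope with a concrete region list (values constructed for the example).
resource "azurerm_subscription_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations-example"
  display_name         = "Allowed locations (example)"
  subscription_id      = "/subscriptions/${var.subscription_id}"
  policy_definition_id = azurerm_policy_definition.allowed_locations.id

  parameters = jsonencode({
    listOfAllowedLocations = {
      value = ["westeurope", "northeurope"]
    }
  })
}
```

Two points worth checking when reviewing a definition like this: the effect of a Deny rule is only as good as its scope, so the assignment should sit at the management group or subscription that actually contains the workloads, and exclusions for 'global' and resource groups should be deliberate rather than copied blindly, since every exclusion is a gap in enforcement. Running terraform plan on the assignment is also a cheap way to see the final parameter values before the rule starts rejecting deployments.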
Microsoft.Authorization/policyDefinitions (Azure Resource Manager)
The policyDefinitions resource in the Microsoft.Authorization namespace can be configured in Azure Resource Manager with the resource type Microsoft.Authorization/policyDefinitions. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub (each excerpt shows only the opening lines of the resource object; the policyRule and remaining properties are cut off in the excerpts)
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "[variables('nicDiagPolicyName')]",
  "apiVersion": "2018-05-01",

  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
  "apiVersion": "2018-03-01",
  "properties": {
    "policyType": "Custom",
    "displayName": "Diagnositcs Enabled for AKS Cluster",

  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "[variables('nicDiagPolicyName')]",
  "apiVersion": "2018-05-01",
  "dependsOn": [],
  "properties": {
    "displayName": "[afc] Apply diagnostic settings for Network Interfaces - Log Analytics",

  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "nic-diag-policy",
  "apiVersion": "2018-05-01",
  "dependsOn": [],
  "properties": {
    "displayName": "Apply diagnostic settings for Network Interfaces",

  "type": "Microsoft.Authorization/policyDefinitions"
},
{
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
  "name": "7433c107-6db4-4ad1-b57a-a76dce0154a1",
  "properties": {

  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "[variables('nicDiagPolicyName')]",
  "apiVersion": "2018-05-01",
  "dependsOn": [],
  "properties": {
    "displayName": "COCloud: Apply diagnostic settings for Network Interfaces - Log Analytics",

  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "[variables('nicDiagPolicyName')]",
  "apiVersion": "2018-05-01",
  "dependsOn": [],
  "properties": {
    "displayName": "Apply diagnostic settings for Network Interfaces - Log Analytics",

  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2019-09-01",
  "properties": "[parameters('input1')]"
},
{
  "name": "Deploy-vNET-Spoke",

  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2018-05-01",
  "name": "[variables('nicDiagPolicyName')]",
  "dependsOn": [],
  "properties": {
    "displayName": "Apply diagnostic settings for Network Interfaces - Log Analytics",

  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "[variables('nicDiagPolicyName')]",
  "apiVersion": "2018-05-01",
  "dependsOn": [],
  "properties": {
    "displayName": "[afc] Apply diagnostic settings for Network Interfaces - Log Analytics",
Frequently asked questions
What is Azure Policy Definition?
Azure Policy Definition is a resource of the Policy service in Microsoft Azure. Its settings can be written in Terraform or in an Azure Resource Manager template.
Where can I find the example code for the Azure Policy Definition?
For Terraform, the tkubica12/azure-sandbox-governance, jakubramut/tf_azure and jakubramut/tf_azure source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the dipolimene/Template-Samples, lolittle/azure and AzureDeployment/azure-deploy source code examples are useful. See the Azure Resource Manager Example section for further details.