Azure Policy Definition

This page shows how to write Terraform and Azure Resource Manager (ARM) templates for Azure Policy definitions, and how to write them securely.

azurerm_policy_definition (Terraform)

A policy definition can be managed in Terraform with the azurerm_policy_definition resource. The following sections show examples of the resource and its parameters, excerpted from public GitHub repositories.

Example Usage from GitHub

policyDefinitions.tf#L4
resource "azurerm_policy_definition" "require-tag-owner-on-rg" {
  name                  = "require-tag-owner-on-rg"
  policy_type           = "Custom"
  # "All" is required here: "Indexed" only evaluates resource types that
  # support tags and location, and resource groups are only covered by "All".
  mode                  = "All"
  display_name          = "Require tag 'owner' on resource group"
  # management_group_name was deprecated in azurerm 2.x and removed in 3.0;
  # current provider versions take the full ID via management_group_id.
  management_group_name = var.management-group-name
policy-def.tf#L1
resource "azurerm_policy_definition" "mf-chm-allowedlocations" {
  name         = "mf-chm-allowedlocations"
  display_name = "mf-chm-allowedlocations"
  policy_type  = "Custom"
  mode         = "Indexed"
  description  = "Policy enforcing that resources are created in a specified region."
policy-def.tf#L1
resource "azurerm_policy_definition" "CHM-AllowedLocations" {
  name = "CHM-AllowedLocations"
  display_name = "CHM-AllowedLocations"
  policy_type = "Custom"
  mode = "Indexed"
  description = "Policy enforcing that resources are created in a specified region."
main.tf#L22
resource "azurerm_policy_definition" "add_monitor_tier_tag-test-dev-Qa" {
  name         = "add_monitor_tier_tag-test-dev-Qa"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Add monitor_tier tag to VM resources - Test, Dev and QA"

azure_MVP_policies.tf#L14
resource "azurerm_policy_definition" "azure_iam_noCustomSubsOwnerRoles_0001" {
  name         = "Custom - No custom subscription owner roles are created"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Custom - No custom subscription owner roles are created"
  metadata     = <<METADATA
policy_Deny-PublicEndpoints.tf#L3
resource "azurerm_policy_definition" "policy-definition_Deny-PublicEndpoint-CosmosDB" {
  name         = join(" - ", ["TF - Deny-PublicEndpoint-CosmosDB", var.affix])
  policy_type  = "Custom"
  mode         = "All"
  display_name = join(" - ", ["TF - Deny-PublicEndpoint-CosmosDB", var.affix])
  provider     = azurerm.ScDc-GCPASS-ICAS-Dev
policy_Deny-PublicEndpoints.tf#L3
resource "azurerm_policy_definition" "policy-definition_Deny-PublicEndpoint-CosmosDB" {
  name         = "TF - Deny-PublicEndpoint-CosmosDB - GK"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "TF - Deny-PublicEndpoint-CosmosDB - GK"
  provider     = azurerm.ScSc-PBMMCTOSandbox
custom_policies.tf#L1
resource "azurerm_policy_definition" "auditemptytagvalue" {
  name         = "auditEmptyTagValue"
  display_name = "Audit tag exists and has a value"
  description  = "This policy audits that a tag exists and has a non-empty value."
  policy_type  = "Custom"
  mode         = "Indexed"

Parameters

Explanation in Terraform Registry

Manages a policy rule definition on a management group or your provider subscription. Policy definitions do not take effect until they are assigned to a scope using a Policy Assignment.
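A complete definition together with the assignment that activates it, as an added example that is not taken from any of the repositories excerpted above. The resource names, the region list and the subscription scope are assumptions for illustration; it targets azurerm provider 3.x, where the management_group_name argument seen in older examples has been replaced by management_group_id. The JSON passed to policy_rule is exactly the object an ARM template places in properties.policyRule, so the rule body carries over unchanged to the Microsoft.Authorization/policyDefinitions resource described in the next section.

```hcl
# Added example, not code from the repositories quoted on this page.
# Assumptions: azurerm provider >= 3.0, and a caller holding
# "Resource Policy Contributor" (or Owner) on the target subscription.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# Deny any resource created outside a parameterised list of regions.
# mode = "Indexed" limits evaluation to resource types that support tags and
# location; resource groups and untaggable child resources are skipped.
# Use mode = "All" when the rule must also cover those.
resource "azurerm_policy_definition" "allowed_locations" {
  name         = "deny-locations-outside-allowlist" # hypothetical name
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Deny resources outside the allowed locations"
  description  = "Resources may only be created in the regions listed in the allowedLocations parameter."

  metadata = jsonencode({
    category = "General"
    version  = "1.0.0"
  })

  # Parameterise both the region list and the effect so the same definition
  # can be assigned in Audit mode first and switched to Deny later.
  parameters = jsonencode({
    allowedLocations = {
      type = "Array"
      metadata = {
        displayName = "Allowed locations"
        description = "Regions in which resources may be created."
        strongType  = "location"
      }
    }
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Deny"]
      defaultValue  = "Deny"
    }
  })

  # Identical to properties.policyRule in an ARM template.
  # "global" is excluded because region-less services (DNS, Traffic Manager)
  # report that pseudo-location and would otherwise be blocked.
  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field = "location"
          notIn = "[parameters('allowedLocations')]"
        },
        {
          field     = "location"
          notEquals = "global"
        }
      ]
    }
    then = {
      effect = "[parameters('effect')]"
    }
  })
}

# A definition has no effect until it is assigned. Assign it at subscription
# scope and supply the parameter values here, not in the definition.
resource "azurerm_subscription_policy_assignment" "allowed_locations" {
  name                 = "deny-locations-outside-allowlist" # hypothetical name
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.allowed_locations.id
  display_name         = "Deny resources outside the allowed locations"
  enforce              = true # false evaluates (DoNotEnforce) without blocking

  parameters = jsonencode({
    allowedLocations = { value = ["westeurope", "northeurope"] } # assumed regions
    effect           = { value = "Deny" }
  })
}
```

After terraform apply, creating a taggable resource such as a storage account in a region outside the list fails with a RequestDisallowedByPolicy error, while a resource group in that region is still accepted because of mode = "Indexed". To measure impact before blocking, assign with effect = "Audit" (or enforce = false) and review the compliance results, then switch to Deny in the assignment parameters without touching the definition.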

Microsoft.Authorization/policyDefinitions (Azure Resource Manager)

A policy definition can be deployed with an ARM template using the resource type Microsoft.Authorization/policyDefinitions. The following sections show examples of the resource and its properties, excerpted from public GitHub repositories.

Example Usage from GitHub

reportToLogAzure.json#L135
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('nicDiagPolicyName')]",
      "apiVersion": "2018-05-01",
kubernetes.aks.deploy.json#L9
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
      "apiVersion": "2018-03-01",
      "properties": {
        "policyType": "Custom",
        "displayName": "Diagnostics Enabled for AKS Cluster",
policy.afc.diagnostic.settings.azuredeploy.json#L68
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('nicDiagPolicyName')]",
      "apiVersion": "2018-05-01",
      "dependsOn": [],
      "properties": {
        "displayName": "[afc] Apply diagnostic settings for Network Interfaces - Log Analytics",
Apply_Diagnostic_settings.json#L20
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "nic-diag-policy",
      "apiVersion": "2018-05-01",
      "dependsOn": [],
      "properties": {
        "displayName": "Apply diagnostic settings for Network Interfaces",
azure.com_resources-policyDefinitions_2018-05-01.json#L153
                      "type": "Microsoft.Authorization/policyDefinitions"
                    },
                    {
                      "id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
                      "name": "7433c107-6db4-4ad1-b57a-a76dce0154a1",
                      "properties": {
diaglogs.policy.definition.azuredeploy.json#L68
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('nicDiagPolicyName')]",
      "apiVersion": "2018-05-01",
      "dependsOn": [],
      "properties": {
        "displayName": "COCloud: Apply diagnostic settings for Network Interfaces - Log Analytics",
policy.definition.azuredeploy.json#L68
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('nicDiagPolicyName')]",
      "apiVersion": "2018-05-01",
      "dependsOn": [],
      "properties": {
        "displayName": "Apply diagnostic settings for Network Interfaces - Log Analytics",
ARM-ManagementGroup-DeployPolicyDefs-vNET-Hub-and-Spoke.json#L23
            "type": "Microsoft.Authorization/policyDefinitions",
            "apiVersion": "2019-09-01",
            "properties": "[parameters('input1')]"
        },
        {
            "name": "Deploy-vNET-Spoke",
Enable_Diagnostics_OnAll_resources.json#L68
            "type": "Microsoft.Authorization/policyDefinitions",
            "apiVersion": "2018-05-01",
            "name": "[variables('nicDiagPolicyName')]",
            "dependsOn": [],
            "properties": {
                "displayName": "Apply diagnostic settings for Network Interfaces - Log Analytics",

Frequently asked questions

What is Azure Policy Definition?

Azure Policy Definition is a resource of the Azure Policy service in Microsoft Azure. Its settings can be written in Terraform or in an ARM template.

Where can I find the example code for the Azure Policy Definition?

For Terraform, the tkubica12/azure-sandbox-governance and jakubramut/tf_azure source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the dipolimene/Template-Samples, lolittle/azure and AzureDeployment/azure-deploy source code examples are useful. See the Azure Resource Manager Example section for further details.