Azure Policy Resource Group Policy Assignment
This page shows how to write Terraform and Azure Resource Manager for Policy Resource Group Policy Assignment and write them securely.
azurerm_resource_group_policy_assignment (Terraform)
The Resource Group Policy Assignment in Policy can be configured in Terraform with the resource name azurerm_resource_group_policy_assignment. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_resource_group_policy_assignment" "ap-001-location-ukwest" {
name = azurerm_policy_definition.ap-001-location-ukwest.name
display_name = azurerm_policy_definition.ap-001-location-ukwest.display_name
resource_group_id = azurerm_resource_group.rg-main.id
policy_definition_id = azurerm_policy_definition.ap-001-location-ukwest.id
}
resource "azurerm_resource_group_policy_assignment" "tf-st25-jr-chm-allowedresources-rg-ass" {
name = "tf-st25-jr-chm-allowedresources-rg-ass"
resource_group_id = azurerm_resource_group.tf-st25-jr01-rg.id
policy_definition_id = azurerm_policy_definition.tf-st25-jr-chm-allowedresources.id
description = "Przypisanie polityki tf-st25-jr-chm-allowedresources do subskrypcji"
display_name = "tf-st25-jr-chm-allowedresources-rg-ass"
resource "azurerm_resource_group_policy_assignment" "region" {
name = "region-assignment"
resource_group_id = azurerm_resource_group.mdp.id
policy_definition_id = azurerm_policy_definition.region.id
description = "Policy Assignment for valid Azure Region assignments"
display_name = "region-assignment"
resource "azurerm_resource_group_policy_assignment" "nzism" {
count = var.resource_group_name == null ? 0 : 1
name = "nzism-rg"
policy_definition_id = data.azurerm_policy_set_definition.nzism.id
resource_group_id = azurerm_resource_group.scope[0].id
location = var.location
Parameters
The following arguments are supported:
name- (Required) The name which should be used for this Policy Assignment. Changing this forces a new Policy Assignment to be created.policy_definition_id- (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.resource_group_id- (Required) The ID of the Resource Group where this Policy Assignment should be created. Changing this forces a new Policy Assignment to be created.
description- (Optional) A description which should be used for this Policy Assignment.display_name- (Optional) The Display Name for this Policy Assignment.enforce- (Optional) Specifies if this Policy should be enforced or not?identity- (Optional) Anidentityblock as defined below.
-> Note: The location field must also be specified when identity is specified.
location- (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.metadata- (Optional) A JSON mapping of any Metadata for this Policy.not_scopes- (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Management Group which are excluded from this Policy.parameters- (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Management Group Policy Assignment to be created.
A identity block supports the following:
type- (Optional) The Type of Managed Identity which should be added to this Policy Definition. The only possible value isSystemAssigned.
In addition to the Arguments listed above - the following Attributes are exported:
id- The ID of the Resource Group Policy Assignment.
The identity block exports the following:
principal_id- The Principal ID of the Policy Assignment for this Resource Group.tenant_id- The Tenant ID of the Policy Assignment for this Resource Group.
Explanation in Terraform Registry
Manages a Resource Group Policy Assignment.
Microsoft.Authorization/policyAssignments (Azure Resource Manager)
The policyAssignments in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/policyAssignments. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"location": "[parameters('location')]",
"properties": {
"displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
"apiVersion": "2019-09-01",
"location": "[parameters('azureLocation')]",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
"apiVersion": "2019-09-01",
"location": "[parameters('azureLocation')]",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"location": "[parameters('location')]",
"properties": {
"displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').deployVmBackup]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').deployVmBackup]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').deployVmBackup]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').deployVmBackup]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').denyRdp]",
"properties": {
"description": "Deny-RDP-from-Internet",
"displayName": "Deny-RDP-from-Internet",
"type": "Microsoft.Authorization/policyAssignments",
"name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
"apiVersion": "2018-05-01",
"properties": {
"scope": "[resourceGroup().id]",
"policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', guid('diagnositcs-enabled-for-aks-cluster'))]"
Frequently asked questions
What is Azure Policy Resource Group Policy Assignment?
Azure Policy Resource Group Policy Assignment is a resource for Policy of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Policy Resource Group Policy Assignment?
For Terraform, the tdtheautomator/terraform-azure-policies, jakubramut/tf_azure and sfibich/terraform-modern-data-platform source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the lolittle/azure, microsoft/azure_arc and karlochacon/my-arc-repo source code examples are useful. See the Azure Resource Manager Example section for further details.
