Azure Policy Assignment

This page shows how to configure an Azure Policy Assignment in Terraform and in Azure Resource Manager, and how to do so securely.

azurerm_resource_policy_assignment (Terraform)

A Policy Assignment scoped to a single resource can be configured in Terraform with the resource type azurerm_resource_policy_assignment. The following sections describe one example of how to use the resource, followed by its parameters.

Example Usage from GitHub

main.tf#L59
resource "azurerm_resource_policy_assignment" "policy_assignment" {
  name                 = "require-labeled-pods"
  resource_id          = data.azurerm_kubernetes_cluster.aks_cluster.id
  policy_definition_id = azurerm_policy_definition.policy.id
}

Parameters

The following arguments are supported:

  • name - (Required) The name which should be used for this Policy Assignment. Changing this forces a new Resource Policy Assignment to be created.

  • policy_definition_id - (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.

  • resource_id - (Required) The ID of the Resource (or Resource Scope) where this should be applied. Changing this forces a new Resource Policy Assignment to be created.

To create a Policy Assignment at a Management Group use the azurerm_management_group_policy_assignment resource, for a Resource Group use the azurerm_resource_group_policy_assignment and for a Subscription use the azurerm_subscription_policy_assignment resource.


  • description - (Optional) A description which should be used for this Policy Assignment.

  • display_name - (Optional) The Display Name for this Policy Assignment.

  • enforce - (Optional) Specifies whether this Policy should be enforced. Defaults to true; setting it to false puts the assignment in DoNotEnforce mode, in which compliance is evaluated and reported but the policy effect is never applied.

  • identity - (Optional) An identity block as defined below.

-> Note: The location field must also be specified when identity is specified.

  • location - (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.

  • metadata - (Optional) A JSON mapping of any Metadata for this Policy.

  • not_scopes - (Optional) Specifies a list of Resource Scopes within the scope of this assignment which are excluded from this Policy.

  • parameters - (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Resource Policy Assignment to be created.


An identity block supports the following:

  • type - (Optional) The Type of Managed Identity which should be added to this Policy Assignment. The only possible value is SystemAssigned.

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Resource Policy Assignment.

The identity block exports the following:

  • principal_id - The Principal ID of the Policy Assignment for this Resource.

  • tenant_id - The Tenant ID of the Policy Assignment for this Resource.
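The parameters above are easiest to read in a complete configuration. The following is an added example written for this page; it is not code from the original page nor from the floriandorau/opa-aks project. It assumes the built-in definition "Kubernetes cluster should not allow privileged containers" with its parameters effect and excludedNamespaces, and every variable name (aks_name, aks_resource_group, location, remediation_policy_definition_id, remediation_role_name) is a placeholder for values the caller supplies. It shows a Deny assignment with parameters, and a second assignment whose DeployIfNotExists remediation needs a system-assigned identity together with a location and an explicitly scoped role assignment.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder inputs (assumed names; supply real values at apply time).
variable "aks_name"                         { type = string }
variable "aks_resource_group"               { type = string }
variable "location"                         { type = string }
variable "remediation_policy_definition_id" { type = string } # a DeployIfNotExists/Modify definition
variable "remediation_role_name"            { type = string } # must match that definition's roleDefinitionIds

data "azurerm_kubernetes_cluster" "aks_cluster" {
  name                = var.aks_name
  resource_group_name = var.aks_resource_group
}

# Look the built-in definition up by display name instead of hard-coding its GUID
# (assumed built-in: "Kubernetes cluster should not allow privileged containers").
data "azurerm_policy_definition" "no_privileged" {
  display_name = "Kubernetes cluster should not allow privileged containers"
}

# 1. Deny assignment with parameters. Deny and Audit effects never act on
#    resources, so no managed identity is required here.
resource "azurerm_resource_policy_assignment" "no_privileged" {
  name                 = "deny-privileged-pods"
  display_name         = "Deny privileged containers on ${var.aks_name}"
  description          = "Blocks privileged containers; system namespaces are excluded."
  resource_id          = data.azurerm_kubernetes_cluster.aks_cluster.id
  policy_definition_id = data.azurerm_policy_definition.no_privileged.id

  # true (the default) applies the Deny effect; false would switch the assignment
  # to DoNotEnforce, which only reports compliance and blocks nothing.
  enforce = true

  # Each parameter is wrapped as {"value": ...}, the shape Azure Policy expects.
  parameters = jsonencode({
    effect             = { value = "Deny" }
    excludedNamespaces = { value = ["kube-system", "gatekeeper-system"] }
  })

  # Free-form metadata; the key below is illustrative only.
  metadata = jsonencode({
    owner = "platform-security"
  })
}

# 2. DeployIfNotExists/Modify assignment. The remediation runs as the
#    assignment's managed identity, so identity and location are set together.
resource "azurerm_resource_policy_assignment" "remediate" {
  name                 = "deploy-aks-settings"
  resource_id          = data.azurerm_kubernetes_cluster.aks_cluster.id
  policy_definition_id = var.remediation_policy_definition_id
  location             = var.location

  identity {
    type = "SystemAssigned"
  }
}

# Terraform does not create the role assignment for the identity the way the
# portal does. Grant only the role the definition declares, and only over the
# resource the assignment targets, rather than Contributor at subscription scope.
resource "azurerm_role_assignment" "remediate" {
  scope                = data.azurerm_kubernetes_cluster.aks_cluster.id
  role_definition_name = var.remediation_role_name
  principal_id         = azurerm_resource_policy_assignment.remediate.identity[0].principal_id
}

output "remediation_principal_id" {
  value = azurerm_resource_policy_assignment.remediate.identity[0].principal_id
}
```

Two checks are worth running after apply: confirm that enforce was not left at false for an assignment that is meant to block requests, and confirm that the role granted to the exported principal_id is scoped no wider than the assignment's resource_id, since a remediation identity with broad rights is an attractive pivot for anyone who can edit policy definitions.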

Explanation in Terraform Registry

Manages a Policy Assignment to a Resource.

Microsoft.Authorization/policyAssignments (Azure Resource Manager)

The policyAssignments in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/policyAssignments. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

deploy.json#L106
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "location": "[parameters('location')]",
            "properties": {
                "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
policyAzureArcBuiltins.json#L37
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
            "apiVersion": "2019-09-01",
            "location": "[parameters('azureLocation')]",
            "identity": {
                "type": "SystemAssigned"
lz.json#L103
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').deployVmBackup]",
            "location": "[deployment().location]",
            "identity": {
                "type": "SystemAssigned"
lz.json#L147
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2018-05-01",
            "name": "[variables('policyAssignmentNames').denyRdp]",
            "properties": {
                "description": "Deny-RDP-from-Internet",
                "displayName": "Deny-RDP-from-Internet",
kubernetes.aks.deploy.json#L145
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
      "apiVersion": "2018-05-01",
      "properties": {
        "scope": "[resourceGroup().id]",
        "policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', guid('diagnositcs-enabled-for-aks-cluster'))]"

Frequently asked questions

What is Azure Policy Assignment?

Azure Policy Assignment is a resource of the Azure Policy service in Microsoft Azure. Its settings can be written in Terraform.

Where can I find the example code for the Azure Policy Assignment?

For Terraform, the floriandorau/opa-aks source code example is useful. See the Terraform Example section for further details.

For Azure Resource Manager, the lolittle/azure, microsoft/azure_arc and karlochacon/my-arc-repo source code examples are useful. See the Azure Resource Manager Example section for further details.