Azure Policy Assignment
This page shows how to write Azure Policy Assignments in Terraform and in Azure Resource Manager templates, and how to write them securely: the assignment is what turns a policy definition into something that is actually evaluated (and, when enforced, denied or remediated) at a scope.
azurerm_resource_policy_assignment (Terraform)
A Policy Assignment can be configured in Terraform with the resource azurerm_resource_policy_assignment. The following sections describe one example of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_resource_policy_assignment" "policy_assignment" {
  name                 = "require-labeled-pods"
  # Scope of the assignment: a single AKS cluster, looked up via a data source.
  resource_id          = data.azurerm_kubernetes_cluster.aks_cluster.id
  # Custom definition declared elsewhere in the same configuration.
  policy_definition_id = azurerm_policy_definition.policy.id
}
Parameters
The following arguments are supported:

name - (Required) The name which should be used for this Policy Assignment. Changing this forces a new Resource Policy Assignment to be created.

policy_definition_id - (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.

resource_id - (Required) The ID of the Resource (or Resource Scope) where this should be applied. Changing this forces a new Resource Policy Assignment to be created.

To create a Policy Assignment at a Management Group use the azurerm_management_group_policy_assignment resource, for a Resource Group use the azurerm_resource_group_policy_assignment resource, and for a Subscription use the azurerm_subscription_policy_assignment resource.

description - (Optional) A description which should be used for this Policy Assignment.

display_name - (Optional) The Display Name for this Policy Assignment.

enforce - (Optional) Specifies whether this Policy should be enforced. Defaults to true. When set to false the assignment runs in DoNotEnforce mode: compliance is still evaluated and reported, but the effect (for example Deny) is not applied, so an audit-only assignment should be a deliberate choice rather than a leftover from testing.

identity - (Optional) An identity block as defined below.

-> Note: The location field must also be specified when identity is specified.

location - (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.

metadata - (Optional) A JSON mapping of any Metadata for this Policy.

not_scopes - (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within the scope of this assignment which are excluded from this Policy. Every entry here is a hole in coverage, so keep the list short and reviewed.

parameters - (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Resource Policy Assignment to be created.

An identity block supports the following:

type - (Optional) The Type of Managed Identity which should be added to this Policy Assignment. The only possible value is SystemAssigned. A managed identity is required when the assigned definition uses the DeployIfNotExists or Modify effect, and that identity must separately be granted the roles listed in the definition's roleDefinitionIds at the assignment scope, otherwise the assignment is created but every remediation fails on authorization.

In addition to the Arguments listed above - the following Attributes are exported:

id - The ID of the Resource Policy Assignment.

The identity block exports the following:

principal_id - The Principal ID of the Policy Assignment for this Resource.

tenant_id - The Tenant ID of the Policy Assignment for this Resource.
Explanation in Terraform Registry
Manages a Policy Assignment to a Resource.
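The following is an added, complete example (not code from the floriandorau/opa-aks repository cited on this page) that ties the arguments above together for the case that most often goes wrong in practice: a Modify-effect policy assigned to a single AKS cluster, with the managed identity, the location the provider requires alongside it, an explicit enforce setting, and the role assignment the identity needs before it can remediate anything. The cluster name "example-aks", resource group "example-rg", the definition name "add-owner-tag" and the tag value "platform-team" are assumptions; the role definition GUID is the built-in Contributor role.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed existing AKS cluster; the assignment is scoped to this one resource.
data "azurerm_kubernetes_cluster" "aks_cluster" {
  name                = "example-aks"
  resource_group_name = "example-rg"
}

# Custom definition: any resource without an "owner" tag gets one added.
# Modify needs an identity at assignment time; the role it will use is declared here.
resource "azurerm_policy_definition" "require_owner_tag" {
  name         = "add-owner-tag"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Add owner tag when missing"

  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["Modify", "Disabled"]
      defaultValue  = "Modify"
    }
    owner = {
      type     = "String"
      metadata = { displayName = "Value for the owner tag" }
    }
  })

  policy_rule = jsonencode({
    if = {
      field  = "tags['owner']"
      exists = "false"
    }
    then = {
      effect = "[parameters('effect')]"
      details = {
        # Built-in Contributor role. Listing it here does NOT grant it; see the
        # azurerm_role_assignment below.
        roleDefinitionIds = ["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"]
        operations = [{
          operation = "addOrReplace"
          field     = "tags['owner']"
          value     = "[parameters('owner')]"
        }]
      }
    }
  })
}

resource "azurerm_resource_policy_assignment" "owner_tag" {
  name                 = "add-owner-tag-aks"
  resource_id          = data.azurerm_kubernetes_cluster.aks_cluster.id
  policy_definition_id = azurerm_policy_definition.require_owner_tag.id
  display_name         = "Add owner tag on the AKS cluster"
  description          = "Tags the cluster with its owning team; enforced, not audit-only."

  # enforce = false would put the assignment in DoNotEnforce mode: compliance is
  # reported but the Modify effect never fires. Keep it explicit.
  enforce = true

  # A managed identity is mandatory for Modify/DeployIfNotExists, and the provider
  # requires location whenever identity is set.
  location = data.azurerm_kubernetes_cluster.aks_cluster.location
  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    effect = { value = "Modify" }
    owner  = { value = "platform-team" } # assumed tag value
  })
}

# Without this the assignment exists and shows non-compliance, but every
# remediation fails with an authorization error: the identity holds no role.
resource "azurerm_role_assignment" "policy_identity" {
  scope                = data.azurerm_kubernetes_cluster.aks_cluster.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_resource_policy_assignment.owner_tag.identity[0].principal_id
}
```

Two things to check after apply: the role assignment must be at (or above) the assignment scope, and resources that were already non-compliant before the assignment are only fixed by a remediation task (the Modify effect acts on create and update requests), so plan for that step rather than assuming the tag appears on its own.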
Microsoft.Authorization/policyAssignments (Azure Resource Manager)
The policyAssignments resource in the Microsoft.Authorization namespace can be configured in Azure Resource Manager with the resource type Microsoft.Authorization/policyAssignments. The following sections describe how to use the resource and its parameters. As with the Terraform resource, an assignment whose definition uses DeployIfNotExists or Modify needs an identity block (type SystemAssigned in the fragments below) together with a location, and the identity still needs a role assignment at the assignment scope; without it the assignment deploys but remediation fails.
Example Usage from GitHub
The distinct fragments from the cited repositories (each is an excerpt of a larger template, so names and properties that were not part of the excerpt are not shown):

{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2018-05-01",
  "location": "[parameters('location')]",
  "properties": {
    "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed"
  }
}

{
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
  "apiVersion": "2019-09-01",
  "location": "[parameters('azureLocation')]",
  "identity": {
    "type": "SystemAssigned"
  }
}

{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2018-05-01",
  "name": "[variables('policyAssignmentNames').deployVmBackup]",
  "location": "[deployment().location]",
  "identity": {
    "type": "SystemAssigned"
  }
}

{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2018-05-01",
  "name": "[variables('policyAssignmentNames').denyRdp]",
  "properties": {
    "description": "Deny-RDP-from-Internet",
    "displayName": "Deny-RDP-from-Internet"
  }
}

{
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
  "apiVersion": "2018-05-01",
  "properties": {
    "scope": "[resourceGroup().id]",
    "policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', guid('diagnositcs-enabled-for-aks-cluster'))]"
  }
}
Frequently asked questions
What is Azure Policy Assignment?
Azure Policy Assignment is the Azure Policy resource that binds a policy definition (or definition set) to a scope such as a resource, resource group, subscription or management group. Its settings can be written in Terraform or in an Azure Resource Manager template.
Where can I find the example code for the Azure Policy Assignment?
For Terraform, the floriandorau/opa-aks source code example is useful. See the Terraform "Example Usage from GitHub" section above for details.
For Azure Resource Manager, the lolittle/azure, microsoft/azure_arc and karlochacon/my-arc-repo source code examples are useful. See the Azure Resource Manager "Example Usage from GitHub" section above for details.