Azure Policy Subscription Policy Assignment
This page shows how to write Terraform and Azure Resource Manager for Policy Subscription Policy Assignment and write them securely.
azurerm_subscription_policy_assignment (Terraform)
The Subscription Policy Assignment in Policy can be configured in Terraform with the resource name azurerm_subscription_policy_assignment. The following sections describe 6 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_subscription_policy_assignment" "monitoring_governance" {
  name                 = "monitoring_governance"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = var.monitoring_governance_policyset_id
  description          = "Assignment of the Monitoring Governance initiative to subscription."
  display_name         = "Monitoring Governance"
}

resource "azurerm_subscription_policy_assignment" "custom" {
  name                 = "TangentPolicySet"
  policy_definition_id = azurerm_policy_set_definition.tangent.id
  subscription_id      = data.azurerm_subscription.sub.id
}

resource "azurerm_subscription_policy_assignment" "location-policy" {
  display_name         = "Allowed locations"
  name                 = "location-policy"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
  subscription_id      = data.azurerm_subscription.current.id
  parameters           = <<PARAMS

resource "azurerm_subscription_policy_assignment" "assignment_1" {
  name                 = "allowed-resources"
  policy_definition_id = azurerm_policy_definition.allowed_resources.id
  subscription_id      = "/subscriptions/201e612c-a95e-4c2e-aefe-5aef9c0cafb3"
  parameters           = <<PARAMETERS
{

resource "azurerm_subscription_policy_assignment" "tagging" {
  name                 = "tagging-policy-assignment"
  policy_definition_id = azurerm_policy_definition.tagging.id
  subscription_id      = data.azurerm_subscription.current.id
}

resource "azurerm_subscription_policy_assignment" "nzism" {
  count                = var.subscription_id == null ? 0 : 1
  name                 = "nzism-sub"
  policy_definition_id = data.azurerm_policy_set_definition.nzism.id
  subscription_id      = data.azurerm_subscription.scope[0].id
  location             = var.location
}
Parameters
The following arguments are supported:
name
- (Required) The name which should be used for this Policy Assignment. Changing this forces a new Policy Assignment to be created.
policy_definition_id
- (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.
subscription_id
- (Required) The ID of the Subscription where this Policy Assignment should be created. Changing this forces a new Policy Assignment to be created.
description
- (Optional) A description which should be used for this Policy Assignment.
display_name
- (Optional) The Display Name for this Policy Assignment.
enforce
- (Optional) Specifies whether this Policy should be enforced.
identity
- (Optional) An identity block as defined below.
-> Note: The location field must also be specified when identity is specified.
location
- (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.
metadata
- (Optional) A JSON mapping of any Metadata for this Policy.
not_scopes
- (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Subscription which are excluded from this Policy.
parameters
- (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Policy Assignment to be created.
An identity block supports the following:
type
- (Optional) The Type of Managed Identity which should be added to this Policy Assignment. The only possible value is SystemAssigned.
In addition to the Arguments listed above, the following Attributes are exported:
id
- The ID of the Subscription Policy Assignment.
The identity block exports the following:
principal_id
- The Principal ID of the Policy Assignment for this Subscription.
tenant_id
- The Tenant ID of the Policy Assignment for this Subscription.
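A complete assignment that ties the arguments above together, added here as an example and not taken from the page's GitHub sources: a built-in Deny-style definition with parameters, not_scopes and enforce, followed by a second assignment whose system-assigned identity is granted a role through the exported principal_id. The resource group name, the remediation_policy_definition_id variable and the Contributor role are assumptions.

```hcl
data "azurerm_subscription" "current" {}

# Assumed input: the ID of a DeployIfNotExists/Modify definition or initiative that needs remediation rights
variable "remediation_policy_definition_id" {
  type = string
}

resource "azurerm_subscription_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  display_name         = "Allowed locations"
  description          = "Restrict new resources to approved regions."
  subscription_id      = data.azurerm_subscription.current.id
  # Built-in "Allowed locations" definition, the same ID used by the location-policy example above
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
  enforce              = true

  # Constructed exemption: one resource group is left out of evaluation, the rest of the subscription is in scope
  not_scopes = ["${data.azurerm_subscription.current.id}/resourceGroups/rg-legacy-exempt"]

  # Keys must match the parameter names declared by the definition (listOfAllowedLocations for this built-in)
  parameters = <<PARAMETERS
{
  "listOfAllowedLocations": {
    "value": ["westeurope", "northeurope"]
  }
}
PARAMETERS
}

resource "azurerm_subscription_policy_assignment" "remediation" {
  name                 = "remediation-assignment"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = var.remediation_policy_definition_id
  location             = "westeurope" # required whenever an identity block is present

  identity {
    type = "SystemAssigned"
  }
}

# The system-assigned identity starts with no rights; grant it only what the definition's
# roleDefinitionIds require, at subscription scope (Contributor is a placeholder, narrow it)
resource "azurerm_role_assignment" "remediation" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_subscription_policy_assignment.remediation.identity[0].principal_id
}
```

Without the role assignment, a DeployIfNotExists or Modify policy reports compliance but every remediation task fails, so the missing grant is easy to miss until the first remediation run.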
Explanation in Terraform Registry
Manages a Subscription Policy Assignment.
Microsoft.Authorization/policyAssignments (Azure Resource Manager)
The policyAssignments in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/policyAssignments. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"location": "[parameters('location')]",
"properties": {
  "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",

"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyNameForLinuxDeployLogAnalytics')]",
"apiVersion": "2019-09-01",
"location": "[parameters('azureLocation')]",
"identity": {
  "type": "SystemAssigned"

"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').deployVmBackup]",
"location": "[deployment().location]",
"identity": {
  "type": "SystemAssigned"

"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').denyRdp]",
"properties": {
  "description": "Deny-RDP-from-Internet",
  "displayName": "Deny-RDP-from-Internet",

"type": "Microsoft.Authorization/policyAssignments",
"name": "[guid('diagnositcs-enabled-for-aks-cluster')]",
"apiVersion": "2018-05-01",
"properties": {
  "scope": "[resourceGroup().id]",
  "policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', guid('diagnositcs-enabled-for-aks-cluster'))]"
Frequently asked questions
What is Azure Policy Subscription Policy Assignment?
Azure Policy Subscription Policy Assignment is a resource for Policy of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Policy Subscription Policy Assignment?
For Terraform, the globalbao/azure-policy-as-code, quintindk/azurebootcamp21 and acend/terraform-training-env source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the lolittle/azure, microsoft/azure_arc and karlochacon/my-arc-repo source code examples are useful. See the Azure Resource Manager Example section for further details.