» azurerm_policy_assignment
Configures the specified Policy Definition at the specified Scope. Also, Policy Set Definitions are supported.
» Example Usage
resource "azurerm_policy_definition" "test" {
name = "my-policy-definition"
policy_type = "Custom"
mode = "All"
display_name = "my-policy-definition"
policy_rule = <<POLICY_RULE
{
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}
PARAMETERS
}
resource "azurerm_resource_group" "test" {
name = "test-resources"
location = "West Europe"
}
resource "azurerm_policy_assignment" "test" {
name = "example-policy-assignment"
scope = "${azurerm_resource_group.test.id}"
policy_definition_id = "${azurerm_policy_definition.test.id}"
description = "Policy Assignment created via an Acceptance Test"
display_name = "My Example Policy Assignment"
parameters = <<PARAMETERS
{
"allowedLocations": {
"value": [ "West Europe" ]
}
}
PARAMETERS
}
» Argument Reference
The following arguments are supported:
-
name
- (Required) The name of the Policy Assignment. Changing this forces a new resource to be created. -
scope
- (Required) The Scope at which the Policy Assignment should be applied, which must be a Resource ID (such as Subscription e.g./subscriptions/00000000-0000-0000-000000000000
or a Resource Group e.g./subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup
). Changing this forces a new resource to be created. -
policy_definition_id
- (Required) The ID of the Policy Definition to be applied at the specified Scope. -
identity
- (Optional) Anidentity
block. -
location
- (Optional) The Azure location where this policy assignment should exist. This is required when an Identity is assigned. Changing this forces a new resource to be created. -
description
- (Optional) A description to use for this Policy Assignment. Changing this forces a new resource to be created. -
display_name
- (Optional) A friendly display name to use for this Policy Assignment. Changing this forces a new resource to be created. -
parameters
- (Optional) Parameters for the policy definition. This field is a JSON object that maps to the Parameters field from the Policy Definition. Changing this forces a new resource to be created.
NOTE: This value is required when the specified Policy Definition contains the parameters
field.
-
not_scopes
- (Optional) A list of the Policy Assignment's excluded scopes. The list must contain Resource IDs (such as Subscriptions e.g./subscriptions/00000000-0000-0000-000000000000
or Resource Groups e.g./subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup
).
An identity
block supports the following:
-
type
- (Required) The Managed Service Identity Type of this Policy Assignment. Possible values areSystemAssigned
(where Azure will generate a Service Principal for you), orNone
(no use of a Managed Service Identity).
NOTE: When type
is set to SystemAssigned
, identity the Principal ID can be retrieved after the policy has been assigned.
» Attributes Reference
The following attributes are exported:
An identity
block exports the following:
-
principal_id
- The Principal ID of this Policy Assignment iftype
isSystemAssigned
. -
tenant_id
- The Tenant ID of this Policy Assignment iftype
isSystemAssigned
.
» Import
Policy Assignments can be imported using the policy name
, e.g.
terraform import azurerm_policy_assignment.assignment1 /subscriptions/00000000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/assignment1