This Terraform module streamlines the assignment of policy sets. You don't need to worry about assigning the correct roles, because the needed roles are calculated from the referenced policies. Currently only assignment to a resource group is supported.

A `random_string`, 20 characters long and prefixed with `pa-`, is used as the name if none is provided.

As this module assigns the required roles to the managed identity, you must have the `Microsoft.Authorization/roleAssignments/write` permission (for example through the User Access Administrator or Owner role) on the scope.

To avoid relying on data that is only available after apply, you need to provide the `policy_set_definition` and the `policy_definitions` that it references.
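As an added illustration of the role calculation described above (this is not the module's own code, and the module may implement it differently), the following stand-alone configuration derives the role definition ids from the `policy_rule` of constructed policy definitions; the Contributor role id is used for the remediation policy, and `terraform plan` prints the result as an output:

```hcl
# Added illustration, not the module's implementation: derive the role
# definition ids a policy assignment's managed identity needs from each
# policy's policy_rule. Both policy definitions below are constructed.
locals {
  sample_policy_definitions = [
    {
      # A remediating (deployIfNotExists) policy lists the roles it needs
      # under then.details.roleDefinitionIds.
      id = "/providers/Microsoft.Authorization/policyDefinitions/constructed-dine"
      policy_rule = jsonencode({
        if = { field = "type", equals = "Microsoft.Storage/storageAccounts" }
        then = {
          effect = "deployIfNotExists"
          details = {
            type = "Microsoft.Insights/diagnosticSettings"
            roleDefinitionIds = [
              # Built-in Contributor role definition id
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            ]
          }
        }
      })
    },
    {
      # An audit-only policy has no details block and therefore grants no role.
      id = "/providers/Microsoft.Authorization/policyDefinitions/constructed-audit"
      policy_rule = jsonencode({
        if   = { field = "type", equals = "qbeyond.Nothing" }
        then = { effect = "audit" }
      })
    },
  ]

  # try() returns an empty list for policies without details.roleDefinitionIds;
  # distinct() prevents duplicate role assignments when several policies
  # require the same role.
  required_role_definition_ids = distinct(flatten([
    for pd in local.sample_policy_definitions :
    try(jsondecode(pd.policy_rule).then.details.roleDefinitionIds, [])
  ]))
}

# Review this list before applying: it is the complete set of roles the
# assignment's managed identity will receive on the scope.
output "required_role_definition_ids" {
  value = local.required_role_definition_ids
}
```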
You can easily assign a custom policy set to a resource group.
```hcl
provider "azurerm" {
  features {
  }
}

resource "random_pet" "this" {
  separator = ""
  length    = 1
  prefix    = "PolicyAssignment"
}

resource "azurerm_resource_group" "this" {
  #ts:skip=AC_AZURE_0389 Example RGs should not be locked, but immediately destroyed
  name     = "rg-dev-${random_pet.this.id}-01"
  location = "West Europe"
}

resource "azurerm_policy_definition" "this" {
  name         = "pd-policy-does-nothing-${random_pet.this.id}"
  display_name = "A policy that is just used to test a policy assignment."
  policy_type  = "Custom"
  mode         = "Indexed"
  policy_rule = jsonencode({
    if = {
      field  = "type"
      equals = "qbeyond.Nothing"
    }
    then = {
      effect = "audit"
    }
  })
}

resource "azurerm_policy_set_definition" "this" {
  name         = "pd-policy-set-does-nothing-${random_pet.this.id}"
  display_name = "A policy set that is just used to test a policy assignment."
  policy_type  = "Custom"
  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.this.id
    parameter_values     = jsonencode({})
  }
}

module "policy_assignment_resource_group" {
  source                = "../.."
  scope                 = azurerm_resource_group.this.id
  location              = azurerm_resource_group.this.location
  policy_set_definition = azurerm_policy_set_definition.this
  policy_definitions    = [azurerm_policy_definition.this]
}
```
To assign a built-in policy set, you need to retrieve the set and the policies it references as data sources and pass them to the module.
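The built-in case described above, as an added example that is not part of the module's README: the initiative display name is assumed to exist as a built-in policy set in the tenant, and the module `source` path is the same relative path the custom example uses.

```hcl
# Added example (not the module's own): assign a built-in policy set by
# reading it and every policy it references as data sources, so all ids
# are known at plan time.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "this" {
  name     = "rg-dev-builtin-policy-01"
  location = "West Europe"
}

# Look up the built-in initiative by display name (assumed to exist).
data "azurerm_policy_set_definition" "builtin" {
  display_name = "Audit machines with insecure password security settings"
}

# Resolve every referenced policy. Built-in definition ids end in the
# definition name, so basename() yields the value for the name lookup.
# Keying the map by id also de-duplicates policies referenced twice.
data "azurerm_policy_definition" "referenced" {
  for_each = {
    for ref in data.azurerm_policy_set_definition.builtin.policy_definition_reference :
    ref.policy_definition_id => ref
  }
  name = basename(each.value.policy_definition_id)
}

module "policy_assignment_builtin" {
  source                = "../.."
  scope                 = azurerm_resource_group.this.id
  location              = azurerm_resource_group.this.location
  policy_set_definition = data.azurerm_policy_set_definition.builtin
  policy_definitions    = values(data.azurerm_policy_definition.referenced)
}
```

Because the data sources are read during plan, the plan already shows which role assignments the module will create for the assignment's identity.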
| Name | Version |
|---|---|
| terraform | >=1.1.0 |
| azurerm | >=2.66.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| location | The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created. | string | n/a | yes |
| policy_definitions | The policy definitions that are referenced by the policy set. `id` is used to validate that every referenced policy is present. `policy_rule` is used to extract the ids of the role definitions required for remediation. `role_definition_id` is used to validate the role assignment. | list(object({ | n/a | yes |
| policy_set_definition | The policy set definition to assign. | object({ | n/a | yes |
| scope | The scope to assign the policy to. | string | n/a | yes |
| description | A description which should be used for this Policy Assignment. If none is provided, the description of the definition is used. | string | null | no |
| display_name | The display name for this Policy Assignment. If none is provided, the display name of the definition is used. | string | null | no |
| metadata | A map of any metadata for this Policy Assignment. | map(string) | null | no |
| name | The name which should be used for this Policy Assignment. If none is provided, a random string prefixed with `pa-` is used. Changing this forces a new Resource Policy Assignment to be created. Cannot exceed 24 characters in length, because this is the maximum for management group assignments. | string | null | no |
| parameters | Map of parameters for the policy assignment. | any | null | no |
| Name | Description |
|---|---|
| resource_group_policy_assignment | The `azurerm_resource_group_policy_assignment` object, if `scope` was a resource group. |
| Type | Used |
|---|---|
| azurerm_resource_group_policy_assignment | 1 |
| azurerm_role_assignment | 1 |
| random_id | 1 |

`Used` only includes resource blocks. `for_each` and `count` meta-arguments, as well as resource blocks of modules, are not considered.
No modules.
| Name | Type |
|---|---|
| azurerm_resource_group_policy_assignment.this | resource |
| azurerm_role_assignment.this | resource |
| random_id.name | resource |
| azurerm_role_definition.this | data source |
Please use pull requests to contribute.

Run `terraform apply` twice for any examples and tests. The second apply shouldn't plan any changes. You may run `terraform test` to run the tests, although the tests use conditions rather than the experimental `terraform.io/builtin/test` resources.

When a new feature or fix is ready to be released, create a new GitHub release and adhere to Semantic Versioning 2.0.0.