This module creates an Azure Policy definition and assigns it to a list of scopes IDs (Azure Susbcriptions or Resource Groups).
| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
locals {
policy_tags_rule = <<RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachineScaleSets"
},
{
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"equals": "[parameters('tagValue')]"
}
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
],
"operations": [
{
"operation": "addOrReplace",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[parameters('tagValue')]"
}
]
}
}
}
RULE
policy_tags_parameters = <<PARAMETERS
{
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
}
PARAMETERS
policy_assignments = {
production = {
display_name = "VMSS tags checking for my production subscription"
description = "VMSS tags checking for my production subscription"
scope_id = "/subscriptions/xxxxx"
scope_type = "subscription"
location = module.azure_region.location
parameters = jsonencode({
environment = {
value = "production"
},
managed_by = {
value = "Claranet"
}
})
identity_type = "SystemAssigned"
enforce = false
},
preproduction = {
display_name = "VMSS tags checking for my Management group ABCD"
description = "VMSS tags checking for my Management group ABCD"
scope_id = "/providers/Microsoft.Management/managementGroups/group1"
scope_type = "management-group"
location = module.azure_region.location
parameters = jsonencode({
managed_by = {
value = "Claranet"
}
})
identity_type = "None"
enforce = true
}
}
}
module "policy_tags" {
source = "claranet/policy/azurerm"
version = "x.x.x"
policy_display_name = "VMSS tagging policy"
policy_rule_content = local.policy_tags_rule
policy_parameters_content = local.policy_tags_parameters
policy_assignments = local.policy_assignments
}| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.0 |
No modules.
| Name | Type |
|---|---|
| azurerm_management_group_policy_assignment.assign_policy_mgmt | resource |
| azurerm_policy_definition.main_policy | resource |
| azurerm_resource_group_policy_assignment.assign_policy_rg | resource |
| azurerm_resource_policy_assignment.assign_policy_res | resource |
| azurerm_subscription_policy_assignment.assign_policy_sub | resource |
| azurecaf_name.policy | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name_prefix | Optional prefix for the generated name | string |
"" |
no |
| name_suffix | Optional suffix for the generated name | string |
"" |
no |
| policy_assignments | Map with maps to configure assignments. Map key is the name of the assignment. | map(object({ |
n/a | yes |
| policy_description | The description of the policy definition. | string |
"" |
no |
| policy_display_name | The display name of the policy definition. | string |
n/a | yes |
| policy_mgmt_group_name | Create the Policy Definition at the Management Group level | string |
null |
no |
| policy_mode | The policy mode that allows you to specify which resource types will be evaluated. The value can be All, Indexed or NotSpecified. |
string |
"All" |
no |
| policy_name | The name of the policy definition. Defaults generated from CAF Provider or display name if CAF is disabled. | string |
"" |
no |
| policy_parameters_content | Parameters for the policy definition. This field is a json object that allows you to parameterize your policy definition. | string |
n/a | yes |
| policy_rule_content | The policy rule for the policy definition. This is a json object representing the rule that contains an if and a then block. | string |
n/a | yes |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource name. policy_name override this if set. Legacy default name is used if this is set to false. |
bool |
true |
no |
| Name | Description |
|---|---|
| policy_definition_id | Azure policy ID |
Microsoft Azure documentation: docs.microsoft.com/en-us/azure/governance/policy/how-to/programmatically-create