Azure Policy

This module creates an Azure Policy definition and assigns it to a list of scope IDs (Azure Subscriptions, Resource Groups, Management Groups or individual resources).

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|----------------|-------------------|------------------|-----------------|
| >= 8.x.x       | Unverified        | 1.8.x            | >= 4.0          |
| >= 7.x.x       | 1.3.x             |                  | >= 3.0          |
| >= 6.x.x       | 1.x               |                  | >= 3.0          |
| >= 5.x.x       | 0.15.x            |                  | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   |                  | >= 2.0          |
| >= 3.x.x       | 0.12.x            |                  | >= 2.0          |
| >= 2.x.x       | 0.12.x            |                  | < 2.0           |
| < 2.x.x        | 0.11.x            |                  | < 2.0           |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. Instead, we recommend using OpenTofu.

```hcl
locals {
  # Policy rule: any Virtual Machine Scale Set whose tag `tagName` does not
  # equal `tagValue` gets the tag added or replaced through the "modify" effect.
  # The role definition ID is the built-in Virtual Machine Contributor role,
  # which the assignment's managed identity needs in order to remediate.
  policy_tags_rule = <<RULE
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      {
        "not": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "equals": "[parameters('tagValue')]"
        }
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]"
        }
      ]
    }
  }
}
RULE

  # Parameters declared by the policy definition. Every assignment below must
  # only supply parameters declared here, and the rule may only reference these.
  policy_tags_parameters = <<PARAMETERS
{
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'environment'"
    }
  },
  "tagValue": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Value",
      "description": "Value of the tag, such as 'production'"
    }
  }
}
PARAMETERS

  # One assignment per map key. `location` here comes from the Claranet
  # regions module (module.azure_region), which must be declared alongside.
  policy_assignments = {
    production = {
      display_name = "VMSS tags checking for my production subscription"
      description  = "VMSS tags checking for my production subscription"
      scope_id     = "/subscriptions/xxxxx"
      scope_type   = "subscription"
      location     = module.azure_region.location
      # Keys must match the parameters declared in `policy_tags_parameters`.
      parameters = jsonencode({
        tagName = {
          value = "environment"
        },
        tagValue = {
          value = "production"
        }
      })
      identity_type = "SystemAssigned"
      enforce       = false
    },
    preproduction = {
      display_name = "VMSS tags checking for my Management group ABCD"
      description  = "VMSS tags checking for my Management group ABCD"
      scope_id     = "/providers/Microsoft.Management/managementGroups/group1"
      scope_type   = "management-group"
      location     = module.azure_region.location
      parameters = jsonencode({
        tagName = {
          value = "managed_by"
        },
        tagValue = {
          value = "Claranet"
        }
      })
      identity_type = "None"
      enforce       = true
    }
  }
}

module "policy_tags" {
  source  = "claranet/policy/azurerm"
  version = "x.x.x"

  display_name = "VMSS tagging policy"

  rule_content       = local.policy_tags_rule
  parameters_content = local.policy_tags_parameters

  assignments = local.policy_assignments
}
```

Providers

| Name     | Version    |
|----------|------------|
| azurecaf | ~> 1.2.28  |
| azurerm  | ~> 4.0     |

Modules

No modules.

Resources

| Name                                              | Type        |
|---------------------------------------------------|-------------|
| azurerm_management_group_policy_assignment.main   | resource    |
| azurerm_policy_definition.main                    | resource    |
| azurerm_resource_group_policy_assignment.main     | resource    |
| azurerm_resource_policy_assignment.main           | resource    |
| azurerm_subscription_policy_assignment.main       | resource    |
| azurecaf_name.policy                              | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| assignments | Map of maps to configure assignments. The map key is the name of the assignment. | `map(object({ display_name = string, description = string, scope_id = string, scope_type = string, parameters = string, identity_type = string, location = string, enforce = bool }))` | n/a | yes |
| custom_name | The name of the policy definition. Generated by default. | `string` | `""` | no |
| description | The description of the policy definition. | `string` | `""` | no |
| display_name | The display name of the policy definition. | `string` | n/a | yes |
| mgmt_group_name | Management Group name; when set, the Policy Definition is created at that Management Group level. | `string` | `null` | no |
| mode | The policy mode, which specifies which resource types will be evaluated. The value can be `All`, `Indexed` or `NotSpecified`. | `string` | `"All"` | no |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| parameters_content | Parameters for the policy definition. This field is a JSON object that allows you to parameterize your policy definition. | `string` | n/a | yes |
| rule_content | The policy rule for the policy definition. This is a JSON object representing the rule, containing an `if` and a `then` block. | `string` | n/a | yes |

Outputs

| Name          | Description                   |
|---------------|-------------------------------|
| definition_id | Azure policy definition ID.   |
| resource      | Azure policy resource object. |

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/governance/policy/how-to/programmatically-create