The azure policy is a service that has been designed to help you enforce different rules and to act based on the rule’s effect on your Azure resources. You can use it to create, assign and manage policies. Azure policy evaluates your resources for non-compliance with assigned policies and performs the assigned effect. <\/p>\n\n\n\n\n\n\n\n Azure policy is basically 3 components<\/strong>– policy definition<\/em>, assignment<\/em>,<\/strong> and initiative policy<\/em>.<\/p>\n\n\n\n So, Policy definition<\/strong> is the conditions under which you want to be controlled. There are built-in definitions such as controlling what type of resources can be deployed to enforce the use of tags on all resources. Policy assignment<\/strong> is the scope of what the policy definition can take effect around. Initiative policy<\/strong> is a collection of policies. <\/p>\n\n\n\n Azure policies can be implemented at various scopes within the organization. They are : <\/p>\n\n\n\n Now we’ll achieve this by using our terraform code. So let’s get started!!!!<\/strong><\/p>\n\n\n\n First, let’s introduce you to OT-terraform-azure-modules i.e., It is an open-source project of Opstree where people from our organization contribute to the azure terraform modules so that anybody can use it. <\/p>\n\n\n\n Applying the azure policy terraform module will perform the following tasks:<\/p>\n\n\n\n Configure Azure on the machine you will be executing the terraform module.<\/p>\n\n\n\n az login Azure policy terraform module can be found here<\/strong><\/a>.<\/em><\/p>\n\n\n\n Creation of policy depends on the Policy Module can be executed for 2 scenarios , They are :<\/p>\n\n\n\n Let\u2019s deploy a simple policy using below code. Parameters that to be kept in mind for this are: <\/p>\n\n\n\n Have a look at main.tf<\/strong>. Append the below values according to your requirement.<\/p>\n\n\n\n module “policy” { Let\u2019s deploy a initiative policy using below code. Parameters that to be kept in mind for this are: <\/p>\n\n\n\n Have a look at main.tf<\/strong>. Append the below values according to your requirement.<\/p>\n\n\n\n module “policy” { Apply the terraform module and let\u2019s look for the policy definition and policy assignment that is created on the azure portal via the above code.<\/p>\n\n\n\n The result of the policy will restrict the user from selecting any region except West Europe.<\/p>\n\n\n\n Cheers!!! It worked. You have created an Azure policy and assigned it to a specific scope.<\/p>\n\n\n\n The scope of the terraform module is the creation of custom policy and initiative policy with policy assignments. For more information, you can go through README.md<\/a> of the module.<\/p>\n\n\n\n Let us know about your experience with the module and your suggestions. <\/p>\n\n\n\n \u00c0 bient\u00f4t!!<\/em><\/p>\n\n\n\n Blog Pundits: Mehul Sharma<\/a> and Sandeep Rawat<\/a><\/strong><\/p>\n\n\n\n Opstree<\/a><\/strong> is an End to End DevOps solution provider.<\/p>\n\n\n\n![](\"https:\/\/lh4.googleusercontent.com\/NU2DScpoYtz8OcZGM9xu2kiCWhbtxuHfhOumLl0Ax8u1DN_MQQW0dKVOBJXKwTq6k91oMEOjJyWYFntX10wwx4kmTH5mHFSTIJmW-nS3rcY3M6l2KlHmXNzZkQxR0WZpXanUip0X0hEhvokvYtNEz1nt2Rsam6IjVGCxKKGtJrdQFJZ36XMjIIcwBXyucg\")
\n
AZURE POLICY WITH OT-terraform-azure-modules <\/strong><\/h4>\n\n\n\n
\n
PREREQUISITES:<\/strong><\/h2>\n\n\n\n
az account list
az account set \u2013subscription=\u201dXXXXXX-XXXXX-XXXX-XXXX-XXXXXXXXXX”<\/p>\n\n\n\nUSAGE: <\/h2>\n\n\n\n
policy_manner<\/code> parameter. <\/p>\n\n\n\n\n
policy_manner= Policy<\/code><\/li>\n\n\n\npolicy_manner=Initiative<\/code><\/li>\n<\/ul>\n\n\n\nCreation of azure policy :<\/strong><\/h6>\n\n\n\n
\n
Policy_manner = Policy<\/code><\/li>\n\n\n\nPolicy_def_scope_type<\/code> values can be resource-group , resource, management-group, subscription.<\/li>\n\n\n\nPolicy_def_scope_type = resource-group <\/code>then define the resource group id in resource_group_id <\/code>variable or<\/strong> If Policy_def_scope_type = resource <\/code>then define the resource id in resource_id <\/code>variable or<\/strong> If Policy_def_scope_type = management-group<\/code> then define the management group id in management_group_id<\/code> variable or<\/strong> If Policy_def_scope_type = subscription<\/code> then define the subscription id in subscription_id<\/code> variable<\/li>\n<\/ul>\n\n\n\n
source = “OT-terraform-azure-modules\/policies\/azure”
version = “0.0.1”
policy_manner = “Policy”
policy_name = “restrictregion”
policy_type = “Custom”
mode = “All”
policy_display_name = “restrictregion”
policy_rule = {
“if” : {
“not” : {
“field” : “location”
“in” : “[parameters(‘allowedLocations’)]”
}
},
“then” : {
“effect” : “deny”
}
}
policy_parameters = {
“allowedLocations” : {
“type” : “Array”,
“metadata” : {
“description” : “The list of allowed locations for resource group.”,
“displayName” : “Allowed locations”,
“strongType” : “location”
}
}
}
metadata = {
“category” : “General”
}
policy_def_scope_type = “resource-group”
policy_assignment_name = “assignment”
resource_group_id = “\/subscriptions\/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXX\/resourceGroups\/resourcegroup-name”
assignment_location = “eastus”
assignment_parameters = {
“allowedLocations” : {
“value” : [“West Europe”]
}
}
}<\/p>\n\n\n\nCreation of initiative policy :<\/strong><\/h6>\n\n\n\n
\n
Policy_manner = Initiative<\/code><\/li>\n\n\n\nPolicy_def_scope_type<\/code> values can be resource-group , resource, management-group, subscription.<\/li>\n\n\n\nPolicy_def_scope_type = resource-group <\/code>then define the resource group id in resource_group_id <\/code>variable or<\/strong> If Policy_def_scope_type = resource <\/code>then define the resource id in resource_id <\/code>variable or<\/strong> If Policy_def_scope_type = management-group<\/code> then define the management group id in management_group_id<\/code> variable or<\/strong> If Policy_def_scope_type = subscription<\/code> then define the subscription id in subscription_id<\/code> variable. <\/li>\n\n\n\ninitiative_policy_definition_reference<\/code> block.<\/li>\n<\/ul>\n\n\n\n
source = “OT-terraform-azure-modules\/policies\/azure”
version = “0.0.1”
policy_manner = “Initiative”
policy_name = “test”
policy_type = “Custom”
policy_display_name = “test policy”
metadata = {
“category” : “General”
}
initiative_policy_definition_reference = [{
“policyID” = “\/providers\/Microsoft.Authorization\/policyDefinitions\/06a78e20-9358-41c9-923c-fb736d382a4d”
“reference_id” = “Audit VMs that do not use managed disks”
},
{
“policyID” = “\/providers\/Microsoft.Authorization\/policyDefinitions\/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56”
“reference_id” = “Audit virtual machines without disaster recovery configured”
}]
policy_def_scope_type = “resource-group”
policy_assignment_name = “testassign”
resource_group_id = “\/subscriptions\/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXX\/resourceGroups\/rgname”
assignment_location = “eastus”
}<\/p>\n\n\n\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/12\/screenshot-from-2022-12-06-09-52-57.png?w=1024\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/12\/screenshot-from-2022-12-06-09-53-39.png?w=1024\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/12\/screenshot-from-2022-12-06-09-56-01.png?w=1024\")
<\/figure>\n\n\n\nCONCLUSION<\/h2>\n\n\n\n