ARCHIVED - terraform-azurerm-azopsreference

🚨 Please use the official ALZ Terraform module at https://aka.ms/alz/tf 🚨

This module contains the reference Azure policy & initiative (policySet) definitions from Enterprise-Scale.

It will deploy the definitions to the supplied Azure AD Management Group.

Usage

Deploying the Definitions

It is very simple to get the policies deployed:

module "azopsreference" {
  source                = "github.com/terraform-azurerm-modules/terraform-azurerm-azopsreference?ref=v0.1.0"
  management_group_name = azurerm_management_group.mymg.name
}

Note: Update the reference to match the version you want to use

Using the Outputs

Each policy & initiative definition has its own output, allowing you to reference the policy definition in an assignment:

resource "azurerm_policy_assignment" "deploy_diag_loganalytics" {
  name                 = "Deploy-Diag-LogAnalytics"
  scope                = azurerm_management_group.mymg.id
  policy_definition_id = module.azopsreference.policysetdefinition_deploy_diag_loganalytics.id
  description          = "Ensure resources have diagnostic settings configured to forward to Log Analytics"
  display_name         = "Deploy-Diag-LogAnalytics"
  location             = var.default_location

  identity {
    type = "SystemAssigned"
  }

  parameters = <<PARAMETERS
{
  "logAnalytics": {
    "value": "${azurerm_log_analytics_workspace.mgmt.id}"
  }
}
PARAMETERS

}

For initiatives (policySets), there is an additional output, an array of all the contained policy definition objects. This can be useful when creating remediation tasks for each of the definitions:

resource "azurerm_policy_remediation" "deploy_diag_loganalytics" {
  count                          = length(module.azopsreference.diagnostic_policy_definitions)
  name                           = lower(module.azopsreference.diagnostic_policy_definitions[count.index].name)
  scope                          = azurerm_management_group.es.id
  policy_assignment_id           = azurerm_policy_assignment.deploy_diag_loganalytics.id
  policy_definition_reference_id = replace(module.azopsreference.diagnostic_policy_definitions[count.index].name, "-", "")
}

Auto Generation

This Terraform is automatically generated from the JSON files from Enterprise Scale. You can see the GitHub action and script that accomplished this in this repo.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

ARCHIVED - terraform-azurerm-azopsreference

Usage

Deploying the Definitions

Using the Outputs

Auto Generation

About

Releases 13

Packages

Contributors 2

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 62 Commits
.github		.github
scripts		scripts
validatefiles		validatefiles
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
inputs.tf		inputs.tf
main.tf		main.tf
outputs.tf		outputs.tf
policydefinition-append_appservice_httpsonly.tf		policydefinition-append_appservice_httpsonly.tf
policydefinition-append_appservice_latesttls.tf		policydefinition-append_appservice_latesttls.tf
policydefinition-append_kv_softdelete.tf		policydefinition-append_kv_softdelete.tf
policydefinition-append_redis_disablenonsslport.tf		policydefinition-append_redis_disablenonsslport.tf
policydefinition-append_redis_sslenforcement.tf		policydefinition-append_redis_sslenforcement.tf
policydefinition-audit_machinelearning_privateendpointid.tf		policydefinition-audit_machinelearning_privateendpointid.tf
policydefinition-audit_vnet_peering.tf		policydefinition-audit_vnet_peering.tf
policydefinition-deny_aa_child_resources.tf		policydefinition-deny_aa_child_resources.tf
policydefinition-deny_appgw_without_waf.tf		policydefinition-deny_appgw_without_waf.tf
policydefinition-deny_appserviceapiapp_http.tf		policydefinition-deny_appserviceapiapp_http.tf
policydefinition-deny_appservicefunctionapp_http.tf		policydefinition-deny_appservicefunctionapp_http.tf
policydefinition-deny_appservicewebapp_http.tf		policydefinition-deny_appservicewebapp_http.tf
policydefinition-deny_erpeering.tf		policydefinition-deny_erpeering.tf
policydefinition-deny_machinelearning_aks.tf		policydefinition-deny_machinelearning_aks.tf
policydefinition-deny_machinelearning_compute_subnetid.tf		policydefinition-deny_machinelearning_compute_subnetid.tf
policydefinition-deny_machinelearning_compute_vmsize.tf		policydefinition-deny_machinelearning_compute_vmsize.tf
policydefinition-deny_machinelearning_computecluster_remoteloginportpublicaccess.tf		policydefinition-deny_machinelearning_computecluster_remoteloginportpublicaccess.tf
policydefinition-deny_machinelearning_computecluster_scale.tf		policydefinition-deny_machinelearning_computecluster_scale.tf
policydefinition-deny_machinelearning_hbiworkspace.tf		policydefinition-deny_machinelearning_hbiworkspace.tf
policydefinition-deny_machinelearning_publicaccesswhenbehindvnet.tf		policydefinition-deny_machinelearning_publicaccesswhenbehindvnet.tf
policydefinition-deny_mysql_http.tf		policydefinition-deny_mysql_http.tf
policydefinition-deny_non_rbac_aks.tf		policydefinition-deny_non_rbac_aks.tf
policydefinition-deny_postgresql_http.tf		policydefinition-deny_postgresql_http.tf
policydefinition-deny_private_dns_zones.tf		policydefinition-deny_private_dns_zones.tf
policydefinition-deny_publicendpoint_aks.tf		policydefinition-deny_publicendpoint_aks.tf
policydefinition-deny_publicendpoint_cosmosdb.tf		policydefinition-deny_publicendpoint_cosmosdb.tf
policydefinition-deny_publicendpoint_keyvault.tf		policydefinition-deny_publicendpoint_keyvault.tf
policydefinition-deny_publicendpoint_mariadb.tf		policydefinition-deny_publicendpoint_mariadb.tf
policydefinition-deny_publicendpoint_mysql.tf		policydefinition-deny_publicendpoint_mysql.tf
policydefinition-deny_publicendpoint_postgresql.tf		policydefinition-deny_publicendpoint_postgresql.tf
policydefinition-deny_publicendpoint_sql.tf		policydefinition-deny_publicendpoint_sql.tf
policydefinition-deny_publicendpoint_storage.tf		policydefinition-deny_publicendpoint_storage.tf
policydefinition-deny_publicip.tf		policydefinition-deny_publicip.tf
policydefinition-deny_rdp_from_internet.tf		policydefinition-deny_rdp_from_internet.tf
policydefinition-deny_redis_http.tf		policydefinition-deny_redis_http.tf
policydefinition-deny_sql_mintls.tf		policydefinition-deny_sql_mintls.tf
policydefinition-deny_sqlmi_mintls.tf		policydefinition-deny_sqlmi_mintls.tf
policydefinition-deny_storage_mintls.tf		policydefinition-deny_storage_mintls.tf
policydefinition-deny_subnet_without_nsg.tf		policydefinition-deny_subnet_without_nsg.tf
policydefinition-deny_subnet_without_udr.tf		policydefinition-deny_subnet_without_udr.tf
policydefinition-deny_vnet_peer_cross_sub.tf		policydefinition-deny_vnet_peer_cross_sub.tf
policydefinition-deny_vnet_peering.tf		policydefinition-deny_vnet_peering.tf
policydefinition-deploy_asc_ce.tf		policydefinition-deploy_asc_ce.tf
policydefinition-deploy_asc_defender_acr.tf		policydefinition-deploy_asc_defender_acr.tf
policydefinition-deploy_asc_defender_aks.tf		policydefinition-deploy_asc_defender_aks.tf
policydefinition-deploy_asc_defender_akv.tf		policydefinition-deploy_asc_defender_akv.tf
policydefinition-deploy_asc_defender_appsrv.tf		policydefinition-deploy_asc_defender_appsrv.tf
policydefinition-deploy_asc_defender_arm.tf		policydefinition-deploy_asc_defender_arm.tf
policydefinition-deploy_asc_defender_dns.tf		policydefinition-deploy_asc_defender_dns.tf
policydefinition-deploy_asc_defender_sa.tf		policydefinition-deploy_asc_defender_sa.tf
policydefinition-deploy_asc_defender_sql.tf		policydefinition-deploy_asc_defender_sql.tf
policydefinition-deploy_asc_defender_sqlvm.tf		policydefinition-deploy_asc_defender_sqlvm.tf
policydefinition-deploy_asc_defender_vms.tf		policydefinition-deploy_asc_defender_vms.tf
policydefinition-deploy_asc_securitycontacts.tf		policydefinition-deploy_asc_securitycontacts.tf
policydefinition-deploy_asc_standard.tf		policydefinition-deploy_asc_standard.tf
policydefinition-deploy_azurebackup_on_vm.tf		policydefinition-deploy_azurebackup_on_vm.tf
policydefinition-deploy_budget.tf		policydefinition-deploy_budget.tf
policydefinition-deploy_ddosprotection.tf		policydefinition-deploy_ddosprotection.tf
policydefinition-deploy_default_udr.tf		policydefinition-deploy_default_udr.tf
policydefinition-deploy_diagnostics_aa.tf		policydefinition-deploy_diagnostics_aa.tf
policydefinition-deploy_diagnostics_aci.tf		policydefinition-deploy_diagnostics_aci.tf
policydefinition-deploy_diagnostics_acr.tf		policydefinition-deploy_diagnostics_acr.tf
policydefinition-deploy_diagnostics_activitylog.tf		policydefinition-deploy_diagnostics_activitylog.tf
policydefinition-deploy_diagnostics_aks.tf		policydefinition-deploy_diagnostics_aks.tf
policydefinition-deploy_diagnostics_analysisservice.tf		policydefinition-deploy_diagnostics_analysisservice.tf
policydefinition-deploy_diagnostics_apiforfhir.tf		policydefinition-deploy_diagnostics_apiforfhir.tf
policydefinition-deploy_diagnostics_apimgmt.tf		policydefinition-deploy_diagnostics_apimgmt.tf
policydefinition-deploy_diagnostics_applicationgateway.tf		policydefinition-deploy_diagnostics_applicationgateway.tf
policydefinition-deploy_diagnostics_batch.tf		policydefinition-deploy_diagnostics_batch.tf
policydefinition-deploy_diagnostics_cdnendpoints.tf		policydefinition-deploy_diagnostics_cdnendpoints.tf
policydefinition-deploy_diagnostics_cognitiveservices.tf		policydefinition-deploy_diagnostics_cognitiveservices.tf
policydefinition-deploy_diagnostics_cosmosdb.tf		policydefinition-deploy_diagnostics_cosmosdb.tf
policydefinition-deploy_diagnostics_databricks.tf		policydefinition-deploy_diagnostics_databricks.tf
policydefinition-deploy_diagnostics_dataexplorercluster.tf		policydefinition-deploy_diagnostics_dataexplorercluster.tf
policydefinition-deploy_diagnostics_datafactory.tf		policydefinition-deploy_diagnostics_datafactory.tf
policydefinition-deploy_diagnostics_datalakestore.tf		policydefinition-deploy_diagnostics_datalakestore.tf
policydefinition-deploy_diagnostics_dlanalytics.tf		policydefinition-deploy_diagnostics_dlanalytics.tf
policydefinition-deploy_diagnostics_eventgridsub.tf		policydefinition-deploy_diagnostics_eventgridsub.tf
policydefinition-deploy_diagnostics_eventgridsystemtopic.tf		policydefinition-deploy_diagnostics_eventgridsystemtopic.tf
policydefinition-deploy_diagnostics_eventgridtopic.tf		policydefinition-deploy_diagnostics_eventgridtopic.tf
policydefinition-deploy_diagnostics_eventhub.tf		policydefinition-deploy_diagnostics_eventhub.tf
policydefinition-deploy_diagnostics_expressroute.tf		policydefinition-deploy_diagnostics_expressroute.tf
policydefinition-deploy_diagnostics_firewall.tf		policydefinition-deploy_diagnostics_firewall.tf
policydefinition-deploy_diagnostics_frontdoor.tf		policydefinition-deploy_diagnostics_frontdoor.tf
policydefinition-deploy_diagnostics_function.tf		policydefinition-deploy_diagnostics_function.tf
policydefinition-deploy_diagnostics_hdinsight.tf		policydefinition-deploy_diagnostics_hdinsight.tf
policydefinition-deploy_diagnostics_iothub.tf		policydefinition-deploy_diagnostics_iothub.tf
policydefinition-deploy_diagnostics_keyvault.tf		policydefinition-deploy_diagnostics_keyvault.tf
policydefinition-deploy_diagnostics_loadbalancer.tf		policydefinition-deploy_diagnostics_loadbalancer.tf
policydefinition-deploy_diagnostics_logicappsise.tf		policydefinition-deploy_diagnostics_logicappsise.tf
policydefinition-deploy_diagnostics_logicappswf.tf		policydefinition-deploy_diagnostics_logicappswf.tf

License

terraform-azurerm-modules/terraform-azurerm-azopsreference

Folders and files

Latest commit

History

Repository files navigation

ARCHIVED - terraform-azurerm-azopsreference

Usage

Deploying the Definitions

Using the Outputs

Auto Generation

About

Topics

Resources

License

Stars

Watchers

Forks

Releases 13

Packages 0

Contributors 2

Languages

Packages