
Terraform : How to define the Azure Policy Initiative along with Azure Policies?


I have a custom policy

// Policy: Management Group Level
// Custom definition with a single rule: deny any resource whose "location"
// field is not "eastus". It is created at the management group resolved by
// data.azurerm_management_group.parent-mg rather than at subscription scope.
resource "azurerm_policy_definition" "only-deploy-in-eastus" {
  name                = "only-deploy-in-eastus"
  policy_type         = "Custom"
  // NOTE(review): mode "All" evaluates every resource type, including resource
  // groups and child resources; Azure's usual guidance for location rules is
  // "Indexed" (types that carry location/tags) — confirm "All" is intended.
  mode                = "All"
  display_name        = "only-deploy-in-eastus"
  management_group_id = data.azurerm_management_group.parent-mg.id

  // NOTE(review): as written, resources whose location is "global" would also
  // fail the "equals eastus" test and be denied — confirm that is intended.
  policy_rule = <<POLICY_RULE
    {
    "if": {
      "not": {
        "field": "location",
        "equals": "eastus"
      }
    },
    "then": {
      "effect": "Deny"
    }
  }
POLICY_RULE
}

and a custom Initiative that references the above policy

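// Policy Initiative
// Display names of the custom definitions bundled into the geo-governance
// initiative. Typed as list(string) (the bare legacy "list" is list(any)) so a
// non-string element is rejected at plan time instead of reaching the
// display_name lookup that consumes this list.
variable "custom_geo_definitions" {
  type        = list(string)
  description = "List of policy definitions (display names) for the Geo_governance policyset"
  default = [
    "only-deploy-in-eastus"
  ]
}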

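// Resolve each display name in var.custom_geo_definitions to a definition id.
// NOTE(review): a display name is free text and not unique in Azure, so a
// name-based lookup can bind the initiative to a different definition than
// intended; referencing azurerm_policy_definition.only-deploy-in-eastus.id
// directly avoids the lookup altogether.
data "azurerm_policy_definition" "custom_geo_definitions" {
  count        = length(var.custom_geo_definitions)
  display_name = var.custom_geo_definitions[count.index]

  // The definition is created at the parent management group (see its
  // management_group_id), so search that scope rather than the default
  // subscription scope.
  management_group_name = data.azurerm_management_group.parent-mg.name

  // The definition is created by this same configuration; without an explicit
  // dependency the data source is read during plan, before the definition
  // exists on a first apply.
  depends_on = [azurerm_policy_definition.only-deploy-in-eastus]
}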

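// Initiative that groups the custom geo-location definitions.
// NOTE(review): the set is created at subscription scope while the definition
// it references lives at a management group; if that group is not an ancestor
// of the target subscription the reference will not resolve — consider setting
// management_group_id = data.azurerm_management_group.parent-mg.id here too.
resource "azurerm_policy_set_definition" "custom_geo_policy_set" {
  name         = "custom_geo_policy_set"
  policy_type  = "Custom"
  display_name = "Custom Geo-Location Governance"
  description  = "Contains common Geo-Location Governance policies"

  metadata = <<METADATA
    {
    "category": "${var.policyset_definition_category}"
    }
METADATA

  // One reference per resolved definition. The previous hard-coded
  // ".*.id[0]" silently dropped every entry after the first in
  // var.custom_geo_definitions.
  dynamic "policy_definition_reference" {
    for_each = data.azurerm_policy_definition.custom_geo_definitions
    content {
      policy_definition_id = policy_definition_reference.value.id
      // Stable reference id keyed on the definition name instead of a
      // provider-generated value, so plans do not churn.
      reference_id = policy_definition_reference.value.name
    }
  }
}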

I don't want to define the policy separately as I have shown above.

I want to define the policy within the azurerm_policy_set_definition (Azure Policy Initiative). Is that doable? In general, which approach is used?


Solution

  • I tried reproducing this by declaring the policy definition directly inside azurerm_policy_set_definition:

    # Deliberately invalid listing, kept to show the failure mode: a
    # policy_definition_reference block only points at an existing definition
    # (policy_definition_id, optionally parameter_values / reference_id), so the
    # azurerm_policy_definition arguments nested in it are rejected with
    # "Unsupported argument" and the absent policy_definition_id with
    # "Missing required argument" (see the errors that follow).
    resource "azurerm_policy_set_definition" "example" {
      name         = "katestPolicySet"
      policy_type  = "Custom"
      display_name = "Test Policy Set"
    
      # Initiative-level parameter; valid here, but nothing below consumes it.
      parameters = <<PARAMETERS
        {
            "allowedLocations": {
                "type": "Array",
                "metadata": {
                    "description": "The list of allowed locations for resources.",
                    "displayName": "Allowed locations",
                    "strongType": "location"
                },
                "defaultValue": [ "westus2" ],
            "allowedValues": [
                "eastus2",
                "westus2",
                "westus"
            ]
            }
        }
    PARAMETERS
    
    
    
    
      # Not valid here: name, policy_type, mode, display_name,
      # management_group_id and policy_rule are azurerm_policy_definition
      # arguments, not policy_definition_reference arguments.
      policy_definition_reference {
      name                = "only-deploy-in-eastus"
      policy_type         = "Custom"
      mode                = "All"
      display_name        = "only-deploy-in-eastus"
      management_group_id = azurerm_management_group.example.id
     policy_rule = <<POLICY_RULE
           {
        "if": {
          "not": {
            "field": "location",
            "equals": "eastus"
          }
        },
        "then": {
          "effect": "Deny"
        }
      }
    POLICY_RULE
    }
    
     ....
    
      }
    

    But this led to errors such as "unsupported argument" and "missing required argument":

    Unsupported argument
      policy_rule = <<POLICY_RULE
    │
    │ An argument named "policy_rule" is not expected here.
    

    And

    Error: Missing required argument
    │
    │   on main.tf line 64, in resource "azurerm_policy_set_definition" "example":
    │   64:   policy_definition_reference {
    │
    │ The argument "policy_definition_id" is required, but no definition was found.
    


    Generally, in an azurerm_policy_set_definition block, policy_definition_id is a required argument of each policy_definition_reference, and that id has to come from an azurerm_policy_definition resource.

    # Management group that the custom definition below is created under.
    # NOTE(review): no "name" is given, so the provider generates one; no
    # parent_management_group_id either, so this is presumably created directly
    # under the tenant root group — confirm that is the intended scope.
    resource "azurerm_management_group" "example" {
      display_name = "xManagement Group"
    }
    
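    # Custom definition parameterised on allowedLocations; audits (does not deny)
    # any resource whose location is outside the supplied list.
    resource "azurerm_policy_definition" "policy" {
      name                = "onlydeployineastus"
      policy_type         = "Custom"
      mode                = "All"
      display_name        = "onlydeployineastus"
      management_group_id = azurerm_management_group.example.id

      # The original listing never closed this heredoc, so everything after it
      # (policy_rule, parameters) was swallowed into the metadata string.
      metadata = <<METADATA
        {
        "category": "General"
        }
    METADATA

      policy_rule = <<POLICY_RULE
        {
        "if": {
          "not": {
            "field": "location",
            "in": "[parameters('allowedLocations')]"
          }
        },
        "then": {
          "effect": "audit"
        }
      }
    POLICY_RULE

      # Declares the allowedLocations parameter referenced by policy_rule above.
      parameters = <<PARAMETERS
        {
            "allowedLocations": {
                "type": "Array",
                "metadata": {
                    "description": "The list of allowed locations for resources.",
                    "displayName": "Allowed locations",
                    "strongType": "location"
                },
                "defaultValue": [ "westus2" ],
            "allowedValues": [
                "eastus2",
                "westus2",
                "westus"
            ]
            }
        }
    PARAMETERS
    }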
    
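    # Initiative that wraps azurerm_policy_definition.policy and forwards an
    # initiative-level allowedLocations parameter to it.
    resource "azurerm_policy_set_definition" "example" {
      name         = "katestPolicySet"
      policy_type  = "Custom"
      display_name = "Test Policy Set"

      # "[parameters('allowedLocations')]" in parameter_values below is resolved
      # against the initiative's own parameters, so it has to be declared here;
      # the original listing referenced it without declaring it.
      parameters = <<PARAMETERS
        {
            "allowedLocations": {
                "type": "Array",
                "metadata": {
                    "description": "The list of allowed locations for resources.",
                    "displayName": "Allowed locations",
                    "strongType": "location"
                },
                "defaultValue": [ "westus2" ],
            "allowedValues": [
                "eastus2",
                "westus2",
                "westus"
            ]
            }
        }
    PARAMETERS

      policy_definition_reference {
        policy_definition_id = azurerm_policy_definition.policy.id

        # The key must match the parameter name the referenced definition
        # declares ("allowedLocations"); the original used
        # "listOfAllowedLocations", which that definition does not define.
        parameter_values = <<VALUE
        {
          "allowedLocations": {"value": "[parameters('allowedLocations')]"}
        }
    VALUE
      }
    }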
    


    Reference: azurerm_policy_set_definition | Resources | hashicorp/azurerm | Terraform Registry