I want to create multiple Azure Policies and I don't want to create the policies one after another. I would like to use for_each to define multiple Azure Policies. How do I do this?
For example, I have the following Azure Policies defined separately which should be created using the for_each or in any other better way like powershell https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-enterprise-policy-as-code-a-new-approach/ba-p/3607843
// Deny creation of resource groups missing certain tags
resource "azurerm_policy_definition" "require-tag-owner-on-rg" {
name = "require-tag-owner-on-rg"
policy_type = "Custom"
mode = "All"
display_name = "Require tag 'owner' on resource group"
management_group_name = var.management-group-name
metadata = <<METADATA
{
"version": "1.0.0",
"category": "Custom"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['owner']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
POLICY_RULE
}
// Deny creation of resource except in EastUS
resource "azurerm_policy_definition" "only-deploy-in-eastus" {
name = "only-deploy-in-eastus"
policy_type = "Custom"
mode = "All"
display_name = "only-deploy-in-eastus"
management_group_id = data.azurerm_management_group.parent-mg.id
policy_rule = <<POLICY_RULE
{
"if": {
"not": {
"field": "location",
"equals": "eastus"
}
},
"then": {
"effect": "Deny"
}
}
POLICY_RULE
}
I tried using "for_each" to create policies with definitions in terraform environment for your code as detailed below.
terraform{
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.37.0"
}
}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "RG" {
name = "example"
location = "EastUS"
}
resource "azurerm_policy_definition" "policy" {
for_each = {
policy1 = "Create"
policy2 = "Use"
policy3 = "New"
}
name = each.key
policy_type = "Custom"
mode = "All"
display_name = each.value
metadata = <<METADATA
{
"version": "1.0.0",
"category": "Custom"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['xxxxx']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
POLICY_RULE
}
terraform init
:
terraform plan
terraform apply
:
Created in portal after deployment: