Deploying Azure Policy using Terraform Module

While working on Azure, you might come across a requirement that says the resources being deployed should be in accordance with the organization’s policies. Suppose you might want to grant a particular or a set of permissions on the resource group or on the management group so that the owner of it should be restricted like denying deploying of resources by enforcing resource tagging, region enforcement, allowing approved Virtual machines (VM) images, and many more. 

In this blog, we will try to resolve these issues by applying Azure policies. 

First, let’s get familiar with the azure policy.

The azure policy is a service that has been designed to help you enforce different rules and to act based on the rule’s effect on your Azure resources. You can use it to create, assign and manage policies. Azure policy evaluates your resources for non-compliance with assigned policies and performs the assigned effect. 

Azure policy is basically 3 componentspolicy definition, assignment, and initiative policy.

So, Policy definition is the conditions under which you want to be controlled. There are built-in definitions such as controlling what type of resources can be deployed to enforce the use of tags on all resources. Policy assignment is the scope of what the policy definition can take effect around. Initiative policy is a collection of policies. 

Azure policies can be implemented at various scopes within the organization. They are :

  • Management groups
  • Subscriptions
  • Resource groups 
  • Individual resources 

Now we’ll achieve this by using our terraform code. So let’s get started!!!!

AZURE POLICY WITH OT-terraform-azure-modules 

First, let’s introduce you to OT-terraform-azure-modules i.e., It is an open-source project of Opstree where people from our organization contribute to the azure terraform modules so that anybody can use it. 

Applying the azure policy terraform module will perform the following tasks:

  • Create Azure policy with policy assignment 
  • Create an initiative policy with policy assignment 

PREREQUISITES:

Configure Azure on the machine you will be executing the terraform module.

az login
az account list
az account set –subscription=”XXXXXX-XXXXX-XXXX-XXXX-XXXXXXXXXX”

USAGE:

Azure policy terraform module can be found here.

Creation of policy depends on the policy_manner parameter. 

Policy Module can be executed for 2 scenarios , They are :

  • Creation of azure policy., i.e. policy_manner= Policy
  • Creation of initiative policy., i.e. policy_manner=Initiative
Creation of azure policy :

Let’s deploy a simple policy using below code. Parameters that to be kept in mind for this are: 

  • Policy_manner = Policy
  • Policy_def_scope_type values can be resource-group , resource, management-group, subscription.
  • If Policy_def_scope_type = resource-group then define the resource group id in resource_group_id variable or If Policy_def_scope_type = resource then define the resource id in resource_id variable or If Policy_def_scope_type = management-group then define the management group id in management_group_id variable or If Policy_def_scope_type = subscription then define the subscription id in subscription_id variable

Have a look at main.tf. Append the below values according to your requirement.

module “policy” {
source = “OT-terraform-azure-modules/policies/azure”
version = “0.0.1”
policy_manner = “Policy”
policy_name = “restrictregion”
policy_type = “Custom”
mode = “All”
policy_display_name = “restrictregion”
policy_rule = {
“if” : {
“not” : {
“field” : “location”
“in” : “[parameters(‘allowedLocations’)]”
}
},
“then” : {
“effect” : “deny”
}
}
policy_parameters = {
“allowedLocations” : {
“type” : “Array”,
“metadata” : {
“description” : “The list of allowed locations for resource group.”,
“displayName” : “Allowed locations”,
“strongType” : “location”
}
}
}
metadata = {
“category” : “General”
}
policy_def_scope_type = “resource-group”
policy_assignment_name = “assignment”
resource_group_id = “/subscriptions/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/resourcegroup-name”
assignment_location = “eastus”
assignment_parameters = {
“allowedLocations” : {
“value” : [“West Europe”]
}
}
}

Creation of initiative policy :

Let’s deploy a initiative policy using below code. Parameters that to be kept in mind for this are: 

  • Policy_manner = Initiative
  • Policy_def_scope_type values can be resource-group , resource, management-group, subscription.
  • If Policy_def_scope_type = resource-group then define the resource group id in resource_group_id variable or If Policy_def_scope_type = resource then define the resource id in resource_id variable or If Policy_def_scope_type = management-group then define the management group id in management_group_id variable or If Policy_def_scope_type = subscription then define the subscription id in subscription_id variable.
  • Pick existing policyID from azure portal and pass it in the initiative_policy_definition_reference block.

Have a look at main.tf. Append the below values according to your requirement.

module “policy” {
source = “OT-terraform-azure-modules/policies/azure”
version = “0.0.1”
policy_manner = “Initiative”
policy_name = “test”
policy_type = “Custom”
policy_display_name = “test policy”
metadata = {
“category” : “General”
}
initiative_policy_definition_reference = [{
“policyID” = “/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d”
“reference_id” = “Audit VMs that do not use managed disks”
},
{
“policyID” = “/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56”
“reference_id” = “Audit virtual machines without disaster recovery configured”
}]
policy_def_scope_type = “resource-group”
policy_assignment_name = “testassign”
resource_group_id = “/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXX/resourceGroups/rgname”
assignment_location = “eastus”
}

Apply the terraform module and let’s look for the policy definition and policy assignment that is created on the azure portal via the above code.

The result of the policy will restrict the user from selecting any region except West Europe.

Cheers!!! It worked. You have created an Azure policy and assigned it to a specific scope.

CONCLUSION

The scope of the terraform module is the creation of custom policy and initiative policy with policy assignments. For more information, you can go through README.md of the module.

 Let us know about your experience with the module and your suggestions. 

À bientôt!!

Blog Pundits: Mehul Sharma and Sandeep Rawat

Opstree is an End to End DevOps solution provider.

Connect with Us

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: