Dynamically creates a policy set based on multiple custom or built-in policy definitions
⚠️ Warning: To simplify assignments, if any `member_definitions` contain the same parameter names they will be merged unless you specify `merge_effects = false` or `merge_parameters = false`, as described in the second example below.
💡 Note: Listing the same definition more than once in `member_definitions` is not currently supported. If you require the same definition to be present more than once, you may use this module to generate the initiative JSON, which you can then edit to add unique parameter and definition references.
# Example 1: bundle the custom Security Center definitions into one initiative.
# Every member is the `definition` output of an instance of the companion
# definition module (module.configure_asc is presumably keyed by policy name).
# merge_effects and merge_parameters are left at their defaults (true), so members
# that declare a parameter with the same name share a single initiative parameter.
# NOTE(review): the inputs table for management_group_id says to pass the group's
# name/group_id attribute rather than id; confirm which attribute this module
# version expects before copying the `.id` reference below.
module "configure_asc_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "configure_asc_initiative"
  initiative_display_name = "[Security]: Configure Azure Security Center"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "Security Center"
  management_group_id     = data.azurerm_management_group.org.id

  # Custom definitions only; a built-in can be mixed in as well (see Example 2).
  member_definitions = [
    module.configure_asc["auto_enroll_subscriptions"].definition,
    module.configure_asc["auto_provision_log_analytics_agent_custom_workspace"].definition,
    module.configure_asc["auto_set_contact_details"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_eventhub"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition,
  ]
}
When setting `merge_effects = false`, each definition's effect parameter is suffixed with its respective policy definition reference Id (e.g. `"effect_AutoEnrollSubscriptions"`), so each member's effect can be set independently when the initiative is assigned.
# Built-in definition resolved from the provider and passed in as an initiative member.
# The lookup is by display_name, which is Microsoft's wording and can be revised when
# a built-in is updated; the definition's `name` (its GUID) is the stable identifier.
# Consider pinning by `name` once confirmed, so a wording change cannot make this
# lookup fail or match a different definition.
data "azurerm_policy_definition" "deploy_law_on_linux_vms" {
  display_name = "Deploy Log Analytics extension for Linux VMs"
}
# Example 2: mix a built-in definition (the data source above) with the custom ones
# and keep each member's effect parameter distinct.
# With merge_effects = false every effect parameter is suffixed with its member's
# policy definition reference id (e.g. "effect_AutoEnrollSubscriptions"), so the
# effect of each member can be chosen independently when the initiative is assigned.
# Other same-named parameters presumably still merge, since merge_parameters keeps
# its default of true.
# NOTE(review): the inputs table for management_group_id says to pass the group's
# name/group_id attribute rather than id; confirm before copying the `.id` reference.
module "configure_asc_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "configure_asc_initiative"
  initiative_display_name = "[Security]: Configure Azure Security Center"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "Security Center"
  management_group_id     = data.azurerm_management_group.org.id
  merge_effects           = false

  member_definitions = [
    # custom definitions created by the companion definition module
    module.configure_asc["auto_enroll_subscriptions"].definition,
    module.configure_asc["auto_provision_log_analytics_agent_custom_workspace"].definition,
    module.configure_asc["auto_set_contact_details"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_eventhub"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition,
    # built-in definition looked up via the data source
    data.azurerm_policy_definition.deploy_law_on_linux_vms,
  ]
}
locals {
  # Names of the Guest Configuration prerequisite definitions to create. Each entry
  # becomes the policy_name of one definition-module instance below (presumably
  # matched to a policy file of the same name — TODO confirm against modules/definition).
  guest_config_prereqs = [
    "add_system_identity_when_none_prerequisite",
    "add_system_identity_when_user_prerequisite",
    "deploy_extension_linux_prerequisite",
    "deploy_extension_windows_prerequisite",
  ]
}
# One definition-module instance per prerequisite name; toset() makes the instance
# keys the names themselves, which is what the initiative below iterates over.
module "guest_config_prereqs" {
  source   = "..//modules/definition"
  for_each = toset(local.guest_config_prereqs)

  policy_name         = each.value
  policy_category     = "Guest Configuration"
  management_group_id = data.azurerm_management_group.org.id
}
# Example 3: build the initiative from a for_each module, collecting every
# instance's `definition` output rather than listing members by hand.
# NOTE(review): the inputs table for management_group_id says to pass the group's
# name/group_id attribute rather than id; confirm before copying the `.id` reference.
module "guest_config_prereqs_initiative" {
  source                  = "..//modules/initiative"
  initiative_name         = "guest_config_prereqs_initiative"
  initiative_display_name = "[GC]: Deploys Guest Config Prerequisites"
  initiative_description  = "Deploys and configures Windows and Linux VM Guest Config Prerequisites"
  initiative_category     = "Guest Configuration"
  management_group_id     = data.azurerm_management_group.org.id

  # the for expression walks the module instances in key order
  member_definitions = [for gcp in module.guest_config_prereqs : gcp.definition]
}
No requirements.
Name | Version |
---|---|
azurerm | n/a |
No modules.
Name | Type |
---|---|
azurerm_policy_set_definition.set | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
initiative_category | The category of the initiative | string | "General" | no |
initiative_description | Policy initiative description | string | "" | no |
initiative_display_name | Policy initiative display name | string | n/a | yes |
initiative_metadata | The metadata for the policy initiative. This is a JSON object representing additional metadata that should be stored with the policy initiative. Omitting this will default to merging var.initiative_category and var.initiative_version | any | null | no |
initiative_name | Policy initiative name. Changing this forces a new resource to be created | string | n/a | yes |
initiative_version | The version for this initiative, defaults to 1.0.0 | string | "1.0.0" | no |
management_group_id | The management group scope at which the initiative will be defined. Defaults to the current Subscription if omitted. Changing this forces a new resource to be created. Note: if you are using azurerm_management_group to assign a value to management_group_id, be sure to use the name or group_id attribute, but not id. | string | null | no |
member_definitions | Policy Definition resource nodes that will be members of this initiative | any | n/a | yes |
merge_effects | Should the module merge all member definition effects? Defaults to true | bool | true | no |
merge_parameters | Should the module merge all member definition parameters? Defaults to true | bool | true | no |
Name | Description |
---|---|
id | The Id of the Policy Set Definition |
initiative | The combined Policy Initiative resource node |
metadata | The metadata of the Policy Set Definition |
name | The name of the Policy Set Definition |
parameters | The combined parameters of the Policy Set Definition |
role_definition_ids | Role definition IDs for remediation |