states.azurerm.resource.policy

Azure Resource Manager (ARM) Resource Policy State Module

New in version 1.0.0.

Changed in version 2.0.0, 2.3.2, 4.0.0.

maintainer: <devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed via acct. Note that the authentication parameters are case sensitive.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

Example acct setup for Azure Resource Manager authentication:

azurerm:
    default:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass

The authentication parameters can also be passed as a dictionary of keyword arguments to the connection_auth parameter of each state, but this is not preferred and could be deprecated in the future.

idem_azurerm.states.azurerm.resource.policy.assignment_absent(hub, ctx, name, scope, connection_auth=None, **kwargs)

New in version 1.0.0.

Ensure a policy assignment does not exist in the provided scope.

Parameters:
  • name – Name of the policy assignment.
  • scope – The scope of the policy assignment.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure assignment absent:
    azurerm.resource.policy.assignment_absent:
      - name: test_assign
      - scope: test_scope

idem_azurerm.states.azurerm.resource.policy.assignment_present(hub, ctx, name, scope, definition_name, display_name=None, description=None, parameters=None, enforcement_mode=None, connection_auth=None, **kwargs)

New in version 1.0.0.

Changed in version 2.3.2, 4.0.0.

Ensure a security policy assignment exists.

Parameters:
  • name – Name of the policy assignment.
  • scope – The scope of the policy assignment.
  • definition_name – The name of the policy definition to assign.
  • display_name – The display name of the policy assignment.
  • description – The policy assignment description.
  • parameters – Required dictionary if a parameter is used in the policy rule. Note that parameters will require a “value” key underneath the actual parameter name before specifying the values being passed. See the example for details.
  • enforcement_mode – The policy assignment enforcement mode. Possible values are “Default” and “DoNotEnforce”.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Restrict Allowed Locations:
    azurerm.resource.policy.assignment_present:
        - name: AllowedLocations
        - scope: /subscriptions/bc75htn-a0fhsi-349b-56gh-4fghti-f84852
        - definition_name: e56962a6-4747-49cd-b67b-bf8b01975c4c
        - display_name: Allowed Locations
        - description: This policy enables restriction of locations you can specify when deploying resources
        - parameters:
              listOfAllowedLocations:
                  value:
                      - centralus
                      - eastus
                      - eastus2
                      - northcentralus
                      - southcentralus
                      - westcentralus
                      - westus
                      - westus2

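As an added illustration of the parameters shape described above (example code written for this page, not part of idem-azurerm), the helper below wraps plain values in the required “value” layer and flags the two mistakes the parameter descriptions warn about: a parameter passed without a “value” key, and an enforcement_mode outside the two documented values. The function names and the sample region list are constructed for the example.

```python
import json

# Allowed values documented for assignment_present's enforcement_mode.
ENFORCEMENT_MODES = {"Default", "DoNotEnforce"}


def build_assignment_parameters(values):
    """Wrap plain parameter values in the {"value": ...} shape the state expects.

    ``values`` maps a policy parameter name (as declared in the definition)
    to the value being passed, e.g. {"listOfAllowedLocations": ["eastus"]}.
    """
    return {name: {"value": value} for name, value in values.items()}


def validate_assignment_args(parameters, enforcement_mode=None):
    """Return a list of problems with the arguments; empty if they look right.

    Checks the documented constraints: every parameter needs a "value" key
    underneath its name, and enforcement_mode must be "Default" or "DoNotEnforce".
    """
    problems = []
    for name, spec in (parameters or {}).items():
        if not isinstance(spec, dict) or "value" not in spec:
            problems.append(f"parameter {name!r} must be a mapping with a 'value' key")
    if enforcement_mode is not None and enforcement_mode not in ENFORCEMENT_MODES:
        problems.append(
            f"enforcement_mode {enforcement_mode!r} is not one of {sorted(ENFORCEMENT_MODES)}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: a shortened Allowed Locations parameter list.
    params = build_assignment_parameters(
        {"listOfAllowedLocations": ["centralus", "eastus", "eastus2"]}
    )
    print(json.dumps(params, indent=2))
    print(validate_assignment_args(params, "Default"))
    # A flat mapping (missing the "value" layer) is the common mistake.
    print(validate_assignment_args({"listOfAllowedLocations": ["eastus"]}))
```

Running the validator before handing the dictionary to the state turns a confusing API-side rejection into a local error message naming the offending parameter.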
idem_azurerm.states.azurerm.resource.policy.definition_absent(hub, ctx, name, connection_auth=None, **kwargs)

New in version 1.0.0.

Ensure a policy definition does not exist in the current subscription.

Parameters:
  • name – Name of the policy definition.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure definition absent:
    azurerm.resource.policy.definition_absent:
      - name: test_def

idem_azurerm.states.azurerm.resource.policy.definition_present(hub, ctx, name, policy_rule=None, policy_type=None, mode=None, display_name=None, description=None, metadata=None, parameters=None, policy_rule_json=None, policy_rule_file=None, template='jinja', source_hash=None, source_hash_name=None, skip_verify=False, connection_auth=None, **kwargs)

New in version 1.0.0.

Changed in version 2.0.0, 4.0.0.

Ensure a security policy definition exists.

Parameters:
  • name – Name of the policy definition.
  • policy_rule – A YAML dictionary defining the policy rule. See the Azure Policy Definition documentation for details on the structure. One of policy_rule, policy_rule_json, or policy_rule_file is required; if more than one is given, they take precedence in that order.
  • policy_rule_json – A text field defining the entirety of a policy definition in JSON. See the Azure Policy Definition documentation for details on the structure. One of policy_rule, policy_rule_json, or policy_rule_file is required; if more than one is given, they take precedence in that order. Note that the name field in the JSON will override the name parameter in the state.
  • policy_rule_file – The local source location of a JSON file defining the entirety of a policy definition. See the Azure Policy Definition documentation for details on the structure. One of policy_rule, policy_rule_json, or policy_rule_file is required; if more than one is given, they take precedence in that order. Note that the name field in the JSON will override the name parameter in the state.

  • policy_type – The type of policy definition. Possible values are “NotSpecified”, “BuiltIn”, “Static”, and “Custom”. Only used with the policy_rule parameter.
  • mode – The policy definition mode. Possible values include, but are not limited to, “NotSpecified”, “Indexed”, “All”, and “Microsoft.KeyVault.Data”. Only used with the policy_rule parameter.
  • display_name – The display name of the policy definition. Only used with the policy_rule parameter.
  • description – The policy definition description. Only used with the policy_rule parameter.
  • metadata – The policy definition metadata defined as a dictionary. Only used with the policy_rule parameter.
  • parameters – Required dictionary if a parameter is used in the policy rule. Only used with the policy_rule parameter.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure policy definition exists:
    azurerm.resource.policy.definition_present:
        - name: testpolicy
        - display_name: Test Policy
        - description: Test policy for testing policies.
        - policy_rule:
            if:
              allOf:
                - equals: Microsoft.Compute/virtualMachines/write
                  source: action
                - field: location
                  in:
                    - eastus
                    - eastus2
                    - centralus
            then:
              effect: deny
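As an added illustration of the precedence rules and the name override documented for policy_rule, policy_rule_json and policy_rule_file (example code written for this page, not idem-azurerm's own implementation), the helper below picks the rule source the way the parameter descriptions describe and reports which one won. The function names are hypothetical, and the sample rule and JSON bodies are constructed for the example.

```python
import json
import os
import tempfile


def resolve_policy_definition(name, policy_rule=None, policy_rule_json=None,
                              policy_rule_file=None):
    """Return (effective_name, body, source) for a definition_present call.

    Documented precedence: policy_rule wins over policy_rule_json, which wins
    over policy_rule_file. With policy_rule only the rule itself is given, so
    the state's ``name`` is used unchanged. The two JSON sources carry the
    whole definition, and a "name" field inside that JSON overrides ``name``.
    """
    if policy_rule is not None:
        return name, policy_rule, "policy_rule"
    if policy_rule_json is not None:
        body = json.loads(policy_rule_json)
        source = "policy_rule_json"
    elif policy_rule_file is not None:
        with open(policy_rule_file, "r", encoding="utf-8") as fh:
            body = json.load(fh)
        source = "policy_rule_file"
    else:
        raise ValueError(
            "one of policy_rule, policy_rule_json or policy_rule_file is required"
        )
    if not isinstance(body, dict):
        raise ValueError(f"{source} must decode to a JSON object")
    return body.get("name", name), body, source


def resolve_from_temp_file(name, json_text):
    """Demo helper: write json_text to a temporary file and resolve it via policy_rule_file."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(json_text)
        return resolve_policy_definition(name, policy_rule_file=path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed sample: the deny rule from the example above as a dictionary.
    rule = {
        "if": {"allOf": [
            {"equals": "Microsoft.Compute/virtualMachines/write", "source": "action"},
            {"field": "location", "in": ["eastus", "eastus2", "centralus"]},
        ]},
        "then": {"effect": "deny"},
    }
    # policy_rule takes precedence even when a JSON body is also supplied.
    print(resolve_policy_definition("testpolicy", policy_rule=rule,
                                    policy_rule_json='{"name": "ignored"}')[::2])
    # A JSON body with its own "name" overrides the state's name parameter.
    print(resolve_policy_definition("testpolicy", policy_rule_json='{"name": "jsonpolicy"}')[0])
    print(resolve_from_temp_file("testpolicy", '{"name": "filepolicy"}')[0])
```

The name override matters when several states share a JSON file: the resource created in Azure is named by the JSON, so an `assignment_present` whose definition_name refers to the state's `name` parameter will not find it unless the two agree.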