azurermPolicyDefinition
Manages a policy rule definition on a management group or your provider subscription.
Policy definitions do not take effect until they are assigned to a scope using a Policy Assignment.
Example Usage
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";
// Property names follow the generated camelCase bindings (displayName, policyRule, ...);
// metadata, parameters and policyRule are passed as JSON strings.
new azurerm.policyDefinition.PolicyDefinition(this, "policy", {
  displayName: "acceptance test policy definition",
  metadata: '{\n "category": "General"\n}\n',
  mode: "Indexed",
  name: "accTestPolicy",
  parameters:
    '{\n "allowedLocations": {\n "type": "Array",\n "metadata": {\n "description": "The list of allowed locations for resources.",\n "displayName": "Allowed locations",\n "strongType": "location"\n }\n }\n}\n',
  policyRule:
    '{\n "if": {\n "not": {\n "field": "location",\n "in": "[parameters(\'allowedLocations\')]"\n }\n },\n "then": {\n "effect": "audit"\n }\n}\n',
  policyType: "Custom",
});
Argument Reference
The following arguments are supported:
- name - (Required) The name of the policy definition. Changing this forces a new resource to be created.
- policyType - (Required) The policy type. Possible values are BuiltIn, Custom, NotSpecified and Static. Changing this forces a new resource to be created.
- mode - (Required) The policy resource manager mode, which selects the resource types the policy evaluates. Possible values are All, Indexed, Microsoft.ContainerService.Data, Microsoft.CustomerLockbox.Data, Microsoft.DataCatalog.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.MachineLearningServices.Data, Microsoft.Network.Data and Microsoft.Synapse.Data.
~> Note: The other resource provider modes currently support only built-in policy definitions, though they may later become available in custom definitions. These are: Microsoft.ContainerService.Data, Microsoft.CustomerLockbox.Data, Microsoft.DataCatalog.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.MachineLearningServices.Data, Microsoft.Network.Data and Microsoft.Synapse.Data. See here for more details.
- displayName - (Required) The display name of the policy definition.
- description - (Optional) The description of the policy definition.
- managementGroupId - (Optional) The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.
- policyRule - (Optional) The policy rule for the policy definition. This is a JSON string representing the rule; it contains an "if" block (the condition) and a "then" block (the effect).
- metadata - (Optional) The metadata for the policy definition. This is a JSON string representing additional metadata that should be stored with the policy definition.
- parameters - (Optional) Parameters for the policy definition. This is a JSON string that declares the parameters the policy rule can reference, so one definition can be assigned with different values.
Attributes Reference
The following attributes are exported:
- id - The ID of the Policy Definition.
- roleDefinitionIds - A list of role definition IDs extracted from policyRule that are required for remediation.
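The policyRule, parameters and roleDefinitionIds items above describe JSON strings that Azure only validates at deployment time. The following added example (not code from the provider documentation or the azurerm provider) models those two arguments as typed objects, serialises them with JSON.stringify instead of hand-escaped strings, checks that every [parameters('x')] reference in the rule is declared in the parameters block, and reads back the roleDefinitionIds a modify or deployIfNotExists effect carries, which is the same information the provider exports as roleDefinitionIds. The sample rules, the parameter set and the <ROLE_DEFINITION_GUID> placeholder are constructed for this example; the storage-account alias and the rule structure follow the Azure Policy schema.

```typescript
// Added example: typed construction and pre-deploy checks for the JSON string
// arguments of azurerm PolicyDefinition (not the provider's own code).

interface PolicyParameter {
  type: "String" | "Array" | "Object" | "Boolean" | "Integer" | "Float" | "DateTime";
  metadata?: { displayName?: string; description?: string; strongType?: string };
  allowedValues?: unknown[];
  defaultValue?: unknown;
}

interface PolicyRule {
  if: Record<string, unknown>;
  then: { effect: string; details?: Record<string, unknown> };
}

// The two JSON string arguments in the shape the PolicyDefinition construct takes.
interface PolicyDefinitionJsonArgs {
  parameters: string;
  policyRule: string;
}

// Constructed sample parameters: the allowedLocations parameter from the example usage above.
const sampleParameters: Record<string, PolicyParameter> = {
  allowedLocations: {
    type: "Array",
    metadata: {
      displayName: "Allowed locations",
      description: "The list of allowed locations for resources.",
      strongType: "location",
    },
  },
};

// Constructed sample rule: the same condition as the example usage, but with a
// deny effect so non-compliant resources are blocked rather than only audited.
const denyOutsideAllowedLocations: PolicyRule = {
  if: { not: { field: "location", in: "[parameters('allowedLocations')]" } },
  then: { effect: "deny" },
};

// Constructed sample remediation rule. <ROLE_DEFINITION_GUID> is a placeholder for
// the role the remediation identity needs in order to apply the modify operation.
const enforceHttpsOnStorage: PolicyRule = {
  if: { field: "type", equals: "Microsoft.Storage/storageAccounts" },
  then: {
    effect: "modify",
    details: {
      roleDefinitionIds: [
        "/providers/Microsoft.Authorization/roleDefinitions/<ROLE_DEFINITION_GUID>",
      ],
      operations: [
        {
          operation: "addOrReplace",
          field: "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          value: true,
        },
      ],
    },
  },
};

// Every name used as [parameters('name')] anywhere in the rule.
function referencedParameters(rule: PolicyRule): string[] {
  const pattern = /\[parameters\('([^']+)'\)\]/g;
  const text = JSON.stringify(rule);
  const names = new Set<string>();
  let match: RegExpExecArray | null;
  while ((match = pattern.exec(text)) !== null) {
    names.add(match[1]);
  }
  return Array.from(names);
}

// Names the rule references but the parameters block never declares. Azure
// rejects such a definition, so catching it before deployment is cheaper.
function undeclaredParameters(
  rule: PolicyRule,
  parameters: Record<string, PolicyParameter>,
): string[] {
  return referencedParameters(rule).filter((name) => !(name in parameters));
}

// Role definition ids a remediation effect declares; empty for effects such as
// audit or deny, which need no remediation identity.
function roleDefinitionIdsOf(rule: PolicyRule): string[] {
  const effect = rule.then.effect.toLowerCase();
  if (effect !== "modify" && effect !== "deployifnotexists") return [];
  const ids = rule.then.details?.roleDefinitionIds;
  return Array.isArray(ids) ? ids.filter((id): id is string => typeof id === "string") : [];
}

// Serialise both objects into the JSON strings the construct expects, refusing
// to emit a definition whose rule references undeclared parameters.
function toPolicyDefinitionArgs(
  rule: PolicyRule,
  parameters: Record<string, PolicyParameter>,
): PolicyDefinitionJsonArgs {
  const missing = undeclaredParameters(rule, parameters);
  if (missing.length > 0) {
    throw new Error(`policy rule references undeclared parameters: ${missing.join(", ")}`);
  }
  return {
    parameters: JSON.stringify(parameters, null, 2),
    policyRule: JSON.stringify(rule, null, 2),
  };
}
```

Inside a stack, the result feeds the construct directly: `const args = toPolicyDefinitionArgs(denyOutsideAllowedLocations, sampleParameters)` and then `policyRule: args.policyRule, parameters: args.parameters` alongside the other arguments. Keeping the rule as an object also makes the effect a single reviewable field, which matters when a definition is promoted from audit to deny.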
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Policy Definition.
- update - (Defaults to 30 minutes) Used when updating the Policy Definition.
- read - (Defaults to 5 minutes) Used when retrieving the Policy Definition.
- delete - (Defaults to 30 minutes) Used when deleting the Policy Definition.
Import
Policy Definitions can be imported using the policyName, e.g.
terraform import azurerm_policy_definition.examplePolicy /subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_NAME>
or