
azurermPolicySetDefinition

Manages a policy set definition.

-> NOTE: Policy set definitions (also known as policy initiatives) do not take effect until they are assigned to a scope using a Policy Set Assignment.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Property names use the camelCase form of the generated TypeScript bindings, matching the
// argument reference below; parameters and parameterValues are passed as JSON strings.
new azurerm.policySetDefinition.PolicySetDefinition(this, "example", {
  displayName: "Test Policy Set",
  name: "testPolicySet",
  parameters:
    '    {\n        "allowedLocations": {\n            "type": "Array",\n            "metadata": {\n                "description": "The list of allowed locations for resources.",\n                "displayName": "Allowed locations",\n                "strongType": "location"\n            }\n        }\n    }\n',
  policyDefinitionReference: [
    {
      parameterValues:
        '    {\n      "listOfAllowedLocations": {"value": "[parameters(\'allowedLocations\')]"}\n    }\n',
      policyDefinitionId:
        "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
    },
  ],
  policyType: "Custom",
});

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the policy set definition. Changing this forces a new resource to be created.

  • policyType - (Required) The policy set type. Possible values are builtIn, custom, notSpecified and static. Changing this forces a new resource to be created.

  • displayName - (Required) The display name of the policy set definition.

  • policyDefinitionReference - (Required) One or more policyDefinitionReference blocks as defined below.

  • policyDefinitionGroup - (Optional) One or more policyDefinitionGroup blocks as defined below.

  • description - (Optional) The description of the policy set definition.

  • managementGroupId - (Optional) The id of the Management Group where this policy set definition should be defined. Changing this forces a new resource to be created.

  • metadata - (Optional) The metadata for the policy set definition. This is a JSON object representing additional metadata that should be stored with the policy definition.

  • parameters - (Optional) Parameters for the policy set definition. This field is a JSON object that allows you to parameterize your policy definition.


A policyDefinitionReference block supports the following:

  • policyDefinitionId - (Required) The ID of the policy definition that will be included in this policy set definition.

  • parameterValues - (Optional) Parameter values for the referenced policy rule. This field is a JSON string that allows you to assign parameters to this policy rule.

  • referenceId - (Optional) A unique ID within this policy set definition for this policy definition reference.

  • policyGroupNames - (Optional) A list of names of the policy definition groups that this policy definition reference belongs to.


A policyDefinitionGroup block supports the following:

  • name - (Required) The name of this policy definition group.

  • displayName - (Optional) The display name of this policy definition group.

  • category - (Optional) The category of this policy definition group.

  • description - (Optional) The description of this policy definition group.

  • additionalMetadataResourceId - (Optional) The ID of a resource that contains additional metadata about this policy definition group.
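The arguments above wire three things together: set-level parameters (a JSON string), the parameterValues of each policyDefinitionReference (which refer back to those parameters with [parameters('name')]), and policyGroupNames, which must name a declared policyDefinitionGroup. Because the provider only validates this at apply time, the following added example (not code from the page or the azurerm provider) runs an offline consistency check over that shape before synthesis; the PolicySetConfig interface is a local mirror of the documented fields, not the generated binding type, and the second policyDefinitionId is a placeholder.

```typescript
// Local mirror of the config fields this page documents; the real
// PolicySetDefinitionConfig type comes from ./.gen/providers/azurerm (assumption).
interface PolicySetConfig {
  name: string;
  displayName: string;
  policyType: string;
  parameters?: string;
  policyDefinitionGroup?: { name: string }[];
  policyDefinitionReference: { policyDefinitionId: string; parameterValues?: string;
    referenceId?: string; policyGroupNames?: string[] }[];
}

// Returns a list of wiring problems; an empty list means the config is consistent.
function validatePolicySet(cfg: PolicySetConfig): string[] {
  const issues: string[] = [];
  const declared = new Set(Object.keys(cfg.parameters ? JSON.parse(cfg.parameters) : {}));
  const groups = new Set((cfg.policyDefinitionGroup || []).map((g) => g.name));
  const refIds = new Set<string>();
  for (const ref of cfg.policyDefinitionReference) {
    // Every [parameters('x')] in parameterValues must be a set-level parameter.
    const paramRef = /\[parameters\('([^']+)'\)\]/g;
    let m: RegExpExecArray | null;
    while ((m = paramRef.exec(ref.parameterValues || "")) !== null)
      if (!declared.has(m[1])) issues.push(`undeclared parameter '${m[1]}' in ${ref.policyDefinitionId}`);
    // Group names must match a policyDefinitionGroup block; referenceIds must be unique.
    for (const g of ref.policyGroupNames || [])
      if (!groups.has(g)) issues.push(`unknown policy group '${g}' in ${ref.policyDefinitionId}`);
    if (ref.referenceId && refIds.has(ref.referenceId)) issues.push(`duplicate referenceId '${ref.referenceId}'`);
    if (ref.referenceId) refIds.add(ref.referenceId);
  }
  return issues;
}

// Constructed input: the page's reference plus a second one with a misspelled parameter and group name.
const exampleConfig: PolicySetConfig = {
  name: "testPolicySet", displayName: "Test Policy Set", policyType: "Custom",
  parameters: JSON.stringify({ allowedLocations: { type: "Array", metadata: { strongType: "location" } } }),
  policyDefinitionGroup: [{ name: "location-controls" }],
  policyDefinitionReference: [
    { policyDefinitionId: "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
      parameterValues: JSON.stringify({ listOfAllowedLocations: { value: "[parameters('allowedLocations')]" } }),
      referenceId: "allowed-locations", policyGroupNames: ["location-controls"] },
    { policyDefinitionId: "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-definition-id",
      parameterValues: JSON.stringify({ effect: { value: "[parameters('alowedLocations')]" } }),
      policyGroupNames: ["locaton-controls"] },
  ],
};
```

Run it as a unit test in the CDKTF project before cdktf synth; the same check can be pointed at the config object passed to the PolicySetDefinition constructor.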

Attributes Reference

The following attributes are exported:

  • id - The ID of the Policy Set Definition.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Policy Set Definition.
  • update - (Defaults to 30 minutes) Used when updating the Policy Set Definition.
  • read - (Defaults to 5 minutes) Used when retrieving the Policy Set Definition.
  • delete - (Defaults to 30 minutes) Used when deleting the Policy Set Definition.

Import

Policy Set Definitions can be imported using the resourceId, e.g.

terraform import azurerm_policy_set_definition.example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/testPolicySet

or

terraform import azurerm_policy_set_definition.example /providers/Microsoft.Management/managementGroups/my-mgmt-group-id/providers/Microsoft.Authorization/policySetDefinitions/testPolicySet