azurermPolicyVirtualMachineConfigurationAssignment
Applies a Guest Configuration Policy to a Virtual Machine.
~> **NOTE:** You can create Guest Configuration Policies without defining an azurermVirtualMachineExtension resource; however, the policies will not be executed until an azurermVirtualMachineExtension has been provisioned to the virtual machine.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
/* Resource group that the other resources in this example are placed in. */
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(this, "example", {
  location: "West Europe",
  name: "example-gca",
});
/* Virtual network with a single 10.0.0.0/16 address space, created in the example resource group. */
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(this, "example_1", {
  address_space: ["10.0.0.0/16"],
  location: azurermResourceGroupExample.location,
  name: "example-vnet",
  resource_group_name: azurermResourceGroupExample.name,
});
/* Keeps the Terraform logical name equal to the original resource name; the call can be dropped if the names need not match. */
azurermVirtualNetworkExample.overrideLogicalId("example");
/* Subnet 10.0.2.0/24 inside the example virtual network; the network interface below is attached to it. */
const azurermSubnetExample = new azurerm.subnet.Subnet(
  this,
  "example_2",
  {
    address_prefixes: ["10.0.2.0/24"],
    name: "internal",
    resource_group_name: azurermResourceGroupExample.name,
    virtual_network_name: azurermVirtualNetworkExample.name,
  }
);
/* Keeps the Terraform logical name equal to the original resource name; the call can be dropped if the names need not match. */
azurermSubnetExample.overrideLogicalId("example");
/*
 * Network interface for the example VM. Its only IP configuration is a
 * dynamically allocated private address on the "internal" subnet; no public
 * IP address is attached in this example.
 */
const azurermNetworkInterfaceExample = new azurerm.networkInterface.NetworkInterface(
  this,
  "example_3",
  {
    ip_configuration: [
      {
        name: "internal",
        private_ip_address_allocation: "Dynamic",
        subnet_id: azurermSubnetExample.id,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example-nic",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/* Keeps the Terraform logical name equal to the original resource name; the call can be dropped if the names need not match. */
azurermNetworkInterfaceExample.overrideLogicalId("example");
/*
 * Windows Server 2019 VM that the Guest Configuration assignment targets.
 * It is attached to the example network interface and carries a
 * system-assigned managed identity.
 */
const azurermWindowsVirtualMachineExample = new azurerm.windowsVirtualMachine.WindowsVirtualMachine(
  this,
  "example_4",
  {
    /*
     * Placeholder credential for documentation only. A literal written here
     * ends up in the synthesized Terraform configuration and in Terraform
     * state, so real deployments should supply it from a sensitive variable
     * or a secret store instead.
     * NOTE(review): this sample value is 13 characters long, while the
     * baseline assignment in this example sets
     * "Minimum Password Length;ExpectedValue" to "16" - confirm the account
     * still satisfies the policy once it is applied.
     */
    admin_password: "P@$$w0rd1234!",
    admin_username: "adminuser",
    /* NOTE(review): the Guest Configuration extension presumably relies on this managed identity - confirm against the product documentation. */
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplevm",
    network_interface_ids: [azurermNetworkInterfaceExample.id],
    os_disk: [
      {
        caching: "ReadWrite",
        storage_account_type: "Standard_LRS",
      },
    ],
    resource_group_name: azurermResourceGroupExample.name,
    size: "Standard_F2",
    /*
     * "latest" is resolved when the VM is deployed, so a rebuild can pick up
     * a different image; pin an explicit version where reproducible builds
     * matter.
     */
    source_image_reference: [
      {
        offer: "WindowsServer",
        publisher: "MicrosoftWindowsServer",
        sku: "2019-Datacenter",
        version: "latest",
      },
    ],
  }
);
/* Keeps the Terraform logical name equal to the original resource name; the call can be dropped if the names need not match. */
azurermWindowsVirtualMachineExample.overrideLogicalId("example");
/*
 * Assigns the "AzureWindowsBaseline" Guest Configuration to the example VM
 * with a set of password-policy parameters. No content hash or content URI is
 * given here; this page states those are only defined for custom packages.
 * As this page notes, the assignment is not executed until the Guest
 * Configuration extension has been provisioned on the VM.
 */
const azurermPolicyVirtualMachineConfigurationAssignmentExample =
  new azurerm.policyVirtualMachineConfigurationAssignment.PolicyVirtualMachineConfigurationAssignment(
    this,
    "example_5",
    {
      configuration: [
        {
          assignment_type: "ApplyAndMonitor",
          /* Each parameter pairs a "<setting>;ExpectedValue" name with the value to check it against. */
          parameter: [
            { name: "Minimum Password Length;ExpectedValue", value: "16" },
            { name: "Minimum Password Age;ExpectedValue", value: "0" },
            /* NOTE(review): "30,45" looks like a lower and upper bound - confirm the expected format. */
            { name: "Maximum Password Age;ExpectedValue", value: "30,45" },
            { name: "Enforce Password History;ExpectedValue", value: "10" },
            { name: "Password Must Meet Complexity Requirements;ExpectedValue", value: "1" },
          ],
          /* Wildcard version: the exact package revision is not fixed by this configuration. */
          version: "1.*",
        },
      ],
      location: azurermWindowsVirtualMachineExample.location,
      name: "AzureWindowsBaseline",
      virtual_machine_id: azurermWindowsVirtualMachineExample.id,
    }
  );
/* Keeps the Terraform logical name equal to the original resource name; the call can be dropped if the names need not match. */
azurermPolicyVirtualMachineConfigurationAssignmentExample.overrideLogicalId("example");
/*
 * Guest Configuration extension for the example VM. This page states that
 * Guest Configuration policies are not executed until this extension has been
 * provisioned, so an assignment without it leaves the baseline unenforced.
 */
const azurermVirtualMachineExtensionExample = new azurerm.virtualMachineExtension.VirtualMachineExtension(
  this,
  "example_6",
  {
    /*
     * NOTE(review): passed as the string "true" rather than a boolean. The
     * conversion ran without provider schema information, so confirm the
     * type the generated binding expects.
     */
    auto_upgrade_minor_version: "true",
    name: "AzurePolicyforWindows",
    publisher: "Microsoft.GuestConfiguration",
    type: "ConfigurationforWindows",
    type_handler_version: "1.29",
    virtual_machine_id: azurermWindowsVirtualMachineExample.id,
  }
);
/* Keeps the Terraform logical name equal to the original resource name; the call can be dropped if the names need not match. */
azurermVirtualMachineExtensionExample.overrideLogicalId("example");
Arguments Reference
The following arguments are supported:
-
name
- (Required) The name of the Guest Configuration that will be assigned in this Guest Configuration Assignment. Changing this forces a new resource to be created. -
location
- (Required) The Azure location where the Policy Virtual Machine Configuration Assignment should exist. Changing this forces a new resource to be created. -
virtualMachineId
- (Required) The resource ID of the Policy Virtual Machine which this Guest Configuration Assignment should apply to. Changing this forces a new resource to be created. -
configuration
- (Required) A `configuration` block as defined below.
A configuration
block supports the following:
-
assignmentType
- (Optional) The assignment type for the Guest Configuration Assignment. Possible values are `Audit`, `ApplyAndAutoCorrect`, `ApplyAndMonitor` and `DeployAndAutoCorrect`. -
contentHash
- (Optional) The content hash for the Guest Configuration package. -
contentUri
- (Optional) The content URI where the Guest Configuration package is stored.
~> **NOTE:** When deploying a Custom Guest Configuration package the `contentHash` and `contentUri` fields must be defined. For Built-in Guest Configuration packages, such as the `AzureWindowsBaseline` package, the `contentHash` and `contentUri` should not be defined; rather, these fields will be returned after the Built-in Guest Configuration package has been provisioned. For more information on guest configuration assignments please see the product documentation.
-
parameter
- (Optional) One or more `parameter` blocks as defined below, which define the configuration parameters and the values to check them against. -
version
- (Optional) The version of the Guest Configuration that will be assigned in this Guest Configuration Assignment.
A parameter
block supports the following:
-
name
- (Required) The name of the configuration parameter to check. -
value
- (Required) The value to check the configuration parameter with.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Policy Virtual Machine Configuration Assignment.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the Policy Virtual Machine Configuration Assignment.
update
- (Defaults to 30 minutes) Used when updating the Policy Virtual Machine Configuration Assignment.
read
- (Defaults to 5 minutes) Used when retrieving the Policy Virtual Machine Configuration Assignment.
delete
- (Defaults to 30 minutes) Used when deleting the Policy Virtual Machine Configuration Assignment.
Import
Policy Virtual Machine Configuration Assignments can be imported using the `resourceId`, e.g.