azurermPolicyVirtualMachineConfigurationAssignment
Applies a Guest Configuration Policy to a Virtual Machine.
\~> NOTE: You can create Guest Configuration Policies without defining a azurermVirtualMachineExtension resource, however the policies will not be executed until a azurermVirtualMachineExtension has been provisioned to the virtual machine.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-gca",
}
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
this,
"example_1",
{
address_space: ["10.0.0.0/16"],
location: azurermResourceGroupExample.location,
name: "example-vnet",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_2", {
address_prefixes: ["10.0.2.0/24"],
name: "internal",
resource_group_name: azurermResourceGroupExample.name,
virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermNetworkInterfaceExample =
new azurerm.networkInterface.NetworkInterface(this, "example_3", {
ip_configuration: [
{
name: "internal",
private_ip_address_allocation: "Dynamic",
subnet_id: azurermSubnetExample.id,
},
],
location: azurermResourceGroupExample.location,
name: "example-nic",
resource_group_name: azurermResourceGroupExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermNetworkInterfaceExample.overrideLogicalId("example");
const azurermWindowsVirtualMachineExample =
new azurerm.windowsVirtualMachine.WindowsVirtualMachine(this, "example_4", {
admin_password: "P@$$w0rd1234!",
admin_username: "adminuser",
identity: [
{
type: "SystemAssigned",
},
],
location: azurermResourceGroupExample.location,
name: "examplevm",
network_interface_ids: [azurermNetworkInterfaceExample.id],
os_disk: [
{
caching: "ReadWrite",
storage_account_type: "Standard_LRS",
},
],
resource_group_name: azurermResourceGroupExample.name,
size: "Standard_F2",
source_image_reference: [
{
offer: "WindowsServer",
publisher: "MicrosoftWindowsServer",
sku: "2019-Datacenter",
version: "latest",
},
],
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermWindowsVirtualMachineExample.overrideLogicalId("example");
const azurermPolicyVirtualMachineConfigurationAssignmentExample =
new azurerm.policyVirtualMachineConfigurationAssignment.PolicyVirtualMachineConfigurationAssignment(
this,
"example_5",
{
configuration: [
{
assignment_type: "ApplyAndMonitor",
parameter: [
{
name: "Minimum Password Length;ExpectedValue",
value: "16",
},
{
name: "Minimum Password Age;ExpectedValue",
value: "0",
},
{
name: "Maximum Password Age;ExpectedValue",
value: "30,45",
},
{
name: "Enforce Password History;ExpectedValue",
value: "10",
},
{
name: "Password Must Meet Complexity Requirements;ExpectedValue",
value: "1",
},
],
version: "1.*",
},
],
location: azurermWindowsVirtualMachineExample.location,
name: "AzureWindowsBaseline",
virtual_machine_id: azurermWindowsVirtualMachineExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPolicyVirtualMachineConfigurationAssignmentExample.overrideLogicalId(
"example"
);
const azurermVirtualMachineExtensionExample =
new azurerm.virtualMachineExtension.VirtualMachineExtension(
this,
"example_6",
{
auto_upgrade_minor_version: "true",
name: "AzurePolicyforWindows",
publisher: "Microsoft.GuestConfiguration",
type: "ConfigurationforWindows",
type_handler_version: "1.29",
virtual_machine_id: azurermWindowsVirtualMachineExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualMachineExtensionExample.overrideLogicalId("example");
Arguments Reference
The following arguments are supported:
-
name- (Required) The name of the Guest Configuration that will be assigned in this Guest Configuration Assignment. Changing this forces a new resource to be created. -
location- (Required) The Azure location where the Policy Virtual Machine Configuration Assignment should exist. Changing this forces a new resource to be created. -
virtualMachineId- (Required) The resource ID of the Policy Virtual Machine which this Guest Configuration Assignment should apply to. Changing this forces a new resource to be created. -
configuration- (Required) Aconfigurationblock as defined below.
A configuration block supports the following:
-
assignmentType- (Optional) The assignment type for the Guest Configuration Assignment. Possible values areaudit,applyAndAutoCorrect,applyAndMonitoranddeployAndAutoCorrect. -
contentHash- (Optional) The content hash for the Guest Configuration package. -
contentUri- (Optional) The content URI where the Guest Configuration package is stored.
\~> NOTE: When deploying a Custom Guest Configuration package the contentHash and contentUri fields must be defined. For Built-in Guest Configuration packages, such as the azureWindowsBaseline package, the contentHash and contentUri should not be defined, rather these fields will be returned after the Built-in Guest Configuration package has been provisioned. For more information on guest configuration assignments please see the product documentation.
-
parameter- (Optional) One or moreparameterblocks as defined below which define what configuration parameters and values against. -
version- (Optional) The version of the Guest Configuration that will be assigned in this Guest Configuration Assignment.
A parameter block supports the following:
-
name- (Required) The name of the configuration parameter to check. -
value- (Required) The value to check the configuration parameter with.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
id- The ID of the Policy Virtual Machine Configuration Assignment.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
create- (Defaults to 30 minutes) Used when creating the Policy Virtual Machine Configuration Assignment.update- (Defaults to 30 minutes) Used when updating the Policy Virtual Machine Configuration Assignment.read- (Defaults to 5 minutes) Used when retrieving the Policy Virtual Machine Configuration Assignment.delete- (Defaults to 30 minutes) Used when deleting the Policy Virtual Machine Configuration Assignment.
Import
Policy Virtual Machine Configuration Assignments can be imported using the resourceId, e.g.