Skip to content

boost-entropy-repos-org/terraform-azurerm-azopsreference

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
.github
.github
 
 
scripts
scripts
 
 
validatefiles
validatefiles
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
inputs.tf
inputs.tf
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
policydefinition-append_appservice_httpsonly.tf
policydefinition-append_appservice_httpsonly.tf
 
 
policydefinition-append_appservice_latesttls.tf
policydefinition-append_appservice_latesttls.tf
 
 
policydefinition-append_kv_softdelete.tf
policydefinition-append_kv_softdelete.tf
 
 
policydefinition-append_redis_disablenonsslport.tf
policydefinition-append_redis_disablenonsslport.tf
 
 
policydefinition-append_redis_sslenforcement.tf
policydefinition-append_redis_sslenforcement.tf
 
 
policydefinition-audit_vnet_peering.tf
policydefinition-audit_vnet_peering.tf
 
 
policydefinition-deny_aa_child_resources.tf
policydefinition-deny_aa_child_resources.tf
 
 
policydefinition-deny_appgw_without_waf.tf
policydefinition-deny_appgw_without_waf.tf
 
 
policydefinition-deny_appserviceapiapp_http.tf
policydefinition-deny_appserviceapiapp_http.tf
 
 
policydefinition-deny_appservicefunctionapp_http.tf
policydefinition-deny_appservicefunctionapp_http.tf
 
 
policydefinition-deny_appservicewebapp_http.tf
policydefinition-deny_appservicewebapp_http.tf
 
 
policydefinition-deny_erpeering.tf
policydefinition-deny_erpeering.tf
 
 
policydefinition-deny_mysql_http.tf
policydefinition-deny_mysql_http.tf
 
 
policydefinition-deny_non_rbac_aks.tf
policydefinition-deny_non_rbac_aks.tf
 
 
policydefinition-deny_postgresql_http.tf
policydefinition-deny_postgresql_http.tf
 
 
policydefinition-deny_private_dns_zones.tf
policydefinition-deny_private_dns_zones.tf
 
 
policydefinition-deny_publicendpoint_aks.tf
policydefinition-deny_publicendpoint_aks.tf
 
 
policydefinition-deny_publicendpoint_cosmosdb.tf
policydefinition-deny_publicendpoint_cosmosdb.tf
 
 
policydefinition-deny_publicendpoint_keyvault.tf
policydefinition-deny_publicendpoint_keyvault.tf
 
 
policydefinition-deny_publicendpoint_mariadb.tf
policydefinition-deny_publicendpoint_mariadb.tf
 
 
policydefinition-deny_publicendpoint_mysql.tf
policydefinition-deny_publicendpoint_mysql.tf
 
 
policydefinition-deny_publicendpoint_postgresql.tf
policydefinition-deny_publicendpoint_postgresql.tf
 
 
policydefinition-deny_publicendpoint_sql.tf
policydefinition-deny_publicendpoint_sql.tf
 
 
policydefinition-deny_publicendpoint_storage.tf
policydefinition-deny_publicendpoint_storage.tf
 
 
policydefinition-deny_publicip.tf
policydefinition-deny_publicip.tf
 
 
policydefinition-deny_rdp_from_internet.tf
policydefinition-deny_rdp_from_internet.tf
 
 
policydefinition-deny_redis_http.tf
policydefinition-deny_redis_http.tf
 
 
policydefinition-deny_sql_mintls.tf
policydefinition-deny_sql_mintls.tf
 
 
policydefinition-deny_sqlmi_mintls.tf
policydefinition-deny_sqlmi_mintls.tf
 
 
policydefinition-deny_storage_mintls.tf
policydefinition-deny_storage_mintls.tf
 
 
policydefinition-deny_subnet_without_nsg.tf
policydefinition-deny_subnet_without_nsg.tf
 
 
policydefinition-deny_subnet_without_udr.tf
policydefinition-deny_subnet_without_udr.tf
 
 
policydefinition-deny_vnet_peer_cross_sub.tf
policydefinition-deny_vnet_peer_cross_sub.tf
 
 
policydefinition-deny_vnet_peering.tf
policydefinition-deny_vnet_peering.tf
 
 
policydefinition-deploy_asc_ce.tf
policydefinition-deploy_asc_ce.tf
 
 
policydefinition-deploy_asc_defender_acr.tf
policydefinition-deploy_asc_defender_acr.tf
 
 
policydefinition-deploy_asc_defender_aks.tf
policydefinition-deploy_asc_defender_aks.tf
 
 
policydefinition-deploy_asc_defender_akv.tf
policydefinition-deploy_asc_defender_akv.tf
 
 
policydefinition-deploy_asc_defender_appsrv.tf
policydefinition-deploy_asc_defender_appsrv.tf
 
 
policydefinition-deploy_asc_defender_arm.tf
policydefinition-deploy_asc_defender_arm.tf
 
 
policydefinition-deploy_asc_defender_dns.tf
policydefinition-deploy_asc_defender_dns.tf
 
 
policydefinition-deploy_asc_defender_sa.tf
policydefinition-deploy_asc_defender_sa.tf
 
 
policydefinition-deploy_asc_defender_sql.tf
policydefinition-deploy_asc_defender_sql.tf
 
 
policydefinition-deploy_asc_defender_sqlvm.tf
policydefinition-deploy_asc_defender_sqlvm.tf
 
 
policydefinition-deploy_asc_defender_vms.tf
policydefinition-deploy_asc_defender_vms.tf
 
 
policydefinition-deploy_asc_securitycontacts.tf
policydefinition-deploy_asc_securitycontacts.tf
 
 
policydefinition-deploy_asc_standard.tf
policydefinition-deploy_asc_standard.tf
 
 
policydefinition-deploy_azurebackup_on_vm.tf
policydefinition-deploy_azurebackup_on_vm.tf
 
 
policydefinition-deploy_budget.tf
policydefinition-deploy_budget.tf
 
 
policydefinition-deploy_ddosprotection.tf
policydefinition-deploy_ddosprotection.tf
 
 
policydefinition-deploy_default_udr.tf
policydefinition-deploy_default_udr.tf
 
 
policydefinition-deploy_diagnostics_aa.tf
policydefinition-deploy_diagnostics_aa.tf
 
 
policydefinition-deploy_diagnostics_aci.tf
policydefinition-deploy_diagnostics_aci.tf
 
 
policydefinition-deploy_diagnostics_acr.tf
policydefinition-deploy_diagnostics_acr.tf
 
 
policydefinition-deploy_diagnostics_activitylog.tf
policydefinition-deploy_diagnostics_activitylog.tf
 
 
policydefinition-deploy_diagnostics_aks.tf
policydefinition-deploy_diagnostics_aks.tf
 
 
policydefinition-deploy_diagnostics_analysisservice.tf
policydefinition-deploy_diagnostics_analysisservice.tf
 
 
policydefinition-deploy_diagnostics_apiforfhir.tf
policydefinition-deploy_diagnostics_apiforfhir.tf
 
 
policydefinition-deploy_diagnostics_apimgmt.tf
policydefinition-deploy_diagnostics_apimgmt.tf
 
 
policydefinition-deploy_diagnostics_applicationgateway.tf
policydefinition-deploy_diagnostics_applicationgateway.tf
 
 
policydefinition-deploy_diagnostics_batch.tf
policydefinition-deploy_diagnostics_batch.tf
 
 
policydefinition-deploy_diagnostics_cdnendpoints.tf
policydefinition-deploy_diagnostics_cdnendpoints.tf
 
 
policydefinition-deploy_diagnostics_cognitiveservices.tf
policydefinition-deploy_diagnostics_cognitiveservices.tf
 
 
policydefinition-deploy_diagnostics_cosmosdb.tf
policydefinition-deploy_diagnostics_cosmosdb.tf
 
 
policydefinition-deploy_diagnostics_databricks.tf
policydefinition-deploy_diagnostics_databricks.tf
 
 
policydefinition-deploy_diagnostics_dataexplorercluster.tf
policydefinition-deploy_diagnostics_dataexplorercluster.tf
 
 
policydefinition-deploy_diagnostics_datafactory.tf
policydefinition-deploy_diagnostics_datafactory.tf
 
 
policydefinition-deploy_diagnostics_datalakestore.tf
policydefinition-deploy_diagnostics_datalakestore.tf
 
 
policydefinition-deploy_diagnostics_dlanalytics.tf
policydefinition-deploy_diagnostics_dlanalytics.tf
 
 
policydefinition-deploy_diagnostics_eventgridsub.tf
policydefinition-deploy_diagnostics_eventgridsub.tf
 
 
policydefinition-deploy_diagnostics_eventgridsystemtopic.tf
policydefinition-deploy_diagnostics_eventgridsystemtopic.tf
 
 
policydefinition-deploy_diagnostics_eventgridtopic.tf
policydefinition-deploy_diagnostics_eventgridtopic.tf
 
 
policydefinition-deploy_diagnostics_eventhub.tf
policydefinition-deploy_diagnostics_eventhub.tf
 
 
policydefinition-deploy_diagnostics_expressroute.tf
policydefinition-deploy_diagnostics_expressroute.tf
 
 
policydefinition-deploy_diagnostics_firewall.tf
policydefinition-deploy_diagnostics_firewall.tf
 
 
policydefinition-deploy_diagnostics_frontdoor.tf
policydefinition-deploy_diagnostics_frontdoor.tf
 
 
policydefinition-deploy_diagnostics_function.tf
policydefinition-deploy_diagnostics_function.tf
 
 
policydefinition-deploy_diagnostics_hdinsight.tf
policydefinition-deploy_diagnostics_hdinsight.tf
 
 
policydefinition-deploy_diagnostics_iothub.tf
policydefinition-deploy_diagnostics_iothub.tf
 
 
policydefinition-deploy_diagnostics_keyvault.tf
policydefinition-deploy_diagnostics_keyvault.tf
 
 
policydefinition-deploy_diagnostics_loadbalancer.tf
policydefinition-deploy_diagnostics_loadbalancer.tf
 
 
policydefinition-deploy_diagnostics_logicappsise.tf
policydefinition-deploy_diagnostics_logicappsise.tf
 
 
policydefinition-deploy_diagnostics_logicappswf.tf
policydefinition-deploy_diagnostics_logicappswf.tf
 
 
policydefinition-deploy_diagnostics_mariadb.tf
policydefinition-deploy_diagnostics_mariadb.tf
 
 
policydefinition-deploy_diagnostics_mediaservice.tf
policydefinition-deploy_diagnostics_mediaservice.tf
 
 
policydefinition-deploy_diagnostics_mlworkspace.tf
policydefinition-deploy_diagnostics_mlworkspace.tf
 
 
policydefinition-deploy_diagnostics_mysql.tf
policydefinition-deploy_diagnostics_mysql.tf
 
 
policydefinition-deploy_diagnostics_networksecuritygroups.tf
policydefinition-deploy_diagnostics_networksecuritygroups.tf
 
 
policydefinition-deploy_diagnostics_nic.tf
policydefinition-deploy_diagnostics_nic.tf
 
 
policydefinition-deploy_diagnostics_postgresql.tf
policydefinition-deploy_diagnostics_postgresql.tf
 
 
policydefinition-deploy_diagnostics_powerbiembedded.tf
policydefinition-deploy_diagnostics_powerbiembedded.tf
 
 

Repository files navigation

Update from upstreamValidationCreate Release

terraform-azurerm-azopsreference

This module contains the reference Azure policy & initiative (policySet) definitions from Enterprise-Scale.

It will deploy the definitions to the supplied Azure AD Management Group.

Usage

Deploying the Definitions

It is very simple to get the policies deployed:

module "azopsreference" {
  source                = "github.com/terraform-azurerm-modules/terraform-azurerm-azopsreference?ref=v0.1.0"
  management_group_name = azurerm_management_group.mymg.name
}

Note: Update the reference to match the version you want to use

Using the Outputs

Each policy & initiative definition has its own output, allowing you to reference the policy definition in an assignment:

resource "azurerm_policy_assignment" "deploy_diag_loganalytics" {
  name                 = "Deploy-Diag-LogAnalytics"
  scope                = azurerm_management_group.mymg.id
  policy_definition_id = module.azopsreference.policysetdefinition_deploy_diag_loganalytics.id
  description          = "Ensure resources have diagnostic settings configured to forward to Log Analytics"
  display_name         = "Deploy-Diag-LogAnalytics"
  location             = var.default_location

  identity {
    type = "SystemAssigned"
  }

  parameters = <<PARAMETERS
{
  "logAnalytics": {
    "value": "${azurerm_log_analytics_workspace.mgmt.id}"
  }
}
PARAMETERS

}

For initiatives (policySets), there is an additional output, an array of all the contained policy definition objects. This can be useful when creating remediation tasks for each of the definitions:

resource "azurerm_policy_remediation" "deploy_diag_loganalytics" {
  count                          = length(module.azopsreference.diagnostic_policy_definitions)
  name                           = lower(module.azopsreference.diagnostic_policy_definitions[count.index].name)
  scope                          = azurerm_management_group.es.id
  policy_assignment_id           = azurerm_policy_assignment.deploy_diag_loganalytics.id
  policy_definition_reference_id = replace(module.azopsreference.diagnostic_policy_definitions[count.index].name, "-", "")
}

Auto Generation

This Terraform is automatically generated from the JSON files from Enterprise Scale. You can see the GitHub action and script that accomplished this in this repo.

About

Implementation of Enterprise Scale azopsreference policies in Terraform

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

11 tags

Packages

 
 
 

Languages

  • HCL 98.0%
  • Shell 1.6%
  • PowerShell 0.4%