https://github.com/globalbao/terraform-azurerm-policy-exemptions

Terraform module for managing AzureRM policy exemptions (via ARM template) - by @JesseLoudon

azure-policy-exemptions azurerm-policy azurerm-terraform-provider policy-exemptions terraform

README

# **Update: Dec 2022**
The Terraform AzureRM provider now has native resources for Policy Exemptions, so an ARM template deployment is no longer needed.
I recommend using these instead of this module for the best experience:
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_exemption
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_exemption
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_policy_exemption
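As an added example (not code from this module or its author), here is the resource-group exemption from the first example below rewritten against the native `azurerm_resource_group_policy_exemption` resource. The resource group name, the assignment ID and the metadata values are placeholders; note that the native resource's `expires_on` takes an RFC 3339 UTC timestamp rather than the module's date-only string.

```hcl
# Look up the resource group the exemption should cover.
data "azurerm_resource_group" "rg1" {
  name = "Insert-Your-RG-Name1"
}

resource "azurerm_resource_group_policy_exemption" "exemption1" {
  name                 = "exemption1"
  resource_group_id    = data.azurerm_resource_group.rg1.id
  policy_assignment_id = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
  exemption_category   = "Waiver" # or "Mitigated"
  display_name         = "exemption1 for Insert-Your-RG-Name1"
  description          = "exemption1 waives compliance on a resource group"

  # Always bound a waiver in time: an exemption with no expiry is a
  # permanent hole in the assignment. RFC 3339 timestamp in UTC.
  expires_on = "2025-12-29T00:00:00Z"

  # policy_definition_reference_ids is deliberately omitted here, which
  # exempts every definition in the assignment (for an initiative). Set it
  # to the specific reference IDs whenever only some definitions need the waiver.

  # Record who asked for the exemption and why; the values are placeholders.
  # The provider stores metadata as a JSON string.
  metadata = jsonencode({
    requestedBy = "app-team"
    ticket      = "CHG-0000"
  })
}
```

The subscription and management group variants take `subscription_id` and `management_group_id` respectively in place of `resource_group_id`; the remaining arguments are the same.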

# Terraform AzureRM Policy Exemptions

Uses a Terraform [Resource Group Template Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) for managing [Azure Policy Exemptions](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?WT.mc_id=AZ-MVP-5004598).

Learn more about [Azure Policy Exemptions](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure?WT.mc_id=AZ-MVP-5004598). An exemption suppresses evaluation of the named assignment for everything under its scope, so treat each one as a time-boxed, reviewed deviation: set `expiresOn`, and use `policyDefinitionReferenceIds` to limit an initiative exemption to the definitions that actually need it (an empty list exempts every definition in the assignment).

> Note: Terraform v0.13 or greater is required to use this module. Download the latest Terraform at [https://www.terraform.io/downloads.html](https://www.terraform.io/downloads.html)

# Example Usage

* Create 1 policy exemption for resources in an RG to be exempt from policies in an assignment (`scope = null` applies the exemption to the resource group the template is deployed into).
* Create 1 policy exemption for a Virtual Machine to be exempt from policies in an assignment (an explicit resource ID in `scope` narrows the exemption to that one resource).
* Create 3 policy exemptions for resources in selected RGs to be exempt from policies in selected assignments.
* Create 2 policy exemptions targeting resources in 2 RGs in 2 subscriptions, using provider aliases.

> Complete example code can be found here: [terraform-azurerm-policy-exemptions/tree/main/examples](https://github.com/globalbao/terraform-azurerm-policy-exemptions/tree/main/examples)

#### Create 1 policy exemption for resources in an RG to be exempt from policies in an assignment

```hcl
module "policy_exemptions" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.3.0"
  policyExemptions = {
    exemption1 = {
      deploymentMode               = "Incremental"
      name                         = "exemption1"
      scope                        = null
      displayName                  = "exemption1 for Insert-Your-RG-Name1"
      description                  = "exemption1 waives compliance on a resource group"
      resourceGroupName            = "Insert-Your-RG-Name1"
      policyAssignmentId           = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2025-12-29"
      metadata                     = {}
    }
  }
}
```

#### Create 1 policy exemption for a Virtual Machine to be exempt from policies in an assignment

```hcl
module "policy_exemptions" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.3.0"
  policyExemptions = {
    exemption1 = {
      deploymentMode               = "Incremental"
      name                         = "exemption1"
      scope                        = "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourcegroups/Insert-Your-RG-Name1/providers/Microsoft.Compute/virtualMachines/virtualmachine1"
      displayName                  = "exemption1 for virtualmachine1 in Insert-Your-RG-Name1"
      description                  = "exemption1 exempts policy assignment compliance for virtualmachine1 in Insert-Your-RG-Name1"
      resourceGroupName            = "Insert-Your-RG-Name1"
      policyAssignmentId           = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2025-12-29"
      metadata                     = {}
    }
  }
}
```

#### Create 3 policy exemptions for resources in selected RGs to be exempt from policies in selected assignments

```hcl
module "policy_exemptions" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.3.0"
  policyExemptions = {
    exemption1 = {
      deploymentMode               = "Incremental"
      name                         = "exemption1"
      scope                        = null
      displayName                  = "exemption1 for Insert-Your-RG-Name1"
      description                  = "exemption1 exempts policy compliance for resources in Insert-Your-RG-Name1"
      resourceGroupName            = "Insert-Your-RG-Name1"
      policyAssignmentId           = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2027-12-30"
      metadata                     = {}
    },
    exemption2 = {
      deploymentMode               = "Incremental"
      name                         = "exemption2"
      scope                        = null
      displayName                  = "exemption2 for Insert-Your-RG-Name2"
      description                  = "exemption2 exempts policy compliance for resources in Insert-Your-RG-Name2"
      resourceGroupName            = "Insert-Your-RG-Name2"
      policyAssignmentId           = "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Mitigated"
      expiresOn                    = "2026-12-31"
      metadata                     = {}
    },
    exemption3 = {
      deploymentMode               = "Incremental"
      name                         = "exemption3"
      scope                        = null
      displayName                  = "exemption3 for Insert-Your-RG-Name3"
      description                  = "exemption3 exempts policy compliance for resources in Insert-Your-RG-Name3"
      resourceGroupName            = "Insert-Your-RG-Name3"
      policyAssignmentId           = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2025-12-29"
      metadata                     = {}
    }
  }
}
```

#### Create 2 policy exemptions targeting resources in 2 RGs in 2 subscriptions

> For documentation on passing provider configurations and aliases into modules see [https://www.terraform.io/docs/language/modules/develop/providers.html](https://www.terraform.io/docs/language/modules/develop/providers.html). Each module instance deploys into the subscription of the provider it is given, so the `resourceGroupName` in each map must exist in that subscription.

```hcl
# default provider block
provider "azurerm" {
  features {}
}

# new provider block for subscription A
provider "azurerm" {
  alias           = "subA"
  subscription_id = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
  features {}
}

# new provider block for subscription B
provider "azurerm" {
  alias           = "subB"
  subscription_id = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
  features {}
}

# exemption module for subscription A
module "policy_exemptions_subA" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.3.0"
  providers = {
    azurerm = azurerm.subA
  }
  policyExemptions = {
    exemption1 = {
      deploymentMode               = "Incremental"
      name                         = "exemption1"
      scope                        = null
      displayName                  = "exemption1 for Insert-Your-RG-Name1"
      description                  = "exemption1 exempts policy compliance for resources in Insert-Your-RG-Name1"
      resourceGroupName            = "Insert-Your-RG-Name1"
      policyAssignmentId           = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2027-12-30"
      metadata                     = {}
    }
  }
}

# exemption module for subscription B
module "policy_exemptions_subB" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.3.0"
  providers = {
    azurerm = azurerm.subB
  }
  policyExemptions = {
    exemption2 = {
      deploymentMode               = "Incremental"
      name                         = "exemption2"
      scope                        = null
      displayName                  = "exemption2 for Insert-Your-RG-Name2"
      description                  = "exemption2 exempts policy compliance for resources in Insert-Your-RG-Name2"
      resourceGroupName            = "Insert-Your-RG-Name2"
      policyAssignmentId           = "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Mitigated"
      expiresOn                    = "2026-12-31"
      metadata                     = {}
    }
  }
}
```
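The module deploys whatever the map contains, so the root module that calls it is the place to enforce exemption hygiene. The following is an added example, not part of the module: a root-module `policyExemptions` variable (same object type as the module's) with `validation` blocks that reject an unknown `exemptionCategory`, a missing or malformed `expiresOn`, and a Waiver that carries no `justification` key in `metadata`. The `justification` key is an assumed convention; `validation` needs Terraform 0.13+ and `alltrue` needs 0.14+.

```hcl
variable "policyExemptions" {
  type = map(object({
    deploymentMode               = string
    name                         = string
    scope                        = string
    displayName                  = string
    description                  = string
    resourceGroupName            = string
    policyAssignmentId           = string
    policyDefinitionReferenceIds = list(string)
    exemptionCategory            = string
    expiresOn                    = string
    metadata                     = any
  }))

  # Azure Policy defines exactly two categories; anything else is a typo
  # that would only surface at deployment time.
  validation {
    condition = alltrue([
      for k, e in var.policyExemptions :
      contains(["Waiver", "Mitigated"], e.exemptionCategory)
    ])
    error_message = "exemptionCategory must be \"Waiver\" or \"Mitigated\" for every exemption."
  }

  # Every exemption must be time-boxed. A null or free-form expiresOn fails
  # the regex (and the regex call itself errors on null, which can() turns
  # into false).
  validation {
    condition = alltrue([
      for k, e in var.policyExemptions :
      can(regex("^\\d{4}-\\d{2}-\\d{2}$", e.expiresOn))
    ])
    error_message = "expiresOn must be set as YYYY-MM-DD for every exemption."
  }

  # A Waiver acknowledges non-compliance without a control in place, so
  # require a recorded justification in metadata (assumed key name).
  validation {
    condition = alltrue([
      for k, e in var.policyExemptions :
      e.exemptionCategory != "Waiver" || can(e.metadata["justification"])
    ])
    error_message = "Every Waiver exemption must carry metadata.justification."
  }
}

module "policy_exemptions" {
  source           = "globalbao/policy-exemptions/azurerm"
  version          = "0.3.0"
  policyExemptions = var.policyExemptions
}
```

With this wrapper, `terraform plan` fails before any template deployment is attempted when an exemption is open-ended or undocumented; an `exemptionCategory = "Waiver"` entry with `metadata = {}` is rejected, while the same entry with `metadata = { justification = "CHG-0000 approved by security" }` passes. Whether `policyDefinitionReferenceIds = []` is acceptable depends on whether the assignment is an initiative, so that check belongs in review rather than in a static validation.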

# Variables

```hcl
variable "policyExemptions" {
  type = map(object({
    deploymentMode               = string
    name                         = string
    scope                        = string
    displayName                  = string
    description                  = string
    resourceGroupName            = string
    policyAssignmentId           = string
    policyDefinitionReferenceIds = list(string)
    exemptionCategory            = string
    expiresOn                    = string
    metadata                     = any
  }))
  description = <