
https://github.com/libre-devops/terraform-azurerm-custom-policies

A module used to deploy Azure custom policies 🧱

README

        

```hcl
#
```
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| [azurerm](#provider\_azurerm) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [azurerm_management_group_policy_assignment.add_resource_lock_to_nsg_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.append_default_deny_nsg_rule_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.approved_resource_providers_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.approved_services_actions_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.deny_nsg_deletion_action_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.like_mandatory_resource_tagging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.match_mandatory_resource_tagging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.non_privileged_role_restriction_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_management_group_policy_assignment.privileged_role_restriction_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
| [azurerm_policy_definition.add_resource_lock_to_nsg_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.append_default_deny_nsg_rule_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.approved_resources_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.deny_nsg_deletion_action_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.like_mandatory_resource_tagging_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.match_mandatory_resource_tagging_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.non_privileged_role_restriction_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_policy_definition.privileged_role_restriction_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
| [azurerm_role_assignment.add_resource_lock_to_nsg_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
| [azurerm_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
| [azurerm_policy_definition_built_in.allowed_resource_types](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/policy_definition_built_in) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [add\_resource\_lock\_to\_nsg\_policy](#input\_add\_resource\_lock\_to\_nsg\_policy) | Configuration for the policy which adds a resource lock to all NSGs | <pre>object({<br>  name                    = optional(string, "add-nsg-lock")<br>  deploy_assignment       = optional(bool, true)<br>  management_group_id     = optional(string)<br>  attempt_role_assignment = optional(bool, true)<br>  enforce                 = optional(bool, true)<br>  location                = optional(string, "uksouth")<br>  role_definition_id      = optional(string, "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635")<br>  non_compliance_message  = optional(string)<br>  description             = optional(string)<br>})</pre> | n/a | yes |
| [allowed\_resources\_policy](#input\_allowed\_resources\_policy) | Configuration for the list of resource providers which can be deployed | <pre>object({<br>  name                          = optional(string, "allowed-resources-providers")<br>  additional_resource_providers = optional(list(string), [])<br>  approved_resources = optional(list(string), [<br>    "microsoft.advisor",<br>    "microsoft.alertsmanagement/smartdetectoralertrules",<br>    "microsoft.authorization/locks",<br>    "microsoft.automation/automationaccounts",<br>    "microsoft.compute/disks",<br>    "microsoft.compute/galleries/images",<br>    "microsoft.compute/sshpublickeys",<br>    "microsoft.compute/virtualmachines",<br>    "microsoft.compute/virtualmachines/extensions",<br>    "microsoft.insights/actiongroups",<br>    "microsoft.insights/components",<br>    "microsoft.insights/workbooks",<br>    "microsoft.keyvault/vaults",<br>    "microsoft.logic/workflows",<br>    "microsoft.managedidentity/userassignedidentities",<br>    "microsoft.network/applicationsecuritygroups",<br>    "microsoft.network/bastionhosts",<br>    "microsoft.network/connections",<br>    "microsoft.network/networkinterfaces",<br>    "microsoft.network/networksecuritygroups",<br>    "microsoft.network/networkwatchers",<br>    "microsoft.network/privatednszones",<br>    "microsoft.network/privatednszones/virtualnetworklinks",<br>    "microsoft.network/publicipaddresses",<br>    "microsoft.network/virtualnetworks",<br>    "microsoft.resourcehealth/availabilitystatuses",<br>    "microsoft.resourcehealth/childavailabilitystatuses",<br>    "microsoft.resourcehealth/childresources",<br>    "microsoft.resourcehealth/emergingissues",<br>    "microsoft.resourcehealth/events",<br>    "microsoft.resourcehealth/impactedresources",<br>    "microsoft.resourcehealth/metadata",<br>    "microsoft.resourcehealth/operations",<br>    "microsoft.resources/batch",<br>    "microsoft.resources/builtintemplatespecs",<br>    "microsoft.resources/builtintemplatespecs/versions",<br>    "microsoft.resources/bulkdelete",<br>    "microsoft.resources/calculatetemplatehash",<br>    "microsoft.resources/changes",<br>    "microsoft.resources/checkpolicycompliance",<br>    "microsoft.resources/checkresourcename",<br>    "microsoft.resources/checkzonepeers",<br>    "microsoft.resources/deployments",<br>    "microsoft.resources/deployments/operations",<br>    "microsoft.resources/deploymentscripts",<br>    "microsoft.resources/deploymentscripts/logs",<br>    "microsoft.resources/deploymentstacks",<br>    "microsoft.resources/deploymentstacks/snapshots",<br>    "microsoft.resources/links",<br>    "microsoft.resources/locations",<br>    "microsoft.resources/locations/batchoperationresults",<br>    "microsoft.resources/locations/batchoperationstatuses",<br>    "microsoft.resources/locations/deploymentscriptoperationresults",<br>    "microsoft.resources/locations/deploymentstackoperationstatus",<br>    "microsoft.resources/mobobrokers",<br>    "microsoft.resources/notifyresourcejobs",<br>    "microsoft.resources/operationresults",<br>    "microsoft.resources/operations",<br>    "microsoft.resources/providers",<br>    "microsoft.resources/resourcegroups",<br>    "microsoft.resources/resources",<br>    "microsoft.resources/snapshots",<br>    "microsoft.resources/subscriptions",<br>    "microsoft.resources/subscriptions/locations",<br>    "microsoft.resources/subscriptions/operationresults",<br>    "microsoft.resources/subscriptions/providers",<br>    "microsoft.resources/subscriptions/resourcegroups",<br>    "microsoft.resources/subscriptions/resourcegroups/resources",<br>    "microsoft.resources/subscriptions/resources",<br>    "microsoft.resources/subscriptions/tagnames",<br>    "microsoft.resources/subscriptions/tagnames/tagvalues",<br>    "microsoft.resources/tagnamespaceoperationresults",<br>    "microsoft.resources/tagnamespaces",<br>    "microsoft.resources/tags",<br>    "microsoft.resources/templatespecs",<br>    "microsoft.resources/templatespecs/versions",<br>    "microsoft.resources/tenants",<br>    "microsoft.resources/validateresources",<br>    "microsoft.security/automations",<br>    "microsoft.storage/storageaccounts",<br>    "microsoft.support/checknameavailability",<br>    "microsoft.support/fileworkspaces",<br>    "microsoft.support/fileworkspaces/files",<br>    "microsoft.support/lookupresourceid",<br>    "microsoft.support/operationresults",<br>    "microsoft.support/operations",<br>    "microsoft.support/operationsstatus",<br>    "microsoft.support/services",<br>    "microsoft.support/services/problemclassifications",<br>    "microsoft.support/supporttickets",<br>    "microsoft.support/supporttickets/communications",<br>  ])<br>  deploy_assignment              = optional(bool, true)<br>  management_group_id            = optional(string)<br>  enforce                        = optional(bool, true)<br>  non_compliance_message         = optional(string)<br>  description                    = optional(string)<br>  effect                         = optional(string, "Deny")<br>  management_group_ids_to_exempt = optional(list(string), [])<br>})</pre> | n/a | yes |
| [append\_default\_deny\_nsg\_rule\_policy](#input\_append\_default\_deny\_nsg\_rule\_policy) | Configuration for the policy which appends a default deny rule to NSGs | <pre>object({<br>  name                         = optional(string, "append-nsg-default-deny1")<br>  deploy_assignment            = optional(bool, true)<br>  nsg_rule_name                = optional(string, "DenyAnyInbound")<br>  management_group_id          = optional(string)<br>  enforce                      = optional(bool, true)<br>  non_compliance_message       = optional(string)<br>  description                  = optional(string)<br>  effect                       = optional(string, "Append")<br>  protocol                     = optional(string, "*")<br>  access                       = optional(string, "Deny")<br>  name_suffix                  = optional(string, "*")<br>  priority                     = optional(string, "4096")<br>  direction                    = optional(string, "Inbound")<br>  source_port_ranges           = optional(list(string), ["*"])<br>  destination_port_ranges      = optional(list(string), ["*"])<br>  source_address_prefixes      = optional(list(string), ["*"])<br>  destination_address_prefixes = optional(list(string), ["*"])<br>})</pre> | n/a | yes |
| [attempt\_read\_tenant\_root\_group](#input\_attempt\_read\_tenant\_root\_group) | Whether the module should attempt to read the tenant root group; your SPN may not have permission to do so | `bool` | `true` | no |
| [deny\_nsg\_deletion\_action\_policy](#input\_deny\_nsg\_deletion\_action\_policy) | Configuration for the DenyAction policy which prevents NSG deletion | <pre>object({<br>  name                   = optional(string, "deny-nsg-delete")<br>  deploy_assignment      = optional(bool, true)<br>  management_group_id    = optional(string)<br>  enforce                = optional(bool, true)<br>  non_compliance_message = optional(string)<br>  description            = optional(string)<br>})</pre> | n/a | yes |
| [like\_mandatory\_resource\_tagging\_policy](#input\_like\_mandatory\_resource\_tagging\_policy) | Configuration for the mandatory resource tagging policy using the like pattern | <pre>object({<br>  name                   = optional(string, "like-mandatory-tags")<br>  deploy_assignment      = optional(bool, true)<br>  management_group_id    = optional(string)<br>  enforce                = optional(bool, true)<br>  non_compliance_message = optional(string)<br>  description            = optional(string)<br>  effect                 = optional(string, "Audit")<br>  required_tags = list(object({<br>    key     = string<br>    pattern = string<br>  }))<br>})</pre> | n/a | yes |
| [match\_mandatory\_resource\_tagging\_policy](#input\_match\_mandatory\_resource\_tagging\_policy) | Configuration for the mandatory resource tagging policy using the match pattern | <pre>object({<br>  name                   = optional(string, "match-mandatory-tags")<br>  deploy_assignment      = optional(bool, true)<br>  management_group_id    = optional(string)<br>  enforce                = optional(bool, true)<br>  non_compliance_message = optional(string)<br>  description            = optional(string)<br>  effect                 = optional(string, "Audit")<br>  required_tags = list(object({<br>    key     = string<br>    pattern = string<br>  }))<br>})</pre> | n/a | yes |
| [non\_privileged\_role\_restriction\_policy](#input\_non\_privileged\_role\_restriction\_policy) | Configuration for the non-privileged role restriction policy. This policy restricts specific role definition IDs to specific principal types, for cases where users should have different access from other principals such as Managed Identities (normally used in automation) | <pre>object({<br>  name                                                      = optional(string, "restrict-roles-for-non-privileged")<br>  management_group_id                                       = optional(string)<br>  deploy_assignment                                         = optional(bool, true)<br>  enforce                                                   = optional(bool, true)<br>  non_compliance_message                                    = optional(string)<br>  description                                               = optional(string)<br>  effect                                                    = optional(string, "Audit")<br>  non_privileged_role_definition_ids                        = optional(list(string), [])<br>  non_privileged_role_definition_restricted_principal_types = optional(list(string), ["User", "Group"])<br>})</pre> | n/a | yes |
| [policy\_error\_prefix](#input\_policy\_error\_prefix) | The error-message prefix to apply to custom policies | `string` | `"[PlatformPolicyException]:"` | no |
| [policy\_prefix](#input\_policy\_prefix) | The name prefix to apply to the custom policies | `string` | `"[LibreDevOps Custom]"` | no |
| [privileged\_role\_restriction\_policy](#input\_privileged\_role\_restriction\_policy) | Configuration for the privileged role restriction policy. This policy restricts specific role definition IDs to specific principal types, for cases where users should have different access from other principals such as Managed Identities (normally used in automation) | <pre>object({<br>  name                                                  = optional(string, "restrict-roles-for-principal-type")<br>  management_group_id                                   = optional(string)<br>  deploy_assignment                                     = optional(bool, true)<br>  enforce                                               = optional(bool, true)<br>  non_compliance_message                                = optional(string)<br>  description                                           = optional(string)<br>  effect                                                = optional(string, "Audit")<br>  privileged_role_definition_ids                        = optional(list(string), [])<br>  privileged_role_definition_restricted_principal_types = optional(list(string), [<br>    "ServicePrincipal", "ManagedIdentity", "Application"<br>  ])<br>})</pre> | n/a | yes |
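The inputs above are all required objects, so a caller has to pass every one of them even when it only wants the module's defaults. The following root module call is an added example and is not part of the module's README or the libre-devops project. It assumes an unpinned GitHub `source` shorthand (pin a `?ref=` in real use), a caller-supplied variable `platform_management_group_id` for the assignment scope, and placeholder values for the exempt management group and the automation role definition ID; the resource provider added to the allow-list and the tag patterns are constructed for illustration. The only real identifier reused is the role definition ID the README itself uses as the lock policy's default, which is the built-in Owner role.

```hcl
# Added example: calling libre-devops/terraform-azurerm-custom-policies from a root module.
# Values marked PLACEHOLDER are assumptions for this example, not module defaults.

variable "platform_management_group_id" {
  description = "PLACEHOLDER: resource ID of the management group the policies are assigned to"
  type        = string
}

module "custom_policies" {
  # Assumption: GitHub source shorthand without a pinned ref; add ?ref=<tag> in real use.
  source = "github.com/libre-devops/terraform-azurerm-custom-policies"

  policy_prefix       = "[LibreDevOps Custom]"
  policy_error_prefix = "[PlatformPolicyException]:"

  # Reading the tenant root group needs rights the deploying SPN may lack (see the
  # input's description), so every assignment below names its scope explicitly.
  attempt_read_tenant_root_group = false

  # Lock every NSG. The role_definition_id / attempt_role_assignment inputs exist so the
  # assignment's identity can create locks; the module defaults are kept here.
  add_resource_lock_to_nsg_policy = {
    management_group_id    = var.platform_management_group_id
    location               = "uksouth"
    non_compliance_message = "NSGs must carry a resource lock."
  }

  # Refuse NSG deletion outright (DenyAction).
  deny_nsg_deletion_action_policy = {
    management_group_id    = var.platform_management_group_id
    non_compliance_message = "Deleting NSGs is denied by platform policy."
  }

  # Append an explicit catch-all inbound deny at the lowest priority (4096).
  append_default_deny_nsg_rule_policy = {
    management_group_id = var.platform_management_group_id
    nsg_rule_name       = "DenyAnyInbound"
    priority            = "4096"
  }

  # Resource provider allow-list: keep the module's default list, add one provider
  # (constructed example), and exempt a sandbox scope.
  allowed_resources_policy = {
    management_group_id           = var.platform_management_group_id
    additional_resource_providers = ["microsoft.containerregistry/registries"]
    effect                        = "Deny"
    # PLACEHOLDER: ID format is an assumption; check the module's policy rule.
    management_group_ids_to_exempt = ["/providers/Microsoft.Management/managementGroups/mg-sandbox"]
  }

  # Tag enforcement. Azure Policy's match operator treats # as a digit, ? as a letter
  # and . as any character; like uses a single * wildcard. Patterns are constructed.
  match_mandatory_resource_tagging_policy = {
    management_group_id = var.platform_management_group_id
    effect              = "Audit"
    required_tags = [
      { key = "environment", pattern = "prod" },
    ]
  }
  like_mandatory_resource_tagging_policy = {
    management_group_id = var.platform_management_group_id
    effect              = "Audit"
    required_tags = [
      { key = "cost_centre", pattern = "CC-*" },
    ]
  }

  # Privileged roles: flag assignments to the default non-human principal types
  # (ServicePrincipal, ManagedIdentity, Application).
  privileged_role_restriction_policy = {
    management_group_id = var.platform_management_group_id
    effect              = "Audit"
    # Owner: the role definition ID the README uses as the lock policy's default.
    privileged_role_definition_ids = [
      "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    ]
  }

  # Automation roles: flag assignments to the default human principal types (User, Group).
  non_privileged_role_restriction_policy = {
    management_group_id = var.platform_management_group_id
    effect              = "Audit"
    non_privileged_role_definition_ids = [
      # PLACEHOLDER: a custom automation role definition ID
      "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    ]
  }
}
```

Run `terraform init` and `terraform plan` with `platform_management_group_id` set to see the 17 policy definitions and assignments from the Resources table before applying. Leaving the tagging and role restriction policies on the page's default `Audit` effect is deliberate: it populates compliance data without blocking deployments, so the scope of non-compliant resources is known before any move to a blocking effect.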

## Outputs

No outputs.