policy template

brown9804 · brown9804 · commit 36db52655d6f · 2026-02-09T21:52:22.000-06:00
diff --git a/4_identity-security/README.md b/4_identity-security/README.md
@@ -17,6 +17,7 @@ Last updated: 2026-02-09
 - [Microsoft Entra ID (Entra ID)](./entra_id)
 - [Azure Key Vault](./key-vault)
 - [User Assigned Managed Identity](./managed-identity)
+- [Azure Policy Assignment](./policy)
 
 <!-- START BADGE -->
 <div align="center">
diff --git a/4_identity-security/policy/README.md b/4_identity-security/policy/README.md
@@ -0,0 +1,86 @@
+# Terraform Template - Azure Policy Assignment (with Managed Identity)
+
+Costa Rica
+
+[![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
+[brown9804](https://github.com/brown9804)
+
+Last updated: 2026-02-09
+
+------------------------------------------
+
+> This template contains Terraform configurations to create an Azure Policy Assignment scoped to a Resource Group, using a User Assigned Managed Identity.
+
+> [!NOTE]
+> Some Azure Policies (for example, `DeployIfNotExists` / remediation scenarios) require an identity on the assignment. This template always creates a User Assigned Managed Identity and attaches it to the assignment.
+
+## File Descriptions
+
+- **main.tf**: Creates the Resource Group, User Assigned Managed Identity, and the Azure Policy Assignment.
+- **variables.tf**: Defines the input variables used in the Terraform configuration.
+- **provider.tf**: Configures the Azure provider to interact with Azure resources.
+- **terraform.tfvars**: Provides example values for the variables defined in `variables.tf`.
+- **outputs.tf**: Defines outputs such as the policy assignment ID and identity IDs.
+
+## Variables
+
+| Variable Name | Description | Type | Example Value |
+| --- | --- | --- | --- |
+| `resource_group_name` | The name of the Azure Resource Group to create and scope the assignment to. | string | `"rg-identity-security-dev"` |
+| `location` | The Azure region where the Resource Group and identity will be created. | string | `"East US"` |
+| `managed_identity_name` | The name of the User Assigned Managed Identity to create. | string | `"id-policy-identity-security-dev-001"` |
+| `policy_assignment_name` | The name of the Azure Policy Assignment. | string | `"pa-identity-security-dev-001"` |
+| `policy_definition_id` | The policy definition resource ID (built-in or custom). | string | `"/providers/Microsoft.Authorization/policyDefinitions/<id>"` |
+| `policy_assignment_display_name` | Optional display name for the assignment. | string | `"Identity/Security policy assignment (dev)"` |
+| `policy_assignment_description` | Optional description for the assignment. | string | `"Example policy assignment scoped to a resource group."` |
+| `policy_parameters_json` | Optional policy parameters JSON string. | string | `jsonencode({ effect = { value = "Audit" } })` |
+| `enforce` | Whether the policy should be enforced. | bool | `true` |
+| `tags` | A map of tags to assign to the resources. | map(string) | `{ "env": "dev" }` |
+
+## Usage
+
+1. Authenticate:
+
+   ```sh
+   az login
+   ```
+
+2. Ensure Azure CLI has the correct active subscription:
+
+   ```sh
+   az account show
+   # If needed:
+   az account set --subscription "<subscription-id-or-name>"
+   ```
+
+3. Initialize:
+
+   ```sh
+   terraform init -upgrade
+   ```
+
+4. Validate and plan:
+
+   ```sh
+   terraform validate
+   terraform plan
+   ```
+
+5. Apply:
+
+   ```sh
+   terraform apply -auto-approve
+   ```
+
+> [!NOTES]
+>
+> - This template creates the Resource Group for you.
+> - If you leave `policy_definition_id` as a placeholder, `terraform apply` will fail with `PolicyDefinitionNotFound`. Use Azure CLI to find a valid definition ID (built-in or custom), for example: `az policy definition list --query "[0].id" -o tsv`.
+> - If your policy requires remediation, you may need to grant the assignment identity additional Azure RBAC permissions at the assignment scope.
+
+<!-- START BADGE -->
+<div align="center">
+  <img src="https://img.shields.io/badge/Total%20views-1646-limegreen" alt="Total views">
+  <p>Refresh Date: 2026-02-09</p>
+</div>
+<!-- END BADGE -->
diff --git a/4_identity-security/policy/main.tf b/4_identity-security/policy/main.tf
@@ -0,0 +1,44 @@
+# main.tf
+# This file contains the main configuration for creating an Azure Policy Assignment.
+# It creates a Resource Group, a User Assigned Managed Identity, and a Policy Assignment scoped to the Resource Group.
+
+resource "azurerm_resource_group" "example" {
+  name     = var.resource_group_name
+  location = var.location
+
+  tags = var.tags
+}
+
+resource "azurerm_user_assigned_identity" "example" {
+  name                = var.managed_identity_name
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  tags = var.tags
+
+  depends_on = [
+    azurerm_resource_group.example
+  ]
+}
+
+resource "azurerm_resource_group_policy_assignment" "example" {
+  name                 = var.policy_assignment_name
+  resource_group_id    = azurerm_resource_group.example.id
+  policy_definition_id = var.policy_definition_id
+
+  location     = azurerm_resource_group.example.location
+  display_name = var.policy_assignment_display_name
+  description  = var.policy_assignment_description
+  parameters   = var.policy_parameters_json
+
+  enforce = var.enforce
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.example.id]
+  }
+
+  depends_on = [
+    azurerm_user_assigned_identity.example
+  ]
+}
diff --git a/4_identity-security/policy/outputs.tf b/4_identity-security/policy/outputs.tf
@@ -0,0 +1,42 @@
+# outputs.tf
+# This file defines the outputs of the Terraform configuration.
+
+output "policy_assignment_id" {
+  description = "The resource ID of the Policy Assignment."
+  value       = azurerm_resource_group_policy_assignment.example.id
+}
+
+output "policy_assignment_name" {
+  description = "The name of the Policy Assignment."
+  value       = azurerm_resource_group_policy_assignment.example.name
+}
+
+output "policy_assignment_scope" {
+  description = "The scope of the Policy Assignment."
+  value       = azurerm_resource_group.example.id
+}
+
+output "managed_identity_id" {
+  description = "The resource ID of the User Assigned Managed Identity used by the Policy Assignment."
+  value       = azurerm_user_assigned_identity.example.id
+}
+
+output "managed_identity_name" {
+  description = "The name of the User Assigned Managed Identity used by the Policy Assignment."
+  value       = azurerm_user_assigned_identity.example.name
+}
+
+output "managed_identity_client_id" {
+  description = "The client ID (application ID) of the User Assigned Managed Identity."
+  value       = azurerm_user_assigned_identity.example.client_id
+}
+
+output "managed_identity_principal_id" {
+  description = "The principal ID (object ID) of the User Assigned Managed Identity."
+  value       = azurerm_user_assigned_identity.example.principal_id
+}
+
+output "resource_group_name" {
+  description = "The name of the Resource Group created for this template."
+  value       = azurerm_resource_group.example.name
+}
diff --git a/4_identity-security/policy/provider.tf b/4_identity-security/policy/provider.tf
@@ -0,0 +1,25 @@
+# provider.tf
+# This file configures the Azure provider to interact with Azure resources.
+# It specifies the required provider and its version, along with provider-specific configurations.
+
+terraform {
+  required_version = ">= 1.8, < 2.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.116"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+
+  # Uses the current Azure CLI context (az login + az account set)
+  skip_provider_registration = false
+}
diff --git a/4_identity-security/policy/terraform.tfvars b/4_identity-security/policy/terraform.tfvars
@@ -0,0 +1,31 @@
+# Example values for the Azure Policy Assignment template
+
+resource_group_name    = "rg-identity-security-dev"
+location               = "East US"
+managed_identity_name  = "id-policy-identity-security-dev-001"
+policy_assignment_name = "pa-identity-security-dev-001"
+
+# Provide a built-in or custom policy definition ID.
+# Example format: /providers/Microsoft.Authorization/policyDefinitions/<policyDefinitionId>
+# Tip: list definitions with:
+#   az policy definition list --query "[0].id" -o tsv
+policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945"
+
+# Optional
+policy_assignment_display_name = "Identity/Security policy assignment (dev)"
+policy_assignment_description  = "Example policy assignment scoped to a resource group."
+
+# Optional parameters JSON (only if your policy expects parameters)
+# policy_parameters_json = jsonencode({
+#   effect = {
+#     value = "Audit"
+#   }
+# })
+
+enforce = true
+
+tags = {
+  env   = "dev"
+  app   = "identity-security"
+  owner = "terraform"
+}
diff --git a/4_identity-security/policy/variables.tf b/4_identity-security/policy/variables.tf
@@ -0,0 +1,72 @@
+# variables.tf
+# This file defines the input variables used in the Terraform configuration.
+
+variable "resource_group_name" {
+  description = "The name of the Azure Resource Group to create and scope the Policy Assignment to."
+  type        = string
+}
+
+variable "location" {
+  description = "The Azure region where the Resource Group (and Managed Identity) will be created."
+  type        = string
+}
+
+variable "managed_identity_name" {
+  description = "The name of the User Assigned Managed Identity to create for the Policy Assignment."
+  type        = string
+
+  validation {
+    condition     = length(trimspace(var.managed_identity_name)) > 0
+    error_message = "managed_identity_name must not be empty."
+  }
+}
+
+variable "policy_assignment_name" {
+  description = "The name of the Azure Policy Assignment."
+  type        = string
+
+  validation {
+    condition     = length(trimspace(var.policy_assignment_name)) > 0 && length(var.policy_assignment_name) <= 64
+    error_message = "policy_assignment_name must be 1-64 characters."
+  }
+}
+
+variable "policy_definition_id" {
+  description = "The resource ID of the Policy Definition (built-in or custom) to assign. Example: /providers/Microsoft.Authorization/policyDefinitions/<id>"
+  type        = string
+
+  validation {
+    condition     = length(trimspace(var.policy_definition_id)) > 0
+    error_message = "policy_definition_id must not be empty."
+  }
+}
+
+variable "policy_assignment_display_name" {
+  description = "Optional display name for the Policy Assignment."
+  type        = string
+  default     = null
+}
+
+variable "policy_assignment_description" {
+  description = "Optional description for the Policy Assignment."
+  type        = string
+  default     = null
+}
+
+variable "policy_parameters_json" {
+  description = "Optional policy parameters JSON string. Example: jsonencode({ effect = { value = \"Audit\" } })"
+  type        = string
+  default     = null
+}
+
+variable "enforce" {
+  description = "Whether the Policy Assignment should be enforced. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the resources."
+  type        = map(string)
+  default     = {}
+}
