Definition
Manages a policy rule definition on a management group or your provider subscription. Policy definitions do not take effect until they are assigned to a scope using a Policy Assignment.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const policy = new azure.policy.Definition("policy", {
name: "accTestPolicy",
policyType: "Custom",
mode: "Indexed",
displayName: "acceptance test policy definition",
metadata: ` {
"category": "General"
}
`,
policyRule: ` {
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
`,
parameters: ` {
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}
`,
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
policy = azure.policy.Definition("policy",
name="accTestPolicy",
policy_type="Custom",
mode="Indexed",
display_name="acceptance test policy definition",
metadata=""" {
"category": "General"
}
""",
policy_rule=""" {
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
""",
parameters=""" {
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}
""")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var policy = new Azure.Policy.Definition("policy", new()
{
Name = "accTestPolicy",
PolicyType = "Custom",
Mode = "Indexed",
DisplayName = "acceptance test policy definition",
Metadata = @" {
""category"": ""General""
}
",
PolicyRule = @" {
""if"": {
""not"": {
""field"": ""location"",
""in"": ""[parameters('allowedLocations')]""
}
},
""then"": {
""effect"": ""audit""
}
}
",
Parameters = @" {
""allowedLocations"": {
""type"": ""Array"",
""metadata"": {
""description"": ""The list of allowed locations for resources."",
""displayName"": ""Allowed locations"",
""strongType"": ""location""
}
}
}
",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/policy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := policy.NewDefinition(ctx, "policy", &policy.DefinitionArgs{
Name: pulumi.String("accTestPolicy"),
PolicyType: pulumi.String("Custom"),
Mode: pulumi.String("Indexed"),
DisplayName: pulumi.String("acceptance test policy definition"),
Metadata: pulumi.String(" {\n \"category\": \"General\"\n }\n\n"),
PolicyRule: pulumi.String(` {
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
`),
Parameters: pulumi.String(` {
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}
`),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.policy.Definition;
import com.pulumi.azure.policy.DefinitionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var policy = new Definition("policy", DefinitionArgs.builder()
.name("accTestPolicy")
.policyType("Custom")
.mode("Indexed")
.displayName("acceptance test policy definition")
.metadata("""
{
"category": "General"
}
""")
.policyRule("""
{
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
""")
.parameters("""
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}
""")
.build());
}
}Content copied to clipboard
resources:
policy:
type: azure:policy:Definition
properties:
name: accTestPolicy
policyType: Custom
mode: Indexed
displayName: acceptance test policy definition
metadata: |2+
{
"category": "General"
}
policyRule: |2
{
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
parameters: |2
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}Content copied to clipboard
Import
Policy Definitions can be imported using the policy name, e.g.
$ pulumi import azure:policy/definition:Definition examplePolicy /subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_NAME>Content copied to clipboard
or
$ pulumi import azure:policy/definition:Definition examplePolicy /providers/Microsoft.Management/managementgroups/<MANGAGEMENT_GROUP_ID>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_NAME>Content copied to clipboard
Properties
Link copied to clipboard
The description of the policy definition.
Link copied to clipboard
The display name of the policy definition.
Link copied to clipboard
The id of the Management Group where this policy should be defined. Changing this forces a new resource to be created.
Link copied to clipboard
The policy resource manager mode that allows you to specify which resource types will be evaluated. Possible values are All, Indexed, Microsoft.ContainerService.Data, Microsoft.CustomerLockbox.Data, Microsoft.DataCatalog.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.MachineLearningServices.Data, Microsoft.Network.Data and Microsoft.Synapse.Data.
Link copied to clipboard
Parameters for the policy definition. This field is a JSON string that allows you to parameterize your policy definition.
Link copied to clipboard
The policy rule for the policy definition. This is a JSON string representing the rule that contains an if and a then block.
Link copied to clipboard
The policy type. Possible values are BuiltIn, Custom, NotSpecified and Static. Changing this forces a new resource to be created.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
A list of role definition id extracted from policy_rule required for remediation.