Skip to content

libre-devops/terraform-azurerm-custom-policies

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

.azuredevops

.azuredevops

 
 

.github

.github

 
 

examples/module-development

examples/module-development

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Run-AzTerraform.ps1

Run-AzTerraform.ps1

 
 

Terraform-Release.ps1

Terraform-Release.ps1

 
 

data.tf

data.tf

 
 

definition-add-resource-lock-to-nsgs.tf

definition-add-resource-lock-to-nsgs.tf

 
 

definition-allowed-resources.tf

definition-allowed-resources.tf

 
 

definition-append-default-deny-rule-exists.tf

definition-append-default-deny-rule-exists.tf

 
 

definition-deny-nsg-deletion-action.tf

definition-deny-nsg-deletion-action.tf

 
 

definition-deploy-azure-activity-logs.tf

definition-deploy-azure-activity-logs.tf

 
 

definition-deploy-deny-rule-if-not-exists.tf

definition-deploy-deny-rule-if-not-exists.tf

 
 

definition-like-mandatory-resource-tagging.tf

definition-like-mandatory-resource-tagging.tf

 
 

definition-match-mandatory-resource-tagging.tf

definition-match-mandatory-resource-tagging.tf

 
 

definition-non-privileged-approved-roles.tf

definition-non-privileged-approved-roles.tf

 
 

definition-privileged-approved-roles.tf

definition-privileged-approved-roles.tf

 
 

main.tf

main.tf

 
 

outputs.tf

outputs.tf

 
 

policy-set-definition-add-resource-diags.tf

policy-set-definition-add-resource-diags.tf

 
 

policy.json

policy.json

 
 

storage.tf

storage.tf

 
 

variables.tf

variables.tf

 
 

Repository files navigation

#

Requirements

No requirements.

Providers

Name Version
azurerm n/a

Modules

No modules.

Resources

Name Type
azurerm_management_group_policy_assignment.add_resource_lock_to_nsg_assignment resource
azurerm_management_group_policy_assignment.append_default_deny_nsg_rule_assignment resource
azurerm_management_group_policy_assignment.approved_resource_providers_assignment resource
azurerm_management_group_policy_assignment.approved_services_actions_assignment resource
azurerm_management_group_policy_assignment.deny_nsg_deletion_action_assignment resource
azurerm_management_group_policy_assignment.like_mandatory_resource_tagging resource
azurerm_management_group_policy_assignment.match_mandatory_resource_tagging resource
azurerm_management_group_policy_assignment.non_privileged_role_restriction_assignment resource
azurerm_management_group_policy_assignment.privileged_role_restriction_assignment resource
azurerm_policy_definition.add_resource_lock_to_nsg_policy resource
azurerm_policy_definition.append_default_deny_nsg_rule_policy resource
azurerm_policy_definition.approved_resources_policy resource
azurerm_policy_definition.deny_nsg_deletion_action_policy resource
azurerm_policy_definition.like_mandatory_resource_tagging_policy resource
azurerm_policy_definition.match_mandatory_resource_tagging_policy resource
azurerm_policy_definition.non_privileged_role_restriction_policy resource
azurerm_policy_definition.privileged_role_restriction_policy resource
azurerm_role_assignment.add_resource_lock_to_nsg_assignment resource
azurerm_client_config.current data source
azurerm_management_group.tenant_root_group data source
azurerm_policy_definition_built_in.allowed_resource_types data source
azurerm_subscription.current data source

Inputs

Name Description Type Default Required
add_resource_lock_to_nsg_policy Configuration for policy which adds a resource lock to all NSGs 
object({
    name                    = optional(string, "add-nsg-lock")
    deploy_assignment       = optional(bool, true)
    management_group_id     = optional(string)
    attempt_role_assignment = optional(bool, true)
    enforce                 = optional(bool, true)
    location                = optional(string, "uksouth")
    role_definition_id      = optional(string, "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635")
    non_compliance_message  = optional(string)
    description             = optional(string)
  })
 n/a yes
allowed_resources_policy Configuration for the list of resource providers which can be deployed 
object({
    name                          = optional(string, "allowed-resources-providers")
    additional_resource_providers = optional(list(string), [])
    approved_resources = optional(list(string), [
      "microsoft.advisor",
      "microsoft.alertsmanagement/smartdetectoralertrules",
      "microsoft.authorization/locks",
      "microsoft.automation/automationaccounts",
      "microsoft.compute/disks",
      "microsoft.compute/galleries/images",
      "microsoft.compute/sshpublickeys",
      "microsoft.compute/virtualmachines",
      "microsoft.compute/virtualmachines/extensions",
      "microsoft.insights/actiongroups",
      "microsoft.insights/components",
      "microsoft.insights/workbooks",
      "microsoft.keyvault/vaults",
      "microsoft.logic/workflows",
      "microsoft.managedidentity/userassignedidentities",
      "microsoft.network/applicationsecuritygroups",
      "microsoft.network/bastionhosts",
      "microsoft.network/connections",
      "microsoft.network/networkinterfaces",
      "microsoft.network/networksecuritygroups",
      "microsoft.network/networkwatchers",
      "microsoft.network/privatednszones",
      "microsoft.network/privatednszones/virtualnetworklinks",
      "microsoft.network/publicipaddresses",
      "microsoft.network/virtualnetworks",
      "microsoft.resourcehealth/availabilitystatuses",
      "microsoft.resourcehealth/childavailabilitystatuses",
      "microsoft.resourcehealth/childresources",
      "microsoft.resourcehealth/emergingissues",
      "microsoft.resourcehealth/events",
      "microsoft.resourcehealth/impactedresources",
      "microsoft.resourcehealth/metadata",
      "microsoft.resourcehealth/operations",
      "microsoft.resources/batch",
      "microsoft.resources/builtintemplatespecs",
      "microsoft.resources/builtintemplatespecs/versions",
      "microsoft.resources/bulkdelete",
      "microsoft.resources/calculatetemplatehash",
      "microsoft.resources/changes",
      "microsoft.resources/checkpolicycompliance",
      "microsoft.resources/checkresourcename",
      "microsoft.resources/checkzonepeers",
      "microsoft.resources/deployments",
      "microsoft.resources/deployments/operations",
      "microsoft.resources/deploymentscripts",
      "microsoft.resources/deploymentscripts/logs",
      "microsoft.resources/deploymentstacks",
      "microsoft.resources/deploymentstacks/snapshots",
      "microsoft.resources/links",
      "microsoft.resources/locations",
      "microsoft.resources/locations/batchoperationresults",
      "microsoft.resources/locations/batchoperationstatuses",
      "microsoft.resources/locations/deploymentscriptoperationresults",
      "microsoft.resources/locations/deploymentstackoperationstatus",
      "microsoft.resources/mobobrokers",
      "microsoft.resources/notifyresourcejobs",
      "microsoft.resources/operationresults",
      "microsoft.resources/operations",
      "microsoft.resources/providers",
      "microsoft.resources/resourcegroups",
      "microsoft.resources/resources",
      "microsoft.resources/snapshots",
      "microsoft.resources/subscriptions",
      "microsoft.resources/subscriptions/locations",
      "microsoft.resources/subscriptions/operationresults",
      "microsoft.resources/subscriptions/providers",
      "microsoft.resources/subscriptions/resourcegroups",
      "microsoft.resources/subscriptions/resourcegroups/resources",
      "microsoft.resources/subscriptions/resources",
      "microsoft.resources/subscriptions/tagnames",
      "microsoft.resources/subscriptions/tagnames/tagvalues",
      "microsoft.resources/tagnamespaceoperationresults",
      "microsoft.resources/tagnamespaces",
      "microsoft.resources/tags",
      "microsoft.resources/templatespecs",
      "microsoft.resources/templatespecs/versions",
      "microsoft.resources/tenants",
      "microsoft.resources/validateresources",
      "microsoft.security/automations",
      "microsoft.storage/storageaccounts",
      "microsoft.support/checknameavailability",
      "microsoft.support/fileworkspaces",
      "microsoft.support/fileworkspaces/files",
      "microsoft.support/lookupresourceid",
      "microsoft.support/operationresults",
      "microsoft.support/operations",
      "microsoft.support/operationsstatus",
      "microsoft.support/services",
      "microsoft.support/services/problemclassifications",
      "microsoft.support/supporttickets",
      "microsoft.support/supporttickets/communications",
    ])
    deploy_assignment              = optional(bool, true)
    management_group_id            = optional(string)
    enforce                        = optional(bool, true)
    non_compliance_message         = optional(string)
    description                    = optional(string)
    effect                         = optional(string, "Deny")
    management_group_ids_to_exempt = optional(list(string), [])
  })
 n/a yes
append_default_deny_nsg_rule_policy Configuration for append deny NSG rule deployment policy 
object({
    name                         = optional(string, "append-nsg-default-deny1")
    deploy_assignment            = optional(bool, true)
    nsg_rule_name                = optional(string, "DenyAnyInbound")
    management_group_id          = optional(string)
    enforce                      = optional(bool, true)
    non_compliance_message       = optional(string)
    description                  = optional(string)
    effect                       = optional(string, "Append")
    protocol                     = optional(string, "")
    access                       = optional(string, "Deny")
    name_suffix                  = optional(string, "")
    priority                     = optional(string, "4096")
    direction                    = optional(string, "Inbound")
    source_port_ranges           = optional(list(string), [""])
    destination_port_ranges      = optional(list(string), [""])
    source_address_prefixes      = optional(list(string), [""])
    destination_address_prefixes = optional(list(string), [""])
  })
 n/a yes
attempt_read_tenant_root_group Whether the module should attempt to read the tenant root group, your SPN may not have permissions bool true no
deny_nsg_deletion_action_policy Configuration for DenyAction policy for NSG 
object({
    name                   = optional(string, "deny-nsg-delete")
    deploy_assignment      = optional(bool, true)
    management_group_id    = optional(string)
    enforce                = optional(bool, true)
    non_compliance_message = optional(string)
    description            = optional(string)
  })
 n/a yes
like_mandatory_resource_tagging_policy Configuration for the mandatory resource tagging policy for the like 
object({
    name                   = optional(string, "like-mandatory-tags")
    deploy_assignment      = optional(bool, true)
    management_group_id    = optional(string)
    enforce                = optional(bool, true)
    non_compliance_message = optional(string)
    description            = optional(string)
    effect                 = optional(string, "Audit")
    required_tags = list(object({
      key     = string
      pattern = string
    }))
  })
 n/a yes
match_mandatory_resource_tagging_policy Configuration for the mandatory resource tagging policy for the match pattern 
object({
    name                   = optional(string, "match-mandatory-tags")
    deploy_assignment      = optional(bool, true)
    management_group_id    = optional(string)
    enforce                = optional(bool, true)
    non_compliance_message = optional(string)
    description            = optional(string)
    effect                 = optional(string, "Audit")
    required_tags = list(object({
      key     = string
      pattern = string
    }))
  })
 n/a yes
non_privileged_role_restriction_policy Configuration for the non privileged role restriction policy, this policy allows you to restrict specific role definition IDs to specific principal types, in the event you would like users to have different access to other things like Managed Identities (normally used in automation) 
object({
    name                                                      = optional(string, "restrict-roles-for-non-privileged")
    management_group_id                                       = optional(string)
    deploy_assignment                                         = optional(bool, true)
    enforce                                                   = optional(bool, true)
    non_compliance_message                                    = optional(string)
    description                                               = optional(string)
    effect                                                    = optional(string, "Audit")
    non_privileged_role_definition_ids                        = optional(list(string), [])
    non_privileged_role_definition_restricted_principal_types = optional(list(string), ["User", "Group"])
  })
 n/a yes
policy_error_prefix The prefix to apply to custom policies string "[PlatformPolicyException]:" no
policy_prefix The prefix to apply to the custom policies string "[LibreDevOps Custom]" no
privileged_role_restriction_policy Configuration for the role restriction policy, this policy allows you to restrict specific role definition IDs to specific principal types, in the event you would like users to have different access to other things like Managed Identities (normally used in automation) 
object({
    name                           = optional(string, "restrict-roles-for-principal-type")
    management_group_id            = optional(string)
    deploy_assignment              = optional(bool, true)
    enforce                        = optional(bool, true)
    non_compliance_message         = optional(string)
    description                    = optional(string)
    effect                         = optional(string, "Audit")
    privileged_role_definition_ids = optional(list(string), [])
    privileged_role_definition_restricted_principal_types = optional(list(string), [
      "ServicePrincipal", "ManagedIdentity", "Application"
    ])
  })
 n/a yes

Outputs

No outputs.

About

A module used to deploy Azure custom policies 🧱

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages