Quickstart: Create a policy assignment to identify non-compliant resources using Terraform
The first step in understanding compliance in Azure is to identify the status of your resources.
This quickstart steps you through the process of creating a policy assignment to identify virtual
machines that aren't using managed disks.
At the end of this process, you identify the virtual machines across the subscription that aren't using managed disks. They're non-compliant with the policy assignment.
When assigning a built-in policy or initiative definition, it's optional to reference a version. Policy assignments of built-in definitions default to the latest version and automatically inherit minor version changes unless otherwise specified.
Prerequisites
If you don't have an Azure subscription, create a free
account before you begin.
This quickstart requires that you run Azure CLI version 2.13.0 or later. To find the version, run
az --version. If you need to install or upgrade, see
Install Azure CLI.
Create the Terraform configuration, variable, and output file
In this quickstart, you create a policy assignment and assign the Audit VMs that do not use managed disks definition. This policy definition identifies resources that aren't compliant with the conditions set in the policy definition.
Configure the Terraform configuration, variable, and output files. The Terraform resources
for Azure Policy use the Azure Provider.
Create a new folder named policy-assignment and change directories into it.
provider "azurerm" {
  features {}
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.96.0"
    }
  }
}

# Assigns the built-in "Audit VMs that do not use managed disks" definition at subscription scope.
resource "azurerm_subscription_policy_assignment" "auditvms" {
  name                 = "audit-vm-manageddisks"
  subscription_id      = var.cust_scope
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
  description          = "Shows all virtual machines not using managed disks"
  display_name         = "Audit VMs without managed disks assignment"
}
Create variables.tf with the following code:
Terraform
variable "cust_scope" {
  default = "{scope}"
}
A scope determines what resources or grouping of resources the policy assignment gets enforced on. It could range from a management group to an individual resource. Be sure to replace {scope} with one of the following patterns based on the declared resource:
Run the terraform apply command and specify the
assignment.tfplan already created.
Bash
terraform apply assignment.tfplan
With the Apply complete! Resources: 1 added, 0 changed, 0 destroyed. message, the policy
assignment is now created. Since we defined the outputs.tf file, the assignment_id is also
returned.
Identify non-compliant resources
To view the resources that aren't compliant under this new assignment, use the assignment_id
returned by terraform apply. With it, run the following command to get the resource IDs of the
non-compliant resources that are output into a JSON file:
Console
armclient post "/subscriptions/<subscriptionID>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>
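Added example, not part of the quickstart: the Python below builds the same Policy Insights query as the armclient line above, percent-encoding the OData clauses (the double-quoted URL works in a Windows console, but a POSIX shell would expand $filter and $apply as empty variables), and reduces a response body to the unique non-compliant resource IDs. It assumes the public management.azure.com endpoint and leaves the HTTP call and bearer token to the caller (for instance az rest); the function names and the sample response are constructed.

```python
import json
from urllib.parse import quote

API_VERSION = "2019-10-01"  # same api-version the quickstart's armclient call uses
ARM = "https://management.azure.com"


def build_query_url(subscription_id, assignment_id, group_by_resource=True):
    """Build the policyStates/latest/queryResults URL for one assignment.
    The OData clauses are percent-encoded so the spaces, quotes and slashes in
    the filter reach the service intact whatever shell issues the request;
    the '$' in the parameter names stays literal, as the quickstart writes it."""
    odata_filter = ("IsCompliant eq false and "
                    f"PolicyAssignmentId eq '{assignment_id}'")
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.PolicyInsights"
           f"/policyStates/latest/queryResults?api-version={API_VERSION}"
           f"&$filter={quote(odata_filter, safe='')}")
    if group_by_resource:  # the quickstart's $apply=groupby((ResourceId))
        url += f"&$apply={quote('groupby((ResourceId))', safe='')}"
    return url


def non_compliant_resource_ids(response_body):
    """Reduce a queryResults body to unique resource IDs in first-seen order.
    Grouped rows carry only 'resourceId'; ungrouped rows also carry
    'isCompliant', which is honoured so a compliant row returned by a weakened
    filter is not reported. ARM IDs are case-insensitive, so deduplication
    ignores case but keeps the first spelling seen."""
    seen = {}
    for row in json.loads(response_body).get("value", []):
        if row.get("isCompliant") is True:
            continue
        rid = row.get("resourceId")
        if rid:
            seen.setdefault(rid.lower(), rid)
    return list(seen.values())


# Constructed sample of an ungrouped response (no $apply); not captured data.
SUB = "00000000-0000-0000-0000-000000000000"
VM = f"/subscriptions/{SUB}/resourcegroups/rg-web/providers/microsoft.compute/virtualmachines/"
SAMPLE_RESPONSE = json.dumps({"value": [
    {"resourceId": VM + "vm-web-01", "isCompliant": False},
    {"resourceId": VM + "vm-web-02", "isCompliant": False},
    {"resourceId": VM + "vm-db-01", "isCompliant": True},  # compliant: dropped
    {"resourceId": VM.upper() + "VM-WEB-01", "isCompliant": False},  # same VM, other casing
]})

if __name__ == "__main__":
    print(build_query_url(SUB, f"/subscriptions/{SUB}/providers/Microsoft.Authorization/policyAssignments/audit-vm-manageddisks"))
    print(non_compliant_resource_ids(SAMPLE_RESPONSE))
```

Feed the returned URL to your authenticated client of choice and pass the response body to non_compliant_resource_ids; the grouped and ungrouped shapes are both handled.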