diff --git a/docs/policies.md b/docs/policies.md index 07d09e20c..fcf30ba3d 100644 --- a/docs/policies.md +++ b/docs/policies.md @@ -63,12 +63,12 @@ az deployment group create \ ### Deploying with Terraform -By default, the Terraform implementaiton at `src/terraform/mlz/main.tf` will assign the NIST 800-53 policies. You can disable this by providing a `false` value to the `create_policy_assignment` variable: +The Terraform implementaiton at `src/terraform/mlz/main.tf` supports assigning NIST 800-53 policies. You can enable this by providing a `true` value to the `create_policy_assignment` variable: ```plaintext cd src/terraform/mlz terraform init -terraform apply -var="create_policy_assignment=false" +terraform apply -var="create_policy_assignment=true" ``` After the resources are deployed, you will need to go into go into each assignment and retrieve the managed identity and modify its role access to contributor scoped to the associated resource group. This is due to the initiative including modify and deploy policies that act on resources, like deploying the require policy guest configuration extensions to VMs. diff --git a/src/terraform/README.md b/src/terraform/README.md index 1b5386d11..13ea4c99c 100644 --- a/src/terraform/README.md +++ b/src/terraform/README.md @@ -29,6 +29,8 @@ Read on to understand the [prerequisites](#Prerequisistes), how to get started, Deploying to a Cloud other than Azure Commercial? This requires updating the `azurerm` provider block `environment` and `metadata_host` values. Checkout the [Deploying to Other Clouds](#Deploying-to-Other-Clouds) documentation. +Looking to assign Azure Policy? This template supports assigning NIST 800-53 policies. See the [policies documentation](../../docs/policies.md) for more information. + ### Login to Azure CLI 1. Log in using the Azure CLI @@ -162,6 +164,28 @@ Here's the docs on `terraform destroy`:
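Review bot: In the `docs/policies.md` hunk, the rewritten line still carries the misspelling "implementaiton" (it was in the removed line and is copied into the added one); since the sentence is being rewritten anyway, change it to `The Terraform implementation at `src/terraform/mlz/main.tf` supports assigning NIST 800-53 policies.` Also, the new wording implies the default for `create_policy_assignment` has flipped from true to false, but this diff only touches documentation; confirm the variable's default in the Terraform variables file changed in the same commit, otherwise the docs and the code disagree and users will get policy assignments they did not ask for (or none when they expected them). Finally, the unchanged context line "you will need to go into go into each assignment" duplicates "go into" and could be fixed while you are in this paragraph.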
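Review bot: In the `src/terraform/README.md` hunk, the added sentence says the template "supports assigning NIST 800-53 policies" but does not tell the reader that assignment is opt-in or how to turn it on, which is exactly what the companion `docs/policies.md` change establishes; consider extending it to something like `This template supports assigning NIST 800-53 policies when `create_policy_assignment=true`. See the [policies documentation](../../docs/policies.md) for more information.` so the README and the policies doc state the same behaviour. The relative link resolves correctly from `src/terraform/` to `docs/policies.md`. As a side note, the unchanged context line above links to `#Prerequisistes`, a misspelled anchor that is worth checking against the actual heading.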