# Custom Azure Policy definition: flags any resource whose "location" is not in
# the allowedLocations parameter supplied at assignment time.
# The effect is "audit", so non-compliant resources are only reported in
# compliance results, never blocked; a "deny" effect would reject deployments
# outside the allowed regions.
resource "azurerm_policy_definition" "policy-res" {
  name         = "terragoat-policy-${var.environment}"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "acceptance test policy definition"

  metadata = jsonencode({
    category = "Security Center"
  })

  # Rule: audit when the resource location is NOT one of the allowed values.
  policy_rule = jsonencode({
    "if" = {
      "not" = {
        field = "location"
        "in"  = "[parameters('allowedLocations')]"
      }
    }
    "then" = {
      effect = "audit"
    }
  })

  # The allowed region list is a parameter; the assignment provides its value.
  parameters = jsonencode({
    allowedLocations = {
      type = "Array"
      metadata = {
        description = "The list of allowed locations for resources."
        displayName = "Allowed locations"
        strongType  = "location"
      }
    }
  })
}
# Assigns the custom location policy across the entire current subscription,
# restricting allowedLocations to a single region ("East US").
# NOTE(review): newer azurerm provider releases replace azurerm_policy_assignment
# with scope-specific resources such as azurerm_subscription_policy_assignment —
# worth confirming against the pinned provider version before upgrading.
resource "azurerm_policy_assignment" "example" {
  name = "terragoat-policy-assignment-${var.environment}"

  # Subscription-wide scope: every resource in the subscription is evaluated.
  scope = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"

  policy_definition_id = azurerm_policy_definition.policy-res.id
  description          = "Policy Assignment created via an Acceptance Test"
  display_name         = "My Example Policy Assignment"

  # Value for the definition's allowedLocations parameter.
  parameters = jsonencode({
    allowedLocations = {
      value = ["East US"]
    }
  })
}