diff --git a/README.md b/README.md index 00b8621..1b82ea4 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,17 @@ # AzureRM Policy - Terraform parent module + ![Lint Terraform](https://github.com/globalbao/terraform-azurerm-policy/workflows/Lint%20Terraform/badge.svg) -* Vendor reference [https://www.terraform.io/docs/providers/azurerm/index.html](https://www.terraform.io/docs/providers/azurerm/index.html) -![ModuleLayout](https://github.com/globalbao/terraform-azurerm-policy/blob/master/images/terraform-azurepolicy-modulelayout.png?raw=true) +Get in touch :octocat: + +* Twitter: [@GitBao](https://twitter.com/gitbao) +* LinkedIn: [@JesseLoudon](https://www.linkedin.com/in/jesseloudon/) +* Web: [jloudon.com](https://jloudon.com) +* GitHub: [@JesseLoudon](https://github.com/jesseloudon) +Learning resources :books: +* [https://www.terraform.io/docs/providers/azurerm/index.html](https://www.terraform.io/docs/providers/azurerm/index.html) +* [https://docs.microsoft.com/en-us/azure/governance/policy/overview](https://docs.microsoft.com/en-us/azure/governance/policy/overview) ## Blogs that might interest you :pencil: 
@@ -19,23 +27,52 @@ * `outputs.tf` * `variables.tf` +![ModuleLayout](https://github.com/globalbao/terraform-azurerm-policy/blob/master/images/terraform-azurepolicy-modulelayout.png?raw=true) + ## Terraform resources (main.tf) -|Module | Resource Type | Resource name | Deployment Count -|:-----------------------|:------------------------------|:-------------------------------|:----- -| policy_definitions | azurerm_policy_definition | `addTagToRG` | 6 -| policy_definitions | azurerm_policy_definition | `inheritTagFromRG` | 6 -| policy_definitions | azurerm_policy_definition | `bulkInheritTagsFromRG` | 1 -| policy_definitions | azurerm_policy_definition | `auditRoleAssignmentType_user` | 1 -| policy_definitions | azurerm_policy_definition | `auditLockOnNetworking` | 1 -| policyset_definitions | azurerm_policy_set_definition | `tag_governance` | 1 -| policyset_definitions | azurerm_policy_set_definition | `iam_governance` | 1 -| policyset_definitions | azurerm_policy_set_definition | `security_governance` | 1 -| policyset_definitions | azurerm_policy_set_definition | `data_protection_governance` | 1 -| policy_assignments | azurerm_policy_assignment | `tag_governance` | 1 -| policy_assignments | azurerm_policy_assignment | `iam_governance` | 1 -| policy_assignments | azurerm_policy_assignment | `security_governance` | 1 -| policy_assignments | azurerm_policy_assignment | `data_protection_governance` | 1 +|Module | Resource Type | Resource name | Deployment Count +|:-----------------------|:------------------------------|:---------------------------------------|:----- +| policy_definitions | azurerm_policy_definition | `addTagToRG` | 6 +| policy_definitions | azurerm_policy_definition | `inheritTagFromRG` | 6 +| policy_definitions | azurerm_policy_definition | `inheritTagFromRGOverwriteExisting` | 6 +| policy_definitions | azurerm_policy_definition | `bulkInheritTagsFromRG` | 1 +| policy_definitions | azurerm_policy_definition | `auditRoleAssignmentType_user` | 1 +| 
policy_definitions | azurerm_policy_definition | `appGateway_CpuUtilization` | 1 +| policy_definitions | azurerm_policy_definition | `appGateway_ClientRtt` | 1 +| policy_definitions | azurerm_policy_definition | `appGateway_UnhealthyHostcount` | 1 +| policy_definitions | azurerm_policy_definition | `appGateway_HealthyHostCount` | 1 +| policy_definitions | azurerm_policy_definition | `appGateway_FailedRequests` | 1 +| policy_definitions | azurerm_policy_definition | `appGateway_TotalRequests` | 1 +| policy_definitions | azurerm_policy_definition | `azureFirewall_Health` | 1 +| policy_definitions | azurerm_policy_definition | `sqlManagedInstances_avgCPUPercent` | 1 +| policy_definitions | azurerm_policy_definition | `loadBalancer_VipAvailability` | 1 +| policy_definitions | azurerm_policy_definition | `sqlManagedInstances_ioRequests` | 1 +| policy_definitions | azurerm_policy_definition | `websvrfarm_CpuPercentage` | 1 +| policy_definitions | azurerm_policy_definition | `websvrfarm_MemoryPercentage` | 1 +| policy_definitions | azurerm_policy_definition | `website_AverageMemoryWorkingSet` | 1 +| policy_definitions | azurerm_policy_definition | `website_AverageResponseTime` | 1 +| policy_definitions | azurerm_policy_definition | `website_CpuTime` | 1 +| policy_definitions | azurerm_policy_definition | `website_HealthCheckStatus` | 1 +| policy_definitions | azurerm_policy_definition | `website_Http5xx` | 1 +| policy_definitions | azurerm_policy_definition | `website_RequestsInApplicationQueue` | 1 +| policy_definitions | azurerm_policy_definition | `websiteSlot_AverageMemoryWorkingSet` | 1 +| policy_definitions | azurerm_policy_definition | `websiteSlot_AverageResponseTime` | 1 +| policy_definitions | azurerm_policy_definition | `websiteSlot_CpuTime` | 1 +| policy_definitions | azurerm_policy_definition | `websiteSlot_HealthCheckStatus` | 1 +| policy_definitions | azurerm_policy_definition | `websiteSlot_Http5xx` | 1 +| policy_definitions | azurerm_policy_definition | 
`websiteSlot_RequestsInApplicationQueue` | 1 +| policyset_definitions | azurerm_policy_set_definition | `monitoring_governance` | 1 +| policyset_definitions | azurerm_policy_set_definition | `tag_governance` | 1 +| policyset_definitions | azurerm_policy_set_definition | `iam_governance` | 1 +| policyset_definitions | azurerm_policy_set_definition | `security_governance` | 1 +| policyset_definitions | azurerm_policy_set_definition | `data_protection_governance` | 1 +| policy_assignments | azurerm_policy_assignment | `monitoring_governance` | 1 +| policy_assignments | azurerm_policy_assignment | `tag_governance` | 1 +| policy_assignments | azurerm_policy_assignment | `iam_governance` | 1 +| policy_assignments | azurerm_policy_assignment | `security_governance` | 1 +| policy_assignments | azurerm_policy_assignment | `data_protection_governance` | 1 + ## Terraform input variables (variables.tf) 
@@ -50,23 +87,16 @@ ## Terraform output variables (outputs.tf) -| Name | Description | Value -|:--------------------------------------------|:------------------------------------------------------------|:---------- -| `addTagToRG_policy_ids` | The policy definition ids for addTagToRG policies | ${module.policy_definitions.addTagToRG_policy_ids} -| `inheritTagFromRG_policy_ids` | The policy definition ids for inheritTagFromRG policies | ${module.policy_definitions.inheritTagFromRG_policy_ids} -| `bulkInheritTagsFromRG_policy_id` | The policy definition id for bulkInheritTagsFromRG | ${module.policy_definitions.bulkInheritTagsFromRG_policy_id} -| `auditRoleAssignmentType_user_policy_id` | The policy definition id for auditRoleAssignmentType_user | ${module.policy_definitions.auditRoleAssignmentType_user_policy_id} -| `auditLockOnNetworking_policy_id` | The policy definition id for auditLockOnNetworking | ${module.policy_definitions.auditLockOnNetworking_policy_id} -| `tag_governance_policyset_id` | The policy set definition id for tag_governance | ${module.policyset_definitions.tag_governance_policyset_id} -| `iam_governance_policyset_id` | The policy set definition id for iam_governance | ${module.policyset_definitions.iam_governance_policyset_id} -| `security_governance_policyset_id` | The policy set definition id for security_governance | ${module.policyset_definitions.security_governance_policyset_id} -| `data_protection_governance_policyset_id` | The policy set definition id for data_protection_governance | ${module.policyset_definitions.data_protection_governance_policyset_id} -| `tag_governance_assignment_id` | The policy assignment id for tag_governance | ${module.policy_assignments.tag_governance_assignment_id} -| `tag_governance_assignment_identity` | The policy assignment identity for tag_governance | ${module.policy_assignments.tag_governance_assignment_identity} -| `iam_governance_assignment_id` | The policy assignment id for iam_governance | 
${module.policy_assignments.iam_governance_assignment_id} -| `security_governance_assignment_id` | The policy assignment id for security_governance | ${module.policy_assignments.security_governance_assignment_id} -| `security_governance_assignment_identity` | The policy assignment identity for security_governance | ${module.policy_assignments.security_governance_assignment_identity} -| `data_protection_governance_assignment_id` | The policy assignment id for data_protection_governance | ${module.policy_assignments.data_protection_governance_assignment_id} +| Name | Description | Value +|:---------------|:-------------------|:---------- +| `monitoring_governance_assignment_id` | The policy assignment id for monitoring_governance | module.policy_assignments.monitoring_governance_assignment_id +| `monitoring_governance_assignment_identity` | The policy assignment identity for monitoring_governance | module.policy_assignments.monitoring_governance_assignment_identity +| `tag_governance_assignment_id` | The policy assignment id for tag_governance | module.policy_assignments.tag_governance_assignment_id +| `tag_governance_assignment_identity` | The policy assignment identity for tag_governance | module.policy_assignments.tag_governance_assignment_identity +| `iam_governance_assignment_id` | The policy assignment id for iam_governance | module.policy_assignments.iam_governance_assignment_id +| `security_governance_assignment_id` | The policy assignment id for security_governance | module.policy_assignments.security_governance_assignment_id +| `security_governance_assignment_identity` | The policy assignment identity for security_governance | module.policy_assignments.security_governance_assignment_identity +| `data_protection_governance_assignment_id` | The policy assignment id for data_protection_governance | module.policy_assignments.data_protection_governance_assignment_id ## Usage Examples 
@@ -87,7 +117,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.31.0" + version = "~> 2.33.0" } } } @@ -99,6 +129,7 @@ provider "azurerm" { module "policy_assignments" { source = "./modules/policy-assignments" + monitoring_governance_policyset_id = module.policyset_definitions.monitoring_governance_policyset_id tag_governance_policyset_id = module.policyset_definitions.tag_governance_policyset_id iam_governance_policyset_id = module.policyset_definitions.iam_governance_policyset_id security_governance_policyset_id = module.policyset_definitions.security_governance_policyset_id 
@@ -113,6 +144,84 @@ module "policy_definitions" { module "policyset_definitions" { source = "./modules/policyset-definitions" + custom_policies_monitoring_governance = [ + { + policyID = module.policy_definitions.sqlManagedInstances_ioRequests_policy_id + }, + { + policyID = module.policy_definitions.sqlManagedInstances_avgCPUPercent_policy_id + }, + { + policyID = module.policy_definitions.appGateway_FailedRequests_policy_id + }, + { + policyID = module.policy_definitions.appGateway_HealthyHostCount_policy_id + }, + { + policyID = module.policy_definitions.appGateway_UnhealthyHostcount_policy_id + }, + { + policyID = module.policy_definitions.appGateway_TotalRequests_policy_id + }, + { + policyID = module.policy_definitions.appGateway_CpuUtilization_policy_id + }, + { + policyID = module.policy_definitions.appGateway_ClientRtt_policy_id + }, + { + policyID = module.policy_definitions.websvrfarm_CpuPercentage_policy_id + }, + { + policyID = module.policy_definitions.websvrfarm_MemoryPercentage_policy_id + }, + { + policyID = module.policy_definitions.website_AverageMemoryWorkingSet_policy_id + }, + { + policyID = module.policy_definitions.website_AverageResponseTime_policy_id + }, + { + policyID = module.policy_definitions.website_CpuTime_policy_id + }, + { + policyID = module.policy_definitions.website_HealthCheckStatus_policy_id + }, + { + policyID = module.policy_definitions.website_Http5xx_policy_id + }, + { + policyID = module.policy_definitions.website_RequestsInApplicationQueue_policy_id + }, + { + policyID = module.policy_definitions.websiteSlot_AverageMemoryWorkingSet_policy_id + }, + { + policyID = module.policy_definitions.websiteSlot_AverageResponseTime_policy_id + }, + { + policyID = module.policy_definitions.websiteSlot_CpuTime_policy_id + }, + { + policyID = module.policy_definitions.websiteSlot_HealthCheckStatus_policy_id + }, + { + policyID = module.policy_definitions.websiteSlot_Http5xx_policy_id + }, + { + policyID = 
module.policy_definitions.websiteSlot_RequestsInApplicationQueue_policy_id + }, + { + policyID = module.policy_definitions.azureFirewall_Health_policy_id + }, + { + policyID = module.policy_definitions.loadBalancer_DipAvailability_policy_id + }, + { + policyID = module.policy_definitions.loadBalancer_VipAvailability_policy_id + } + ] + custom_policies_tag_governance = [ { policyID = module.policy_definitions.addTagToRG_policy_ids[0] @@ -150,6 +259,24 @@ module "policyset_definitions" { { policyID = module.policy_definitions.inheritTagFromRG_policy_ids[5] }, + { + policyID = module.policy_definitions.inheritTagFromRGOverwriteExisting_policy_ids[0] + }, + { + policyID = module.policy_definitions.inheritTagFromRGOverwriteExisting_policy_ids[1] + }, + { + policyID = module.policy_definitions.inheritTagFromRGOverwriteExisting_policy_ids[2] + }, + { + policyID = module.policy_definitions.inheritTagFromRGOverwriteExisting_policy_ids[3] + }, + { + policyID = module.policy_definitions.inheritTagFromRGOverwriteExisting_policy_ids[4] + }, + { + policyID = module.policy_definitions.inheritTagFromRGOverwriteExisting_policy_ids[5] + }, { policyID = module.policy_definitions.bulkInheritTagsFromRG_policy_id } @@ -164,6 +291,7 @@ module "policyset_definitions" { } ] } + ``` ### Terraform plan & apply diff --git a/main.tf b/main.tf index 5d6aa66..29b4f8a 100644 --- a/main.tf +++ b/main.tf @@ -3,12 +3,19 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.31.0" + version = "~> 2.33.0" } } } provider "azurerm" { +/* + skip_provider_registration = true + tenant_id = "your tenant id" + subscription_id = "your subscription id" + client_id = "your service principal appId" + client_secret = "your service principal password" +*/ features {} } diff --git a/modules/policy-assignments/README.md b/modules/policy-assignments/README.md index 5bd52be..27e600c 100644 --- a/modules/policy-assignments/README.md +++ b/modules/policy-assignments/README.md 
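Review bot: The commented-out template added inside `provider "azurerm"` in main.tf asks the reader to fill `client_secret = "your service principal password"` in the file itself, which puts a live credential into version control the moment someone uncomments it. The azurerm provider already reads ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID from the environment, so the comment could point there instead of modelling an inline secret: `# Authenticate via ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID` followed by `# (or a sensitive variable); do not place client_secret in this file.` The `provider` block itself closes with `features {}` and `}` inside the hunk, so only the comment text would change.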
@@ -1,6 +1,16 @@ # AzureRM Policy Assignments - Terraform child module -* Vendor reference [https://www.terraform.io/docs/providers/azurerm/r/policy_assignment.html](https://www.terraform.io/docs/providers/azurerm/r/policy_assignment.html) +Get in touch :octocat: + +* Twitter: [@GitBao](https://twitter.com/gitbao) +* LinkedIn: [@JesseLoudon](https://www.linkedin.com/in/jesseloudon/) +* Web: [jloudon.com](https://jloudon.com) +* GitHub: [@JesseLoudon](https://github.com/jesseloudon) + +Learning resources :books: + +* [https://www.terraform.io/docs/providers/azurerm/r/policy_assignment.html](https://www.terraform.io/docs/providers/azurerm/r/policy_assignment.html) +* [https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure) ## Terraform child module files @@ -12,6 +22,7 @@ | Resource Type | Resource name | Deployment Count |:--------------|:--------------|:---------------- +| azurerm_policy_assignment | `monitoring_governance` | 1 | azurerm_policy_assignment | `tag_governance` | 1 | azurerm_policy_assignment | `iam_governance` | 1 | azurerm_policy_assignment | `security_governance` | 1 @@ -21,6 +32,7 @@ | Name | Description | Type | Default Value |:------|:-------------|:------|:--------- +| `monitoring_governance_policyset_id` | The policy set definition id for monitoring_governance | `string` | null | `tag_governance_policyset_id` | The policy set definition id for tag_governance | `string` | null | `iam_governance_policyset_id` | The policy set definition id for iam_governance | `string` | null | `security_governance_policyset_id` | The policy set definition id for security_governance | `string` | null 
@@ -30,9 +42,11 @@ | Name | Description | Value |:-------|:-----------|:---------- -| `tag_governance_assignment_id` | The policy assignment id for tag_governance | ${azurerm_policy_assignment.tag_governance.id} -| `tag_governance_assignment_identity` | The policy assignment identity for tag_governance | ${azurerm_policy_assignment.tag_governance.identity} -| `iam_governance_assignment_id` | The policy assignment id for iam_governance | ${azurerm_policy_assignment.iam_governance.id} -| `security_governance_assignment_id` | The policy assignment id for security_governance | ${azurerm_policy_assignment.security_governance.id} -| `security_governance_assignment_identity` | The policy assignment identity for security_governance | ${azurerm_policy_assignment.security_governance.identity} -| `data_protection_governance_assignment_id` | The policy assignment id for data_protection_governance | ${azurerm_policy_assignment.data_protection_governance.id} +| `monitoring_governance_assignment_id` | The policy assignment id for monitoring_governance | azurerm_policy_assignment.monitoring_governance.id +| `monitoring_governance_assignment_identity` | The policy assignment identity for monitoring_governance | azurerm_policy_assignment.monitoring_governance.identity +| `tag_governance_assignment_id` | The policy assignment id for tag_governance | azurerm_policy_assignment.tag_governance.id +| `tag_governance_assignment_identity` | The policy assignment identity for tag_governance | azurerm_policy_assignment.tag_governance.identity +| `iam_governance_assignment_id` | The policy assignment id for iam_governance | azurerm_policy_assignment.iam_governance.id +| `security_governance_assignment_id` | The policy assignment id for security_governance | azurerm_policy_assignment.security_governance.id +| `security_governance_assignment_identity` | The policy assignment identity for security_governance | azurerm_policy_assignment.security_governance.identity +| 
`data_protection_governance_assignment_id` | The policy assignment id for data_protection_governance | azurerm_policy_assignment.data_protection_governance.id diff --git a/modules/policy-definitions/README.md b/modules/policy-definitions/README.md index 1ae85e8..cf1e7b5 100644 --- a/modules/policy-definitions/README.md +++ b/modules/policy-definitions/README.md @@ -1,6 +1,16 @@ # AzureRM Policy Definitions - Terraform child module -* Vendor reference [https://www.terraform.io/docs/providers/azurerm/r/policy_definition.html](https://www.terraform.io/docs/providers/azurerm/r/policy_definition.html) +Get in touch :octocat: + +* Twitter: [@GitBao](https://twitter.com/gitbao) +* LinkedIn: [@JesseLoudon](https://www.linkedin.com/in/jesseloudon/) +* Web: [jloudon.com](https://jloudon.com) +* GitHub: [@JesseLoudon](https://github.com/jesseloudon) + +Learning resources :books: + +* [https://www.terraform.io/docs/providers/azurerm/r/policy_definition.html](https://www.terraform.io/docs/providers/azurerm/r/policy_definition.html) +* [https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure) ## Terraform child module files 
@@ -10,28 +20,80 @@ ## Terraform resources (main.tf) -| Resource Type | Resource name | Deployment Count -|:--------------------------|:-------------------------------|:---------------- -| azurerm_policy_definition | `addTagToRG` | 6 -| azurerm_policy_definition | `inheritTagFromRG` | 6 -| azurerm_policy_definition | `bulkInheritTagsFromRG` | 1 -| azurerm_policy_definition | `auditRoleAssignmentType_user` | 1 -| azurerm_policy_definition | `auditLockOnNetworking` | 1 +| Resource Type | Resource name | Deployment Count +|:--------------------------|:-------------------------------------------|:------ +| azurerm_policy_definition | `addTagToRG` | 6 +| azurerm_policy_definition | `inheritTagFromRG` | 6 +| azurerm_policy_definition | `inheritTagFromRGOverwriteExisting` | 6 +| azurerm_policy_definition | `bulkInheritTagsFromRG` | 1 +| azurerm_policy_definition | `auditRoleAssignmentType_user` | 1 +| azurerm_policy_definition | `appGateway_CpuUtilization` | 1 +| azurerm_policy_definition | `appGateway_ClientRtt` | 1 +| azurerm_policy_definition | `appGateway_UnhealthyHostcount` | 1 +| azurerm_policy_definition | `appGateway_HealthyHostCount` | 1 +| azurerm_policy_definition | `appGateway_FailedRequests` | 1 +| azurerm_policy_definition | `appGateway_TotalRequests` | 1 +| azurerm_policy_definition | `azureFirewall_Health` | 1 +| azurerm_policy_definition | `sqlManagedInstances_avgCPUPercent` | 1 +| azurerm_policy_definition | `loadBalancer_VipAvailability` | 1 +| azurerm_policy_definition | `sqlManagedInstances_ioRequests` | 1 +| azurerm_policy_definition | `websvrfarm_CpuPercentage` | 1 +| azurerm_policy_definition | `websvrfarm_MemoryPercentage` | 1 +| azurerm_policy_definition | `website_AverageMemoryWorkingSet` | 1 +| azurerm_policy_definition | `website_AverageResponseTime` | 1 +| azurerm_policy_definition | `website_CpuTime` | 1 +| azurerm_policy_definition | `website_HealthCheckStatus` | 1 +| azurerm_policy_definition | `website_Http5xx` | 1 +| 
azurerm_policy_definition | `website_RequestsInApplicationQueue` | 1 +| azurerm_policy_definition | `websiteSlot_AverageMemoryWorkingSet` | 1 +| azurerm_policy_definition | `websiteSlot_AverageResponseTime` | 1 +| azurerm_policy_definition | `websiteSlot_CpuTime` | 1 +| azurerm_policy_definition | `websiteSlot_HealthCheckStatus` | 1 +| azurerm_policy_definition | `websiteSlot_Http5xx` | 1 +| azurerm_policy_definition | `websiteSlot_RequestsInApplicationQueue` | 1 ## Terraform input variables (variables.tf) | Name | Description | Type | Default Value |:----------------|:------------|:-----|:--------- -| `mandatory_tag_keys`| List of mandatory tag keys used by policies 'addTagToRG','inheritTagFromRG','bulkAddTagsToRG','bulkInheritTagsFromRG' | `list` | "Application", "CostCentre", "Environment", "ManagedBy", "OwnedBy", "SupportBy" -| `mandatory_tag_value` | Tag value to include with the mandatory tag keys used by policies 'addTagToRG','inheritTagFromRG','bulkAddTagsToRG','bulkInheritTagsFromRG' | `string` | "TBC" +| `mandatory_tag_keys`| List of mandatory tag keys used by policies 'addTagToRG','inheritTagFromRG','bulkInheritTagsFromRG' | `list` | "Application", "CostCentre", "Environment", "ManagedBy", "Owner", "Support" +| `mandatory_tag_value` | Tag value to include with the mandatory tag keys used by policies 'addTagToRG','inheritTagFromRG','bulkInheritTagsFromRG' | `string` | "TBC" | `policy_definition_category` | The category to use for all Policy Definitions | `string` | "Custom" +| `azure_monitor_action_group_name` | The name of the Azure Monitor Action Group | `string` | "AlertOperationsGroup" +| `azure_monitor_action_group_rg_name` | Resource Group containing the Azure Monitor Action Group | `string` | "AzMonitorAlertGroups" ## Terraform output variables (outputs.tf) -| Name | Description | Value -|:-------|:-----------|:---------- -| `addTagToRG_policy_ids` | The policy definition ids for addTagToRG policies | ${azurerm_policy_definition.addTagToRG.*.id} -| 
`inheritTagFromRG_policy_ids` | The policy definition ids for inheritTagFromRG policies | ${azurerm_policy_definition.inheritTagFromRG.*.id} -| `bulkInheritTagsFromRG_policy_id` | The policy definition id for bulkInheritTagsFromRG | ${azurerm_policy_definition.bulkInheritTagsFromRG.id} -| `auditRoleAssignmentType_user_policy_id` | The policy definition id for auditRoleAssignmentType_user | ${azurerm_policy_definition.auditRoleAssignmentType_user.id} -| `auditLockOnNetworking_policy_id` | The policy definition id for auditLockOnNetworking | ${azurerm_policy_definition.auditLockOnNetworking.id} +| Name | Description | Value +|:-------------------------|:------------------------|:---------- +| `addTagToRG_policy_ids` | The policy definition ids for addTagToRG policies | azurerm_policy_definition.addTagToRG.*.id +| `inheritTagFromRG_policy_ids` | The policy definition ids for inheritTagFromRG policies | azurerm_policy_definition.inheritTagFromRG.*.id +| `inheritTagFromRGOverwriteExisting_policy_ids` | The policy definition ids for inheritTagFromRGOverwriteExisting policies | azurerm_policy_definition.inheritTagFromRGOverwriteExisting.*.id +| `bulkInheritTagsFromRG_policy_id` | The policy definition id for bulkInheritTagsFromRG | azurerm_policy_definition.bulkInheritTagsFromRG.id +| `auditRoleAssignmentType_user_policy_id` | The policy definition id for auditRoleAssignmentType_user | azurerm_policy_definition.auditRoleAssignmentType_user.id +| `auditLockOnNetworking_policy_id` | The policy definition id for auditLockOnNetworking | azurerm_policy_definition.auditLockOnNetworking.id +| `sqlManagedInstances_ioRequests_policy_id` | The policy definition id for sqlManagedInstances_ioRequests | azurerm_policy_definition.sqlManagedInstances_ioRequests.id +| `sqlManagedInstances_avgCPUPercent_policy_id` | The policy definition id for sqlManagedInstances_avgCPUPercent | azurerm_policy_definition.sqlManagedInstances_avgCPUPercent.id +| `appGateway_HealthyHostCount_policy_id` | 
The policy definition id for appGateway_HealthyHostCount | azurerm_policy_definition.appGateway_HealthyHostCount.id +| `appGateway_UnhealthyHostCount_policy_id` | The policy definition id for appGateway_UnhealthyHostCount | azurerm_policy_definition.appGateway_UnhealthyHostCount.id +| `appGateway_FailedRequests_policy_id` | The policy definition id for appGateway_FailedRequests | azurerm_policy_definition.appGateway_FailedRequests.id +| `appGateway_TotalRequests_policy_id` | The policy definition id for appGateway_TotalRequests | azurerm_policy_definition.appGateway_TotalRequests.id +| `appGateway_ClientRtt_policy_id` | The policy definition id for appGateway_ClientRtt | azurerm_policy_definition.appGateway_ClientRtt.id +| `appGateway_CpuUtilization_policy_id` | The policy definition id for appGateway_CpuUtilization | azurerm_policy_definition.appGateway_CpuUtilization.id +| `websvrfarm_CpuPercentage_policy_id` | The policy definition id for websvrfarm_CpuPercentage | azurerm_policy_definition.websvrfarm_CpuPercentage.id +| `websvrfarm_MemoryPercentage_policy_id` | The policy definition id for websvrfarm_MemoryPercentage | azurerm_policy_definition.websvrfarm_MemoryPercentage.id +| `website_AverageMemoryWorkingSet_policy_id` | The policy definition id for website_AverageMemoryWorkingSet | azurerm_policy_definition.website_AverageMemoryWorkingSet.id +| `website_AverageResponseTime_policy_id` | The policy definition id for website_AverageResponseTime | azurerm_policy_definition.website_AverageResponseTime.id +| `website_CpuTime_policy_id` | The policy definition id for website_CpuTime | azurerm_policy_definition.website_CpuTime.id +| `website_HealthCheckStatus_policy_id` | The policy definition id for website_HealthCheckStatus | azurerm_policy_definition.website_HealthCheckStatus.id +| `website_Http5xx_policy_id` | The policy definition id for website_Http5xx| azurerm_policy_definition.website_Http5xx.id +| `website_RequestsInApplicationQueue_policy_id` | The policy 
definition id for website_RequestsInApplicationQueue | azurerm_policy_definition.website_RequestsInApplicationQueue.id +| `websiteSlot_AverageMemoryWorkingSet_policy_id` | The policy definition id for websiteSlot_AverageMemoryWorkingSet | azurerm_policy_definition.websiteSlot_AverageMemoryWorkingSet.id +| `websiteSlot_AverageResponseTime_policy_id` | The policy definition id for websiteSlot_AverageResponseTime | azurerm_policy_definition.websiteSlot_AverageResponseTime.id +| `websiteSlot_CpuTime_policy_id` | The policy definition id for websiteSlot_CpuTime | azurerm_policy_definition.websiteSlot_CpuTimet.id +| `websiteSlot_HealthCheckStatus_policy_id` | The policy definition id for websiteSlot_HealthCheckStatus | azurerm_policy_definition.websiteSlot_HealthCheckStatus.id +| `websiteSlot_Http5xx_policy_id` | The policy definition id for websiteSlot_Http5xx| azurerm_policy_definition.websiteSlot_Http5xx.id +| `websiteSlot_RequestsInApplicationQueue_policy_id` | The policy definition id for websiteSlot_RequestsInApplicationQueue| azurerm_policy_definition.websiteSlot_RequestsInApplicationQueue.id +| `azureFirewall_Health_policy_id` | The policy definition id for azureFirewall_Health | azurerm_policy_definition.azureFirewall_Health.id +| `loadBalancer_DipAvailability_policy_id` | The policy definition id for loadBalancer_DipAvailability | azurerm_policy_definition.loadBalancer_DipAvailability.id +| `loadBalancer_VipAvailability_policy_id` | The policy definition id for loadBalancer_VipAvailability | azurerm_policy_definition.loadBalancer_VipAvailability.id diff --git a/modules/policy-definitions/main.tf b/modules/policy-definitions/main.tf index 58e2f0c..60c3c20 100644 --- a/modules/policy-definitions/main.tf +++ b/modules/policy-definitions/main.tf 
@@ -663,10 +663,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -842,10 +842,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -1017,10 +1017,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -1192,10 +1192,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -1367,10 +1367,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -1542,10 +1542,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
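Review bot: The new lines `"value": "${var.azure_monitor_action_group_name}"` and `"value": "${var.azure_monitor_action_group_rg_name}"` splice the variable values straight into the quoted JSON inside the heredoc, so a value containing a double quote or backslash yields malformed JSON or alters the document's structure rather than being rejected; the same pattern is repeated in every other hunk of modules/policy-definitions/main.tf in this commit. Emitting the value through `jsonencode` keeps it a single JSON string whatever characters it holds: `"value": ${jsonencode(var.azure_monitor_action_group_name)}` and `"value": ${jsonencode(var.azure_monitor_action_group_rg_name)}`. A `validation` block on the two variables in the module's variables.tf (not part of this diff) would additionally reject names that are not valid Azure action-group or resource-group names before plan time. The heredoc and the resource that contains it begin and end outside the hunk.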
@@ -1724,10 +1724,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -1917,10 +1917,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -2102,10 +2102,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -2268,10 +2268,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -2433,10 +2433,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -2608,10 +2608,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -2783,10 +2783,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -2958,10 +2958,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -3133,10 +3133,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -3308,10 +3308,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -3483,10 +3483,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -3658,10 +3658,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -3833,10 +3833,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -4008,10 +4008,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -4183,10 +4183,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -4358,10 +4358,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -4533,10 +4533,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -4708,10 +4708,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
@@ -4883,10 +4883,10 @@ METADATA
 "value": "[field('location')]"
 },
 "actionGroupName": {
- "value": "AlertOperationsGroup"
+ "value": "${var.azure_monitor_action_group_name}"
 },
 "actionGroupRG": {
- "value": "AzMonitorAlertGroups"
+ "value": "${var.azure_monitor_action_group_rg_name}"
 }
 }
 }
diff --git a/modules/policy-definitions/variables.tf b/modules/policy-definitions/variables.tf
index 4406736..8f12578 100644
--- a/modules/policy-definitions/variables.tf
+++ b/modules/policy-definitions/variables.tf
@@ -22,4 +22,16 @@ variable "policy_definition_category" {
 type = string
 description = "The category to use for all Policy Definitions"
 default = "Custom"
+}
+
+variable "azure_monitor_action_group_name" {
+ type = string
+ description = "The name of the Azure Monitor Action Group"
+ default = "AlertOperationsGroup"
+}
+
+variable "azure_monitor_action_group_rg_name" {
+ type = string
+ description = "Resource Group containing the Azure Monitor Action Group"
+ default = "AzMonitorAlertGroups"
 }
\ No newline at end of file
diff --git a/modules/policyset-definitions/README.md b/modules/policyset-definitions/README.md
index 0a2e9aa..19b5a0d 100644
--- a/modules/policyset-definitions/README.md
+++ b/modules/policyset-definitions/README.md
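Review bot: The two new variables in modules/policy-definitions/variables.tf are consumed unescaped inside JSON parameter heredocs, yet their declarations accept any string; a `validation` block (Terraform 0.13+) rejecting characters that cannot appear in an Azure resource-group or action-group name turns a malformed policy document at apply time into an early, readable plan error. The pattern below is a constructed example, tighten it to your naming standard. The file also still ends without a trailing newline (`\ No newline at end of file`), and the second description would read more consistently with the first as `"The name of the Resource Group containing the Azure Monitor Action Group"`.

```hcl
variable "azure_monitor_action_group_name" {
  type        = string
  description = "The name of the Azure Monitor Action Group"
  default     = "AlertOperationsGroup"

  validation {
    # Keeps the value safe to splice into the JSON parameter heredocs (constructed pattern).
    condition     = can(regex("^[A-Za-z0-9_.()-]+$", var.azure_monitor_action_group_name))
    error_message = "azure_monitor_action_group_name may only contain letters, digits, '_', '-', '.', '(' and ')'."
  }
}

# … same validation block, with its own variable name, for azure_monitor_action_group_rg_name …
```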
@@ -1,6 +1,16 @@ # AzureRM PolicySet Definitions - Terraform child module -* Vendor reference [https://www.terraform.io/docs/providers/azurerm/r/policy_set_definition.html](https://www.terraform.io/docs/providers/azurerm/r/policy_set_definition.html) +Get in touch :octocat: + +* Twitter: [@GitBao](https://twitter.com/gitbao) +* LinkedIn: [@JesseLoudon](https://www.linkedin.com/in/jesseloudon/) +* Web: [jloudon.com](https://jloudon.com) +* GitHub: [@JesseLoudon](https://github.com/jesseloudon) + +Learning resources :books: + +* [https://www.terraform.io/docs/providers/azurerm/r/policy_set_definition.html](https://www.terraform.io/docs/providers/azurerm/r/policy_set_definition.html) +* [https://docs.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure) ## Module files @@ -12,6 +22,7 @@ | Resource Type | Resource name | Deployment Count |:--------------|:--------------|:---------------- +| azurerm_policy_set_definition | `monitoring_governance` | 1 | azurerm_policy_set_definition | `tag_governance` | 1 | azurerm_policy_set_definition | `iam_governance` | 1 | azurerm_policy_set_definition | `security_governance` | 1 
@@ -22,17 +33,19 @@ | Name | Description | Type | Default Value |:------|:-------------|:------|:--------- | `policyset_definition_category` | The category to use for all PolicySet definitions | `string` | "Custom" -| `custom_policies_tag_governance` | The policy definition id '0' from the 'addTagToRG_policy_ids' output | `list(map(string))` | null -| `custom_policies_iam_governance` | The policy definition id '1' from the 'addTagToRG_policy_ids' output | `list(map(string))` | null +| `custom_policies_monitoring_governance` | List of custom policy definitions for the monitoring_governance policyset| `list(map(string))` | null +| `custom_policies_tag_governance` | List of custom policy definitions for the tag_governance policyset | `list(map(string))` | null +| `custom_policies_iam_governance` | List of custom policy definitions for the iam_governance policyset | `list(map(string))` | null | `builtin_policies_iam_governance` | List of policy definitions (display names) for the iam_governance policyset | `list` |"Audit usage of custom RBAC rules","Custom subscription owner roles should not exist","Deprecated accounts should be removed from your subscription","Deprecated accounts with owner permissions should be removed from your subscription","External accounts with write permissions should be removed from your subscription","External accounts with read permissions should be removed from your subscription","External accounts with owner permissions should be removed from your subscription","MFA should be enabled accounts with write permissions on your subscription","MFA should be enabled on accounts with owner permissions on your subscription","MFA should be enabled on accounts with read permissions on your subscription","There should be more than one owner assigned to your subscription" -| `builtin_policies_security_governance` | List of policy definitions (display names) for the security_governance policyset | `list` | "Internet-facing virtual machines should be 
protected with Network Security Groups","Subnets should be associated with a Network Security Group","Gateway subnets should not be configured with a network security group","Storage accounts should restrict network access","Secure transfer to storage accounts should be enabled","Access through Internet facing endpoint should be restricted","Storage accounts should allow access from trusted Microsoft services","RDP access from the Internet should be blocked","SSH access from the Internet should be blocked","Disk encryption should be applied on virtual machines","Automation account variables should be encrypted","Azure subscriptions should have a log profile for Activity Log","Email notification to subscription owner for high severity alerts should be enabled","A security contact email address should be provided for your subscription","Enable Azure Security Center on your subscription" +| `builtin_policies_security_governance` | List of policy definitions (display names) for the security_governance policyset | `list` | "Internet-facing virtual machines should be protected with Network Security Groups","Subnets should be associated with a Network Security Group","Gateway subnets should not be configured with a network security group","Storage accounts should restrict network access","Secure transfer to storage accounts should be enabled","Storage accounts should allow access from trusted Microsoft services","RDP access from the Internet should be blocked","SSH access from the Internet should be blocked","Disk encryption should be applied on virtual machines","Automation account variables should be encrypted","Azure subscriptions should have a log profile for Activity Log","Email notification to subscription owner for high severity alerts should be enabled","A security contact email address should be provided for your subscription","Enable Azure Security Center on your subscription" | `builtin_policies_data_protection_governance` | List of policy definitions (display 
names) for the data_protection_governance policyset | `list` | "Azure Backup should be enabled for Virtual Machines","Long-term geo-redundant backup should be enabled for Azure SQL Databases","Audit virtual machines without disaster recovery configured","Key Vault objects should be recoverable" ## Output variables (outputs.tf) | Name | Description | Value |:-------|:-----------|:---------- -| `tag_governance_policyset_id` | The policy set definition id for tag_governance | ${azurerm_policy_set_definition.tag_governance.id} -| `iam_governance_policyset_id` | The policy set definition id for iam_governance | ${azurerm_policy_set_definition.iam_governance.id} -| `security_governance_policyset_id` | The policy set definition id for security_governance | ${azurerm_policy_set_definition.security_governance.id} -| `data_protection_governance_policyset_id` | The policy set definition id for data_protection_governance | ${azurerm_policy_set_definition.data_protection_governance.id} +| `monitoring_governance_policyset_id` | The policy set definition id for monitoring_governance | azurerm_policy_set_definition.monitoring_governance.id +| `tag_governance_policyset_id` | The policy set definition id for tag_governance | azurerm_policy_set_definition.tag_governance.id +| `iam_governance_policyset_id` | The policy set definition id for iam_governance | azurerm_policy_set_definition.iam_governance.id +| `security_governance_policyset_id` | The policy set definition id for security_governance | azurerm_policy_set_definition.security_governance.id +| `data_protection_governance_policyset_id` | The policy set definition id for data_protection_governance | azurerm_policy_set_definition.data_protection_governance.id diff --git a/modules/policyset-definitions/variables.tf b/modules/policyset-definitions/variables.tf index d63601a..1ae2fff 100644 --- a/modules/policyset-definitions/variables.tf +++ b/modules/policyset-definitions/variables.tf 
@@ -5,15 +5,21 @@ variable "policyset_definition_category" { } variable "custom_policies_monitoring_governance" { - type = list(map(string)) + type = list(map(string)) + description = "List of custom policy definitions for the monitoring_governance policyset" + default = [] } variable "custom_policies_tag_governance" { - type = list(map(string)) + type = list(map(string)) + description = "List of custom policy definitions for the tag_governance policyset" + default = [] } variable "custom_policies_iam_governance" { - type = list(map(string)) + type = list(map(string)) + description = "List of custom policy definitions for the iam_governance policyset" + default = [] } variable "builtin_policies_iam_governance" { diff --git a/outputs.tf b/outputs.tf index 8021919..034a290 100644 --- a/outputs.tf +++ b/outputs.tf 
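Review bot: `default = []` on the three `custom_policies_*` variables makes them optional, but the README table in the hunk above still lists their default as `null`; one of the two should be corrected so callers are not misled. The more important consequence is behavioural: a root module that forgets to pass, say, `custom_policies_monitoring_governance` will, if the policy set iterates over this list, silently produce an initiative that contains none of the intended custom controls and looks successfully deployed. If that is not acceptable, leave the variables required (no `default`) or add a `validation { condition = length(var.custom_policies_monitoring_governance) > 0 ... }` guard, and document the chosen behaviour in each `description`.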
@@ -1,46 +1,11 @@ -output "addTagToRG_policy_ids" { - value = module.policy_definitions.addTagToRG_policy_ids - description = "The policy definition ids for addTagToRG policies" +output "monitoring_governance_assignment_id" { + value = module.policy_assignments.monitoring_governance_assignment_id + description = "The policy assignment id for monitoring_governance" } -output "inheritTagFromRG_policy_ids" { - value = module.policy_definitions.inheritTagFromRG_policy_ids - description = "The policy definition ids for inheritTagFromRG policies" -} - -output "bulkInheritTagsFromRG_policy_id" { - value = module.policy_definitions.bulkInheritTagsFromRG_policy_id - description = "The policy definition id for bulkInheritTagsFromRG" -} - -output "auditRoleAssignmentType_user_policy_id" { - value = module.policy_definitions.auditRoleAssignmentType_user_policy_id - description = "The policy definition id for auditRoleAssignmentType_user" -} - -output "auditLockOnNetworking_policy_id" { - value = module.policy_definitions.auditLockOnNetworking_policy_id - description = "The policy definition id for auditLockOnNetworking" -} - -output "tag_governance_policyset_id" { - value = module.policyset_definitions.tag_governance_policyset_id - description = "The policy set definition id for tag_governance" -} - -output "iam_governance_policyset_id" { - value = module.policyset_definitions.iam_governance_policyset_id - description = "The policy set definition id for iam_governance" -} - -output "security_governance_policyset_id" { - value = module.policyset_definitions.security_governance_policyset_id - description = "The policy set definition id for security_governance" -} - -output "data_protection_governance_policyset_id" { - value = module.policyset_definitions.data_protection_governance_policyset_id - description = "The policy set definition id for data_protection_governance" +output "monitoring_governance_assignment_identity" { + value = 
module.policy_assignments.monitoring_governance_assignment_identity + description = "The policy assignment identity for monitoring_governance" } output "tag_governance_assignment_id" { diff --git a/variables.tf b/variables.tf index 0511b11..8797591 100644 --- a/variables.tf +++ b/variables.tf @@ -1,19 +1,23 @@ -#variable "subscription_id" { -# type = string -# description = "Your Azure Subscription ID" -#} +/* -#variable "client_id" { -# type = string -# description = "Your Azure Service Principal appId" -#} +variable "subscription_id" { + type = string + description = "Your Azure Subscription ID" +} -#variable "client_secret" { -# type = string -# description = "Your Azure Service Principal Password" -#} +variable "client_id" { + type = string + description = "Your Azure Service Principal appId" +} -#variable "tenant_id" { -# type = string -# description = "Your Azure Tenant ID" -#} +variable "client_secret" { + type = string + description = "Your Azure Service Principal Password" +} + +variable "tenant_id" { + type = string + description = "Your Azure Tenant ID" +} + +*/
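Review bot: Deleting the nine `*_policy_id`, `*_policy_ids` and `*_policyset_id` outputs from outputs.tf is a breaking change for any root configuration that reads them from this module, and nothing in the commit calls it out. Either keep them alongside the new `monitoring_governance_assignment_*` outputs, or state the removal in the README/changelog so consumers can plan the upgrade. The `monitoring_governance_assignment_identity` output presumably exposes the assignment's managed-identity block; a `description` naming which fields (principal/tenant id) it carries would help consumers wiring role assignments to it. The hunk continues into `output "tag_governance_assignment_id"`, whose block ends outside the hunk.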
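Review bot: The block-commented `client_secret` variable in variables.tf, if ever re-enabled, would expose the service-principal password in plan output and state because it lacks `sensitive = true` (Terraform 0.14+). Since the azurerm provider already reads these credentials from `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID`, deleting the dead block is preferable to carrying commented-out credential plumbing; if it is kept, add `sensitive = true` inside the commented `client_secret` declaration so it is not forgotten when the block is uncommented.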