```powershell
# Role assignments whose principal has been deleted come back with ObjectType "Unknown":
# the assignment outlives the user, group or service principal it was granted to, so
# these are orphaned grants that should be reviewed and removed.
$OBJTYPE = "Unknown"
Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq $OBJTYPE }
```
```hcl
resource "azurerm_policy_definition" "auditRoleAssignmentType_user" {
  name         = "auditRoleAssignmentType_user"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Audit user role assignments"
  description  = "This policy checks for any Role Assignments of Type [User] - useful to catch individual IAM assignments to resources/RGs which are out of compliance with the RBAC standards e.g. using Groups for RBAC."

  metadata = jsonencode({ category = var.policy_definition_category })

  # Flag any role assignment granted directly to a user principal instead of a group
  policy_rule = jsonencode({
    if = { allOf = [
      { field = "type", equals = "Microsoft.Authorization/roleAssignments" },
      { field = "Microsoft.Authorization/roleAssignments/principalType", equals = "User" },
    ] }
    then = { effect = "audit" }
  })
}
```
```hcl
provider "azurerm" {
  features {}
}

variable "policy_definition_category" {
  type        = string
  description = "The category to use for all Policy Definitions"
  default     = "Custom"
}
```
```powershell
# PowerShell (Az module): -Policy accepts a file path, URI or JSON string holding the policy rule
New-AzPolicyDefinition `
  -Name 'AuditStorageAccounts' `
  -DisplayName 'Audit Storage Accounts Open to Public Networks' `
  -Policy 'AuditStorageAccounts.json'

# ARMClient: the request body is the full definition envelope ({"properties": {...}}), not just the rule
armclient PUT "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/AuditStorageAccounts?api-version=2019-09-01" @<path to policy definition JSON file>

# Azure CLI: the equivalent create call, --rules pointing at the same rule file
az policy definition create `
  --name 'AuditStorageAccounts' `
  --display-name 'Audit Storage Accounts Open to Public Networks' `
  --rules 'AuditStorageAccounts.json'
```
```shell
terraform fmt -recursive   # normalise formatting before review
terraform init             # fetch providers; validate needs an initialised working directory
terraform validate
terraform plan
terraform apply
terraform destroy
```
```shell
az login
az account list
# select the subscription the policy definitions will be deployed into
az account set --subscription="XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
```
```hcl
variable "mandatory_tag_keys" {
  type        = list(string)
  description = "List of mandatory tag keys used by policies 'addTagToRG','inheritTagFromRG','bulkAddTagsToRG','bulkInheritTagsFromRG'"
  default = [
    "Application",
    "CostCentre",
    "Environment",
    "ManagedBy",
    "OwnedBy",
    "SupportBy"
  ]
}
```
```hcl
resource "azurerm_policy_definition" "addTagToRG" {
  # one definition per mandatory tag key
  count = length(var.mandatory_tag_keys)

  name         = "addTagToRG_${var.mandatory_tag_keys[count.index]}"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Add tag ${var.mandatory_tag_keys[count.index]} to resource group"
  description  = "Adds the mandatory tag key ${var.mandatory_tag_keys[count.index]} when any resource group missing this tag is created or updated.\nExisting resource groups can be remediated by triggering a remediation task.\nIf the tag exists with a different value it will not be changed."

  metadata = jsonencode({
    category = var.policy_definition_category
    version  = "1.0.0"
  })

  # modify only fires when the tag is absent, so an existing value is never overwritten; the role
  # in roleDefinitionIds (Contributor, as in the built-in tag policy) must also be granted to the
  # assignment's managed identity or remediation tasks will fail.
  policy_rule = jsonencode({
    if = { allOf = [
      { field = "type", equals = "Microsoft.Resources/subscriptions/resourceGroups" },
      { field = "tags['${var.mandatory_tag_keys[count.index]}']", exists = "false" },
    ] }
    then = { effect = "modify", details = {
      roleDefinitionIds = ["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"]
      operations        = [{ operation = "add", field = "tags['${var.mandatory_tag_keys[count.index]}']", value = "[parameters('tagValue')]" }]
    } }
  })

  parameters = jsonencode({
    tagValue = { type = "String", metadata = { displayName = "Tag value", description = "Value written when the tag is missing" } }
  })
}
```
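A modify effect such as the one addTagToRG relies on cannot write anything by itself: it acts through a managed identity on the policy assignment, and that identity must hold the role the rule's roleDefinitionIds names before a remediation task will succeed. The assignment below is an added example, not code from the original page. It assumes azurerm provider 3.x resource names, subscription scope, that the addTagToRG definitions accept a tagValue string parameter, and it introduces two hypothetical variables, location (for the identity's region) and mandatory_tag_values (the value written per tag key), which are not on the original page.

```hcl
# Added example (not from the original page): assign every addTagToRG definition at
# subscription scope with a system-assigned identity, then grant that identity the role
# the modify effect needs. Assumes azurerm 3.x, a tagValue parameter on the definition,
# and the two hypothetical variables declared here.

data "azurerm_subscription" "current" {}

variable "location" {
  type        = string
  description = "Region for the assignment's managed identity (hypothetical, introduced for this example)"
  default     = "uksouth"
}

variable "mandatory_tag_values" {
  type        = map(string)
  description = "Value written for each key in mandatory_tag_keys when the tag is missing (hypothetical)"
  default = {
    Application = "unknown"
    CostCentre  = "unknown"
    Environment = "unknown"
    ManagedBy   = "unknown"
    OwnedBy     = "unknown"
    SupportBy   = "unknown"
  }
}

resource "azurerm_subscription_policy_assignment" "addTagToRG" {
  count = length(var.mandatory_tag_keys)

  name                 = "addTagToRG_${var.mandatory_tag_keys[count.index]}"
  display_name         = "Add tag ${var.mandatory_tag_keys[count.index]} to resource groups"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.addTagToRG[count.index].id

  # modify and deployIfNotExists effects run as this identity; location is required once
  # an identity block is present.
  location = var.location
  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    tagValue = { value = var.mandatory_tag_values[var.mandatory_tag_keys[count.index]] }
  })
}

# Grant exactly the role the definition's roleDefinitionIds lists, at the assignment's scope,
# to the assignment's own identity. Contributor is broad; if you maintain a custom role limited
# to tag writes, reference it both in roleDefinitionIds and here.
resource "azurerm_role_assignment" "addTagToRG_remediation" {
  count = length(var.mandatory_tag_keys)

  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_subscription_policy_assignment.addTagToRG[count.index].identity[0].principal_id

  # the identity is created in the same apply; skip the AAD lookup that races its replication
  skip_service_principal_aad_check = true
}
```

After apply, the next compliance evaluation marks untagged resource groups non-compliant; existing ones are only changed when a remediation task is created for the assignment (for example with az policy remediation create), which is the step the definition's description refers to.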