Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of creating a policy assignment to identify virtual machines that are not using managed disks.
When assigning a built-in policy or initiative definition, it's optional to reference a version. Policy assignments of built-in definitions default to the latest version and automatically inherit minor version changes unless otherwise specified.
Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.
In this article, you learn how to:
- Retrieve the current Azure client configuration.
- Create a Azure resource group with the generated random name.
- Create Subscription Policy Assignment to identify virtual machines that aren't using managed disks
Create an Azure account with an active subscription. You can create an account for trial.
The sample code for this article is located in the Azure Terraform GitHub repo. You can view the log file containing the test results from current and previous versions of Terraform. See more articles and sample code showing how to use Terraform to manage Azure resources
Create a directory in which to test and run the sample Terraform code, and make it the current directory.
Create a file named
providers.tf
and insert the following code.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>4.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
environment = "china"
}
- Create a file named
main.tf
and insert the following code.
# Create a random pet name to ensure unique resource group name
resource "random_pet" "rg_name" {
prefix = var.resource_group_name_prefix
}
# Create a resource group
resource "azurerm_resource_group" "example" {
location = var.resource_group_location
name = random_pet.rg_name.id
}
# Get the current subscription
data "azurerm_subscription" "current" {}
# Create a subscription policy assignment
resource "azurerm_subscription_policy_assignment" "auditvms" {
name = "audit-vm-manageddisks"
subscription_id = coalesce(var.scope, "/subscriptions/${data.azurerm_subscription.current.subscription_id}")
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
description = "Shows all virtual machines not using managed disks"
display_name = "Audit VMs without managed disks assignment"
}
- Create a file named
variables.tf
and insert the following code.
variable "resource_group_location" {
type = string
default = "chinanorth3"
description = "Location of the resource group."
}
variable "resource_group_name_prefix" {
type = string
default = "rg"
description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
}
variable "scope" {
type = string
default = ""
description = "Scope of the policy assignment."
}
- Create a file named
outputs.tf
and insert the following code.
output "resource_group_name" {
value = azurerm_resource_group.example.name
}
output "assignment_id" {
value = azurerm_subscription_policy_assignment.auditvms.id
}
output "subscription_id" {
value = data.azurerm_subscription.current.subscription_id
}
A scope determines what resources or grouping of resources the policy assignment gets enforced on. It could range from a management group to an individual resource. To use any of the following scopes, update the scope
variable in the variables.tf
file. If you leave the scope
variable value blank, the "subscription" scope is used.
- Subscription:
/subscriptions/<subscription_id>
- Resource group:
/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
- Resource:
/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<resource_provider_namespace>/[{parentResourcePath}/]
Important
If you are using the 4.x azurerm provider, you must explicitly specify the Azure subscription ID to authenticate to Azure before running the Terraform commands.
One way to specify the Azure subscription ID without putting it in the providers
block is to specify the subscription ID in an environment variable named ARM_SUBSCRIPTION_ID
.
For more information, see the Azure provider reference documentation.
Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.
terraform init -upgrade
Key points:
- The
-upgrade
parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.
Run terraform plan to create an execution plan.
terraform plan -out main.tfplan
Key points:
- The
terraform plan
command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-out
parameter allows you to specify an output file for the plan. Using the-out
parameter ensures that the plan you reviewed is exactly what is applied.
Run terraform apply to apply the execution plan to your cloud infrastructure.
terraform apply main.tfplan
Key points:
- The example
terraform apply
command assumes you previously ranterraform plan -out main.tfplan
. - If you specified a different filename for the
-out
parameter, use that same filename in the call toterraform apply
. - If you didn't use the
-out
parameter, callterraform apply
without any parameters.
Get the
_assignment\_id_
returned byterraform apply
.run the following command to view the resources that are not compliant under your new policy assignment.
armclient post "/subscriptions/<subscription_id>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>
The results are comparable to what you see listed under Noncompliant resources in the Azure portal view.
When you no longer need the resources created via Terraform, do the following steps:
- Run terraform plan and specify the
destroy
flag.
terraform plan -destroy -out main.destroy.tfplan
Key points:
- The
terraform plan
command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources. - The optional
-out
parameter allows you to specify an output file for the plan. Using the-out
parameter ensures that the plan you reviewed is exactly what is applied.
- Run terraform apply to apply the execution plan.
terraform apply main.destroy.tfplan