Module policy

class Assignment

extends CustomResource

Configures the specified Policy Definition at the specified Scope. Policy Set Definitions are also supported.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const testDefinition = new azure.policy.Definition("test", {
    displayName: "my-policy-definition",
    mode: "All",
    name: "my-policy-definition",
    parameters: `	{
    "allowedLocations": {
      "type": "Array",
      "metadata": {
        "description": "The list of allowed locations for resources.",
        "displayName": "Allowed locations",
        "strongType": "location"
      }
    }
  }
`,
    policyRule: `	{
    "if": {
      "not": {
        "field": "location",
        "in": "[parameters('allowedLocations')]"
      }
    },
    "then": {
      "effect": "audit"
    }
  }
`,
    policyType: "Custom",
});
const testResourceGroup = new azure.core.ResourceGroup("test", {
    location: "West Europe",
    name: "test-resources",
});
const testAssignment = new azure.policy.Assignment("test", {
    description: "Policy Assignment created via an Acceptance Test",
    displayName: "My Example Policy Assignment",
    name: "example-policy-assignment",
    parameters: `{
  "allowedLocations": {
    "value": [ "West Europe" ]
  }
}
`,
    policyDefinitionId: testDefinition.id,
    scope: testResourceGroup.id,
});

constructor

new Assignment(name: string, args: AssignmentArgs, opts?: pulumi.CustomResourceOptions)

Create an Assignment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AssignmentState, opts?: pulumi.CustomResourceOptions): Assignment

Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property description

public description: pulumi.Output<string | undefined>;

A description to use for this Policy Assignment. Changing this forces a new resource to be created.

property displayName

public displayName: pulumi.Output<string | undefined>;

A friendly display name to use for this Policy Assignment. Changing this forces a new resource to be created.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property identity

public identity: pulumi.Output<{
    principalId: string;
    tenantId: string;
    type: undefined | string;
}>;

An identity block.

property location

public location: pulumi.Output<string>;

The Azure location where this policy assignment should exist. This is required when an Identity is assigned. Changing this forces a new resource to be created.

property name

public name: pulumi.Output<string>;

The name of the Policy Assignment. Changing this forces a new resource to be created.

property notScopes

public notScopes: pulumi.Output<string[] | undefined>;

A list of the Policy Assignment’s excluded scopes. The list must contain Resource IDs, such as Subscriptions (e.g. /subscriptions/00000000-0000-0000-000000000000) or Resource Groups (e.g. /subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup).

property parameters

public parameters: pulumi.Output<string | undefined>;

Parameters for the policy definition. This field is a JSON object that maps to the Parameters field from the Policy Definition. Changing this forces a new resource to be created.
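Because the assignment's parameters string has to line up with the parameters declared by the definition, a pre-deployment check can catch a misspelled name or a wrongly typed value before the assignment is created. The following is an added example, not part of the Pulumi SDK; the helper names are hypothetical and the sample strings are constructed from the example usage above.

```typescript
// Added example: hypothetical helper names, not part of @pulumi/azure.

// Constructed sample: the Definition `parameters` string from the example usage above.
const definitionParameters = `{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}`;
// Constructed sample: the Assignment `parameters` string from the example usage above.
const assignmentParameters = `{ "allowedLocations": { "value": [ "West Europe" ] } }`;

// Parse a JSON string and accept it only if it is a plain JSON object.
function parseObject(json: string): Record<string, any> | null {
  try {
    const v: unknown = JSON.parse(json);
    return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as Record<string, any>) : null;
  } catch {
    return null;
  }
}

// Own-property test that is safe on null and on primitive values.
function has(obj: unknown, key: string): boolean {
  return typeof obj === "object" && obj !== null && Object.prototype.hasOwnProperty.call(obj, key);
}

// Does a JSON value satisfy an Azure Policy parameter type name?
function matchesDeclaredType(declared: string, value: unknown): boolean {
  switch (declared.toLowerCase()) {
    case "array": return Array.isArray(value);
    case "string":
    case "datetime": return typeof value === "string";
    case "boolean": return typeof value === "boolean";
    case "integer": return typeof value === "number" && Math.floor(value) === value;
    case "float": return typeof value === "number";
    case "object": return typeof value === "object" && value !== null && !Array.isArray(value);
    default: return false; // unrecognised type name: fail closed
  }
}

// Returns findings; an empty list means the assignment parameters fit the definition.
function checkAssignmentParameters(definitionJson: string, assignmentJson: string): string[] {
  const decls = parseObject(definitionJson);
  const values = parseObject(assignmentJson);
  if (decls === null || values === null) {
    return ["both parameters strings must be valid JSON objects"];
  }
  const findings: string[] = [];
  for (const name of Object.keys(values)) {
    const declaredType = has(decls[name], "type") ? String(decls[name].type) : "";
    if (!has(decls, name)) {
      findings.push(`'${name}' is not declared by the definition`);
    } else if (!has(values[name], "value")) {
      findings.push(`'${name}' must be wrapped as { "value": ... }`);
    } else if (!matchesDeclaredType(declaredType, values[name].value)) {
      findings.push(`'${name}' does not match declared type '${declaredType}'`);
    }
  }
  for (const name of Object.keys(decls)) {
    // A declared parameter with no defaultValue has to be supplied by the assignment.
    if (!has(values, name) && !has(decls[name], "defaultValue")) {
      findings.push(`'${name}' is required but not supplied`);
    }
  }
  return findings;
}

// The page's own example pair produces no findings.
const sampleFindings = checkAssignmentParameters(definitionParameters, assignmentParameters);
```

Running the check in the Pulumi program before constructing the Assignment lets a bad parameters string fail the preview instead of the deployment.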

property policyDefinitionId

public policyDefinitionId: pulumi.Output<string>;

The ID of the Policy Definition to be applied at the specified Scope.

property scope

public scope: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Definition

extends CustomResource

Manages a policy rule definition on a management group or your provider subscription.

Policy definitions do not take effect until they are assigned to a scope using a Policy Assignment.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const policy = new azure.policy.Definition("policy", {
    displayName: "acceptance test policy definition",
    mode: "Indexed",
    name: "accTestPolicy",
    parameters: `	{
    "allowedLocations": {
      "type": "Array",
      "metadata": {
        "description": "The list of allowed locations for resources.",
        "displayName": "Allowed locations",
        "strongType": "location"
      }
    }
  }
`,
    policyRule: `	{
    "if": {
      "not": {
        "field": "location",
        "in": "[parameters('allowedLocations')]"
      }
    },
    "then": {
      "effect": "audit"
    }
  }
`,
    policyType: "Custom",
});

constructor

new Definition(name: string, args: DefinitionArgs, opts?: pulumi.CustomResourceOptions)

Create a Definition resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefinitionState, opts?: pulumi.CustomResourceOptions): Definition

Get an existing Definition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property description

public description: pulumi.Output<string | undefined>;

The description of the policy definition.

property displayName

public displayName: pulumi.Output<string>;

The display name of the policy definition.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property managementGroupId

public managementGroupId: pulumi.Output<string | undefined>;

The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.

property metadata

public metadata: pulumi.Output<string>;

The metadata for the policy definition. This is a json object representing additional metadata that should be stored with the policy definition.

property mode

public mode: pulumi.Output<string>;

The policy mode that allows you to specify which resource types will be evaluated. The value can be “All”, “Indexed” or “NotSpecified”. Changing this forces a new resource to be created.

property name

public name: pulumi.Output<string>;

The name of the policy definition. Changing this forces a new resource to be created.

property parameters

public parameters: pulumi.Output<string | undefined>;

Parameters for the policy definition. This field is a json object that allows you to parameterize your policy definition.

property policyRule

public policyRule: pulumi.Output<string | undefined>;

The policy rule for the policy definition. This is a json object representing the rule that contains an if and a then block.

property policyType

public policyType: pulumi.Output<string>;

The policy type. The value can be “BuiltIn”, “Custom” or “NotSpecified”. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class PolicySetDefinition

extends CustomResource

Manages a policy set definition.

NOTE: Policy set definitions (also known as policy initiatives) do not take effect until they are assigned to a scope using a Policy Set Assignment.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const test = new azure.policy.PolicySetDefinition("test", {
    displayName: "Test Policy Set",
    name: "testPolicySet",
    parameters: `    {
        "allowedLocations": {
            "type": "Array",
            "metadata": {
                "description": "The list of allowed locations for resources.",
                "displayName": "Allowed locations",
                "strongType": "location"
            }
        }
    }
`,
    policyDefinitions: `    [
        {
            "parameters": {
                "listOfAllowedLocations": {
                    "value": "[parameters('allowedLocations')]"
                }
            },
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988"
        }
    ]
`,
    policyType: "Custom",
});

constructor

new PolicySetDefinition(name: string, args: PolicySetDefinitionArgs, opts?: pulumi.CustomResourceOptions)

Create a PolicySetDefinition resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicySetDefinitionState, opts?: pulumi.CustomResourceOptions): PolicySetDefinition

Get an existing PolicySetDefinition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property description

public description: pulumi.Output<string | undefined>;

The description of the policy set definition.

property displayName

public displayName: pulumi.Output<string>;

The display name of the policy set definition.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property managementGroupId

public managementGroupId: pulumi.Output<string | undefined>;

The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.

property metadata

public metadata: pulumi.Output<string | undefined>;

The metadata for the policy set definition. This is a json object representing additional metadata that should be stored with the policy definition.

property name

public name: pulumi.Output<string>;

The name of the policy set definition. Changing this forces a new resource to be created.

property parameters

public parameters: pulumi.Output<string | undefined>;

Parameters for the policy set definition. This field is a json object that allows you to parameterize your policy definition.

property policyDefinitions

public policyDefinitions: pulumi.Output<string | undefined>;

The policy definitions for the policy set definition. This is a json object representing the bundled policy definitions.
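Each bundled policy receives its values through `[parameters('...')]` references to the set's own parameters, so a reference to a name the set never declares is worth catching before deployment. The following is an added example, not part of the Pulumi SDK; the helper names are hypothetical and the sample strings are constructed from the PolicySetDefinition example usage above.

```typescript
// Added example: hypothetical helper names, not part of @pulumi/azure.

// Constructed samples: the two JSON strings from the PolicySetDefinition example usage above.
const setParameters = `{
  "allowedLocations": { "type": "Array", "metadata": { "strongType": "location" } }
}`;
const setPolicyDefinitions = `[
  {
    "parameters": {
      "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" }
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988"
  }
]`;

// Collect every name used in a [parameters('name')] expression inside a JSON value.
function referencedParameters(value: unknown): string[] {
  const text = JSON.stringify(value === undefined ? null : value);
  const pattern = /\[parameters\('([^']+)'\)\]/g;
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = pattern.exec(text)) !== null) {
    if (names.indexOf(m[1]) === -1) names.push(m[1]);
  }
  return names;
}

// Returns findings; an empty list means every reference resolves and every set parameter is used.
function checkPolicySetReferences(parametersJson: string, policyDefinitionsJson: string): string[] {
  let declared: unknown = null;
  let members: unknown = null;
  try {
    declared = JSON.parse(parametersJson);
    members = JSON.parse(policyDefinitionsJson);
  } catch {
    return ["input is not valid JSON"];
  }
  if (typeof declared !== "object" || declared === null || !Array.isArray(members)) {
    return ["parameters must be a JSON object and policyDefinitions a JSON array"];
  }
  const declaredNames = Object.keys(declared);
  const used: string[] = [];
  const findings: string[] = [];
  members.forEach((member: any, index: number) => {
    if (!member || typeof member.policyDefinitionId !== "string") {
      findings.push(`member ${index} has no policyDefinitionId`);
    }
    for (const name of referencedParameters(member ? member.parameters : null)) {
      used.push(name);
      if (declaredNames.indexOf(name) === -1) {
        findings.push(`member ${index} references undeclared set parameter '${name}'`);
      }
    }
  });
  for (const name of declaredNames) {
    // A declared parameter that no member consumes has no effect on evaluation.
    if (used.indexOf(name) === -1) {
      findings.push(`set parameter '${name}' is never passed to a member policy`);
    }
  }
  return findings;
}

// The page's own example pair produces no findings.
const sampleSetFindings = checkPolicySetReferences(setParameters, setPolicyDefinitions);
```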

property policyType

public policyType: pulumi.Output<string>;

The policy set type. Possible values are BuiltIn or Custom. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

function getPolicyDefintion

getPolicyDefintion(args: GetPolicyDefintionArgs, opts?: pulumi.InvokeOptions): Promise<GetPolicyDefintionResult>

Use this data source to access information about a Policy Definition, both custom and built in. Retrieves Policy Definitions from your current subscription by default.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const test = pulumi.output(azure.policy.getPolicyDefintion({
    displayName: "Allowed resource types",
}));

export const id = test.id;

interface AssignmentArgs

The set of arguments for constructing an Assignment resource.

property description

description?: pulumi.Input<string>;

A description to use for this Policy Assignment. Changing this forces a new resource to be created.

property displayName

displayName?: pulumi.Input<string>;

A friendly display name to use for this Policy Assignment. Changing this forces a new resource to be created.

property identity

identity?: pulumi.Input<{
    principalId: pulumi.Input<string>;
    tenantId: pulumi.Input<string>;
    type: pulumi.Input<string>;
}>;

An identity block.

property location

location?: pulumi.Input<string>;

The Azure location where this policy assignment should exist. This is required when an Identity is assigned. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

The name of the Policy Assignment. Changing this forces a new resource to be created.

property notScopes

notScopes?: pulumi.Input<pulumi.Input<string>[]>;

A list of the Policy Assignment’s excluded scopes. The list must contain Resource IDs, such as Subscriptions (e.g. /subscriptions/00000000-0000-0000-000000000000) or Resource Groups (e.g. /subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup).

property parameters

parameters?: pulumi.Input<string>;

Parameters for the policy definition. This field is a JSON object that maps to the Parameters field from the Policy Definition. Changing this forces a new resource to be created.

property policyDefinitionId

policyDefinitionId: pulumi.Input<string>;

The ID of the Policy Definition to be applied at the specified Scope.

property scope

scope: pulumi.Input<string>;

interface AssignmentState

Input properties used for looking up and filtering Assignment resources.

property description

description?: pulumi.Input<string>;

A description to use for this Policy Assignment. Changing this forces a new resource to be created.

property displayName

displayName?: pulumi.Input<string>;

A friendly display name to use for this Policy Assignment. Changing this forces a new resource to be created.

property identity

identity?: pulumi.Input<{
    principalId: pulumi.Input<string>;
    tenantId: pulumi.Input<string>;
    type: pulumi.Input<string>;
}>;

An identity block.

property location

location?: pulumi.Input<string>;

The Azure location where this policy assignment should exist. This is required when an Identity is assigned. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

The name of the Policy Assignment. Changing this forces a new resource to be created.

property notScopes

notScopes?: pulumi.Input<pulumi.Input<string>[]>;

A list of the Policy Assignment’s excluded scopes. The list must contain Resource IDs, such as Subscriptions (e.g. /subscriptions/00000000-0000-0000-000000000000) or Resource Groups (e.g. /subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup).

property parameters

parameters?: pulumi.Input<string>;

Parameters for the policy definition. This field is a JSON object that maps to the Parameters field from the Policy Definition. Changing this forces a new resource to be created.

property policyDefinitionId

policyDefinitionId?: pulumi.Input<string>;

The ID of the Policy Definition to be applied at the specified Scope.

property scope

scope?: pulumi.Input<string>;

interface DefinitionArgs

The set of arguments for constructing a Definition resource.

property description

description?: pulumi.Input<string>;

The description of the policy definition.

property displayName

displayName: pulumi.Input<string>;

The display name of the policy definition.

property managementGroupId

managementGroupId?: pulumi.Input<string>;

The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.

property metadata

metadata?: pulumi.Input<string>;

The metadata for the policy definition. This is a json object representing additional metadata that should be stored with the policy definition.

property mode

mode: pulumi.Input<string>;

The policy mode that allows you to specify which resource types will be evaluated. The value can be “All”, “Indexed” or “NotSpecified”. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

The name of the policy definition. Changing this forces a new resource to be created.

property parameters

parameters?: pulumi.Input<string>;

Parameters for the policy definition. This field is a json object that allows you to parameterize your policy definition.

property policyRule

policyRule?: pulumi.Input<string>;

The policy rule for the policy definition. This is a json object representing the rule that contains an if and a then block.

property policyType

policyType: pulumi.Input<string>;

The policy type. The value can be “BuiltIn”, “Custom” or “NotSpecified”. Changing this forces a new resource to be created.

interface DefinitionState

Input properties used for looking up and filtering Definition resources.

property description

description?: pulumi.Input<string>;

The description of the policy definition.

property displayName

displayName?: pulumi.Input<string>;

The display name of the policy definition.

property managementGroupId

managementGroupId?: pulumi.Input<string>;

The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.

property metadata

metadata?: pulumi.Input<string>;

The metadata for the policy definition. This is a json object representing additional metadata that should be stored with the policy definition.

property mode

mode?: pulumi.Input<string>;

The policy mode that allows you to specify which resource types will be evaluated. The value can be “All”, “Indexed” or “NotSpecified”. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

The name of the policy definition. Changing this forces a new resource to be created.

property parameters

parameters?: pulumi.Input<string>;

Parameters for the policy definition. This field is a json object that allows you to parameterize your policy definition.

property policyRule

policyRule?: pulumi.Input<string>;

The policy rule for the policy definition. This is a json object representing the rule that contains an if and a then block.

property policyType

policyType?: pulumi.Input<string>;

The policy type. The value can be “BuiltIn”, “Custom” or “NotSpecified”. Changing this forces a new resource to be created.

interface GetPolicyDefintionArgs

A collection of arguments for invoking getPolicyDefintion.

property displayName

displayName: string;

Specifies the name of the Policy Definition.

property managementGroupId

managementGroupId?: undefined | string;

Only retrieve Policy Definitions from this Management Group.

interface GetPolicyDefintionResult

A collection of values returned by getPolicyDefintion.

property description

description: string;

The Description of the Policy.

property displayName

displayName: string;

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property managementGroupId

managementGroupId?: undefined | string;

property metadata

metadata: string;

Any Metadata defined in the Policy.

property name

name: string;

The Name of the Policy Definition.

property parameters

parameters: string;

Any Parameters defined in the Policy.

property policyRule

policyRule: string;

The Rule as defined (in JSON) in the Policy.

property policyType

policyType: string;

The Type of the Policy, such as Microsoft.Authorization/policyDefinitions.

property type

type: string;

The Type of Policy.

interface PolicySetDefinitionArgs

The set of arguments for constructing a PolicySetDefinition resource.

property description

description?: pulumi.Input<string>;

The description of the policy set definition.

property displayName

displayName: pulumi.Input<string>;

The display name of the policy set definition.

property managementGroupId

managementGroupId?: pulumi.Input<string>;

The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.

property metadata

metadata?: pulumi.Input<string>;

The metadata for the policy set definition. This is a json object representing additional metadata that should be stored with the policy definition.

property name

name?: pulumi.Input<string>;

The name of the policy set definition. Changing this forces a new resource to be created.

property parameters

parameters?: pulumi.Input<string>;

Parameters for the policy set definition. This field is a json object that allows you to parameterize your policy definition.

property policyDefinitions

policyDefinitions?: pulumi.Input<string>;

The policy definitions for the policy set definition. This is a json object representing the bundled policy definitions.

property policyType

policyType: pulumi.Input<string>;

The policy set type. Possible values are BuiltIn or Custom. Changing this forces a new resource to be created.

interface PolicySetDefinitionState

Input properties used for looking up and filtering PolicySetDefinition resources.

property description

description?: pulumi.Input<string>;

The description of the policy set definition.

property displayName

displayName?: pulumi.Input<string>;

The display name of the policy set definition.

property managementGroupId

managementGroupId?: pulumi.Input<string>;

The ID of the Management Group where this policy should be defined. Changing this forces a new resource to be created.

property metadata

metadata?: pulumi.Input<string>;

The metadata for the policy set definition. This is a json object representing additional metadata that should be stored with the policy definition.

property name

name?: pulumi.Input<string>;

The name of the policy set definition. Changing this forces a new resource to be created.

property parameters

parameters?: pulumi.Input<string>;

Parameters for the policy set definition. This field is a json object that allows you to parameterize your policy definition.

property policyDefinitions

policyDefinitions?: pulumi.Input<string>;

The policy definitions for the policy set definition. This is a json object representing the bundled policy definitions.

property policyType

policyType?: pulumi.Input<string>;

The policy set type. Possible values are BuiltIn or Custom. Changing this forces a new resource to be created.