Use Terraform to Deploy Azure Policy – Restrict Regions

In this post, we are going to use Terraform to deploy an Azure Policy definition that restricts the regions in which users can create resource groups, and assign it to a subscription.

Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies. These policies enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Policy definitions are made up of conditions and effects. Conditions are used to evaluate resources, and effects are used to enforce policies on resources that match the conditions.

Configuration

The policy below denies the creation of a resource group in any location that is not in its listOfAllowedLocations parameter. The parameter definition is shown below. Two fields matter: defaultValue is the list that is enforced when an assignment does not supply its own value, and allowedValues limits which values an assignment is permitted to supply.

To customise the policy, put the regions where you allow users to create resource groups into allowedValues, and set defaultValue to the regions you want enforced when an assignment passes no parameters.

{
  "listOfAllowedLocations": {
    "type": "Array",
    "metadata": {
      "description": "The list of allowed locations for resources.",
      "displayName": "Allowed locations",
      "strongType": "location"
    },
    "defaultValue": [
      "southeastasia"
    ],
    "allowedValues": [
      "southeastasia",
      "eastus",
      "westus2"
    ]
  }
}

Code – main.tf

The following code deploys the policy definition and assigns it to the subscription the current credentials are scoped to.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.96.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# The subscription the current credentials are scoped to; used as the assignment scope.
data "azurerm_subscription" "current" {}

resource "azurerm_policy_definition" "policy_def" {
  # Resource name without spaces; it becomes part of the definition's resource ID.
  # The human-readable text goes in display_name.
  name         = "allowed-locations-resource-groups"
  policy_type  = "Custom"
  # "All" is required here: "Indexed" only evaluates resource types that support
  # tags and location, which excludes resource groups, so the rule would never match.
  mode         = "All"
  display_name = "Allowed locations for resource groups"

  metadata = <<-METADATA
    {
      "category": "General"
    }
  METADATA

  # Match resource groups whose location is not in the parameter list, and deny them.
  policy_rule = <<-POLICYRULE
    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  POLICYRULE

  # defaultValue is enforced when an assignment passes no parameters;
  # allowedValues limits what an assignment may pass.
  parameters = <<-PARAMETERS
    {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed locations for resources.",
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [
          "southeastasia"
        ],
        "allowedValues": [
          "southeastasia",
          "eastus",
          "westus2"
        ]
      }
    }
  PARAMETERS
}

resource "azurerm_subscription_policy_assignment" "policy_assignment" {
  name                 = "allowed-locations-resource-groups"
  display_name         = "Allowed locations for resource groups"
  policy_definition_id = azurerm_policy_definition.policy_def.id
  subscription_id      = data.azurerm_subscription.current.id

  # Pass the list explicitly. Without this, the definition's defaultValue
  # (southeastasia only) is what gets enforced.
  parameters = jsonencode({
    listOfAllowedLocations = {
      value = ["southeastasia", "eastus", "westus2"]
    }
  })
}

This policy definition uses the notIn condition: a new resource group whose location is not in the listOfAllowedLocations parameter matches the rule, the deny effect is triggered, and the request is rejected at the Resource Manager API, whether it comes from the portal, CLI, or Terraform.

The list that is actually enforced is the parameter value on the assignment, not the allowedValues list. allowedValues only limits what an assignment may pass; if an assignment passes no parameters, the definition's defaultValue applies, which here is southeastasia alone, so eastus and westus2 would still be denied. Check the effective value on the assignment after terraform apply rather than assuming the definition's allowedValues are in force.

Two further caveats. The rule only matches Microsoft.Resources/subscriptions/resourceGroups, so resources inside an allowed resource group can still be created in other regions; pair this with the built-in Allowed locations policy, or a second custom rule on resource types, to restrict those as well. And deny applies to create and update requests only: resource groups that already exist in other regions are reported as non-compliant, not removed.
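To see what an assignment will actually enforce before running terraform apply, here is an added example (not code from the original post, and not Azure's evaluator) that implements the subset of the Azure Policy rule language used above: allOf, field/equals, field/notIn and [parameters()] references, with the same assignment-over-defaultValue precedence and the same allowedValues check Azure applies when the assignment is created. The parameter and rule JSON are copied from main.tf; the resource requests and the assignment parameter sets are constructed for the example.

```python
# Added example: a minimal evaluator for the policy rule subset used in main.tf.
# It is not Azure's evaluation engine; it reproduces the semantics needed here.
import json

# Parameters block from the policy definition (same content as the PARAMETERS heredoc).
DEFINITION_PARAMETERS = json.loads("""
{
  "listOfAllowedLocations": {
    "type": "Array",
    "metadata": {"description": "The list of allowed locations for resources.",
                 "displayName": "Allowed locations", "strongType": "location"},
    "defaultValue": ["southeastasia"],
    "allowedValues": ["southeastasia", "eastus", "westus2"]
  }
}
""")

# Rule block from the policy definition (same content as the POLICYRULE heredoc).
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
      {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"}
    ]
  },
  "then": {"effect": "deny"}
}
""")


def resolve(value, definition_params, assignment_params):
    """Expand a "[parameters('name')]" reference; any other value is returned as-is.

    Precedence matches Azure: a value supplied on the assignment wins, otherwise the
    definition's defaultValue is used. A value outside allowedValues is rejected, which
    is what Azure does when the assignment is created.
    """
    if not (isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]")):
        return value
    name = value[len("[parameters('"):-len("')]")]
    spec = definition_params[name]
    resolved = assignment_params[name]["value"] if name in assignment_params else spec["defaultValue"]
    allowed = spec.get("allowedValues")
    if allowed is not None:
        values = resolved if isinstance(resolved, list) else [resolved]
        bad = [v for v in values if v not in allowed]
        if bad:
            raise ValueError(f"{name}: {bad} not in allowedValues {allowed}")
    return resolved


def _norm(v):
    # Azure's equals/in/notIn string comparisons are case-insensitive.
    return v.lower() if isinstance(v, str) else v


def condition_holds(cond, resource, definition_params, assignment_params):
    """Evaluate one condition node from the rule's "if" block against a request."""
    args = (definition_params, assignment_params)
    if "allOf" in cond:
        return all(condition_holds(c, resource, *args) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, *args) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, *args)
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], *args))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], *args))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], *args)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], *args)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, assignment_params=None, rule=POLICY_RULE, definition_params=DEFINITION_PARAMETERS):
    """Return the effect the rule applies to the request ("deny"), or None if it does not match."""
    assignment_params = assignment_params or {}
    if condition_holds(rule["if"], resource, definition_params, assignment_params):
        return rule["then"]["effect"].lower()
    return None


# Constructed requests, shaped like the type/location fields Azure Policy evaluates.
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
rg_sea = {"type": RG_TYPE, "location": "southeastasia"}
rg_eastus = {"type": RG_TYPE, "location": "EastUS"}
vm_westeurope = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope"}

# Constructed assignment parameters, in the shape the assignment's parameters JSON takes.
THREE_REGIONS = {"listOfAllowedLocations": {"value": ["southeastasia", "eastus", "westus2"]}}

if __name__ == "__main__":
    print(evaluate(rg_sea))                    # None: allowed by the defaultValue
    print(evaluate(rg_eastus))                 # deny: defaultValue only allows southeastasia
    print(evaluate(rg_eastus, THREE_REGIONS))  # None: the assignment widened the list
    print(evaluate(vm_westeurope))             # None: the rule only matches resource groups
    try:
        evaluate(rg_sea, {"listOfAllowedLocations": {"value": ["westeurope"]}})
    except ValueError as e:
        print("assignment rejected:", e)       # westeurope is outside allowedValues
```

The second and third calls are the point: the same eastus request is denied under the definition's defaultValue and allowed once the assignment passes the full list. The fourth shows why a resource-group-only rule is not a region lockdown for everything in the subscription.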

