Reputation: 1
Can you create a policy exemption where the scope is a resource (not an RG) in Azure with Terraform? Because I found this module:

module "policy_exemptions" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.2.1"
  policyExemptions = {
    exemption1 = {
      deploymentMode               = "Incremental"
      name                         = "exemption1"
      displayName                  = "exemption1 for Insert-Your-RG-Name1"
      description                  = "exemption1 waives compliance on an resource group"
      resourceGroupName            = "Insert-Your-RG-Name1"
      policyAssignmentId           = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2025-12-29"
      metadata                     = {}
    }
  }
}
But you can only put the RG's name, not the resource...
Maybe I don't understand the syntax?
Upvotes: 0
Views: 2609
Reputation: 11451
As I have mentioned in the comments, the policy exemptions module doesn't have a scope mentioned, so it gets applied to the resource group.
As a solution, you will have to change a few things in the module file after you have initialized Terraform.
Step 1: Go to Module>>policy_exemptions>>policyExemption.json. Add scope in the parameters and in the resources as shown below:
Step 2: Go to Module>>policy_exemptions>>variables.tf. Add scope in the variables as shown below:
Step 3: Go to Module>>policy_exemptions>>main.tf. Add scope in the resource_group_deployment block in the parameters_content as shown below:
Step 4: Then you can use the module like below:
provider "azurerm" {
  features {}
}

module "policy_exemptions" {
  source  = "globalbao/policy-exemptions/azurerm"
  version = "0.2.1"
  policyExemptions = {
    exemption1 = {
      deploymentMode               = "Incremental"
      name                         = "exemption1"
      displayName                  = "exemption1 for cloudshell storage acocunt"
      description                  = "exemption1 waives compliance on an resource group"
      resourceGroupName            = "ansuman-resourcegroup"
      policyAssignmentId           = "/subscriptions/88xxxxb30-xxxx-xxxx-xxxx-xxxxc93573ae/resourceGroups/ansuman-resourcegroup/providers/Microsoft.Authorization/policyAssignments/b3f5ccb5b1a74a2db0401c0e"
      policyDefinitionReferenceIds = []
      exemptionCategory            = "Waiver"
      expiresOn                    = "2025-12-29"
      scope                        = "/subscriptions/88xxxxb30-xxxx-xxxx-xxxx-xxxxc93573ae/resourceGroups/ansuman-resourcegroup/providers/Microsoft.Storage/storageAccounts/cloudshellansuman123"
      metadata                     = {}
    }
  }
}
I tested the modified module to add an exemption to the policy "Storage account keys should not be expired" on a specific resource that is a storage account.
Outputs:
You can find the modified code after the commits I have made in my GitHub repo. You can check the below three commits:
Upvotes: 1
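As an added example that is not part of the question or the answer above, the same resource-scoped exemption can be created without patching the module, using the azurerm provider's native azurerm_resource_policy_exemption resource, whose resource_id is the scope. The storage account, resource group and policy assignment id below are constructed placeholders.

```terraform
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Constructed placeholder: the assignment the exemption applies to.
variable "policy_assignment_id" {
  type    = string
  default = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/example-assignment"
}

# Constructed placeholder: look up the single resource to exempt so the
# exemption is pinned to its full resource id, not to the resource group.
data "azurerm_storage_account" "target" {
  name                = "examplestorageacct"
  resource_group_name = "example-rg"
}

resource "azurerm_resource_policy_exemption" "storage_account" {
  name                 = "exemption1"
  resource_id          = data.azurerm_storage_account.target.id
  policy_assignment_id = var.policy_assignment_id
  exemption_category   = "Waiver"
  # Always set an expiry so the waiver is re-reviewed rather than permanent.
  expires_on   = "2025-12-29T00:00:00Z"
  display_name = "exemption1 for example storage account"
  description  = "Waiver scoped to one storage account, not the resource group"
  # For an initiative assignment, list only the definitions to waive;
  # an empty list exempts the resource from every definition in it.
  policy_definition_reference_ids = []
}

output "exemption_scope" {
  value = azurerm_resource_policy_exemption.storage_account.resource_id
}
```

Because the exemption is an extension resource on the storage account, it disappears with the account and never widens to sibling resources in the group.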