generated from cyber-scot/terraform-module-repo-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
definition-like-mandatory-resource-tagging.tf
72 lines (61 loc) · 3.27 KB
/
definition-like-mandatory-resource-tagging.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
locals {
like_mandatory_resource_tag_name_prefix = var.like_mandatory_resource_tagging_policy.name
like_mandatory_resource_tag_name_hash = substr(md5(local.like_mandatory_resource_tag_name_prefix), 0, 4)
like_mandatory_non_compliance_messages = [for tag in var.like_mandatory_resource_tagging_policy.required_tags :
format("PlatformPolicyInfo: The resource you have tried to deploy is restricted by mandatory like-pattern tagging policy. %s does is not like the pattern. Please ensure all mandatory tags are provided. Contact your administrator for assistance.", tag.key)
]
like_mandatory_combined_non_compliance_message = join(" or ", local.like_mandatory_non_compliance_messages)
like_mandatory_policy_rule = {
"if" = {
"allOf" = [for tag in var.like_mandatory_resource_tagging_policy.required_tags : {
not = {
"field" = "tags['${tag.key}']",
"like" = tag.pattern
}
}]
},
"then" = {
"effect" = "[parameters('effect')]"
}
}
}
resource "azurerm_policy_definition" "like_mandatory_resource_tagging_policy" {
name = local.like_mandatory_resource_tag_name_hash
policy_type = "Custom"
mode = "Indexed"
display_name = "${var.policy_prefix} - Mandatory Resource Tags"
description = "This policy enforces mandatory tags on resources with a like pattern."
management_group_id = var.like_mandatory_resource_tagging_policy.management_group_id != null ? var.like_mandatory_resource_tagging_policy.management_group_id : (var.attempt_read_tenant_root_group ? data.azurerm_management_group.tenant_root_group[0].id : null)
metadata = jsonencode({
version = "1.0.0",
category = "Management"
})
policy_rule = jsonencode(local.like_mandatory_policy_rule)
parameters = jsonencode({
"effect" = {
"type" = "String",
"metadata" = {
"displayName" = "Effect",
"description" = "Enable or disable the execution of the policy."
},
"allowedValues" = ["Audit", "Deny", "Disabled"],
"defaultValue" = var.like_mandatory_resource_tagging_policy.effect
}
})
}
resource "azurerm_management_group_policy_assignment" "like_mandatory_resource_tagging" {
name = azurerm_policy_definition.like_mandatory_resource_tagging_policy.name
management_group_id = var.like_mandatory_resource_tagging_policy.management_group_id != null ? var.like_mandatory_resource_tagging_policy.management_group_id : (var.attempt_read_tenant_root_group ? data.azurerm_management_group.tenant_root_group[0].id : null)
policy_definition_id = azurerm_policy_definition.like_mandatory_resource_tagging_policy.id
enforce = var.like_mandatory_resource_tagging_policy.enforce
display_name = azurerm_policy_definition.like_mandatory_resource_tagging_policy.display_name
description = "This policy assignment enforces mandatory tagging with a like pattern."
non_compliance_message {
content = var.like_mandatory_resource_tagging_policy.non_compliance_message != null ? var.like_mandatory_resource_tagging_policy.non_compliance_message : local.like_mandatory_combined_non_compliance_message
}
parameters = jsonencode({
"effect" = {
"value" = var.like_mandatory_resource_tagging_policy.effect
}
})
}