
azure_policy_assignments Resource

Use the azure_policy_assignments InSpec resource to examine Azure Policy assignments to resources and resource groups.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.

Install

This resource is available in the Chef InSpec Azure resource pack.

For information on configuring your Azure environment for Chef InSpec and creating an InSpec profile that uses the InSpec Azure resource pack, see the Chef InSpec documentation for the Azure cloud platform.

Syntax

describe azure_policy_assignments do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

Please review the Azure documentation for a full description of the available properties.

ids
The ID of this policy assignment.

Filter: id

types
The Azure resource type.

Filter: type

names
The names of the policy assignments.

Filter: name

locations
The locations of the policy assignments.

Filter: location

tags
The tags of the policy assignments.

Filter: tags

displayNames
The display names of the policy assignments.

Filter: displayName

policyDefinitionIds
The IDs of the policies being assigned by these policy assignments.

Filter: policyDefinitionId

scopes
The scopes of the policy assignments (the resources they are attached to).

Filter: scope

notScopes
The scopes which are excluded from these policy assignments (blocks inheritance).

Filter: notScopes

parameters
The override parameters passed to the base policy by this assignment.

Filter: parameters

enforcementMode
The enforcement modes of these policy assignments.

Filter: enforcementModes

assignedBys
The IDs that assigned these policies.

Filter: assignedBy

parameterScopes
Unknown - no data observed in this field in the wild.

Filter: parameterScopes

created_bys
The IDs that created these policy assignments.

Filter: created_by

createdOns
The dates these policy assignments were created (as a Ruby Time object).

Filter: createdOn

updatedBys
The IDs that updated these policy assignments.

Filter: updatedBy

updatedOns
The dates these policy assignments were updated (as a Ruby Time object).

Filter: updatedOn

identityPrincipalIds
The principal IDs of the associated managed identities.

Filter: identityPrincipalId

identityTenantIds
The tenant IDs of the associated managed identities.

Filter: identityTenantId

identityTypes
The identity types of the associated managed identities.

Filter: identityType

Examples

Check that all assigned policies are in enforcing mode

describe azure_policy_assignments.where { enforcement_mode == 'DoNotEnforce' } do
  it { should_not exist }
  its('display_names') { should eq [] }
end

Check that no policy assignments were created or modified in the last 30 days

# Time 30 days before now (the offset is in seconds).
last_30_days = Time.now - (60 * 60 * 24 * 30)

describe azure_policy_assignments.where { (updatedOn > last_30_days) || (createdOn > last_30_days) } do
  it { should_not exist }
  its('ids') { should eq [] }
end

Azure Permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.
