
azure_policy_assignments Resource


Use the azure_policy_assignments InSpec resource to examine assignments of Azure policy to resources and resource groups.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.

Installation

This resource is available in the Chef InSpec Azure resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.

Syntax

describe azure_policy_assignments do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

Please review the Azure documentation for a full description of the available properties.

ids
The IDs of the policy assignments.

Filter: id

types
The Azure resource types of the policy assignments.

Filter: type

names
The names of the policy assignments.

Filter: name

locations
The locations of the policy assignments.

Filter: location

tags
The tags of the policy assignments.

Filter: tags

displayNames
The display names of the policy assignments.

Filter: displayName

policyDefinitionIds
The IDs of the policies being assigned by these policy assignments.

Filter: policyDefinitionId

scopes
The scopes of the policy assignments (the resources or resource groups they are attached to).

Filter: scope

notScopes
The scopes excluded from these policy assignments (an exclusion blocks inheritance of the policy below that scope).

Filter: notScopes

parameters
The override parameters passed to the base policy by this assignment.

Filter: parameters

enforcementMode
The enforcement modes of these policy assignments.

Filter: enforcementModes

assignedBys
The IDs that assigned these policies.

Filter: assignedBy

parameterScopes
Unknown - no data observed in this field in the wild.

Filter: parameterScopes

created_bys
The IDs that created these policy assignments.

Filter: created_by

createdOns
The dates these policy assignments were created (as a Ruby Time object).

Filter: createdOn

updatedBys
The IDs that updated these policy assignments.

Filter: updatedBy

updatedOns
The dates these policy assignments were updated (as a Ruby Time object).

Filter: updatedOn

identityPrincipalIds
The principal IDs of the associated managed identities.

Filter: identityPrincipalId

identityTenantIds
The tenant IDs of the associated managed identities.

Filter: identityTenantId

identityTypes
The identity types of the associated managed identities.

Filter: identityType

Examples

Check that all assigned policies are in enforcing mode.

describe azure_policy_assignments.where { enforcement_mode == 'DoNotEnforce' } do
  it { should_not exist }
  its('display_names') { should eq [] }
end

Check that no policy assignments were created or updated in the last 30 days.

last_30_days = Time.now - (60 * 60 * 24 * 30)

describe azure_policy_assignments.where { (updatedOn > last_30_days) || (createdOn > last_30_days) } do
  it { should_not exist }
  its('ids') { should eq [] }
end
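As an added, stand-alone Ruby illustration of what the two controls above test (this is editor-written code, not code from the InSpec Azure resource pack): it runs the same enforcement-mode and recency checks over constructed sample assignments in the JSON shape the Azure Policy Assignments REST API returns, and also flags notScopes exclusions. The subscription ID, assignment names and timestamps are made up.

```ruby
require 'time'

# Build one policy assignment in the shape the Azure REST API returns
# (properties.enforcementMode, properties.notScopes, properties.metadata.*).
# Assumption: these are the fields the InSpec resource exposes as
# enforcementMode, notScopes, createdOn and updatedOn.
def assignment(name, mode: 'Default', not_scopes: [], created:, updated: nil)
  sub = '/subscriptions/00000000-0000-0000-0000-000000000000' # constructed
  {
    'id' => "#{sub}/providers/Microsoft.Authorization/policyAssignments/#{name}",
    'name' => name,
    'properties' => {
      'displayName' => name, 'scope' => sub, 'enforcementMode' => mode,
      'notScopes' => not_scopes,
      'metadata' => { 'createdOn' => created, 'updatedOn' => updated || created },
    },
  }
end

# Constructed sample: one healthy assignment, one that only audits, and one
# that carves out a resource group and was edited recently.
SAMPLE = [
  assignment('require-tags', created: '2023-01-10T08:00:00Z'),
  assignment('deny-public-ip', mode: 'DoNotEnforce', created: '2022-11-15T09:30:00Z'),
  assignment('allowed-locations',
             not_scopes: ['/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sandbox'],
             created: '2022-12-05T10:00:00Z', updated: '2023-02-20T12:00:00Z'),
].freeze

# Apply the checks the InSpec examples express as matchers: assignments that
# do not enforce (DoNotEnforce), assignments with notScopes exclusions, and
# assignments created or updated within `recent_days` of `now`.
# Returns a hash of finding => list of assignment names.
def audit_policy_assignments(assignments, now:, recent_days: 30)
  cutoff = now - (60 * 60 * 24 * recent_days)
  findings = { not_enforced: [], has_exclusions: [], recently_changed: [] }
  assignments.each do |a|
    props = a.fetch('properties')
    meta = props.fetch('metadata', {})
    name = a.fetch('name')
    findings[:not_enforced] << name if props['enforcementMode'] == 'DoNotEnforce'
    findings[:has_exclusions] << name unless Array(props['notScopes']).empty?
    stamps = [meta['createdOn'], meta['updatedOn']].compact.map { |s| Time.iso8601(s) }
    findings[:recently_changed] << name if stamps.any? { |t| t > cutoff }
  end
  findings
end
```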

Azure Permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.
