
azure_management_group resource

Use the azure_management_group InSpec audit resource to test the properties of an Azure management group.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

An azure_management_group resource block identifies a management group by its name or the resource_id.

describe azure_management_group(name: 'ABCD-1234') do
  it { should exist }
end
describe azure_management_group(resource_id: '/providers/Microsoft.Management/managementGroups/{groupId}') do
  it { should exist }
end

Parameters

name
Management group name. Example: 20000000-0001-0000-0000-000000000000.
group_id
Alias for the name parameter.
resource_id
The unique resource ID. Format: /providers/Microsoft.Management/managementGroups/{groupId}.
expand
Optional. expand: 'children' includes the group's children in the response. expand: 'path' includes the path from the root group to the current group.
recurse
Optional. recurse: true includes the entire hierarchy in the response. Setting recurse to true also sets expand: 'children'.
filter
Optional. A filter allows the exclusion of subscriptions from results (for example, filter: 'children.childType ne Subscription').

Provide any one of the following parameters for a valid query, along with any of the optional parameters:

  • resource_id
  • name
  • group_id

Properties

tenant_id
The management group tenant ID.
parent_name
The management group parent name.
parent_id
The management group parent resource ID. Format: /providers/Microsoft.Management/managementGroups/{groupId}.
children_display_names
The list of management group children display names.
children_ids
The list of management group children IDs.
children_names
The list of management group children names.
children_types
The list of management group children types.

For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.

Also, see the Azure documentation for other available properties. You can access any attribute in the response with the key names separated by dots (.).

Examples

Test Tenant ID, Parent Name, Children Display Name:

describe azure_management_group(group_id: 'ABC-1234', recurse: true, expand: 'CHILDREN') do
  its('tenant_id') { should eq('00000000-0000-0000-0000-000000000000') }
  its('parent_name') { should eq('MyGroupsParentName') }
  its('children_display_names') { should include('I am a child of the group!') }
end
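
The recurse: true option returns the group's whole hierarchy as nested children. As an added example (plain Ruby, not InSpec DSL and not part of the resource pack or its tests), the following walks such a response to report where each subscription sits in the hierarchy. The RESPONSE hash is constructed sample data, and its key names and the '/subscriptions' child type are assumptions based on the Azure management groups API response.

```ruby
# Added example: walk a management group response fetched with recurse: true.
# RESPONSE is constructed sample data; its keys (properties.children, type,
# name, displayName) are assumed to follow the Azure management groups API.
SUBSCRIPTION_TYPE = '/subscriptions'.freeze

RESPONSE = {
  'name' => 'ABCD-1234',
  'properties' => {
    'tenantId' => '00000000-0000-0000-0000-000000000000',
    'displayName' => 'Root group',
    'children' => [
      { 'type' => 'Microsoft.Management/managementGroups', 'name' => 'prod',
        'displayName' => 'Production',
        'children' => [
          { 'type' => SUBSCRIPTION_TYPE, 'name' => 'sub-prod-1', 'displayName' => 'Prod 1' }
        ] },
      { 'type' => SUBSCRIPTION_TYPE, 'name' => 'sub-stray', 'displayName' => 'Stray' }
    ]
  }
}.freeze

# Yield every descendant together with the list of group names above it.
def each_descendant(children, path, &block)
  Array(children).each do |child|
    block.call(child, path)
    each_descendant(child['children'], path + [child['name']], &block)
  end
end

# Map each subscription name to the management group path that contains it.
def subscription_paths(response)
  found = {}
  each_descendant(response.dig('properties', 'children'), [response['name']]) do |child, path|
    found[child['name']] = path if child['type'] == SUBSCRIPTION_TYPE
  end
  found
end

# Subscriptions attached directly to the queried group rather than to one
# of its child groups.
def direct_subscriptions(response)
  subscription_paths(response).select { |_name, path| path.length == 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  subscription_paths(RESPONSE).each { |name, path| puts "#{name}: #{path.join(' > ')}" }
  puts "direct: #{direct_subscriptions(RESPONSE).join(', ')}"
end
```
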

See integration tests for more examples.

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

# If we expect a resource to always exist.

describe azure_management_group(name: 'ABCD-1234') do
  it { should exist }
end

not_exists

# If we expect a resource to never exist.

describe azure_management_group(name: 'ABCD-1234') do
  it { should_not exist }
end

Azure permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.
