
azure_policy_assignments resource

Use the azure_policy_assignments InSpec resource to examine Azure Policy assignments to resources and resource groups.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

describe azure_policy_assignments do
  it { should exist }
end

Parameters

This resource does not require any parameters.

Properties

Please review the Azure documentation for a full description of the available properties.

ids
The ID of this policy assignment.

Filter: id

types
The Azure resource type.

Filter: type

names
The names of the policy assignments.

Filter: name

locations
The locations of the policy assignments.

Filter: location

tags
The tags of the policy assignments.

Filter: tags

displayNames
The display names of the policy assignments.

Filter: displayName

policyDefinitionIds
The IDs of the policies being assigned by these policy assignments.

Filter: policyDefinitionId

scopes
The scopes of the policy assignments (the resources they are attached to).

Filter: scope

notScopes
The scopes that are excluded from these policy assignments (blocks inheritance).

Filter: notScopes

parameters
The override parameters passed to the base policy by this assignment.

Filter: parameters

enforcementMode
The enforcement modes of these policy assignments.

Filter: enforcementModes

assignedBys
The IDs that assigned these policies.

Filter: assignedBy

parameterScopes
Unknown - no data observed in this field in the wild.

Filter: parameterScopes

created_bys
The IDs that created these policy assignments.

Filter: created_by

createdOns
The dates these policy assignments were created (as a Ruby Time object).

Filter: createdOn

updatedBys
The IDs that updated these policy assignments.

Filter: updatedBy

updatedOns
The dates these policy assignments were updated (as a Ruby Time object).

Filter: updatedOn

identityPrincipalIds
The principal IDs of the associated managed identities.

Filter: identityPrincipalId

identityTenantIds
The tenant IDs of the associated managed identities.

Filter: identityTenantId

identityTypes
The identity types of the associated managed identities.

Filter: identityType

Examples

Check that all assigned policies are in enforcing mode:

describe azure_policy_assignments.where { enforcement_mode == 'DoNotEnforce' } do
  it { should_not exist }
  its('display_names') { should eq [] }
end

Check that no policy assignments were created or modified in the last 30 days:

last_30_days = Time.now - (60 * 60 * 24 * 30)

describe azure_policy_assignments.where { (updatedOn > last_30_days) || (createdOn > last_30_days) } do
  it { should_not exist }
  its('ids') { should eq [] }
end
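
The checks above, plus a notScopes exclusion check, evaluated in plain Ruby over constructed records so the logic can be tried offline. This is an added example, not part of the InSpec resource pack: the record keys reuse the filter names listed under Properties, while `audit_assignments`, `SAMPLE_ASSIGNMENTS`, `SUB`, and all sample values are hypothetical.

```ruby
# Constructed sample records; keys reuse the filter names from this page.
SUB = '/subscriptions/00000000-0000-0000-0000-000000000000' # placeholder subscription ID

SAMPLE_ASSIGNMENTS = [
  { displayName: 'Require HTTPS on storage', scope: SUB, enforcementMode: 'Default',
    notScopes: [], createdOn: Time.utc(2023, 1, 10), updatedOn: Time.utc(2023, 2, 1) },
  { displayName: 'Allowed locations', scope: SUB, enforcementMode: 'DoNotEnforce',
    notScopes: [], createdOn: Time.utc(2023, 3, 1), updatedOn: nil },
  { displayName: 'Deny public IP', scope: SUB, enforcementMode: 'Default',
    notScopes: ["#{SUB}/resourceGroups/sandbox"],
    createdOn: Time.utc(2023, 5, 1), updatedOn: Time.utc(2024, 6, 20) }
].freeze

# Hypothetical helper: returns one { name:, reason: } hash per finding.
def audit_assignments(assignments, now: Time.now.utc, window_days: 30)
  cutoff = now - (window_days * 24 * 60 * 60)
  assignments.flat_map do |a|
    reasons = []
    reasons << 'enforcement disabled (DoNotEnforce)' if a[:enforcementMode] == 'DoNotEnforce'

    # Each notScopes entry carves a scope out of the assignment's coverage.
    excluded = Array(a[:notScopes])
    reasons << "notScopes excludes: #{excluded.join(', ')}" unless excluded.empty?

    # In this constructed data updatedOn may be nil; compare only present timestamps.
    last_change = [a[:createdOn], a[:updatedOn]].compact.max
    reasons << "created or updated in the last #{window_days} days" if last_change && last_change > cutoff

    reasons.map { |reason| { name: a[:displayName], reason: reason } }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Fixed "now" so the constructed dates give a stable result.
  audit_assignments(SAMPLE_ASSIGNMENTS, now: Time.utc(2024, 6, 30)).each do |f|
    puts "#{f[:name]}: #{f[:reason]}"
  end
end
```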

Azure permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.
