Skip to main content

azure_policy_definition resource

Use the azure_policy_definition InSpec audit resource to test the properties and configuration of an Azure Policy definition.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

name or the resource_id are required parameters.

describe azure_policy_definition(name: 'MY_POLICY') do
  it { should exist }
end

describe azure_policy_definition(resource_id: '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}') do
  it { should exist }
end

Parameters

name
Name of the policy definition. policyDefinitionName.
built_in Optional
Indicates whether the policy definition is built-in. Defaults to false if not supplied. This should not be used when resource_id is provided.
resource_id
The unique resource ID.

Either one of the parameter sets can be provided for a valid query:

  • resource_id
  • name
  • name and built_in

Properties

properties.description
The policy definition description.
properties.displayName
The display name of the policy definition.
properties.policyType
The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static.
properties.policyRule
The policy rule.

For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.

Also, see the Azure documentation for other available properties. You can access any attribute in the response with the key names separated by dots (.). For example, properties.<attribute>.

Examples

Test a policy definition display name:

describe azure_policy_definition(name: 'MY_POLICY') do
  its('properties.displayName') { should cmp "Enforce 'owner' tag on resource groups" }
end

Test a policy definition rule:

describe azure_policy_definition(name: 'MY_POLICY', built_in: true ) do
  its('properties.policyRule.then.effect') { should cmp 'deny' }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

custom

Test if a policy definition type is Custom or not.

describe azure_policy_definition(name: 'MY_POLICY') do
  it { should be_custom }
end

exists

# If we expect a resource to always exist.

describe azure_policy_definition(name: 'MY_POLICY', built_in: true ) do
  it { should exist }
end

not_exists

# If we expect a resource to never exist.

describe azure_policy_definition(name: 'MY_POLICY') do
  it { should_not exist }
end

Azure permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Thank you for your feedback!

×