azure_policy_assignments Resource
Use the azure_policy_assignments InSpec resource to examine the Azure Policy assignments in a subscription: which policy definitions are assigned, at which scope, with which exclusions and parameters, and whether they are enforced.
Azure REST API Version, Endpoint, and HTTP Client Parameters
This resource interacts with API versions supported by the resource provider.
The api_version
can be defined as a resource parameter.
If not provided, this resource uses the latest version.
For more information, refer to the azure_generic_resource
document.
Unless defined, this resource uses the azure_cloud
global endpoint and default values for the HTTP client.
For more information, refer to the resource pack README.
Installation
This resource is available in the Chef InSpec Azure resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.
Syntax
describe azure_policy_assignments do
  it { should exist }
end
Parameters
This resource does not require any parameters. The optional api_version parameter described above may be supplied to pin the REST API version.
Properties
Please review the Azure documentation for a full description of the available properties.
ids
- The IDs of these policy assignments.
Filter: id
types
- The Azure resource types (Microsoft.Authorization/policyAssignments).
Filter: type
names
- The names of the policy assignments.
Filter: name
locations
- The locations of the policy assignments.
Filter: location
tags
- The tags of the policy assignments.
Filter: tags
displayNames
- The display names of the policy assignments.
Filter: displayName
policyDefinitionIds
- The IDs of the policies being assigned by these policy assignments.
Filter: policyDefinitionId
scopes
- The scopes of the policy assignments (the management group, subscription, resource group or resource each one is attached to).
Filter: scope
notScopes
- The scopes excluded from these policy assignments; a resource under a notScope does not inherit the assignment.
Filter: notScopes
parameters
- The parameter values each assignment passes to its policy definition, overriding the definition's defaults.
Filter: parameters
enforcementModes
- The enforcement modes of these policy assignments: Default (the policy effect is applied) or DoNotEnforce (compliance is evaluated and reported, but the effect is not applied).
Filter: enforcementMode
assignedBys
- The identities recorded in the assignment metadata as having assigned these policies.
Filter: assignedBy
parameterScopes
- Unknown - no data observed in this field in the wild.
Filter: parameterScopes
created_bys
- The IDs that created these policy assignments.
Filter: created_by
createdOns
- The dates these policy assignments were created (as a Ruby Time object).
Filter: createdOn
updatedBys
- The IDs that updated these policy assignments.
Filter: updatedBy
updatedOns
- The dates these policy assignments were updated (as a Ruby Time object).
Filter: updatedOn
identityPrincipalIds
- The principal IDs of the associated managed identities.
Filter: identityPrincipalId
identityTenantIds
- The tenant IDs of the associated managed identities.
Filter: identityTenantId
identityTypes
- The identity types of the associated managed identities.
Filter: identityType
Examples
Check that all policy assignments are in enforcing mode, that is, none has enforcementMode set to DoNotEnforce.
describe azure_policy_assignments.where{ enforcementMode == 'DoNotEnforce' } do
  it { should_not exist }
  its('displayNames') { should eq [] }
end
Check that no policy assignments were created or modified in the last 30 days. updatedOn may be nil for an assignment that has never been changed since it was created, so guard it before comparing.
last_30_days = Time.now - (60*60*24*30)
describe azure_policy_assignments.where{ (createdOn > last_30_days) || (!updatedOn.nil? && updatedOn > last_30_days) } do
  it { should_not exist }
  its('ids') { should eq [] }
end
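The property table above is a flattening of the policyAssignments REST payload: top-level fields, then the properties object, then properties.metadata, with the identity object exposed as the identity* properties. The following plain-Ruby example is added here to make that mapping concrete and to show the checks from the examples above (non-enforcing assignments, recent changes with a nil-safe updatedOn, notScopes exclusions, scope classification) running over a constructed sample response. It is not code from the InSpec Azure resource pack; the flattening is this editor's reading of the property table, the GUIDs and names in the sample are placeholders, and the function names are arbitrary.

```ruby
require 'json'
require 'time'

# Constructed sample (placeholder GUIDs, not real tenant data): a trimmed list
# response in the shape GET .../providers/Microsoft.Authorization/policyAssignments returns.
SAMPLE_RESPONSE = <<~JSON
  {"value": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/require-tags",
     "type": "Microsoft.Authorization/policyAssignments", "name": "require-tags", "location": "eastus",
     "identity": {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111",
                  "tenantId": "22222222-2222-2222-2222-222222222222"},
     "properties": {
       "displayName": "Require a tag on resources",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaaaaaaa-0000-0000-0000-000000000001",
       "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
       "notScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sandbox"],
       "parameters": {"tagName": {"value": "owner"}},
       "enforcementMode": "DoNotEnforce",
       "metadata": {"assignedBy": "ops@example.com",
                    "createdBy": "33333333-3333-3333-3333-333333333333", "createdOn": "2021-03-01T10:00:00.1234567Z",
                    "updatedBy": "33333333-3333-3333-3333-333333333333", "updatedOn": "2021-06-15T09:30:00.0000000Z"}}},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-net/providers/Microsoft.Authorization/policyAssignments/deny-public-ip",
     "type": "Microsoft.Authorization/policyAssignments", "name": "deny-public-ip",
     "properties": {
       "displayName": "Deny public IP addresses",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaaaaaaa-0000-0000-0000-000000000002",
       "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-net",
       "notScopes": [], "enforcementMode": "Default",
       "metadata": {"assignedBy": "secops@example.com",
                    "createdBy": "44444444-4444-4444-4444-444444444444", "createdOn": "2021-05-20T08:00:00.0000000Z",
                    "updatedBy": null, "updatedOn": null}}}
  ]}
JSON

# Flatten one record into a row keyed like this page's filter fields: top-level
# fields, then `properties`, then `properties.metadata`, with `identity` exposed
# as identityType / identityPrincipalId / identityTenantId. This is an
# illustration of the property table, not the resource pack's own code.
def flatten_assignment(record)
  props    = record.fetch('properties', {}) || {}
  metadata = props.fetch('metadata', {}) || {}
  identity = record.fetch('identity', {}) || {}
  row = record.reject { |k, _| %w[properties identity].include?(k) }
  row.merge!(props.reject { |k, _| k == 'metadata' })
  row.merge!(metadata)
  row['identityType']        = identity['type']
  row['identityPrincipalId'] = identity['principalId']
  row['identityTenantId']    = identity['tenantId']
  # Timestamps become Ruby Time objects. A never-updated assignment carries a
  # null updatedOn, which must stay nil instead of raising during parsing.
  %w[createdOn updatedOn].each { |k| row[k] = row[k] && Time.iso8601(row[k]) }
  row['notScopes'] ||= []
  row['enforcementMode'] ||= 'Default' # the API's value when unset
  row
end

def load_assignments(json)
  JSON.parse(json).fetch('value').map { |r| flatten_assignment(r) }
end

# InSpec equivalent: azure_policy_assignments.where { enforcementMode == 'DoNotEnforce' }
def not_enforcing(rows)
  rows.select { |r| r['enforcementMode'] == 'DoNotEnforce' }.map { |r| r['displayName'] }
end

# InSpec equivalent: .where { createdOn > since || (!updatedOn.nil? && updatedOn > since) }
# `compact` drops the nil updatedOn of assignments never changed since creation.
def changed_since(rows, since)
  rows.select { |r| [r['createdOn'], r['updatedOn']].compact.any? { |t| t > since } }
      .map { |r| r['name'] }
end

# Every non-empty notScopes list is a hole in the assignment's coverage and
# deserves review: resources under those scopes do not inherit the policy.
def with_exclusions(rows)
  rows.reject { |r| r['notScopes'].empty? }.to_h { |r| [r['name'], r['notScopes']] }
end

# Classify a scope string so a control can demand, e.g., subscription-level assignment.
def scope_level(scope)
  case scope
  when %r{\A/providers/Microsoft\.Management/managementGroups/}i then :management_group
  when %r{/resourceGroups/[^/]+/providers/}i                    then :resource
  when %r{/resourceGroups/[^/]+\z}i                             then :resource_group
  when %r{\A/subscriptions/[^/]+\z}i                            then :subscription
  else :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  rows = load_assignments(SAMPLE_RESPONSE)
  puts "Not enforcing:  #{not_enforcing(rows).inspect}"
  puts "Changed lately: #{changed_since(rows, Time.now - 60 * 60 * 24 * 30).inspect}"
  puts "Exclusions:     #{with_exclusions(rows).inspect}"
  rows.each { |r| puts "#{r['name']}: #{scope_level(r['scope'])}" }
end
```

Run it with a real list response saved to a file to see how each documented property lines up with the payload. In a profile the same conditions go inside where{} blocks on azure_policy_assignments, which already performs the flattening for you.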
Azure Permissions
The resource pack's general guidance is that your Service Principal has at least the Contributor role on the subscription you wish to test. This resource only reads policy assignments (Microsoft.Authorization/policyAssignments/read), so the built-in Reader role, whose */read action covers that permission, is sufficient and is the least-privilege choice for a profile that uses read-only resources.