policy.tf
#########################################################################
# Policy (https://learn.microsoft.com/azure/governance/policy/overview) #
#########################################################################
# Feature flags for the subscription-level policy defined in this file.
# The flag gates only the assignment below; the policy definition resource
# itself is always created.
variable "policy" {
  type = object({
    # Assign the custom "denyPasswordAuthLinux" definition to the subscription.
    denyPasswordAuthLinux = object({
      enable = bool
    })
  })
}
# Subscription-scoped assignment of the deny rule defined below. The resource
# only exists when var.policy.denyPasswordAuthLinux.enable is true.
resource "azurerm_subscription_policy_assignment" "deny_password_auth_linux" {
  count = var.policy.denyPasswordAuthLinux.enable ? 1 : 0

  name                 = azurerm_policy_definition.deny_password_auth_linux.name
  policy_definition_id = azurerm_policy_definition.deny_password_auth_linux.id
  subscription_id      = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"

  # The provider requires a location whenever an identity block is present.
  location = azurerm_resource_group.foundation.location

  # NOTE(review): a "deny" effect does not use a managed identity; presumably
  # the identity is shared with other assignments in this stack — confirm.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.main.id]
  }
}
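# Custom definition: reject Linux VMs that leave password authentication
# enabled. Deny is evaluated against the incoming request, so a request that
# omits disablePasswordAuthentication (which leaves password auth enabled)
# must be treated like one that sets it to false; the previous rule only
# matched an explicit "false" and let omitted values through.
#
# NOTE(review): the "exists = false" branch also matches VMs that carry no
# linuxConfiguration at all (e.g. ones built from a specialized image) — confirm
# this is acceptable before rolling out, or add an osProfile-presence check.
resource "azurerm_policy_definition" "deny_password_auth_linux" {
  name         = "denyPasswordAuthLinux"
  display_name = "Deny Linux VM password authentication"
  policy_type  = "Custom"
  mode         = "Indexed"

  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType"
          equals = "Linux"
        },
        {
          # Password auth is on when the property is explicitly false or unset.
          anyOf = [
            {
              field  = "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.disablePasswordAuthentication"
              exists = "false"
            },
            {
              field  = "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.disablePasswordAuthentication"
              equals = "false"
            }
          ]
        }
      ]
    }
    then = {
      effect = "deny"
    }
  })
}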