Are you looking to add a built-in Azure Policy to your Microsoft Accelerator Landing Zone (ALZ) deployment using Terraform? Here’s a simple step-by-step guide to help you do just that.
First, you need to identify the specific policy you want to apply. Azure has a built-in policy called “Ensure that public network access is disabled in managed disks.” You can find this policy in the Azure portal under Policy → Definitions, or you can use Terraform’s data sources to get it programmatically with this code:
```hcl
data "azurerm_policy_definition" "disable_disk_public_network" {
  display_name = "Ensure that public network access is disabled in managed disks"
}
```
Next, you’ll add a new policy assignment within your ALZ configuration. The ALZ Terraform project offers a variable called “policy_assignments” in the management group landing zone module. You can add your new policy like this, usually in your landing_zone.mgmt_group.tfvars file:
```hcl
policy_assignments = {
  disable_disk_public_network = {
    display_name         = "Disable public network access for managed disks"
    description          = "Ensure public network access is disabled on all Managed Disks"
    # Note: a reference such as data.*.id is only valid in a .tf file, not in a
    # .tfvars file; if this map lives in .tfvars, paste the literal definition ID here.
    policy_definition_id = data.azurerm_policy_definition.disable_disk_public_network.id
    enforcement_mode     = "Enabled" # or "Default"
    parameters           = {}        # No parameters needed for this policy
    scope                = var.management_group_id # Use default if not specified
  }
}
```
Once you’ve added the policy, run these Terraform commands from your command line in the landingzones/mgmtgroup directory:
```bash
terraform init
terraform plan -var-file=landing_zone.mgmt_group.tfvars
terraform apply -var-file=landing_zone.mgmt_group.tfvars
```
This process will attach the new policy to your management group, and it will automatically apply to all subscriptions beneath it.
Finally, verify that the policy is in effect. It may take about 15–30 minutes for Azure to process the new policy assignment. Then follow these steps:
- In the Azure portal, go to Policy → Assignments.
- Look for the “Disable public network access for managed disks” assignment at the management group level.
- Check the Compliance tab to ensure no resources are violating the policy by having public endpoints.
Following this guide should help you effectively apply this security policy across your environment using Terraform. If you have any questions or run into issues, feel free to ask!
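For readers who want to see the same assignment without the ALZ module wrapper, here is an added example (not the ALZ project's own code) that wires the data source lookup directly into the azurerm provider's management group policy assignment resource in a single .tf file, so the definition ID is resolved at plan time rather than hard-coded. The `management_group_id` variable and the assignment name are assumptions for this example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed input: resource ID of the management group the ALZ deployment manages,
# e.g. /providers/Microsoft.Management/managementGroups/<your-mg-name>
variable "management_group_id" {
  description = "Resource ID of the target management group"
  type        = string
}

# Look up the built-in definition by display name so no GUID is hard-coded.
data "azurerm_policy_definition" "disable_disk_public_network" {
  display_name = "Ensure that public network access is disabled in managed disks"
}

# Direct provider equivalent of the policy_assignments map entry above.
resource "azurerm_management_group_policy_assignment" "disable_disk_public_network" {
  name                 = "disable-disk-public-net" # assumed; max 24 chars at MG scope
  management_group_id  = var.management_group_id
  policy_definition_id = data.azurerm_policy_definition.disable_disk_public_network.id
  display_name         = "Disable public network access for managed disks"
  description          = "Ensure public network access is disabled on all Managed Disks"
  # true = deny/enforce; set false (DoNotEnforce) to audit only while piloting.
  enforce = true
  # No parameters block: this definition takes none.

  non_compliance_message {
    content = "Managed disks must not allow public network access."
  }
}

# Handy for confirming the resolved definition ID in terraform output.
output "policy_definition_id" {
  value = data.azurerm_policy_definition.disable_disk_public_network.id
}
```

After `terraform apply`, the assignment shows up under Policy → Assignments at the management group scope exactly as described in the verification steps above.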