(AzureCXP) fixes MicrosoftDocs/azure-docs#103542

SwathiDhanwada-MSFT · web-flow · commit 161f3a35e66c · 2023-01-17T21:35:03.000+05:30
diff --git a/articles/governance/policy/assign-policy-terraform.md b/articles/governance/policy/assign-policy-terraform.md
@@ -12,7 +12,7 @@ This quickstart steps you through the process of creating a policy assignment to
 machines that aren't using managed disks.
 
 At the end of this process, you'll successfully identify virtual machines that aren't using managed
-disks. They're _non-compliant_ with the policy assignment.
+disks across subscription. They're _non-compliant_ with the policy assignment.
 
 ## Prerequisites
 
@@ -38,6 +38,10 @@ for Azure Policy use the
 1. Create a new folder named `policy-assignment` and change directories into it.
 
 1. Create `main.tf` with the following code:
+ 
+> [!NOTE]
+> To create a Policy Assignment at a Management Group use the [azurerm_management_group_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) resource, for a Resource Group use the [azurerm_resource_group_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_policy_assignment) and for a Subscription use the [azurerm_subscription_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment) resource.
+   
 
     ```hcl
     provider "azurerm" {
@@ -53,9 +57,9 @@ for Azure Policy use the
      } 
     }
 
-    resource "azurerm_resource_policy_assignment" "auditvms" { 
+    resource "azurerm_subscription_policy_assignment" "auditvms" { 
      name = "audit-vm-manageddisks" 
-     resource_id = var.cust_scope 
+     subscription_id = var.cust_scope 
      policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" 
      description = "Shows all virtual machines not using managed disks" 
      display_name = "Audit VMs without managed disks assignment" 
@@ -72,7 +76,7 @@ for Azure Policy use the
 
    A scope determines what resources or grouping of resources the policy assignment gets enforced
    on. It could range from a management group to an individual resource. Be sure to replace
-   `{scope}` with one of the following patterns:
+   `{scope}` with one of the following patterns based on the declared resource:
 
    - Subscription: `/subscriptions/{subscriptionId}`
    - Resource group: `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}`
@@ -144,7 +148,7 @@ returned by `terraform apply`. With it, run the following command to get the res
 non-compliant resources that are output into a JSON file:
 
 ```console
-armclient post "/subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>
+armclient post "/subscriptions/<subscriptionID>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>
 ```
 
 Your results resemble the following example:
