Merge pull request #297103 from TomArcherMsft/101-azure-policy

101-azure-policy

Author: JamesJBarnett

articles/governance/policy/assign-policy-terraform.md

@@ -1,207 +1,103 @@
 ---
-title: "Quickstart: New policy assignment with Terraform"
-description: In this quickstart, you use Terraform and Hashicorp Configuration Language (HCL) syntax to create a policy assignment to identify non-compliant resources.
-ms.date: 03/04/2025
+title: 'Quickstart: New policy assignment with Terraform'
+description: In this quickstart, you use Terraform and Hashicorp Configuration Language (HCL) syntax to create a policy assignment to identify noncompliant resources.
+ms.date: 03/26/2025
 ms.topic: quickstart
 ms.custom: devx-track-terraform
 ms.tool: terraform
+#customer intent: As a Terraform user, I want to see how to assign an Azure policy
+content_well_notification: 
+  - AI-contribution
 ---
 
-# Quickstart: Create a policy assignment to identify non-compliant resources using Terraform
+# Quickstart: Create a policy assignment to identify noncompliant resources using Terraform
 
-The first step in understanding compliance in Azure is to identify the status of your resources.
-This quickstart steps you through the process of creating a policy assignment to identify virtual
-machines that aren't using managed disks.
-
-At the end of this process, you identify virtual machines that aren't using managed disks across subscription. They're _non-compliant_ with the policy assignment.
+The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of creating a policy assignment to identify virtual
+machines that are not using managed disks.
 
 [!INCLUDE [azure-policy-version-default](../includes/policy/policy-version-default.md)]
 
-## Prerequisites
-
-- If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/)
-  account before you begin.
-- [Terraform](https://www.terraform.io/) version 0.12.0 or higher configured in your environment.
-  For instructions, see
-  [Configure Terraform using Azure Cloud Shell](/azure/developer/terraform/get-started-cloud-shell).
-- This quickstart requires that you run Azure CLI version 2.13.0 or later. To find the version, run
-  `az --version`. If you need to install or upgrade, see
-  [Install Azure CLI](/cli/azure/install-azure-cli).
-
-## Create the Terraform configuration, variable, and output file
-
-In this quickstart, you create a policy assignment and assign the [Audit VMs that do not use managed disks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) definition. This policy definition identifies resources that aren't compliant to the conditions set in the policy definition.
-
-Configure the Terraform configuration, variable, and output files. The Terraform resources
-for Azure Policy use the [Azure Provider](https://www.terraform.io/docs/providers/azurerm/index.html).
-
-1. Create a new folder named `policy-assignment` and change directories into it.
+[!INCLUDE [About Terraform](~/azure-dev-docs-pr/articles/terraform/includes/abstract.md)]
 
-1. Create `main.tf` with the following code:
-
-    > [!NOTE]
-    > To create a Policy Assignment at a Management Group use the [azurerm_management_group_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) resource, for a Resource Group use the [azurerm_resource_group_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_policy_assignment) and for a Subscription use the [azurerm_subscription_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment) resource.
-
-
-    ```terraform
-      provider "azurerm" {
-        features {}
-      }
-
-      terraform {
-      required_providers {
-          azurerm = {
-              source = "hashicorp/azurerm"
-              version = ">= 2.96.0"
-          }
-        }
-      }
-
-      resource "azurerm_subscription_policy_assignment" "auditvms" {
-      name = "audit-vm-manageddisks"
-      subscription_id = var.cust_scope
-      policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
-      description = "Shows all virtual machines not using managed disks"
-      display_name = "Audit VMs without managed disks assignment"
-      }
-    ```
+In this article, you learn how to:
 
-1. Create `variables.tf` with the following code:
+> [!div class="checklist"]
+> * Retrieve the current Azure client configuration.
+> * Create a Azure resource group with the generated random name.
+> * Create Subscription Policy Assignment to identify virtual machines that aren't using managed disks
 
-    ```terraform
-    variable "cust_scope" {
-        default = "{scope}"
-    }
-    ```
-
-   A scope determines what resources or grouping of resources the policy assignment gets enforced on. It could range from a management group to an individual  resource. Be sure to replace `{scope}` with one of the following patterns based on the declared resource:
-
-   - Subscription: `/subscriptions/{subscriptionId}`
-   - Resource group: `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}`
-   - Resource: `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]`
-
-1. Create `output.tf` with the following code:
-
-    ```terraform
-    output "assignment_id" {
-        value = azurerm_subscription_policy_assignment.auditvms.id
-    }
-    ```
+## Prerequisites
 
-## Initialize Terraform and create plan
+- Create an Azure account with an active subscription. You can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 
-Initialize Terraform to download the necessary providers and then create a plan.
+- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)
 
-1. Run the [terraform init](https://www.terraform.io/docs/commands/init.html) command. This command
-   downloads the Azure modules required to create the Azure resources in the Terraform
-   configuration.
+## Implement the Terraform code
 
-   ```bash
-   terraform init
-   ```
+The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-azure-policy). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-azure-policy/TestRecord.md). See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)
 
-   :::image type="content" source="./media/assign-policy-terraform/terraform-initialize.png" alt-text="Screenshot of running the terraform init command that shows downloading the azurerm module and a success message.":::
+1. Create a directory in which to test and run the sample Terraform code, and make it the current directory.
 
-1. Authenticate with [Azure CLI](/cli/azure/) for Terraform. For more information, see
-   [Azure Provider: Authenticating using the Azure CLI](https://www.terraform.io/docs/providers/azurerm/guides/azure_cli.html).
+1. Create a file named `providers.tf` and insert the following code.
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-policy/providers.tf":::
 
-   ```azurecli
-   az login
-   ```
+1. Create a file named `main.tf` and insert the following code.
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-policy/main.tf":::
 
-1. Create the execution plan with the
-   [terraform plan](https://www.terraform.io/docs/commands/plan.html) command and **out** parameter.
+1. Create a file named `variables.tf` and insert the following code.
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-policy/variables.tf":::
 
-   ```bash
-   terraform plan -out assignment.tfplan
-   ```
+1. Create a file named `outputs.tf` and insert the following code.
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-policy/outputs.tf":::
 
-   :::image type="content" source="./media/assign-policy-terraform/terraform-plan-out.png" alt-text="Screenshot of running the terraform plan command and out parameter to show the Azure resource that would be created.":::
+## Specify scope
 
-   > [!NOTE]
-   > For information about persisting execution plans and security, see
-   > [Terraform Plan: Security Warning](https://www.terraform.io/docs/commands/plan.html#security-warning).
+A scope determines what resources or grouping of resources the policy assignment gets enforced on. It could range from a management group to an individual resource. To use any of the following scopes, update the `scope` variable in the `variables.tf` file. If you leave the `scope` variable value blank, the "subscription" scope is used.
 
-## Apply the Terraform execution plan
+- Subscription: `/subscriptions/<subscription_id>`
+- Resource group: `/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>`
+- Resource: `/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<resource_provider_namespace>/[{parentResourcePath}/]`
 
-Apply the execution plan.
+## Initialize Terraform
 
-Run the [terraform apply](https://www.terraform.io/docs/commands/apply.html) command and specify the
-`assignment.tfplan` already created.
+> [!IMPORTANT]
+> If you are using the 4.x azurerm provider, you must [explicitly specify the Azure subscription ID](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide#specifying-subscription-id-is-now-mandatory) to authenticate to Azure before running the Terraform commands.
+>
+> One way to specify the Azure subscription ID without putting it in the `providers` block is to specify the subscription ID in an environment variable named `ARM_SUBSCRIPTION_ID`.
+>
+> For more information, see the [Azure provider reference documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#argument-reference).
 
-```bash
-terraform apply assignment.tfplan
-```
+[!INCLUDE [terraform-init.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-init.md)]
 
-:::image type="content" source="./media/assign-policy-terraform/terraform-apply.png" alt-text="Screenshot of running the terraform apply command and the resulting resource creation.":::
+## Create a Terraform execution plan
 
-With the `Apply complete! Resources: 1 added, 0 changed, 0 destroyed.` message, the policy
-assignment is now created. Since we defined the `outputs.tf` file, the _assignment\_id_ is also
-returned.
+[!INCLUDE [terraform-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan.md)]
 
-## Identify non-compliant resources
+## Apply a Terraform execution plan
 
-To view the resources that aren't compliant under this new assignment, use the _assignment\_id_
-returned by ```terraform apply```. With it, run the following command to get the resource IDs of the
-non-compliant resources that are output into a JSON file:
+[!INCLUDE [terraform-apply-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-apply-plan.md)]
 
-```console
-armclient post "/subscriptions/<subscriptionID>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>
-```
+## Verify the results
 
-Your results resemble the following example:
+1. Get the `_assignment\_id_` returned by `terraform apply`.
 
-```json
-{
-  "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest",
-  "@odata.count": 3,
-  "value": [
-    {
-      "@odata.id": null,
-      "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
-      "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachineId>"
-    },
-    {
-      "@odata.id": null,
-      "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
-      "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachine2Id>"
-    },
-    {
-      "@odata.id": null,
-      "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
-      "ResourceId": "/subscriptions/<subscriptionName>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachine3ID>"
-    }
-  ]
-}
-```
+1. run the following command to view the resources that are not compliant under your new policy assignment.
 
-The results are comparable to what you'd typically see listed under **Non-compliant resources** in
-the Azure portal view.
+    ```console
+    armclient post "/subscriptions/<subscription_id>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>
+    ```
+    
+1. The results are comparable to what you see listed under **Noncompliant resources** in the Azure portal view.
 
 ## Clean up resources
 
-To remove the assignment created, use Azure CLI or reverse the Terraform execution plan with
-`terraform destroy`.
-
-- Azure CLI
+[!INCLUDE [terraform-plan-destroy.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan-destroy.md)]
 
-  ```azurecli-interactive
-  az policy assignment delete --name 'audit-vm-manageddisks' --scope '/subscriptions/<subscriptionID>/<resourceGroupName>'
-  ```
+## Troubleshoot Terraform on Azure
 
-- Terraform
-
-  ```bash
-  terraform destroy
-  ```
+[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot).
 
 ## Next steps
 
-In this quickstart, you assigned a policy definition to identify non-compliant resources in your
-Azure environment.
-
-To learn more about assigning policies to validate that new resources are compliant, continue to the
-tutorial for:
-
 > [!div class="nextstepaction"]
 > [Tutorial: Create and manage policies to enforce compliance](./tutorials/create-and-manage.md)

articles/storage-actions/storage-tasks/storage-task-quickstart-terraform.md

@@ -7,7 +7,7 @@ ms.service: azure-storage-actions
 ms.custom: devx-track-terraform;build-2023-metadata-update
 ms.topic: quickstart
 ms.author: normesta
-ms.date: 03/25/2025
+ms.date: 03/26/2025
 #customer intent: As a Terraform user, I want to see how to create a storage task using Terraform.
 content_well_notification: 
   - AI-contribution
@@ -17,16 +17,17 @@ content_well_notification:
 
 A storage task can perform operations on blobs in an Azure Storage account. As you create a task, you can define the conditions that must be met by each object (container or blob), and the operations to perform on the object. You can also identify one or more Azure Storage account targets. See [What are Azure Storage Actions?](../overview.md).
 
-In this how-to article, you'll learn how to create a storage task using Terraform.
+In this how-to article, you learn how to create a storage task using Terraform.
 
 > [!IMPORTANT]
 > Azure Storage Actions is currently in PREVIEW and is available in these [regions](../overview.md#supported-regions).
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
 [!INCLUDE [About Terraform](~/azure-dev-docs-pr/articles/terraform/includes/abstract.md)]
 
+In this article, you learn how to:
+
 > [!div class="checklist"]
-> * Retrieve the current Azure client configuration.
 > * Generate a random name for the resource group.
 > * Create a new Azure resource group with the generated name.
 > * Generate a random string to be used as the storage task name.