simonbrady/azure-nzism

Terraform sample for Azure NZISM regulatory compliance
azure-nzism

Deploys the Azure New Zealand ISM Restricted regulatory compliance initiative using Terraform.

For background see:

Deployment

This sample can assign the policy at resource group, subscription, or management group scope. To set the scope, uncomment and set one of the variables in `terraform.tfvars`. Note that `resource_group_name` is the name of a new resource group to create, while `management_group_name` and `subscription_id` refer to existing objects.

You can also set additional parameters by editing the `parameters` local in `main.tf`. Unlike the blueprint sample or the portal, you need to use the underlying parameter name rather than selecting by display name. You can find these in the `parameters` section of the initiative definition.

To deploy, run:

```shell
terraform init
terraform apply
```

Mapping controls to policies

Regulatory compliance introduces the concept of controls, which are enforced by zero or more Azure policies (a control without any policies has to be manually enforced by the user). One advantage of deploying this sample is that it's much easier to see the control/policy mapping in the portal than in the initiative source.

To work directly with the source, you can use the Azure CLI to query controls (policy metadata objects) and their associated policy IDs. For example, given this policy definition block in the source:

```json
{
  "policyDefinitionReferenceId": "057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
  "parameters": {
    "effect": {
      "value": "[parameters('effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9')]"
    }
  },
  "groupNames": [
    "NZISM_Security_Benchmark_v1.1_ISM-4"
  ]
},
```

you can run these commands:

```shell
$ az policy metadata show -n "NZISM_Security_Benchmark_v1.1_ISM-4" --query title -o tsv
6.2.6 Resolving vulnerabilities
$ az policy definition list --query "[?name=='057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9'].displayName" -o tsv
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports
```

Remember there can be more than one policy for a single control.
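Running the two `az` commands by hand for every policy does not scale to a whole initiative, and it does not surface the controls that have no policy at all. The script below is an added example (not part of the azure-nzism repository) that builds the control-to-policy mapping offline from the initiative source. It assumes the policy set definition JSON has the shape shown above (`policyDefinitions` entries carrying `groupNames`) plus a `policyDefinitionGroups` list naming every control with a `displayName`; the sample it runs against is constructed here, with the first policy copied from the README and the remaining entries and IDs made up to show a control backed by two policies and a control backed by none.

```python
"""Map NZISM regulatory-compliance controls to the policies that enforce them.

Added example, not part of the azure-nzism repository. It reads the policy
set definition (initiative) JSON offline, so the az CLI is only needed for
the display-name lookups the script generates at the end.
"""
import json

# Constructed sample in the shape of an Azure policy set definition.
# First policy entry is the one shown in the README; the other IDs,
# group names and display names are made up for illustration.
SAMPLE_INITIATIVE = json.loads(r"""
{
  "properties": {
    "policyDefinitionGroups": [
      {"name": "NZISM_Security_Benchmark_v1.1_ISM-4",
       "displayName": "6.2.6 Resolving vulnerabilities"},
      {"name": "NZISM_Security_Benchmark_v1.1_EXAMPLE-A",
       "displayName": "constructed control A"},
      {"name": "NZISM_Security_Benchmark_v1.1_EXAMPLE-MANUAL",
       "displayName": "constructed control with no policies"}
    ],
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {"effect": {"value": "[parameters('effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9')]"}},
        "groupNames": ["NZISM_Security_Benchmark_v1.1_ISM-4"]
      },
      {
        "policyDefinitionReferenceId": "00000000-0000-0000-0000-00000000000a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-00000000000a",
        "groupNames": ["NZISM_Security_Benchmark_v1.1_ISM-4",
                       "NZISM_Security_Benchmark_v1.1_EXAMPLE-A"]
      }
    ]
  }
}
""")


def control_policy_map(initiative):
    """Return {control name: [policy definition name, ...]}.

    Every control in policyDefinitionGroups is present even when its list is
    empty, so manual-only controls are visible rather than silently absent.
    A policy listed under several groups is counted once per group.
    """
    props = initiative["properties"]
    mapping = {g["name"]: [] for g in props.get("policyDefinitionGroups", [])}
    for pd in props["policyDefinitions"]:
        # The policy name is the last path segment of policyDefinitionId.
        policy_name = pd["policyDefinitionId"].rsplit("/", 1)[-1]
        for group in pd.get("groupNames", []):
            mapping.setdefault(group, []).append(policy_name)
    return mapping


def manual_controls(initiative):
    """Controls that no policy enforces; these must be handled manually."""
    return sorted(c for c, pols in control_policy_map(initiative).items() if not pols)


def control_titles(initiative):
    """{control name: display title} from the initiative's own group list."""
    groups = initiative["properties"].get("policyDefinitionGroups", [])
    return {g["name"]: g.get("displayName", "") for g in groups}


def az_lookup_commands(initiative, control):
    """Generate the README's two az CLI lookups for one control (not run here)."""
    cmds = ['az policy metadata show -n "{}" --query title -o tsv'.format(control)]
    for policy_name in control_policy_map(initiative).get(control, []):
        cmds.append('az policy definition list --query "[?name==\'{}\'].displayName" -o tsv'
                    .format(policy_name))
    return cmds


if __name__ == "__main__":
    titles = control_titles(SAMPLE_INITIATIVE)
    for control, policies in control_policy_map(SAMPLE_INITIATIVE).items():
        print("{} ({}): {} policies".format(control, titles.get(control, ""), len(policies)))
        for name in policies:
            print("    " + name)
    print("manual controls:", manual_controls(SAMPLE_INITIATIVE))
    print("\n".join(az_lookup_commands(SAMPLE_INITIATIVE, "NZISM_Security_Benchmark_v1.1_ISM-4")))
```

To use it against the real initiative, replace `SAMPLE_INITIATIVE` with the output of `az policy set-definition show` for the NZISM Restricted initiative loaded from a file; the `manual_controls` list is the set a reviewer has to attest to outside Azure Policy.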
