salt.states.azurearm_resource

Azure (ARM) Resource State Module

New in version 2019.2.0.

maintainer

<devops@decisionlab.io>

maturity

new

depends
platform

linux

configuration

This module requires Azure Resource Manager credentials to be passed as a dictionary of keyword arguments to the connection_auth parameter in order to work properly. Since the authentication parameters are sensitive, it's recommended to pass them to the states via pillar.

Required provider parameters:

if using username and password:
  • subscription_id

  • username

  • password

if using a service principal:
  • subscription_id

  • tenant

  • client_id

  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:
  • AZURE_PUBLIC_CLOUD (default)

  • AZURE_CHINA_CLOUD

  • AZURE_US_GOV_CLOUD

  • AZURE_GERMAN_CLOUD

Example Pillar for Azure Resource Manager authentication:

azurearm:
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass
    mysubscription:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
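
The following is an added example, not part of Salt or of this documentation: a pre-flight check that a connection_auth profile carries the required parameters listed above for one authentication method, plus a redacted copy that is safe to log. The function names, the rule that service principal keys decide the mode, and the sample values are assumptions of this example.

```python
# Added example: names here are hypothetical helpers, not part of Salt.
# The key lists mirror the required/optional parameters documented above.
SERVICE_PRINCIPAL = ("subscription_id", "tenant", "client_id", "secret")
USER_PASS = ("subscription_id", "username", "password")
CLOUD_ENVIRONMENTS = ("AZURE_PUBLIC_CLOUD", "AZURE_CHINA_CLOUD",
                      "AZURE_US_GOV_CLOUD", "AZURE_GERMAN_CLOUD")
SENSITIVE = ("password", "secret")


def check_connection_auth(profile):
    """Return (auth_mode, problems) for one connection_auth dictionary."""
    if not isinstance(profile, dict):
        return None, ["connection_auth must be a dictionary"]
    sp = [k for k in ("tenant", "client_id", "secret") if k in profile]
    up = [k for k in ("username", "password") if k in profile]
    problems = []
    if sp and up:
        problems.append("mixes service principal and username/password keys")
    if sp:  # assumption of this example: service principal keys decide the mode
        mode, required = "service_principal", SERVICE_PRINCIPAL
    elif up:
        mode, required = "user_pass", USER_PASS
    else:
        return None, ["no credential parameters present"]
    problems += ["missing " + k for k in required if not profile.get(k)]
    env = profile.get("cloud_environment", "AZURE_PUBLIC_CLOUD")
    if env not in CLOUD_ENVIRONMENTS:
        problems.append("unknown cloud_environment: %s" % env)
    return mode, problems


def redact(profile):
    """Copy of the profile with credential values masked, safe to log."""
    return {k: "***" if k in SENSITIVE else v for k, v in profile.items()}


# Constructed sample, shaped like the pillar example on this page.
SAMPLE_PILLAR = {"azurearm": {
    "mysubscription": {"subscription_id": "00000000-0000-0000-0000-000000000000",
                       "tenant": "11111111-1111-1111-1111-111111111111",
                       "client_id": "22222222-2222-2222-2222-222222222222",
                       "secret": "constructed-secret",
                       "cloud_environment": "AZURE_PUBLIC_CLOUD"},
    "broken": {"subscription_id": "00000000-0000-0000-0000-000000000000",
               "username": "fletch", "cloud_environment": "AZURE_GOV"},
}}
```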

Example states using Azure Resource Manager authentication:

{% set profile = salt['pillar.get']('azurearm:mysubscription') %}
Ensure resource group exists:
    azurearm_resource.resource_group_present:
        - name: my_rg
        - location: westus
        - tags:
            how_awesome: very
            contact_name: Elmer Fudd Gantry
        - connection_auth: {{ profile }}

Ensure resource group is absent:
    azurearm_resource.resource_group_absent:
        - name: other_rg
        - connection_auth: {{ profile }}

salt.states.azurearm_resource.policy_assignment_absent(name, scope, connection_auth=None)

New in version 2019.2.0.

Ensure a policy assignment does not exist in the provided scope.

Parameters
  • name -- Name of the policy assignment.

  • scope -- The scope of the policy assignment.

  • connection_auth -- A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

salt.states.azurearm_resource.policy_assignment_present(name, scope, definition_name, display_name=None, description=None, assignment_type=None, parameters=None, connection_auth=None, **kwargs)

New in version 2019.2.0.

Ensure a security policy assignment exists.

Parameters
  • name -- Name of the policy assignment.

  • scope -- The scope of the policy assignment.

  • definition_name -- The name of the policy definition to assign.

  • display_name -- The display name of the policy assignment.

  • description -- The policy assignment description.

  • assignment_type -- The type of policy assignment.

  • parameters -- Required dictionary if a parameter is used in the policy rule.

  • connection_auth -- A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure policy assignment exists:
    azurearm_resource.policy_assignment_present:
        - name: testassign
        - scope: /subscriptions/bc75htn-a0fhsi-349b-56gh-4fghti-f84852
        - definition_name: testpolicy
        - display_name: Test Assignment
        - description: Test assignment for testing assignments.
        - connection_auth: {{ profile }}

salt.states.azurearm_resource.policy_definition_absent(name, connection_auth=None)

New in version 2019.2.0.

Ensure a policy definition does not exist in the current subscription.

Parameters
  • name -- Name of the policy definition.

  • connection_auth -- A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

salt.states.azurearm_resource.policy_definition_present(name, policy_rule=None, policy_type=None, mode=None, display_name=None, description=None, metadata=None, parameters=None, policy_rule_json=None, policy_rule_file=None, template='jinja', source_hash=None, source_hash_name=None, skip_verify=False, connection_auth=None, **kwargs)

New in version 2019.2.0.

Ensure a security policy definition exists.

Parameters
  • name -- Name of the policy definition.

  • policy_rule -- A YAML dictionary defining the policy rule. See Azure Policy Definition documentation for details on the structure. One of policy_rule, policy_rule_json, or policy_rule_file is required; if more than one is given, they are used in that order of precedence.

  • policy_rule_json -- A text field defining the entirety of a policy definition in JSON. See Azure Policy Definition documentation for details on the structure. One of policy_rule, policy_rule_json, or policy_rule_file is required; if more than one is given, they are used in that order of precedence. Note that the name field in the JSON will override the name parameter in the state.

  • policy_rule_file -- The source of a JSON file defining the entirety of a policy definition. See Azure Policy Definition documentation for details on the structure. One of policy_rule, policy_rule_json, or policy_rule_file is required; if more than one is given, they are used in that order of precedence. Note that the name field in the JSON will override the name parameter in the state.

  • skip_verify -- Used for the policy_rule_file parameter. If True, hash verification of remote file sources (http://, https://, ftp://) will be skipped, and the source_hash argument will be ignored.

  • source_hash -- This can be a source hash string or the URI of a file that contains source hash strings.

  • source_hash_name -- When source_hash refers to a hash file, Salt will try to find the correct hash by matching the filename/URI associated with that hash.

  • policy_type -- The type of policy definition. Possible values are NotSpecified, BuiltIn, and Custom. Only used with the policy_rule parameter.

  • mode -- The policy definition mode. Possible values are NotSpecified, Indexed, and All. Only used with the policy_rule parameter.

  • display_name -- The display name of the policy definition. Only used with the policy_rule parameter.

  • description -- The policy definition description. Only used with the policy_rule parameter.

  • metadata -- The policy definition metadata defined as a dictionary. Only used with the policy_rule parameter.

  • parameters -- Required dictionary if a parameter is used in the policy rule. Only used with the policy_rule parameter.

  • connection_auth -- A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure policy definition exists:
    azurearm_resource.policy_definition_present:
        - name: testpolicy
        - display_name: Test Policy
        - description: Test policy for testing policies.
        - policy_rule:
            if:
              allOf:
                - equals: Microsoft.Compute/virtualMachines/write
                  source: action
                - field: location
                  in:
                    - eastus
                    - eastus2
                    - centralus
            then:
              effect: deny
        - connection_auth: {{ profile }}
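
The following is an added example, not part of Salt or of this documentation: a check over rendered SLS data for the parameters described above. It reports which rule source wins when several are given, a JSON name that overrides the state name, and a remote policy_rule_file fetched with skip_verify or without a source_hash. The function name, the finding texts and the sample data are assumptions of this example.

```python
import json

# Added example: hypothetical helper, not part of Salt.
STATE_FUNC = "azurearm_resource.policy_definition_present"
SOURCES = ("policy_rule", "policy_rule_json", "policy_rule_file")  # precedence
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def lint_policy_definitions(sls_data):
    """Return (state_id, finding) pairs for rendered SLS data (a dict)."""
    findings = []
    for state_id, body in sls_data.items():
        if not isinstance(body, dict) or STATE_FUNC not in body:
            continue
        args = {}
        for item in body[STATE_FUNC]:  # arguments are a list of one-key dicts
            if isinstance(item, dict):
                args.update(item)
        given = [s for s in SOURCES if args.get(s)]
        if not given:
            findings.append((state_id, "no policy rule source given"))
            continue
        used = given[0]
        if len(given) > 1:
            findings.append((state_id, used + " takes precedence; ignored: " + ", ".join(given[1:])))
        if used == "policy_rule_json":
            try:
                embedded = json.loads(args[used]).get("name")
            except (TypeError, ValueError, AttributeError):
                embedded = None
            if embedded and embedded != args.get("name", state_id):
                findings.append((state_id, "JSON name '%s' overrides the state name" % embedded))
        if used == "policy_rule_file" and str(args[used]).startswith(REMOTE_SCHEMES):
            if args.get("skip_verify"):
                findings.append((state_id, "skip_verify: remote file is not hash-verified"))
            elif not args.get("source_hash"):
                findings.append((state_id, "remote file has no source_hash"))
    return findings


# Constructed sample: three states as the YAML renderer would return them.
SAMPLE_SLS = {
    "remote unverified": {STATE_FUNC: [{"name": "p1"}, {"skip_verify": True},
                                       {"policy_rule_file": "https://example.com/p1.json"}]},
    "renamed by json": {STATE_FUNC: [{"name": "p2"},
                                     {"policy_rule_json": '{"name": "other"}'}]},
    "local file": {STATE_FUNC: [{"name": "p3"},
                                {"policy_rule_file": "salt://policies/p3.json"}]},
}
```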

salt.states.azurearm_resource.resource_group_absent(name, connection_auth=None)

New in version 2019.2.0.

Ensure a resource group does not exist in the current subscription.

Parameters
  • name -- Name of the resource group.

  • connection_auth -- A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

salt.states.azurearm_resource.resource_group_present(name, location, managed_by=None, tags=None, connection_auth=None, **kwargs)

New in version 2019.2.0.

Ensure a resource group exists.

Parameters
  • name -- Name of the resource group.

  • location -- The Azure location in which to create the resource group. This value cannot be updated once the resource group is created.

  • managed_by -- The ID of the resource that manages this resource group. This value cannot be updated once the resource group is created.

  • tags -- A dictionary of strings can be passed as tag metadata to the resource group object.

  • connection_auth -- A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure resource group exists:
    azurearm_resource.resource_group_present:
        - name: group1
        - location: eastus
        - tags:
            contact_name: Elmer Fudd Gantry
        - connection_auth: {{ profile }}