Deployment of Azure Policy using Terraform
This section describes how to provision Azure policies required for Codebeamer AI customer-hosted deployment by running Terraform.
Step1: Set environment variables
Set the following environment variables to the values noted for the infrastructure service principal.
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_TENANT_ID
ARM_SUBSCRIPTION_ID
For more information, refer to Prerequisites.
Step2: Configure Azure Policy Terraform input parameters
Configure the Terraform variables file, policy.tfvars, required for deployment.
1. Go to the template file terraform/deployment-profiles/policy-templates/policy.tfvars.
2. Create a copy of policy.tfvars.template with the name policy.tfvars.
3. Update the following required parameters. Refer to Terraform outputs from infrastructure deployment to get these variable values.
Variable                              Description
subscription_id                       Azure subscription where policy will be applied.
location                              Azure region. It must match IaC deployment.
resource_group_name                   Target resource group where policies will be assigned.
allowed_oidc_issuers                  AKS OIDC issuer URL. This is used for workload identity restriction.
allowed_private_endpoint_subnet_ids   Subnet IDs where private endpoints are allowed.
environment                           Unique environment name. This is used for policy naming.
File example:
subscription_id                     = "<subscription_id>"
location                            = "<region>"
resource_group_name                 = "<resource_group_name>"
allowed_oidc_issuers                = ["<oidc_issuer>"]
allowed_private_endpoint_subnet_ids = ["<subnet_id>"]
environment                         = "<environment_name>"
Step3: Configure Terraform backend - Azure storage account
Update the terraform\deployment-profiles\policy-templates\backend.conf file with the storage account details. For more information, refer to Prerequisites.
File example:
resource_group_name  = "<resource_group_name>"
storage_account_name = "<storage_account_name>"
container_name       = "<container_name>"
key                  = "<terraform.tfstate>"
Step4: Run Terraform deployment
1. Switch to the Azure Policy Terraform directory.
cd terraform/deployment-profiles/policy-templates
2. Initialize Terraform.
terraform init -backend-config=backend.conf
3. Plan Terraform.
terraform plan -var-file=policy.tfvars
During Terraform plan, verify the following:
- All required policy definitions are being created. For more information, see Customer-hosted Codebeamer AI.
- Policy initiative is created.
- Policy assignment is applied to the target resource group.
- Policy exemption with a defined validity period has been created.
4. Apply Terraform.
terraform apply -var-file=policy.tfvars
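The plan checks listed in step 3 above can be run mechanically against the JSON form of a saved plan. The script below is an added example, not part of the Codebeamer AI Terraform code. It assumes the policy module uses the azurerm resource types named in EXPECTED; the file name check_policy_plan.py, the helper _create and the sample plan are hypothetical.

```python
import json
import sys

# Assumed azurerm resource types; the policy module may use others
# (for example a subscription-scoped assignment), so adjust to your plan.
EXPECTED = {
    "policy definition": "azurerm_policy_definition",
    "policy initiative": "azurerm_policy_set_definition",
    "policy assignment": "azurerm_resource_group_policy_assignment",
    "policy exemption": "azurerm_resource_group_policy_exemption",
}

def check_plan(plan, resource_group_name):
    """Return findings for the four plan checks; an empty list means all passed."""
    by_type = {}
    for rc in plan.get("resource_changes", []):
        if "create" in rc["change"]["actions"]:
            by_type.setdefault(rc["type"], []).append(rc["change"].get("after") or {})
    findings = [f"no {label} planned for creation ({rtype})"
                for label, rtype in EXPECTED.items() if rtype not in by_type]
    suffix = "/resourcegroups/" + resource_group_name.lower()
    for a in by_type.get(EXPECTED["policy assignment"], []):
        # Values computed at apply time are absent from "after" in the plan JSON.
        scope = a.get("resource_group_id") or "<known after apply>"
        if not scope.lower().endswith(suffix):
            findings.append(f"assignment {a.get('name')} targets {scope}")
    for e in by_type.get(EXPECTED["policy exemption"], []):
        if not e.get("expires_on"):  # an exemption without expiry never lapses
            findings.append(f"exemption {e.get('name')} has no expires_on")
    return findings

def _create(rtype, **after):
    return {"type": rtype, "change": {"actions": ["create"], "after": after}}

# Constructed sample shaped like `terraform show -json` output (not a real plan).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
SAMPLE_PLAN = {"resource_changes": [
    _create(EXPECTED["policy definition"], name="example-definition"),
    _create(EXPECTED["policy initiative"], name="example-initiative"),
    _create(EXPECTED["policy assignment"], name="example-assignment", resource_group_id=RG),
    _create(EXPECTED["policy exemption"], name="example-exemption", expires_on=None),
]}

if __name__ == "__main__":
    # Usage: terraform show -json plan.out | python check_policy_plan.py <resource_group_name>
    live = len(sys.argv) > 1
    plan = json.load(sys.stdin) if live else SAMPLE_PLAN
    for finding in check_plan(plan, sys.argv[1] if live else "rg-example"):
        print("FINDING:", finding)
```

To feed it a real plan, save the plan with terraform plan -var-file=policy.tfvars -out=plan.out and pipe terraform show -json plan.out into the script. Run without arguments, it reports the missing expiry in the constructed sample.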