
How to enable azure policy assignment for existing default policy azure using Microsoft accelerator landing zone with Terraform

Satish B 170 Reputation points
2026-04-14T17:27:57.8866667+00:00

How to enable an Azure Policy assignment for the existing default Azure policy (Ensure that public network access is disabled in Managed Disks) using the Microsoft accelerator landing zone with Terraform.

Please find the link: https://github.com/Azure/alz-terraform-accelerator

Please suggest



Answer accepted by question author

  1. Jose Benjamin Solis Nolasco 7,996 Reputation points Volunteer Moderator
    2026-04-14T18:11:54.0433333+00:00

    Welcome to Microsoft Q&A

    Hello Satish, I hope you are doing well,

    In the ALZ Terraform Accelerator, policies aren't assigned one by one. Instead, they are bundled together into templates called "Archetypes" (like the default "Landing Zone" archetype).

    To turn on the specific policy for blocking public access to Managed Disks, you need to "extend" the default archetype.

    How to do it:

    Open your Terraform project and look for the /lib folder.

    Create a new file inside it called archetype_extension_es_landing_zones.tmpl.json (replace es_landing_zones with whichever management group you are targeting).

    Add a simple JSON block that tells Terraform to append your disk policy to the existing Microsoft list.

    When you run terraform apply, the module will automatically merge your new Managed Disks policy with the Microsoft defaults and apply it to the management group.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

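    The accepted answer describes two library files but does not show their contents. The script below, an added example that is not part of the answer or of the accelerator repository, renders both files and cross-checks them before `terraform apply`. It assumes the archetype extension shape used by the caf-enterprise-scale module (an `extend_<mg_id>` key listing policy assignment names, each matched by a `policy_assignment_*.tmpl.json` template in ARM `policyAssignments` shape with `${current_scope_resource_id}` and `${default_location}` placeholders); the management group id `es_landing_zones`, the assignment name `Deny-Disk-Public-Access` and the definition GUID are constructed values, and the built-in definition id is left as a labelled placeholder because it is not on the page.

    ```python
    """Render and sanity-check the lib/ files that extend the default ALZ archetype.

    Assumed (not stated on the page): caf-enterprise-scale archetype extension format.
    lib/archetype_extension_<mg>.tmpl.json  -> {"extend_<mg>": {"policy_assignments": [...], ...}}
    lib/policy_assignment_<name>.tmpl.json  -> ARM-style Microsoft.Authorization/policyAssignments object
    """
    import json
    import re
    from pathlib import Path

    # PLACEHOLDER: the built-in definition GUID is not on the page. Look it up under
    # Policy -> Definitions and paste the real /providers/... id before applying.
    DISK_POLICY_DEFINITION_ID = (
        "/providers/Microsoft.Authorization/policyDefinitions/"
        "<BUILT-IN-GUID-FOR-MANAGED-DISK-PUBLIC-ACCESS>"
    )

    # A real built-in id is the fixed prefix followed by a single GUID segment; '<' or '>'
    # means the placeholder above was never replaced.
    DEFINITION_ID_RE = re.compile(
        r"^/providers/Microsoft\.Authorization/policyDefinitions/[^/<>]+$"
    )


    def archetype_extension(mg_id, assignment_names):
        """Extension object: appends assignments to the Microsoft defaults of mg_id (assumed shape)."""
        return {
            f"extend_{mg_id}": {
                "policy_assignments": list(assignment_names),
                "policy_definitions": [],
                "policy_set_definitions": [],
                "role_definitions": [],
                "archetype_config": {"parameters": {}, "access_control": {}},
            }
        }


    def policy_assignment(name, display_name, definition_id, enforcement_mode="Default"):
        """Assignment template; ${...} tokens are filled in by the module at apply time (assumed)."""
        return {
            "name": name,
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2019-09-01",
            "properties": {
                "description": "Managed disks must not allow public network access.",
                "displayName": display_name,
                "notScopes": [],
                "parameters": {},  # this built-in takes no parameters
                "policyDefinitionId": definition_id,
                "scope": "${current_scope_resource_id}",
                "enforcementMode": enforcement_mode,  # ARM values: Default | DoNotEnforce
            },
            "location": "${default_location}",
            "identity": {"type": "None"},  # audit/deny effects need no managed identity
        }


    def library_files(mg_id, name, definition_id):
        """Relative lib/ path -> JSON object, for one assignment on one management group."""
        return {
            f"archetype_extension_{mg_id}.tmpl.json": archetype_extension(mg_id, [name]),
            f"policy_assignment_{name.lower().replace('-', '_')}.tmpl.json": policy_assignment(
                name, "Disable public network access for managed disks", definition_id
            ),
        }


    def validate(files):
        """Return problems a plan would otherwise surface late: dangling names, bad ids, bad modes."""
        problems = []
        assignments = {
            doc["name"]: doc for path, doc in files.items() if path.startswith("policy_assignment_")
        }
        for path, doc in files.items():
            if not path.startswith("archetype_extension_"):
                continue
            mg_id = path[len("archetype_extension_"):-len(".tmpl.json")]
            block = doc.get(f"extend_{mg_id}")
            if block is None:
                problems.append(f"{path}: expected top-level key extend_{mg_id}")
                continue
            for name in block["policy_assignments"]:
                if name not in assignments:
                    problems.append(f"{path}: {name!r} has no policy_assignment template")
        for name, doc in assignments.items():
            props = doc["properties"]
            if not DEFINITION_ID_RE.match(props["policyDefinitionId"]):
                problems.append(f"{name}: policyDefinitionId is a placeholder or malformed")
            if props["enforcementMode"] not in ("Default", "DoNotEnforce"):
                problems.append(f"{name}: enforcementMode must be Default or DoNotEnforce")
        return problems


    def write_library(files, lib_dir="lib"):
        """Write the files into lib/ and return the names written."""
        root = Path(lib_dir)
        root.mkdir(parents=True, exist_ok=True)
        for rel, doc in files.items():
            (root / rel).write_text(json.dumps(doc, indent=2) + "\n")
        return sorted(files)


    if __name__ == "__main__":
        files = library_files("es_landing_zones", "Deny-Disk-Public-Access", DISK_POLICY_DEFINITION_ID)
        for problem in validate(files):
            print("problem:", problem)  # placeholder id is reported until replaced
        print(write_library(files))
    ```

    Run it from the Terraform project root so the files land in the `lib` folder the answer refers to; the placeholder id is deliberately rejected by `validate`, so the script reports it until the real built-in definition id is pasted in.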

2 additional answers

  1. Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator
    2026-04-14T19:30:20.3933333+00:00

    Hello Satish B,

    Thank you for reaching out to the Microsoft Q&A forum. 

    When investigated we see you want to take the built-in Azure Policy “Ensure that public network access is disabled in managed disks” and bake it into your Microsoft Accelerator Landing Zone (ALZ) Terraform deployment. Here’s a high-level approach you can follow:

    Identify the built-in policy definition: You can either look it up in the portal under Policy → Definitions (the built-in name is something like “Disk_PublicNetworkAccess_ShouldBeDisabled”) or use Terraform’s data source:

    ```hcl
    data "azurerm_policy_definition" "disable_disk_public_network" {
      display_name = "Ensure that public network access is disabled in managed disks"
    }
    ```

    Add a policy assignment in your ALZ module: The ALZ accelerator exposes a “policy_assignments” variable in the management-group landing zone. In your landing_zone.mgmt_group.tfvars (or wherever you drive your ALZ config), append an entry like this:

    ```hcl
    policy_assignments = {
      disable_disk_public_network = {
        display_name         = "Disable public network access for managed disks"
        description          = "Ensure public network access is disabled on all Managed Disks"
        policy_definition_id = data.azurerm_policy_definition.disable_disk_public_network.id
        enforcement_mode     = "Enabled"      # or "Default"
        parameters           = {}             # this built-in has no parameters
        # scope              = var.management_group_id  # defaults to the MG this landing zone targets
      }
    }
    ```

    Run Terraform:

    ```shell
    cd landingzones/mgmtgroup
    terraform init
    terraform plan -var-file=landing_zone.mgmt_group.tfvars
    terraform apply -var-file=landing_zone.mgmt_group.tfvars
    ```

    That will push the new assignment into your management group (and down to all subscriptions under it).

    Verify

      • Allow ~15–30 minutes for Azure Policy to propagate.
      • In the portal, go to Policy → Assignments and look for your new “Disable public network access for managed disks” assignment under the target scope.
      • Check the Compliance tab to confirm no new “Allowed resources” are found with public endpoints.

    Reference list

    • ALZ Terraform Accelerator GitHub: https://github.com/Azure/alz-terraform-accelerator

    • Quickstart: Assign a policy using Terraform: https://learn.microsoft.com/azure/governance/policy/assign-policy-terraform

    • Azure Policy concepts & assignment structure: https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure

    Hope this helps! Let me know if you have any follow-ups.


  2. Q&A Assist
    2026-04-14T17:28:17.2233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    In the Azure landing zone Terraform accelerator, Azure Policy is managed as code. To assign an additional built-in policy such as “Ensure that public network access is disabled in Managed Disks” you extend the policy library and the policy assignments in Terraform rather than assigning it manually in the portal.

    A high-level approach aligned with the accelerator and Azure landing zone guidance is:

    1. Decide where to manage policy-as-code
      • If the environment is using the Azure landing zone Terraform accelerator (ALZ - Terraform), follow the accelerator’s pattern for policy management instead of assigning policies directly in the portal.
      • For large/complex environments, consider using Enterprise Policy as Code (EPAC) as the single source of truth for policy deployment. EPAC supports Terraform-based landing zones and integrates with Azure DevOps or GitHub Actions pipelines for deployment.
    2. Extend the policy library in the accelerator
      • In the ALZ Terraform implementation, policies are typically grouped into a “library” (for example, archetypes or custom library modules). To add the “Ensure that public network access is disabled in Managed Disks” built-in policy:
        • Add a reference to the built-in policy definition ID into the accelerator’s custom policy library (for example, in the custom library configuration used by ALZ Terraform).
        • If the accelerator uses archetype definitions, include the policy definition ID in the appropriate archetype so it is applied at the desired management group or subscription scope.
      • Follow the ALZ Terraform guidance for using a custom library: see the “using a custom library” documentation for Azure Verified Modules (AVM) for Platform landing zone (ALZ) - Terraform.
    3. Add or modify the policy assignment in Terraform
      • Use the accelerator’s existing Terraform modules for policy assignments. If a module is already used to assign other built-in policies at the Intermediate Root Management Group or subscription level, extend that module input to include the new policy.
      • If defining a policy assignment directly with Terraform and the AzAPI provider, use the Microsoft.Authorization/policyAssignments@2019-06-01 resource type. Key properties:
        • name: name of the assignment.
        • parent_id: ID of the management group or subscription where the assignment is attached.
        • properties.policyDefinitionId: the built-in policy definition ID for “Ensure that public network access is disabled in Managed Disks”.
        • properties.scope: scope where the policy is enforced (management group, subscription, or resource group).
        • properties.parameters: if the built-in policy requires parameters, supply them here.
      • Keep policy assignments in the same Terraform state and pipeline as the rest of the landing zone so that policy remains managed by code.
    4. Deploy via CI/CD
      • Use the same deployment method as the rest of the accelerator (Azure DevOps, GitHub Actions, or other pipeline) to apply the Terraform changes.
      • Ensure that policy changes are reviewed and tested in a non-production landing zone before promotion.
    5. Consider EPAC if replacing existing policy deployment
      • If the environment is moving away from the built-in Azure landing zone policy deployment mechanism, EPAC can replace the policy deployment capabilities of the Azure landing zone reference architectures and become the source of truth for policy.
      • EPAC supports complex management group structures and can coexist with existing policies using a desired state strategy, then gradually take over policy management.
    6. Validate compliance
      • After deployment, use Azure Policy compliance views to confirm that the new policy assignment is in place and that managed disks are evaluated for public network access.
      • If using Azure landing zones, remember that the MCSB initiative is already assigned by default at the Intermediate Root Management Group; ensure the new policy does not conflict with existing initiatives.

    If the policy assignment needs to be removed or changed later, update the Terraform configuration (or EPAC configuration) and redeploy rather than deleting assignments manually in the portal, to keep the landing zone consistent with policy-as-code practices.


