This module contains the reference Azure policy and initiative (policySet) definitions from Enterprise-Scale.
It deploys those definitions to the supplied Azure AD Management Group.
Getting the policies deployed is simple: call the module with the target management group name.
```hcl
module "azopsreference" {
  source                = ""                          # module source elided on the page
  management_group_name = "<management-group-name>"   # placeholder; the value is elided on the page
}
```
Each policy and initiative definition has its own output, so you can reference a definition from the module when creating an assignment. The assignment below uses a system-assigned managed identity, which a DeployIfNotExists policy needs in order to create the diagnostic settings it enforces:

```hcl
resource "azurerm_policy_assignment" "deploy_diag_loganalytics" {
  name                 = "Deploy-Diag-LogAnalytics"
  scope                = "<assignment-scope>"                  # placeholder; the scope is elided on the page
  policy_definition_id = "<module output for the definition>"  # placeholder; the output name is elided on the page
  description          = "Ensure resources have diagnostic settings configured to forward to Log Analytics"
  display_name         = "Deploy-Diag-LogAnalytics"
  location             = var.default_location

  # The managed identity the policy engine uses when it deploys diagnostic settings.
  identity {
    type = "SystemAssigned"
  }

  # Parameter values are passed as a JSON document; the workspace reference is elided on the page.
  parameters = <<PARAMETERS
{
  "logAnalytics": {
    "value": "<log-analytics-workspace-resource-id>"
  }
}
PARAMETERS
}
```
For initiatives (policySets) there is an additional output: an array of all the policy definition objects the initiative contains. This is useful when creating one remediation task per contained definition:

```hcl
resource "azurerm_policy_remediation" "deploy_diag_loganalytics" {
  # One remediation task per policy definition in the initiative.
  count = length(module.azopsreference.diagnostic_policy_definitions)

  name                 = lower(module.azopsreference.diagnostic_policy_definitions[count.index].name)
  scope                = "<remediation-scope>"   # placeholder; the scope is elided on the page
  policy_assignment_id = "<assignment id>"       # placeholder; the value is elided on the page

  # The reference id inside the initiative is the definition name without hyphens.
  policy_definition_reference_id = replace(module.azopsreference.diagnostic_policy_definitions[count.index].name, "-", "")
}
```
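The snippets above leave out the piece that makes remediation actually work: a DeployIfNotExists assignment acts through its managed identity, and that identity has no permissions until a role is assigned to it at the assignment scope. The following is an added end-to-end example, not code from this repository or from Enterprise-Scale, that wires the module, the assignment, the identity's role assignment and the remediation tasks together. The module `source` path, the `var.management_group_name` and `var.log_analytics_workspace_id` variables, the output name `policy_set_definition_deploy_diag_loganalytics` and the `Monitoring Contributor` role are assumptions; check the `roleDefinitionIds` declared in the policy definitions for the roles the identity really needs, and grant no more than those.

```hcl
# Added example; names marked "assumed" are not taken from the README.
terraform {
  required_providers {
    # assumed: azurerm 2.x, where the azurerm_policy_assignment resource used above exists
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
}

variable "management_group_name" { type = string } # assumed
variable "log_analytics_workspace_id" { type = string } # assumed: resource id of the target workspace
variable "default_location" { type = string }

# Resolve the management group once so assignment, role and remediation share one scope.
data "azurerm_management_group" "target" {
  name = var.management_group_name
}

module "azopsreference" {
  source                = "./modules/azopsreference" # assumed local path
  management_group_name = data.azurerm_management_group.target.name
}

resource "azurerm_policy_assignment" "deploy_diag_loganalytics" {
  name                 = "Deploy-Diag-LogAnalytics"
  scope                = data.azurerm_management_group.target.id
  policy_definition_id = module.azopsreference.policy_set_definition_deploy_diag_loganalytics # assumed output name
  description          = "Ensure resources have diagnostic settings configured to forward to Log Analytics"
  display_name         = "Deploy-Diag-LogAnalytics"
  location             = var.default_location

  identity {
    type = "SystemAssigned"
  }

  # jsonencode builds the same JSON parameter document the heredoc above carries.
  parameters = jsonencode({
    logAnalytics = { value = var.log_analytics_workspace_id }
  })
}

# Grant the assignment's identity the role the policy needs, scoped to the management group
# only. Without this, every remediation task fails on authorization.
resource "azurerm_role_assignment" "deploy_diag_loganalytics" {
  scope                = data.azurerm_management_group.target.id
  role_definition_name = "Monitoring Contributor" # assumed; take the roles from the definitions' roleDefinitionIds
  principal_id         = azurerm_policy_assignment.deploy_diag_loganalytics.identity[0].principal_id
}

resource "azurerm_policy_remediation" "deploy_diag_loganalytics" {
  count = length(module.azopsreference.diagnostic_policy_definitions)

  name                 = lower(module.azopsreference.diagnostic_policy_definitions[count.index].name)
  scope                = data.azurerm_management_group.target.id
  policy_assignment_id = azurerm_policy_assignment.deploy_diag_loganalytics.id

  policy_definition_reference_id = replace(module.azopsreference.diagnostic_policy_definitions[count.index].name, "-", "")

  # Do not start remediating until the identity can actually write diagnostic settings.
  depends_on = [azurerm_role_assignment.deploy_diag_loganalytics]
}
```

The explicit `depends_on` matters: Terraform sees no reference from the remediation to the role assignment, so without it the remediation tasks can be created before the identity has any rights and simply fail. Scoping the role to the management group, rather than the tenant root, keeps the policy identity's blast radius to the resources the assignment covers.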
This Terraform is generated automatically from the Enterprise-Scale JSON files. The GitHub Action and script that accomplish this are in this repo.