Configure Azure Blueprint Policy Assignment Artifacts

The azure-native:blueprint:PolicyAssignmentArtifact resource, part of the Pulumi Azure Native provider, defines policy assignment artifacts within Azure Blueprints that apply Azure Policy definitions to management groups or subscriptions. This guide focuses on two capabilities: policy assignment with parameters and management group vs subscription scoping.

Policy assignment artifacts belong to blueprint definitions and reference existing Azure Policy definitions. The examples are intentionally small. Combine them with your own blueprint definitions and policy catalogs.

Enforce tagging policies across management groups

Organizations often need to enforce tagging standards across all resources in a management group hierarchy. Blueprint artifacts apply Azure Policy definitions with parameterized values that can reference blueprint-level parameters.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const policyAssignmentArtifact = new azure_native.blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", {
    artifactName: "costCenterPolicy",
    blueprintName: "simpleBlueprint",
    displayName: "force costCenter tag on all resources",
    kind: "policyAssignment",
    parameters: {
        tagName: {
            value: "costCenter",
        },
        tagValue: {
            value: "[parameter('costCenter')]",
        },
    },
    policyDefinitionId: "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
    resourceScope: "providers/Microsoft.Management/managementGroups/ContosoOnlineGroup",
});

Python

import pulumi
import pulumi_azure_native as azure_native

policy_assignment_artifact = azure_native.blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact",
    artifact_name="costCenterPolicy",
    blueprint_name="simpleBlueprint",
    display_name="force costCenter tag on all resources",
    kind="policyAssignment",
    parameters={
        "tagName": {
            "value": "costCenter",
        },
        "tagValue": {
            "value": "[parameter('costCenter')]",
        },
    },
    policy_definition_id="/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
    resource_scope="providers/Microsoft.Management/managementGroups/ContosoOnlineGroup")

Go

package main

import (
	blueprint "github.com/pulumi/pulumi-azure-native-sdk/blueprint/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := blueprint.NewPolicyAssignmentArtifact(ctx, "policyAssignmentArtifact", &blueprint.PolicyAssignmentArtifactArgs{
			ArtifactName:  pulumi.String("costCenterPolicy"),
			BlueprintName: pulumi.String("simpleBlueprint"),
			DisplayName:   pulumi.String("force costCenter tag on all resources"),
			Kind:          pulumi.String("policyAssignment"),
			Parameters: blueprint.ParameterValueMap{
				"tagName": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("costCenter"),
				},
				"tagValue": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("[parameter('costCenter')]"),
				},
			},
			PolicyDefinitionId: pulumi.String("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"),
			ResourceScope:      pulumi.String("providers/Microsoft.Management/managementGroups/ContosoOnlineGroup"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var policyAssignmentArtifact = new AzureNative.Blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", new()
    {
        ArtifactName = "costCenterPolicy",
        BlueprintName = "simpleBlueprint",
        DisplayName = "force costCenter tag on all resources",
        Kind = "policyAssignment",
        Parameters = 
        {
            { "tagName", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "costCenter",
            } },
            { "tagValue", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "[parameter('costCenter')]",
            } },
        },
        PolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
        ResourceScope = "providers/Microsoft.Management/managementGroups/ContosoOnlineGroup",
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifact;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifactArgs;
import com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var policyAssignmentArtifact = new PolicyAssignmentArtifact("policyAssignmentArtifact", PolicyAssignmentArtifactArgs.builder()
            .artifactName("costCenterPolicy")
            .blueprintName("simpleBlueprint")
            .displayName("force costCenter tag on all resources")
            .kind("policyAssignment")
            .parameters(Map.ofEntries(
                Map.entry("tagName", ParameterValueArgs.builder()
                    .value("costCenter")
                    .build()),
                Map.entry("tagValue", ParameterValueArgs.builder()
                    .value("[parameter('costCenter')]")
                    .build())
            ))
            .policyDefinitionId("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62")
            .resourceScope("providers/Microsoft.Management/managementGroups/ContosoOnlineGroup")
            .build());

    }
}

YAML

resources:
  policyAssignmentArtifact:
    type: azure-native:blueprint:PolicyAssignmentArtifact
    properties:
      artifactName: costCenterPolicy
      blueprintName: simpleBlueprint
      displayName: force costCenter tag on all resources
      kind: policyAssignment
      parameters:
        tagName:
          value: costCenter
        tagValue:
          value: '[parameter(''costCenter'')]'
      policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
      resourceScope: providers/Microsoft.Management/managementGroups/ContosoOnlineGroup

The policyDefinitionId points to an existing Azure Policy definition. The parameters map provides values for the policy’s required inputs; here, tagName is set to a literal string while tagValue uses [parameter('costCenter')] syntax to reference a blueprint-level parameter. The kind property must be set to “policyAssignment”. The resourceScope targets a management group, applying the policy across all subscriptions within that hierarchy.

Apply policies at subscription scope

When blueprints target individual subscriptions rather than management groups, the artifact configuration remains the same, but the resourceScope changes to a subscription path of the form subscriptions/{subscriptionId}.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const policyAssignmentArtifact = new azure_native.blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", {
    artifactName: "costCenterPolicy",
    blueprintName: "simpleBlueprint",
    displayName: "force costCenter tag on all resources",
    kind: "policyAssignment",
    parameters: {
        tagName: {
            value: "costCenter",
        },
        tagValue: {
            value: "[parameter('costCenter')]",
        },
    },
    policyDefinitionId: "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
    resourceScope: "subscriptions/00000000-0000-0000-0000-000000000000",
});

Python

import pulumi
import pulumi_azure_native as azure_native

policy_assignment_artifact = azure_native.blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact",
    artifact_name="costCenterPolicy",
    blueprint_name="simpleBlueprint",
    display_name="force costCenter tag on all resources",
    kind="policyAssignment",
    parameters={
        "tagName": {
            "value": "costCenter",
        },
        "tagValue": {
            "value": "[parameter('costCenter')]",
        },
    },
    policy_definition_id="/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
    resource_scope="subscriptions/00000000-0000-0000-0000-000000000000")

Go

package main

import (
	blueprint "github.com/pulumi/pulumi-azure-native-sdk/blueprint/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := blueprint.NewPolicyAssignmentArtifact(ctx, "policyAssignmentArtifact", &blueprint.PolicyAssignmentArtifactArgs{
			ArtifactName:  pulumi.String("costCenterPolicy"),
			BlueprintName: pulumi.String("simpleBlueprint"),
			DisplayName:   pulumi.String("force costCenter tag on all resources"),
			Kind:          pulumi.String("policyAssignment"),
			Parameters: blueprint.ParameterValueMap{
				"tagName": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("costCenter"),
				},
				"tagValue": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("[parameter('costCenter')]"),
				},
			},
			PolicyDefinitionId: pulumi.String("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"),
			ResourceScope:      pulumi.String("subscriptions/00000000-0000-0000-0000-000000000000"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var policyAssignmentArtifact = new AzureNative.Blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", new()
    {
        ArtifactName = "costCenterPolicy",
        BlueprintName = "simpleBlueprint",
        DisplayName = "force costCenter tag on all resources",
        Kind = "policyAssignment",
        Parameters = 
        {
            { "tagName", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "costCenter",
            } },
            { "tagValue", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "[parameter('costCenter')]",
            } },
        },
        PolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
        ResourceScope = "subscriptions/00000000-0000-0000-0000-000000000000",
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifact;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifactArgs;
import com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var policyAssignmentArtifact = new PolicyAssignmentArtifact("policyAssignmentArtifact", PolicyAssignmentArtifactArgs.builder()
            .artifactName("costCenterPolicy")
            .blueprintName("simpleBlueprint")
            .displayName("force costCenter tag on all resources")
            .kind("policyAssignment")
            .parameters(Map.ofEntries(
                Map.entry("tagName", ParameterValueArgs.builder()
                    .value("costCenter")
                    .build()),
                Map.entry("tagValue", ParameterValueArgs.builder()
                    .value("[parameter('costCenter')]")
                    .build())
            ))
            .policyDefinitionId("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62")
            .resourceScope("subscriptions/00000000-0000-0000-0000-000000000000")
            .build());

    }
}

YAML

resources:
  policyAssignmentArtifact:
    type: azure-native:blueprint:PolicyAssignmentArtifact
    properties:
      artifactName: costCenterPolicy
      blueprintName: simpleBlueprint
      displayName: force costCenter tag on all resources
      kind: policyAssignment
      parameters:
        tagName:
          value: costCenter
        tagValue:
          value: '[parameter(''costCenter'')]'
      policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
      resourceScope: subscriptions/00000000-0000-0000-0000-000000000000

The resourceScope now uses the subscription format instead of a management group path. All other properties (policyDefinitionId, parameters, kind) work identically. This allows the same blueprint to be applied at different organizational levels.
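A pre-deployment lint for the two resourceScope formats and the [parameter('...')] references described above. This is an added example, not Pulumi's or Azure's code; the function names, the blueprint_params set and the sample dictionaries are assumptions made for illustration.

```python
import re

# Scope formats exactly as this page gives them (no leading slash).
MG_SCOPE = re.compile(r"^providers/Microsoft\.Management/managementGroups/[^/]+$")
SUB_SCOPE = re.compile(r"^subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Blueprint parameter reference in the page's syntax: [parameter('name')]
PARAM_REF = re.compile(r"^\[parameter\('([^']+)'\)\]$")
REQUIRED = ("kind", "parameters", "policyDefinitionId")  # per the page's FAQ

def scope_kind(resource_scope):
    """Return 'managementGroup', 'subscription', or None if unrecognised."""
    scope = resource_scope or ""
    if MG_SCOPE.match(scope):
        return "managementGroup"
    if SUB_SCOPE.match(scope):
        return "subscription"
    return None

def lint_artifact(props, blueprint_params):
    """Return findings for one artifact; blueprint_params is the set of
    parameter names the blueprint declares (assumed to be supplied by the caller)."""
    findings = [f"missing required property: {k}" for k in REQUIRED if k not in props]
    if props.get("kind") != "policyAssignment":
        findings.append("kind must be 'policyAssignment'")
    if scope_kind(props.get("resourceScope")) is None:
        findings.append(f"unrecognised resourceScope: {props.get('resourceScope')!r}")
    for name, param in props.get("parameters", {}).items():
        value = param.get("value")
        ref = PARAM_REF.match(value) if isinstance(value, str) else None
        if ref and ref.group(1) not in blueprint_params:
            findings.append(f"{name} references undeclared blueprint parameter {ref.group(1)!r}")
    return findings

# Constructed samples: the page's management-group artifact and a broken variant.
MG_ARTIFACT = {
    "kind": "policyAssignment",
    "parameters": {"tagName": {"value": "costCenter"},
                   "tagValue": {"value": "[parameter('costCenter')]"}},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
    "resourceScope": "providers/Microsoft.Management/managementGroups/ContosoOnlineGroup",
}
BAD_ARTIFACT = {"kind": "template", "parameters": {}, "resourceScope": "subscriptions/not-a-guid"}

if __name__ == "__main__":
    print(scope_kind(MG_ARTIFACT["resourceScope"]), lint_artifact(MG_ARTIFACT, {"costCenter"}))
    for finding in lint_artifact(BAD_ARTIFACT, {"costCenter"}):
        print("finding:", finding)
```

Running the same check in CI before `pulumi up` also surfaces when a change moves an artifact from subscription scope to management group scope, which widens the set of subscriptions the policy governs.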

Beyond these examples

These snippets focus on two policy assignment artifact features: parameterized policy assignment, and management group versus subscription scoping. They’re intentionally minimal rather than full blueprint definitions.

The examples reference pre-existing infrastructure such as Azure Blueprint definitions, Azure Policy definitions, and management groups or subscriptions. They focus on configuring the artifact rather than creating the surrounding blueprint structure.

To keep things focused, common artifact patterns are omitted, including:

  • Artifact dependencies (dependsOn)
  • Resource group targeting (resourceGroup)
  • Multi-artifact blueprints with ARM templates and role assignments
  • Blueprint parameter definitions and value passing

These omissions are intentional: the goal is to illustrate how policy assignment artifacts are wired, not to provide drop-in governance modules. See the PolicyAssignmentArtifact resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Scope

What are the required properties for a policy assignment artifact?
Three properties are required: kind (must be “policyAssignment”), parameters (parameter values for the policy definition), and policyDefinitionId (Azure resource ID of the policy definition).

How do I scope a policy assignment artifact to a management group or subscription?
Use resourceScope with the format providers/Microsoft.Management/managementGroups/{managementGroup} for management groups or subscriptions/{subscriptionId} for subscriptions.

What properties can't be changed after creation?
Three properties are immutable: artifactName, blueprintName, and resourceScope. Changing any of these requires replacing the resource.

Parameters & References

How do I reference blueprint parameters in policy parameters?
Use the syntax [parameter('parameterName')] as the parameter value. For example, tagValue: "[parameter('costCenter')]" references a blueprint parameter named costCenter.

Can I assign policies to specific resource groups within a blueprint?
Yes, use the resourceGroup property to specify the name of the resource group placeholder where the policy will be assigned.

Dependencies & Lifecycle

How do I control the deployment order of artifacts in a blueprint?
Use the dependsOn property with an array of artifact names that must be deployed before this artifact.

Is this resource using a preview API version?
Yes, this resource uses Azure REST API version 2018-11-01-preview, which is a preview version.