The azure-native:blueprint:PolicyAssignmentArtifact resource, part of the Pulumi Azure Native provider, defines policy assignment artifacts within Azure Blueprints that apply Azure Policy definitions to management groups or subscriptions. This guide focuses on two capabilities: policy assignment with parameters and management group vs subscription scoping.
Policy assignment artifacts belong to blueprint definitions and reference existing Azure Policy definitions. The examples are intentionally small. Combine them with your own blueprint definitions and policy catalogs.
Enforce tagging policies across management groups
Organizations often need to enforce tagging standards across all resources in a management group hierarchy. Blueprint artifacts apply Azure Policy definitions with parameterized values that can reference blueprint-level parameters.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Management-group scope: the assignment applies across every subscription in
// this hierarchy, so review that reach before the blueprint is published.
const managementGroupScope = "providers/Microsoft.Management/managementGroups/ContosoOnlineGroup";

// ID of an existing Azure Policy definition. This artifact only assigns it;
// read the definition itself to know what it enforces.
const tagPolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62";

// Policy assignment artifact attached to the pre-existing blueprint "simpleBlueprint".
const policyAssignmentArtifact = new azure_native.blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", {
    // resourceScope, blueprintName and artifactName cannot be changed after
    // creation; changing any of them means recreating the artifact.
    resourceScope: managementGroupScope,
    blueprintName: "simpleBlueprint",
    artifactName: "costCenterPolicy",
    kind: "policyAssignment", // required value for this resource type
    displayName: "force costCenter tag on all resources",
    policyDefinitionId: tagPolicyDefinitionId,
    parameters: {
        // Literal value passed to the policy's tagName parameter.
        tagName: { value: "costCenter" },
        // Blueprint expression: resolves to the blueprint-level parameter
        // named costCenter, which the blueprint itself must define.
        tagValue: { value: "[parameter('costCenter')]" },
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Management-group scope: the assignment applies across every subscription in
# this hierarchy, so review that reach before the blueprint is published.
management_group_scope = "providers/Microsoft.Management/managementGroups/ContosoOnlineGroup"

# ID of an existing Azure Policy definition. This artifact only assigns it;
# read the definition itself to know what it enforces.
tag_policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"

tag_parameters = {
    # Literal value passed to the policy's tagName parameter.
    "tagName": {"value": "costCenter"},
    # Blueprint expression: resolves to the blueprint-level parameter named
    # costCenter, which the blueprint itself must define.
    "tagValue": {"value": "[parameter('costCenter')]"},
}

# Policy assignment artifact attached to the pre-existing blueprint
# "simpleBlueprint". resource_scope, blueprint_name and artifact_name cannot be
# changed after creation; changing any of them means recreating the artifact.
policy_assignment_artifact = azure_native.blueprint.PolicyAssignmentArtifact(
    "policyAssignmentArtifact",
    resource_scope=management_group_scope,
    blueprint_name="simpleBlueprint",
    artifact_name="costCenterPolicy",
    kind="policyAssignment",  # required value for this resource type
    display_name="force costCenter tag on all resources",
    policy_definition_id=tag_policy_definition_id,
    parameters=tag_parameters,
)
package main
import (
blueprint "github.com/pulumi/pulumi-azure-native-sdk/blueprint/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one policy assignment artifact on the pre-existing blueprint
// "simpleBlueprint" and returns any registration error to the Pulumi runtime.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		artifactArgs := &blueprint.PolicyAssignmentArtifactArgs{
			// Management-group scope: the assignment applies across every
			// subscription in this hierarchy, so review that reach first.
			// ResourceScope, BlueprintName and ArtifactName cannot be changed
			// after creation; changing them means recreating the artifact.
			ResourceScope: pulumi.String("providers/Microsoft.Management/managementGroups/ContosoOnlineGroup"),
			BlueprintName: pulumi.String("simpleBlueprint"),
			ArtifactName:  pulumi.String("costCenterPolicy"),
			Kind:          pulumi.String("policyAssignment"), // required value for this resource type
			DisplayName:   pulumi.String("force costCenter tag on all resources"),
			// ID of an existing Azure Policy definition. This artifact only
			// assigns it; read the definition to know what it enforces.
			PolicyDefinitionId: pulumi.String("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"),
			Parameters: blueprint.ParameterValueMap{
				// Literal value passed to the policy's tagName parameter.
				"tagName": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("costCenter"),
				},
				// Blueprint expression: resolves to the blueprint-level
				// parameter named costCenter, which the blueprint must define.
				"tagValue": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("[parameter('costCenter')]"),
				},
			},
		}

		_, err := blueprint.NewPolicyAssignmentArtifact(ctx, "policyAssignmentArtifact", artifactArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Management-group scope: the assignment applies across every subscription
    // in this hierarchy, so review that reach before the blueprint is published.
    const string managementGroupScope = "providers/Microsoft.Management/managementGroups/ContosoOnlineGroup";

    // ID of an existing Azure Policy definition. This artifact only assigns it;
    // read the definition itself to know what it enforces.
    const string tagPolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62";

    // Policy assignment artifact attached to the pre-existing blueprint "simpleBlueprint".
    var policyAssignmentArtifact = new AzureNative.Blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", new()
    {
        // ResourceScope, BlueprintName and ArtifactName cannot be changed after
        // creation; changing any of them means recreating the artifact.
        ResourceScope = managementGroupScope,
        BlueprintName = "simpleBlueprint",
        ArtifactName = "costCenterPolicy",
        Kind = "policyAssignment", // required value for this resource type
        DisplayName = "force costCenter tag on all resources",
        PolicyDefinitionId = tagPolicyDefinitionId,
        Parameters =
        {
            // Literal value passed to the policy's tagName parameter.
            { "tagName", new AzureNative.Blueprint.Inputs.ParameterValueArgs { Value = "costCenter" } },
            // Blueprint expression: resolves to the blueprint-level parameter
            // named costCenter, which the blueprint itself must define.
            { "tagValue", new AzureNative.Blueprint.Inputs.ParameterValueArgs { Value = "[parameter('costCenter')]" } },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifact;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifactArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
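/**
 * Pulumi program that adds one policy assignment artifact to the pre-existing
 * blueprint "simpleBlueprint", scoped to a management group.
 */
public class App {
    /**
     * Hands the stack definition to the Pulumi runtime.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy assignment artifact.
     *
     * @param ctx Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        // ParameterValueArgs is written fully qualified because this listing's
        // import block does not import it; the unqualified name does not compile.
        var policyAssignmentArtifact = new PolicyAssignmentArtifact("policyAssignmentArtifact", PolicyAssignmentArtifactArgs.builder()
            // artifactName, blueprintName and resourceScope cannot be changed
            // after creation; changing any of them means recreating the artifact.
            .artifactName("costCenterPolicy")
            .blueprintName("simpleBlueprint")
            .displayName("force costCenter tag on all resources")
            .kind("policyAssignment") // required value for this resource type
            .parameters(Map.ofEntries(
                // Literal value passed to the policy's tagName parameter.
                Map.entry("tagName", com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs.builder()
                    .value("costCenter")
                    .build()),
                // Blueprint expression: resolves to the blueprint-level parameter
                // named costCenter, which the blueprint itself must define.
                Map.entry("tagValue", com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs.builder()
                    .value("[parameter('costCenter')]")
                    .build())
            ))
            // ID of an existing Azure Policy definition. This artifact only
            // assigns it; read the definition to know what it enforces.
            .policyDefinitionId("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62")
            // Management-group scope: the assignment applies across every
            // subscription in this hierarchy, so review that reach first.
            .resourceScope("providers/Microsoft.Management/managementGroups/ContosoOnlineGroup")
            .build());
    }
}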
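resources:
  # Policy assignment artifact attached to the pre-existing blueprint "simpleBlueprint".
  policyAssignmentArtifact:
    type: azure-native:blueprint:PolicyAssignmentArtifact
    properties:
      # artifactName, blueprintName and resourceScope cannot be changed after
      # creation; changing any of them means recreating the artifact.
      artifactName: costCenterPolicy
      blueprintName: simpleBlueprint
      displayName: force costCenter tag on all resources
      kind: policyAssignment # required value for this resource type
      parameters:
        # Literal value passed to the policy's tagName parameter.
        tagName:
          value: costCenter
        # Blueprint expression: resolves to the blueprint-level parameter
        # named costCenter, which the blueprint itself must define.
        tagValue:
          value: '[parameter(''costCenter'')]'
      # ID of an existing Azure Policy definition. This artifact only assigns
      # it; read the definition itself to know what it enforces.
      policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
      # Management-group scope: the assignment applies across every
      # subscription in this hierarchy, so review that reach first.
      resourceScope: providers/Microsoft.Management/managementGroups/ContosoOnlineGroup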
The policyDefinitionId points to an existing Azure Policy definition. The parameters map provides values for the policy’s required inputs; here, tagName is set to a literal string while tagValue uses [parameter('costCenter')] syntax to reference a blueprint-level parameter. The kind property must be set to “policyAssignment”. The resourceScope targets a management group, applying the policy across all subscriptions within that hierarchy.
Apply policies at subscription scope
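When blueprints target individual subscriptions rather than management groups, the artifact configuration remains the same, but the resourceScope changes to a subscription path of the form subscriptions/{subscriptionId}. The all-zero GUID in the example is a placeholder for your own subscription ID.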
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Subscription scope: the assignment is limited to this one subscription.
// The all-zero GUID is a placeholder for a real subscription ID.
const subscriptionScope = "subscriptions/00000000-0000-0000-0000-000000000000";

// ID of an existing Azure Policy definition. This artifact only assigns it;
// read the definition itself to know what it enforces.
const tagPolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62";

// Policy assignment artifact attached to the pre-existing blueprint "simpleBlueprint".
const policyAssignmentArtifact = new azure_native.blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", {
    // resourceScope, blueprintName and artifactName cannot be changed after
    // creation; changing any of them means recreating the artifact.
    resourceScope: subscriptionScope,
    blueprintName: "simpleBlueprint",
    artifactName: "costCenterPolicy",
    kind: "policyAssignment", // required value for this resource type
    displayName: "force costCenter tag on all resources",
    policyDefinitionId: tagPolicyDefinitionId,
    parameters: {
        // Literal value passed to the policy's tagName parameter.
        tagName: { value: "costCenter" },
        // Blueprint expression: resolves to the blueprint-level parameter
        // named costCenter, which the blueprint itself must define.
        tagValue: { value: "[parameter('costCenter')]" },
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Subscription scope: the assignment is limited to this one subscription.
# The all-zero GUID is a placeholder for a real subscription ID.
subscription_scope = "subscriptions/00000000-0000-0000-0000-000000000000"

# ID of an existing Azure Policy definition. This artifact only assigns it;
# read the definition itself to know what it enforces.
tag_policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"

tag_parameters = {
    # Literal value passed to the policy's tagName parameter.
    "tagName": {"value": "costCenter"},
    # Blueprint expression: resolves to the blueprint-level parameter named
    # costCenter, which the blueprint itself must define.
    "tagValue": {"value": "[parameter('costCenter')]"},
}

# Policy assignment artifact attached to the pre-existing blueprint
# "simpleBlueprint". resource_scope, blueprint_name and artifact_name cannot be
# changed after creation; changing any of them means recreating the artifact.
policy_assignment_artifact = azure_native.blueprint.PolicyAssignmentArtifact(
    "policyAssignmentArtifact",
    resource_scope=subscription_scope,
    blueprint_name="simpleBlueprint",
    artifact_name="costCenterPolicy",
    kind="policyAssignment",  # required value for this resource type
    display_name="force costCenter tag on all resources",
    policy_definition_id=tag_policy_definition_id,
    parameters=tag_parameters,
)
package main
import (
blueprint "github.com/pulumi/pulumi-azure-native-sdk/blueprint/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one policy assignment artifact on the pre-existing blueprint
// "simpleBlueprint" and returns any registration error to the Pulumi runtime.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		artifactArgs := &blueprint.PolicyAssignmentArtifactArgs{
			// Subscription scope: the assignment is limited to this one
			// subscription; the all-zero GUID is a placeholder.
			// ResourceScope, BlueprintName and ArtifactName cannot be changed
			// after creation; changing them means recreating the artifact.
			ResourceScope: pulumi.String("subscriptions/00000000-0000-0000-0000-000000000000"),
			BlueprintName: pulumi.String("simpleBlueprint"),
			ArtifactName:  pulumi.String("costCenterPolicy"),
			Kind:          pulumi.String("policyAssignment"), // required value for this resource type
			DisplayName:   pulumi.String("force costCenter tag on all resources"),
			// ID of an existing Azure Policy definition. This artifact only
			// assigns it; read the definition to know what it enforces.
			PolicyDefinitionId: pulumi.String("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62"),
			Parameters: blueprint.ParameterValueMap{
				// Literal value passed to the policy's tagName parameter.
				"tagName": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("costCenter"),
				},
				// Blueprint expression: resolves to the blueprint-level
				// parameter named costCenter, which the blueprint must define.
				"tagValue": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("[parameter('costCenter')]"),
				},
			},
		}

		_, err := blueprint.NewPolicyAssignmentArtifact(ctx, "policyAssignmentArtifact", artifactArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Subscription scope: the assignment is limited to this one subscription.
    // The all-zero GUID is a placeholder for a real subscription ID.
    const string subscriptionScope = "subscriptions/00000000-0000-0000-0000-000000000000";

    // ID of an existing Azure Policy definition. This artifact only assigns it;
    // read the definition itself to know what it enforces.
    const string tagPolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62";

    // Policy assignment artifact attached to the pre-existing blueprint "simpleBlueprint".
    var policyAssignmentArtifact = new AzureNative.Blueprint.PolicyAssignmentArtifact("policyAssignmentArtifact", new()
    {
        // ResourceScope, BlueprintName and ArtifactName cannot be changed after
        // creation; changing any of them means recreating the artifact.
        ResourceScope = subscriptionScope,
        BlueprintName = "simpleBlueprint",
        ArtifactName = "costCenterPolicy",
        Kind = "policyAssignment", // required value for this resource type
        DisplayName = "force costCenter tag on all resources",
        PolicyDefinitionId = tagPolicyDefinitionId,
        Parameters =
        {
            // Literal value passed to the policy's tagName parameter.
            { "tagName", new AzureNative.Blueprint.Inputs.ParameterValueArgs { Value = "costCenter" } },
            // Blueprint expression: resolves to the blueprint-level parameter
            // named costCenter, which the blueprint itself must define.
            { "tagValue", new AzureNative.Blueprint.Inputs.ParameterValueArgs { Value = "[parameter('costCenter')]" } },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifact;
import com.pulumi.azurenative.blueprint.PolicyAssignmentArtifactArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
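/**
 * Pulumi program that adds one policy assignment artifact to the pre-existing
 * blueprint "simpleBlueprint", scoped to a single subscription.
 */
public class App {
    /**
     * Hands the stack definition to the Pulumi runtime.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy assignment artifact.
     *
     * @param ctx Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        // ParameterValueArgs is written fully qualified because this listing's
        // import block does not import it; the unqualified name does not compile.
        var policyAssignmentArtifact = new PolicyAssignmentArtifact("policyAssignmentArtifact", PolicyAssignmentArtifactArgs.builder()
            // artifactName, blueprintName and resourceScope cannot be changed
            // after creation; changing any of them means recreating the artifact.
            .artifactName("costCenterPolicy")
            .blueprintName("simpleBlueprint")
            .displayName("force costCenter tag on all resources")
            .kind("policyAssignment") // required value for this resource type
            .parameters(Map.ofEntries(
                // Literal value passed to the policy's tagName parameter.
                Map.entry("tagName", com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs.builder()
                    .value("costCenter")
                    .build()),
                // Blueprint expression: resolves to the blueprint-level parameter
                // named costCenter, which the blueprint itself must define.
                Map.entry("tagValue", com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs.builder()
                    .value("[parameter('costCenter')]")
                    .build())
            ))
            // ID of an existing Azure Policy definition. This artifact only
            // assigns it; read the definition to know what it enforces.
            .policyDefinitionId("/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62")
            // Subscription scope: the assignment is limited to this one
            // subscription; the all-zero GUID is a placeholder.
            .resourceScope("subscriptions/00000000-0000-0000-0000-000000000000")
            .build());
    }
}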
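resources:
  # Policy assignment artifact attached to the pre-existing blueprint "simpleBlueprint".
  policyAssignmentArtifact:
    type: azure-native:blueprint:PolicyAssignmentArtifact
    properties:
      # artifactName, blueprintName and resourceScope cannot be changed after
      # creation; changing any of them means recreating the artifact.
      artifactName: costCenterPolicy
      blueprintName: simpleBlueprint
      displayName: force costCenter tag on all resources
      kind: policyAssignment # required value for this resource type
      parameters:
        # Literal value passed to the policy's tagName parameter.
        tagName:
          value: costCenter
        # Blueprint expression: resolves to the blueprint-level parameter
        # named costCenter, which the blueprint itself must define.
        tagValue:
          value: '[parameter(''costCenter'')]'
      # ID of an existing Azure Policy definition. This artifact only assigns
      # it; read the definition itself to know what it enforces.
      policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
      # Subscription scope: the assignment is limited to this one
      # subscription; the all-zero GUID is a placeholder.
      resourceScope: subscriptions/00000000-0000-0000-0000-000000000000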
The resourceScope now uses the subscription format instead of a management group path. All other properties (policyDefinitionId, parameters, kind) work identically. This allows the same blueprint to be applied at different organizational levels.
Beyond these examples
These snippets focus on specific policy assignment artifact features: policy assignment with parameterization and management group and subscription scoping. They’re intentionally minimal rather than full blueprint definitions.
The examples reference pre-existing infrastructure such as Azure Blueprint definitions, Azure Policy definitions, and management groups or subscriptions. They focus on configuring the artifact rather than creating the surrounding blueprint structure.
To keep things focused, common artifact patterns are omitted, including:
- Artifact dependencies (dependsOn)
- Resource group targeting (resourceGroup)
- Multi-artifact blueprints with ARM templates and role assignments
- Blueprint parameter definitions and value passing
These omissions are intentional: the goal is to illustrate how policy assignment artifacts are wired, not provide drop-in governance modules. See the PolicyAssignmentArtifact resource reference for all available configuration options.
Frequently Asked Questions
Resource Scope & Targeting
Management group scope uses /providers/Microsoft.Management/managementGroups/{managementGroup}, while subscription scope uses /subscriptions/{subscriptionId}. (The examples on this page write both forms without the leading slash.)
resourceScope is immutable and cannot be changed after creation. You must recreate the artifact to change the scope.
Configuration & Parameters
Use [parameter('parameterName')] in the parameter value. For example, to reference a blueprint parameter named costCenter, use [parameter('costCenter')].
The kind property must be set to policyAssignment for this resource type.
Policy definition IDs use the format /providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionGuid}.
Artifact Management
artifactName, blueprintName, and resourceScope cannot be changed after the artifact is created. Changes to these properties require recreating the resource.
Use the dependsOn property with an array of artifact names that must be deployed before this artifact.
artifactName is the immutable identifier used in the resource path, while displayName is a user-friendly one-liner that explains the resource and can be changed.