Restrict Savings Plan creation outside specified subscription in Mgmt group via Azure Policy

Vishal P 0 Reputation points
2025-01-08T13:50:14.38+00:00

Using Terraform/Azure Policies, I want to restrict the creation of savings plans only to one of our subscriptions, i.e. Prod. We have more than 10 subscriptions in the tenant in different management groups.

Since Savings Plans don't have a straightforward path, I'm facing difficulties creating a policy for them.

Here's the policy I have so far:


resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <
  1. Vidya Viraktamath 235 Reputation points Microsoft Employee
    2025-01-08T19:32:35.8233333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    To restrict the creation of savings plans to only one subscription (Prod) using Terraform and Azure Policies, you can define a custom policy and assign it to the specific subscription. Here's how you can complete your policy definition:

    Policy Definition

    resource "azurerm_policy_definition" "restrict_savings_plan" {
      name         = "restrict-savings-plan-creation"
      policy_type  = "Custom"
      mode         = "All"
      display_name = "Restrict Savings Plan Creation to Prod Subscription"
    
      policy_rule = <<-POLICY_RULE
      {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/savingsPlans"
            },
            {
              "not": {
                "field": "subscriptionId",
                "equals": "YOUR_PROD_SUBSCRIPTION_ID"
              }
            }
          ]
        },
        "then": {
          "effect": "Deny"
        }
      }
      POLICY_RULE
    }
    

    Policy Assignment

    Next, you need to assign this policy to your management group or subscription. Here's an example of how to assign it to a management group:

    resource "azurerm_subscription_policy_assignment" "restrict_savings_plan_assignment" {
      # azurerm_policy_assignment was removed in azurerm provider 3.0; assignments are now
      # scope-specific resources (subscription, management group, resource group, resource).
      name                 = "restrict-savings-plan-assignment"
      policy_definition_id = azurerm_policy_definition.restrict_savings_plan.id
      subscription_id      = "/subscriptions/YOUR_PROD_SUBSCRIPTION_ID"
      display_name         = "Restrict Savings Plan Creation to Prod Subscription"
    }
    

    Explanation

    • Policy Rule: The policy rule checks if the resource type is Microsoft.Compute/savingsPlans and if the subscription ID is not equal to your Prod subscription ID. If both conditions are met, the policy denies the creation of the savings plan.
    • Policy Assignment: The policy is assigned to the specific subscription (Prod) where you want to allow the creation of savings plans.

    Replace YOUR_PROD_SUBSCRIPTION_ID with the actual subscription ID of your Prod environment.

    By following these steps, you can restrict the creation of savings plans to only your Prod subscription. If you have any further questions or need additional assistance, feel free to ask!

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

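The following is an added illustration, not code from the question or the answer above and not the Azure Policy engine: a small Python evaluator that takes the answer's policy rule as data and walks through the `allOf` / `not` / `field`-`equals` logic against a few constructed resource writes. It also models the one point that decides whether the deny ever fires: an assignment is only evaluated for resources inside its scope, so assigning the rule to the Prod subscription alone never evaluates writes in the other subscriptions, while assigning it at a management group that contains the non-Prod subscriptions does. The subscription IDs, the management-group ancestry, and the resource records are all constructed placeholders; fields are looked up as plain keys on those records rather than through the service's field aliases.

```python
"""Toy evaluator for the Azure Policy rule from the answer (added example, not the Azure engine)."""
from __future__ import annotations

from typing import Any

# Constructed placeholder subscription IDs; substitute real ones in practice.
PROD_SUB = "11111111-1111-1111-1111-111111111111"
DEV_SUB = "22222222-2222-2222-2222-222222222222"

# Constructed tenant layout: subscription -> management group ancestry (root first).
MG_ANCESTRY = {
    PROD_SUB: ["tenant-root", "mg-prod"],
    DEV_SUB: ["tenant-root", "mg-nonprod"],
}

# The rule from the answer, with the placeholder replaced by the constructed Prod ID.
POLICY_RULE: dict[str, Any] = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/savingsPlans"},
            {"not": {"field": "subscriptionId", "equals": PROD_SUB}},
        ]
    },
    "then": {"effect": "Deny"},
}


def evaluate_condition(cond: dict[str, Any], resource: dict[str, str]) -> bool:
    """Evaluate the allOf / anyOf / not / field-equals subset of the condition grammar.

    Fields are read directly from the constructed resource record; the real service
    resolves them through its own field aliases.
    """
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "field" in cond and "equals" in cond:
        # Azure Policy string comparisons are case-insensitive.
        actual = resource.get(cond["field"], "")
        return actual.lower() == cond["equals"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource: dict[str, str], assignment_scope: str) -> bool:
    """An assignment applies only to resources inside its scope (subscription or management group)."""
    sub = resource["subscriptionId"]
    if assignment_scope == f"/subscriptions/{sub}":
        return True
    mg_prefix = "/providers/Microsoft.Management/managementGroups/"
    if assignment_scope.startswith(mg_prefix):
        return assignment_scope[len(mg_prefix):] in MG_ANCESTRY.get(sub, [])
    return False


def decide(resource: dict[str, str], assignment_scope: str,
           rule: dict[str, Any] = POLICY_RULE) -> str:
    """Outcome of one resource write under one assignment: Deny, Allow, or NotEvaluated."""
    if not in_scope(resource, assignment_scope):
        return "NotEvaluated"          # out of scope: the assignment never sees this write
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"]  # the "if" matched, so the "then" effect applies
    return "Allow"


# Constructed sample writes: a savings plan in Prod, one in Dev, and an unrelated VM in Dev.
SAMPLES = {
    "plan_in_prod": {"type": "Microsoft.Compute/savingsPlans", "subscriptionId": PROD_SUB},
    "plan_in_dev": {"type": "Microsoft.Compute/savingsPlans", "subscriptionId": DEV_SUB},
    "vm_in_dev": {"type": "Microsoft.Compute/virtualMachines", "subscriptionId": DEV_SUB},
}


def outcomes(assignment_scope: str) -> dict[str, str]:
    """Decision for every sample write under a given assignment scope."""
    return {name: decide(res, assignment_scope) for name, res in SAMPLES.items()}


if __name__ == "__main__":
    for scope in (f"/subscriptions/{PROD_SUB}",
                  "/providers/Microsoft.Management/managementGroups/tenant-root"):
        print(scope, outcomes(scope))
```

Running it shows the difference between the two assignment scopes: under `/subscriptions/<Prod>` the Dev writes come back `NotEvaluated` and nothing is ever denied, whereas under the `tenant-root` management group the Dev savings plan is denied, the Prod one is allowed, and the Dev VM is allowed because its `type` does not match.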
