Sentinel policy to mandate AzurePolicyforLinux/AzurePolicyforWindows VM/VMSS extensions

In Azure, we have a total of 6 ways to create VMs, with either VM or VMSS resources:

We want to mandate that all VMs created using any of the above resources always also have extensions on those machines, using the resources below:
azurerm_virtual_machine_extension & azurerm_virtual_machine_scale_set_extension

resource "azurerm_virtual_machine_extension" "example" {
  name = "AzurePolicyforLinux"
  virtual_machine_id =
  publisher = "Microsoft.GuestConfiguration"
  type = "ConfigurationforLinux"
  type_handler_version = "1.0"
  settings = <<SETTINGS
{
  "commandToExecute": "hostname && uptime"
}
SETTINGS
}

resource "azurerm_virtual_machine_scale_set_extension" "example" {
  name = "example"
  virtual_machine_scale_set_id =
  publisher = "Microsoft.GuestConfiguration"
  type = "ConfigurationforLinux"
  type_handler_version = "1.0"
  settings = jsonencode({
    "commandToExecute" = "echo $HOSTNAME"
  })
}

I can do it by finding the length of all the resources and doing a lot of if…else, but wanted to look for a simpler and better option to handle this use case.

@hcrhall Can you suggest something on this? Thanks

@jhabikal21 sure thing, if you can share a policy example using the Sentinel Playground that includes mock data that would be great.

Sentinel Playground @hcrhall

I’ve just taken a look and I was wondering how you name the VMs and Extension resources in your Terraform configuration?

This seems like the most logical key to use in order to validate your configuration. If you use modularization to deploy a standard VM in your organization, then you could use a filter expression to cross-reference the various resource types.
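
An added example, not code posted by anyone in this thread: one way to cross-reference the resource types with filter expressions instead of length checks, keyed on the reference each extension's virtual_machine_id / virtual_machine_scale_set_id makes in the tfconfig/v2 import. Assumptions: the six VM/VMSS types listed in the policy, ConfigurationforWindows as the Windows counterpart of the type shown above, and each extension referencing a VM or VMSS declared in the same module. Inline extension blocks on scale sets are not inspected.

```sentinel
import "tfconfig/v2" as tfconfig

# Assumed parent resource types (the thread's own list of six is not shown).
vm_types = ["azurerm_virtual_machine", "azurerm_linux_virtual_machine",
	"azurerm_windows_virtual_machine"]
vmss_types = ["azurerm_virtual_machine_scale_set",
	"azurerm_linux_virtual_machine_scale_set",
	"azurerm_windows_virtual_machine_scale_set"]

required_publisher = "Microsoft.GuestConfiguration"
required_types = ["ConfigurationforLinux", "ConfigurationforWindows"]

# Keys ("<module address>:<type>.<name>") of every parent that a compliant
# extension of ext_type points at through its id_attr argument.
covered = func(ext_type, id_attr) {
	refs = []
	for tfconfig.resources as _, r {
		if r.mode is "managed" and r.type is ext_type and
			(r.config.publisher.constant_value else "") is required_publisher and
			(r.config.type.constant_value else "") in required_types {
			for (r.config[id_attr].references else []) as ref {
				refs = refs + [r.module_address + ":" + ref]
			}
		}
	}
	return refs
}

# Parents of parent_types that no compliant extension references.
uncovered = func(parent_types, ext_type, id_attr) {
	refs = covered(ext_type, id_attr)
	return filter tfconfig.resources as _, r {
		r.mode is "managed" and r.type in parent_types and
			(r.module_address + ":" + r.type + "." + r.name) not in refs
	}
}

missing_vm = uncovered(vm_types,
	"azurerm_virtual_machine_extension", "virtual_machine_id")
missing_vmss = uncovered(vmss_types,
	"azurerm_virtual_machine_scale_set_extension", "virtual_machine_scale_set_id")

for missing_vm as address, r {
	print(address, "(" + r.type + ") has no guest configuration extension")
}
for missing_vmss as address, r {
	print(address, "(" + r.type + ") has no guest configuration extension")
}

main = rule { length(missing_vm) is 0 and length(missing_vmss) is 0 }
```

Because the check runs against configuration references rather than planned values, it still works when the VM id is unknown at plan time; a single reference covers every instance of a resource that uses count or for_each.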