
Manual Test Runbook — M6: Data Residency (Allowed Regions Only)

Owner: Sagar  |  Time: ~10 min (Parts A + B) · +15 min (optional Part C live apply + enforce drill)  |  Sandbox: snowops-sandbox-01

Promotes M6 (modules/azure/data-residency-policy/) from 🟦 Code Complete → 🟩 Shipped. Part C cost ~$0. M6 is validate-only in the automated suite, the same pattern as M1/M3/J2/H3/B5. The Allowed-locations built-ins carry a Deny effect intrinsically (there is no Audit variant), so the live drill toggles the assignment's enforcementMode instead: enforce = false → true.


Prerequisites

  • Sandbox subscription access active (PIM activated if required)
  • az login done; sandbox subscription selected
  • Identity has Owner OR Resource Policy Contributor on the sandbox sub (Part C additionally needs rights to create and delete resource groups for the probe; Owner covers that, Resource Policy Contributor alone does not)
  • Local tooling: terraform >= 1.6, go >= 1.22, az CLI >= 2.50
  • Working directory: repo root

Steps

Part A — terraform fmt + validate (offline, ~3 min)

  1. Format-check, init (no backend) and validate the module, then its basic example:

```bash
terraform -chdir=modules/azure/data-residency-policy fmt -recursive -check
terraform -chdir=modules/azure/data-residency-policy init -backend=false -input=false
terraform -chdir=modules/azure/data-residency-policy validate

terraform -chdir=modules/azure/data-residency-policy/examples/basic init -backend=false -input=false
terraform -chdir=modules/azure/data-residency-policy/examples/basic validate
```

Expected: Success! for both.

  2. Run the M6 validate-only Terratest:

```bash
cd tests/terratest
go test -v -timeout 5m ./modules/azure/... -run TestDataResidencyPolicyValidate
```

Expected: PASS (exercises both the resource + resource-group Allowed-locations references).

Part B — full Terratest suite (offline, ~3 min)

  1. Run the whole offline suite:

```bash
cd tests/terratest && go test -count=1 -timeout 15m ./...
```

Expected: 31 top-level tests green.

Part C — live apply + enforce drill (sandbox, ~15 min, ~$0)

  1. Apply with enforce = false first (assignment created with enforcementMode DoNotEnforce, so nothing is blocked yet), restricting to a single region so an out-of-region create is easy to test:

```bash
cd modules/azure/data-residency-policy/examples/basic
terraform init -input=false
terraform apply -auto-approve \
  -var "subscription_id=$SNOWOPS_SANDBOX_SUBSCRIPTION_ID" \
  -var "tenant_id=$SNOWOPS_SANDBOX_TENANT_ID" \
  -var 'allowed_locations=["eastus"]' \
  -var "enforce=false"
```

  2. Confirm the assignment + its region list:

```bash
az policy assignment show --name snowops-data-residency \
  --query "{enforcement:enforcementMode, regions:parameters.listOfAllowedLocations.value}" -o json
```

Expected: enforcement = DoNotEnforce; regions ["eastus"].

  3. Flip to enforce and attempt an out-of-region create. Allow a few minutes for the enforcementMode change to propagate: if the westeurope create still succeeds right after the apply, delete the RG, wait, and retry before recording a FAIL.

```bash
terraform apply -auto-approve \
  -var "subscription_id=$SNOWOPS_SANDBOX_SUBSCRIPTION_ID" \
  -var "tenant_id=$SNOWOPS_SANDBOX_TENANT_ID" \
  -var 'allowed_locations=["eastus"]' \
  -var "enforce=true"

az group create -n m6-probe-rg -l westeurope   # OUT of the eastus boundary
```

Expected: the westeurope RG create is denied with RequestDisallowedByPolicy, and the policy identifiers in the error name the resource-group Allowed-locations assignment (the module's allowed_locations_rg reference), not some other policy already on the sandbox. An eastus create succeeds.

  4. Clean up the probe RG:

```bash
az group delete -n m6-probe-rg --yes --no-wait   # only if it was created
```
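Steps 3 and 4 above are done by hand and judged by eye; the script below is an added example of the same drill, not part of the M6 module or the snowops test tooling. It runs the same `az group create` probes, classifies each outcome (allowed, denied by policy, or some other error such as an authorization failure), attributes a deny to the assignment named in the error so a stray sandbox policy is not mistaken for M6, polls through the propagation window instead of failing on the first "allowed", and checks the in-region create still succeeds. Assumptions not taken from the runbook: the assignment name snowops-data-residency, the shape of the CLI's RequestDisallowedByPolicy message (the sample in the script is constructed in that shape, not captured), and a 30 s poll interval.

```shell
#!/usr/bin/env bash
# Added example for the Part C enforce drill (steps 3-4). Not part of the M6
# module or the snowops test tooling. Assumed, not from the runbook: the
# assignment name snowops-data-residency, the shape of the CLI's
# RequestDisallowedByPolicy message, and a 30 s poll interval.
set -eu

# Constructed sample of a denied create, in the shape az prints it; not a
# captured message, and <sub>/<id> stand in for real identifiers.
SAMPLE_DENY=$(cat <<'EOF'
ERROR: (RequestDisallowedByPolicy) Resource 'm6-probe-rg' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"snowops-data-residency","id":"/subscriptions/<sub>/providers/Microsoft.Authorization/policyAssignments/snowops-data-residency"},"policyDefinition":{"name":"Allowed locations for resource groups","id":"/providers/Microsoft.Authorization/policyDefinitions/<id>"}}]'.
EOF
)

# Map an `az group create` exit status + stderr to one of three outcomes, so a
# deny by policy is never confused with an auth, quota or transient error.
classify_probe() {
  status="$1"; stderr="$2"
  if [ "$status" -eq 0 ]; then
    echo allowed
  else
    case "$stderr" in
      *RequestDisallowedByPolicy*) echo denied-by-policy ;;
      *) echo other-error ;;
    esac
  fi
}

# Pull the denying assignment name(s) out of the 'Policy identifiers' JSON in
# the error text, so the deny is attributed to snowops-data-residency and not
# to some other policy already on the sandbox. Prints "unknown" if none found.
denying_assignment() {
  names=$(printf '%s\n' "$1" \
    | grep -o '"policyAssignment":{"name":"[^"]*"' \
    | sed -e 's/.*"name":"//' -e 's/"$//' || true)
  printf '%s\n' "${names:-unknown}"
}

# One probe: try to create RG $1 in region $2, set PROBE_CLASS and PROBE_ERR.
# A create that slipped through is deleted synchronously so the name is free
# for the next attempt.
probe_region() {
  rg="$1"; region="$2"
  set +e
  PROBE_ERR=$(az group create -n "$rg" -l "$region" --only-show-errors 2>&1 >/dev/null)
  status=$?
  set -e
  [ "$status" -ne 0 ] || az group delete -n "$rg" --yes --only-show-errors >/dev/null
  PROBE_CLASS=$(classify_probe "$status" "$PROBE_ERR")
}

# Re-probe until the out-of-region create is denied. A freshly flipped
# enforcementMode can take minutes to propagate; an "allowed" in that window
# is not a drill failure, so keep polling instead of calling it one.
wait_for_deny() {
  rg="$1"; region="$2"; attempts="${3:-10}"; i=1
  while [ "$i" -le "$attempts" ]; do
    probe_region "$rg" "$region"
    [ "$PROBE_CLASS" != "denied-by-policy" ] || return 0
    echo "attempt $i/$attempts: $PROBE_CLASS, waiting 30 s for propagation" >&2
    sleep 30
    i=$((i + 1))
  done
  return 1
}

# The drill itself: run after the enforce=true apply (step 3).
run_drill() {
  assignment="$1"; rc=0
  if wait_for_deny m6-probe-rg westeurope; then
    by=$(denying_assignment "$PROBE_ERR")
    case "$by" in
      *"$assignment"*) echo "PASS: westeurope denied by $assignment" ;;
      *) echo "FAIL: westeurope denied, but by '$by', not $assignment"; rc=1 ;;
    esac
  else
    echo "FAIL: westeurope create was $PROBE_CLASS after polling"; rc=1
  fi
  # The policy must not over-block: an in-region create still has to succeed.
  probe_region m6-probe-rg eastus
  if [ "$PROBE_CLASS" = allowed ]; then
    echo "PASS: eastus allowed"
  else
    echo "FAIL: eastus create was $PROBE_CLASS"; printf '%s\n' "$PROBE_ERR" >&2; rc=1
  fi
  return "$rc"
}

# Only touch Azure when explicitly asked: ./m6_drill.sh --live [assignment-name]
[ "${1:-}" != "--live" ] || run_drill "${2:-snowops-data-residency}"
```

Run it with `--live` from a shell that already has the sandbox subscription selected, after the enforce=true apply; without the flag it only defines the functions, so the classifier and the attribution parser can be exercised offline against the constructed sample. The in-region probe cleans up after itself, so the manual step 4 delete is only needed if the script is interrupted mid-probe.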

Pass criteria

  • Part A — module + example validate; TestDataResidencyPolicyValidate passes
  • Part B — full offline suite passes (31 top-level)
  • (Part C) assignment created with the region list; enforce=false does not block
  • (Part C) under enforce=true an out-of-region create is denied; an in-region create succeeds
  • All test resources removed

Teardown

cd modules/azure/data-residency-policy/examples/basic
terraform destroy -auto-approve \
  -var "subscription_id=$SNOWOPS_SANDBOX_SUBSCRIPTION_ID" \
  -var "tenant_id=$SNOWOPS_SANDBOX_TENANT_ID" \
  -var 'allowed_locations=["eastus"]'
az group delete -n m6-probe-rg --yes --no-wait   # if created

Sign-off

  • Tester: _  |  Date: _  |  Result: PASS / FAIL / N/A
  • Notes: