
Enable "managed" Policy Assignment parameters for custom Management Group hierarchies

Open mlomat opened this issue 2 years ago • 9 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

Hello team,

In my use case, I decided to use a custom org structure with slightly different names. So instead of e.g. org-identity, I would like to have a custom name, e.g. mysuffix-identity-mypostfix. Exactly the same for identity and management. Everything is working fine when I inject my structure over custom landing zones, but I also want to use your out-of-the-box archetypes. This is also working; the only problem is with the assignments of the policies. In your code you have e.g.

locals {
  archetype_config_overrides = {
    "${local.root_id}-identity" = {
      parameters = {
        Deny-Public-IP = {
          effect = "Deny"
        }
        Deny-RDP-From-Internet = {
          effect = "Deny"
        }
        Deny-Subnet-Without-Nsg = {
          effect = "Deny"
        }
        Deploy-VM-Backup = {
          effect            = "deployIfNotExists"
          exclusionTagName  = ""
          exclusionTagValue = []
        }
      }
      enforcement_mode = {
        Deny-Public-IP          = local.deploy_enable_deny_public_ip
        Deny-RDP-From-Internet  = local.deploy_enable_deny_rdp_from_internet
        Deny-Subnet-Without-Nsg = local.deploy_enable_deny_subnet_without_nsg
        Deploy-VM-Backup        = local.deploy_enable_deploy_azure_backup_on_vms
      }
    }
  }
}

Here you are assuming that the name of the connectivity management group will be based on root_id (same for management and connectivity). I would like to have the option to overwrite it with my own name for the management group ID.

Describe the solution you'd like

So it would be nice to have an option in the advanced settings to pass my own management, identity and connectivity management group names, or at least a prefix and suffix similar to what you have for resources in the advanced options.

Additional context

mlomat avatar May 19 '22 09:05 mlomat

Something like the code below, and I will add the same for connectivity and management.

locals {
  enabled  = var.enabled
  root_id  = var.root_id
  settings = var.settings
  identity_management_group_name = coalesce(var.custom_identity_mg_name, "${local.root_id}-identity")
}

# Logic to determine whether specific resources
# should be created by this module
locals {
  deploy_identity                          = local.enabled && local.settings.identity.enabled
  deploy_enable_deny_public_ip             = local.deploy_identity && local.settings.identity.config.enable_deny_public_ip
  deploy_enable_deny_rdp_from_internet     = local.deploy_identity && local.settings.identity.config.enable_deny_rdp_from_internet
  deploy_enable_deny_subnet_without_nsg    = local.deploy_identity && local.settings.identity.config.enable_deny_subnet_without_nsg
  deploy_enable_deploy_azure_backup_on_vms = local.deploy_identity && local.settings.identity.config.enable_deploy_azure_backup_on_vms
}

# Archetype configuration overrides
locals {
  archetype_config_overrides = {
    "${local.identity_management_group_name}" = {
      parameters = {
        Deny-Public-IP = {
          effect = "Deny"
        }
        Deny-RDP-From-Internet = {
          effect = "Deny"
        }
        Deny-Subnet-Without-Nsg = {
          effect = "Deny"
        }
        Deploy-VM-Backup = {
          effect            = "deployIfNotExists"
          exclusionTagName  = ""
          exclusionTagValue = []
        }
      }
      enforcement_mode = {
        Deny-Public-IP          = local.deploy_enable_deny_public_ip
        Deny-RDP-From-Internet  = local.deploy_enable_deny_rdp_from_internet
        Deny-Subnet-Without-Nsg = local.deploy_enable_deny_subnet_without_nsg
        Deploy-VM-Backup        = local.deploy_enable_deploy_azure_backup_on_vms
      }
    }
  }
}

mlomat avatar May 19 '22 09:05 mlomat

Sorry, no idea how / if it's possible to highlight something with a custom color in a code snippet xD

mlomat avatar May 19 '22 09:05 mlomat

Hi @mlomat ... this seems a relatively straightforward and sensible addition, and it's great that you've already thought this through with some pointers as to how it might be implemented.

I'll discuss with the team and see what we can do around this. Thank you

krowlandson avatar May 19 '22 09:05 krowlandson

Trigger ADO Sync

jtracey93 avatar Sep 09 '22 15:09 jtracey93

Trigger ADO Sync

krowlandson avatar Oct 14 '22 07:10 krowlandson

This should be a capability provided as part of addressing the following issue:

  • #115

krowlandson avatar Dec 19 '22 14:12 krowlandson

Just leaving a note here for consideration...

Would it work to remove the scope element completely for managed policies and just make the managed policy parameters available to all scopes by default?

The module already quietly discards (or rather ignores) parameters for policies which aren't applicable at the current scope. This would negate the need to worry about additional logic as all of our managed policies [currently] are only assigned to a single scope.

Also, custom specified parameters at individual scopes take precedence over those managed within the module, so customization will still be possible.

cc: @mlomat, @jtracey93, @matt-FFFFFF

krowlandson avatar Jan 03 '23 13:01 krowlandson
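An added Terraform sketch of my own (not the module's code) that combines the naming override proposed earlier in this thread with the precedence described in this comment: the caller may supply custom identity/management/connectivity management group IDs that fall back to "<root_id>-<name>", and module-managed parameters are merged under the caller's overrides per assignment, so caller values win while scopes the module does not manage pass through untouched. The variable names are assumptions, the root ID is hard-coded as a stand-in for var.root_id, and optional() object attributes need Terraform 1.3 or later.

```hcl
# Added illustration, not module code. Assumed inputs: optional custom IDs for the
# platform management groups (unset means "<root_id>-<name>") and caller overrides
# keyed by scope ID, then policy assignment name.
variable "custom_platform_mg_ids" {
  type = object({
    identity     = optional(string)
    management   = optional(string)
    connectivity = optional(string)
  })
  default = {}
}

variable "archetype_config_overrides" {
  type    = any
  default = {}
}

locals {
  root_id = "myorg" # stands in for var.root_id
  # Resolved scope IDs, e.g. identity = "mysuffix-identity-mypostfix", management = "myorg-management".
  platform_mg_ids = {
    for name in ["identity", "management", "connectivity"] :
    name => coalesce(lookup(var.custom_platform_mg_ids, name, null), "${local.root_id}-${name}")
  }

  # Parameters the module would manage, keyed by the resolved identity scope (values from the issue).
  managed_parameters = {
    (local.platform_mg_ids.identity) = {
      Deny-Public-IP          = { effect = "Deny" }
      Deny-RDP-From-Internet  = { effect = "Deny" }
      Deny-Subnet-Without-Nsg = { effect = "Deny" }
      Deploy-VM-Backup        = { effect = "deployIfNotExists", exclusionTagName = "", exclusionTagValue = [] }
    }
  }

  # Per-scope, per-assignment merge: caller parameters win; scopes only the caller names pass through.
  effective_parameters = {
    for scope in distinct(concat(keys(local.managed_parameters), keys(var.archetype_config_overrides))) :
    scope => {
      for assignment in distinct(concat(
        keys(lookup(local.managed_parameters, scope, {})),
        keys(lookup(var.archetype_config_overrides, scope, {}))
      )) :
      assignment => merge(
        lookup(lookup(local.managed_parameters, scope, {}), assignment, {}),
        lookup(lookup(var.archetype_config_overrides, scope, {}), assignment, {})
      )
    }
  }
}
```

Setting custom_platform_mg_ids = { identity = "mysuffix-identity-mypostfix" } re-keys the managed identity parameters under that ID, and an override such as { "mysuffix-identity-mypostfix" = { Deny-Public-IP = { effect = "Audit" } } } replaces only that parameter while the other three managed assignments are kept.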

AB#26868

matt-FFFFFF avatar Mar 03 '23 15:03 matt-FFFFFF

Part of v.next

matt-FFFFFF avatar Mar 03 '23 15:03 matt-FFFFFF