feat: add sovereign landing zone (#177)
<!-- Thank you for submitting a Pull Request. Please fill out the template below.-->

## Overview/Summary

Addition of Sovereign Landing Zone starter module.

## This PR fixes/adds/changes/removes

N/A

### Breaking Changes

None

## Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

## As part of this Pull Request I have

- [x] Checked for duplicate [Pull Requests](https://github.com/Azure/alz-terraform-accelerator/pulls)
- [x] Associated it with relevant [issues](https://github.com/Azure/alz-terraform-accelerator/issues), for tracking and closure.
- [x] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/alz-terraform-accelerator/tree/main)
- [x] Performed testing and provided evidence.
- [x] Updated relevant and associated documentation.

---------

Co-authored-by: VeronicaSea <[email protected]>
1 parent a6bfafd
commit 3497209
Showing 18 changed files with 2,393 additions and 2 deletions.
templates/microsoft_cloud_for_industry/sovereign_landing_zone/.gitignore (1 change: 1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
.alzlib |
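Review bot: the single `.alzlib` entry carries no comment, and nothing else in this change says what writes that directory, so a reader cannot tell whether it is a transient download cache that is safe to ignore or policy library content whose version ought to be pinned and reviewed before it shapes the management-group policy assignments. Add a one-line comment stating which tool populates `.alzlib` and where its source version is fixed.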
templates/microsoft_cloud_for_industry/sovereign_landing_zone/README.md (184 changes: 184 additions & 0 deletions)
@@ -0,0 +1,184 @@ | ||
# Azure Landing Zones Accelerator Starter Module for Terraform - Sovereign Landing Zone | ||
|
||
This module is part of the Azure Landing Zones Accelerator solution. It is Sovereign Landing Zone implementation of the Azure Landing Zones Platform Landing Zone for Terraform. | ||
|
||
It deploys the Sovereign Landing Zone (SLZ) with an equivalent compliance posture as to our [Bicep implementation](https://aka.ms/slz/bicep). | ||
|
||
The module deploys the following resources: | ||
|
||
- Management group hierarchy | ||
- Management group scope for confidential computing resources | ||
- Azure Policy definitions and assignments | ||
- Sovereign Baseline Policy Initiatives | ||
- Role definitions | ||
- Management resources, including Log Analytics workspace and Automation account | ||
- Hub virtual network including Azure Bastion and Azure Firewall | ||
- DDOS protection plan | ||
- Private DNS zones | ||
|
||
## Usage | ||
|
||
The module is intended to be used with the [Azure Landing Zones Accelerator](https://aka.ms/alz/accelerator/docs). Head over there to get started and review the microsoft_cloud_for_sovereignty starter module during Phase 2. A copy of the `inputs.yaml` file to use can be found [here](https://aka.ms/slz/terraform/inputs). | ||
|
||
## Inputs Parameters | ||
|
||
The description of inputs for this module are found in ALZ Accelerator documentation [here](https://aka.ms/slz/terraform/inputs). | ||
|
||
## Custom Compliance | ||
|
||
### Custom Policy Sets | ||
|
||
An example of the format for the `customer_policy_sets` map is as follows: | ||
|
||
```yaml | ||
customer_policy_sets: { | ||
assignment1: { | ||
policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f", | ||
policySetAssignmentName: "FedRAMPHigh", | ||
policySetAssignmentDisplayName: "FedRAMP High", | ||
policySetAssignmentDescription: "FedRAMP High", | ||
policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/<MG-ID-SCOPE>", | ||
policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json" | ||
} | ||
} | ||
``` | ||
|
||
### Policy Exemptions | ||
|
||
An example of the format for the `policy_exemptions` map is as follows: | ||
|
||
```yaml | ||
policy_exemptions: { | ||
policy_exemption1: { | ||
name: "globalexemption", | ||
display_name: "global", | ||
description: "test", | ||
management_group_id: "/providers/Microsoft.management/managementGroups/<MG-ID-SCOPE>", | ||
policy_assignment_id: "/providers/microsoft.management/managementGroups/<MG-ID-SCOPE>/providers/microsoft.Authorization/policyassignments/enforce-sovereign-global", | ||
policy_definition_reference_ids: ["AllowedLocations"] | ||
} | ||
} | ||
``` | ||
|
||
## Customize Application Landing Zones | ||
|
||
### Landing Zone Management Group Children | ||
|
||
An example of the format for the `landing_zone_management_group_children` map is as follows: | ||
|
||
```yaml | ||
landing_zone_management_group_children: { | ||
child1: { | ||
id: "child1", | ||
display_name: "Landing zone child one" | ||
} | ||
} | ||
``` | ||
|
||
## Custom Tagging | ||
|
||
### Tags | ||
|
||
An example of the format for the `tags` map is as follows: | ||
|
||
```yaml | ||
tags: { | ||
Environment: "Production", | ||
ServiceName: "SLZ" | ||
} | ||
``` | ||
|
||
## Network Connectivity | ||
|
||
### ExpressRoute Gateway Config | ||
|
||
An example of the format for the `express_route_gateway_config` map is as follows: | ||
|
||
```yaml | ||
express_route_gateway_config: { | ||
name: "express_route", | ||
gatewayType: "ExpressRoute", | ||
sku: "ErGw1AZ", | ||
vpnType: "RouteBased", | ||
vpnGatewayGeneration: null, | ||
enableBgp: false, | ||
activeActive: false, | ||
enableBgpRouteTranslationForNat: false, | ||
enableDnsForwarding: false, | ||
asn: 65515, | ||
bgpPeeringAddress: "", | ||
peerWeight: 5 | ||
} | ||
``` | ||
|
||
### VPN Gateway Config | ||
|
||
An example of the format for the `vpn_gateway_config` map is as follows: | ||
|
||
```yaml | ||
vpn_gateway_config: { | ||
name: "vpn_gateway", | ||
gatewayType: "Vpn", | ||
sku: "VpnGw1", | ||
vpnType: "RouteBased", | ||
vpnGatewayGeneration: "Generation1", | ||
enableBgp: false, | ||
activeActive: false, | ||
enableBgpRouteTranslationForNat: false, | ||
enableDnsForwarding: false, | ||
bgpPeeringAddress: "", | ||
asn: 65515, | ||
peerWeight: 5, | ||
vpnClientConfiguration: { | ||
vpnAddressSpace: ["10.2.0.0/24"] | ||
} | ||
} | ||
``` | ||
|
||
## Known Issues | ||
|
||
The following are known issues with the Public Preview release for the SLZ. | ||
|
||
### Multiple Resources Destroyed and Recreated During Second Execution | ||
|
||
Occasionally, terraform will attempt to recreate many resources under a subscription despite no resource configurations being changed. A temporary work around can be done by updating `locals.tf` with the following: | ||
|
||
```terraform | ||
locals { | ||
subscription_id_management = "management_subscription_id" | ||
subscription_id_connectivity = "connectivity_subscription_id" | ||
subscription_id_identity = "identity_subscription_id" | ||
} | ||
``` | ||
|
||
### Multiple Inputs for Location | ||
|
||
The inputs for `bootstrap_location` and `starter_locations` and `default_location` must be identical. In a future release, we will have defaults and overrides for these values. | ||
|
||
### Terraform Plan or Apply Fails After Updating tfvars | ||
|
||
Any updates should be made to the `inputs.yaml` file and the tfvars will be updated upon executing the `Deploy-Accelerator` PowerShell command. | ||
|
||
### Invalid Hub Network Address Prefix or Subnet Address Prefix | ||
|
||
There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply. | ||
|
||
### Unable to Build Authorizer for Resource Manager API | ||
|
||
It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist. | ||
|
||
### Unable to Update Address Prefixes | ||
|
||
Updating the address prefix on either the hub network or subnets is not supported at this time. | ||
|
||
### Unable to Change Top Level or Sub Level Management Group Names | ||
|
||
Modifying the Top Level or Sub Level Management Group name is not supported at this time. | ||
|
||
### Tags are Not Applied to All Resources | ||
|
||
Certain resources are not receiving the default tags. This will be addressed in a future release. | ||
|
||
### Default Compliance Score is not 100% | ||
|
||
Certain resources will show as being out of compliance by default. This will be addressed in a future release. |
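Review bot: the "Multiple Resources Destroyed and Recreated During Second Execution" workaround (the `locals.tf` snippet under Known Issues) is underspecified: it does not say whether `"management_subscription_id"`, `"connectivity_subscription_id"` and `"identity_subscription_id"` are placeholders to be replaced with the real subscription GUIDs, which module inputs those locals override, or why Terraform wants to recreate the resources in the first place, so a reader cannot judge whether the workaround is safe or merely hides a drift problem that would tear down hub networking or management resources on the next apply. State the root cause and the exact substitution, and tell the reader to inspect the plan for replace/destroy actions before applying. Smaller points in the same file: the Usage section tells readers to review the `microsoft_cloud_for_sovereignty` starter module, but the module in this PR lives under `templates/microsoft_cloud_for_industry/sovereign_landing_zone`; the resource IDs in the `customer_policy_sets` and `policy_exemptions` examples mix `Microsoft.management`, `microsoft.management` and `microsoft.Authorization`, and should use the canonical `Microsoft.Management` and `Microsoft.Authorization` casing so the examples do not invite case-only diffs against IDs returned by the API; the exemption example's `description: "test"` is a poor model for a control that switches off `AllowedLocations` enforcement at management-group scope and should show a real justification; "DDOS protection plan" should read "DDoS"; "It is Sovereign Landing Zone implementation" is missing an article; "`bootstrap_location` and `starter_locations` and `default_location`" should be a comma-separated list; and the "Invalid Hub Network Address Prefix or Subnet Address Prefix" known issue could be caught at plan time with variable `validation` blocks or resource `precondition`s rather than being discovered during apply.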
templates/microsoft_cloud_for_industry/sovereign_landing_zone/data.tf (6 changes: 6 additions & 0 deletions)
@@ -0,0 +1,6 @@ | ||
# This allows us to get the tenant id | ||
data "azurerm_client_config" "current" {} | ||
|
||
data "azuread_domains" "default" { | ||
only_initial = true | ||
} |
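Review bot: the comment on the first line only explains `azurerm_client_config`; `data "azuread_domains" "default"` with `only_initial = true` has no comment saying what the tenant's initial domain is used for, and unlike the client config it is a directory (Entra ID) read rather than an ARM read, so the identity running plan may need a Graph permission that the README in this PR does not list. Add a comment naming the consumer of the initial domain and document the required permission, or drop the lookup if nothing in this change reads it.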