-
I had somewhat the same issues. I fixed it by flipping the customer tenant ID with your own tenant ID; here is a template of the global-settings.jsonc:

```jsonc
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
  "pacOwnerId": "00000000-0000-0000-0000-000000000001",
  "pacEnvironments": [
    {
      "pacSelector": "Lighthousecustomer1",
      "cloud": "AzureCloud",
      "tenantId": "< Guid of your own tenant >",
      "managingTenant": {
        "managingTenantId": "< Guid of the tenant of your customer >",
        "managingTenantRootScope": [
          "/subscriptions/< Sub ID of the customer >"
        ]
      },
      "defaultContext": "< Sub ID of the customer >",
      "deploymentRootScope": "/subscriptions/< Sub ID of the customer >",
      "desiredState": {
        "strategy": "ownedOnly",
        "keepDfcSecurityAssignments": true,
        "doNotDisableDeprecatedPolicies": false
      },
      "skipResourceValidationForExemptions": false,
      "managedIdentityLocation": "westeurope"
    },
    {
      "pacSelector": "Lighthousecustomer2",
      "cloud": "AzureCloud",
      "tenantId": "< Guid of your own tenant >",
      "managingTenant": {
        "managingTenantId": "< Guid of the tenant of your customer >",
        "managingTenantRootScope": [
          "/subscriptions/< Sub ID of the customer >"
        ]
      },
      "defaultContext": "< Sub ID of the customer >",
      "deploymentRootScope": "/subscriptions/< Sub ID of the customer >",
      "desiredState": {
        "strategy": "ownedOnly",
        "keepDfcSecurityAssignments": true,
        "doNotDisableDeprecatedPolicies": false
      },
      "skipResourceValidationForExemptions": false,
      "managedIdentityLocation": "westeurope"
    }
  ]
}
```
-
Hello All,
I'm struggling to understand how deployment to Azure Lighthouse delegated subscriptions can be done. I've used the code from the example and adjusted it to my environment:

```jsonc
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
  "pacOwnerId": "06c75b24-7ae6-4b95-a644-4b6c7ebb7968",
  "pacEnvironments": [
    {
      "pacSelector": "DEMO-TENANT",
      "cloud": "AzureCloud",
      "tenantId": "customer tenant ID",
      "managingTenant": {
        "managingTenantId": "my tenant ID",
        "managingTenantRootScope": [
          "/subscriptions/I put customer delegated subscription id that require additional role assignment"
        ]
      },
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/intermediate MG group",
      "desiredState": {
        "strategy": "full",
        "keepDfcSecurityAssignments": false,
        "doNotDisableDeprecatedPolicies": false
      },
      "managedIdentityLocation": "swedencentral"
    }
  ]
}
```
For authentication, I used a service principal with the Contributor role assignment on the delegated Azure subscriptions. That service principal belongs to my tenant (the managing tenant). Since Azure Lighthouse doesn't support management groups, my only option is to scope the deployment at the subscription level. So the question is, what should the policy assignment JSON look like? The documentation doesn't provide this information (or at least I have not seen it).
What I'd like to achieve is the following:
Is this a supported scenario? If yes, can anyone post an example of global-settings.jsonc and a policy assignment file? It would be great to understand whether EPAC covers this use case and, if yes, how the configuration should look.
Many thanks.
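A configuration check for the two global-settings.jsonc files in this thread, added here as an example; it is not code from the discussion or from the EPAC project, and it is written in Python rather than EPAC's PowerShell so it runs without the Az modules. It strips JSONC comments and then flags the things that went wrong above: a missing `$schema` key, a `pacSelector` used twice, `tenantId` and `managingTenantId` pointing at the same tenant, and a `deploymentRootScope` or `managingTenantRootScope` that is a management group rather than a delegated subscription (Lighthouse delegation is subscription-level, as the question notes). It also calls out `"strategy": "full"` in a customer environment, since that strategy removes assignments the repo does not define. The key names follow the EPAC global-settings schema referenced on the page; the GUIDs, selectors and scopes in the embedded sample are constructed, not real.

```python
import json
import re

GUID = re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")
SUBSCRIPTION_SCOPE = re.compile(rf"^/subscriptions/{GUID.pattern}$")

# Constructed sample, all GUIDs and scopes made up: env 1 is well-formed, env 2 trips every check.
SAMPLE_GLOBAL_SETTINGS = r'''{
  // .jsonc allows comments; the "//" inside the URL string below must survive stripping
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
  "pacOwnerId": "11111111-1111-1111-1111-111111111111",
  "pacEnvironments": [
    {
      "pacSelector": "Lighthousecustomer1",
      "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "managingTenant": {
        "managingTenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
        "managingTenantRootScope": ["/subscriptions/cccccccc-cccc-cccc-cccc-cccccccccccc"]
      },
      "deploymentRootScope": "/subscriptions/cccccccc-cccc-cccc-cccc-cccccccccccc",
      "desiredState": { "strategy": "ownedOnly", "keepDfcSecurityAssignments": true },
      "managedIdentityLocation": "westeurope"
    },
    /* duplicate selector, same tenant on both sides, management-group scope, strategy full */
    {
      "pacSelector": "Lighthousecustomer1",
      "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "managingTenant": {
        "managingTenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "managingTenantRootScope": ["/subscriptions/dddddddd-dddd-dddd-dddd-dddddddddddd"]
      },
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/intermediate-mg",
      "desiredState": { "strategy": "full" }
    }
  ]
}'''


def strip_jsonc_comments(text: str) -> str:
    """Drop // and /* */ comments while leaving string contents (e.g. URLs) intact."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:  # copy the escaped char so \" does not close the string
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):  # line comment: skip to (but keep) the newline
            end = text.find("\n", i)
            i = (n if end == -1 else end) - 1
        elif text.startswith("/*", i):  # block comment: skip past the closing */
            end = text.find("*/", i + 2)
            i = (n if end == -1 else end + 2) - 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def lint_global_settings(jsonc_text: str) -> list:
    """Return findings for the Lighthouse (managingTenant) environments of a global-settings.jsonc."""
    settings = json.loads(strip_jsonc_comments(jsonc_text))
    findings, seen = [], set()
    if "$schema" not in settings:
        findings.append("top level: '$schema' missing, so editors cannot validate the file")
    for env in settings.get("pacEnvironments", []):
        sel = env.get("pacSelector", "<unnamed>")
        if sel in seen:
            findings.append(f"{sel}: duplicate pacSelector")
        seen.add(sel)
        mt = env.get("managingTenant")
        if not isinstance(mt, dict):
            if mt is not None:
                findings.append(f"{sel}: managingTenant must be one object holding managingTenantId and managingTenantRootScope")
            continue  # no managingTenant: not a Lighthouse environment
        tenant, mt_id = str(env.get("tenantId")), str(mt.get("managingTenantId"))
        if not (GUID.fullmatch(tenant) and GUID.fullmatch(mt_id)):
            findings.append(f"{sel}: tenantId and managingTenantId must both be GUIDs (placeholder left in?)")
        elif tenant.lower() == mt_id.lower():
            findings.append(f"{sel}: tenantId and managingTenantId are the same tenant; Lighthouse needs a customer and a managing tenant")
        roots = mt.get("managingTenantRootScope") or []
        for scope in roots:
            if not SUBSCRIPTION_SCOPE.match(scope):
                findings.append(f"{sel}: managingTenantRootScope {scope!r} is not a subscription; Lighthouse does not delegate management groups")
        drs = env.get("deploymentRootScope", "")
        if not SUBSCRIPTION_SCOPE.match(drs):
            findings.append(f"{sel}: deploymentRootScope {drs!r} must be a delegated subscription, not a management group")
        elif drs not in roots:
            findings.append(f"{sel}: deploymentRootScope {drs!r} is not listed in managingTenantRootScope")
        if (env.get("desiredState") or {}).get("strategy") == "full":
            findings.append(f"{sel}: strategy 'full' removes assignments not in this repo from the customer subscription; 'ownedOnly' touches only EPAC's own")
    return findings
```

Calling `lint_global_settings(SAMPLE_GLOBAL_SETTINGS)` returns four findings, all for the second environment; the first environment, which mirrors the template in the reply above, passes clean. Point it at a real file with `lint_global_settings(open("Definitions/global-settings.jsonc").read())` before running the EPAC deployment scripts.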