
Sync-ALZPolicies assignment template files not aligned with caf-enterprise-scale archetypes #772

Closed
heintonny opened this issue Oct 14, 2024 · 3 comments
Labels
awaiting response question Further information is requested

Comments

@heintonny

Describe the bug
When we sync the ALZ policies, the assignment template files are the closest we get to the archetype definitions in caf-enterprise-scale. The assignment template files are not fully aligned with the archetype definitions in caf-enterprise-scale; we think they should be aligned.

Ex. The GuardRails (GR) assignment initiative is suggested to be assigned to the management group landing-zones. The archetype for es-landing-zones only suggests the GR assignment for Key Vault, not the complete GR initiative. The defaults and policies in the full GR initiative don't align well with the Online archetype located below es-landing-zones, so we think the GR initiative should only be assigned to platform and corp, not online.

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json

Screenshots
[Screenshot: from the ALZ-WorkloadGuardRails.jsonc]
[Screenshot: from the caf-enterprise-scale archetype definitions]

EPAC Version
10.6.2

@heintonny heintonny added the bug Something isn't working label Oct 14, 2024
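An added example, not code from the issue or from the EPAC project: a small Python check that flattens a simplified EPAC-style assignment tree into per-management-group assignment names and reports any assignment that the corresponding caf-enterprise-scale-style archetype does not list. The file shapes, policy names and the management-group-to-archetype mapping are constructed assumptions for the example.

```python
import json

# Constructed, simplified EPAC-style assignment tree with hypothetical names (the real
# ALZ-WorkloadGuardRails.jsonc is larger). Assumed shape: a node may carry "assignment"
# (with "name"), "definitionEntry", "scope" (per pacEnvironment) and "children"; an
# assignment name applies to every scope found at or below the node that sets it.
EPAC_ASSIGNMENTS = json.loads("""{
  "nodeName": "/Root/",
  "definitionEntry": {"policySetName": "Example-Guardrails-Initiative"},
  "assignment": {"name": "Enforce-GR-Example"},
  "children": [
    {"nodeName": "Platform/",
     "scope": {"tenant1": ["/providers/Microsoft.Management/managementGroups/platform"]}},
    {"nodeName": "LandingZones/",
     "scope": {"tenant1": ["/providers/Microsoft.Management/managementGroups/landing-zones"]}}
  ]
}""")
# Constructed archetype definitions (hypothetical names) following the shape of the
# caf-enterprise-scale archetype files: a policy_assignments list per archetype.
ARCHETYPES = {
    "es_platform": {"policy_assignments": ["Enforce-GR-Example", "Enforce-KeyVault-Example"]},
    "es_landing_zones": {"policy_assignments": ["Enforce-KeyVault-Example"]},
}
# Assumed mapping from management group id to the archetype applied to it.
MG_TO_ARCHETYPE = {"platform": "es_platform", "landing-zones": "es_landing_zones"}


def flatten_epac(node, inherited_name=None, out=None):
    """Return {mg_id: {assignment names}} by walking the tree and inheriting names."""
    out = {} if out is None else out
    name = node.get("assignment", {}).get("name", inherited_name)
    for mg_paths in node.get("scope", {}).values():
        for path in mg_paths:
            mg_id = path.rstrip("/").rsplit("/", 1)[-1]  # last path segment
            if name:
                out.setdefault(mg_id, set()).add(name)
    for child in node.get("children", []):
        flatten_epac(child, name, out)
    return out


def unaligned_assignments(epac_by_mg, archetypes, mg_to_archetype):
    """Assignments EPAC places on a management group that its archetype does not list.
    A scope with no known archetype is reported in full, since nothing vouches for it."""
    result = {}
    for mg_id, names in epac_by_mg.items():
        archetype = archetypes.get(mg_to_archetype.get(mg_id), {})
        extra = names - set(archetype.get("policy_assignments", []))
        if extra:
            result[mg_id] = extra
    return result
```

With the constructed data the check flags the guardrail assignment on landing-zones, which is the mismatch the issue describes, and reports platform as aligned.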
@anwather
Collaborator

Hi - the workload guard rails assignment file is designed to be able to deploy the workload-specific compliance guardrails for ALZ as described at https://www.azadvertizer.net/azpolicyadvertizer_all.html . They are an optional deployment, but by default, when selected and deployed by the portal experience, they target the platform and landing zones management groups.

Key vault guardrails are the exception - they are always deployed at the platform and landing zone management group as described at https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies - which is why you can see them in the terraform archetypes, and why they are included in the ALZ-Platform-Default.jsonc and ALZ-LandingZones-Default.jsonc files.

There is also a Key Vault supplementary set of policies which make up the optional workload-specific guardrails - this is included as part of the ALZ-WorkloadGuardrails.jsonc file.

@anwather anwather added question Further information is requested awaiting response and removed bug Something isn't working labels Oct 14, 2024
@heintonny
Author

Hi Anwather, thanks for the clarification. Still not sure if all the defaults fit very well into the Online archetype, but I will investigate further.

@anwather
Collaborator

I've closed this for now - feel free to reopen. I would mention that the Online archetype (for the online management group) doesn't have any policies assigned to it by default. Not sure if that is what you mean.
