Azure
/
Enterprise-Scale
зеркало из https://github.com/Azure/Enterprise-Scale.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

PR for GH1319 (#1322)

This commit is contained in:
Panagiotis Korologos 2023-05-16 14:11:54 +03:00 коммит произвёл GitHub
Родитель 58b0be52c7
Коммит 6295867b68
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
11 изменённых файлов: 31 добавлений и 541 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
README.md
Просмотреть файл

@ -35,7 +35,7 @@ The Enterprise-Scale reference implementations in this repository are intended t
| Be aligned with cloud providers platform roadmap | Yes |
| UI Experience and simplified setup | Yes, Azure portal |
| All critical services are present and properly configured according to recommend best practices for identity & access management, governance, security, network and logging | Yes, using a multi-subscription design, aligned with Azure platform roadmap |
| Automation capabilities (IaC/DevOps) | Yes: ARM, Policy, GitHub/Azure DevOps CI/CD pipeline option included |
| Automation capabilities (IaC/DevOps) | Yes: ARM, Policy, Bicep and Terraform Modules |
| Provides long-term self-sufficiency | Yes, enterprise-scale architecture -> 1:N landing zones. Approach & architecture prepare the customer for long-term self-sufficiency, the RIs are there to get you started |
| Enables migration velocity across the organization | Yes, enterprise-scale architecture -> 1:N landing zones, Architecture includes designs for segmentation and separation of duty to empower teams to act within appropriate landing zones |
| Achieves operational excellence | Yes. Enables autonomy for platform and application teams with a policy driven governance and management |

1
docs/reference/adventureworks/README.md
Просмотреть файл

@ -59,7 +59,6 @@ By default, all recommendations are enabled and you must explicitly disable them
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
- Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git.
- An Azure subscription dedicated for **connectivity**, which deploys core Azure networking resources such as:
- A hub virtual network
- Azure Firewall (optional - deployment across Availability Zones)

1
docs/reference/contoso/Readme.md
Просмотреть файл

@ -54,7 +54,6 @@ The rest of the options across the different blades will depend on your environm
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
- Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git.
- An Azure Subscription dedicated for **connectivity**, which deploys core Azure networking resources such as:
- Azure VWAN
- VWAN Hub

1
docs/reference/wingtip/README.md
Просмотреть файл

@ -63,7 +63,6 @@ By default, all recommendations are enabled, and you must explicitly disable the
- Azure Sentinel
- Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
- (Optionally) An Azure subscription dedicated for Identity in case your organization requires to have Active Directory Domain Controllers in a dedicated subscription.
- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git.
- Landing Zone Management Group for Online applications that will be internet-facing, where a virtual network is optional and hybrid connectivity is not required.
- This is where you will create your Subscriptions that will host your online workloads.
- Landing zone subscriptions for Azure native, internet-facing Online applications and resources.

232
docs/wiki/Create-Landingzones.md
Просмотреть файл

@ -1,230 +1,18 @@
## In this Section
## Create landing zones (subscriptions) via Subscription Vending
- [In this Section](#in-this-section)
- [Create landing zones (subscription) using AzOps](#create-landing-zones-subscription-using-azops)
- [Pre-requisites](#pre-requisites)
- [Enable Service Principal to create landing zones](#enable-service-principal-to-create-landing-zones)
- [ARM template repository](#arm-template-repository)
- [Create a new landing zone (subscriptions)](#create-a-new-landing-zone-subscriptions)
The approach of "Subscription Vending", materializes and standardizes the ALZ "Subscription Democratization" Design Principle, by formulating a process for requesting, deploying and governing Azure Subscriptions, and by doing so enabling the Applications Teams to onboard their workloads in a fast, yet deterministic way.
---
For further details, one can look into the following articles:
- [Deploy Azure landing zones (Subscription Vending)](https://learn.microsoft.com/azure/architecture/landing-zones/landing-zone-deploy#subscription-vending)
- [Subscription vending implementation guidance](https://learn.microsoft.com/azure/architecture/landing-zones/subscription-vending)
## Create landing zones (subscription) using AzOps
The respective Bicep and Terraform automation / IaC Modules for Subscription Vending, can be found in:
Managing all the platform resources in a a single repository is one of the guiding principle for PlatformOps to manage the platform. Subscriptions representing landing zones are resource types manage by the PlatformOps team. As every other platform resource type subscriptions are created using the ARM API. For Subscriptions the API and versions vary and depend on the commercial contract.
- [Bicep Subscription Vending](https://github.com/Azure/bicep-lz-vending)
- [Terraform Subscription Vending](https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest)
More broader information on programmatical creation of Azure Subscriptions (EA/MCA/MPA) via the latest APIs, can be found on the following articles:
- [Enterprise Enrollment (EA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement)
- [Microsoft Customer Agreement (MCA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement)
- [Microsoft Partner Agreement (MPA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-partner-agreement)
This article describes the flow to create subscriptions/landing zones in an Enterprise Enrollment (EA). Natively in Azure, *enrollment owner* have the permission to create and own subscriptions. *Enrollment owners* are user identities in Azure AD and in order to create subscriptions in an fully automated process the permission to create subscription need to be delegate to a Service Principal (SPN) or Managed Service Identity (MSI).
One of the benefits using this approach is the management of platform security and governance in a single place and built into the platform repository and pipeline(s).
## Pre-requisites
Before getting started with this first steps ensure that AzOps has been [setup and configured for the target environment](./Deploying-Enterprise-Scale#validation-post-deployment-github). In this documentation the same Service Principal will be used to to assign the permission to create landing zones (subscription).
For the Service Principal permissions to create subscriptions, access to an *enrollment account* that has a billing id associated is required.
>Note: When using this Service Principal the subscription will be created under specified billing scope of *enrollment account*. Multiple enrollment account permissions can be granted to a Service Principal. The billing scope will be specified in the ARM template during the subscription creation process.
Creating Azure subscriptions programmatically is allowed on specific types of Azure agreement types (EA, MCA, MPA). Refer to guidance on [Creating Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription) to know supported agreement types.
## Enable Service Principal to create landing zones
This section describes how AzOps is used to create subscriptions (landing zones) under management groups using ARM templates. In the following steps the *Enrollment account subscription creator* role will be assigned to a SPN as illustrated in the following article:
![EA account / Service Principal](./media/ea-account-spn.png)
**Login and fetch access token**
Login with the *enrollment account* (e.g. with `Login-AzAccount`) and execute the following commands to fetch a valid access token for the account:
```powershell
# Provide the objectId of the AzOps service principal to grant access to enrolment account.
$spnObjectId = (Get-AzADServicePrincipal -DisplayName "MyAzOpsSPN").Id
# Fetching new token
$token = Get-AzAccessToken
```
**List all the billing accounts and enrollment accounts**
As a next step, list and identify the "billing account" and *enrollment account* the user has access to. These two information are required to request the roles available and to assign the permissions to the Service Principal.
The following scripts lists the *billing account* and "enrollment account" and assigns it to a variables which will be used later in this guide.
```powershell
# Request billing accounts that the identity has access to
$listOperations = @{
Uri = "https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01"
Headers = @{
Authorization = "Bearer $($token.Token)"
'Content-Type' = 'application/json'
}
Method = 'GET'
}
$listBillingAccount = Invoke-RestMethod @listOperations
# List billing accounts
$listBillingAccount | ConvertTo-Json -Depth 100
# Select first billing account and the corresponding enrollment account
$billingAccount = $listBillingAccount.value[0].id
$enrollmentAccountId = $listBillingAccount.value[0].properties.enrollmentAccounts[0].id
```
**Read existing role definitions for the enrolment account**
Multiple role definitions exists on an *enrollment account*. When this article was written the following role definitions exist:
| Role name | ID |
| :-------------------------------------- | :----------------------------------- |
| Enrollment account owner | c15c22c0-9faf-424c-9b7e-bd91c06a240b |
| Enrollment account subscription creator | a0bcee42-bf30-4d1b-926a-48d21664ef71 |
Both role definitions have the `Microsoft.Subscription/subscriptions/write` permission required to create subscriptions. *Enrollment account subscription creator* can be assigned to a Service Principal.
```powershell
# Get billing roleDefinitions available at scope
$listRbacObj = @{
Uri = "https://management.azure.com/$($enrollmentAccountId)/billingRoleDefinitions?api-version=2019-10-01-preview"
Headers = @{
Authorization = "Bearer $($token.Token)"
'Content-Type' = 'application/json'
}
Method = "GET"
}
$listRbac = Invoke-WebRequest @listRbacObj
$listRbac.Content | ConvertFrom-Json | ConvertTo-Json -Depth 100
```
**Assign permission (role assignment)**
As a last step the Service Principal will be granted access to the *enrolment account* by assigning a role with the `Microsoft.Subscription/subscriptions/write` permission. Built-in role *Enrollment account subscription creator (GUID: a0bcee42-bf30-4d1b-926a-48d21664ef71)* is required.
```powershell
# roledefinitonId (billingRoleDefinitions) has be equal to the role id of the "enrollment account subscription creator" role listed in the rbacContent object
$roleAssignmentBody = @"
{
"properties": {
"principalId": "$($spnObjectId)",
"roleDefinitionId": "$($enrollmentAccountId)/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
}
}
"@
# Generate new GUID for the role assignment
$rbacGuid = New-Guid
# Assign 'Enrollment account subscription creator' role to the SPN
$assignRbac = @{
Uri = "https://management.azure.com/$($enrollmentAccountId)/billingRoleAssignments/$($rbacGuid)?api-version=2019-10-01-preview"
Headers = @{
Authorization = "Bearer $($token.Token)"
'Content-Type' = 'application/json'
}
Method = "PUT"
Body = $roleAssignmentBody
UseBasicParsing = $true
}
$assignedRbac = Invoke-RestMethod @assignRbac
```
After the role is successfully assigned Service Principal can be used to create subscriptions (landing zones).
>Note: The Service Principal can be granted access to multiple *enrolment accounts*. To enable this, execute this sequence multiple times (once per *enrollment account*).
## ARM template repository
PlatformOps will use AzOps CI/CD pipelines to create subscriptions (landing zones) before handing it out to application teams. [Steps below](#create-a-subscription-landing-zone-using-azops) will use this approach to create a subscription.
>Hint: Different examples are published in the Enterprise-Scale repository to automate landing zone creation [here](https://github.com/Azure/Enterprise-Scale/tree/main/examples/landing-zones).
## Create a new landing zone (subscriptions)
Creating a landing zone (subscription) is as simple as creating any other resource in Azure. The same sequence of steps will be needed as used for other platform resource deployments (e.g. [deploy a policyAssignments](./Deploying-Enterprise-Scale#create-new-policy-assignment-for-validation)).
To successfully deploy a subscription using AzOps the following steps will be required:
- 'Connect' AzOps to the Azure Environment, ensure that ['Pull' workflow runs successfully](./Deploying-Enterprise-Scale#validation-post-deployment-github)
- Enable the AzOps SPN for subscription creation as documented [here](#enable-service-principal-to-create-landing-zones)
- Ensure that SPN has Owner permissions at the target management group the subscription will be deployed under
The following steps will deploy an empty subscription under the '*company-prefix*-online' management group
1. Create a new branch 'new-landing-zone' in your AzOps Git repository and make it current
> Git command: `git checkout -b new-landing-zone`)
2. Copy the file [emptySubscription.json](https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/examples/landing-zones/empty-subscription/emptySubscription.json) or the example below and save it to the '*company-prefix*-online' folder in the folder structure.
ARM template to create an empty subscription:
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"subscriptionAliasName": {
"type": "string",
"metadata": {
"description": "Provide a name for the alias. This name will also be the display name of the subscription."
}
},
"billingAccountId": {
"type": "string",
"metadata": {
"description": "Provide the full resourceId of the MCA or the enrollment account id used for subscription creation."
}
},
"targetManagementGroup": {
"type": "string",
"metadata": {
"description": "Provide the resourceId of the target management group to place the subscription."
}
}
},
"resources": [
{
"scope": "/", // routing the request to tenant root
"name": "[parameters('subscriptionAliasName')]",
"type": "Microsoft.Subscription/aliases",
"apiVersion": "2020-09-01",
"properties": {
"workLoad": "Production",
"displayName": "[parameters('subscriptionAliasName')]",
"billingScope": "[parameters('billingAccountId')]",
"managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroup'))]"
}
}
],
"outputs": {}
}
```
3. Create a `emptySubscription.parameters.json` file in the same folder with the parameters below and update the values appropriate.
- `subscriptionAliasName` - Tenant wide unique alias for the subscription. Will also become the display name for the subscription.
- `billingAccountId` - Provide the full resourceId of the MCA or the enrollment account id used for subscription creation (e.g. `/providers/Microsoft.Billing/billingAccounts/<billingAccountId>/enrollmentAccounts/<enrollmentAccountId`)
- `targetManagementGroup` - Provide the resourceId of the target management group to place the subscription.
``` json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"subscriptionAliasName": {
"value": ""
},
"billingAccountId": {
"value": ""
},
"targetManagementGroup": {
"value": ""
}
}
}
```
4. Commit the new content to the branch and create a PR (`new-landing-zone` branch -> `main`)
> Hint: As part of the PR validation AzOps deploys the new subscriptions and merges the changes to the `main` branch.
5. Validate in subscription creation was successful using the Azure Portal

16
docs/wiki/Deploying-ALZ-Foundation.md
Просмотреть файл

@ -44,11 +44,7 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
## 6. Platform DevOps and Automation
Azure landing zone portal accelerator provides an integrated CI/CD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
## 7. Network topology and connectivity
## 6. Network topology and connectivity
On the *Network topology and connectivity* blade, you can configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology.
@ -56,7 +52,7 @@ On the *Network topology and connectivity* blade, you can configure the core net
![Network](https://user-images.githubusercontent.com/79409563/137819649-d1bb97eb-fda7-446a-b9cd-9f447306d3f6.jpg)
## 8. Identity
## 7. Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned.
@ -64,24 +60,24 @@ On the *Identity* blade you can specify if you want to assign recommended polici
![Identity](https://user-images.githubusercontent.com/79409563/137819658-2efaed58-14f0-46f6-81f5-ff1e6859e9d3.jpg)
## 9. Landing zone configuration
## 8. Landing zone configuration
In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit. In the bottom two sections you can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You can indicate which subscriptions you would like to be bootstrapped as landing zones for corp connectivity and which ones for online connectivity only. Please note that for this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) we only require *online* landing zones.
![Landingzone](./media/alz-portal-landingzones.jpg)
## 10. Decommissioned/Sandbox
## 9. Decommissioned/Sandbox
You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled.
![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg)
## 11. Review + create
## 10. Review + create
*Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create*
![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
## 12. Post deployment activities
## 11. Post deployment activities
Once Azure landing zone portal accelerator has been deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there is a need for a new landing zone, you can place them into the Online management group.

17
docs/wiki/Deploying-ALZ-HubAndSpoke.md
Просмотреть файл

@ -44,12 +44,7 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
## 6. Platform DevOps and Automation
Azure landing zone portal accelerator provides an integrated CICD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
## 7. Network topology and connectivity
## 6. Network topology and connectivity
On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must:
* In the Deploy network topology option, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA". For this example, we will select the "Hub and spoke with Azure Firewall".
@ -74,12 +69,12 @@ Depending on your requirements, you may choose to deploy additional network infr
![img](./media/clip_image036b.png)
## 8. Identity
## 7. Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
![img](./media/clip_image036c.png)
## 9. Landing zone configuration
## 8. Landing zone configuration
In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
@ -91,18 +86,18 @@ As part of the policies that you can assign to your landing zones, the Azure lan
![Landing zone configuration](./media/clip_image037.jpg)
## 10. Decommissioned/Sandbox
## 9. Decommissioned/Sandbox
You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled.
![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg)
## 11. Review + create
## 10. Review + create
*Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create*
![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
## 12. Post deployment activities
## 11. Post deployment activities
Once Azure landing zone portal accelerator has deployed, you can grant your application teams/business units access to their respective landing zones. Whenever theres a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements.

2
docs/wiki/Deploying-ALZ-Platform-DevOps.md
Просмотреть файл

@ -4,7 +4,7 @@
As of May 2023, the Azure Portal experience (accelerator) of the ALZ Reference Implementation (RI), will not include the "Platform DevOps and automation" section anymore.
Consequently, users interested in Platform DevOps and Automation, are encouraged to use either the respective ALZ Bicep Modules (https://github.com/Azure/ALZ-Bicep), or the ALZ Terraform Module (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale).
Consequently, users interested in Platform DevOps and Automation, are encouraged to use either the respective [ALZ Bicep Modules](https://github.com/Azure/ALZ-Bicep), or the [ALZ Terraform Module](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale).
> [AzOps](https://github.com/Azure/AzOps) can still be used, if desired, but please see the [AzOps](https://github.com/Azure/AzOps) repo for setup and configuration instructions as well as any support requirements via the repos issues.

16
docs/wiki/Deploying-ALZ-VWAN.md
Просмотреть файл

@ -44,11 +44,7 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
## 6. Platform DevOps and Automation
Azure landing zone portal accelerator provides an integrated CI/CD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
## 7. Network topology and connectivity
## 6. Network topology and connectivity
On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. For this scenario:
@ -67,13 +63,13 @@ Depending on your requirements, you may choose to deploy additional network infr
![vwan](./media/clip_image078.jpg)
## 8. Identity
## 7. Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
![img](./media/clip_image036c.png)
## 9. Landing zone configuration
## 8. Landing zone configuration
In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
@ -85,18 +81,18 @@ As part of the policies that you can assign to your landing zones, the Azure lan
![Graphical user interface, application Description automatically generated](./media/clip_image037.jpg)
## 10. Decommissioned/Sandbox
## 9. Decommissioned/Sandbox
You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled.
![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg)
## 11. Review + create
## 10. Review + create
*Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create*
![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
## 12. Post deployment activities
## 11. Post deployment activities
Once Azure landing zone portal accelerator is deployed, you can grant your application teams/business units access to their respective landing zones. Whenever theres a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements.

283
docs/wiki/Deploying-ALZ.md
Просмотреть файл

@ -2,9 +2,7 @@
- [Pre-requisites](#pre-requisites)
- [Reference implementation deployment](#reference-implementation-deployment)
- [Validation post deployment (GitHub)](#validation-post-deployment-github)
- [Post deployment activities](#post-deployment-activities)
- [Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)](#operating-the-azure-platform-using-azops-infrastructure-as-code-with-github-actions)
---
Azure landing zone portal accelerator can be deployed both from the Azure portal directly, or from [GitHub](https://github.com/Azure/Enterprise-Scale#deploying-enterprise-scale-architecture-in-your-own-environment)
@ -96,58 +94,6 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
### Platform DevOps and Automation
You can choose to bootstrap your CI/CD pipeline (GitHub with GitHub actions). Provide your GitHub user/org name, the preferred name of the GitHub repository that is to be created, as well as the PA token that the deployment will use to create a new repository and discover the Azure landing zone deployment ARM templates and merge them into your main branch.
![Graphical user interface, text, application Description automatically generated](./media/clip_image015.png)
1.1.1 To create a PA token, follow the instructions here: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
1.1.2 Ensure the PA token has the following permissions:
![Graphical user interface, text, application Description automatically generated](./media/github_developer_createPAT.png)
> For Microsoft employees who are enrolled into the Azure GitHub organization, you must also authorize the PA token to this Org!
![Graphical user interface, text, application, email Description automatically generated](./media/github_developer_enablesso.png)
![Graphical user interface, text, application, email Description automatically generated](./media/github_developer_disablesso.png)
1.2 Lastly, a Service Principal is required for Git to authenticate to – and be authorized to your Azure tenant. You can either use an existing Service Principal or create a new one. The Service Principal will be granted *Owner* permission on the top level Management Group that gets created.
1.2.1 If using an existing Service Principal, ensure you have the *client secret* as this must be provided as the *Password* for the service principal and confirm it has the right level of permission.
![Graphical user interface, text, application Description automatically generated](./media/clip_image020.jpg)
1.2.2 If creating a new Service Principal, select "Create New" and click on Make selection” and the portal will open a new blade for app registration
![img](./media/clip_image022.png)
![img](./media/clip_image024.png)
Once the App has been registered, you must explicitly create a new secret.
![img](./media/clip_image026.png)
![img](./media/clip_image028.jpg)
Make sure to note down the “Value” of the new client secret.
![img](./media/clip_image030.jpg)
The default API Permissions for this App are “User.Read”, as depicted below:
![img](./media/clip_image032.jpg)
After copying the secret, go to “Azure landing zone accelerator” (in the upper left) to return to the deployment.
![img](./media/clip_image034.png)
At this point, paste the client secret value of the newly created client secret from a few step above into the Password field.
![Graphical user interface, application Description automatically generated](./media/clip_image035.png)
### Network topology and connectivity
On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology (for this scenario, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA"), provide the address space to be assigned to the hub virtual network, select an Azure region where the hub virtual network will be created and provide a dedicated (empty) subscription that will be used to host the requisite infrastructure. For this example, we will select the "Hub and spoke with Azure Firewall" network topology.
@ -164,7 +110,6 @@ Depending on your requirements, you may choose to deploy additional network infr
![img](./media/clip_image036b.png)
### Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
@ -186,234 +131,6 @@ As part of the policies that you can assign to your landing zones, the Azure lan
![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
### Validation post deployment (GitHub)
Once Azure landing zone has deployed and you enabled the CI/CD bootstrap, you should validate in your GitHub account that:
* A new repository has been created, with the name provided during setup.
![Graphical user interface, text, application Description automatically generated](./media/clip_image040.png)
* 4 Secrets are created into this GitHub repository.
- ARM_CLIENT_ID = Service Principal
- ARM_CLIENT_SECRET = Service Principal Client Secret created in the Tenant
- ARM_SUBSCRIPTION_ID = The management subscription ID created in the Tenant
- ARM_TENANT_ID = Tenant ID of the Azure Tenant that was used to create ESLZ
![img](./media/clip_image042.jpg)
* A Pull Request is either in progress or has completed and automatically merged into the main branch. Using the "AzOps - Pull" workflow.
![img](./media/clip_image044.png)
* The Azure hierarchy that is created using ARM templates as part of the Azure landing zone setup, such as management groups, subscription organization as well as policy definitions, policy assignments and role assignments are pulled and organized into the GitHub repository:
![AzOps Initial Pull Commit](./media/azops-initial-commit.png)
* In each folder, you will find the ARM templates that were deployed at the scopes during the Azure landing zone accelerator setup. E.g., on the intermediate root group, you will find all policy definitions, and depending on the selection you made during the deployment, you will find resource templates in the platform subscriptions. Users can – whenever they are ready, start using these templates and bring their own templates to manage the platform using ARM templates and infrastructure as code.
![AzOps - Inside root folder](./media/azops-inside-root-dir.png)
## Post deployment activities
Once Azure landing zones has deployed, you can grant your application teams/business units access to their respective landing zones. Whenever theres a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements.
## Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)
When you have deployed Azure landing zone accelerator with GitHub integration, you will have a ready-to-go repository with integrated GitHub Actions containing all the ARM templates that were used during deployment, organized in the following way:
* Management group tree structure represented as folders in Git
* Subscriptions represented as folders in their respective management group folder in Git
* Resource Groups represented as folders in their respective subscription folder in Git
* Policy Definitions, Policy Set Definitions, Role Definitions, and Role Assignments as composite ARM resource templates partitioned at the folder representing the respective scope in Azure (management group, subscription)
* Resources (e.g., virtual networks, Log Analytics workspace, Automation account etc.) represented as composite ARM resource templates into their respective resource group (folder)
You can edit/update the existing ARM templates in your repository and GitHub actions will push (deploy) to the respective Azure scope. You can also author and bring your own ARM templates and deploy them to the respective Azure scope.
The following section will demonstrate how one can operationalize Azure landing zones accelerator using ARM templates, via the GitHub repository that got created using AzOps (GitHub Actions).
### What is AzOps?
AzOps is an opinionated CI/CD pipeline to operationalize the Azure *platform* and *landing zones* that enables organizations to focus on the ARM template development, and not having to deal with multiple deployment scripts targeting different Azure scopes. The organization and folder structure in Git is dynamically representing the Azure graph (management groups (parent, child relationships), and subscription organization), so the platform operators can easily determine at which *scope* they want to invoke the ARM template deployment by simply making a PR with the ARM template(s) and parameter files (optionally), and AzOps will invoke the deployment accordingly.
Also, when theres a new *scope* (management groups, subscriptions, and resource groups) being created, either explicitly via the pipeline – and also out of band (via Portal, CLI, PS etc.), AzOps will discover these and represent them correctly back into Git.
### Create new Policy Assignment for validation
Azure landing zones Policy Driven Governance principle relies on Azure Policy to determine the goal state of the overall platform. As an example, this exercise will demonstrate how a developer can make a new policy assignment at the “Online” landing zone management group scope.
1. In GitHub, navigate to your repository and click on the `root` folder. From here, navigate to your <prefix>-online folder which represents the management group for all your online landing zones.
![AzOps - path to online folder](./media/azops-online-path.png)
2. Click on Add file, and Create new file.
3. Name the file `locationAssignment.json`
4. Copy and paste the following ARM template json
``` json
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentEnforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "DoNotEnforce",
"metadata": {
"description": "Input will determine if the policyAssignment should be enforced or not."
}
},
"policyDefinitionId": {
"type": "string",
"defaultValue": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
"metadata": {
"description": "Provide the policyDefinition resourceId"
}
},
"policyAssignmentName": {
"type": "string",
"defaultValue": "AllowedLocations"
},
"policyDescription": {
"type": "string",
"defaultValue": "Policy to ringfence Azure regions."
},
"listOfAllowedLocations": {
"type": "array",
"defaultValue": [
"westeurope",
"northeurope"
]
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[parameters('policyAssignmentName')]",
"identity": {
"type": "SystemAssigned"
},
"location": "[deployment().location]",
"properties": {
"description": "[parameters('policyDescription')]",
"displayName": "[parameters('policyDescription')]",
"policyDefinitionId": "[parameters('policyDefinitionId')]",
"enforcementMode": "[parameters('policyAssignmentEnforcementMode')]",
"parameters": {
"listOfAllowedLocations": {
"value": "[parameters('listOfAllowedLocations')]"
}
}
}
}
]
}
```
5. Examine the file and note that we are using default values for the parameters. You could modify these, or you could also provide a `locationAssignment.parameters.json` file to provide the parameters.
6. On the Commit new file option, select Create a new branch for this commit and start a pull request, and give it a name.
![AzOps - Create PR from GitHub](media/azops-create-pr.png)
7. Click Propose new file' and on the next page, click 'Create Pull Request." A new Pull Request is being created which will trigger the "AzOps - Validate" workflow. Go to Actions to monitor the process.
![AzOps - Validate Workflow](media/azops-pr-validate-action.png)
8. Once completed, the pull request will show WhatIf results as a comment.
![AzOps - Validate comment in Pull Request](media/azops-pr-validate-comment.png)
9. You should review the comment and then approve the pull request by completing the pull request by clicking "Squash and merge". You can also delete the branch once the merge has completed.
10. This will then kick-off the "AzOps - Push" workflow, that can be monitored under actions.
![AzOps - Push workflow](media/azops-push-workflow.png)
11. In Azure portal, you can navigate to the <prefix>-online management group and verify that the deployment resource got created and deployed successfully. Each deployment invoked via AzOps will have an AzOps prefix.
![AzOps - ARM Deployment](media/azops-deployment.png)
12. Navigate to Policies on the <prefix>-online management group and verify that theres a new assignment called Policy to ring-fence Azure regions.
![AzOps - Policy Assigned](media/azops-policy-assigned-online.png)
13. Click on Edit assignment to verify that the Policy is not being enforced but will only scan for compliance and validate resources per the policy rule defined in the policy definition.
![AzOps - Policy Disabled](media/azops-policy-disabled.png)
Once the policy compliance scan has completed, you will get a compliance result for the policy you assigned to validate the effect is working as intended, before going to the next step to update the enforcement mode. I.e., this policy will prevent resources being created outside of the allowed locations specified.
### Update a Policy Assignment to enforce
In this exercise, we will modify the existing policy assignment to ensure the policy effect will be enforced.
1. Navigate the locationAssignment.json file you placed into the <prefix>-online folder, representing the online landing zone.
2. Click on Edit this file ![img](./media/clip_image063.png)
3. Change the parameter “policyAssignmentEnforcementMode” default value to be Default.
![Graphical user interface, text, application, email Description automatically generated](./media/clip_image065.jpg)
1. On the Commit changes dialogue box, select Create a new branch for this commit and start a pull request, and provide a branch name. Click Propose changes and create the pull request
![Graphical user interface, text, application, email Description automatically generated](./media/ESLZ-Update-location-assignment-policy.JPG)
This will now start the same process as above by validating and showing a WhatIf output as a comment on the pull request. Once reviewed, approved and merged the AzOps push workflow will trigger and deploy the template with the updated property so that the policy effect will be enforced (in this case, deny resource creation outside of the ringfenced Azure regions).
Once the job has completed, you can revisit the policy in Azure portal and see that the policy enforcement is set to Enabled.
![AzOps - Policy Assignment Mode Changed](media/azops-policy-enforcement-mode-change.png)
### Create new Role Assignment on a landing zone
To grant a user, a group, or a service principal access to a landing zone (subscription), you can use the following ARM template where you provide the principalId (object id of the user, group, or service principal) as input to the parameter, and place the template into the subscription folder into your landing zone management group(s).
Replace Provide-Principal-Id with ID of the principal.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"defaultValue": "<Provide-Principal-Id>",
"metadata": {
"description": "Provide the objectId of the principal (user, group, SPN, managed identity etc.) that will be granted RBAC at scope."
}
},
"roleDefinitionId": {
"type": "string",
"defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"metadata": {
"description": "Provide the id of the built-in roleDefinition. Default is 'Contributor'."
}
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2017-09-01",
"name": "[guid(parameters('principalId'))]",
"properties": {
"principalId": "[parameters('principalId')]",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]"
}
}
]
}
```

1
docs/wiki/Whats-new.md
Просмотреть файл

@ -67,6 +67,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- [Tech Community Blog: Azure Monitor Baseline Alerts (Preview)](https://techcommunity.microsoft.com/t5/azure-governance-and-management/azure-monitor-baseline-alerts-preview/ba-p/3810463) published
- Updated wiki documentation to so reflect the removal of the "Platform DevOps and automation" section from ALZ Portal Accelerator
- Added support for Azure Firewall Basic SKU to Hub & Spoke and Virtual WAN deployments in the ALZ Portal Accelerator
- Updated wiki documentation towards Subscription Vending approach for landing zone (subscription) creation
#### Tooling