custom landing zone and update on readme page

README.md

@@ -1,18 +1,18 @@
 # Azure Landing Zones for Financial Services Industry in Malaysia
 
-## Background
+# Background
 
 The purpose of the reference implementation is to guide [Bank Negara of Malaysia’s Risk Management in Technology (RMiT) Regulatory Compliance](https://www.bnm.gov.my/documents/20124/963937/Risk+Management+in+Technology+%28RMiT%29.pdf/810b088e-6f4f-aa35-b603-1208ace33619?t=1592866162078). This guide helps to ensure that the Microsoft Malaysian financial institutions customers on building Landing Zones in their Azure environment. The reference implementation is based on [Cloud Adoption Framework for Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and provides an opinionated implementation that enables to ensure that technology risk management framework (TRMF) 9.2 (e), (f), (g) and cyber resilience framework (CRF) 11.3 (d), (e), (g) remain relevant on an ongoing basis and meet the regulatory compliance by using [NIST SP 800-53 Rev. 4](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4) and [Risk Management in Technology (RMiT) policies.](https://docs.microsoft.com/en-us/azure/governance/policy/samples/rmit-malaysia)
 
-## Architecture
+# Architecture
 
-See architecture documentation for detailed walkthrough of design. (ccoming soon)
+See [architecture documentation for detailed walkthrough of design.](architecture.md)
 
 Deployment to Azure is supported using Azure DevOps Pipelines and can be adopted for other automated deployment systems like GitHub Actions, Jenkins, etc.
 
 The automation is built with Terraform.
 
-## Onboarding to Azure financial services Landing Zone 
+# Onboarding to Azure financial services Landing Zone 
 
 ## Goals 
 - Establishing the necessary risk frameworks, governance structures, policies, procedures to meet RMiT policies
@@ -25,7 +25,7 @@ The automation is built with Terraform.
 - Automatic approval / notification for Risk Management in Technology. Customers must collect evidence, customize to meet their regulatory requirements and submit for Authority to Operate based on their risk profile, requirements and process. Refer [Appendix 7 Risk Assessment Report](https://www.bnm.gov.my/documents/20124/963937/Risk+Management+in+Technology+%28RMiT%29.pdf/810b088e-6f4f-aa35-b603-1208ace33619?t=1592866162078)
 - Compliant on all Azure Policies when the reference implementation is deployed. This is due to the shared responsibility of cloud and customers can choose the Azure Policies to exclude. For example, using Azure Firewall is an Azure Policy that will be non-compliant since majority of the financial institutions customers use Network Virtual Appliances such as Palo Alto, Check Point, Fortinet. Customers must review [Microsoft Defender for Cloud Regulatory Compliance dashboard](https://docs.microsoft.com/en-gb/azure/defender-for-cloud/update-regulatory-compliance-packages) and apply appropriate exemptions.
 
-## How to test
+# How to Deploy Azure Landing Zones via Terraform 
 To add it as a custom initiative:
 New-AzPolicySetDefinition -Name "RMIT Test" -GroupDefinition .\groups.json -PolicyDefinition .\policies.json -Parameter .\params.json
 You can then further assign it in your Azure Portal in whichever scope.
@@ -59,14 +59,14 @@ role: Management Group Contributor
 Scope: subscription (targetted subscription)
 role: User Access Administrator
 
-### Deployment Steps
-### 1. Clone the repo and go to terraform directory where the configuration codes reside.
+## Deployment Steps
+## 1. Clone the repo and go to terraform directory where the configuration codes reside.
 ```
 git clone git@github.com:Azure/regulatory-compliance-initiatives.git
 cd regulatory-compliance-initiatives/terraform/
 ```
 
-### 2. Login to your identity
+## 2. Login to your identity
 You may follow the guide in this documentation for further reference
 https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/azure_cli
 
@@ -102,7 +102,7 @@ az account list
 az account set --subscription="SUB_ID_HERE"
 ```
 
-### 3. Run Terraform
+## 3. Run Terraform
 Once you have logged in, make sure you are in the right directory shown in step 1, and run the following commands.
 
 ```
@@ -111,10 +111,103 @@ terraform plan
 ```
 You may take this opportunity to verify the planned changes after running terraform plan as it does not apply to your environment yet. Otherwise proceed for deployment by running 
 ```
-terraform apply -auto-approve
+terraform apply -auto-approve -parallelism=50
 ```
 This process may take up to 30 minutes. Once the run is complete, you may review the changes in the portal under "Management Groups" and "Azure Policy"
 
+# How to modify management group
+
+Management Groups enable organizations to efficiently manage access, governance and compliance across all subscriptions. Azure management groups provide a level of scope above subscriptions. Subscriptions are organized into containers called "management groups" and apply Azure Policies and role-based access control to the management groups. All subscriptions within a management group automatically inherit the settings applied to the management group.
+
+Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have. All subscriptions within a single management group must trust the same Azure Active Directory tenant.
+
+Azure Landing Zones for Financial Services Industry in Malaysia recommends the following Management Group structure. This structure can be customized based on your organization's requirements. Specifically:
+
+- Landing Zones will be split by 3 groups of environments (DEV/TEST, QA, PROD).
+- Sandbox management group is used for any new subscriptions that will be created. This will remove the subscription sprawl from the Root - Tenant Group and will pull all subscriptions into the security compliance.
+
+
+## To change Management Group name 
+modify variables.tf following parameter value
+```
+variable "root_name" {
+  type    = string
+  default = "Bank Management Group"
+}
+
+variable "root_id" {
+  type    = string
+  default = "fsieszl"
+}
+
+```
+To change root group name visit [Changing Root Parent ID](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/190)  
+# Deploy Demo Landing Zone Archetypes 
+
+To deploy Enterprise-scale with a starter configuration based mainly on module defaults, including the additional Management Groups used for demonstrating the Enterprise-scale Landing Zone archetypes:
+
+- Corp
+- Online
+- SAP
+
+Visit [Examples] [Deploy Demo Landing Zone Archetypes](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes)
+
+modify main.tf following parameter value set the vaule "true"
+```
+  # Configuration settings for optional landing zones
+  deploy_corp_landing_zones   = true
+  deploy_online_landing_zones = true
+  deploy_sap_landing_zones    = true
+  deploy_demo_landing_zones   = false
+
+```
+## Deploy Custom Landing Zone 
+
+As we stated above this structure can be customized based on your organization's requirements. Specifically:
+
+for example the below Landing Zones will be split by 3 groups of environments 
+- Production
+- Pre-Production
+- Non-Production
+
+You can change this vaule to anything DEV, TEST, PROD or something like [What about our management group hierarchy?](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/faq) the detail guide how to modify the main object parameters [refe to our custom landing zone](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BVariables%5D-custom_landing_zones)
+
+```
+#custom landing zone deployment
+custom_landing_zones = {
+    "${var.root_id}-production" = {
+      display_name               = "Production"
+      parent_management_group_id = "${var.root_id}-landing-zones"
+      subscription_ids           = []
+      archetype_config = {
+        archetype_id   = "default_empty"
+        parameters     = {}
+        access_control = {}
+      }
+    }
+    "${var.root_id}-pre-production" = {
+      display_name               = "Pre-Production"
+      parent_management_group_id = "${var.root_id}-landing-zones"
+      subscription_ids           = []
+      archetype_config = {
+        archetype_id   = "default_empty"
+        parameters     = {}
+        access_control = {}
+      }
+    }
+    "${var.root_id}-non-production" = {
+      display_name               = "Non-Production"
+      parent_management_group_id = "${var.root_id}-landing-zones"
+      subscription_ids           = []
+      archetype_config = {
+        archetype_id   = "default_empty"
+        parameters     = {}
+        access_control = {}
+      }
+    }
+  }
+```
+
 ## Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a

architecture.md

@@ -0,0 +1,56 @@
+# Azure Landing Zones for Financial Services Industry in Malaysia
+
+The purpose of the reference implementation is to guide [Bank Negara of Malaysia’s Risk Management in Technology (RMiT) Regulatory Compliance](https://www.bnm.gov.my/documents/20124/963937/Risk+Management+in+Technology+%28RMiT%29.pdf/810b088e-6f4f-aa35-b603-1208ace33619?t=1592866162078). This guide helps to ensure that the Microsoft Malaysian financial institutions customers on building Landing Zones in their Azure environment. The reference implementation is based on [Cloud Adoption Framework for Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and provides an opinionated implementation that enables to ensure that technology risk management framework (TRMF) 9.2 (e), (f), (g) and cyber resilience framework (CRF) 11.3 (d), (e), (g) remain relevant on an ongoing basis and meet the regulatory compliance by using [NIST SP 800-53 Rev. 4](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4) and [Risk Management in Technology (RMiT) policies.](https://docs.microsoft.com/en-us/azure/governance/policy/samples/rmit-malaysia)
+
+## Table of Contents
+
+1. Key Decisions
+2. Security Controls
+3. Management Groups
+4. Identity
+5. Network
+6. Logging
+7. Tagging
+8. Archetypes
+9. Automation
+
+#  1. Key Decisions
+
+# 2. Security Controls
+
+# 3. Management Groups
+
+[Management Groups](https://docs.microsoft.com/azure/governance/management-groups/overview) enable organizations to efficiently manage access, governance and compliance across all subscriptions. Azure management groups provide a level of scope above subscriptions. Subscriptions are organized into containers called "management groups" and apply Azure Policies and role-based access control to the management groups. All subscriptions within a management group automatically inherit the settings applied to the management group.
+
+Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have. All subscriptions within a single management group must trust the same Azure Active Directory tenant.
+
+Azure Landing Zones for Financial Services Industry in Malaysia recommends the following Management Group structure. This structure can be customized based on your organization's requirements. Specifically:
+
+- Landing Zones will be split by 3 groups of environments.
+    - Production
+    - Pre-Production
+    - Non-Production
+- Sandbox management group is used for any new subscriptions that will be created. This will remove the subscription sprawl from the Root - Tenant Group and will pull all subscriptions into the security compliance.
+
+### Management Group Structure
+
+![Management Group Structure](images/my-management-group.jpg)
+
+Customers with existing management group structure can consider merging the recommended structure to continue to use the existing structure. The new structure deployed side-by-side will enable the ability to:
+
+- Configure all controls in the new management group without impacting existing subscriptions.
+- Migrate existing subscriptions one-by-one (or small batches) to the new management group to reduce the impact of breaking changes.
+- Learn from each migration, apply policy exemptions, and reconfigure Policy assignment scope from pubsec to another scope that's appropriate.
+
+
+# 4. Identity
+
+# 5. Network
+
+# 6. Logging
+
+# 7. Tagging
+
+# 8. Archetypes
+
+# 9. Automation

images/my-management-group.jpg:Zone.Identifier

@@ -0,0 +1,3 @@
+[ZoneTransfer]
+LastWriterPackageFamilyName=Microsoft.ScreenSketch_8wekyb3d8bbwe
+ZoneId=3

terraform/lib/archetype_definition/archetype_extension_es_root.json

@@ -13,4 +13,4 @@
             "access_control": {}
         }
     }
-}f
+}

terraform/main.tf

@@ -10,7 +10,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.0.0"
+  version = "1.1.1"
 
   providers = {
     azurerm              = azurerm
@@ -27,4 +27,54 @@ module "enterprise_scale" {
   subscription_id_management     = data.azurerm_client_config.core.subscription_id
   configure_management_resources = local.configure_management_resources
 
+  # Configuration settings for optional landing zones
+  deploy_corp_landing_zones   = false
+  deploy_online_landing_zones = false
+  deploy_sap_landing_zones    = false
+  deploy_demo_landing_zones   = false
+
+  custom_landing_zones = {
+    "${var.root_id}-production" = {
+      display_name               = "Production"
+      parent_management_group_id = "${var.root_id}-landing-zones"
+      subscription_ids           = []
+      archetype_config = {
+        archetype_id   = "default_empty"
+        parameters     = {}
+        access_control = {}
+      }
+    }
+    "${var.root_id}-pre-production" = {
+      display_name               = "Pre-Production"
+      parent_management_group_id = "${var.root_id}-landing-zones"
+      subscription_ids           = []
+      archetype_config = {
+        archetype_id   = "default_empty"
+        parameters     = {}
+        access_control = {}
+      }
+    }
+    "${var.root_id}-non-production" = {
+      display_name               = "Non-Production"
+      parent_management_group_id = "${var.root_id}-landing-zones"
+      subscription_ids           = []
+      archetype_config = {
+        archetype_id   = "default_empty"
+        parameters     = {}
+        access_control = {}
+      }
+      # archetype_config = {
+      #   archetype_id   = "customer_online"
+      #   parameters     = {
+      #     Deny-Resource-Locations = {
+      #       listOfAllowedLocations = ["eastus",]
+      #     }
+      #     Deny-RSG-Locations = {
+      #       listOfAllowedLocations = ["eastus",]
+      #     }
+      #   }
+      #   access_control = {}
+      # }
+    }
+  }
 }

terraform/settings.management.tf

@@ -30,6 +30,7 @@ locals {
           enable_defender_for_dns            = true
           enable_defender_for_key_vault      = true
           enable_defender_for_kubernetes     = true
+          enable_defender_for_oss_databases  = true
           enable_defender_for_servers        = true
           enable_defender_for_sql_servers    = true
           enable_defender_for_sql_server_vms = true

terraform/variables.tf

@@ -2,12 +2,12 @@
 
 variable "root_id" {
   type    = string
-  default = "banknegara"
+  default = "my-bank"
 }
 
 variable "root_name" {
   type    = string
-  default = "Bank Negara Malaysia"
+  default = "Bank Management Group"
 }
 
 variable "deploy_management_resources" {