update policy assignment to be opt-in for Terraform #459

Merged
merged 3 commits into from
Oct 14, 2021
4 changes: 2 additions & 2 deletions docs/policies.md
Expand Up @@ -63,12 +63,12 @@ az deployment group create \

### Deploying with Terraform

By default, the Terraform implementaiton at `src/terraform/mlz/main.tf` will assign the NIST 800-53 policies. You can disable this by providing a `false` value to the `create_policy_assignment` variable:
The Terraform implementaiton at `src/terraform/mlz/main.tf` supports assigning NIST 800-53 policies. You can enable this by providing a `true` value to the `create_policy_assignment` variable:

```plaintext
cd src/terraform/mlz
terraform init
terraform apply -var="create_policy_assignment=false"
terraform apply -var="create_policy_assignment=true"
```

After the resources are deployed, you will need to go into go into each assignment and retrieve the managed identity and modify its role access to contributor scoped to the associated resource group. This is due to the initiative including modify and deploy policies that act on resources, like deploying the require policy guest configuration extensions to VMs.
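Review bot: the replacement line `The Terraform implementaiton at `src/terraform/mlz/main.tf` supports assigning NIST 800-53 policies.` carries over the misspelling "implementaiton"; since the line is being rewritten anyway, spell it "implementation". The new wording also drops the old sentence's statement of the default, so a reader no longer learns that, after this change, no NIST 800-53 policy is assigned unless `create_policy_assignment=true` is passed; adding "No policies are assigned by default" to the replacement line keeps that explicit. The unchanged context line below still reads "go into go into" if you want to tidy it in the same pass.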
24 changes: 24 additions & 0 deletions src/terraform/README.md
Expand Up @@ -29,6 +29,8 @@ Read on to understand the [prerequisites](#Prerequisistes), how to get started,

Deploying to a Cloud other than Azure Commercial? This requires updating the `azurerm` provider block `environment` and `metadata_host` values. Checkout the [Deploying to Other Clouds](#Deploying-to-Other-Clouds) documentation.

Looking to assign Azure Policy? This template supports assigning NIST 800-53 policies. See the [policies documentation](../../docs/policies.md) for more information.

### Login to Azure CLI

1. Log in using the Azure CLI
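Review bot: the added pointer `Looking to assign Azure Policy? This template supports assigning NIST 800-53 policies. See the [policies documentation](../../docs/policies.md) for more information.` repeats, word for word, the opening sentence of the new `## Assigning Azure Policy` section added further down in this same README; link the intro to that section (`#Assigning-Azure-Policy`) instead of duplicating the sentence, so the two cannot drift apart. The surrounding context line also carries the anchor typo `#Prerequisistes`, which is outside this change but easy to fix while here.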
Expand Down Expand Up @@ -162,6 +164,28 @@ Here's the docs on `terraform destroy`: <https://www.terraform.io/docs/cli/comma

This command will attempt to remove all the resources that were created by `terraform apply` and could take up to 45 minutes.

## Assigning Azure Policy

This template supports assigning NIST 800-53 policies. See the [policies documentation](../../docs/policies.md) for more information.

You can enable this by providing a `true` value to the `create_policy_assignment` variable.

At `apply` time:

```plaintext
terraform apply -var="create_policy_assignment=true"
```

Or, by updating `src/terraform/mlz/variables.tf`:

```terraform
variable "create_policy_assignment" {
description = "Assign Policy to deployed resources?"
type = bool
default = true
}
```

## Deploying new Spoke Networks

Once you've deployed Mission LZ, you can use the Tier 3 module to deploy and peer new Spoke Networks and workloads to the Hub and Firewall.
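Review bot: the new `## Assigning Azure Policy` section never states the default, so `You can enable this by providing a `true` value to the `create_policy_assignment` variable.` leaves the reader guessing whether policy is on or off out of the box; say "disabled by default (`create_policy_assignment = false`)", which is what the variables.tf change in this PR sets. The second option, editing `src/terraform/mlz/variables.tf` to `default = true`, modifies a tracked file and will be reverted or conflict when the template is updated; a `terraform.tfvars` entry (`create_policy_assignment = true`) or a `-var-file` is the conventional way to persist the setting and is worth listing instead. Minor: the `terraform apply` block is fenced as `plaintext` while the HCL block is fenced as `terraform`; fencing the command as `bash` gives consistent highlighting.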
2 changes: 1 addition & 1 deletion src/terraform/mlz/variables.tf
Expand Up @@ -296,7 +296,7 @@ variable "jumpbox_linux_vm_version" {
variable "create_policy_assignment" {
description = "Assign Policy to deployed resources?"
type = bool
default = true
default = false
}

#################################
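Review bot: flipping `default = true` to `default = false` is a behaviour change for existing deployments, not only for new ones: anyone who already applied this template with policy assigned and re-runs `terraform apply` on the updated code without setting the variable will get a plan that destroys the NIST 800-53 policy assignments, and the manual contributor role grants described in docs/policies.md will be left pointing at removed identities. That deserves a line in the PR description or an upgrade note. The variable `description` could also carry the default, e.g. "Assign Policy to deployed resources? Defaults to false.", so `terraform plan` output and generated docs show it.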