diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md
index 3b4da3d..94c0a0f 100644
--- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md
+++ b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md
@@ -7,7 +7,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 ### 2.2.1.1 Azure DevOps with Bicep
-1. Create a new folder on you local drive called `accelerator`.
+1. Create a new folder on your local drive called `accelerator`.
 1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works.
 1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`.
@@ -110,6 +110,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module:
 1. Complete Multi Region - [inputs-azure-devops-terraform-complete-multi-region.yaml][example_powershell_inputs_azure_devops_terraform_complete_multi_region]
+ 1. Financial Services Industry Landing Zone - [inputs-azure-devops-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone]
 1. Sovereign Landing Zone - [inputs-azure-devops-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone]
 1. Basic - [inputs-azure-devops-terraform-basic.yaml][example_powershell_inputs_azure_devops_terraform_basic]
 1. Hub Networking - [inputs-azure-devops-terraform-hubnetworking.yaml][example_powershell_inputs_azure_devops_terraform_hubnetworking]
@@ -150,6 +151,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done.
 - [Terraform Complete Multi Region Starter Module][wiki_starter_module_terraform_complete_multi_region]: Management groups, policies, Multi Region hub networking with fully custom configuration.
+ - [Terraform Financial Services Industry Landing Zone Starter Module][wiki_starter_module_terraform_financial_services_industry_landing_zone]: Management groups, policies, hub networking for the Financial Services Industry Landing Zone.
 - [Terraform Sovereign Landing Zone Starter Module][wiki_starter_module_terraform_sovereign_landing_zone]: Management groups, policies, hub networking for the Sovereign Landing Zone.
 - [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies.
 - [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking.
@@ -188,6 +190,7 @@ Now head to [Phase 3][wiki_quick_start_phase_3].
 [wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking"
 [wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete"
 [wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region"
+[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone "Wiki - Starter Modules - Terraform Financial Services Industry Landing Zone"
 [wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform Sovereign Landing Zone"
 [wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3"
 [example_powershell_inputs_azure_devops_bicep_complete]: examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Bicep - Complete"
@@ -195,4 +198,5 @@ Now head to [Phase 3][wiki_quick_start_phase_3].
 [example_powershell_inputs_azure_devops_terraform_hubnetworking]: examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Hub Networking"
 [example_powershell_inputs_azure_devops_terraform_complete]: examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete"
 [example_powershell_inputs_azure_devops_terraform_complete_multi_region]: examples/powershell-inputs/inputs-azure-devops-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete Multi Region"
+[example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Financial Services Industry Landing Zone"
 [example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Sovereign Landing Zone"
diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md
index c93da27..492d601 100644
--- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md
+++ b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md
@@ -7,7 +7,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 ### 2.2.2.1 GitHub with Bicep
-1. Create a new folder on you local drive called `accelerator`.
+1. Create a new folder on your local drive called `accelerator`.
 1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works.
 1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`.
@@ -100,6 +100,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module:
 1. Complete Multi Region - [inputs-github-terraform-complete-multi-region.yaml][example_powershell_inputs_github_terraform_complete_multi_region]
+ 1. Financial Services Industry Landing Zone - [inputs-github-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_github_terraform_financial_services_industry_landing_zone]
 1. Sovereign Landing Zone - [inputs-github-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_github_terraform_sovereign_landing_zone]
 1. Basic - [inputs-github-terraform-basic.yaml][example_powershell_inputs_github_terraform_basic]
 1. Hub Networking - [inputs-github-terraform-hubnetworking.yaml][example_powershell_inputs_github_terraform_hubnetworking]
@@ -136,6 +137,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done.
 - [Terraform Complete Multi Region Starter Module][wiki_starter_module_terraform_complete_multi_region]: Management groups, policies, Multi Region hub networking with fully custom configuration.
+ - [Terraform Financial Services Industry Landing Zone Starter Module][wiki_starter_module_terraform_financial_services_industry_landing_zone]: Management groups, policies, hub networking for the Financial Services Industry Landing Zone.
 - [Terraform Sovereign Landing Zone Starter Module][wiki_starter_module_terraform_sovereign_landing_zone]: Management groups, policies, hub networking for the Sovereign Landing Zone.
 - [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies.
 - [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking.
@@ -174,6 +176,7 @@ Now head to [Phase 3][wiki_quick_start_phase_3].
 [wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking"
 [wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete"
 [wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region"
+[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone "Wiki - Starter Modules - Terraform Financial Services Industry Landing Zone"
 [wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform Sovereign Landing Zone"
 [wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3"
 [example_powershell_inputs_github_bicep_complete]: examples/powershell-inputs/inputs-github-bicep-complete.yaml "Example - PowerShell Inputs - GitHub - Bicep - Complete"
@@ -181,4 +184,5 @@ Now head to [Phase 3][wiki_quick_start_phase_3].
 [example_powershell_inputs_github_terraform_hubnetworking]: examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml "Example - PowerShell Inputs - GitHub - Terraform - Hub Networking"
 [example_powershell_inputs_github_terraform_complete]: examples/powershell-inputs/inputs-github-terraform-complete.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete"
 [example_powershell_inputs_github_terraform_complete_multi_region]: examples/powershell-inputs/inputs-github-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete Multi Region"
+[example_powershell_inputs_github_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - GitHub - Terraform - Financial Services Industry Landing Zone"
 [example_powershell_inputs_github_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - GitHub - Terraform - Sovereign Landing Zone"
diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md
index 7f9f0b6..34cccf4 100644
--- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md
+++ b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md
@@ -7,7 +7,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 ### 2.2.3.1 Local File System with Bicep
-1. Create a new folder on you local drive called `accelerator`.
+1. Create a new folder on your local drive called `accelerator`.
 1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works.
 1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`.
@@ -95,6 +95,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module:
 1. Complete Multi Region - [inputs-local-terraform-complete-multi-region.yaml][example_powershell_inputs_local_terraform_complete_multi_region]
+ 1. Financial Services Industry Landing Zone - [inputs-local-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_local_terraform_financial_service_industry_landing_zone]
 1. Sovereign Landing Zone - [inputs-local-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_local_terraform_sovereign_landing_zone]
 1. Basic - [inputs-local-terraform-basic.yaml][example_powershell_inputs_local_terraform_basic]
 1. Hub Networking - [inputs-local-terraform-hubnetworking.yaml][example_powershell_inputs_local_terraform_hubnetworking]
@@ -126,6 +127,7 @@ Although you can just run `Deploy-Accelerator` and fill out the prompted inputs,
 1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done.
 - [Terraform Complete Multi Region Starter Module][wiki_starter_module_terraform_complete_multi_region]: Management groups, policies, Multi Region hub networking with fully custom configuration.
+ - [Terraform Financial Services Industry Landing Zone Starter Module][wiki_starter_module_terraform_financial_services_industry_landing_zone]: Management groups, policies, hub networking for the Financial Services Industry Landing Zone.
 - [Terraform Sovereign Landing Zone Starter Module][wiki_starter_module_terraform_sovereign_landing_zone]: Management groups, policies, hub networking for the Sovereign Landing Zone.
 - [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies.
 - [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking.
@@ -165,6 +167,7 @@ Now head to [Phase 3][wiki_quick_start_phase_3].
 [wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking"
 [wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete"
 [wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region"
+[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone "Wiki - Starter Modules - Terraform Financial Services Industry Landing Zone"
 [wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform Sovereign Landing Zone"
 [wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3"
 [example_powershell_inputs_local_bicep_complete]: examples/powershell-inputs/inputs-local-bicep-complete.yaml "Example - PowerShell Inputs - Local - Bicep - Complete"
@@ -172,4 +175,5 @@ Now head to [Phase 3][wiki_quick_start_phase_3].
 [example_powershell_inputs_local_terraform_hubnetworking]: examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Local - Terraform - Hub Networking"
 [example_powershell_inputs_local_terraform_complete]: examples/powershell-inputs/inputs-local-terraform-complete.yaml "Example - PowerShell Inputs - Local - Terraform - Complete"
 [example_powershell_inputs_local_terraform_complete_multi_region]: examples/powershell-inputs/inputs-local-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Local - Terraform - Complete Multi Region"
+[example_powershell_inputs_local_terraform_financial_service_industry_landing_zone]: examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Financial Services Industry Landing Zone"
 [example_powershell_inputs_local_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Sovereign Landing Zone"
diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone.md
new file mode 100644
index 0000000..f99ec52
--- /dev/null
+++ b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone.md
@@ -0,0 +1,380 @@
+
+The `financial_services_landing_zone` starter module provides full customization of the Financial Services Industry Landing Zone (FSILZ) using the `inputs.yaml` file. The `inputs.yaml` file provides the ability to enable and disable modules, configure module inputs and outputs, and configure module resources.
+A custom `inputs.yaml` file can be passed to the `inputs` argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it.
+
+The default `inputs.yaml` file will need to be modified based on the documentation below.
+
+Example input files can be found here:
+
+- [inputs-azure-devops-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone]
+- [inputs-github-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_github_terraform_financial_services_industry_landing_zone]
+- [inputs-local-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_local_terraform_financial_services_industry_landing_zone]
+
+The following table describes the inputs for the `financial_services_landing_zone` starter module.
+
+| Input | Required | Type | Default Value | Description |
+| - | -- | --- | ---- | ----- |
+| `allowed_locations` | Required | List | | This is a list of Azure regions all workloads running outside of the Confidential Management Group scopes are allowed to be deployed into. |
+| `allowed_locations_for_confidential_computing` | Required | List | | This is a list of Azure regions all workloads running inside of the Confidential Management Group scopes are allowed to be deployed into. |
+| `az_firewall_policies_enabled` | | Boolean | `true` | Set to `true` to deploy a default Azure Firewall Policy resource if `enable_firewall` is also `true`. |
+| `apply_alz_archetypes_via_architecture_definition_template` | | Boolean | `true` | This controls whether to apply the ALZ archetypes (polcy assignments) to the Financial Services Industry Landing Zone deployment. |
+| `bastion_outbound_ssh_rdp_ports` | | List | `["22", "3389"]` | List of outbound remote access ports to enable on the Azure Bastion NSG if `deploy_bastion` is also `true`. |
+| `custom_subnets` | | Map | See `inputs.yaml` for default object. | Map of subnets and their configurations to create within the hub network. |
+| `customer` | | String | `"Country/Region"` | Customer name to use when branding the compliance dashboard. |
+| `customer_policy_sets` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy initiatives to apply alongside the Financial Services Industry Landing Zone |
+| `default_postfix` | Required | String | | Postfix value to append to all resources. |
+| `default_prefix` | | String | | Prefix value to append to all resources. |
+| `deploy_bastion` | | Boolean | `true` | Set to `true` to deploy Azure Bastion within the hub network. |
+| `deploy_ddos_protection` | | Boolean | `true` | Set to `true` to deploy Azure DDoS Protection within the hub network. |
+| `deploy_hub_network` | | Boolean | `true` | Set to `true` to deploy the hub network. |
+| `deploy_log_analytics_workspace` | | Boolean | `true` | Set to `true` to deploy Azure Log Analytics Workspace. |
+| `enable_firewall` | | Boolean | `true` | Set to `true` to deploy Azure Firewall within the hub network. |
+| `enable_telemetry` | | Boolean | `true` | Set to `false` to opt out of telemetry tracking. We use telemetry data to understand usage rates to help prioritize future development efforts. |
+| `express_route_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an ExpressRoute Gateway. See the Network Connectivity section below for details. |
+| `hub_network_address_prefix` | | CIDR | "10.20.0.0/16" | This is the CIDR to use for the hub network. |
+| `landing_zone_management_group_children` | | Map | | See the Customize Application Landing Zones section below for details. |
+| `log_analytics_workspace_retention_in_days` | | Numeric | 365 | Number of days to retain logs in the Log Analytics Workspace. |
+| `ms_defender_for_cloud_email_security_contact` | | Email | `security_contact@replaceme.com` | Email address to use for Microsoft Defender for Cloud. |
+| `policy_assignment_enforcement_mode` | | String | `Default` | The enforcement mode to use for the Financial Services Industry Baseline Policy initiatives. |
+| `policy_effect` | | String | `Deny` | The effect to use for the Financial Services Industry Baseline Policy initiatives, when policies support multiple effects. |
+| `policy_exemptions` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy exemptions to use alongside the Financial Services Industry Landing Zone. |
+| `subscription_billing_scope` | Required | String | | Only required if you have not provided existing subscription IDs for management, connectivity, and identity. |
+| `tags` | | Map | See the Custom Tagging section below for details. | Set of tags to apply to all resources deployed. |
+| `use_premium_firewall` | | Boolean | `true` | Set to `true` to deploy Premium SKU of the Azure Firewall if `enable_firewall` is also `true`. |
+| `vpn_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an VPN Gateway. See the Network Connectivity section below for details. |
+
+## Custom Compliance
+
+### Custom Policy Sets
+
+An example of the format for the `customer_policy_sets` map is as follows:
+
+```yaml
+customer_policy_sets: {
+  assignment1: {
+    policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f",
+    policySetAssignmentName: "FedRAMPHigh",
+    policySetAssignmentDisplayName: "FedRAMP High",
+    policySetAssignmentDescription: "FedRAMP High",
+    policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/",
+    policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json"
+  }
+}
+```
+
+### Policy Exemptions
+
+An example of the format for the `policy_exemptions` map is as follows:
+
+```yaml
+policy_exemptions: {
+  policy_exemption1: {
+    name: "globalexemption",
+    display_name: "global",
+    description: "test",
+    management_group_id: "/providers/Microsoft.management/managementGroups/",
+    policy_assignment_id: "/providers/microsoft.management/managementGroups//providers/microsoft.Authorization/policyassignments/enforce-fsi-global",
+    policy_definition_reference_ids: ["AllowedLocations"]
+  }
+}
+```
+
+## Customize Application Landing Zones
+
+### Landing Zone Management Group Children
+
+An example of the format for the `landing_zone_management_group_children` map is as follows:
+
+```yaml
+landing_zone_management_group_children: {
+  child1: {
+    id: "child1",
+    display_name: "Landing zone child one"
+  }
+}
+```
+
+## Custom Tagging
+
+### Tags
+
+An example of the format for the `tags` map is as follows:
+
+```yaml
+tags: {
+  Environment: "Production",
+  ServiceName: "FSILZ"
+}
+```
+
+## Network Connectivity
+
+### ExpressRoute Gateway Config
+
+An example of the format for the `express_route_gateway_config` map is as follows:
+
+```yaml
+express_route_gateway_config: {
+  name: "express_route",
+  gatewayType: "ExpressRoute",
+  sku: "ErGw1AZ",
+  vpnType: "RouteBased",
+  vpnGatewayGeneration: null,
+  enableBgp: false,
+  activeActive: false,
+  enableBgpRouteTranslationForNat: false,
+  enableDnsForwarding: false,
+  asn: 65515,
+  bgpPeeringAddress: "",
+  peerWeight: 5
+}
+```
+
+### VPN Gateway Config
+
+An example of the format for the `vpn_gateway_config` map is as follows:
+
+```yaml
+vpn_gateway_config: {
+  name: "vpn_gateway",
+  gatewayType: "Vpn",
+  sku: "VpnGw1",
+  vpnType: "RouteBased",
+  vpnGatewayGeneration: "Generation1",
+  enableBgp: false,
+  activeActive: false,
+  enableBgpRouteTranslationForNat: false,
+  enableDnsForwarding: false,
+  bgpPeeringAddress: "",
+  asn: 65515,
+  peerWeight: 5,
+  vpnClientConfiguration: {
+    vpnAddressSpace: ["10.2.0.0/24"]
+  }
+}
+```
+
+## Known Issues
+
+The following are known issues with the Public Preview release for the Financial Services Industry Landing Zone.
+
+### Multiple Inputs for Location
+
+The inputs for `bootstrap_location` and `starter_locations` must be identical.
+
+### Terraform Plan or Apply Fails After Updating tfvars
+
+Any updates should be made to the inputs file(e.g., inputs-local-terraform-financial-services-landing-zone.yaml) and re-run the ALZ powershell & rerun the Phase 3 of Deployment.
+
+### Invalid Hub Network Address Prefix or Subnet Address Prefix
+
+There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply.
+
+### Unable to Build Authorizer for Resource Manager API
+
+It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist.
+
+### Unable to Update Address Prefixes
+
+Updating the address prefix on either the hub network or subnets is not supported at this time.
+
+### Unable to Change Top Level or Sub Level Management Group Names
+
+Modifying the Top Level or Sub Level Management Group name is not supported at this time.
+
+### Tags are Not Applied to All Resources
+
+Certain resources are not receiving the default tags. This will be addressed in a future release.
+
+### Default Compliance Score is not 100%
+
+Certain resources will show as being out of compliance by default. This will be addressed in a future release.
+
+## Further details on the Financial Services Industry Landing Zone Starter Module
+
+The Terraform-based deployment for the Financial Services Industry Landing Zone (FSILZ) provides an Enterprise Scale Landing Zone with compliance posture
+
+### High Level Design
+
+![Alt text](.\media\starter-module-microsoft_cloud_for_financial_services_industry.png)
+
+### Terraform Modules
+
+#### `alz-archetypes` and `fsilz-archetypes`
+
+The `alz-archetypes` and `fsilz-archetypes` are different from Terraform modules, but are used to deploy the management group hierarchy, policy assignments and management resources including the Financial Services Industry policies. For more information on the archetypes, view the [ALZ archetypes](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/alz/) and the [FSILZ archetypes](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/fsi/).
+
+#### `subscription-vending`
+
+The `subscription-vending` module is used to deploy the subscriptions and move them within the right management group scopes. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-lz-vending/tree/main/modules/subscription).
+
+#### `hubnetworking`
+
+The `hubnetworking` module is used to deploy the hub VNET, Azure Firewall , Route Tables, and other networking primitives into the connectivity subscription. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-hubnetworking).
+
+#### `private-link`
+
+The `private-link` module is used to deploy default private link private DNS Zones. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-network-private-link-private-dns-zones).
+
+#### `alz-management`
+
+The `alz-management` module is used to deploy a set of management resources such as those for centralized logging. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-alz-management).
+
+#### `resource-group`
+
+The `resource-group` module is used to deploy a variety of resource groups within the default subscriptions. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-resources-resourcegroup).
+
+#### `portal-dashboard`
+
+The `portal-dashboard` module is used to deploy the default compliance dashboard. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-portal-dashboard).
+
+#### `azure-bastion`
+
+The `azure-bastion` module is used to deploy Azure Bastion for remote access. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-bastionhost).
+
+#### `firewall-policy`
+
+The `firewall-policy` module is used to deploy a default Azure Firewall Policy for further configuration. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-firewallpolicy).
+
+#### `ddos-protection`
+
+The `ddos-protection` module is used to deploy a Standard SKU DDoS Protection Plan resource for network security. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-ddosprotectionplan).
+
+#### `public-ip`
+
+The `public-ip` module is used to deploy a Azure Public IP resoures for offerings that need inbound public internet access such as the VPN and ExpressRoute Gateways. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-publicipaddress).
+
+#### `networksecuritygroup`
+
+The `networksecuritygroup` module is used to deploy a default NSG for the Azure Bastion subnet to restrict ingress and egress network access. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-networksecuritygroup).
+
+### Exemptions
+
+#### 1. Customer might change Policy assignments at Management Groups level
+
+Please follow the below example to change the Policy Assignments (example: Data Residency being moved to Root level)
+
+In deployment workspace, navigate to:
+starter\{version}\microsoft_cloud_for_industry\financial_services_landing_zone\templates\fsi.alz_architecture_definition.json.tftpl
+
+Update fsi.alz_architecture_definition.json.tftpl file with preferred archetype management group assignments, e.g., to add so_01_data_residency to the “Financial Services Industry Landing Zone” management group, make the following change:
+
+Before update:
+
+```json
+{
+  "name": "${architecture_definition_name}",
+  "management_groups": [
+    {
+      "archetypes": [${root_archetypes}, "fsi_root", "tr_01_logging", "re_01_zonal_residency", "so_04_cmk"],
+      "display_name": "FSI Landing Zone",
+      "exists": false,
+      "id": "${root_management_group_id}",
+      "parent_id": null
+    },
+  ]
+  ...
+}
+```
+
+After update:
+
+```json
+{
+  "name": "${architecture_definition_name}",
+  "management_groups": [
+    {
+      "archetypes": [${root_archetypes}, "fsi_root", "tr_01_logging", "re_01_zonal_residency", "so_04_cmk", "so_01_data_residency"],
+      "display_name": "FSI Landing Zone",
+      "exists": false,
+      "id": "${root_management_group_id}",
+      "parent_id": null
+    },
+  ]
+  ...
+}
+```
+
+Run Deploy-Accelerator command from phase 2 and then continue with phase 3
+
+#### 2. Instructions for setting Policy Assignment parameter values
+
+Please follow the below example to change the Policy Assignment parameter values (e.g., DDOS Protection Plan ID needs to be updated)
+
+Please Note: Policy Assignment parameter values are only applicable for DDOS Protection Plan & Log Analytics Workspace
+
+In the "management_groups" module located in file:
+
+starter\{version}\microsoft_cloud_for_industry\financial_services_landing_zone\locals.tf
+
+Users should go into locals.tf file & update the values for ddosProtectionPlanId & logAnalyticsWorkspaceId.
+
+Code needing update:
+
+```terraform
+  fsi_policy_default_values = {
+    policyEffect = jsonencode({ value = var.policy_effect })
+    allowedLocationsForConfidentialComputing = jsonencode({ value = var.allowed_locations_for_confidential_computing })
+    allowedLocations = jsonencode({ value = var.allowed_locations })
+    ddosProtectionPlanId = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Network/ddosProtectionPlans/placeholder" })
+    ddosProtectionPlanEffect = jsonencode({ value = var.deploy_ddos_protection ? "Audit" : "Disabled" })
+    emailSecurityContact = jsonencode({ value = var.ms_defender_for_cloud_email_security_contact })
+    logAnalyticsWorkspaceId = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/placeholder/providers/Microsoft.OperationalInsights/workspaces/placeholder-la" })
+  }
+```
+
+Below is an example of where to locate the DDOS Protection Plan & Log Analytics Workspace IDs from the Financial Services Industry starter module terrafrom output. The output will be displayed after the deployment has completed:
+
+```text
+Apply complete! Resources: 862 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+dashboard_info = <"
+starter_locations: [""] # NOTE: FSI only support a single region by design
+root_parent_management_group_id: ""
+subscription_id_management: ""
+subscription_id_identity: ""
+subscription_id_connectivity: ""
+
+# Bootstrap Inputs
+azure_devops_personal_access_token: ""
+azure_devops_agents_personal_access_token: ""
+azure_devops_organization_name: ""
+use_separate_repository_for_templates: true
+bootstrap_subscription_id: ""
+service_name: "fsi"
+environment_name: "mgmt"
+postfix_number: 1
+azure_devops_use_organisation_legacy_url: false
+azure_devops_create_project: true
+azure_devops_project_name: ""
+use_self_hosted_agents: true
+use_private_networking: true
+allow_storage_access_from_my_ip: false
+apply_approvers: [""]
+create_branch_policies: true
+architecture_definition_name: "fsi"
+apply_alz_archetypes_via_architecture_definition_template: true
+
+# Starter Module Specific Variables
+allowed_locations: []
+allowed_locations_for_confidential_computing: []
+az_firewall_policies_enabled: true
+bastion_outbound_ssh_rdp_ports: ["22", "3389"]
+custom_subnets: {
+ AzureBastionSubnet: {
+ address_prefixes: "10.20.15.0/24",
+ name: "AzureBastionSubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ },
+ AzureFirewallSubnet: {
+ address_prefixes: "10.20.254.0/24",
+ name: "AzureFirewallSubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ },
+ GatewaySubnet: {
+ address_prefixes: "10.20.252.0/24",
+ name: "GatewaySubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ }
+}
+customer: "Country/Region"
+customer_policy_sets: {}
+default_postfix: ""
+default_prefix: "fsi"
+deploy_bastion: true
+deploy_ddos_protection: true
+deploy_hub_network: true
+deploy_log_analytics_workspace: true
+enable_firewall: true
+enable_telemetry: true
+express_route_gateway_config: {name: "noconfigEr"}
+hub_network_address_prefix: "10.20.0.0/16"
+landing_zone_management_group_children: {}
+log_analytics_workspace_retention_in_days: "365"
+ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com"
+policy_assignment_enforcement_mode: "Default"
+policy_effect: "Deny"
+policy_exemptions: {}
+subscription_billing_scope: ""
+tags: {}
+use_premium_firewall: true
+vpn_gateway_config: {name: "noconfigVpn"}
+
+# Advanced Inputs
+bootstrap_module_version: "v4.1.3"
+starter_module_version: "latest"
diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml
new file mode 100644
index 0000000..14ea878
--- /dev/null
+++ b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml
@@ -0,0 +1,82 @@
+---
+# Basic Inputs
+iac: "terraform"
+bootstrap: "alz_github"
+starter: "financial_services_landing_zone"
+
+# Shared Interface Inputs
+bootstrap_location: ""
+starter_locations: [""] # NOTE: FSI only support a single region by design
+root_parent_management_group_id: ""
+subscription_id_management: ""
+subscription_id_identity: ""
+subscription_id_connectivity: ""
+
+# Bootstrap Inputs
+github_personal_access_token: ""
+github_runners_personal_access_token: ""
+github_organization_name: ""
+use_separate_repository_for_templates: true
+bootstrap_subscription_id: ""
+service_name: "fsi"
+environment_name: "mgmt"
+postfix_number: 1
+use_self_hosted_runners: true
+use_private_networking: true
+allow_storage_access_from_my_ip: false
+apply_approvers: [""]
+create_branch_policies: true
+architecture_definition_name: "fsi"
+apply_alz_archetypes_via_architecture_definition_template: true
+
+# Starter Module Specific Variables
+allowed_locations: []
+allowed_locations_for_confidential_computing: []
+az_firewall_policies_enabled: true
+bastion_outbound_ssh_rdp_ports: ["22", "3389"]
+custom_subnets: {
+ AzureBastionSubnet: {
+ address_prefixes: "10.20.15.0/24",
+ name: "AzureBastionSubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ },
+ AzureFirewallSubnet: {
+ address_prefixes: "10.20.254.0/24",
+ name: "AzureFirewallSubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ },
+ GatewaySubnet: {
+ address_prefixes: "10.20.252.0/24",
+ name: "GatewaySubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ }
+}
+customer: "Country/Region"
+customer_policy_sets: {}
+default_postfix: ""
+default_prefix: "fsi"
+deploy_bastion: true
+deploy_ddos_protection: true
+deploy_hub_network: true
+deploy_log_analytics_workspace: true
+enable_firewall: true
+enable_telemetry: true
+express_route_gateway_config: {name: "noconfigEr"}
+hub_network_address_prefix: "10.20.0.0/16"
+landing_zone_management_group_children: {}
+log_analytics_workspace_retention_in_days: "365"
+ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com"
+policy_assignment_enforcement_mode: "Default"
+policy_effect: "Deny"
+policy_exemptions: {}
+subscription_billing_scope: ""
+tags: {}
+use_premium_firewall: true
+vpn_gateway_config: {name: "noconfigVpn"}
+
+# Advanced Inputs
+bootstrap_module_version: "v4.1.3"
+starter_module_version: "latest"
diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml
new file mode 100644
index 0000000..542d230
--- /dev/null
+++ b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml
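Review bot: `allowed_locations: []` and `allowed_locations_for_confidential_computing: []` are shipped empty while `policy_effect: "Deny"` is set, and the wiki hunk earlier in this change shows both lists feeding the `allowedLocations` / `allowedLocationsForConfidentialComputing` policy parameters, so the example gives no hint whether an empty list means "unrestricted" or "every region denied". A comment on the line, such as `allowed_locations: [] # fill with the region(s) used in starter_locations; this value becomes the allowedLocations policy parameter`, would stop users from deploying the example as-is; the same applies to the `inputs-local-terraform-financial-services-landing-zone.yaml` hunk that follows. `github_personal_access_token` and `github_runners_personal_access_token` are also expected as plaintext in this inputs file; if the accelerator can read them from the environment instead, a one-line comment pointing to that would keep the tokens off disk.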
@@ -0,0 +1,75 @@
+---
+# Basic Inputs
+iac: "terraform"
+bootstrap: "alz_local"
+starter: "financial_services_landing_zone"
+
+# Shared Interface Inputs
+bootstrap_location: ""
+starter_locations: [""] # NOTE: FSI only support a single region by design
+root_parent_management_group_id: ""
+subscription_id_management: ""
+subscription_id_identity: ""
+subscription_id_connectivity: ""
+
+# Bootstrap Inputs
+target_directory: ""
+create_bootstrap_resources_in_azure: false
+bootstrap_subscription_id: ""
+service_name: "fsi"
+environment_name: "mgmt"
+postfix_number: 1
+architecture_definition_name: "fsi"
+apply_alz_archetypes_via_architecture_definition_template: true
+
+# Starter Module Specific Variables
+allowed_locations: []
+allowed_locations_for_confidential_computing: []
+az_firewall_policies_enabled: true
+bastion_outbound_ssh_rdp_ports: ["22", "3389"]
+custom_subnets: {
+ AzureBastionSubnet: {
+ address_prefixes: "10.20.15.0/24",
+ name: "AzureBastionSubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ },
+ AzureFirewallSubnet: {
+ address_prefixes: "10.20.254.0/24",
+ name: "AzureFirewallSubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ },
+ GatewaySubnet: {
+ address_prefixes: "10.20.252.0/24",
+ name: "GatewaySubnet",
+ networkSecurityGroupId: "",
+ routeTableId: ""
+ }
+}
+customer: "Country/Region"
+customer_policy_sets: {}
+default_postfix: ""
+default_prefix: "fsi"
+deploy_bastion: true
+deploy_ddos_protection: true
+deploy_hub_network: true
+deploy_log_analytics_workspace: true
+enable_firewall: true
+enable_telemetry: true
+express_route_gateway_config: {name: "noconfigEr"}
+hub_network_address_prefix: "10.20.0.0/16"
+landing_zone_management_group_children: {}
+log_analytics_workspace_retention_in_days: "365"
+ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com"
+policy_assignment_enforcement_mode: "Default"
+policy_effect: "Deny"
+policy_exemptions: {}
+subscription_billing_scope: ""
+tags: {}
+use_premium_firewall: true
+vpn_gateway_config: {name: "noconfigVpn"}
+
+# Advanced Inputs
+bootstrap_module_version: "v4.1.3"
+starter_module_version: "latest"
diff --git a/docs/wiki/media/starter-module-microsoft_cloud_for_financial_services_industry.png b/docs/wiki/media/starter-module-microsoft_cloud_for_financial_services_industry.png
new file mode 100644
index 0000000..3442218
Binary files /dev/null and b/docs/wiki/media/starter-module-microsoft_cloud_for_financial_services_industry.png differ