From 7c6f25b74677a13e6c0a6e66abd4cecd552d3cf9 Mon Sep 17 00:00:00 2001
From: Zhiyan Xu
Date: Wed, 11 Dec 2024 08:54:06 -0800
Subject: [PATCH 1/3] Update exemptions to fix policy assignments.

---
 .../financial_services_landing_zone/locals.tf | 13 +++++++------
 .../sovereign_landing_zone/locals.tf | 5 +++--
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
index 45e5af1..98385f0 100644
--- a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
@@ -71,6 +71,7 @@ locals {
 locals {
 management_group_resource_id_format = "/providers/Microsoft.Management/managementGroups/%s"
+ root_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}${var.default_postfix}")
 confidential_corp_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}-landingzones-confidential-corp${var.default_postfix}")
 confidential_online_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}-landingzones-confidential-online${var.default_postfix}")
@@ -79,19 +80,19 @@ locals {
 "Confidential-Online-Location-Exemption" = {
 name = "Confidential-Online-Location-Exemption"
 display_name = "Confidential-Online-Location-Exemption"
- description = "Exempt the confidential online management group from the FSI Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
+ description = "Exempt the confidential online management group from the FSI data residency location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_online_management_group_id
- policy_assignment_id = "${local.confidential_online_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-fsi-conf"
- policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"
+ policy_definition_reference_ids = ["Allowed locations for resource groups", "Allowed locations"]
 exemption_category = "Waiver"
 }
 "Confidential-Corp-Location-Exemption" = {
 name = "Confidential-Corp-Location-Exemption"
 display_name = "Confidential-Corp-Location-Exemption"
- description = "Exempt the confidential corp management group from the FSI Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
+ description = "Exempt the confidential corp management group from the FSI data residency location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
management_group_id = local.confidential_corp_management_group_id
- policy_assignment_id = "${local.confidential_corp_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-fsi-conf"
- policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"
+ policy_definition_reference_ids = ["Allowed locations for resource groups", "Allowed locations"]
 exemption_category = "Waiver"
 }
 }
diff --git a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
index dafb630..288a717 100644
--- a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
@@ -27,6 +27,7 @@ locals {
 tenant_id = data.azurerm_client_config.current.tenant_id
 root_parent_management_group_id = var.root_parent_management_group_id == "" ? local.tenant_id : var.root_parent_management_group_id
 management_group_resource_id_format = "/providers/Microsoft.Management/managementGroups/%s"
+ root_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}${var.default_postfix}")
 landingzones_management_group_id = module.slz_management_groups.management_group_resource_ids["${var.default_prefix}-landingzones${var.default_postfix}"]
 management_management_group_id = "${var.default_prefix}-platform-management${var.default_postfix}"
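Review bot: The two replacement `policy_definition_reference_ids` lists in this hunk use space-separated names (`"Allowed locations for resource groups"`, `"Allowed locations"`) while every other exemption in the series, including the SLZ hunks at -331 and -340 in the same patch, keeps `"AllowedLocationsForResourceGroups"`/`"AllowedLocations"`; these strings must match the policyDefinitionReferenceId values declared in the `so-01-data-residency` initiative character for character, and a mismatch would either fail the apply or leave the confidential management groups without the intended exemption, so the divergent spelling is worth confirming against that initiative before merge. The assignment name `so-01-data-residency` is also spelled out in both exemptions here (the SLZ hunks do the same with `enforce-sovereign-global`); one local such as `data_residency_policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"` referenced from both entries would keep them in step if the assignment is ever renamed. The `default_policy_exemptions` map this hunk edits begins outside the hunk.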
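Review bot: The new `root_management_group_id` is built with `format()` from `var.default_prefix`/`var.default_postfix`, whereas the neighbouring `landingzones_management_group_id` reads its resource id from `module.slz_management_groups.management_group_resource_ids[...]`. Reading the root id from the same map, `root_management_group_id = module.slz_management_groups.management_group_resource_ids["${var.default_prefix}${var.default_postfix}"]`, would tie the exemptions' `policy_assignment_id` to the management group the module actually creates and give Terraform an explicit dependency on it, provided the map carries the root key (not visible here). With the `format()` form, a later change to how the module names the root group could leave this id pointing at a group that does not exist. The locals block this hunk edits begins before the hunk.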
@@ -331,7 +332,7 @@ locals {
 display_name = "Confidential-Online-Location-Exemption"
 description = "Exempt the confidential online management group from the SLZ Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_online_management_group_id
- policy_assignment_id = "${local.confidential_online_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-conf"
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
 policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
 exemption_category = "Waiver"
 }
@@ -340,7 +341,7 @@ locals {
 display_name = "Confidential-Corp-Location-Exemption"
 description = "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_corp_management_group_id
- policy_assignment_id = "${local.confidential_corp_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-conf"
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
 policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
 exemption_category = "Waiver"
 }

From 376bd81d3dacf0869097527c77c953282352827b Mon Sep 17 00:00:00 2001
From: Zhiyan Xu
Date: Wed, 11 Dec 2024 11:04:59 -0800
Subject: [PATCH 2/3] Update the exemption names.

---
 .../financial_services_landing_zone/locals.tf | 12 ++++++------
 .../sovereign_landing_zone/locals.tf | 14 +++++++-------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
index 98385f0..e6448a5 100644
--- a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
@@ -77,18 +77,18 @@ locals {
 # Policy exemptions
 default_policy_exemptions = {
- "Confidential-Online-Location-Exemption" = {
- name = "Confidential-Online-Location-Exemption"
- display_name = "Confidential-Online-Location-Exemption"
+ "Confidential-Online-Data-Residency-Exemption" = {
+ name = "Confidential-Online-Data-Residency-Exemption"
+ display_name = "Confidential-Online-Data-Residency-Exemption"
 description = "Exempt the confidential online management group from the FSI data residency location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_online_management_group_id
 policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"
 policy_definition_reference_ids = ["Allowed locations for resource groups", "Allowed locations"]
 exemption_category = "Waiver"
 }
- "Confidential-Corp-Location-Exemption" = {
- name = "Confidential-Corp-Location-Exemption"
- display_name = "Confidential-Corp-Location-Exemption"
+ "Confidential-Corp-Data-Residency-Exemption" = {
+ name = "Confidential-Corp-Data-Residency-Exemption"
+ display_name = "Confidential-Corp-Data-Residency-Exemption"
 description = "Exempt the confidential corp management group from the FSI data residency location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_corp_management_group_id
 policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"
diff --git a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
index 288a717..f97362d 100644
--- a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
@@ -327,18 +327,18 @@ locals {
 locals {
 default_policy_exemptions = {
- "Confidential-Online-Location-Exemption" = {
- name = "Confidential-Online-Location-Exemption"
- display_name = "Confidential-Online-Location-Exemption"
+ "Confidential-Online-Global-Location-Exemption" = {
+ name = "Confidential-Online-Global-Location-Exemption"
+ display_name = "Confidential-Online-Global-Location-Exemption"
 description = "Exempt the confidential online management group from the SLZ Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_online_management_group_id
 policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
 policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
 exemption_category = "Waiver"
 }
- "Confidential-Corp-Location-Exemption" = {
- name = "Confidential-Corp-Location-Exemption"
- display_name = "Confidential-Corp-Location-Exemption"
+ "Confidential-Corp-Global-Location-Exemption" = {
+ name = "Confidential-Corp-Global-Location-Exemption"
+ display_name = "Confidential-Corp-Global-Location-Exemption"
 description = "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_corp_management_group_id
 policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
@@ -366,7 +366,7 @@ locals {
 policyEffect = jsonencode({ value = var.policy_effect })
 listOfAllowedLocations = jsonencode({ value = var.allowed_locations })
 allowedLocationsForConfidentialComputing = jsonencode({ value = var.allowed_locations_for_confidential_computing })
- ddos_protection_plan_id = jsonencode({ value = "" })
+ ddos_protection_plan_id = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Network/ddosProtectionPlans/placeholder" })
 ddos_protection_plan_effect = jsonencode({ value = var.deploy_ddos_protection ? "Audit" : "Disabled" })
 emailSecurityContact = jsonencode({ value = var.ms_defender_for_cloud_email_security_contact })
 }

From e925e673da32cc79c7b80df4b991943ad8f7a47f Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Wed, 11 Dec 2024 11:07:28 -0800
Subject: [PATCH 3/3] Update locals.tf

---
 .../sovereign_landing_zone/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
index f97362d..5de2343 100644
--- a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
@@ -366,7 +366,7 @@ locals {
 policyEffect = jsonencode({ value = var.policy_effect })
 listOfAllowedLocations = jsonencode({ value = var.allowed_locations })
 allowedLocationsForConfidentialComputing = jsonencode({ value = var.allowed_locations_for_confidential_computing })
- ddos_protection_plan_id = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Network/ddosProtectionPlans/placeholder" })
+ ddos_protection_plan_id = jsonencode({ value = "" })
 ddos_protection_plan_effect = jsonencode({ value = var.deploy_ddos_protection ? "Audit" : "Disabled" })
 emailSecurityContact = jsonencode({ value = var.ms_defender_for_cloud_email_security_contact })
 }
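Review bot: After this revert, `ddos_protection_plan_id` is an empty string even when `var.deploy_ddos_protection` is true and the effect on the next line switches to `Audit`, so the audit has no plan id to compare against (inferred from the parameter names; the policy definition itself is not in this diff). If a DDoS plan is created when that variable is set, its id should be wired in rather than a constant, e.g. `ddos_protection_plan_id = jsonencode({ value = var.deploy_ddos_protection ? <DDOS_PLAN_RESOURCE_ID_OUTPUT> : "" })`, with the placeholder replaced by the plan resource's id attribute. If an empty id is intentional alongside `Audit`, a one-line comment above the line saying so would stop the next reader from reinstating the placeholder id that patch 2 introduced. The enclosing parameters map begins outside the hunk.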