Policy refactoring with automation and testing #1022

Merged (14 commits) on Sep 6, 2022

@krowlandson (Contributor) commented Aug 10, 2022

Overview/Summary

This PR makes a fundamental change to how we manage and test custom policies implemented as part of Azure landing zones.

This PR fixes/adds/changes/removes

  1. Adds a new resource library containing individual policy definition and policy set definition resources as individual files
  2. Adds a Bicep template used to programmatically generate a new policies.json file for the eslzArm Portal deployment
  3. The new policies.json template is now designed to universally work across AzureCloud, AzureChinaCloud and AzureUsGovernment clouds
  4. Adds new GitHub Action to automatically regenerate policies.json when relevant changes are detected in a PR
  5. Adds new GitHub Action to perform static code analysis (linting) of the new src folder (also scans eslzArm folder but for reporting only)
  6. Adds a new GitHub Action to perform automated testing of the eslzArm deployment, including a complete deployment and tear-down
  7. Adds an updated version of the original EnterpriseScaleLibraryTools PowerShell module from the Terraform implementation, now rebranded as Alz.Tools and extended to include new functionality needed for broader use (will be re-usable for Terraform and Bicep implementations)
  8. Adds a new GitHub Action to keep the Alz.Tools module up to date with the latest API versions
  9. Includes minor (primarily cosmetic) updates to the eslzArm deployment to improve maintainability and control whilst running programmatically
  10. Update elements in Portal UI definition to match the parameters set by their output for easier maintenance
  11. Added logic to customize the Portal UI questions based on target Cloud environment, to improve support for AzureChinaCloud (pending update to MG scope deployment) and AzureUSGovernment
  12. Improve consistency across deployment names and update to use alz- prefix instead of EntScale-
  13. Update description field in emailContactAsc parameter across Cloud environments for Deploy-MDFC-Config Policy Assignment

Breaking Changes

None identified

Testing Evidence

AzureCloud

See test pipelines in GitHub Actions.

policies.json for AzureChinaCloud

image

image

policies.json for AzureUsGovernment

MicrosoftTeams-image

MicrosoftTeams-image (1)

Testing URLs

n/a

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.
  • Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

@krowlandson added the enhancement (New feature or request) and engineering (engineering work) labels Aug 10, 2022
@krowlandson self-assigned this Aug 10, 2022
@krowlandson requested review from a team as code owners August 10, 2022 08:48
@krowlandson temporarily deployed to csu-rw August 10, 2022 08:48 Inactive
@krowlandson temporarily deployed to csu-rw August 10, 2022 08:52 Inactive

@faister (Contributor) commented Aug 10, 2022

@krowlandson I'll have a go with testing this in Azure China, will reach out when I have questions

@krowlandson temporarily deployed to csu-rw August 13, 2022 08:48 Inactive
@krowlandson temporarily deployed to csu-rw August 13, 2022 08:49 Inactive

@matt-FFFFFF (Member) commented Aug 26, 2022

I have one concern that we are using a Bicep data structure to store the configuration for the public/mc/ff policies.

This should be in a common data format like JSON or YAML.

I understand there is a feature request in the Bicep team for changes to a function Azure/bicep/issues/3816#issuecomment-1191230215 but they have not committed to producing this. As a workaround to this I would like us to store the data as JSON/YAML, then convert this to Bicep in the absence of a working Bicep function. This way we can start on the journey to have a machine readable definition for ALZ.

@jtracey93 (Collaborator) commented

> I have one concern that we are using a Bicep data structure to store the configuration for the public/mc/ff policies.
>
> This should be in a common data format like JSON or YAML.
>
> I understand there is a feature request in the Bicep team for changes to a function Azure/bicep/issues/3816#issuecomment-1191230215 but they have not committed to producing this. As a workaround to this I would like us to store the data as JSON/YAML, then convert this to Bicep in the absence of a working Bicep function. This way we can start on the journey to have a machine readable definition for ALZ.

This is a good idea. However, the term "workaround" doesn't sit well with me.

Being honest, today, do we actually find ourselves updating the list of policies for clouds? It's more updating existing policies and the rule definitions of them.

Also, by templating now and then reverting back to bicep at a later date, if the feature is added, do we think it is worth the additional engineering effort?

If so, we may need you to pick this up as @krowlandson is going to be OOF over the next few weeks at different times. Or do we think we can merge this and then evolve from there with another PR later to look at the templating option?

This may be easier for all of us to discuss on a call 🙂 let me know if you think so and I'll find us a slot

@jfaurskov (Contributor) left a comment

Other than the comments previously made as well as the single comment on collisions I have no further input. Sterling work @krowlandson!

@matt-FFFFFF (Member) left a comment

Great work

@krowlandson temporarily deployed to csu-rw September 6, 2022 08:02 Inactive
@jtracey93 merged commit 3476914 into main Sep 6, 2022
@jtracey93 deleted the policy-refactor branch September 6, 2022 15:51
@jtracey93 mentioned this pull request Sep 6, 2022