
Create a Resource Lock Utility to Prevent modification to T3 resources #484

Closed
lisamurphy-msft opened this issue Oct 25, 2021 · 3 comments
Closed
Labels
core New feature or request

Comments

@lisamurphy-msft
Contributor

Benefit/Result/Outcome

As a MissionLZ administrator or system owner, I want the ability to apply resource locks on the T3 resource groups to prevent system integrators from altering the networking or other such resource allocations and incurring un-vetted expenses.

Description

Resource locking is something that can be applied at the resource group level by the account owner to prevent editing, deleting, or adding resources. Having a utility included to guide the system administrator in facilitating resource locks to prevent this potential use case defined in #305 as denoted by @sstjean would be a useful implementation to achieve the desired effect.

As per @sstjean:
"a VNet is created with specific subnets as configured by the deployment/operations team. The Tier 3 subscription can then be "handed over" to the workload owner to deploy necessary resources which will attach to the created subnets. The forced-tunneling routes are configured in the RG created by MLZ and should be controlled by the Ops team and not the Tier 3 workload owner. Giving the workload owner OWNER permissions to the Tier 3 sub now allows the Tier 3 owner the ability to change the forced tunneling or CIDR ranges outside of the operations team's control. By putting a READ lock on the networking resources, the Tier 3 owner can attach new resources to the subnet but cannot change the subnet or routing configuration."

Acceptance Criteria

  • Update the utilities with enhanced guidance with samples to provide resource locks to T3 Resources.
  • Provide documentation on usage and potential configurable options.
@brooke-hamilton
Contributor

Recommend adding a parameter to the T3 example that will set resource locks.

@brooke-hamilton brooke-hamilton added core New feature or request and removed needs triage labels Nov 3, 2021
@glennmusa
Contributor

One could run az deployment group create with a resource group scoped template that locks the resource group like:

// Extension resource with no explicit scope: it applies to the deployment's
// target resource group.
resource createRgLock 'Microsoft.Authorization/locks@2016-09-01' = {
  name: 'rgLock'
  properties: {
    level: 'CanNotDelete' // blocks deletion only; resources can still be modified
    notes: 'Resource group should not be deleted.'
  }
}

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scope-extension-resources#apply-at-deployment-scope
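As an added example (not code from the MissionLZ project or from this thread), a resource-group-scoped Bicep template that applies ReadOnly locks to the Tier 3 networking resources themselves, as the quoted design intends, instead of a CanNotDelete lock on the whole resource group; the VNet and route table names and the applyLocks parameter are assumptions:

```bicep
// Added example, not MissionLZ code. Locks the VNet and the route table that
// carries the forced-tunneling routes, so the workload owner can still deploy
// into the resource group but cannot change subnets, CIDR ranges or routes.
targetScope = 'resourceGroup'

@description('Name of the existing Tier 3 virtual network (assumed name).')
param vnetName string = 't3-vnet'

@description('Name of the existing route table with forced-tunneling routes (assumed name).')
param routeTableName string = 't3-rt'

@description('Set to false to deploy without locks until the environment is fully configured.')
param applyLocks bool = true

// Reference the resources MLZ already deployed; this template does not create them.
resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  name: vnetName
}

resource routeTable 'Microsoft.Network/routeTables@2021-05-01' existing = {
  name: routeTableName
}

// Extension resources scoped to the individual resource, not the resource group.
resource vnetLock 'Microsoft.Authorization/locks@2016-09-01' = if (applyLocks) {
  name: 'vnet-readonly-lock'
  scope: vnet
  properties: {
    level: 'ReadOnly' // blocks updates and deletion; reads still succeed
    notes: 'Subnets and address space are managed by the operations team.'
  }
}

resource routeTableLock 'Microsoft.Authorization/locks@2016-09-01' = if (applyLocks) {
  name: 'rt-readonly-lock'
  scope: routeTable
  properties: {
    level: 'ReadOnly'
    notes: 'Forced-tunneling routes are managed by the operations team.'
  }
}
```

Deploy it with az deployment group create against the Tier 3 resource group, passing applyLocks=false while the customer's final configuration is still being worked out and re-running with the default once it is settled.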

@brooke-hamilton
Contributor

I'm closing this issue for now, but we can re-open if needed.

We do not want to issue resource locks for a resource group until a deployment is fully configured. We can't be sure that our initial configuration will be the final configuration for a particular customer, especially for T3 resources, which will probably have additional resources deployed after or along with the T3 deployment.
