Skip to content

Commit

Permalink
Release 0.3.2 (#8)
Browse files Browse the repository at this point in the history
* Release 0.3.2

* Release 0.3.2

* Release 0.3.2

---------

Co-authored-by: Microsoft Open Source <[email protected]>
  • Loading branch information
VeronicaSea and microsoftopensource authored Nov 2, 2023
1 parent 212ce7f commit bfdd870
Show file tree
Hide file tree
Showing 55 changed files with 140 additions and 201 deletions.
2 changes: 1 addition & 1 deletion docs/02-Architecture.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ The assigned policies in each of the landing zones are designed to support the b

The SLZ Preview deploys under the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) in Azure, so it can support brownfield deployments, greenfield deployments, and multiple SLZ Preview deployments within the same tenant based on customer need. The SLZ Preview can also be deployed to an arbitrary [child management group](scenarios/Piloting-SLZ.md), which is better suited for conducting a proof-of-concept.

![SLZ Preview Architecture Diagram](images/sovereign-scale-architecture.png)
![SLZ Initial Architecture Diagram](images/slz-initial-architecture.png)

## Next Step

Expand Down
4 changes: 2 additions & 2 deletions docs/04-Repository-Setup.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,15 @@ For contributing and best practice for receiving updates, follow the steps outli
git clone https://github.com/Azure/sovereign-landing-zone
```
#### Fork Repository
![Fork Repository screenshot](images/forkgithubrepo.png)
![Fork Repository screenshot](images/fork-github-repo.png)

The version of the SLZ Preview being used can be determined from the [git tag](https://git-scm.com/docs/git-tag) or the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the clone or fork was made from.

### Option 2

If you do not plan on contributing or do not intend to receive updates, you can simply download a copy of the [repository](https://github.com/Azure/sovereign-landing-zone) to your local machine, and unzip.

![Screenshot of .zip download](images/downloadzipofrepo.png)
![Screenshot of .zip download](images/download-github-repo.png)

The version of the SLZ Preview being used can be determined from the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the zip file was downloaded from. The version number will be in the file name of the zip file.

Expand Down
26 changes: 13 additions & 13 deletions docs/10-Compliance-Dashboard.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,20 +15,20 @@ The compliance dashboard is customizable and [can be extended](scenarios/Extendi
| 1 | Overall resources compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with all policies applied within the SLZ Preview. This calculation is also inclusive of the policies and initiatives assigned by the customer. |
| 2 | Overall data residency compliance score | Indicates the number of resources in the SLZ Preview top-level management group that are compliant with data residency policies applied within the SLZ Preview. |
| 3 | Overall confidential compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with encryption policies meant to keep data confidential and encrypted from Microsoft as the cloud operator. Note that resources of a valid SKU do not contribute to the total resource count by design: [Update in Policy Compliance for Resource Type Policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/) |
| 4 | Resources by compliance state | Number of resources that are in each compliance state as evaluated by Azure Policy. |
| 4 | Resource compliance by state | Number of resources that are in each compliance state as evaluated by Azure Policy. |
| 5 | Resource compliance percentage by subscription | Resource compliance percentage for each subscription that has applicable resources under it. This count also includes compliance reports for resource group and subscription compliance. |
| 6 | Resource compliance percentage per policy initiative | Resource compliance percentage for each policy initiative that has applicable resources under it. Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance. |
| 7 | Resource compliance percentage per policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. |
| 8 | Non-Compliant and Exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
| 9 | Non-Compliant resources by location | Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy. |
| 10| Resource exemptions | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
| 11 | Resources outside of safe regions | All non-compliant resources and their location with enough detail to act. The tile will show resources that are in locations which are exempted under the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy and there’s an exemption created for those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
| 12 | Resource compliance score for encryption at rest policy group | Percentage of resources that are compliant with the encryption at rest policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
| 13 | Resource compliance score for encryption in transit policy group | Percentage of resources that are compliant with the data transit encryption policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
| 14 | Resource compliance score for confidential computing policy group | Percentage of resources that are compliant with the confidential computing policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
| 15 | Confidential resource exemptions | Shows the resources that have been made exempt from confidential policies with enough detail to act. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. Resources within the Confidential Corp and Confidential Online Management Groups are *NOT* expected to be exempt from the Allowed locations listed here as this tile shows the exemptions of the SlzConfidentialPolicies initiative. |

![DashboardMarkup](images/github_compliance-dashboard.png)
| 6 | Resource compliance percentage by policy initiative | Resource compliance percentage for each policy initiative that has applicable resources under it. Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance. |
| 7 | Resource compliance percentage by policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. |
| 8 | Non-Compliant and exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
| 9 | Non-compliant resources by location | Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy. |
| 10| Resource exempt from data residency policies | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
| 11 | Resources outside of approved regions | All non-compliant resources and their location with enough detail to act. The tile will show resources that are in locations which are exempted under the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy and there’s an exemption created for those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
| 12 | Resource compliance score for encryption at rest policies | Percentage of resources that are compliant with the encryption at rest policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
| 13 | Resource compliance score for encryption in transit policies | Percentage of resources that are compliant with the data transit encryption policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
| 14 | Resource compliance score for confidential computing policies | Percentage of resources that are compliant with the confidential computing policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
| 15 | Resource exempt from confidential computing policies | Shows the resources that have been made exempt from confidential policies with enough detail to act. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. Resources within the Confidential Corp and Confidential Online Management Groups are *NOT* expected to be exempt from the Allowed locations listed here as this tile shows the exemptions of the SlzConfidentialPolicies initiative. |

![DashboardMarkup](images/compliance-dashboard.png)

## Next step

Expand Down
6 changes: 3 additions & 3 deletions docs/12-FAQ.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,11 @@ Elevating permissions is no longer required, but it may be useful for organizati

If elevating permissions is the preferred route for your organization, you may get an error such as:

![AccessError](images/deployerror-vscode.png)
![AccessError](images/elevate-permissions-error.png)

Navigate to the Azure Active Directory Properties screen and ensure `Access management for Azure resources` is set to `Yes`.

![AzurePermissions](images/access-permissions.png)
![AzurePermissions](images/access-management-permissions.png)

### Why am I still getting an error about permissions even after my permissions have been elevated?

Expand Down Expand Up @@ -172,7 +172,7 @@ While it's recommended to wait for Azure to automatically clean up the deploymen
}
}
#fetch resourcegroups under the subscriptions and for each resource groups get the deployments name and delete the corresponding deployment from deployment history
#fetch resource groups under the subscriptions and for each resource groups get the deployments name and delete the corresponding deployment from deployment history
$subscriptions | ForEach-Object {
Set-AzContext -SubscriptionName $_.DisplayName
Get-AzResourceGroup | ForEach-Object {
Expand Down
4 changes: 2 additions & 2 deletions docs/13-Troubleshooting.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,13 @@ When a user creates or updates the SLZ Preview, they will execute the `/orchestr

Any time the user should be informed of a specific log, that log will start with `>>>` including when a deployment step is beginning or ending. When an error occurs, the current deployment step will be the last deployment step printed in the logs. The screenshot below shows an example for the bootstrap deployment step.

![SLZ Preview Deployment Step in Logs](images/ViewDeploymentStep.png)
![SLZ Preview Deployment Step in Logs](images/determine-deployment-steps.png)

## Determining Error from the Error Message

When an error occurs, the error message will most often be presented in a human readable format in red text, with the relevant details being contained within the `Status Message` field as seen below or in a generic `Message` field.

![SLZ Preview Erro in Logs](images/ViewErrorFromLog.png)
![SLZ Preview Error in Logs](images/determine-error-message.png)

## Bootstrap Errors

Expand Down
Binary file removed docs/images/LightHouseTenantID.png
Binary file not shown.
Binary file removed docs/images/LighthouseSubscriptionID.png
Binary file not shown.
Binary file removed docs/images/Upgrade-ComplianceDetails.png
Binary file not shown.
Binary file removed docs/images/Upgrade-ManagementGroup.png
Binary file not shown.
Binary file removed docs/images/Upgrade-ManagementGroupDetail.png
Binary file not shown.
Binary file removed docs/images/Upgrade-PolicyAssignmentDelete.png
Binary file not shown.
Binary file removed docs/images/Upgrade-PolicyAssignmentFilter.png
Binary file not shown.
Binary file removed docs/images/Upgrade-PolicyAssignmentScope.png
Binary file not shown.
Binary file removed docs/images/Upgrade-PolicyAssignmentsBlade.png
Binary file not shown.
Binary file removed docs/images/Upgrade-PolicyDefinitionFilter.png
Binary file not shown.
Binary file not shown.
Binary file removed docs/images/Upgrade-PolicyDefinitionList.png
Binary file not shown.
Binary file removed docs/images/ViewDeploymentStep.png
Binary file not shown.
Binary file removed docs/images/ViewErrorFromLog.png
Binary file not shown.
Binary file removed docs/images/access-permissions.png
Binary file not shown.
Binary file added docs/images/compliance-dashboard.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/images/custom-policies-folder.png
Binary file not shown.
Binary file removed docs/images/deployerror-vscode.png
Binary file not shown.
Binary file added docs/images/determine-deployment-steps.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/images/determine-error-message.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/images/download-github-repo.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/images/downloadzipofrepo.png
Binary file not shown.
Binary file added docs/images/elevate-permissions-error.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/images/empty-custom-policies.png
Binary file not shown.
Binary file added docs/images/fork-github-repo.png
Binary file removed docs/images/forkgithubrepo.png
Diff not rendered.
Binary file removed docs/images/github_compliance-dashboard.png
Diff not rendered.
Binary file removed docs/images/parBillingAccountID.png
Diff not rendered.
Binary file removed docs/images/parEnrollmentID.png
Diff not rendered.
Binary file added docs/images/slz-initial-architecture.png
Binary file added docs/images/slz-sample-deployment.png
Binary file removed docs/images/sovereign-scale-architecture.png
Diff not rendered.
3 changes: 1 addition & 2 deletions docs/scenarios/Custom-Policies.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Once the SLZ Preview is deployed, the management group structure, subscriptions,
The SLZ Preview allows for custom policy initiatives to be deployed within the standard management group scopes for each deployment through the following:

1. Navigate to the custom policy definitions located in `/custom/policies/definitions` in your version of the GitHub repository.
2. Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy ![Custom Policy Folder](../images/custom-policies-folder.png)
2. Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy:
* `slzConfidentialCustom.json` -> Confidential Corp and Confidential Online Management Groups
* `slzConnectivityCustom.json` -> Connectivity Management Group
* `slzCorpCustom.json` -> Corp and Confidential Corp Management Groups
Expand All @@ -21,7 +21,6 @@ The SLZ Preview allows for custom policy initiatives to be deployed within the s
* `slzSandboxCustom.json` -> Sandbox Management Group
3. Select the file for management group scope that you want custom policies to apply to and if you want to apply custom policies to all application workloads then select `slzLandingZoneCustom.json`
4. If custom policies have not been added yet, then the custom policy file will look like the screenshot below. Do NOT edit the `policyType`, `id`, `type`, or `name` fields. You will update the `parameters`, `policyDefinitions`, and `policyDefinitionGroups` as described by the [initiative definition structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure)
![Empty Policy File](../images/empty-custom-policies.png)
5. Grouping policies together on the [SLZ Preview dashboard](./Extending-Compliance-Dashboard.md) is accomplished by adding `dashboard-` to the beginning of the policy definition group name, but any name can be used. The documentation for the [policy set definition group structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure#policy-definition-groups) describes the group structure further. A valid policy definition group can be found below:
```
{
Expand Down
17 changes: 17 additions & 0 deletions docs/scenarios/Pipeline-Deployments.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,3 +57,20 @@ These deployment steps also have additional required parameters as the SLZ Previ
|Dashboard|N/A|
|Policy Exemptions|N/A|
|Policy Remediations|N/A|

## Pipeline Templates

There may be some issues invoking the SLZ deployment scripts from a BASH task. Instead, it is recommended to use the `AzurePowerShell@5` task to invoke the scripts such as through the following example:

```
- task: AzurePowerShell@5
inputs:
azureSubscription: ${{ parameters.SERVICE_CONNECTION }}
azurePowerShellVersion: LatestVersion
ScriptType: inlineScript
Inline: |
cd orchestration\scripts\
./New-SovereignLandingZone.ps1 -parAttendedLogin 0 -parDeployment all
```

Where the `SERVICE_CONNECTION` parameter is the previously setup service connection to be used during [pipeline execution](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection).
1 change: 1 addition & 0 deletions docs/scenarios/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,4 @@ The following are common scenarios found during initial deployment or through op
7. [Customizing the compliance dashboard](./Extending-Compliance-Dashboard.md)
8. [Deploying application or platform landing zones](./Landing-Zone-Vending.md)
9. [Adding additional landing zone management groups](./Expanding-SLZ-ManagementGroups.md)
10. [Removing ALZ Policies](./Removing-Policy-Assignments.md)
22 changes: 16 additions & 6 deletions docs/scenarios/Removing-Policy-Assignments.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,25 @@ Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azur

Update the SLZ Preview parameter file and set `parDeployAlzDefaultPolicies` to `false`. This will prevent the SLZ Preview from deploying the ALZ Policies in the future.

Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment.
Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment, and then select the **Policy** blade. This will ensure you have the appropriate scope selected

![alz-delete-initiative-assignments](../images/alz-update-initiative-with-builtin-04.png)
![alz-initiative-assignments-overview](../images/removing-policy-assignments-01-policy-overview-blade.png)

- For each assignment, click the ellipsis and select Delete Assignment.
- Once all initiative assignments are deleted, go to the Definitions pane, search for the initiative definition. Once found click the ellipsis and choose Delete Policy Definition.
Navigate to the **Assignments** blade, then for each policy listed below perform the following:

![alz-custom-initiative-def-search](../images/alz-update-initiative-with-builtin-01.png)
- For implementation details refer to the [ALZ Assignment Deletion](https://github.com/Azure/ALZ-Bicep/blob/da0af7a5a1f21825b497017f52264df2d29aa0a6/docs/wiki/PolicyDeepDive.md) docs, and for design consideration refer to the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) doc.
1) Search for the assignment name

![alz-find-initiative-assignments](../images/removing-policy-assignments-02-search-filter.png)

2) Select the ellipsis for the assignment

![alz-select-initiative-assignments](../images/removing-policy-assignments-03-select-ellipsis.png)

3) Delete the assignment

![alz-delete-initiative-assignments](../images/removing-policy-assignments-04-select-delete-assignment.png)

For further details refer to the [ALZ Assignment Deletion](https://github.com/Azure/ALZ-Bicep/blob/da0af7a5a1f21825b497017f52264df2d29aa0a6/docs/wiki/PolicyDeepDive.md) docs, and for design consideration refer to the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) doc.

## ALZ Policy Assignments

Expand Down
Loading

0 comments on commit bfdd870

Please sign in to comment.