alzlib

package module v0.13.2
Published: Mar 11, 2024 License: MIT Imports: 16 Imported by: 0

README

alzlib - a go module for reading Azure Landing Zones Terraform module lib definitions

This module provides a go library for reading Azure Landing Zones Terraform module lib definitions.

It uses the Azure SDK for Go for the data types it needs.

Usage

See the Example test funcs in alzlib_test.go for usage examples.

Documentation

Overview

Package alzlib provides the data structures needed to deploy Azure Landing Zones. It contains the custom Azure policies and policy sets needed to deploy the reference architecture. It also gets the referenced built-in definitions from the Azure Policy service.

Internally the Azure SDK is used to store the resources in memory. It is up to the caller to transform this data into the required format for deployment.

Constants

const (
	// PolicyRoleAssignmentSource.
	AssignmentScope = PolicyRoleAssignmentSource(iota)
	DefinitionParameterMetadata
	SetDefinitionParameterMetadata
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AlzLib

type AlzLib struct {
	Options    *AlzLibOptions
	Deployment *DeploymentType // Deployment is the deployment object that stores the management group hierarchy
	// contains filtered or unexported fields
}

AlzLib is the structure that gets built from the library files. Do not create this directly; use NewAlzLib instead. Note: this is not thread safe, and should not be used concurrently without an external mutex.

func NewAlzLib

func NewAlzLib() *AlzLib

NewAlzLib returns a new instance of the alzlib library, optionally using the supplied directory for additional policy (set) definitions.

func (*AlzLib) AddManagementGroupToDeployment

func (az *AlzLib) AddManagementGroupToDeployment(ctx context.Context, req AlzManagementGroupAddRequest) error

AddManagementGroupToDeployment adds a management group to the deployment, with a parent if specified. If the parent is not specified, the management group is considered the root of the hierarchy. The archetype should have been obtained using the `AlzLib.CopyArchetype` method, together with the `WellKnownPolicyValues`. This allows for customization and ensures the correct policy assignment values have been set.

func (*AlzLib) AddPolicyClient

func (az *AlzLib) AddPolicyClient(client *armpolicy.ClientFactory)

AddPolicyClient adds an authenticated *armpolicy.ClientFactory to the AlzLib struct. This is needed to get policy objects from Azure.

func (*AlzLib) CopyArchetype

func (az *AlzLib) CopyArchetype(name string, wkpv *WellKnownPolicyValues) (*Archetype, error)

CopyArchetype returns a copy of the requested archetype by name. The returned struct can be used as a parameter to the Deployment.AddManagementGroup method.

func (*AlzLib) GetDefinitionsFromAzure

func (az *AlzLib) GetDefinitionsFromAzure(ctx context.Context, pds []string) error

GetDefinitionsFromAzure takes a slice of strings containing Azure resource IDs of policy definitions and policy set definitions. It then fetches them from Azure if needed and adds them to the AlzLib struct. For set definitions we need to get all of them, even if they already exist in AlzLib, because they can contain built-in definitions.

func (*AlzLib) Init

func (az *AlzLib) Init(ctx context.Context, libs ...fs.FS) error

Init processes ALZ libraries, supplied as fs.FS interfaces. These are typically the embed.FS global var `Lib`, or an `os.DirFS`. It populates the struct with the results of the processing.

Example

ExampleAlzLib_E2E demonstrates the creation of a new AlzLib based on a sample directory.

package main

import (
	"fmt"
	"os"

	"github.com/Azure/alzlib"
	"github.com/Azure/alzlib/to"
	"golang.org/x/net/context"
)

func main() {
	az := alzlib.NewAlzLib()
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	dirfs := os.DirFS("./testdata/simple")
	if err := az.Init(ctx, dirfs); err != nil {
		fmt.Println(err)
		return
	}

	wkpv := &alzlib.WellKnownPolicyValues{
		DefaultLocation:                to.Ptr("eastus"),
		DefaultLogAnalyticsWorkspaceId: to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/test"),
		PrivateDnsZoneResourceGroupId:  to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test"),
	}
	arch, err := az.CopyArchetype("root", wkpv)
	if err != nil {
		fmt.Println(err)
		return
	}
	req := alzlib.AlzManagementGroupAddRequest{
		Id:               "test",
		DisplayName:      "test",
		ParentId:         "00000000-0000-0000-0000-000000000000",
		ParentIsExternal: true,
		Archetype:        arch,
	}
	if err := az.AddManagementGroupToDeployment(ctx, req); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("Management groups: %v", az.Deployment.ListManagementGroups())

}
Output:

Management groups: [test]

func (*AlzLib) ListArchetypes

func (az *AlzLib) ListArchetypes() []string

ListArchetypes returns a list of the archetypes in the AlzLib struct.

func (*AlzLib) PolicyAssignmentExists

func (az *AlzLib) PolicyAssignmentExists(name string) bool

PolicyAssignmentExists returns true if the policy assignment exists in the AlzLib struct.

func (*AlzLib) PolicyDefinitionExists

func (az *AlzLib) PolicyDefinitionExists(name string) bool

PolicyDefinitionExists returns true if the policy definition exists in the AlzLib struct.

func (*AlzLib) PolicySetDefinitionExists

func (az *AlzLib) PolicySetDefinitionExists(name string) bool

PolicySetDefinitionExists returns true if the policy set definition exists in the AlzLib struct.

func (*AlzLib) RoleDefinitionExists

func (az *AlzLib) RoleDefinitionExists(name string) bool

RoleDefinitionExists returns true if the role definition exists in the AlzLib struct.

type AlzLibOptions

type AlzLibOptions struct {
	AllowOverwrite bool // AllowOverwrite allows overwriting of existing policy assignments when processing additional libraries with AlzLib.Init()
	Parallelism    int  // Parallelism is the number of parallel requests to make to Azure APIs
}

AlzLibOptions are options for the AlzLib. This is created by NewAlzLib.

type AlzManagementGroup

type AlzManagementGroup struct {
	// contains filtered or unexported fields
}

AlzManagementGroup represents an Azure Management Group within a hierarchy, with links to parent and children. Note: this is not thread safe, and should not be used concurrently without an external mutex.

func (*AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments

func (alzmg *AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments(az *AlzLib) error

GeneratePolicyAssignmentAdditionalRoleAssignments generates the additional role assignment data needed for the policy assignments. It should be run once the policy assignments map has been fully populated for a given AlzManagementGroup. It will iterate through all policy assignments and generate the additional role assignments for each one, storing them in the AdditionalRoleAssignmentsByPolicyAssignment map.

func (*AlzManagementGroup) GetChildren

func (alzmg *AlzManagementGroup) GetChildren() []*AlzManagementGroup

GetChildren returns the children of the management group.

func (*AlzManagementGroup) GetParentId

func (alzmg *AlzManagementGroup) GetParentId() string

GetParentId returns the ID of the parent management group. If the parent is external, that ID is preferred. If neither is set, an empty string is returned (though this should never happen).

func (*AlzManagementGroup) GetParentMg

func (alzmg *AlzManagementGroup) GetParentMg() *AlzManagementGroup

GetParentMg returns the parent *AlzManagementGroup. If the parent is external, the result will be nil.

func (*AlzManagementGroup) GetPolicyAssignmentMap

func (alzmg *AlzManagementGroup) GetPolicyAssignmentMap() map[string]armpolicy.Assignment

GetPolicyAssignmentMap returns a copy of the policy assignments map.

func (*AlzManagementGroup) GetPolicyDefinitionsMap

func (alzmg *AlzManagementGroup) GetPolicyDefinitionsMap() map[string]armpolicy.Definition

GetPolicyDefinitionsMap returns a copy of the policy definitions map.

func (*AlzManagementGroup) GetPolicyRoleAssignments added in v0.7.1

func (alzmg *AlzManagementGroup) GetPolicyRoleAssignments() []PolicyRoleAssignment

GetPolicyRoleAssignments returns a copy of the additional role assignments slice.

func (*AlzManagementGroup) GetPolicySetDefinitionsMap

func (alzmg *AlzManagementGroup) GetPolicySetDefinitionsMap() map[string]armpolicy.SetDefinition

GetPolicySetDefinitionsMap returns a copy of the policy set definitions map.

func (*AlzManagementGroup) GetResourceId

func (alzmg *AlzManagementGroup) GetResourceId() string

GetResourceId returns the resource ID for the management group.

func (*AlzManagementGroup) GetRoleDefinitionsMap

func (alzmg *AlzManagementGroup) GetRoleDefinitionsMap() map[string]armauthorization.RoleDefinition

GetRoleDefinitionsMap returns a copy of the role definitions map.

func (*AlzManagementGroup) ModifyPolicyAssignment added in v0.13.0

func (alzmg *AlzManagementGroup) ModifyPolicyAssignment(
	name string,
	parameters map[string]*armpolicy.ParameterValuesValue,
	enforcementMode *armpolicy.EnforcementMode,
	nonComplianceMessages []*armpolicy.NonComplianceMessage,
	identity *armpolicy.Identity,
	resourceSelectors []*armpolicy.ResourceSelector,
	overrides []*armpolicy.Override,
) error

ModifyPolicyAssignment modifies an existing policy assignment in the management group. It will deep merge the supplied assignments with the existing assignments.

func (*AlzManagementGroup) ParentIsExternal

func (alzmg *AlzManagementGroup) ParentIsExternal() bool

ParentIsExternal returns a bool value depending on whether the parent MG is external or not.

func (*AlzManagementGroup) ResourceId

func (alzmg *AlzManagementGroup) ResourceId() string

ResourceId returns the resource ID of the management group.

type AlzManagementGroupAddRequest added in v0.4.0

type AlzManagementGroupAddRequest struct {
	Id               string
	DisplayName      string
	ParentId         string
	ParentIsExternal bool
	Archetype        *Archetype
}

type Archetype

type Archetype struct {
	PolicyDefinitions    mapset.Set[string]
	PolicyAssignments    mapset.Set[string]
	PolicySetDefinitions mapset.Set[string]
	RoleDefinitions      mapset.Set[string]
	// contains filtered or unexported fields
}

Archetype represents an archetype definition that hasn't been assigned to a management group. The contents of the sets represent the map keys of the corresponding AlzLib maps.

type DeploymentType

type DeploymentType struct {
	// contains filtered or unexported fields
}

DeploymentType represents a deployment of Azure management groups. Note: this is not thread safe, and should not be used concurrently without an external mutex.

func (*DeploymentType) GetManagementGroup added in v0.2.0

func (d *DeploymentType) GetManagementGroup(name string) *AlzManagementGroup

GetManagementGroup returns the management group with the given name.

func (*DeploymentType) ListManagementGroups added in v0.2.0

func (d *DeploymentType) ListManagementGroups() []string

ListManagementGroups returns the management group names as a slice of strings.

type PolicyAssignmentsParameterValues

type PolicyAssignmentsParameterValues map[string]map[string]*armpolicy.ParameterValuesValue

PolicyAssignmentsParameterValues represents a data structure for replacing policy parameters. The first map key is the assignment name, the second is the parameter name, and the value is the parameter values value (an ARM SDK type).

func (PolicyAssignmentsParameterValues) Merge

Merge merges the other PolicyAssignmentsParameterValues into this one.

type PolicyRoleAssignment added in v0.7.0

type PolicyRoleAssignment struct {
	RoleDefinitionId string
	Scope            string
	AssignmentName   string
}

PolicyRoleAssignment represents the role assignments that need to be created for a management group. Since we could be using system assigned identities, we don't know the principal ID until after the deployment. Therefore this data can be used to create the role assignments after the deployment.
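A post-deployment step built on the PolicyRoleAssignment data described above (the data that GeneratePolicyAssignmentAdditionalRoleAssignments produces): once the system-assigned identities exist and their principal IDs are known, resolve each entry into a concrete role assignment, refuse to proceed for an assignment with no identity, drop duplicates, and flag grants scoped outside the owning management group for a least-privilege review. This is an added example, not code from the alzlib module: PolicyRoleAssignment is redeclared locally so it builds without the module, ResolvedRoleAssignment and both functions are hypothetical, and the role, principal and resource IDs are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRoleAssignment is redeclared from this page so the example builds without the alzlib module.
type PolicyRoleAssignment struct{ RoleDefinitionId, Scope, AssignmentName string }
// ResolvedRoleAssignment (hypothetical) is the post-deployment form, once the identity's principal ID is known.
type ResolvedRoleAssignment struct{ PrincipalId, RoleDefinitionId, Scope string }

// ResolvePolicyRoleAssignments joins the pre-deployment data with the principal IDs read back after deployment
// (assignment name -> object ID). It fails closed on an assignment with no known identity and drops duplicate
// (principal, role, scope) triples so no role is granted twice.
func ResolvePolicyRoleAssignments(pras []PolicyRoleAssignment, principals map[string]string) ([]ResolvedRoleAssignment, error) {
	seen := map[string]bool{}
	out := []ResolvedRoleAssignment{}
	for _, p := range pras {
		pid := principals[p.AssignmentName]
		if pid == "" {
			return nil, fmt.Errorf("no principal ID for policy assignment %q", p.AssignmentName)
		}
		key := strings.ToLower(pid + "|" + p.RoleDefinitionId + "|" + p.Scope)
		if !seen[key] {
			seen[key] = true
			out = append(out, ResolvedRoleAssignment{pid, p.RoleDefinitionId, p.Scope})
		}
	}
	return out, nil
}

// ScopesOutsideManagementGroup lists role assignment scopes other than the owning management group
// (e.g. the PrivateDnsZoneResourceGroupId resource group): the grants to review for least privilege.
func ScopesOutsideManagementGroup(ras []ResolvedRoleAssignment, mgResourceId string) []string {
	var res []string
	for _, ra := range ras {
		if !strings.EqualFold(ra.Scope, mgResourceId) {
			res = append(res, ra.Scope)
		}
	}
	return res
}

func main() {
	// Constructed sample: the same role at the management group and at a resource group, plus a duplicate entry.
	mg, rg := "/providers/Microsoft.Management/managementGroups/test", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test"
	role := "/providers/Microsoft.Authorization/roleDefinitions/ROLE-ID-PLACEHOLDER"
	pras := []PolicyRoleAssignment{{role, mg, "Deploy-Private-Dns-Zones"}, {role, rg, "Deploy-Private-Dns-Zones"}, {role, mg, "Deploy-Private-Dns-Zones"}}
	ras, err := ResolvePolicyRoleAssignments(pras, map[string]string{"Deploy-Private-Dns-Zones": "PRINCIPAL-ID-PLACEHOLDER"})
	fmt.Println(len(ras), err, ScopesOutsideManagementGroup(ras, mg))
}
```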

type PolicyRoleAssignmentSource added in v0.7.0

type PolicyRoleAssignmentSource uint8

func (PolicyRoleAssignmentSource) String added in v0.7.0

String implements Stringer interface for PolicyRoleAssignmentSource.

type WellKnownPolicyValues

type WellKnownPolicyValues struct {
	DefaultLocation                *string
	DefaultLogAnalyticsWorkspaceId *string
	PrivateDnsZoneResourceGroupId  *string // PrivateDnsZoneResourceGroupId is used in the Deploy-Private-Dns-Zones policy assignment
}

WellKnownPolicyValues represents options for a deployment. These are values that are typically replaced in the deployed resources, e.g. location, log analytics workspace ID, etc.

Directories

Path Synopsis
processor: package processor is used to process the library files.
to: Package to contains various type-conversion helper functions.
