Documentation
Overview
Package alzlib provides the data structures needed to deploy Azure Landing Zones. It contains the custom Azure policies and policy sets needed to deploy the reference architecture. It also gets the referenced built-in definitions from the Azure Policy service.
Internally the Azure SDK is used to store the resources in memory. It is up to the caller to transform this data into the required format for deployment.
Index
- Constants
- type AlzLib
- func (az *AlzLib) AddManagementGroupToDeployment(ctx context.Context, req AlzManagementGroupAddRequest) error
- func (az *AlzLib) AddPolicyClient(client *armpolicy.ClientFactory)
- func (az *AlzLib) CopyArchetype(name string, wkpv *WellKnownPolicyValues) (*Archetype, error)
- func (az *AlzLib) GetDefinitionsFromAzure(ctx context.Context, pds []string) error
- func (az *AlzLib) Init(ctx context.Context, libs ...fs.FS) error
- func (az *AlzLib) ListArchetypes() []string
- func (az *AlzLib) PolicyAssignmentExists(name string) bool
- func (az *AlzLib) PolicyDefinitionExists(name string) bool
- func (az *AlzLib) PolicySetDefinitionExists(name string) bool
- func (az *AlzLib) RoleDefinitionExists(name string) bool
- type AlzLibOptions
- type AlzManagementGroup
- func (alzmg *AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments(az *AlzLib) error
- func (alzmg *AlzManagementGroup) GetChildren() []*AlzManagementGroup
- func (alzmg *AlzManagementGroup) GetParentId() string
- func (alzmg *AlzManagementGroup) GetParentMg() *AlzManagementGroup
- func (alzmg *AlzManagementGroup) GetPolicyAssignmentMap() map[string]armpolicy.Assignment
- func (alzmg *AlzManagementGroup) GetPolicyDefinitionsMap() map[string]armpolicy.Definition
- func (alzmg *AlzManagementGroup) GetPolicyRoleAssignments() []PolicyRoleAssignment
- func (alzmg *AlzManagementGroup) GetPolicySetDefinitionsMap() map[string]armpolicy.SetDefinition
- func (alzmg *AlzManagementGroup) GetResourceId() string
- func (alzmg *AlzManagementGroup) GetRoleDefinitionsMap() map[string]armauthorization.RoleDefinition
- func (alzmg *AlzManagementGroup) ModifyPolicyAssignment(name string, parameters map[string]*armpolicy.ParameterValuesValue, ...) error
- func (alzmg *AlzManagementGroup) ParentIsExternal() bool
- func (alzmg *AlzManagementGroup) ResourceId() string
- type AlzManagementGroupAddRequest
- type Archetype
- type DeploymentType
- type PolicyAssignmentsParameterValues
- type PolicyRoleAssignment
- type PolicyRoleAssignmentSource
- type WellKnownPolicyValues
Examples
Constants
const (
	// PolicyRoleAssignmentSource.
	AssignmentScope = PolicyRoleAssignmentSource(iota)
	DefinitionParameterMetadata
	SetDefinitionParameterMetadata
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AlzLib
type AlzLib struct {
	Options    *AlzLibOptions
	Deployment *DeploymentType // Deployment is the deployment object that stores the management group hierarchy
	// contains filtered or unexported fields
}
AlzLib is the structure that gets built from the library files. Do not create this directly; use NewAlzLib instead. Note: this is not thread safe, and should not be used concurrently without an external mutex.
func NewAlzLib
func NewAlzLib() *AlzLib
NewAlzLib returns a new instance of the alzlib library, optionally using the supplied directory for additional policy (set) definitions.
func (*AlzLib) AddManagementGroupToDeployment
func (az *AlzLib) AddManagementGroupToDeployment(ctx context.Context, req AlzManagementGroupAddRequest) error
AddManagementGroupToDeployment adds a management group to the deployment, with a parent if specified. If the parent is not specified, the management group is considered the root of the hierarchy. The archetype should have been obtained using the `AlzLib.CopyArchetype` method, together with the `WellKnownPolicyValues`. This allows for customization and ensures the correct policy assignment values have been set.
func (*AlzLib) AddPolicyClient
func (az *AlzLib) AddPolicyClient(client *armpolicy.ClientFactory)
AddPolicyClient adds an authenticated *armpolicy.ClientFactory to the AlzLib struct. This is needed to get policy objects from Azure.
func (*AlzLib) CopyArchetype
func (az *AlzLib) CopyArchetype(name string, wkpv *WellKnownPolicyValues) (*Archetype, error)
CopyArchetype returns a copy of the requested archetype by name. The returned struct can be used as a parameter to the Deployment.AddManagementGroup method.
func (*AlzLib) GetDefinitionsFromAzure
func (az *AlzLib) GetDefinitionsFromAzure(ctx context.Context, pds []string) error
GetDefinitionsFromAzure takes a slice of strings containing Azure resource IDs of policy definitions and policy set definitions. It then fetches them from Azure if needed and adds them to the AlzLib struct. For set definitions we need to get all of them, even if they already exist in AlzLib, because they can contain built-in definitions.
func (*AlzLib) Init
func (az *AlzLib) Init(ctx context.Context, libs ...fs.FS) error
Init processes ALZ libraries, supplied as fs.FS interfaces. These are typically the embed.FS global var `Lib`, or an `os.DirFS`. It populates the struct with the results of the processing.
Example
ExampleAlzLib_E2E demonstrates the creation of a new AlzLib based on a sample directory.
package main

import (
	"fmt"
	"os"

	"github.com/Azure/alzlib"
	"github.com/Azure/alzlib/to"
	"golang.org/x/net/context"
)

func main() {
	az := alzlib.NewAlzLib()
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	// Load the sample library from disk and process it into the AlzLib struct.
	dirfs := os.DirFS("./testdata/simple")
	if err := az.Init(ctx, dirfs); err != nil {
		fmt.Println(err)
		return
	}

	// Well-known values that are substituted into the policy assignment parameters.
	wkpv := &alzlib.WellKnownPolicyValues{
		DefaultLocation:                to.Ptr("eastus"),
		DefaultLogAnalyticsWorkspaceId: to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/test"),
		PrivateDnsZoneResourceGroupId:  to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test"),
	}

	// Copy the archetype so the well-known values are applied to this deployment only.
	arch, err := az.CopyArchetype("root", wkpv)
	if err != nil {
		fmt.Println(err)
		return
	}

	// The parent is external, i.e. an existing management group (here the tenant root) that alzlib does not manage.
	req := alzlib.AlzManagementGroupAddRequest{
		Id:               "test",
		DisplayName:      "test",
		ParentId:         "00000000-0000-0000-0000-000000000000",
		ParentIsExternal: true,
		Archetype:        arch,
	}
	if err := az.AddManagementGroupToDeployment(ctx, req); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("Management groups: %v", az.Deployment.ListManagementGroups())
}
Output: Management groups: [test]
func (*AlzLib) ListArchetypes
func (az *AlzLib) ListArchetypes() []string
ListArchetypes returns a list of the archetypes in the AlzLib struct.
func (*AlzLib) PolicyAssignmentExists
func (az *AlzLib) PolicyAssignmentExists(name string) bool
PolicyAssignmentExists returns true if the policy assignment exists in the AlzLib struct.
func (*AlzLib) PolicyDefinitionExists
func (az *AlzLib) PolicyDefinitionExists(name string) bool
PolicyDefinitionExists returns true if the policy definition exists in the AlzLib struct.
func (*AlzLib) PolicySetDefinitionExists
func (az *AlzLib) PolicySetDefinitionExists(name string) bool
PolicySetDefinitionExists returns true if the policy set definition exists in the AlzLib struct.
func (*AlzLib) RoleDefinitionExists
func (az *AlzLib) RoleDefinitionExists(name string) bool
RoleDefinitionExists returns true if the role definition exists in the AlzLib struct.
type AlzLibOptions
type AlzLibOptions struct {
	AllowOverwrite bool // AllowOverwrite allows overwriting of existing policy assignments when processing additional libraries with AlzLib.Init()
	Parallelism    int  // Parallelism is the number of parallel requests to make to Azure APIs
}
AlzLibOptions are options for the AlzLib. This is created by NewAlzLib.
type AlzManagementGroup
type AlzManagementGroup struct {
// contains filtered or unexported fields
}
AlzManagementGroup represents an Azure Management Group within a hierarchy, with links to parent and children. Note: this is not thread safe, and should not be used concurrently without an external mutex.
func (*AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments
func (alzmg *AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments(az *AlzLib) error
GeneratePolicyAssignmentAdditionalRoleAssignments generates the additional role assignment data needed for the policy assignments. It should be run once the policy assignments map has been fully populated for a given AlzManagementGroup. It will iterate through all policy assignments and generate the additional role assignments for each one, storing them in the AdditionalRoleAssignmentsByPolicyAssignment map.
func (*AlzManagementGroup) GetChildren
func (alzmg *AlzManagementGroup) GetChildren() []*AlzManagementGroup
GetChildren returns the children of the management group.
func (*AlzManagementGroup) GetParentId
func (alzmg *AlzManagementGroup) GetParentId() string
GetParentId returns the ID of the parent management group. If the parent is external, the external parent ID is preferred. If neither is set, an empty string is returned (though this should never happen).
func (*AlzManagementGroup) GetParentMg
func (alzmg *AlzManagementGroup) GetParentMg() *AlzManagementGroup
GetParentMg returns the parent *AlzManagementGroup. If the parent is external, the result will be nil.
func (*AlzManagementGroup) GetPolicyAssignmentMap
func (alzmg *AlzManagementGroup) GetPolicyAssignmentMap() map[string]armpolicy.Assignment
GetPolicyAssignmentMap returns a copy of the policy assignments map.
func (*AlzManagementGroup) GetPolicyDefinitionsMap
func (alzmg *AlzManagementGroup) GetPolicyDefinitionsMap() map[string]armpolicy.Definition
GetPolicyDefinitionsMap returns a copy of the policy definitions map.
func (*AlzManagementGroup) GetPolicyRoleAssignments added in v0.7.1
func (alzmg *AlzManagementGroup) GetPolicyRoleAssignments() []PolicyRoleAssignment
GetPolicyRoleAssignments returns a copy of the additional role assignments slice.
func (*AlzManagementGroup) GetPolicySetDefinitionsMap
func (alzmg *AlzManagementGroup) GetPolicySetDefinitionsMap() map[string]armpolicy.SetDefinition
GetPolicySetDefinitionsMap returns a copy of the policy set definitions map.
func (*AlzManagementGroup) GetResourceId
func (alzmg *AlzManagementGroup) GetResourceId() string
GetResourceId returns the resource ID for the management group.
func (*AlzManagementGroup) GetRoleDefinitionsMap
func (alzmg *AlzManagementGroup) GetRoleDefinitionsMap() map[string]armauthorization.RoleDefinition
GetRoleDefinitionsMap returns a copy of the role definitions map.
func (*AlzManagementGroup) ModifyPolicyAssignment added in v0.13.0
func (alzmg *AlzManagementGroup) ModifyPolicyAssignment(
	name string,
	parameters map[string]*armpolicy.ParameterValuesValue,
	enforcementMode *armpolicy.EnforcementMode,
	nonComplianceMessages []*armpolicy.NonComplianceMessage,
	identity *armpolicy.Identity,
	resourceSelectors []*armpolicy.ResourceSelector,
	overrides []*armpolicy.Override,
) error
ModifyPolicyAssignment modifies an existing policy assignment in the management group. It will deep merge the supplied assignments with the existing assignments.
func (*AlzManagementGroup) ParentIsExternal
func (alzmg *AlzManagementGroup) ParentIsExternal() bool
ParentIsExternal returns a bool value depending on whether the parent MG is external or not.
func (*AlzManagementGroup) ResourceId
func (alzmg *AlzManagementGroup) ResourceId() string
ResourceId returns the resource ID of the management group.
type AlzManagementGroupAddRequest added in v0.4.0
type Archetype
type Archetype struct {
	PolicyDefinitions    mapset.Set[string]
	PolicyAssignments    mapset.Set[string]
	PolicySetDefinitions mapset.Set[string]
	RoleDefinitions      mapset.Set[string]
	// contains filtered or unexported fields
}
Archetype represents an archetype definition that hasn't been assigned to a management group. The contents of the sets represent the map keys of the corresponding AlzLib maps.
type DeploymentType
type DeploymentType struct {
	// contains filtered or unexported fields
}
DeploymentType represents a deployment of Azure management groups. Note: this is not thread safe, and should not be used concurrently without an external mutex.
func (*DeploymentType) GetManagementGroup added in v0.2.0
func (d *DeploymentType) GetManagementGroup(name string) *AlzManagementGroup
GetManagementGroup returns the management group with the given name.
func (*DeploymentType) ListManagementGroups added in v0.2.0
func (d *DeploymentType) ListManagementGroups() []string
ListManagementGroups returns the management group names as a slice of string.
type PolicyAssignmentsParameterValues
type PolicyAssignmentsParameterValues map[string]map[string]*armpolicy.ParameterValuesValue
PolicyAssignmentsParameterValues represents a data structure for replacing policy parameters. The first map key is the assignment name, the second is the parameter name, and the value is the parameter values value (an ARM SDK type).
func (PolicyAssignmentsParameterValues) Merge
func (papv PolicyAssignmentsParameterValues) Merge(other PolicyAssignmentsParameterValues) PolicyAssignmentsParameterValues
Merge merges the other PolicyAssignmentsParameterValues into this one.
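The nested assignment-name/parameter-name structure and the merge precedence described above, as an added Go example that is not part of the alzlib package: the ParameterValue type stands in for armpolicy.ParameterValuesValue so the code runs offline, the Merge semantics (values from the argument overwrite existing ones) and the assignment and parameter names are assumptions, and Lookup and ResolveParameters are helpers written for this example.

```go
package main

import "fmt"

// ParameterValue stands in for armpolicy.ParameterValuesValue (a struct whose
// single field is Value any); defined locally so the example runs offline.
type ParameterValue struct{ Value any }

// PolicyAssignmentsParameterValues mirrors the alzlib type: assignment name,
// then parameter name, then the parameter value.
type PolicyAssignmentsParameterValues map[string]map[string]*ParameterValue

// Merge copies every assignment/parameter pair from other into papv; on a
// collision the value from other wins. Assumed semantics for this example.
func (papv PolicyAssignmentsParameterValues) Merge(other PolicyAssignmentsParameterValues) PolicyAssignmentsParameterValues {
	for assignment, params := range other {
		if papv[assignment] == nil {
			papv[assignment] = make(map[string]*ParameterValue, len(params))
		}
		for name, v := range params {
			papv[assignment][name] = v
		}
	}
	return papv
}

// Lookup returns one parameter as a string; ok is false when the assignment
// or parameter is absent, or the value is nil or not a string.
func (papv PolicyAssignmentsParameterValues) Lookup(assignment, param string) (string, bool) {
	v, ok := papv[assignment][param] // indexing a nil inner map is safe in Go
	if !ok || v == nil {
		return "", false
	}
	s, ok := v.Value.(string)
	return s, ok
}

// ResolveParameters applies defaults (e.g. derived from WellKnownPolicyValues)
// first and explicit overrides last, so caller-supplied values always win.
func ResolveParameters(defaults, overrides PolicyAssignmentsParameterValues) PolicyAssignmentsParameterValues {
	return make(PolicyAssignmentsParameterValues).Merge(defaults).Merge(overrides)
}

func main() {
	// Constructed assignment/parameter names; the real ones live in the library files.
	defaults := PolicyAssignmentsParameterValues{"Deploy-Private-Dns-Zones": {"dnsZoneResourceGroupId": {Value: "rg-default"}}}
	overrides := PolicyAssignmentsParameterValues{"Deploy-Private-Dns-Zones": {"dnsZoneResourceGroupId": {Value: "rg-prod"}}}
	rg, ok := ResolveParameters(defaults, overrides).Lookup("Deploy-Private-Dns-Zones", "dnsZoneResourceGroupId")
	fmt.Println(rg, ok) // rg-prod true: the override replaced the default
}
```

Merging into a fresh map leaves the defaults untouched, which matters when the same defaults are reused for several management groups.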
type PolicyRoleAssignment added in v0.7.0
PolicyRoleAssignment represents the role assignments that need to be created for a management group. Since we could be using system assigned identities, we don't know the principal ID until after the deployment. Therefore this data can be used to create the role assignments after the deployment.
type PolicyRoleAssignmentSource added in v0.7.0
type PolicyRoleAssignmentSource uint8
func (PolicyRoleAssignmentSource) String added in v0.7.0
func (p PolicyRoleAssignmentSource) String() string
String implements the Stringer interface for PolicyRoleAssignmentSource.
type WellKnownPolicyValues
type WellKnownPolicyValues struct {
	DefaultLocation                *string
	DefaultLogAnalyticsWorkspaceId *string
	PrivateDnsZoneResourceGroupId  *string // PrivateDnsZoneResourceGroupId is used in the Deploy-Private-Dns-Zones policy assignment
}
WellKnownPolicyValues represents options for a deployment. These are values that are typically replaced in the deployed resources, e.g. location, log analytics workspace ID, etc.