alzlib

package module
v0.7.0
Published: Jul 27, 2023 License: MIT Imports: 15 Imported by: 0

README

alzlib - a go module for reading Azure Landing Zones Terraform module lib definitions

This module provides a go library for reading Azure Landing Zones Terraform module lib definitions.

It uses the Azure SDK for Go to provide the data types required.

Usage

See the Example test funcs in alzlib_test.go for usage examples.

Documentation

Overview

Package alzlib provides the data structures needed to deploy Azure Landing Zones. It contains the custom Azure policies and policy sets needed to deploy the reference architecture. It also gets the referenced built-in definitions from the Azure Policy service.

Internally the Azure SDK is used to store the resources in memory. It is up to the caller to transform this data into the required format for deployment.

Constants

This section is empty.

Variables

var Lib embed.FS

Embed the Lib dir into the binary.

Functions

This section is empty.

Types

type AlzLib

type AlzLib struct {
	Options    *AlzLibOptions
	Deployment *DeploymentType // Deployment is the deployment object that stores the management group hierarchy
	// contains filtered or unexported fields
}

AlzLib is the structure that gets built from the library files. Do not create this directly; use NewAlzLib instead.

func NewAlzLib

func NewAlzLib() *AlzLib

NewAlzLib returns a new instance of the alzlib library, optionally using the supplied directory for additional policy (set) definitions.

func (*AlzLib) AddManagementGroupToDeployment added in v0.6.0

func (az *AlzLib) AddManagementGroupToDeployment(name, displayName, parent string, parentIsExternal bool, arch *Archetype) error

AddManagementGroupToDeployment adds a management group to the deployment, with a parent if specified. If the parent is not specified, the management group is considered the root of the hierarchy. You should pass the source Archetype through the .WithWellKnownPolicyParameters() method to ensure that the values in the wellKnownPolicyValues are honored.

func (*AlzLib) AddPolicyClient added in v0.4.0

func (az *AlzLib) AddPolicyClient(client *armpolicy.ClientFactory)

AddPolicyClient adds an authenticated *armpolicy.ClientFactory to the AlzLib struct. This is needed to get policy objects from Azure.

func (*AlzLib) CopyArchetype added in v0.6.0

func (az *AlzLib) CopyArchetype(name string, wkpv *WellKnownPolicyValues) (*Archetype, error)

CopyArchetype returns a copy of the requested archetype by name. The returned struct can be used as a parameter to the Deployment.AddManagementGroup method.

func (*AlzLib) GetBuiltInPolicies added in v0.4.0

func (az *AlzLib) GetBuiltInPolicies(ctx context.Context, names []string) error

GetBuiltInPolicies retrieves the built-in policy definitions with the given names and adds them to the AlzLib struct.

func (*AlzLib) GetBuiltInPolicySets added in v0.4.0

func (az *AlzLib) GetBuiltInPolicySets(ctx context.Context, names []string) error

GetBuiltInPolicySets retrieves the built-in policy set definitions with the given names and adds them to the AlzLib struct.

func (*AlzLib) GetDefinitionsFromAzure added in v0.6.0

func (az *AlzLib) GetDefinitionsFromAzure(ctx context.Context, pds []string) error

GetDefinitionsFromAzure takes a slice of strings containing Azure resource IDs of policy definitions and policy set definitions. It then fetches them from Azure if needed and adds them to the AlzLib struct. For set definitions we need to get all of them, even if they already exist in AlzLib, because they can contain built-in definitions.

func (*AlzLib) Init added in v0.4.0

func (az *AlzLib) Init(ctx context.Context, libs ...fs.FS) error

Init processes ALZ libraries, supplied as fs.FS interfaces. These are typically the embed.FS global var `Lib`, or an `os.DirFS`. It populates the struct with the results of the processing.

Example

ExampleAlzLib_Init demonstrates the creation of a new AlzLib based on a sample directory.

az := NewAlzLib()
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
// Any fs.FS works here; os.DirFS wraps a directory holding the library definitions.
dirfs := os.DirFS("./testdata/simple")
err := az.Init(ctx, dirfs)
if err != nil {
	fmt.Println(err)
}
// az.archetypes is unexported; this example lives inside the alzlib package.
fmt.Printf("Archetype count: %d\n", len(az.archetypes))
Output:

Archetype count: 2

func (*AlzLib) ListArchetypes added in v0.6.0

func (az *AlzLib) ListArchetypes() []string

ListArchetypes returns a list of the archetypes in the AlzLib struct.

func (*AlzLib) PolicyAssignmentExists added in v0.6.0

func (az *AlzLib) PolicyAssignmentExists(name string) bool

PolicyAssignmentExists returns true if the policy assignment exists in the AlzLib struct.

func (*AlzLib) PolicyDefinitionExists added in v0.6.0

func (az *AlzLib) PolicyDefinitionExists(name string) bool

PolicyDefinitionExists returns true if the policy definition exists in the AlzLib struct.

func (*AlzLib) PolicySetDefinitionExists added in v0.6.0

func (az *AlzLib) PolicySetDefinitionExists(name string) bool

PolicySetDefinitionExists returns true if the policy set definition exists in the AlzLib struct.

func (*AlzLib) RoleDefinitionExists added in v0.6.0

func (az *AlzLib) RoleDefinitionExists(name string) bool

RoleDefinitionExists returns true if the role definition exists in the AlzLib struct.

type AlzLibOptions added in v0.4.0

type AlzLibOptions struct {
	AllowOverwrite bool // AllowOverwrite allows overwriting of existing policy assignments when processing additional libraries with AlzLib.Init()
	Parallelism    int  // Parallelism is the number of parallel requests to make to Azure APIs
}

AlzLibOptions are options for the AlzLib. This is created by NewAlzLib.

type AlzManagementGroup added in v0.4.0

type AlzManagementGroup struct {
	Name                                        string
	DisplayName                                 string
	PolicyDefinitions                           map[string]*armpolicy.Definition
	PolicySetDefinitions                        map[string]*armpolicy.SetDefinition
	PolicyAssignments                           map[string]*armpolicy.Assignment
	RoleDefinitions                             map[string]*armauthorization.RoleDefinition
	RoleAssignments                             map[string]*armauthorization.RoleAssignment
	AdditionalRoleAssignmentsByPolicyAssignment map[string]*PolicyAssignmentAdditionalRoleAssignments
	// contains filtered or unexported fields
}

AlzManagementGroup represents an Azure Management Group within a hierarchy, with links to parent and children.

func (*AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments added in v0.4.0

func (alzmg *AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments(az *AlzLib) error

GeneratePolicyAssignmentAdditionalRoleAssignments generates the additional role assignment data needed for the policy assignments. It should be run once the policy assignments map has been fully populated for a given AlzManagementGroup. It will iterate through all policy assignments and generate the additional role assignments for each one, storing them in the AdditionalRoleAssignmentsByPolicyAssignment map.

func (*AlzManagementGroup) GetChildren added in v0.4.0

func (alzmg *AlzManagementGroup) GetChildren() []*AlzManagementGroup

GetChildren returns the children of the management group.

func (*AlzManagementGroup) GetParentId added in v0.5.0

func (alzmg *AlzManagementGroup) GetParentId() string

GetParentId returns the ID of the parent management group. If the parent is external, the external ID is preferred. If neither is set, an empty string is returned (though this should never happen).

func (*AlzManagementGroup) GetParentMg added in v0.5.0

func (alzmg *AlzManagementGroup) GetParentMg() *AlzManagementGroup

GetParentMg returns the parent *AlzManagementGroup. If the parent is external, the result will be nil.

func (*AlzManagementGroup) GetResourceId added in v0.4.0

func (alzmg *AlzManagementGroup) GetResourceId() string

func (*AlzManagementGroup) ParentIsExternal added in v0.5.0

func (alzmg *AlzManagementGroup) ParentIsExternal() bool

ParentIsExternal returns a bool value depending on whether the parent MG is external or not.

func (*AlzManagementGroup) ResourceId added in v0.4.0

func (alzmg *AlzManagementGroup) ResourceId() string

ResourceId returns the resource ID of the management group.

func (*AlzManagementGroup) Update added in v0.7.0

func (alzmg *AlzManagementGroup) Update(az *AlzLib, wkpv *WellKnownPolicyValues) error

Update will update the AlzManagementGroup resources with the correct resource ids, references, etc.

type Archetype added in v0.4.0

type Archetype struct {
	PolicyDefinitions    sets.Set[string]
	PolicyAssignments    sets.Set[string]
	PolicySetDefinitions sets.Set[string]
	RoleDefinitions      sets.Set[string]
	// contains filtered or unexported fields
}

Archetype represents an archetype definition that hasn't been assigned to a management group. The contents of the sets represent the map keys of the corresponding AlzLib maps.

type DeploymentType added in v0.4.0

type DeploymentType struct {
	MGs map[string]*AlzManagementGroup
	// contains filtered or unexported fields
}

DeploymentType represents a deployment of Azure management groups.

type PolicyAssignmentAdditionalRoleAssignments added in v0.4.0

type PolicyAssignmentAdditionalRoleAssignments struct {
	RoleDefinitionIds sets.Set[string]
	AdditionalScopes  sets.Set[string]
}

PolicyAssignmentAdditionalRoleAssignments represents the additional role assignments that need to be created for a management group. Since we could be using system assigned identities, we don't know the principal ID until after the deployment. Therefore this data can be used to create the role assignments after the deployment.

type PolicyDefinitionRule added in v0.4.0

type PolicyDefinitionRule struct {
	Then *PolicyDefinitionRuleThen `json:"then"`
}

PolicyDefinitionRule represents the rule section of a policy definition. This is used to determine the role assignments that need to be created, therefore we only care about the `then` field.

type PolicyDefinitionRuleThen added in v0.4.0

type PolicyDefinitionRuleThen struct {
	Details *PolicyDefinitionRuleThenDetails `json:"details"`
}

PolicyDefinitionRuleThen represents the `then` section of a policy definition rule. This is used to determine the role assignments that need to be created. We only care about the `details` field.

type PolicyDefinitionRuleThenDetails added in v0.4.0

type PolicyDefinitionRuleThenDetails struct {
	RoleDefinitionIds []string `json:"roleDefinitionIds"`
}

PolicyDefinitionRuleThenDetails represents the `details` section of a policy definition rule `then` section. This is used to determine the role assignments that need to be created. We only care about the `roleDefinitionIds` field.

type WellKnownPolicyValues added in v0.4.0

type WellKnownPolicyValues struct {
	DefaultLocation                string
	DefaultLogAnalyticsWorkspaceId string
}

WellKnownPolicyValues represents options for a deployment. These are values that are typically replaced in the deployed resources, e.g. location, log analytics workspace ID, etc.

Directories

Path Synopsis
package processor is used to process the library files.
package sets is used to provide set like functionality for the library.
Package to contains various type-conversion helper functions.
