Documentation ¶
Overview ¶
Package alzlib provides the data structures needed to deploy Azure Landing Zones. It contains the custom Azure policies and policy sets needed to deploy the reference architecture. It also gets the referenced built-in definitions from the Azure Policy service.
Internally the Azure SDK is used to store the resources in memory. It is up to the caller to transform this data into the required format for deployment.
Index ¶
- Variables
- type AlzLib
- func (az *AlzLib) AddManagementGroupToDeployment(name, displayName, parent string, parentIsExternal bool, arch *Archetype) error
- func (az *AlzLib) AddPolicyClient(client *armpolicy.ClientFactory)
- func (az *AlzLib) CopyArchetype(name string, wkpv *WellKnownPolicyValues) (*Archetype, error)
- func (az *AlzLib) GetBuiltInPolicies(ctx context.Context, names []string) error
- func (az *AlzLib) GetBuiltInPolicySets(ctx context.Context, names []string) error
- func (az *AlzLib) GetDefinitionsFromAzure(ctx context.Context, pds []string) error
- func (az *AlzLib) Init(ctx context.Context, libs ...fs.FS) error
- func (az *AlzLib) ListArchetypes() []string
- func (az *AlzLib) PolicyAssignmentExists(name string) bool
- func (az *AlzLib) PolicyDefinitionExists(name string) bool
- func (az *AlzLib) PolicySetDefinitionExists(name string) bool
- func (az *AlzLib) RoleDefinitionExists(name string) bool
- type AlzLibOptions
- type AlzManagementGroup
- func (alzmg *AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments(az *AlzLib) error
- func (alzmg *AlzManagementGroup) GetChildren() []*AlzManagementGroup
- func (alzmg *AlzManagementGroup) GetParentId() string
- func (alzmg *AlzManagementGroup) GetParentMg() *AlzManagementGroup
- func (alzmg *AlzManagementGroup) GetResourceId() string
- func (alzmg *AlzManagementGroup) ParentIsExternal() bool
- func (alzmg *AlzManagementGroup) ResourceId() string
- func (alzmg *AlzManagementGroup) Update(az *AlzLib, wkpv *WellKnownPolicyValues) error
- type Archetype
- type DeploymentType
- type PolicyAssignmentAdditionalRoleAssignments
- type PolicyDefinitionRule
- type PolicyDefinitionRuleThen
- type PolicyDefinitionRuleThenDetails
- type WellKnownPolicyValues
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var Lib embed.FS
Embed the Lib dir into the binary.
Functions ¶
This section is empty.
Types ¶
type AlzLib ¶
type AlzLib struct {
	Options    *AlzLibOptions
	Deployment *DeploymentType // Deployment is the deployment object that stores the management group hierarchy
	// contains filtered or unexported fields
}
AlzLib is the structure that gets built from the library files. Do not create this directly; use NewAlzLib instead.
func NewAlzLib ¶
func NewAlzLib() *AlzLib
NewAlzLib returns a new instance of the alzlib library, optionally using the supplied directory for additional policy (set) definitions.
func (*AlzLib) AddManagementGroupToDeployment ¶ added in v0.6.0
func (az *AlzLib) AddManagementGroupToDeployment(name, displayName, parent string, parentIsExternal bool, arch *Archetype) error
AddManagementGroupToDeployment adds a management group to the deployment, with a parent if specified. If the parent is not specified, the management group is considered the root of the hierarchy. You should pass the source Archetype through the .WithWellKnownPolicyParameters() method to ensure that the values in the wellKnownPolicyValues are honored.
func (*AlzLib) AddPolicyClient ¶ added in v0.4.0
func (az *AlzLib) AddPolicyClient(client *armpolicy.ClientFactory)
AddPolicyClient adds an authenticated *armpolicy.ClientFactory to the AlzLib struct. This is needed to get policy objects from Azure.
func (*AlzLib) CopyArchetype ¶ added in v0.6.0
func (az *AlzLib) CopyArchetype(name string, wkpv *WellKnownPolicyValues) (*Archetype, error)
CopyArchetype returns a copy of the requested archetype by name. The returned struct can be used as a parameter to the Deployment.AddManagementGroup method.
func (*AlzLib) GetBuiltInPolicies ¶ added in v0.4.0
func (az *AlzLib) GetBuiltInPolicies(ctx context.Context, names []string) error
GetBuiltInPolicies retrieves the built-in policy definitions with the given names and adds them to the AlzLib struct.
func (*AlzLib) GetBuiltInPolicySets ¶ added in v0.4.0
func (az *AlzLib) GetBuiltInPolicySets(ctx context.Context, names []string) error
GetBuiltInPolicySets retrieves the built-in policy set definitions with the given names and adds them to the AlzLib struct.
func (*AlzLib) GetDefinitionsFromAzure ¶ added in v0.6.0
func (az *AlzLib) GetDefinitionsFromAzure(ctx context.Context, pds []string) error
GetDefinitionsFromAzure takes a slice of strings containing Azure resource IDs of policy definitions and policy set definitions. It then fetches them from Azure if needed and adds them to the AlzLib struct. For set definitions we need to fetch all of them, even if they already exist in AlzLib, because they can contain built-in definitions.
func (*AlzLib) Init ¶ added in v0.4.0
func (az *AlzLib) Init(ctx context.Context, libs ...fs.FS) error
Init processes ALZ libraries, supplied as fs.FS interfaces. These are typically the embed.FS global var `Lib`, or an `os.DirFS`. It populates the struct with the results of the processing.
Example ¶
ExampleAlzLib_Init demonstrates the creation of a new AlzLib based on a sample directory.
az := NewAlzLib()
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
dirfs := os.DirFS("./testdata/simple")
err := az.Init(ctx, dirfs)
if err != nil {
	fmt.Println(err)
}
fmt.Printf("Archetype count: %d\n", len(az.archetypes))
Output:
Archetype count: 2
func (*AlzLib) ListArchetypes ¶ added in v0.6.0
func (az *AlzLib) ListArchetypes() []string
ListArchetypes returns a list of the archetypes in the AlzLib struct.
func (*AlzLib) PolicyAssignmentExists ¶ added in v0.6.0
func (az *AlzLib) PolicyAssignmentExists(name string) bool
PolicyAssignmentExists returns true if the policy assignment exists in the AlzLib struct.
func (*AlzLib) PolicyDefinitionExists ¶ added in v0.6.0
func (az *AlzLib) PolicyDefinitionExists(name string) bool
PolicyDefinitionExists returns true if the policy definition exists in the AlzLib struct.
func (*AlzLib) PolicySetDefinitionExists ¶ added in v0.6.0
func (az *AlzLib) PolicySetDefinitionExists(name string) bool
PolicySetDefinitionExists returns true if the policy set definition exists in the AlzLib struct.
func (*AlzLib) RoleDefinitionExists ¶ added in v0.6.0
func (az *AlzLib) RoleDefinitionExists(name string) bool
RoleDefinitionExists returns true if the role definition exists in the AlzLib struct.
type AlzLibOptions ¶ added in v0.4.0
type AlzLibOptions struct {
	AllowOverwrite bool // AllowOverwrite allows overwriting of existing policy assignments when processing additional libraries with AlzLib.Init()
	Parallelism    int  // Parallelism is the number of parallel requests to make to Azure APIs
}
AlzLibOptions are options for the AlzLib. This is created by NewAlzLib.
type AlzManagementGroup ¶ added in v0.4.0
type AlzManagementGroup struct {
	Name                                        string
	DisplayName                                 string
	PolicyDefinitions                           map[string]*armpolicy.Definition
	PolicySetDefinitions                        map[string]*armpolicy.SetDefinition
	PolicyAssignments                           map[string]*armpolicy.Assignment
	RoleDefinitions                             map[string]*armauthorization.RoleDefinition
	RoleAssignments                             map[string]*armauthorization.RoleAssignment
	AdditionalRoleAssignmentsByPolicyAssignment map[string]*PolicyAssignmentAdditionalRoleAssignments
	// contains filtered or unexported fields
}
AlzManagementGroup represents an Azure Management Group within a hierarchy, with links to parent and children.
func (*AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments ¶ added in v0.4.0
func (alzmg *AlzManagementGroup) GeneratePolicyAssignmentAdditionalRoleAssignments(az *AlzLib) error
GeneratePolicyAssignmentAdditionalRoleAssignments generates the additional role assignment data needed for the policy assignments. It should be run once the policy assignments map has been fully populated for a given AlzManagementGroup. It will iterate through all policy assignments and generate the additional role assignments for each one, storing them in the AdditionalRoleAssignmentsByPolicyAssignment map.
func (*AlzManagementGroup) GetChildren ¶ added in v0.4.0
func (alzmg *AlzManagementGroup) GetChildren() []*AlzManagementGroup
GetChildren returns the children of the management group.
func (*AlzManagementGroup) GetParentId ¶ added in v0.5.0
func (alzmg *AlzManagementGroup) GetParentId() string
GetParentId returns the ID of the parent management group. If the parent is external, that ID is preferred. If neither is set, an empty string is returned (though this should never happen).
func (*AlzManagementGroup) GetParentMg ¶ added in v0.5.0
func (alzmg *AlzManagementGroup) GetParentMg() *AlzManagementGroup
GetParentMg returns parent *AlzManagementGroup. If the parent is external, the result will be nil.
func (*AlzManagementGroup) GetResourceId ¶ added in v0.4.0
func (alzmg *AlzManagementGroup) GetResourceId() string
func (*AlzManagementGroup) ParentIsExternal ¶ added in v0.5.0
func (alzmg *AlzManagementGroup) ParentIsExternal() bool
ParentIsExternal returns a bool value depending on whether the parent MG is external or not.
func (*AlzManagementGroup) ResourceId ¶ added in v0.4.0
func (alzmg *AlzManagementGroup) ResourceId() string
ResourceId returns the resource ID of the management group.
func (*AlzManagementGroup) Update ¶ added in v0.7.0
func (alzmg *AlzManagementGroup) Update(az *AlzLib, wkpv *WellKnownPolicyValues) error
Update will update the AlzManagementGroup resources with the correct resource ids, references, etc.
type Archetype ¶ added in v0.4.0
type Archetype struct {
	PolicyDefinitions    sets.Set[string]
	PolicyAssignments    sets.Set[string]
	PolicySetDefinitions sets.Set[string]
	RoleDefinitions      sets.Set[string]
	// contains filtered or unexported fields
}
Archetype represents an archetype definition that hasn't been assigned to a management group. The contents of the sets are the map keys of the corresponding AlzLib maps.
type DeploymentType ¶ added in v0.4.0
type DeploymentType struct {
	MGs map[string]*AlzManagementGroup
	// contains filtered or unexported fields
}
DeploymentType represents a deployment of Azure management groups.
type PolicyAssignmentAdditionalRoleAssignments ¶ added in v0.4.0
type PolicyAssignmentAdditionalRoleAssignments struct {
	RoleDefinitionIds sets.Set[string]
	AdditionalScopes  sets.Set[string]
}
PolicyAssignmentAdditionalRoleAssignments represents the additional role assignments that need to be created for a management group. Since we could be using system assigned identities, we don't know the principal ID until after the deployment. Therefore this data can be used to create the role assignments after the deployment.
type PolicyDefinitionRule ¶ added in v0.4.0
type PolicyDefinitionRule struct {
Then *PolicyDefinitionRuleThen `json:"then"`
}
PolicyDefinitionRule represents the rule section of a policy definition. This is used to determine the role assignments that need to be created, therefore we only care about the `then` field.
type PolicyDefinitionRuleThen ¶ added in v0.4.0
type PolicyDefinitionRuleThen struct {
Details *PolicyDefinitionRuleThenDetails `json:"details"`
}
PolicyDefinitionRuleThen represents the `then` section of a policy definition rule. This is used to determine the role assignments that need to be created. We only care about the `details` field.
type PolicyDefinitionRuleThenDetails ¶ added in v0.4.0
type PolicyDefinitionRuleThenDetails struct {
RoleDefinitionIds []string `json:"roleDefinitionIds"`
}
PolicyDefinitionRuleThenDetails represents the `details` section of a policy definition rule `then` section. This is used to determine the role assignments that need to be created. We only care about the `roleDefinitionIds` field.
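To show how these three rule types serve PolicyAssignmentAdditionalRoleAssignments, here is an added example (not alzlib's own code) that parses a policy rule with the same minimal model and returns the de-duplicated role definition IDs the assignment's managed identity must hold, so that exactly the declared roles, and nothing broader, get assigned after deployment. The rule JSON and the role definition GUIDs are constructed placeholders; the audit rule shows the case where no `details` block exists and no role assignment is needed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal rule model, as in alzlib: only then.details.roleDefinitionIds matters here.
type PolicyDefinitionRule struct {
	Then *PolicyDefinitionRuleThen `json:"then"`
}
type PolicyDefinitionRuleThen struct {
	Details *PolicyDefinitionRuleThenDetails `json:"details"`
}
type PolicyDefinitionRuleThenDetails struct {
	RoleDefinitionIds []string `json:"roleDefinitionIds"`
}

// RoleDefinitionIdsFromRule parses a policyRule document and returns its roleDefinitionIds,
// de-duplicated and sorted. Audit/Deny rules have no details block and yield an empty slice:
// such an assignment needs no managed identity and no role assignments at all.
func RoleDefinitionIdsFromRule(policyRule []byte) ([]string, error) {
	var rule PolicyDefinitionRule
	if err := json.Unmarshal(policyRule, &rule); err != nil {
		return nil, fmt.Errorf("parsing policy rule: %w", err)
	}
	if rule.Then == nil || rule.Then.Details == nil {
		return []string{}, nil
	}
	seen := make(map[string]struct{})
	for _, id := range rule.Then.Details.RoleDefinitionIds {
		seen[id] = struct{}{} // a definition may list the same role twice; assign it once
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids, nil
}

// Constructed sample rules (not taken from any real definition); the role GUIDs are placeholders.
const SampleDineRule = `{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"DeployIfNotExists","details":{"type":"Microsoft.Insights/diagnosticSettings","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000002","/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000001","/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000002"]}}}`
const SampleAuditRule = `{"if":{"field":"location","notIn":["uksouth"]},"then":{"effect":"audit"}}`

func main() {
	ids, err := RoleDefinitionIdsFromRule([]byte(SampleDineRule))
	fmt.Println(ids, err)
}
```

For a policy set definition the same extraction is run over every member definition and the results are unioned, which is why GetDefinitionsFromAzure always fetches set definitions in full.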
type WellKnownPolicyValues ¶ added in v0.4.0
WellKnownPolicyValues represents options for a deployment. These are values that are typically replaced in the deployed resources, e.g. location, log analytics workspace ID, etc.
Source Files ¶
Directories ¶
Path | Synopsis
---|---
processor | package processor is used to process the library files.
sets | package sets is used to provide set like functionality for the library.
to | Package to contains various type-conversion helper functions.