feat: add table for role assignments (#19)
* feat: add table for role assignments
matt-FFFFFF authored Jan 8, 2025
1 parent ad5c92f commit 4bf559d
Showing 2 changed files with 25 additions and 2 deletions.
3 changes: 3 additions & 0 deletions .vscode/settings.json
@@ -0,0 +1,3 @@
{
"cSpell.words": []
}
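Review bot: `.vscode/settings.json` lands with an empty `cSpell.words` array, so the spell-checker configuration this hunk adds does nothing yet. Either seed it with the project-specific terms the same commit introduces in the docs (the policy assignment names in the new table, e.g. `Deploy-MDFC-DefSQL-AMA`, `vmArc`, `vmHybr`) so cSpell stops flagging them, or leave the editor-specific file out of the repository until it carries content.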
24 changes: 22 additions & 2 deletions docs/content/terraform/gettingStarted.md
@@ -125,7 +125,7 @@ We recommend leaving these policy assignments enabled unless you have a specific
We recommend that you review the following policy assignments before deploying the module.
If you do not use certain features or use have an alternative product, then you can disable the policy assignments.

To do this, please use the [`policy_assienments_to_modify`]({{< relref "howtos/modifyingPolicyAssignments" >}}) variable to disable the policy assignments:
To do this, please use the [`policy_assignments_to_modify`]({{< relref "howtos/modifyingPolicyAssignments" >}}) variable to disable the policy assignments:

e.g.
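Review bot: the rename from `policy_assienments_to_modify` to `policy_assignments_to_modify` is the right fix, but the unchanged context line two above the changed pair still reads "or use have an alternative product", which has a stray `use`. Since this hunk is already a docs typo pass, fix it here as well: `If you do not use certain features or have an alternative product, then you can disable the policy assignments.`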

@@ -193,4 +193,24 @@ If you spot an instance odf this, please raise a [GitHub issue](https://github.c

In this case we must make manual role assignments, and we have listed these below:

> TODO: Add a list of policies that require manual role assignments
| Policy Assignment Name | Assignment Scope | Role Definition Names | Scope |
|---------------------------|------------------|---------------------------------------------------------------------------------------------------------|---------------------------------------------|
| Deploy-AzSqlDb-Auditing* | Landing Zones | Log Analytics Contributor, SQL Security Manager | Log Analytics Workspace |
| Deploy-MDFC-DefSQL-AMA* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform |
| Deploy-MDFC-DefSQL-AMA* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones |
| Deploy-Private-DNS-Zones | Corp | Network Contributor | Resource Group containing Private DNS Zones |
| Deploy-VM-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor | Landing Zones |
| Deploy-VM-Monitoring* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform |
| Deploy-VM-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones |
| Deploy-vmArc-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor | Landing Zones |
| Deploy-vmHybr-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Connected Machine Resource Administrator | Landing Zones |
| Deploy-VMSS-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones |
| Deploy-VMSS-Monitoring* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform |
| Deploy-VMSS-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones |

### Obtaining the Principal Ids

The ALZ module will output the principal ids required for the role assignments in the form of a map.
The output name is caled `policy_assignment_identity_ids`.

The map key is in the form of: `mg_id/policy_assignment_name`, and the value is the object id of the identity.
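Review bot: the new table has two scope columns, `Assignment Scope` and `Scope`, and the header gives no hint that the last one is where the role must be granted rather than where the policy is assigned; rename it to `Role Assignment Scope` and add a sentence above the table explaining that the trailing `*` in the Policy Assignment Name column is a wildcard over assignment names sharing that prefix, since nothing in the hunk says so. Several rows also grant the identity of a `Landing Zones` assignment roles such as `VM Contributor` and `Managed Identity Contributor` at the `Platform` scope and vice versa; a reader applying least privilege will want to know why these cross-scope grants are needed before creating them, so a short per-row rationale (or a link to it) would help avoid over-scoping at the management group root. Two typos while here: `caled` in the "Obtaining the Principal Ids" section should be `called`, and the unchanged context in the hunk header still reads `instance odf this`.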

0 comments on commit 4bf559d