From 4bf559d30822f98d9eaff70890234afe6129138f Mon Sep 17 00:00:00 2001 From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Wed, 8 Jan 2025 13:08:15 +0000 Subject: [PATCH] feat: add table for role assignments (#19) * feat: add table for role assignments --- .vscode/settings.json | 3 +++ docs/content/terraform/gettingStarted.md | 24 ++++++++++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..da3aa3f --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "cSpell.words": [] +} diff --git a/docs/content/terraform/gettingStarted.md b/docs/content/terraform/gettingStarted.md index 5d1c762..8a2976b 100644 --- a/docs/content/terraform/gettingStarted.md +++ b/docs/content/terraform/gettingStarted.md @@ -125,7 +125,7 @@ We recommend leaving these policy assignments enabled unless you have a specific We recommend that you review the following policy assignments before deploying the module. If you do not use certain features or use have an alternative product, then you can disable the policy assignments. -To do this, please use the [`policy_assienments_to_modify`]({{< relref "howtos/modifyingPolicyAssignments" >}}) variable to disable the policy assignments: +To do this, please use the [`policy_assignments_to_modify`]({{< relref "howtos/modifyingPolicyAssignments" >}}) variable to disable the policy assignments: e.g. 
@@ -193,4 +193,24 @@ If you spot an instance odf this, please raise a [GitHub issue](https://github.c In this case we must make manual role assignments, and we have listed these below: -> TODO: Add a list of policies that require manual role assignments +| Policy Assignment Name | Assignment Scope | Role Definition Names | Scope | +|---------------------------|------------------|---------------------------------------------------------------------------------------------------------|---------------------------------------------| +| Deploy-AzSqlDb-Auditing* | Landing Zones | Log Analytics Contributor, SQL Security Manager | Log Analytics Workspace | +| Deploy-MDFC-DefSQL-AMA* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform | +| Deploy-MDFC-DefSQL-AMA* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | +| Deploy-Private-DNS-Zones | Corp | Network Contributor | Resource Group containing Private DNS Zones | +| Deploy-VM-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor | Landing Zones | +| Deploy-VM-Monitoring* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform | +| Deploy-VM-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | +| Deploy-vmArc-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor | Landing Zones | +| Deploy-vmHybr-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Connected Machine Resource Administrator | Landing Zones | +| Deploy-VMSS-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | +| Deploy-VMSS-Monitoring* | Landing 
Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform | +| Deploy-VMSS-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | + +### Obtaining the Principal Ids + +The ALZ module will output the principal ids required for the role assignments in the form of a map. +The output name is caled `policy_assignment_identity_ids`. + +The map key is in the form of: `mg_id/policy_assignment_name`, and the value is the object id of the identity.
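Review bot: The `.vscode/settings.json` hunk commits an editor-specific file whose only content is an empty `"cSpell.words": []`, which does nothing for readers and ties the repository to one editor; either leave it out of the commit (and ignore `.vscode/` in `.gitignore` if it is personal configuration) or populate the list with the project terms the spell checker would flag, such as `AzSqlDb`, `MDFC` and `vmArc` from the new table, so that the file actually serves a purpose.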
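Review bot: The `@@ -125,7 +125,7 @@` hunk correctly fixes the variable name to `policy_assignments_to_modify` so that the link text matches the real variable, but the unchanged context line just above it still reads "If you do not use certain features or use have an alternative product"; since this commit already touches the paragraph, drop the stray "use" here rather than leaving the typo for a separate fix.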
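Review bot: In the `@@ -193,4 +193,24 @@` hunk the two scope columns are ambiguous: "Assignment Scope" and "Scope" both read as management-group scopes, yet the last column holds the target of the manual role assignment (for example `Log Analytics Workspace` and `Resource Group containing Private DNS Zones`), so rename it "Role Assignment Scope" and add a line explaining that the trailing `*` in names such as `Deploy-MDFC-DefSQL-AMA*` is a prefix covering several assignments. Because the roles listed (VM Contributor, Managed Identity Contributor, Network Contributor) grant write access over everything under the scope they are assigned at, the text should also state that each assignment is to be created at the narrowest scope shown in that column and not at the tenant root. Finally, fix the typo in the added line "The output name is caled `policy_assignment_identity_ids`." ("called") and show one concrete key in the `mg_id/policy_assignment_name` format so readers can match output entries to the rows above; the hunk header context "If you spot an instance odf this" also carries a typo ("of") that could be fixed while this section is being edited.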