diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..da3aa3f --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "cSpell.words": [] +} diff --git a/docs/content/terraform/gettingStarted.md b/docs/content/terraform/gettingStarted.md index 5d1c762..8a2976b 100644 --- a/docs/content/terraform/gettingStarted.md +++ b/docs/content/terraform/gettingStarted.md @@ -125,7 +125,7 @@ We recommend leaving these policy assignments enabled unless you have a specific We recommend that you review the following policy assignments before deploying the module. If you do not use certain features or use have an alternative product, then you can disable the policy assignments. -To do this, please use the [`policy_assienments_to_modify`]({{< relref "howtos/modifyingPolicyAssignments" >}}) variable to disable the policy assignments: +To do this, please use the [`policy_assignments_to_modify`]({{< relref "howtos/modifyingPolicyAssignments" >}}) variable to disable the policy assignments: e.g. 
@@ -193,4 +193,24 @@ If you spot an instance odf this, please raise a [GitHub issue](https://github.c In this case we must make manual role assignments, and we have listed these below: -> TODO: Add a list of policies that require manual role assignments +| Policy Assignment Name | Assignment Scope | Role Definition Names | Scope | +|---------------------------|------------------|---------------------------------------------------------------------------------------------------------|---------------------------------------------| +| Deploy-AzSqlDb-Auditing* | Landing Zones | Log Analytics Contributor, SQL Security Manager | Log Analytics Workspace | +| Deploy-MDFC-DefSQL-AMA* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform | +| Deploy-MDFC-DefSQL-AMA* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | +| Deploy-Private-DNS-Zones | Corp | Network Contributor | Resource Group containing Private DNS Zones | +| Deploy-VM-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor | Landing Zones | +| Deploy-VM-Monitoring* | Landing Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform | +| Deploy-VM-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | +| Deploy-vmArc-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor | Landing Zones | +| Deploy-vmHybr-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Connected Machine Resource Administrator | Landing Zones | +| Deploy-VMSS-ChangeTrack* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | +| Deploy-VMSS-Monitoring* | Landing 
Zones | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Platform | +| Deploy-VMSS-Monitoring* | Platform | Reader, Log Analytics Contributor, Monitoring Contributor, Managed Identity Contributor, VM Contributor | Landing Zones | + +### Obtaining the Principal Ids + +The ALZ module will output the principal ids required for the role assignments in the form of a map. +The output name is caled `policy_assignment_identity_ids`. + +The map key is in the form of: `mg_id/policy_assignment_name`, and the value is the object id of the identity.
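Review bot: the new `.vscode/settings.json` only adds an empty `"cSpell.words": []` list, which is editor-specific configuration that changes nothing for the project as committed; either seed it with the terms the docs actually use (for example the policy assignment names such as `Deploy-MDFC-DefSQL-AMA` that a spell checker will flag) or keep `.vscode/` out of the repository via `.gitignore` rather than committing an empty placeholder.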
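Review bot: the correction of `policy_assienments_to_modify` to `policy_assignments_to_modify` in the first `gettingStarted.md` hunk is right and the relref target is unchanged; while this paragraph is being touched, the unchanged context line `If you do not use certain features or use have an alternative product` still carries a stray `use` and should read `or have an alternative product`, so it is worth fixing in the same pass.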
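Review bot: the table that replaces the TODO has two columns both described as a scope (`Assignment Scope` and `Scope`), so the header does not make clear that the last column is where the role assignment must be created rather than where the policy is assigned; renaming it `Role Assignment Scope` removes the ambiguity. Several rows also document cross-management-group grants, for example `Deploy-VM-Monitoring*` assigned at `Platform` requiring `VM Contributor` over `Landing Zones` (and the mirrored row in the other direction), which is a broad standing permission for a policy identity; one sentence stating why each role is needed at that scope would let readers review these grants deliberately against least privilege instead of applying the list wholesale. In the new `Obtaining the Principal Ids` section, `caled` should be `called`, and the hunk's context line `an instance odf this` should read `of`.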