diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md index d125829..7dc6899 100644 --- a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md +++ b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md @@ -6,11 +6,11 @@ weight: 2 This section provides detailed instructions for updating your configuration to implement each option. -If you are familiar with Terraform tfvars file structure, you can skip the next section that explains how to update the configuration file and go directly to the [Options](#options) you want to implement. +If you are familiar with Terraform `tfvars` file structure, you can skip the next section that explains how to update the configuration file and go directly to the [Options](#options) you want to implement. ## Platform configuration file updates -Most of the options require you to update the platform configuration file. The platform configuration file is a HCL (tfvars) file that contains the configuration settings for the platform landing zone. +Most of the options require you to update the platform configuration file. The platform configuration file is a HCL (tfvars) file that contains the configuration settings for the platform landing zone. There are two types of settings in the platform configuration file that you may need to update. For the sake of simplicity we will refer to these as `line` and `block` settings. @@ -92,3 +92,4 @@ The available options are: 1. [Turn off Azure Monitoring Agent]({{< relref "ama">}}) 1. [Deploy Azure Monitoring Baseline Alerts (AMBA)]({{< relref "amba">}}) 1. [Turn off Defender Plans]({{< relref "defender">}}) +1. [Implement Zero Trust Networking]({{< relref "zero-trust">}}) 
diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md new file mode 100644 index 0000000..5bd388a --- /dev/null +++ b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md @@ -0,0 +1,16 @@ +--- +title: 14 - Zero Trust Networking +geekdocCollapseSection: true +weight: 14 +--- + +If you are looking to deploy [zero trust](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust) practices into your Landing Zone, you should enable Azure Firewall Premium SKU. +This will enable the HTTPS inspection feature, which is a key component of zero trust. + +The steps to follow are: + +1. Update each firewall SKU to `"Premium"` in the `hub_and_spoke_vnet_virtual_networks` block setting. + + | Setting Type | Parent block(s) | Key | Action | Count | Notes | + | - | - | - | - | - | - | + | line | `hub_and_spoke_vnet_virtual_networks` > `` > `hub_virtual_network` > `firewall` | `sku_tier` | Update the value from `"Standard"` to `"Premium"` | 1+ | is the relevant region (e.g. primary or secondary). There will be two instances for a multi-region deployment | diff --git a/docs/content/accelerator/userguide/0_planning.md b/docs/content/accelerator/userguide/0_planning.md index 99faabb..77ff6fd 100644 --- a/docs/content/accelerator/userguide/0_planning.md +++ b/docs/content/accelerator/userguide/0_planning.md @@ -74,7 +74,7 @@ Fill out the `Infrastructure as Code` value with either `bicep` or `terraform`. ### Decision 2 - Choose a version control system -We currently support bootstrapping of Azure DevOps or GitHub. H +We currently support bootstrapping of Azure DevOps or GitHub. Hopefully you've already chosen one of these for your organization, but if not you can go off and do some research now before continuing. 
@@ -124,7 +124,7 @@ Fill out the `Platform landing zone region(s)` value with the Azure region(s) yo ### Decision 6 - Choose a parent management group -The parent management group is the management group that will contain the management groups created by the bootstrap. The parent management group must exist before the bootstrap is run. +The parent management group is the management group that will contain the management groups created by the bootstrap. The parent management group must exist before the bootstrap is run. We recommend using `Tenant Root Group`, the platform landing zone management group hierarchy will be build underneath the chosen parent management group. The only changes to the parent management group will be permissions, no policies are applied at that level. @@ -136,7 +136,7 @@ Fill out the `Parent management group id` value with the management group you ha ### Decision 7 - Choose the platform subscriptions -We strongly encourage and only support using 3 subscription model with separate Management, Connectivity and Identity platform subscriptions. +We strongly encourage and only support using 3 subscription model with separate Management, Connectivity and Identity platform subscriptions. {{< hint type=note >}} A single subscription model is technically possible, but only recommended for sandbox testing purposes. @@ -158,7 +158,7 @@ Fill out the `Bootstrap subscription id` value with the subscription ID you have ### Decision 9 - Choose the bootstrap resource naming -Choose a `service name` and `environment name` that will be used to derive the bootstrap resource names. +Choose a `service name` and `environment name` that will be used to derive the bootstrap resource names. {{< hint type=tip >}} If you must use an alternative naming convention, they can be overridden by follow the instructions found [HERE]({{< relref "../faq">}}) 
@@ -171,7 +171,7 @@ Fill out the `Service name` and `Environment name` values with the names you hav We offer 3 agent / runner and networking options for the bootstrap. The options and related settings are listed here: * Private networking with self-hosted agents / runners - * Azure DevOps: + * Azure DevOps: * `use_private_networking` = `true` * `use_self_hosted_agents` = `true` * GitHub:
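Review bot: in the `options/_index.md` hunk at `@@ -6,11 +6,11 @@`, the change that wraps `tfvars` in backticks on the first modified line is not carried through to the second modified line of the same hunk, which still reads "a HCL (tfvars) file" with bare `tfvars` and the wrong article. Since that line is already being rewritten (only trailing whitespace is removed), make it consistent: `The platform configuration file is an HCL (`tfvars`) file that contains the configuration settings for the platform landing zone.`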
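Review bot: in the new `options/zero-trust.md` file, the `Parent block(s)` cell of the table has an empty code span (`` > `hub_virtual_network`) and the `Notes` cell begins with "is the relevant region", so the name of the region key has been dropped, most likely an angle-bracket placeholder that the renderer swallowed as a tag. Put the placeholder inside the code span so it survives rendering, e.g. `hub_and_spoke_vnet_virtual_networks` > `<region>` > `hub_virtual_network` > `firewall`, and start the note with "`<region>` is the relevant region". Separately, the introduction states that enabling the Premium SKU "will enable the HTTPS inspection feature", but the only step listed is changing `sku_tier` to `"Premium"`; that step selects a SKU on which inspection is supported rather than turning inspection on, so either add the remaining configuration steps the reader needs or soften the sentence to say the Premium SKU makes TLS inspection available. Microsoft documentation refers to the feature as TLS inspection, so using that term would also help readers find the related docs.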
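Review bot: the `0_planning.md` hunk at `@@ -124,7 +124,7 @@` (Decision 6) only strips trailing whitespace, but the unchanged context line directly below it has a typo and a comma splice: "We recommend using `Tenant Root Group`, the platform landing zone management group hierarchy will be build underneath the chosen parent management group." Since the file is being touched, change "will be build" to "will be built" and split the sentence after `Tenant Root Group`.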
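Review bot: the `0_planning.md` hunk at `@@ -136,7 +136,7 @@` (Decision 7) rewrites the line but leaves its grammar error in place: "only support using 3 subscription model" is missing an article. Suggest "We strongly encourage, and only support, using a three-subscription model with separate Management, Connectivity and Identity platform subscriptions."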
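Review bot: the `0_planning.md` hunk at `@@ -158,7 +158,7 @@` (Decision 9) is whitespace-only, but the tip in its context has a grammar error worth fixing in the same change: "they can be overridden by follow the instructions found [HERE]" should read "they can be overridden by following the instructions found [here]"; the all-caps link text is also out of step with the rest of the page.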