From c9a425726c9a20d390d046e1ddd9967c87948ada Mon Sep 17 00:00:00 2001 From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Wed, 15 Jan 2025 09:31:35 +0000 Subject: [PATCH 1/3] feat(accelerator): add zero trust option --- .../options/_index.md | 5 +++-- .../options/zero-trust.md | 16 ++++++++++++++++ docs/content/accelerator/userguide/0_planning.md | 10 +++++----- 3 files changed, 24 insertions(+), 7 deletions(-) create mode 100644 docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md index d125829..7dc6899 100644 --- a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md +++ b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/_index.md 
@@ -6,11 +6,11 @@ weight: 2 This section provides detailed instructions for updating your configuration to implement each option. -If you are familiar with Terraform tfvars file structure, you can skip the next section that explains how to update the configuration file and go directly to the [Options](#options) you want to implement. +If you are familiar with Terraform `tfvars` file structure, you can skip the next section that explains how to update the configuration file and go directly to the [Options](#options) you want to implement. ## Platform configuration file updates -Most of the options require you to update the platform configuration file. The platform configuration file is a HCL (tfvars) file that contains the configuration settings for the platform landing zone. +Most of the options require you to update the platform configuration file. The platform configuration file is a HCL (tfvars) file that contains the configuration settings for the platform landing zone. There are two types of settings in the platform configuration file that you may need to update. For the sake of simplicity we will refer to these as `line` and `block` settings. @@ -92,3 +92,4 @@ The available options are: 1. [Turn off Azure Monitoring Agent]({{< relref "ama">}}) 1. [Deploy Azure Monitoring Baseline Alerts (AMBA)]({{< relref "amba">}}) 1. [Turn off Defender Plans]({{< relref "defender">}}) +1. [Implement Zero Trust Networking]({{< relref "zero-trust">}}) diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md new file mode 100644 index 0000000..4c1e6a4 --- /dev/null +++ b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md 
@@ -0,0 +1,16 @@ +--- +title: 14 - Zero Trust Networking +geekdocCollapseSection: true +weight: 14 +--- + +If you are looking to deploy [zero trust](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust) practices into your Landing Zone, you should enable Azure Firewall Premium SKU. +This will enable the HTTPS inspection feature, which is a key component of zero trust. + +The steps to follow are: + +1. Update each firewall SKU to `"Premium"` in the `hub_and_spoke_vnet_virtual_networks` configuration. + + | Setting Type | Parent block(s) | Key | Action | Count | Notes | + | - | - | - | - | - | - | + | line | `hub_and_spoke_vnet_virtual_networks.*.hub_virtual_network.firewall` | `sku_tier` | Change value to `"Premium"` | 1+ | In multi-region deployments, change all regions [primary, secondary] value as well | diff --git a/docs/content/accelerator/userguide/0_planning.md b/docs/content/accelerator/userguide/0_planning.md index 99faabb..77ff6fd 100644 --- a/docs/content/accelerator/userguide/0_planning.md +++ b/docs/content/accelerator/userguide/0_planning.md @@ -74,7 +74,7 @@ Fill out the `Infrastructure as Code` value with either `bicep` or `terraform`. ### Decision 2 - Choose a version control system -We currently support bootstrapping of Azure DevOps or GitHub. H +We currently support bootstrapping of Azure DevOps or GitHub. Hopefully you've already chosen one of these for your organization, but if not you can go off and do some research now before continuing. 
@@ -124,7 +124,7 @@ Fill out the `Platform landing zone region(s)` value with the Azure region(s) yo ### Decision 6 - Choose a parent management group -The parent management group is the management group that will contain the management groups created by the bootstrap. The parent management group must exist before the bootstrap is run. +The parent management group is the management group that will contain the management groups created by the bootstrap. The parent management group must exist before the bootstrap is run. We recommend using `Tenant Root Group`, the platform landing zone management group hierarchy will be build underneath the chosen parent management group. The only changes to the parent management group will be permissions, no policies are applied at that level. @@ -136,7 +136,7 @@ Fill out the `Parent management group id` value with the management group you ha ### Decision 7 - Choose the platform subscriptions -We strongly encourage and only support using 3 subscription model with separate Management, Connectivity and Identity platform subscriptions. +We strongly encourage and only support using 3 subscription model with separate Management, Connectivity and Identity platform subscriptions. {{< hint type=note >}} A single subscription model is technically possible, but only recommended for sandbox testing purposes. @@ -158,7 +158,7 @@ Fill out the `Bootstrap subscription id` value with the subscription ID you have ### Decision 9 - Choose the bootstrap resource naming -Choose a `service name` and `environment name` that will be used to derive the bootstrap resource names. +Choose a `service name` and `environment name` that will be used to derive the bootstrap resource names. {{< hint type=tip >}} If you must use an alternative naming convention, they can be overridden by follow the instructions found [HERE]({{< relref "../faq">}}) 
@@ -171,7 +171,7 @@ Fill out the `Service name` and `Environment name` values with the names you hav We offer 3 agent / runner and networking options for the bootstrap. The options and related settings are listed here: * Private networking with self-hosted agents / runners - * Azure DevOps: + * Azure DevOps: * `use_private_networking` = `true` * `use_self_hosted_agents` = `true` * GitHub: From 3d4cfe41777283820df0f3edb7a47d5ea4886fe9 Mon Sep 17 00:00:00 2001 From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Wed, 15 Jan 2025 11:22:08 +0000 Subject: [PATCH 2/3] Update docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md Co-authored-by: Jared Holgate --- .../terraform-platform-landing-zone/options/zero-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md index 4c1e6a4..aea35b8 100644 --- a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md +++ b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md @@ -9,7 +9,7 @@ This will enable the HTTPS inspection feature, which is a key component of zero The steps to follow are: -1. Update each firewall SKU to `"Premium"` in the `hub_and_spoke_vnet_virtual_networks` configuration. +1. Update each firewall SKU to `"Premium"` in the `hub_and_spoke_vnet_virtual_networks` block setting. | Setting Type | Parent block(s) | Key | Action | Count | Notes | | - | - | - | - | - | - | From 3609910a42eea8894b4fd73aab8d32b3d40fa99e Mon Sep 17 00:00:00 2001 
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Wed, 15 Jan 2025 11:22:28 +0000 Subject: [PATCH 3/3] Update docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md Co-authored-by: Jared Holgate --- .../terraform-platform-landing-zone/options/zero-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md index aea35b8..5bd388a 100644 --- a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md +++ b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/options/zero-trust.md @@ -13,4 +13,4 @@ The steps to follow are: | Setting Type | Parent block(s) | Key | Action | Count | Notes | | - | - | - | - | - | - | - | line | `hub_and_spoke_vnet_virtual_networks.*.hub_virtual_network.firewall` | `sku_tier` | Change value to `"Premium"` | 1+ | In multi-region deployments, change all regions [primary, secondary] value as well | + | line | `hub_and_spoke_vnet_virtual_networks` > `` > `hub_virtual_network` > `firewall` | `sku_tier` | Update the value from `"Standard"` to `"Premium"` | 1+ | is the relevant region (e.g. primary or secondary). There will be two instances for a multi-region deployment |
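Review bot: in the `_index.md` hunk at `@@ -6,11 +6,11 @@`, the rewritten `+Most of the options require you to update the platform configuration file...` line still reads "a HCL (tfvars) file"; since the line is being touched anyway, change it to "an HCL (`tfvars`) file" so the article matches how HCL is read aloud and the `tfvars` formatting matches the backticks added to the `+If you are familiar with Terraform `tfvars` file structure` line two lines above.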
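Review bot: in the new `zero-trust.md` file (hunk `@@ -0,0 +1,16 @@`), the sentence `+This will enable the HTTPS inspection feature, which is a key component of zero trust.` overstates what the single step on the page does: changing `sku_tier` to `"Premium"` only makes TLS inspection available on the firewall, it does not switch it on. TLS inspection is enabled in the Premium firewall policy, which also needs the intermediate CA certificate the firewall uses to re-sign traffic (supplied from Key Vault) and that CA trusted by the clients behind the firewall; none of that is covered by the `sku_tier` change in the table. Suggest rewording to "This makes the TLS inspection feature available" and stating explicitly that turning it on in the firewall policy is a separate step, so readers do not assume inspection is active after applying this option.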
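Review bot: the `0_planning.md` hunk at `@@ -124,7 +124,7 @@` only strips trailing whitespace from the `The parent management group is the management group...` line, but the unchanged context line immediately below it reads "will be build underneath the chosen parent management group" and is also a comma splice. Since this paragraph is already being edited, fix it in the same change, e.g. "We recommend using `Tenant Root Group`; the platform landing zone management group hierarchy will be built underneath the chosen parent management group."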
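Review bot: the `@@ -136,7 +136,7 @@` hunk in `0_planning.md` is whitespace-only, yet the line it rewrites, `+We strongly encourage and only support using 3 subscription model with separate Management, Connectivity and Identity platform subscriptions.`, is missing an article: "using a 3 subscription model" (or "the three-subscription model"). Worth fixing while the line is being touched.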
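Review bot: in the `@@ -158,7 +158,7 @@` hunk of `0_planning.md`, the trailing context line inside the tip hint reads "they can be overridden by follow the instructions found [HERE]"; suggest "they can be overridden by following the instructions in the [FAQ]({{< relref "../faq">}})", which fixes the verb form and replaces the bare "HERE" link text with descriptive text.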
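Review bot: in patch 2/3 (`@@ -9,7 +9,7 @@` of `zero-trust.md`), the step now says "in the `hub_and_spoke_vnet_virtual_networks` block setting", while the table row beneath it classifies the change as a `line` setting with key `sku_tier`. Both are true (a line setting nested inside a block), but the `_index.md` context in patch 1 defines `line` and `block` as distinct setting types, so consider phrasing the step as "Update the `sku_tier` line setting inside the `hub_and_spoke_vnet_virtual_networks` block to `"Premium"`" so the step and the table use the same vocabulary.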
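Review bot: in patch 3/3 (`@@ -13,4 +13,4 @@`), the replacement row has an empty code span between `hub_and_spoke_vnet_virtual_networks` and `hub_virtual_network` in the Parent block(s) cell, and the Notes cell begins with "is the relevant region", so the placeholder naming the region (the role the `*` played in the row being removed) appears to be missing from both cells. If it was written as an angle-bracketed token outside backticks, Hugo's default Markdown renderer treats it as raw HTML and omits it; put the placeholder inside backticks in both cells, for example `<region>` in the path and "`<region>` is the relevant region (e.g. primary or secondary)" in the Notes cell, so the rendered table shows the reader what to substitute.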