In this post, I will explain how to use custom archetypes of Azure Landing Zones and how to automate this deployment using enterprise landing zones module in terraform
Azure Landing Zones are an important aspect of cloud adoption for organizations. They provide a foundation for consistent deployment of resources, governance, and security across an organization's Azure environment. However, out-of-the-box Azure Landing Zones may not meet the specific needs of all organizations. This is where custom archetypes can help us to meet these particular requirements.
Custom archetypes are based on the organization's specific needs, such as its industry, regulatory compliance, and security requirements. Custom archetypes can be designed to meet the specific needs of different business units within an organization.
One of the biggest benefits of custom archetypes is that they can help organizations reduce the time and effort required to deploy a Landing Zone. Custom archetypes can be pre-configured with the necessary components, such as virtual networks, subnets, security policies, and Azure resources, that are required to support the organization's workload. This can help organizations speed up the deployment process and ensure consistency across all of their Azure environments.
Another benefit of custom archetypes is that they can help organizations ensure compliance with regulatory requirements. Custom archetypes can be designed to meet specific regulatory requirements, such as SWIFT, HIPAA, PCI, or GDPR. This can help organizations avoid costly fines and reputational damage that can result from non-compliance.
Custom archetypes can also help organizations improve their security posture. By designing custom archetypes with security in mind, organizations can ensure that their Azure environments are secure from the ground up.
Custom archetypes can be designed to include security policies, such as network segmentation, access control (custom azure roles) , and encryption, that meet the organization's specific security requirements.
In conclusion, custom archetypes are a powerful tool that organizations can use to tailor Azure Landing Zones to meet their specific needs. By designing custom archetypes, organizations can reduce the time and effort required to deploy a Landing Zone, ensure compliance with regulatory requirements, and improve their security posture. If you're considering adopting Azure, it's worth exploring the benefits of custom archetypes for your organization.
In this example I will create a custom archetype particularly for financial organizations that require more strict controls to comply with the industry regulation.
Let review the components that make part of this example so there is a clear understanding on how create and integrate a custom archetype in azure landing zones.
{
"es_bankonline": {
"policy_assignments": ["Deny-Resource-Locations", "Deny-RSG-Locations","SWIFT-CSP-CSCF"],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {
"Deny-Resource-Locations": {
"listOfAllowedLocations": [
"East Us",
"West Us"
]
},
"Deny-RSG-Locations": {
"listOfAllowedLocations": [
"East Us",
"West Us"
]
}
},
"access_control": {
}
}
}
}
{
"name": "SWIFT-CSP-CSCF",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "SWIFT's Customer Security Programme (CSP) helps financial institutions ensure their defences against cyberattacks are up to date and effective, to protect the integrity of the wider financial network. Users compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF). These policies address a subset of SWIFT controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/swift-cscf-v2021",
"displayName": "SWIFT-CSP-CSCF",
"notScopes": [],
"parameters": {
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/7bc7cd6c-4114-ff31-3cac-59be3157596d",
"nonComplianceMessages": [
{
"message": "SWIFT-CSP-CSCF controls {enforcementMode} be enforced"
}
],
"scope": "${current_scope_resource_id}",
"enforcementMode": null
},
"location": "${default_location}",
"identity": {
"type": "SystemAssigned"
}
}
{
"name": "617e86e8-e111-4d69-a120-ed3aec64717a",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "bankOnline app owner",
"description": "Owner for the bankonline management group, it has all permission except modify / delete vnets",
"type": "customRole",
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Network/virtualNetworks/write"
],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"${current_scope_resource_id}"
]
}
}
{
"extend_es_root": {
"policy_assignments": [],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": ["bankOnline app owner"],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
This set of instructions will get you started with the deployment of a custom archetype and custom roles using the terraform module
login to azure using az cli az login
clone github repo to get started git clone https://github.com/mblanco77/alzcustomarchetypetf
Optionally you can change in the variables.tf file the name of the root_id , root_name and the location where you will deploy the resources.
variable "root_id" {
type = string
default = "alz-tf1"
}
variable "root_name" {
type = string
default = "alz tf1"
}
variable "primary_location" {
type = string
default = "eastus"
}
Deploy using Terraform it usually takes around 20 minutes to complete
terraform init
terraform plan
terraform apply
Hope this post helps getting you started using custom archetypes in Azure Landing Zones,
additionally you can find all the artifacts related in this github repo https://github.com/mblanco77/alzcustomarchetypetf
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.