/azuregovernance

Implement Azure Governance using Terraform

Primary LanguageHCLMIT LicenseMIT

Azure Governance with Terraform

Build Status

This repo contains samples for using Terraform 0.13 to deploy and manage Azure Governance related resources using GitHub/Azure Devops and is configured to:

  • Support multiple Azure AD Tenants in a multistage pipeline - Currently dev and prod, but designed to support easy addition of more stages.
  • Azure Pipelines YAML templates for common tasks.
  • Use of containers to support required tooling version pinning.
    • Extend usage of container for dev scenarios with Visual Studio Code
  • Implement Azure Governance Resources
    • Subscription assignment to Management Groups
    • Support for external management of Subscription Assignment via lifecycle/ignore_changes
    • Custom Role Based Access Control definitons scoped to Management Groups, Subscriptions and Resource Groups #4847.
    • Role Based Access Control assignments with builtin and custom roles to Management Groups, Subscriptions and Resource Groups.
    • Azure Policy definitions scoped to Management Groups
    • Azure Policy assignments to Management Groups #3762
    • Add a scenario with Tags
    • Add a scenario for DeployIfNotExists and Managed Service Identities.
    • Add Blueprints definitions/assignments
  • Add Azure DevOps custom dashboard with relevant visuals
  • Add azure dashboard azurerm_dashboard
  • Improve deployment safety
    • Added Scheduled plan pipeline
    • Notify on pipeline failure
    • Add pull request pipeline
    • Add tflint, investigate terratest
    • Add tests to pull request pipeline
    • Add Environments, approvals and checks
    • Monitor secret age and alert.
  • Add Security Center configuration
  • Cost Management
  • Documentation
  • Add Azure AD custom roles
  • Custom Roles for App registration
  • Operations scenarios
    • Connect Activity Log to Workspace
    • Connect Azure AD Logs
    • Add Azure Monitor
    • Action Groups & Alerts
  • Terraform
    • Maintain Terraform state with the azurerm storage account backend.
    • Add Terraform graph and GraphViz support, review terraform-docs
    • Add a provisioners/connections scenario
    • Verify usage of dynamic block
  • Enterprise Scale

Setup

Setup guidance is work in progress and most steps are capable of automation with az cli and the azure-devops extension.

Note: the Repo contains IDs for tenants/subscriptions related to my test/demo infrastructure.