mspnp/aks-baseline

Why do the bicep templates have an @allowed list of locations?

larryclaman opened this issue · 1 comments

Wondering why the bicep templates specifically have an allowed list of locations they can deploy to? Ran into this when I tried to deploy to westus3 and it failed because it wasn't on the list. It was a quick fix to add westus3 to the list of allowed locations, but it made me think: why have this list at all? I see from the description that the intention is to only allow deployments to regions with AZ support (The network team maintains this approved regional list which is a subset of zones with Availability Zone support), but IMHO, this is the wrong place to enforce governance. If there is to be a list of allowed regions, then I would say that should be enforced via Azure Policy, not via an allowed list in a bicep/arm template. Which means that when this list needs to be updated (to add westus3, for example), it needs to get updated in multiple templates versus one central policy setting.

see

for an example

This

Great question.

Azure Policy would be a great place to show this! For this walkthrough though, that would be hard for someone stepping through this workload to track down if they ran into the policy violation (if we hardcoded it there). They would have to modify another template that has this allow list. The parameter way of showing that makes a "fail fast" more possible. But you're right, for your situation you would be spot on to use Azure Policy for that! That would be a good comment to include in the content here.

The reasoning for the list was to provide a list of regions that had paired regions that contained all of the resources that we deploy in the reference architecture that also contain availability zones. Nothing worse than trying to deploy something and it's not available in the region or paired region, and the deployment failing due to lack of resource or availability zone support. If there is a region + paired region that should be added to the list, we'd be glad to see it in there -- it was generated over a year ago, so there are probably missing entries by now.

Hope that helps.
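The two approaches discussed in this thread side by side, as an added illustration that is not code from the mspnp/aks-baseline repository: a template-level `@allowed` list that fails fast at validation time, and a subscription-scoped custom Azure Policy that enforces the same region list once, centrally. The region names, resource names and resource group name are assumptions for illustration.

```bicep
// Added illustration, not from mspnp/aks-baseline; region names are assumed.
targetScope = 'subscription'

// Approach 1: the template's own allow list. Validation fails fast when a
// region outside it is passed, but decorators only accept literals, so every
// template repeats the list and each copy must be edited when it changes.
@allowed([
  'eastus2'
  'westus3'
  'northeurope'
])
param location string

resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: 'rg-aks-baseline'
  location: location
}

// Approach 2: the same list enforced once by Azure Policy. Any template deployed
// under this subscription that targets another region is denied at deployment
// time (RequestDisallowedByPolicy), whichever template the request came from.
var approvedRegions = [
  'eastus2'
  'westus3'
  'northeurope'
]

resource approvedRegionsPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'approved-regions-with-az-support'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: approvedRegions }
          { field: 'location', notEquals: 'global' } // global resources carry no region
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

resource approvedRegionsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'approved-regions'
  properties: {
    policyDefinitionId: approvedRegionsPolicy.id
  }
}
```

With the policy assigned, the `@allowed` decorator can be dropped from the individual templates and the approved list maintained in one place.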