Feature Request: Easy toggle for new Security Subscription

[richardf5]

Is there an existing issue for this?

• I have searched the existing issues

Infrastructure as Code Type? (Required)

both

Starter Module? (Required)

terraform - platform_landing_zone

Use Case (Required)

We feel that few customers are likely to want the Security Subscription by at this moment in time given its tie in with Microsoft Sentinel and that it's shown as optional in the CAF.
I get that following AWS's Security Account model allows more controlled access to security logs, but I haven't seen equivalent controls like that in the Azure version? Happy to be proven wrong on my last statement, but I didn't see any advanced RBAC against security roles?

I would say that the majority of our customers either:

• Don't have the manpower or desire to run Microsoft Sentinel.
• Are subscribed to a Managed SOC.
• Use something like Splunk or CrowdStrike for their SIEM.

Proposed Solution (Required)

An easy toggle as with vpn gateways, dns resolver, bastion etc. for the Security Management Group and Subscription.

Important Factoids (Optional)

I've 'worked around' it for our current customer by editing out the Security Management Group in alz_custom.alz_architecture_definition.yaml and removing the reference to the security subscription in the tfvars file, but I'm guessing you'd have a more elegant solution!

References (Optional)

No response

[jaredfholgate]

The solution you mention is the current method to remove it. We can add these steps to the docs as an Option though to make it simpler for end users to follow the steps. With the library approach we can't currently have a flag to stop the MG being created. However we could look to see if the subscription ID is empty for subscription placement and not attempt that part at least.

@jtracey93 any thoughts on this from a higher level. Should we be mandating the new sub and MG by default as we are now?

[jtracey93]

Hey @richardf5 & @jaredfholgate,

As we announced here this change was made to the ALZ architecture as it was much requested by our customers and partners in feedback, and also our Product Group teams supported the change.

We therefore want this to be mandatory as much as possible, hence we've defaulted it. And as you have found you can remove the MG by editing the architecture definition.

We can add some docs for this and make it more obvious, but where possible we want customers to align to the ALZ architecture by default and then tailor as they desire.

Additional controls etc. will come as we learn more from our customers, partners and internal teams on what controls are commonly implemented.

Thanks for the feedback and we will enhance our docs to help remove the security MG if you want to.

Thanks

Jack