scripts to manage azure: subscription, policy, policy initiatives

pagopa/eng-azure-governance

eng-azure-governance

This project contains all the PagoPA custom roles, policies, policy initiatives and assignments used to govern Azure workloads.

Project structure

  • src/01_custom_roles contains custom roles defined following the least-privilege principle
  • src/02_policy_* contains custom policy definitions, grouped by type in one folder each
  • src/03_policy_set contains custom policy initiatives (also called policy sets)
  • src/04_policy_assignments contains the assignments of those initiatives to management groups or subscriptions.

Terraform

Folders are applied in the order given by their numeric prefix: roles first, then policy definitions, then initiatives, then assignments, since each layer references the previous one.

How to use it

./terraform.sh plan|apply|destroy

Azure policy docs

Policy structure definition

How to force a policy evaluation to run again

# select the subscription to evaluate
az account set -s MY-SUBSCRIPTION
# trigger an evaluation of the whole current subscription (returns immediately)
az policy state trigger-scan --no-wait
# trigger an evaluation of a single resource group in the current subscription
az policy state trigger-scan -g my-rg --no-wait
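The commands above only start the evaluation. When you want to verify the effect of a new policy or assignment you usually also want to wait for the evaluation to finish and see what is still non-compliant. The script below is an added example, not part of this repository: it drops `--no-wait` so the CLI blocks until the evaluation completes, then lists the non-compliant resources in the same scope. It assumes an authenticated Azure CLI (`az login`) with read access to the subscription; MY-SUBSCRIPTION and my-rg are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the eng-azure-governance repo).
# Assumes: `az login` already done; the caller has Reader on the
# subscription; subscription and resource group names are placeholders.
set -euo pipefail

# Build the scope arguments shared by the `az policy state` commands:
# a resource group if one is given, otherwise the whole current subscription.
scope_args() {
  if [ $# -ge 1 ] && [ -n "$1" ]; then
    printf -- '--resource-group %s' "$1"
  fi
}

# Trigger an evaluation, block until it finishes, then report what is
# still non-compliant. Without --no-wait the CLI waits for the evaluation
# to complete, so the query below reflects fresh data rather than the
# previous compliance snapshot. A full-subscription evaluation can take
# a long time; prefer a resource group while iterating on a policy.
scan_and_report() {
  sub=$1
  rg=${2:-}
  az account set --subscription "$sub"
  # shellcheck disable=SC2046  # scope_args is intentionally word-split
  az policy state trigger-scan $(scope_args "$rg")
  az policy state list $(scope_args "$rg") \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].{resource:resourceId, policy:policyDefinitionName, assignment:policyAssignmentName}" \
    --output table
}

if [ $# -ge 1 ]; then
  scan_and_report "$@"
else
  echo "usage: $0 SUBSCRIPTION [RESOURCE_GROUP]" >&2
fi
```

Run it as `./scan.sh MY-SUBSCRIPTION my-rg` right after a `terraform apply` of a new assignment to confirm the assignment is evaluated and to see which resources it flags; the `--filter` expression is the OData filter accepted by `az policy state list`.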

Terraform lock.hcl

Developers work with this Terraform configuration on Linux, macOS or Windows workstations, while the automated pipelines apply it on Linux. Terraform records provider checksums per platform in .terraform.lock.hcl, so the lock file must contain hashes for every platform that will run terraform, otherwise init fails on the platforms that are missing (see https://www.terraform.io/docs/cli/commands/providers/lock.html#specifying-target-platforms).

So after adding or upgrading a provider, regenerate the lock file for all target platforms:

terraform init

rm .terraform.lock.hcl

terraform providers lock \
  -platform=windows_amd64 \
  -platform=darwin_amd64 \
  -platform=darwin_arm64 \
  -platform=linux_amd64
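A lock file that was regenerated on one workstation without the `-platform` flags looks valid but will break `terraform init` for everyone on another OS. The following added example, not part of this repository, wraps the regeneration command above and then checks the result: each provider block must contain at least one `h1:` hash per target platform. The check relies on the fact that `h1:` hashes are computed from the unpacked package and are therefore only recorded for platforms that were actually downloaded, while `zh:` hashes come from the registry's SHA256SUMS file and may cover platforms nobody locked. The lock file contents in the usage note are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example (not from the eng-azure-governance repo).
set -eu

# Target platforms, taken from the README's `terraform providers lock` call.
PLATFORMS="windows_amd64 darwin_amd64 darwin_arm64 linux_amd64"

# Regenerate the lock file for all target platforms (the README's procedure).
# Only run in a directory where `terraform init` has already succeeded.
regenerate_lock() {
  rm -f .terraform.lock.hcl
  set -- ; for p in $PLATFORMS; do set -- "$@" "-platform=$p"; done
  terraform providers lock "$@"
}

# Print the number of "h1:" hashes recorded for one provider address.
# Terraform computes h1 from the unpacked package, so there is exactly one
# per platform that was downloaded; zh hashes are not a reliable signal.
h1_count_for() {
  awk -v want="$2" '
    /^provider "/        { prov = $2; gsub(/"/, "", prov) }
    /"h1:/ && prov == want { n++ }
    END                  { print n + 0 }
  ' "$1"
}

# Fail if any provider in the lock file has fewer h1 hashes than platforms.
check_lock() {
  lock=$1
  need=$(set -- $PLATFORMS; echo $#)
  rc=0
  for prov in $(awk '/^provider "/ { gsub(/"/, "", $2); print $2 }' "$lock"); do
    n=$(h1_count_for "$lock" "$prov")
    if [ "$n" -lt "$need" ]; then
      echo "MISSING: $prov has $n h1 hashes, need $need (one per platform)" >&2
      rc=1
    else
      echo "ok: $prov ($n h1 hashes)"
    fi
  done
  return $rc
}

if [ $# -ge 1 ] && [ "$1" = "regenerate" ]; then
  regenerate_lock
  check_lock .terraform.lock.hcl
fi
```

Run `./lock.sh regenerate` after changing a provider version, or just `check_lock .terraform.lock.hcl` from CI to reject a lock file that was refreshed for a single platform. Note that `terraform providers lock` downloads every provider for every listed platform, so it is slower than a plain `terraform init`; that is the price of a lock file that works on all four platforms.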