Feature request - Generate EPAC compatible policy assignments #199

Open

cjtous1 opened this issue Feb 3, 2025 · 4 comments

Comments

@cjtous1

cjtous1 commented Feb 3, 2025

Hello,

I was wondering if you could add a functionality to generate policy definitions & assignments that would be compatible with EPAC?
I would like to leverage the alzlibtool to generate my EPAC assignments and then use the alzlibtool to generate new EPAC assignments against a specific architecture to be able to properly identify differences between what I have deployed in EPAC vs a newer release of the ALZ library.

Thank you.

@matt-FFFFFF
Member

matt-FFFFFF commented Feb 4, 2025

Hi!

This module and the associated Terraform provider generate policy artefacts in 100% ARM JSON.

We use the Azure SDK for Go to ensure that the resources are valid.

What sort of output would you like to see?

@cjtous1
Author

cjtous1 commented Feb 5, 2025

EPAC has its own JSON schema for how they do policy assignments: https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json

The EPAC team created a function to sync ALZ policies. It gets the policy/policyset definitions from the enterprise scale repo, but the policy assignment files are maintained manually by someone from the EPAC team because they are in a different format.
See here: https://github.com/Azure/enterprise-azure-policy-as-code/tree/main/Scripts/CloudAdoptionFramework/policyAssignments

Now, instead of relying on someone manually maintaining those files, I was hoping to leverage the alzlibtool to generate those policy assignments in a format that can be used by EPAC. Ideally, I would be able to pass in an architecture and it could generate the policy assignment file used by the architecture in an EPAC-compatible format. This would allow me to quickly identify changes between what I have deployed in EPAC and what is new in the latest ALZ library release.

Hopefully this helps, let me know if this is still not clear.
Thank you.

@matt-FFFFFF
Member

Got it, thanks.

Have you raised an issue on the EPAC repo?

As EPAC has implemented a custom schema we would probably not implement that in our tooling.

Also, since there is precedent for EPAC providing tooling to consume the ALZ policies, then I think they could do this again.

Ideally they would sync directly from the library, or via the alzlibtool's generate command. The latter produces ARM JSON with the correct resource IDs based on the supplied architecture. I'm sure with one of these EPAC could import the required assets.

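As an added example (not code from alzlibtool, the ALZ library or EPAC), this is the kind of conversion such a consumer would do: take one ARM JSON policy assignment as emitted by alzlibtool's generate command and re-emit it in an EPAC-style assignment layout. The EPAC keys used here (nodeName, scope, assignment, definitionEntry, parameters) and the bare-value parameter form are assumptions to be checked against the schema linked above; the function name ToEPAC and all sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// armAssignment holds the fields of an ARM JSON policyAssignment (the form
// alzlibtool's generate command emits) that the conversion needs.
type armAssignment struct {
	Name       string `json:"name"`
	Properties struct {
		DisplayName        string                     `json:"displayName"`
		PolicyDefinitionID string                     `json:"policyDefinitionId"`
		Parameters         map[string]json.RawMessage `json:"parameters"`
	} `json:"properties"`
}

// ToEPAC converts one ARM policy assignment into an ASSUMED EPAC assignment
// layout (nodeName/scope/assignment/definitionEntry/parameters); check the
// keys against the schema linked in the issue before relying on the output.
// pacSelector is the EPAC environment name, scope the target scope ID.
func ToEPAC(armJSON []byte, pacSelector, scope string) (map[string]any, error) {
	var a armAssignment
	if err := json.Unmarshal(armJSON, &a); err != nil || a.Properties.PolicyDefinitionID == "" {
		return nil, fmt.Errorf("assignment %q: bad ARM JSON or missing policyDefinitionId: %v", a.Name, err)
	}
	id := a.Properties.PolicyDefinitionID
	key := "policyName" // ARM encodes the kind in the ID path; EPAC in the key name
	if strings.Contains(strings.ToLower(id), "/policysetdefinitions/") {
		key = "policySetName"
	}
	params := make(map[string]json.RawMessage)
	for k, raw := range a.Properties.Parameters { // ARM wraps each value as {"value": x}
		var w struct{ Value json.RawMessage }
		if err := json.Unmarshal(raw, &w); err != nil || w.Value == nil {
			return nil, fmt.Errorf("parameter %q is not an ARM value wrapper", k)
		}
		params[k] = w.Value
	}
	return map[string]any{
		"nodeName":        "/" + a.Name,
		"scope":           map[string][]string{pacSelector: {scope}},
		"assignment":      map[string]string{"name": a.Name, "displayName": a.Properties.DisplayName},
		"definitionEntry": map[string]string{key: path.Base(id)},
		"parameters":      params,
	}, nil
}
```

Running the generated ARM JSON for two library releases through the same conversion and diffing the results is what gives the change view asked for in this issue.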
@cjtous1
Author

cjtous1 commented Feb 5, 2025

I did raise an issue here: Azure/enterprise-azure-policy-as-code#819

Though it does not seem to be much of a priority for them. The last response I got with this issue was that they thought they would have to keep maintaining those assignments manually...

Would you be able to talk with the EPAC maintainers to explain to them how they could leverage the alzlibtool to generate those assignments?
