MANAGEMENT Version 1 (WIP) Last Review Date: August, 2024

Documentation Overview

covers:

## Management Subscription

Overview

  • The More IQ Management Subscription, sub-miq-management, contains all services supporting the operation and management of the More IQ Landing Zones.
  • The Management Subscription is the central location for logging, monitoring, alerting and automation that affects all other subscriptions and resources in the More IQ Landing Zones.
  • The following diagram shows the overall resource topology of the management subscription.
    Management Subscription Topology

Note: No secrets are to be added to this site.

Access

  • Access to this site is for members of the MoreCore team, and permitted subcontractors.
  • Access is controlled via

Azure Landing Zones DevOps services

  • The ALZ DevOps Services provide self-hosted agents supporting execution of terraform and pipelines in the More IQ Landing Zones Azure DevOps project.
  • The rg-miq-mgmt-agents-australiaeast-001 resource group contains an Azure Container Registry storing the terraform build agent container images and 2 Azure Container Instances in different availability zones hosting the agents for the miq-mgmt agent pools.
  • The rg-miq-mgmt-state-australiaeast-001 resource group contains an Azure Storage account where the terraform state is stored.
  • The rg-miq-mgmt-identity-australiaeast-001 resource group contains the Plan and Apply Managed Identities that have permission to read and provision respectively into all subscriptions.
  • The rg-miq-mgmt-network-australiaeast-001 resource group contains the VNet, private endpoints, private DNS zones and NAT gateway allowing resources in the ALZ DevOps Services to communicate with each other and with Azure APIs securely.
  • The VNet is not connected to the regional hub, which makes the solution more secure: the agents have line of sight to management.azure.com but no network line of sight to the resources they create. If this becomes an issue the VNet can be connected to the regional hub, but it is recommended to connect via an Azure Firewall.

User Assigned Managed Identities

  • The Plan identity can read the current state of all resources, which is what it needs to calculate the terraform plan during pipeline execution. It gets this via assignment of the custom Azure Role Azure Landing Zones Management Group Reader at the ALZ management groups.
  • The Apply identity has a high level of access to create and destroy resources during the apply phase of CD pipelines, via assignment of the custom Azure Role Azure Landing Zones Management Group Contributor at the tenant root management group, and Owner at the ALZ management groups.
  • The Plan and Apply managed identities have corresponding Service Connections in the More IQ Landing Zones Azure DevOps project.
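The value of the Plan/Apply split above only holds if the Plan role really is read-only. The following is an added example (not part of this page or the More IQ codebase) of a check a reviewer can run over a role definition exported with `az role definition list --name "<role name>"` (the CLI returns a JSON array; pass one element). It flags any control-plane or data-plane action that grants more than read access, treating `*` and `Provider/*` wildcards as write access. The two role definitions embedded below are constructed samples and are not the real Azure Landing Zones Management Group Reader role.

```python
"""Least-privilege check for a Terraform *plan* identity's RBAC role.

Added example, not part of the original page. It assumes the role
definition is in the JSON shape produced by `az role definition list`
(roleName + permissions[{actions, notActions, dataActions, notDataActions}])
and checks that every effective action is read-only.
"""
import fnmatch
import json

# Constructed sample: a genuinely read-only custom role.
PLAN_ROLE_JSON = json.dumps({
    "roleName": "Example Plan Reader (constructed)",
    "permissions": [{
        "actions": [
            "*/read",
            "Microsoft.Management/managementGroups/descendants/read",
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    }],
})

# Constructed sample: looks like a reader but smuggles in write access.
BAD_ROLE_JSON = json.dumps({
    "roleName": "Example Over-privileged Plan (constructed)",
    "permissions": [{
        "actions": [
            "*/read",
            "Microsoft.Authorization/roleAssignments/write",
            "Microsoft.Network/*",
        ],
        "notActions": ["Microsoft.Network/virtualNetworks/delete"],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
        "notDataActions": [],
    }],
})


def is_read_only_action(action: str) -> bool:
    """An action is read-only only if it ends in '/read'.
    A bare '*' or a 'Provider/*' wildcard grants writes as well."""
    return action.lower().endswith("/read")


def effective_actions(actions, not_actions):
    """Drop actions that are fully excluded by a notActions glob.
    A notAction that is narrower than a wildcard action does not remove
    the wildcard, so 'Microsoft.Network/*' survives a vnet-delete exclusion."""
    return [
        a for a in actions
        if not any(fnmatch.fnmatch(a.lower(), n.lower()) for n in not_actions)
    ]


def audit_plan_role(role_json: str) -> dict:
    """Return {'role': name, 'findings': [...]}; each finding is an
    effective control- or data-plane action that exceeds read access."""
    role = json.loads(role_json)
    findings = []
    for perm in role.get("permissions", []):
        for kind, excl in (("actions", "notActions"),
                           ("dataActions", "notDataActions")):
            for action in effective_actions(perm.get(kind, []),
                                            perm.get(excl, [])):
                if not is_read_only_action(action):
                    findings.append(f"{kind}: {action}")
    return {"role": role.get("roleName", "<unnamed>"), "findings": findings}


def is_plan_safe(role_json: str) -> bool:
    """True when the role grants nothing beyond read access."""
    return not audit_plan_role(role_json)["findings"]


if __name__ == "__main__":
    for sample in (PLAN_ROLE_JSON, BAD_ROLE_JSON):
        result = audit_plan_role(sample)
        verdict = "OK (read-only)" if not result["findings"] else "FAIL"
        print(f"{result['role']}: {verdict}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it against the exported custom role before any pipeline change that touches the Plan service connection; a non-empty findings list means the plan stage could mutate state, which defeats the reason the two identities are separated.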

Centralised logging, analytics and automation

  • Policy initiatives deployed with the Azure Landing Zones ensure resources send all logs to the central log-management Log Analytics Workspace.
  • Other policy initiatives deployed ensure security posture from other angles.
  • The rg-management resource group contains the resources providing centralised logging, analytics, and automation for all subscriptions in the More IQ Landing Zones.
  • The log-management Log Analytics Workspace ingests the platform logs from all deployed Azure Services in the Landing Zone subscriptions.
  • The ChangeTracking and SecurityInsights Analytics solutions provide a collection of Workbooks for analysing logs in support of change and security monitoring.
  • Data collection rules for VM Insights, Change Tracking and Defender for SQL are in place to ensure the appropriate logs from VMs are ingested into the log-management Log Analytics Workspace.
  • Although the More IQ and More Core platforms do not currently utilise VMs, the data collection rules have been left in place to ensure any future VM based workload will automatically send logs to the log-management Log Analytics Workspace.
  • A centralised aa-management automation account is intended for platform automation across the Landing Zone subscriptions. It is not intended for workload automation.
  • Depending on log retention requirements and storage costs, a centralised storage account for long term retention may be provisioned.
  • It may also be desirable to have a second Log Analytics Workspace for ingesting and analysing metrics and telemetry data from deployed services. This would have a shorter retention and more variability in tables ingested.

Dev Center Managed Identity

  • The resource group rg-miq-devcenter contains the managed identity id-miq-devops-devcenter, which is the identity of the central DevCenter in the DevOps services subscription.