Azure Policy
POLICY Version 1 (WIP) Last Review Date: August, 2024

Documentation Overview

covers:

Architecture

Overview

  • Azure Policy is used to provide guardrails at the platform level
  • Policies are fundamental to democratisation of the More IQ Azure tenancy by allowing safe delegation of responsibility to teams and vendors while ensuring organizational policies are adhered to
  • Policies allow enforcement of organizational standards and rules while enabling compliance monitoring and remediation at-scale
  • Policies can be assigned at a management group, subscription or resource group level and are hierarchically inherited by child management groups, subscriptions, resource groups and resources
  • Policies can be assigned in one of four enforcement modes: Deny, AuditIfNotExists, DeployIfNotExists and Modify. Each enforcement mode controls what action the Azure policy engine takes when a policy violation is detected. The actions range from reporting compliance, through denying non-compliant deployments, to auto-remediation of non-compliant resources
  • Policies can be grouped together in PolicySets and Initiatives
  • See Microsoft Learn - Policy Overview for further information

Access

  • Access to this site is for members of the MoreCore team, and permitted subcontractors.
  • Access is controlled via

Existing Policies

  • As the More IQ and More Core platforms are currently PaaS only solutions that utilise common PaaS platforms, it is expected that policy requirements will be met by existing policy definitions with no need to build and maintain policies
  • Existing policies fall into 5 categories
  • Built-in: These policies exist in all Azure tenancies
  • Static: Microsoft owned policies that relate to regulatory compliance of Microsoft infrastructure. You generally won't see these policies in the Azure portal
  • ALZ: Policies defined in Azure Landing Zones framework. These policies focus on enforcing secure configurations across resource types. As policies mature they may migrate to built-in policy
  • AMBA: Policies defined in the Azure Monitor Baseline Alerts framework. These policies focus on providing automated alerting capabilities to improve observability of Azure resources. These policies supersede the ALZ alerting-related policies
  • Community: Policies created by the community. These policies focus on edge cases that are not covered by a more authoritative source. Care should be taken to understand community policy code and effects before utilising them in a policy assignment

Azure Landing Zones Policies

More IQ Initiative and Policy assignments

  • To support More IQ requirements, a number of initiatives and policies are assigned, either directly or via extension of the Azure Landing Zone objects
  • Policy assignments and the ALZ extension for the More IQ Landing Zones are implemented in Terraform IaC in the sub-miq-mgmt subscription

More IQ Sovereignty

  • To ensure resources are only deployed in an Australian region, the Preview: Sovereignty Baseline - Global Policies initiative is assigned to the intermediate management group via ALZ extension
  • The parameters to the initiative ensure resources can only be deployed to the "australiacentral", "australiacentral2", "australiaeast" and "australiasoutheast" regions. When deploying resources, care should be taken to deploy related resources to paired regions
  • The More IQ CAF design decisions document specifies that the Primary region for resources is "australiaeast" while the secondary region for redundancy and disaster recovery is "australiasoutheast".
  • When assessing the availability posture of More IQ resources, pay attention to the services available in the secondary region.
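
The assignment described above, as an added Terraform example (not the project's own sub-miq-mgmt code): it assigns the sovereignty initiative to the intermediate management group and passes the four Australian regions as the allowed-locations parameter. The management group name "miq-intermediate", the parameter name "listOfAllowedLocations" and the exact initiative display name are assumptions to confirm against the tenant.

```hcl
# Added example, not the project's own Terraform. Assigns the
# "Sovereignty Baseline - Global Policies" built-in initiative to the
# intermediate management group, restricting deployments to the four
# Australian regions named in this document.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# ASSUMED management group name; replace with the real intermediate MG.
data "azurerm_management_group" "intermediate" {
  name = "miq-intermediate"
}

# Resolve the built-in initiative by display name instead of hard-coding
# its GUID. ASSUMPTION: the display name must match the portal exactly.
data "azurerm_policy_set_definition" "sovereignty_global" {
  display_name = "Preview: Sovereignty Baseline - Global Policies"
}

locals {
  # Allowed regions from the More IQ sovereignty requirement.
  allowed_locations = [
    "australiacentral",
    "australiacentral2",
    "australiaeast",
    "australiasoutheast",
  ]
}

resource "azurerm_management_group_policy_assignment" "sovereignty_global" {
  name                 = "miq-sovereignty-global" # <= 24 chars at MG scope
  display_name         = "More IQ sovereignty: Australian regions only"
  management_group_id  = data.azurerm_management_group.intermediate.id
  policy_definition_id = data.azurerm_policy_set_definition.sovereignty_global.id
  enforce              = true # Deny effects block, rather than only audit

  # ASSUMED parameter name; check the initiative's parameter list.
  parameters = jsonencode({
    listOfAllowedLocations = { value = local.allowed_locations }
  })
}
```

Because the assignment sits on the intermediate management group, every child subscription and resource group inherits the region restriction; run `terraform plan` and check the compliance view before switching `enforce` on in a tenant that already has out-of-region resources.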

Online Landing Zone Policies

  • The ALZ archetype for the online management group does not contain any policy assignments.
  • The PaaS related policy assignments on the corp management group were cloned for the online management group. There is no expectation of direct PaaS access from the internet in online management groups