Creating a new archetype_id


As we shape our environment and address our needs, imagine that the mg-example-custom we created does not yet have defined policies and is only inheriting policies from the Management Groups above. Now, we want to customize this setup to meet specific requirements.

Creating an archetype_id for our mg-example-custom

I created the file archetype_definition_mg_example_custom.json in the lib/archetype_definitions folder. Inside the file structure, I added the policy name under the policy_assignments array, as shown in the example below:

{
  "custom": {
    "policy_assignments": [
      "Deny-MgmtPorts-Internet"
    ],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {},
      "access_control": {}
    }
  }
}

We will also add a budget policy. Since the definition of this policy is created by the module and is not associated with any Management Group, we need to create the assignment file.

To achieve this, I created a file named policy_assignment_mg_custom_deploy_budget.json in the lib/policy_assignments folder with this content:

{
  "name": "Budget",
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
      "description": "Deploy a default budget on all subscriptions under the assigned scope",
      "displayName": "Deploy a default budget on all subscriptions under the assigned scope",
      "notScopes": [],
      "parameters": {},
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget",
      "nonComplianceMessages": [],
      "scope": "${current_scope_resource_id}",
      "enforcementMode": null
  },
  "location": "${default_location}",
  "identity": {
      "type": "SystemAssigned"
  }
}

So I updated the assignments in the archetype_definition_mg_example_custom.json file:

{
  "custom": {
    "policy_assignments": [
      "Deny-MgmtPorts-Internet",
      "Budget"
    ],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {},
      "access_control": {}
    }
  }
}

So now we need to update the archetype_id of the Management Group we created in caf_configure_custom_landing_zones. Notice that the name of the archetype_id I added is the same as the archetype_definition_mg_example_custom.json file.
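
A pre-apply consistency check for the library files above, added here as an example and not taken from this post's repository or the module's own code: it reads the archetype definition, returns its top-level key (the value archetype_id points at, custom here), and confirms that every policy_assignments entry resolves to an assignment by its name field. The function name check_archetype, the BUILTIN_ASSIGNMENTS set and the embedded JSON copies are assumptions constructed for illustration.

```python
import json

# Constructed copies of the two library files shown on this page.
ARCHETYPE = """{"custom": {"policy_assignments": ["Deny-MgmtPorts-Internet", "Budget"],
  "policy_definitions": [], "policy_set_definitions": [], "role_definitions": [],
  "archetype_config": {"parameters": {}, "access_control": {}}}}"""
BUDGET = """{"name": "Budget", "type": "Microsoft.Authorization/policyAssignments",
  "properties": {"policyDefinitionId":
    "/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget",
    "scope": "${current_scope_resource_id}", "enforcementMode": null},
  "location": "${default_location}", "identity": {"type": "SystemAssigned"}}"""

# Assumption: assignment names resolved from the module's built-in library.
# Only the one this page relies on is listed; extend it for your module version.
BUILTIN_ASSIGNMENTS = {"Deny-MgmtPorts-Internet"}
MG_ASSIGNMENT_NAME_MAX = 24  # Azure limit for assignment names at management group scope


def check_archetype(archetype_text, assignment_texts, builtin=BUILTIN_ASSIGNMENTS):
    """Return (archetype_id, problems) for one archetype definition file."""
    definition = json.loads(archetype_text)
    if len(definition) != 1:
        raise ValueError("expected exactly one top-level archetype key")
    archetype_id, body = next(iter(definition.items()))
    # Index custom assignment files by their "name" field, which is what the
    # archetype's policy_assignments array refers to (not the file name).
    custom = {a["name"]: a for a in map(json.loads, assignment_texts)}
    problems = []
    for name in body.get("policy_assignments", []):
        if len(name) > MG_ASSIGNMENT_NAME_MAX:
            problems.append(f"{name}: longer than {MG_ASSIGNMENT_NAME_MAX} characters")
        assignment = custom.get(name)
        if assignment is None:
            if name not in builtin:
                problems.append(f"{name}: no assignment file with this name")
            continue
        identity = assignment.get("identity", {}).get("type", "None")
        if identity != "None" and not assignment.get("location"):
            problems.append(f"{name}: managed identity requires a location")
        if assignment.get("properties", {}).get("enforcementMode") == "DoNotEnforce":
            problems.append(f"{name}: not enforced (DoNotEnforce)")
    return archetype_id, problems


if __name__ == "__main__":
    print(check_archetype(ARCHETYPE, [BUDGET]))
```

Running it against the first version of the archetype file plus an empty lib/policy_assignments folder is harmless, but once "Budget" is listed without its assignment file the check reports it before terraform plan does.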


With this, we are almost finished with the core submodule. In the next post, I will show how to modify a parameter of an associated policy, and then we will begin working on the management submodule. Stay tuned!


🔗 Check out the changes in the repository: https://github.com/diegosrp/azure-caf/core/new_archetype

This post is licensed under CC BY 4.0 by the author.