refactor: Separation of policy assignments module to avoid hitting ARM size limit and include workload specific policy assignments #975
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
changed the title
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
oZakari
temporarily deployed
to
BicepUpdateDocumentation
GitHub Actions
Inactive
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
…m/Azure/ALZ-Bicep into policy-assignment-module-refactor
oZakari
temporarily deployed
to
BicepUpdateDocumentation
GitHub Actions
Inactive
oZakari
had a problem deploying
to
BicepUpdateDocumentation
GitHub Actions
Failure
There was a problem hiding this comment.
Pull Request Overview
This PR refactors the policy assignments module to separate workload-specific policy assignments, addressing ARM template size limitations while streamlining the documentation and codebase.
- Added documentation for the new workload-specific policy assignments module.
- Adjusted the order and descriptions in both policy assignments and deployment documentation.
- Removed deprecated types from the policy assignments Bicep file.
Reviewed Changes
Copilot reviewed 45 out of 45 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docs/wiki/AssigningPolicies.md | Updated to reference the new workload-specific module and adjusted the instructions for policy assignment exclusion. |
| infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md | Revised parameter documentation to reflect changes in policy enforcement and removed deprecated parameters. |
| docs/wiki/AddingPolicyDefs.md | Removed the pre-requisites section to streamline the procedure for adding custom policy definitions. |
| docs/wiki/DeploymentFlow.md | Updated the module deployment order and added the workload-specific policy assignments row. |
oZakari
temporarily deployed
to
BicepUpdateDocumentation
GitHub Actions
Inactive
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview/Summary
As part of the PR, I have created a new module called workloadSpecificPolicyAssignments.bicep which is used to assign all of the policies here. Although assigned, they are set to DoNotEnforce which equates to putting them in audit mode.
I have also refactored the alzDefaultPolicyAssignments.bicep file to remove the Sovereign Landing Zone policy assignments and exemptions (and associated parameters) which have now been moved to the workloadSpecificPolicyAssignments.bicep. This change implemented to reduce the size of the compiled deployment in relation to this issue.
Related Issues/Work Items
Fixed AB#202503
This PR fixes/adds/changes/removes
Configuration Updates:
accelerator/.config/ALZ-Powershell-Auto.config.jsonfile. This includes specifying the template and parameter file paths, management group ID, deployment type, and order.Documentation Updates:
AssigningPolicies.mdfile to include the new workload-specific policy assignments module and removed the pre-requisites section. [1] [2]DeploymentFlow.mdfile to include the new workload-specific policy assignments module in the deployment order. [1] [2]Codebase Simplification:
policyAssignmentSovereigntyGlobalOptionsTypeandpolicyAssignmentSovereigntyConfidentialOptionsTypetypes from thealzDefaultPolicyAssignments.bicepfile.Breaking Changes
This PR introduces breaking changes with the alzDefaultPolicyAssignments.bicep module as we have removed the following parameters associated to Sovereign Landing Zones. These associated policy assignments and exemptions have been moved to the workloadSpecificPolicyAssignments.bicep module.
Testing Evidence
Replace this with any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).
As part of this Pull Request I have
.bicepfile/s I am adding/editing are using the latest API version possiblemainbranch