Dynamically assign parameter values for two different tenants

[Wopienkaatwork]

Hi everybody,
I have two tenants (dev & prod) both are working with ALZ (azure landingzones). Now I want to deploy policies for private dns zones which have their resourceid to the corresponding connectivity subscription.

My question is now how can I manage those tenant specific settings? Is there a way to provide a parameter file depending on the pac-environment. For instance the policy for app services - https://www.azadvertizer.net/azpolicyadvertizer/b318f84a-b872-429b-ac6d-a01b96814452.html - this policy requires the privatednszoneid. One approach would be to make a folder for test and prod and hardcode the resourcestring directly into the parameter, which seems a bit clumsy to me. I read through the CSV-approach but honestly I did not understand that.
Is there a better way to this?

[krallsm]

There is. It took me a second to understand and figure it out, but now that I do, I have much cleaner code for my assignments.

You'll want to reference this documentation: https://azure.github.io/enterprise-azure-policy-as-code/policy-assignments/

and specifically try out some assignments with children. It's pretty flexible and I don't think the documentation makes this super clear with its examples and wording.

Anything you want to be inherited, put those settings under the root node of your assignment and then anything you want to be different between the 2 tenants, put those settings under the children nodes.

So, for most of my assignments I'll define everything, including the shared parameters under a root node in the assignment and then in the child node, only designate the node name and parameters that I want to change.

Play around a little bit to get a better understanding of what can and can't be done. You don't want to define duplicate parameters and things, it'll error out on that, but once you get the hang of it, it should make good sense, and you should be able to minimize the amount of assignment files you have going on pretty well.

FWIW, I also prefer the json approach even for larger policy sets. I personally haven't run into the json limitations yet applying mostly the ALZ default policies.

[stateofthearb]

@krallsm Thanks a lot, I've read that link & as you say its not so clear to understand this root/child aspect. I understand what you saying but think it would add up more if I could see a working example. Are you able to provide one?

We've been using the multi folder approach for multi tenant & looking for another approach as not the cleanest. I've been playing around with the nodes a bit & think I've got to concept. I take it I can just create different scopes in each child & then EPAC knows to apply the specific params/property values in each child node to that tenant via the PAC Selectors in the scopes?

[krallsm]

@krallsm Thanks a lot, I've read that link & as you say its not so clear to understand this root/child aspect. I understand what you saying but think it would add up more if I could see a working example. Are you able to provide one?

We've been using the multi folder approach for multi tenant & looking for another approach as not the cleanest. I've been playing around with the nodes a bit & think I've got to concept. I take it I can just create different scopes in each child & then EPAC knows to apply the specific params/property values in each child node to that tenant via the PAC Selectors in the scopes?

@stateofthearb

I'll provide this example, I hope it helps. It is VERY flexible and you can shift your variables/sections to anywhere within the tree and it should inherit as you'd expect. Another great example(s) to reference is the ones included with the EPAC repo. My example is just for applying one policy set, whereas the included example on the repo deploys multiple policy sets/definitions in one file. It all works the same. Over time, I'll be continually consolidating my current assignments into less files like they've done in the repo. I had just already created everything in so many files before I figured out how to do it like they have.

EDIT: sorry, idk how to get it to format my code in my comment, but you can copy/paste this and Ctrl+Alt+F to format it in vscode
{ "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", "nodeName": "/root", "definitionEntry": { "policySetName": "Deploy-MDFC-Config_20240319" }, "assignment": { "name": "Deploy-MDFC-Config-H224", "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud and Security Contacts" }, "parameters": { "minimalSeverity" :"High", "createResourceGroup": true, "ascExportResourceGroupName": "asc-export-alz", "ascExportResourceGroupLocation": "westeurope", "vulnerabilityAssessmentProvider": "default", "enableTvmCheck": "DeployIfNotExists", "enableAscForServers": "DeployIfNotExists", "enableAscForCosmosDbs": "DeployIfNotExists", "enableAscForAppServices": "DeployIfNotExists", "enableAscForStorage": "DeployIfNotExists", "enableAscForOssDb": "DeployIfNotExists", "enableAscForKeyVault": "DeployIfNotExists", "enableAscForArm": "DeployIfNotExists", "enableAscForSqlOnVm": "DeployIfNotExists", "enableAscForContainers": "DeployIfNotExists", "enableAscForServersVulnerabilityAssessments": "DeployIfNotExists", "enableAscForSql": "DeployIfNotExists", "enableAscForCspm": "DeployIfNotExists" }, "children": [ { "nodeName": "/Tenant1", "parameters": { "emailSecurityContact": "[email protected]", "logAnalytics": "<log analytics worksapce id>" }, "scope": { "EpacSelectorTenant1": [ "/providers/Microsoft.Management/managementGroups/alz" ] } }, { "nodeName": "/Tenant2", "parameters": { "emailSecurityContact": "[email protected]", "logAnalytics": "<log analytics workspace id" }, "scope": { "EpacSelectorTenant2": [ "/providers/Microsoft.Management/managementGroups/alz" ] } } ], "overrides": [], "nonComplianceMessages": [ { "message": "Microsoft Defender for Cloud and Security Contacts must be deployed." } ], "resourceSelectors": [], "enforcementMode": "Default", "managedIdentityLocations": { "*": "westeurope" } }

[stateofthearb]

@krallsm thank you that is VERY helpful & just what I was looking for! Thanks for the GitHub ref also, I had looked through the repo but missed those. I think having multiple policy sets/definitions in one file would be useful & simplify/consolidate some assignments.
Appreciate you getting back so quickly, take care.