[CES-760] Added Azure Policies configuration (#294)

pagopa · Feb 24, 2025 · 3dcbe66 · 3dcbe66
1 parent 7bc5adb
commit 3dcbe66
Show file tree

Hide file tree

Showing 10 changed files with 315 additions and 0 deletions.
diff --git a/infra/policy/README.md b/infra/policy/README.md
@@ -0,0 +1,91 @@
+# DX - Azure Policy
+
+This directory contains shared Azure Policy rules that any team can choose to apply to its own Azure subscriptions to ensure consistent governance across different environments.
+Additionally, the `dev` directory contains Terraform code used to deploy the defined Policy Rules to the DX development subscription on Azure.`
+
+## Repository Structure
+
+```shell
+infra/
+├── policy/
+│   ├── _policy_rules/        # Contains JSON files defining shared policy rules and parameters
+│   ├── dev/                  # Policies assigned to the development environment (DEV-ENGINEERING)
+```
+
+## Policy Rules (`infra/policy/_policy_rules`)
+
+This directory contains JSON files that define policy rules to be used in Azure, and the JSON file that define the policy rules parameters. These files specify permissions and constraints that can be assigned to users, groups, or services.
+
+## Environment-Specific Policies (`infra/policy/dev`)
+
+These directory contain Terraform resources that deploys the defined policy rules into the provided Azure resources (e.g., Subscriptions).
+
+## Configuration
+
+Each repository that needs to apply a policy must replicate the same structure within the `infra` directory, excluding `_policy_rules`. Terraform resources must reference the policy rules and parameters definition from the `dx` repository. For example:
+
+```hcl
+# infra/policy/prod/policy_specific_tags.tf
+
+data "http" "specific_tags_policy_rule" {
+  url = "https://raw.githubusercontent.com/pagopa/dx/refs/heads/main/infra/policy/_policy_rules/specific_tags_rule_v1.json"
+}
+
+data "http" "specific_tags_policy_parameters" {
+  url = "https://raw.githubusercontent.com/pagopa/dx/refs/heads/main/infra/policy/_policy_rules/specific_tags_paramenters_v1.json"
+}
+
+
+resource "azurerm_policy_definition" "specific_tags_policy" {
+  name         = "${module.naming_convention.project}-specific-tags-policy"
+  policy_type  = "Custom"
+  mode         = "Indexed"
+  display_name = "DevEx Enforce specific tags and values on resources"
+  description  = "Ensures that resources have specific tags and values during creation."
+
+  metadata = jsonencode({
+    category = "Custom DevEx"
+    version  = "1.0.0"
+  })
+
+  policy_rule = file(data.http.specific_tags_policy_rule.response_body)
+
+  parameters = file(data.http.specific_tags_policy_parameters.response_body)
+}
+
+
+resource "azurerm_subscription_policy_assignment" "specific_tags_assignment" {
+  name                 = "${module.naming_convention.project}-specific-tags-assignment"
+  display_name         = "DevEx Enforce specific tags and values on resources"
+  policy_definition_id = azurerm_policy_definition.specific_tags_policy.id
+  subscription_id      = data.azurerm_subscription.current.id
+
+  parameters = jsonencode({
+    "CostCenter" = {
+      "value" = "TS000 - Tecnologia e Servizi"
+    },
+    "BusinessUnit" = {
+      "value" = [
+        "App IO",
+        "CGN",
+        "Carta della Cultura",
+        "IT Wallet",
+      ]
+    },
+    "ManagementTeam" = {
+      "value" = [
+        "IO Enti & Servizi",
+        "IO Platform",
+        "IO Wallet",
+        "IO Comunicazione",
+        "IO Autenticazione",
+        "IO Bonus & Pagamenti",
+        "IO Firma",
+      ]
+    },
+    "SourceOrg" = {
+      "value" = "pagopa"
+    }
+  })
+}
+```
diff --git a/infra/policy/_policy_rules/specific_tags_parameters_v1.json b/infra/policy/_policy_rules/specific_tags_parameters_v1.json
@@ -0,0 +1,30 @@
+{
+  "CostCenter": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Allowed CostCenter",
+      "description": "Specify the allowed CostCenter value."
+    }
+  },
+  "BusinessUnit": {
+    "type": "Array",
+    "metadata": {
+      "displayName": "Allowed Business Units",
+      "description": "Specify the allowed Business Units."
+    }
+  },
+  "ManagementTeam": {
+    "type": "Array",
+    "metadata": {
+      "displayName": "Allowed Management Teams",
+      "description": "Specify the allowed Management Teams."
+    }
+  },
+  "SourceOrg": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Allowed GitHub Organization",
+      "description": "Specify the allowed GitHub organization for source tagging."
+    }
+  }
+}
diff --git a/infra/policy/_policy_rules/specific_tags_rule_v1.json b/infra/policy/_policy_rules/specific_tags_rule_v1.json
@@ -0,0 +1,49 @@
+{
+  "if": {
+    "anyOf": [
+      {
+        "field": "tags.CostCenter",
+        "notEquals": "[parameters('CostCenter')]"
+      },
+      {
+        "field": "tags.CreatedBy",
+        "notIn": [
+          "Terraform",
+          "ARM",
+          "AzurePortal"
+        ]
+      },
+      {
+        "field": "tags.Environment",
+        "notIn": [
+          "Prod",
+          "Dev",
+          "Uat"
+        ]
+      },
+      {
+        "field": "tags.BusinessUnit",
+        "notIn": "[parameters('BusinessUnit')]"
+      },
+      {
+        "allOf": [
+          {
+            "field": "tags.CreatedBy",
+            "equals": "Terraform"
+          },
+          {
+            "field": "tags.Source",
+            "notLike": "[concat('https://github.com/', parameters('SourceOrg'), '/*')]"
+          }
+        ]
+      },
+      {
+        "field": "tags.ManagementTeam",
+        "notIn": "[parameters('ManagementTeam')]"
+      }
+    ]
+  },
+  "then": {
+    "effect": "deny"
+  }
+}
diff --git a/infra/policy/dev/.terraform.lock.hcl b/infra/policy/dev/.terraform.lock.hcl
diff --git a/infra/policy/dev/README.md b/infra/policy/dev/README.md
@@ -0,0 +1,37 @@
+# dev
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.19.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_naming_convention"></a> [naming\_convention](#module\_naming\_convention) | pagopa/dx-azure-naming-convention/azurerm | ~> 0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_policy_definition.specific_tags_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
+| [azurerm_subscription_policy_assignment.specific_tags_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/infra/policy/dev/data.tf b/infra/policy/dev/data.tf
@@ -0,0 +1 @@
+data "azurerm_subscription" "current" {}
diff --git a/infra/policy/dev/locals.tf b/infra/policy/dev/locals.tf
@@ -0,0 +1,10 @@
+locals {
+  environment = {
+    prefix          = "dx"
+    env_short       = "d"
+    location        = "italynorth"
+    domain          = "az"
+    instance_number = "01"
+    app_name        = "policy"
+  }
+}
diff --git a/infra/policy/dev/main.tf b/infra/policy/dev/main.tf
@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4"
+    }
+  }
+
+  backend "azurerm" {
+    resource_group_name  = "terraform-state-rg"
+    storage_account_name = "tfdevdx"
+    container_name       = "terraform-state"
+    key                  = "dx.policy.dev.italynorth.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {
+  }
+  storage_use_azuread = true
+}
+
+module "naming_convention" {
+  source      = "pagopa/dx-azure-naming-convention/azurerm"
+  version     = "~> 0"
+  environment = local.environment
+}
diff --git a/infra/policy/dev/policy_specific_tags.tf b/infra/policy/dev/policy_specific_tags.tf
@@ -0,0 +1,42 @@
+resource "azurerm_policy_definition" "specific_tags_policy" {
+  name         = "${module.naming_convention.project}-specific-tags-policy"
+  policy_type  = "Custom"
+  mode         = "Indexed"
+  display_name = "DevEx Enforce specific tags and values on resources"
+  description  = "Ensures that resources have specific tags and values during creation."
+
+  metadata = jsonencode({
+    category = "Custom DevEx"
+    version  = "1.0.0"
+  })
+
+  policy_rule = file("../_policy_rules/specific_tags_rule_v1.json")
+
+  parameters = file("../_policy_rules/specific_tags_parameters_v1.json")
+}
+
+resource "azurerm_subscription_policy_assignment" "specific_tags_assignment" {
+  name                 = "${module.naming_convention.project}-specific-tags-assignment"
+  display_name         = "DevEx Enforce specific tags and values on resources"
+  policy_definition_id = azurerm_policy_definition.specific_tags_policy.id
+  subscription_id      = data.azurerm_subscription.current.id
+
+  parameters = jsonencode({
+    "CostCenter" = {
+      "value" = "TS000 - Tecnologia e Servizi"
+    },
+    "BusinessUnit" = {
+      "value" = [
+        "DevEx",
+      ]
+    },
+    "ManagementTeam" = {
+      "value" = [
+        "Developer Experience",
+      ]
+    },
+    "SourceOrg" = {
+      "value" = "pagopa"
+    }
+  })
+}
diff --git a/infra/policy/dev/tfmodules.lock.json b/infra/policy/dev/tfmodules.lock.json
@@ -0,0 +1,3 @@
+{
+  "naming_convention": "5b1d21788783dcf33e17a9842f9f7c874c8c5f736c82e70979eb9c8785a74ce4"
+}