💡 Feature Request - Identity module

[KiZach]

Describe the solution you'd like

How do you see a module for the Identity part of the ALZ concept?

The module should include these features:

• ‘All’ infrastructure management resources.
• Multiple subscriptions support.
• Multiple regions, single subscription support.
• Domain controller supported deployment (Data disk and caching settings).
• Deployment of Gen2 trusted VM(s) for domain controller role.
• Keyvault with autogenerated initial login credentials.
• Network and peering like a spoke network but for ADDS services.
• NSG protected subnet with ADDS default rules included.
• NSG protected RDP access from only trusted IP(s). PAWs, jumstations etc.
• Backup vault deployed and configured.
• Added to central Log Analytics workspace for update and OS management.
• Other infrastructure parts like tags, etc.

Describe alternatives you've considered

We will have to do this either way, so more if you see this as part of this project as an extra module?

Additional context

Feel free to reach out if we should discuss this offline.

[jtracey93]

Hi @KiZach,

Thanks for raising this, we have been discussing internally in the core maintainer team for this project.

We like the idea; however, we must ensure that we maintain parity across the implementation options for ALZ/ESLZ (Terraform, Bicep, Portal etc.). 👍

We have reviewed the list of tasks you proposed, and we agree on the below that we would like to see in an "identity" module (more on this later).

Your Request	Yes/No	Notes
‘All’ infrastructure management resources.	❌	Not 100% clear on what you mean by 'All' however, the below seems like a more defined list of asks
Multiple subscriptions support.	✅	Agree, although this could be done by just looping the module without having support for it in the module itself?
Multiple regions, single subscription support.	✅	We don't prevent this today and again this could just be done by looping the module again with different parameter inputs
Domain controller supported deployment (Data disk and caching settings).	❌	We don't want to provide configuration of ADDS DCs as part of ALZ/ESLZ, as not all customers use AD and there are various ways to implement this depending on the customer. For this reason, we expect customers to do this once they have deployed ALZ/ESLZ and established the platform. To which they can then deploy whatever identity services into the identity subscription using plenty of other samples/examples that they can take and tweak to meet their needs
Deployment of Gen2 trusted VM(s) for domain controller role.	❌	As above
Keyvault with autogenerated initial login credentials.	❌	As above
Network and peering like a spoke network but for ADDS services.	✅	Agreed and we have the spokeNetworking and virtualNetworkPeering modules today that can be grouped together in a module to achieve this (to keep code DRY). But we will not create subnets as this is something we expect the workload team to want to configure as they desire
NSG protected subnet with ADDS default rules included.	✅❌	This is already done by the policy assignment to ensure every subnet has an NSG. However, as above we do not want to get into the details of ADDS in ALZ/ESLZ so won't include an NSG or Subnet for ADDS or any other service, just a blank peered VNET
NSG protected RDP access from only trusted IP(s). PAWs, jumpstations etc.	✅❌	This is already done by the policy assignment to ensure every subnet has an NSG and also the policy to not allow RDP/SSH from internet in an NSG rule. However, as above we do not want to get into the details of the workload side in ALZ/ESLZ so won't go further. However, we could look at deploying Bastion as an optional deployment into each spoke via this module to meet half way?
Backup vault deployed and configured.	✅❌	This is already enforced via a policy assignment on identity
Added to central Log Analytics workspace for update and OS management.	✅❌	This is already enforced via a policy assignment on identity
Other infrastructure parts like tags, etc.	✅	Agreed we are adding tags support for all resources soon on a feature we are tracking internally.

What we propose

We decided as a team to make a module, that wrap, orchestrates and uses existing modules we have like spokeNetworking and virtualNetworkPeering, that is effectively a Connected Spoke VNET module. This module will:

• Create a spoke VNET, using spokeNetworking module
• Peer it back to a hub VNET using virtualNetworkPeering module (optional)
• Place the subscription into a target management group using subPlacement module (optional)
• Support tags etc.

This module can then be looped itself to support to multiple regions/subscriptions asks you also had?

We are terming this new line of work as mini-orchestration modules which we are thinking to create in the following directory to avoid confusion with the base modules: ./infra-as-code/bicep/orchestration/<MODULE NAME>.

How does this sound to you @KiZach?

Let us know and then we can decide if this is something you'd like to work on via a PR or whether it's something we will create, as there are some other moving pieces that need to happen (potentially) before this can be done.

Let us know

Thanks

Jack

[KiZach]

Hi Jack,

Your answer makes perfect sense, in terms of keeping the project at the right level, and not get technology included like On-prem Active Directory, that might be replaced by Azure Active Directory Domain Services (AADDS) or other identity solutions going forward.

Yes, I can do the module in a PR from your description, and then we (Customer project) will build our own On-prem AD module on top of this new identity module. We will use the public modules from ‘Common Azure Resource Modules Library’ for the infrastructure components in our module.

So let us align on your statement ‘as there are some other moving pieces that need to happen (potentially) before this can be done.’ Then I will start module development.

Regards
Kim

[jtracey93]

Hi @KiZach,

Glad it makes sense. And nice to see you using CARML 👍

Requirements for new module

1. Name = hubPeeredSpoke
2. Module File Path = ./infra-as-code/bicep/orchestration/hubPeeredSpoke
3. Tasks it should handle:
   • Move subscription to target management group, using subPlacement module
   • Create Resource Group in subscription, using resourceGroup module
   • Create VNET in subscription, using spokeNetworking module
   • Peer VNET to hub VNET, using virtualNetworkPeering module

Things to be aware of

• @rjygraham is about to merge Standardize on parLocation for specifying Azure regions. #174
• We are working on an item to add tag support to all resources, but haven't started yet, so if you want to add this to the modules you will use, that would be ace 👍

I think that is everything, any question please reach out and keep us updated 👍

Really appreciate and looking forward to your contribution here 👍

Thanks

Jack

[KiZach]

@jtracey93

Does this hubPeeredSpoke module needs a 'customer usage attribution (PID)'? if yes, can I then create a GUID to use, or do you need to provide me with this in terms of backend registration?

Module is close to complete, but will wait for this PR #185 to merge. This is to support the module also can support Azure virtual WAN hubs.

[jtracey93]

Hi @KiZach,

Yes it does 👍 if you can generate one via 'New-GUID' and then add it to the docs etc and the module that would be great.

Thanks

Jack

[jtracey93]

Hey @KiZach, Just checking in for an update on where you are with the PR for this as discussed?

No rush, just wanted to know 👍

[olljanat]

@jtracey93 if I understand correctly hubPeeredSpoke is now combination of spokeNetworking and vnetPeering (+ some extras)?

How about those of us who want to use combination of hubNetworking and vnetPeering?

Currently what if deployment for hubNetworking tell that it would remove all vnet peers from our environment so I assume that something like hubPeeredNet is needed for that?

Also perhaps https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlowHS and https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlowVWAN should also contain comment about hubPeeredSpoke module?

[jtracey93]

Hey @olljanat,

Thanks for asking here 👍

Yes hubPeeredSpoke is a module to help you do the following, as per the docs here https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke:

• Subscription placement in Management Group hierarchy - if parPeeredVnetSubscriptionMGPlacement is specified
• Virtual Network (Spoke VNet)
• UDR - if parNextHopIPAddress and resource id of hub virtual network object is specified
• Hub to Spoke peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID
• Spoke to hub peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID
• Spoke to virtual WAN peering - if resource id of virtual WAN hub object is specified in parHubVirtualNetworkID

You can use this module to create the spoke VNet and peer it to the hub and optionally move its sub to a Management Group and create a UDR

Have you tested if the what if result is actually true? I don't think it will remove the peering's as these are child resources and separate. I think it may be false positive and possibly the same as Azure/arm-template-whatif#233

I think this module should meet your requirements of just doing the peering or have I misunderstood your requirement? Maybe a separate issue/feature request?

Completely agree about the doc references, I'll get that logged and done 👍

Thanks

Jack