deployment

package
v0.28.3
Published: Sep 5, 2025 License: MIT Imports: 20 Imported by: 0

Documentation

Overview

Package deployment contains the types and methods for managing the deployment of an Azure management group hierarchy using the supplied Alzlib.

Index

Constants

const (
	// ManagementGroupIDFmt is the format string for management group resource IDs in Azure.
	ManagementGroupIDFmt = "/providers/Microsoft.Management/managementGroups/%s"

	// PolicyAssignmentIDFmt is the format string for policy assignment resource IDs in Azure.
	PolicyAssignmentIDFmt = "/providers/Microsoft.Management/managementGroups/%s" +
		"/providers/Microsoft.Authorization/policyAssignments/%s"

	// PolicyDefinitionIDFmt is the format string for policy definition resource IDs in Azure.
	PolicyDefinitionIDFmt = "/providers/Microsoft.Management/managementGroups/%s" +
		"/providers/Microsoft.Authorization/policyDefinitions/%s"

	// PolicySetDefinitionIDFmt is the format string for policy set definition resource IDs in Azure.
	PolicySetDefinitionIDFmt = "/providers/Microsoft.Management/managementGroups/%s" +
		"/providers/Microsoft.Authorization/policySetDefinitions/%s"

	// RoleDefinitionIDFmt is the format string for role definition resource IDs in Azure.
	RoleDefinitionIDFmt = "/providers/Microsoft.Management/managementGroups/%s" +
		"/providers/Microsoft.Authorization/roleDefinitions/%s"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type FSWriter added in v0.28.0

type FSWriter struct {
	// contains filtered or unexported fields
}

FSWriter writes a Hierarchy to the local filesystem.

func NewFSWriter added in v0.28.0

func NewFSWriter(opt FSWriterOptions) *FSWriter

NewFSWriter creates a new filesystem writer with optional configuration.

func (*FSWriter) Write added in v0.28.0

func (w *FSWriter) Write(ctx context.Context, h *Hierarchy, outDir string) error

Write implements HierarchyWriter.

type FSWriterOptions added in v0.28.0

type FSWriterOptions struct {
	// number of times to escape ARM expressions in policy definitions
	ArmEscapePolicyDefinitions uint
	// number of times to escape ARM expressions in policy set definitions
	ArmEscapePolicySetDefinitions uint
	// number of times to escape ARM expressions in role definitions
	ArmEscapeRoleDefinitions uint
	// number of times to escape ARM expressions in policy assignments
	ArmEscapePolicyAssignments uint
	// options for customization of policy set definitions
	PolicySetOptions FSWriterPolicySetOptions
}

FSWriterOptions defines options for the filesystem writer.

type FSWriterPolicySetOptions added in v0.28.0

type FSWriterPolicySetOptions struct {
	// if true, replaces custom policy definition references in policy set definitions
	CustomPolicyDefinitionReferencesUpdate bool
	// regular expression to match custom policy definition references
	CustomPolicyDefinitionReferenceRegExp *regexp.Regexp
	// value to replace custom policy definition references
	CustomPolicyDefinitionReferenceReplaceValue string
}

FSWriterPolicySetOptions defines options for the policy set definitions.

type Hierarchy

type Hierarchy struct {
	// contains filtered or unexported fields
}

Hierarchy represents a deployment of an Azure management group hierarchy. Do not create this struct directly; use NewHierarchy instead.

func NewHierarchy

func NewHierarchy(alzlib *alzlib.AlzLib) *Hierarchy

NewHierarchy creates a new Hierarchy with the given AlzLib.

func (*Hierarchy) AddDefaultPolicyAssignmentValue added in v0.19.0

func (h *Hierarchy) AddDefaultPolicyAssignmentValue(
	_ context.Context,
	defaultName string,
	defaultValue *armpolicy.ParameterValuesValue,
) error

AddDefaultPolicyAssignmentValue adds a default policy assignment value to the hierarchy.

func (*Hierarchy) FromArchitecture

func (h *Hierarchy) FromArchitecture(
	ctx context.Context,
	arch, externalParentID, location string,
) error

FromArchitecture creates a hierarchy from the given architecture.

func (*Hierarchy) ManagementGroup

func (h *Hierarchy) ManagementGroup(name string) *HierarchyManagementGroup

ManagementGroup returns the management group with the given name.

func (*Hierarchy) ManagementGroupNames

func (h *Hierarchy) ManagementGroupNames() []string

ManagementGroupNames returns the management group names as a slice of strings.

func (*Hierarchy) ManagementGroupsAtLevel

func (h *Hierarchy) ManagementGroupsAtLevel(level int) map[string]*HierarchyManagementGroup

ManagementGroupsAtLevel returns the management groups from the given level as a map of string to *HierarchyManagementGroup.

func (*Hierarchy) PolicyRoleAssignments

func (h *Hierarchy) PolicyRoleAssignments(
	_ context.Context,
) (mapset.Set[PolicyRoleAssignment], error)

PolicyRoleAssignments returns the role assignments required by the hierarchy's policy assignments. The error returned may be a PolicyRoleAssignmentErrors, which contains a slice of errors, so that callers can choose to issue a warning instead of halting the process.

type HierarchyManagementGroup

type HierarchyManagementGroup struct {
	// contains filtered or unexported fields
}

HierarchyManagementGroup represents an Azure Management Group within a hierarchy, with links to parent and children.

func (*HierarchyManagementGroup) Children

Children returns the children of the management group.

func (*HierarchyManagementGroup) DisplayName

func (mg *HierarchyManagementGroup) DisplayName() string

DisplayName returns the display name of the management group.

func (*HierarchyManagementGroup) Exists added in v0.15.0

func (mg *HierarchyManagementGroup) Exists() bool

Exists reports whether the management group exists.

func (*HierarchyManagementGroup) HasParent

func (mg *HierarchyManagementGroup) HasParent(id string) bool

HasParent reports whether the management group has the given parent. It only works for internal parents.

func (*HierarchyManagementGroup) Level added in v0.15.0

func (mg *HierarchyManagementGroup) Level() int

Level returns the level of the management group in the hierarchy.

func (*HierarchyManagementGroup) Location added in v0.15.0

func (mg *HierarchyManagementGroup) Location() string

Location returns the default location to use for artifacts in the management group.

func (HierarchyManagementGroup) MarshalJSON added in v0.20.0

func (mg HierarchyManagementGroup) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for HierarchyManagementGroup.

func (*HierarchyManagementGroup) ModifyPolicyAssignment

func (mg *HierarchyManagementGroup) ModifyPolicyAssignment(
	name string,
	parameters map[string]*armpolicy.ParameterValuesValue,
	enforcementMode *armpolicy.EnforcementMode,
	nonComplianceMessages []*armpolicy.NonComplianceMessage,
	identity *armpolicy.Identity,
	resourceSelectors []*armpolicy.ResourceSelector,
	overrides []*armpolicy.Override,
) error

ModifyPolicyAssignment modifies an existing policy assignment in the management group. The supplied values are deep merged into the existing assignment.

func (*HierarchyManagementGroup) Name

func (mg *HierarchyManagementGroup) Name() string

Name returns the name/id of the management group.

func (*HierarchyManagementGroup) Parent

Parent returns the parent management group. If the parent is external, the result is nil.

func (*HierarchyManagementGroup) ParentID added in v0.27.0

func (mg *HierarchyManagementGroup) ParentID() string

ParentID returns the ID of the parent management group. If an external parent is set, its ID is preferred. If neither an internal nor an external parent is set, an empty string is returned (though this should never happen).

func (*HierarchyManagementGroup) ParentIsExternal

func (mg *HierarchyManagementGroup) ParentIsExternal() bool

ParentIsExternal reports whether the parent management group is external.

func (*HierarchyManagementGroup) PolicyAssignmentMap

func (mg *HierarchyManagementGroup) PolicyAssignmentMap() map[string]*assets.PolicyAssignment

PolicyAssignmentMap returns a copy of the policy assignments map.

func (*HierarchyManagementGroup) PolicyDefinitionsMap

func (mg *HierarchyManagementGroup) PolicyDefinitionsMap() map[string]*assets.PolicyDefinition

PolicyDefinitionsMap returns a copy of the policy definitions map.

func (*HierarchyManagementGroup) PolicySetDefinitionsMap

func (mg *HierarchyManagementGroup) PolicySetDefinitionsMap() map[string]*assets.PolicySetDefinition

PolicySetDefinitionsMap returns a copy of the policy set definitions map.

func (*HierarchyManagementGroup) ResourceID added in v0.27.0

func (mg *HierarchyManagementGroup) ResourceID() string

ResourceID returns the resource ID of the management group.

func (*HierarchyManagementGroup) RoleDefinitionsMap

func (mg *HierarchyManagementGroup) RoleDefinitionsMap() map[string]*assets.RoleDefinition

RoleDefinitionsMap returns a copy of the role definitions map.

type HierarchyWriter added in v0.28.0

type HierarchyWriter interface {
	// Write exports the hierarchy to outDir. Each management group becomes a directory
	// (nested according to parent/child), and each asset (policy assignment/definition,
	// policy set definition, role definition) is written as a separate JSON file named
	// using the asset JSON .name plus a type-specific suffix.
	Write(ctx context.Context, h *Hierarchy, outDir string) error
}

HierarchyWriter writes a Hierarchy to a target location. Implementations should mirror the management group hierarchy on the target.

type PolicyRoleAssignment

type PolicyRoleAssignment struct {
	RoleDefinitionID  string `json:"role_definition_id,omitempty"`
	Scope             string `json:"scope,omitempty"`
	AssignmentName    string `json:"assignment_name,omitempty"`
	ManagementGroupID string `json:"management_group_id,omitempty"`
}

PolicyRoleAssignment represents the role assignments that need to be created for a management group. Since system-assigned identities may be in use, the principal ID is not known until after the deployment. This data can therefore be used to create the role assignments after the deployment.

type PolicyRoleAssignmentError added in v0.23.1

type PolicyRoleAssignmentError struct {
	// contains filtered or unexported fields
}

PolicyRoleAssignmentError represents an error that occurred while generating a role assignment for a policy assignment.

func NewPolicyRoleAssignmentError added in v0.23.1

func NewPolicyRoleAssignmentError(
	assignmentName string,
	assignmentScope string,
	defParameterName string,
	pdref string,
	roleDefinitionIDs []string,
	innerError error,
) *PolicyRoleAssignmentError

NewPolicyRoleAssignmentError creates a new PolicyRoleAssignmentError with the provided parameters.

func (*PolicyRoleAssignmentError) Error added in v0.23.1

func (e *PolicyRoleAssignmentError) Error() string

Error implements the error interface.

func (*PolicyRoleAssignmentError) Unwrap added in v0.24.0

func (e *PolicyRoleAssignmentError) Unwrap() error

type PolicyRoleAssignmentErrors added in v0.23.1

type PolicyRoleAssignmentErrors struct {
	// contains filtered or unexported fields
}

PolicyRoleAssignmentErrors represents a collection of PolicyRoleAssignmentError. It can be used by the caller to emit a warning rather than halt execution.

func NewPolicyRoleAssignmentErrors added in v0.23.1

func NewPolicyRoleAssignmentErrors() *PolicyRoleAssignmentErrors

NewPolicyRoleAssignmentErrors creates a new PolicyRoleAssignmentErrors collection.

func (*PolicyRoleAssignmentErrors) Add added in v0.23.1

Add adds one or more PolicyRoleAssignmentError to the collection.

func (*PolicyRoleAssignmentErrors) Error added in v0.23.1

Error implements the error interface.

func (*PolicyRoleAssignmentErrors) Errors added in v0.23.1

Errors returns the collection of PolicyRoleAssignmentError.
