ALZ Custom (#4)

richeney · Richard Cheney · web-flow · commit 95fb1853ec68 · 2025-12-11T13:51:15.000Z
* Test switch to alz_custom with no overrides

* Backend as well

---------

Co-authored-by: Richard Cheney &lt;richeney@microsoft.com&gt;
diff --git a/create-backend-config.sh b/create-backend-config.sh
@@ -0,0 +1,67 @@
+vars=$(gh variable list --json name,value | jq 'map({(.name): .value}) | add')
+sub="$(jq -r .AZURE_SUBSCRIPTION_ID <<< $vars)"
+rg="$(jq -r .BACKEND_AZURE_RESOURCE_GROUP_NAME <<< $vars)"
+sa="$(jq -r .BACKEND_AZURE_STORAGE_ACCOUNT_NAME <<< $vars)"
+container="$(jq -r .BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME <<< $vars)"
+
+cat > terraform_override.tf << EOF
+# Overrides to enable local terraform plan
+
+terraform {
+  backend "azurerm" {
+    use_azuread_auth     = true
+    subscription_id      = "$sub"
+    resource_group_name  = "$rg"
+    storage_account_name = "$sa"
+    container_name       = "$container"
+    key                  = "terraform.tfstate"
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "$(jq -r .AZURE_SUBSCRIPTION_ID <<< $vars)"
+}
+EOF
+echo "Created terraform_override.tf using the GitHub Actions variables"
+
+# Add Blob Reader role
+id="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$sa"
+scope="$id/blobServices/default/containers/$container"
+az role assignment create --role "Storage Blob Data Reader" --scope $scope --assignee $(az ad signed-in-user show --query id -otsv)
+
+# Allow my public IP
+public_ip=$(curl -s ipinfo.io/ip)
+az storage account update --ids "$id" --public-network-access Enabled --default-action Deny
+az storage account network-rule add --subscription "$sub" --resource-group "$rg" --account-name  "$id" --ip-address "$public_ip"
+
+address_space=$(curl -s ipinfo.io/ip | cut -d. -f1-2).0.0/16
+az storage account update --ids "$id" --public-network-access Enabled --default-action Deny
+az storage account network-rule add --subscription "$sub" --resource-group "$rg" --account-name "$sa" --ip-address "$address_space"
+
+# terraform init -reconfigure
+# terraform plan -lock=false
+# Update terraform.tf
+
+# provider "alz" {
+  # library_overwrite_enabled = true
+  # library_references = [
+    # {
+      # path = "platform/alz"
+      # ref  = "2025.09.3"
+    # },
+    # {
+      # custom_url = "${path.root}/lib"
+    # }
+  # ]
+# }
+
+# ~/git/alz-mgmt (main) $ ll -d ./.alzlib/*/*
+# drwxr-xr-x 9 richeney richeney 4096 Dec 10 15:50 ./.alzlib/769917479/886ca76d4870965724e41c9252e7a75fb9eca3fb344838088f95f084
+# lrwxrwxrwx 1 richeney richeney   31 Dec 10 15:50 ./.alzlib/769917479/97a0913ff236482dbc5bfba9a9e8c81f1f2c883ef66f22fa680d019d -> /home/richeney/git/alz-mgmt/lib
+# first level is generated, second is possibly a hash - predictable value regardless
+
+# Update management_groups module with   architecture_name  = "alz_custom"
+# Plan and undo
+
+# <https://azure.github.io/Azure-Landing-Zones/accelerator/startermodules/terraform-platform-landing-zone/options/slz>
+# I have copied the original and manually renamed the new one created in as lib/architecture_definitions/slz_custom.alz_architecture_definition.yaml
diff --git a/lib/alz_library_metadata.json b/lib/alz_library_metadata.json
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json",
+  "name": "local",
+  "display_name": "ALZ Accelerator - Azure Verified Modules for SLZ Platform Landing Zone",
+  "description": "This library allows overriding policies, archetypes, and management group architecture in the ALZ Accelerator.",
+  "dependencies": [
+    {
+      "path": "platform/slz",
+      "ref": "2025.10.1"
+    }
+  ]
+}
diff --git a/lib/archetype_definitions/confidential_corp_custom.alz_archetype_override.yaml b/lib/archetype_definitions/confidential_corp_custom.alz_archetype_override.yaml
@@ -0,0 +1,13 @@
+base_archetype: confidential_corp
+name: confidential_corp_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: [
+# To remove the private DNS zones policy for private endpoints
+  # Deploy-Private-DNS-Zones,
+]
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/confidential_online_custom.alz_archetype_override.yaml b/lib/archetype_definitions/confidential_online_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: confidential_online
+name: confidential_online_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/connectivity_custom.alz_archetype_override.yaml b/lib/archetype_definitions/connectivity_custom.alz_archetype_override.yaml
@@ -0,0 +1,13 @@
+base_archetype: connectivity
+name: connectivity_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: [
+# To remove the DDOS modify policy, uncomment the following line:
+  # Enable-DDoS-VNET,
+]
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/corp_custom.alz_archetype_override.yaml b/lib/archetype_definitions/corp_custom.alz_archetype_override.yaml
@@ -0,0 +1,13 @@
+base_archetype: corp
+name: corp_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: [
+# To remove the private DNS zones policy for private endpoints
+  # Deploy-Private-DNS-Zones,
+]
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/decommissioned_custom.alz_archetype_override.yaml b/lib/archetype_definitions/decommissioned_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: decommissioned
+name: decommissioned_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/identity_custom.alz_archetype_override.yaml b/lib/archetype_definitions/identity_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: identity
+name: identity_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/landing_zones_custom.alz_archetype_override.yaml b/lib/archetype_definitions/landing_zones_custom.alz_archetype_override.yaml
@@ -0,0 +1,21 @@
+base_archetype: landing_zones
+name: landing_zones_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: [
+# To remove AMA policies, uncomment the following lines:
+  # Deploy-MDFC-DefSQL-AMA,
+  # Deploy-VM-ChangeTrack,
+  # Deploy-VM-Monitoring,
+  # Deploy-vmArc-ChangeTrack,
+  # Deploy-vmHybr-Monitoring,
+  # Deploy-VMSS-ChangeTrack,
+  # Deploy-VMSS-Monitoring,
+# To remove the DDOS modify policy, uncomment the following line:
+  # Enable-DDoS-VNET,
+]
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/management_custom.alz_archetype_override.yaml b/lib/archetype_definitions/management_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: management
+name: management_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/online_custom.alz_archetype_override.yaml b/lib/archetype_definitions/online_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: online
+name: online_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/platform_custom.alz_archetype_override.yaml b/lib/archetype_definitions/platform_custom.alz_archetype_override.yaml
@@ -0,0 +1,20 @@
+base_archetype: platform
+name: platform_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: [
+# To disable AMA policies, uncomment the following lines:
+  # DenyAction-DeleteUAMIAMA,
+  # Deploy-MDFC-DefSQL-AMA,
+  # Deploy-VM-ChangeTrack,
+  # Deploy-VM-Monitoring,
+  # Deploy-vmArc-ChangeTrack,
+  # Deploy-vmHybr-Monitoring,
+  # Deploy-VMSS-ChangeTrack,
+  # Deploy-VMSS-Monitoring,
+]
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/public_custom.alz_archetype_override.yaml b/lib/archetype_definitions/public_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: public
+name: public_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/root_custom.alz_archetype_override.yaml b/lib/archetype_definitions/root_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: root
+name: root_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/sandbox_custom.alz_archetype_override.yaml b/lib/archetype_definitions/sandbox_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: sandbox
+name: sandbox_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/security_custom.alz_archetype_override.yaml b/lib/archetype_definitions/security_custom.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: security
+name: security_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/archetype_definitions/sovereign_root.alz_archetype_override.yaml b/lib/archetype_definitions/sovereign_root.alz_archetype_override.yaml
@@ -0,0 +1,10 @@
+base_archetype: sovereign_root
+name: sovereign_root_custom
+policy_assignments_to_add: []
+policy_assignments_to_remove: []
+policy_definitions_to_add: []
+policy_definitions_to_remove: []
+policy_set_definitions_to_add: []
+policy_set_definitions_to_remove: []
+role_definitions_to_add: []
+role_definitions_to_remove: []
diff --git a/lib/architecture_definitions/alz_custom.alz_architecture_definition.yaml b/lib/architecture_definitions/alz_custom.alz_architecture_definition.yaml
@@ -0,0 +1,78 @@
+name: alz_custom
+management_groups:
+  - id: alz
+    display_name: Azure Landing Zones
+    archetypes:
+      - root_custom
+    exists: false
+    parent_id: null
+
+  - id: platform
+    display_name: Platform
+    archetypes:
+      - platform_custom
+    exists: false
+    parent_id: alz
+
+  - id: landingzones
+    display_name: Landing Zones
+    archetypes:
+      - landing_zones_custom
+    exists: false
+    parent_id: alz
+
+  - id: corp
+    display_name: Corp
+    archetypes:
+      - corp_custom
+    exists: false
+    parent_id: landingzones
+
+  - id: online
+    display_name: Online
+    archetypes:
+      - online_custom
+    exists: false
+    parent_id: landingzones
+
+  - id: sandbox
+    display_name: Sandbox
+    archetypes:
+      - sandbox_custom
+    exists: false
+    parent_id: alz
+
+  - id: security
+    display_name: Security
+    archetypes:
+      - security_custom
+    exists: false
+    parent_id: platform
+
+  - id: management
+    display_name: Management
+    archetypes:
+      - management_custom
+    exists: false
+    parent_id: platform
+
+  - id: connectivity
+    display_name: Connectivity
+    archetypes:
+      - connectivity_custom
+    exists: false
+    parent_id: platform
+
+  - id: identity
+    display_name: Identity
+    archetypes:
+      - identity_custom
+    exists: false
+    parent_id: platform
+
+  - id: decommissioned
+    display_name: Decommissioned
+    archetypes:
+      - decommissioned_custom
+    exists: false
+    parent_id: alz
diff --git a/lib/architecture_definitions/slz_custom.alz_architecture_definition.yaml b/lib/architecture_definitions/slz_custom.alz_architecture_definition.yaml
diff --git a/main.tf b/main.tf
diff --git a/terraform.tf b/terraform.tf
