Enable hierarchical assignment of Azure Management Groups & AWS Organizational Units in Landing Zones
planned
Jelle den Burger
I have updated this post to also reflect AWS Organizational Units, which pose the same situation and problem. We plan to implement similar solutions for both cloud providers.
Jelle den Burger
Merged in a post:
Freely move Organizational Units in AWS
Young-Hwan Kim
As a Cloud Foundation I want to re-organize my AWS Accounts depending on new organizational changes, for better structure and overview or similar. Therefore we would like to move AWS Accounts to other OUs (Organizational Units) - e.g. child OUs or complete new OU folders.
Currently, meshStack fails AWS replication if the AWS Account is moved to an AWS OU different from the OU defined in the Landing Zone.
To have more control over my platform I would like to have:
- a configuration setting for my platform to enable/disable a check whether the AWS Account is in the OU defined in the Landing Zone
- if the configuration is enabled, it would be great if the replicator also moved the AWS Account back to the defined OU when it has been moved, e.g. by accident or by a non-allowed movement.
Jelle den Burger
These use cases are planned as part of another feature request. I will merge it.
Jelle den Burger
planned
Jelle den Burger
Hey Sergej, thank you for your feature request.
I am not sure if I fully understand what it is you want to do within meshStack. Could you provide some more details about your idea?
Thanks :-)
Sergej Neumann
Hi Jelle den Burger, Azure Management Groups can be used as the scope for Reserved Instances, Savings Plans and Pre-Purchase Plans. Adding the subscriptions of your application to a Management Group allows you to share an RI across several subscriptions of your application.
Right now, the meshStack replicator automatically compares the membership of the subscription to the defined management group and corrects this in the case of a mismatch.
Best,
Sergej
Jelle den Burger
Sergej Neumann: Thanks for the elaboration!
This also sounds a bit like an expectation mismatch: the management group where these resources are shared and the management group of the landing zone are different? Or do I see that wrongly?
Would it help if the meshStack replicator leaves the management group assignment untouched?
Sergej Neumann
Jelle den Burger we want to use the hierarchy of the management groups. The new management group would be under the management group of the landing zone.
Your suggestion would help. However this would require adjustments in our backend. We will discuss this option internally and come back.
Jelle den Burger
Sergej Neumann: it sounds a bit similar to a solution we have for Google Cloud. There the replicator leaves folder assignments untouched (a folder is basically the same thing as a management group) as long as the tenant is assigned below the hierarchy of the folder that is defined in the landing zone.
I attached an image of what this could look like for Azure (currently this does not work).
In the example, the landing zone is attached to the "IT Team" management group. As long as the tenant is somewhere within that hierarchy, either on the management group itself or one of its children, the replicator would leave the assignment untouched.
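The hierarchy check discussed in this thread, written out as an added example (not meshStack code and not from any participant): a landing zone is pinned to one node of the management-group or OU tree, and the replicator should leave a tenant alone if it sits on that node or anywhere below it, otherwise either fail or move it back, depending on a platform setting. The tree below is constructed for illustration and mirrors the "IT Team" example above; in practice the parent map would be built from the provider (for AWS, `organizations:ListParents` per account or OU; for Azure, the management group's ancestor chain).

```python
"""Landing-zone hierarchy check for a tenant's management group / OU placement.

Added illustration, not meshStack code. Models the behaviour discussed in
the thread: strict mode (tenant must be on exactly the landing-zone node),
hierarchical mode (tenant may be anywhere below it), and an optional
auto-move back to the landing-zone node when the check fails.
"""
from enum import Enum
from typing import Dict, Iterator, Optional, Tuple


class Action(Enum):
    LEAVE = "leave"   # placement acceptable, replicator does nothing
    MOVE = "move"     # placement wrong, replicator moves tenant to landing-zone node
    FAIL = "fail"     # placement wrong, replication fails (current behaviour)


# Constructed hierarchy: node -> parent (None for the root). Names are illustrative only.
# Azure: management groups. The same shape works for AWS OUs (ou-... / r-... ids).
AZURE_TREE: Dict[str, Optional[str]] = {
    "Tenant Root Group": None,
    "IT Team": "Tenant Root Group",
    "IT Team/Shared RIs": "IT Team",
    "IT Team/Shared RIs/App A": "IT Team/Shared RIs",
    "Finance": "Tenant Root Group",
}


def ancestors(node: str, parent_of: Dict[str, Optional[str]]) -> Iterator[str]:
    """Yield `node`, then each ancestor up to the root.

    Raises on an unknown node or a cycle, so a corrupted/partial tree fails
    loudly instead of silently passing or looping forever.
    """
    seen = set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node!r}")
        if node not in parent_of:
            raise KeyError(f"unknown node {node!r}")
        seen.add(node)
        yield node
        node = parent_of[node]


def is_within(current: str, lz_node: str, parent_of: Dict[str, Optional[str]]) -> bool:
    """True if `current` is `lz_node` itself or a descendant of it."""
    return any(n == lz_node for n in ancestors(current, parent_of))


def reconcile(
    current: str,
    lz_node: str,
    parent_of: Dict[str, Optional[str]],
    allow_children: bool = True,
    auto_move: bool = False,
) -> Tuple[Action, str]:
    """Decide what the replicator should do and where the tenant ends up.

    allow_children: accept any placement below the landing-zone node (the
                    feature requested in the thread); False = exact match only.
    auto_move:      on mismatch, move the tenant back instead of failing.
    """
    if allow_children:
        ok = is_within(current, lz_node, parent_of)
    else:
        ok = current == lz_node
    if ok:
        return Action.LEAVE, current
    if auto_move:
        return Action.MOVE, lz_node
    return Action.FAIL, current


if __name__ == "__main__":
    for tenant_mg in ("IT Team", "IT Team/Shared RIs/App A", "Finance"):
        print(tenant_mg, "->", reconcile(tenant_mg, "IT Team", AZURE_TREE))
```

With `allow_children=False` the function reproduces the behaviour the thread describes today (any deviation from the landing-zone node fails replication); with the default it implements the hierarchical acceptance asked for here, and `auto_move=True` gives the "move it back" option from the merged AWS request.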