Landing Zones: Conditional Mandatory Building Block Deployment Based on Workspace Tag
Thomas Abbe
As a Platform Team of one department (Platform on Platform),
I want all cloud accounts belonging to the same department to be able to have a mandatory building block configured into the landing zone, depending on a tag,
so that department-specific compliance/governance requirements are automatically and consistently enforced across all relevant accounts without manual intervention.
We do not want to create a specific Landing Zone for this, since the complexity with additional Landing Zones would in our opinion increase the complexity. The actual proposal would be a policy condition in the Landing Zone if the building block is mandatory or not.
Jelle den Burger
Thanks for the feature request Thomas Abbe
Thinking out loud here, but would it be possible to always have a mandatory building block that only under certain conditions in Terraform (e.g. your workspace tag use case) provisions the actual needed building block?
resource "meshstack_building_block" "marketing" {
  count = contains(data.workspace.tags.department, "Marketing") ? 1 : 0
  name  = "marketing-building-block"
  # ...
}
Thomas Abbe
Jelle den Burger This would be a workaround; however, this would not be very transparent, and tenants from other departments would see a mandatory "marketing building block" provisioned (which in this case would do nothing).
Jelle den Burger
Thomas Abbe: Well the marketing-building-block in this case is the inner building block only provisioned under your conditions. The outer one could have a different name. You can give it a neutral name something like "Landing Zone Base Provisioning"
Thomas Abbe
Jelle den Burger Yes, as said this would work but would be less transparent. I prefer when the building block's name matches its intent/purpose.
And there is also the responsibility "thing", because the responsibility of the "Landing Zone Base Provisioning" building block is on the side of the central platform team.
Regarding this feature request, responsibility for the building block lies more with the other department team.