Secure Landing Zone Contributor Tenant Import
Johannes Rudolph
We have multiple platform teams working on top of our Azure foundation platform.
We want these platform teams to use the "Platform Builder" to manage their own landing zones using the "Landing Zone Contributor" feature.
Now the platform team wants to also import existing subscriptions into meshStack. However, today this is an admin-level permission that cannot be scoped to
- allow import only into landing zones owned by the platform team
- allow import only of subscriptions that are supposed to be "owned" by that platform team
These restrictions are necessary so that the platform team cannot put meshStack into a "confused deputy" situation where it would use the replicator to arbitrarily adopt subscriptions that the platform team should not have control over.
Johannes Rudolph
We are currently investigating the following solution option to support this use case:
We will validate "ownership" of subscriptions to import based on their placement in the resource hierarchy. This is based on the assumption that most platform teams will delegate an entire part of the resource hierarchy to another platform team (e.g. provide them a Management Group under which they can freely operate).
1) To enforce this, we will enable the replicator to evaluate resource hierarchy constraints. These constraints can be configured on the landing zone. The replicator will evaluate constraints prior to replication. This way, the replicator will refuse to perform any operation on a landing zone that is not part of the resource hierarchy delegated to a platform team. Subscriptions that are not supposed to be owned by the platform team will thus not be adopted by meshStack.
In a later iteration of this solution, resource hierarchy constraints may become a mandatory setting on landing zones owned by Landing Zone Contributors, and we may put measures in place so that they can only be configured via the admin area.
2) We will add new API key permissions for "import tenants into owned landing zones" for landing zone contributors and enforce this accordingly in the API. This enables platform teams to use their workspace-scoped API keys for tenant import.
We intend to make this feature available with similar capabilities across Azure, AWS and GCP. However, we will most likely launch this as a preview for Azure first to validate the practical use of this solution.
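To illustrate how the two checks proposed in the post (resource hierarchy constraints evaluated before replication, plus a workspace-scoped "import tenants into owned landing zones" permission) close the confused-deputy gap, here is an added example; it is not meshStack's code or part of the original post. The management group hierarchy, workspace names, permission string and `LandingZone`/`ApiKey` shapes are all constructed for illustration, and it assumes a constraint is required for a contributor import, which the post only describes as a possible later iteration.

```python
# Added example (not meshStack's code): deny-by-default authorization of a
# subscription import by a Landing Zone Contributor. All names and data below
# are constructed for illustration.
from dataclasses import dataclass

# Constructed Azure-style hierarchy: child (management group or subscription) -> parent.
PARENTS = {
    "mg-root": None,
    "mg-platform-a": "mg-root",
    "mg-platform-a-prod": "mg-platform-a",
    "mg-platform-b": "mg-root",
    "sub-a-1": "mg-platform-a-prod",
    "sub-b-1": "mg-platform-b",
    "sub-orphan": None,  # placement unknown, e.g. not visible to the replicator
}

IMPORT_PERMISSION = "import_tenants_into_owned_landing_zones"  # hypothetical name

@dataclass(frozen=True)
class LandingZone:
    name: str
    workspace: str            # owning workspace (the platform team)
    allowed_parents: frozenset  # resource hierarchy constraint (management group ids)

@dataclass(frozen=True)
class ApiKey:
    workspace: str            # workspace the key is scoped to
    permissions: frozenset

def ancestors(resource, parents=PARENTS):
    """Walk up from `resource` and return its chain of parent ids, root last."""
    chain, seen = [], set()
    current = parents.get(resource)
    while current is not None:
        if current in seen:   # a cyclic or garbled hierarchy must not be trusted
            raise ValueError(f"cycle in hierarchy at {current}")
        seen.add(current)
        chain.append(current)
        current = parents.get(current)
    return chain

def authorize_import(key, zone, subscription, parents=PARENTS):
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if IMPORT_PERMISSION not in key.permissions:
        return False, "api key lacks the import permission"
    if key.workspace != zone.workspace:
        return False, "landing zone is not owned by the key's workspace"
    if not zone.allowed_parents:  # assumption: contributor imports need a constraint
        return False, "landing zone has no resource hierarchy constraint"
    if not any(p in zone.allowed_parents for p in ancestors(subscription, parents)):
        return False, f"{subscription} is outside the delegated hierarchy"
    return True, "ok"
```

Because the subscription's placement is checked against the landing zone's constraint rather than against anything the caller supplies, a contributor can only ever pull in subscriptions that already sit under the management group delegated to their team.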