From 5770906926646b367f67005afd1d76149f751e2e Mon Sep 17 00:00:00 2001 From: Abdullah Khairi Date: Fri, 2 Jul 2021 05:56:36 +0000 Subject: [PATCH 001/102] add support for random password in sqlmi --- modules/databases/mssql_managed_instance/main.tf | 2 +- .../mssql_managed_instance/managed_instance.tf | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/modules/databases/mssql_managed_instance/main.tf b/modules/databases/mssql_managed_instance/main.tf index da06359543..c9a8af35cd 100755 --- a/modules/databases/mssql_managed_instance/main.tf +++ b/modules/databases/mssql_managed_instance/main.tf @@ -32,7 +32,7 @@ locals { value = var.settings.administratorLogin } administratorLoginPassword = { - value = var.settings.administratorLoginPassword + value = try(var.settings.administratorLoginPassword, random_password.mssqlmi.0.result) } subnetId = { value = var.subnet_id diff --git a/modules/databases/mssql_managed_instance/managed_instance.tf b/modules/databases/mssql_managed_instance/managed_instance.tf index 8ef7f0228c..167f2fa5d0 100644 --- a/modules/databases/mssql_managed_instance/managed_instance.tf +++ b/modules/databases/mssql_managed_instance/managed_instance.tf @@ -44,4 +44,15 @@ resource "null_resource" "destroy_sqlmi" { } } +} + +# Generate sql server random admin password if not provided in the attribute administrator_login_password +resource "random_password" "mssqlmi" { + count = try(var.settings.administratorLoginPassword, null) == null ? 1 : 0 + + length = 128 + special = true + upper = true + number = true + override_special = "$#%" } \ No newline at end of file From e17a39f5135c4ce23bcd7cfb54eb61a39071f85a Mon Sep 17 00:00:00 2001 From: Abdullah Khairi Date: Fri, 2 Jul 2021 06:44:39 +0000 Subject: [PATCH 002/102] add pcredentials detail to output --- examples/mssql_mi/200-mi/configuration.tfvars | 5 +++-- modules/databases/mssql_managed_instance/output.tf | 8 ++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) 
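Review bot: The fallback in `value = try(var.settings.administratorLoginPassword, random_password.mssqlmi.0.result)` only fires when the attribute is absent, while the `count` on `random_password.mssqlmi` in the managed_instance.tf hunk fires when it is absent or explicitly null, so a configuration that sets `administratorLoginPassword = null` creates the random password but hands null to the deployment. Aligning the two conditions closes the gap: `value = try(var.settings.administratorLoginPassword, null) == null ? random_password.mssqlmi.0.result : var.settings.administratorLoginPassword`. The same mismatch is repeated by the main.tf and server.tf hunks of PATCH 003, which move the fallback to the Key Vault secret value. The `locals` block this hunk edits starts and ends outside the hunk.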
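Review bot: The comment `# Generate sql server random admin password if not provided in the attribute administrator_login_password` names the wrong attribute: the `count` on the next line checks `var.settings.administratorLoginPassword`, and `administrator_login_password` is the mssql_server module's snake_case name. Suggested wording: `# Generate a random SQL MI admin password when var.settings.administratorLoginPassword is not provided`. It is also worth stating in the same comment that the generated value is persisted in Terraform state (through `random_password.mssqlmi` and the template deployment parameters), so the state backend needs the same protection as the credential; whether the ARM template declares the parameter as secureString cannot be seen here and should be confirmed.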
diff --git a/examples/mssql_mi/200-mi/configuration.tfvars b/examples/mssql_mi/200-mi/configuration.tfvars index f614f298ad..1bd07603b9 100644 --- a/examples/mssql_mi/200-mi/configuration.tfvars +++ b/examples/mssql_mi/200-mi/configuration.tfvars @@ -35,7 +35,8 @@ vnets = { actions = [ "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", - "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action"] + "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action" + ] } } } @@ -57,7 +58,7 @@ mssql_managed_instances = { name = "GP_Gen5" } administratorLogin = "adminuser" - administratorLoginPassword = "@dm1nu53r@30102020" + # administratorLoginPassword = "@dm1nu53r@30102020" //networking networking = { diff --git a/modules/databases/mssql_managed_instance/output.tf b/modules/databases/mssql_managed_instance/output.tf index 40d581a8ca..c515ca8932 100755 --- a/modules/databases/mssql_managed_instance/output.tf +++ b/modules/databases/mssql_managed_instance/output.tf @@ -16,4 +16,12 @@ output "location" { output "principal_id" { value = lookup(azurerm_template_deployment.mssqlmi.outputs, "objectId") description = "SQL MI Identity Principal Id" +} + +output "administratorLogin" { + value = var.settings.administratorLogin +} + +output "administratorLoginPassword" { + value = try(var.settings.administratorLoginPassword, random_password.mssqlmi.0.result) } \ No newline at end of file From b07d2f222e476ad695d316b8f3436f1753517e11 Mon Sep 17 00:00:00 2001 
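Review bot: Commenting out `administratorLoginPassword = "@dm1nu53r@30102020"` leaves a credential-shaped literal in the example file where it is likely to be uncommented and copied. Since the module now generates a password when the attribute is absent, the line should be removed, or replaced with a placeholder such as `# administratorLoginPassword = "<set explicitly, or omit to generate one>"`. The `mssql_managed_instances` block starts and ends outside the hunk.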
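Review bot: `output "administratorLoginPassword"` is declared without `sensitive = true`, so the supplied or generated password is printed by `terraform apply` and `terraform output` and lands in the CI logs of every caller of this module. Add `sensitive = true` and a `description` to the block (`output "administratorLogin"` would benefit from a description as well). PATCH 004 on this page removes both outputs again, but any deployment made from this commit has already echoed the value.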
From: Abdullah Khairi Date: Fri, 9 Jul 2021 02:09:06 +0000 Subject: [PATCH 003/102] push random password to keyvault --- .../databases/mssql_managed_instance/main.tf | 2 +- .../mssql_managed_instance/managed_instance.tf | 17 ++++++++++++++++- .../mssql_managed_instance/variables.tf | 1 + modules/databases/mssql_server/server.tf | 17 ++++++++++++++++- modules/databases/mssql_server/variables.tf | 1 + mssql_servers.tf | 1 + msssql_managed_instances.tf | 2 ++ 7 files changed, 38 insertions(+), 3 deletions(-) diff --git a/modules/databases/mssql_managed_instance/main.tf b/modules/databases/mssql_managed_instance/main.tf index c9a8af35cd..a04031ee3a 100755 --- a/modules/databases/mssql_managed_instance/main.tf +++ b/modules/databases/mssql_managed_instance/main.tf @@ -32,7 +32,7 @@ locals { value = var.settings.administratorLogin } administratorLoginPassword = { - value = try(var.settings.administratorLoginPassword, random_password.mssqlmi.0.result) + value = try(var.settings.administratorLoginPassword, azurerm_key_vault_secret.sqlmi_admin_password.0.value) } subnetId = { value = var.subnet_id diff --git a/modules/databases/mssql_managed_instance/managed_instance.tf b/modules/databases/mssql_managed_instance/managed_instance.tf index 167f2fa5d0..4245ae3721 100644 --- a/modules/databases/mssql_managed_instance/managed_instance.tf +++ b/modules/databases/mssql_managed_instance/managed_instance.tf @@ -47,7 +47,7 @@ resource "null_resource" "destroy_sqlmi" { } # Generate sql server random admin password if not provided in the attribute administrator_login_password -resource "random_password" "mssqlmi" { +resource "random_password" "sqlmi_admin" { count = try(var.settings.administratorLoginPassword, null) == null ? 1 : 0 length = 128 
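Review bot: Renaming `random_password.mssqlmi` to `random_password.sqlmi_admin` changes the resource address, so on an existing deployment Terraform destroys and recreates the resource and generates a new password; the Key Vault secret added in the next hunk then stores the new value and the instance is updated to it. If that rotation is unintended, the upgrade notes should call for `terraform state mv random_password.mssqlmi random_password.sqlmi_admin` before applying. Either way, a sentence in the commit message about the rename's effect on existing state would help.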
@@ -55,4 +55,19 @@ resource "random_password" "mssqlmi" { upper = true number = true override_special = "$#%" +} + +# Store the generated password into keyvault +resource "azurerm_key_vault_secret" "sqlmi_admin_password" { + count = try(var.settings.administratorLoginPassword, null) == null ? 1 : 0 + + name = format("%s-password", azurecaf_name.mssqlmi.result) + value = random_password.sqlmi_admin.0.result + key_vault_id = var.keyvault_id + + lifecycle { + ignore_changes = [ + value + ] + } } \ No newline at end of file diff --git a/modules/databases/mssql_managed_instance/variables.tf b/modules/databases/mssql_managed_instance/variables.tf index 8fa59c0d89..c87a9f9631 100755 --- a/modules/databases/mssql_managed_instance/variables.tf +++ b/modules/databases/mssql_managed_instance/variables.tf @@ -18,3 +18,4 @@ variable "location" { variable "primary_server_id" { default = "" } +variable "keyvault_id" {} diff --git a/modules/databases/mssql_server/server.tf b/modules/databases/mssql_server/server.tf index e8e23f147d..0c2016d500 100755 --- a/modules/databases/mssql_server/server.tf +++ b/modules/databases/mssql_server/server.tf @@ -5,7 +5,7 @@ resource "azurerm_mssql_server" "mssql" { location = var.location version = try(var.settings.version, "12.0") administrator_login = var.settings.administrator_login - administrator_login_password = try(var.settings.administrator_login_password, random_password.sql_admin.0.result) + administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.sql_admin_password.0.value) public_network_access_enabled = try(var.settings.public_network_access_enabled, true) connection_policy = try(var.settings.connection_policy, null) minimum_tls_version = try(var.settings.minimum_tls_version, null) 
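Review bot: `ignore_changes = [value]` on `azurerm_key_vault_secret.sqlmi_admin_password` has no comment, and its effect is easy to misread: after this commit the instance password is read from the secret's `value` rather than from `random_password.sqlmi_admin`, so presumably the intent is that a password rotated directly in Key Vault is picked up on the next apply instead of being reverted to the random value — confirm that against the provider's refresh behaviour before relying on it. Suggested comment above the `lifecycle` block: `# value is ignored so a rotation done in Key Vault is not reverted; the instance reads the secret value, not the random_password result`. The server.tf hunk of this commit on the next physical line carries the same lifecycle block and needs the same comment.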
@@ -68,4 +68,19 @@ resource "random_password" "sql_admin" { override_special = "$#%" } +# Store the generated password into keyvault +resource "azurerm_key_vault_secret" "sql_admin_password" { + count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 + + name = format("%s-password", azurecaf_name.mssql.result) + value = random_password.sql_admin.0.result + key_vault_id = var.keyvault_id + + lifecycle { + ignore_changes = [ + value + ] + } +} + diff --git a/modules/databases/mssql_server/variables.tf b/modules/databases/mssql_server/variables.tf index 83d2810c31..3d87f70a68 100755 --- a/modules/databases/mssql_server/variables.tf +++ b/modules/databases/mssql_server/variables.tf @@ -25,3 +25,4 @@ variable "base_tags" { variable "private_dns" { default = {} } +variable "keyvault_id" {} diff --git a/mssql_servers.tf b/mssql_servers.tf index ec7b39a10a..0df767b1e0 100755 --- a/mssql_servers.tf +++ b/mssql_servers.tf @@ -21,6 +21,7 @@ module "mssql_servers" { resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} private_dns = local.combined_objects_private_dns + keyvault_id = try(each.value.administrator_login_password, null) == null ? module.keyvaults[each.value.keyvault_key].id : null } data "azurerm_storage_account" "mssql_auditing" { diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf index 7e26cdb2ae..47091b86d7 100755 --- a/msssql_managed_instances.tf +++ b/msssql_managed_instances.tf 
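Review bot: `keyvault_id = try(each.value.administrator_login_password, null) == null ? module.keyvaults[each.value.keyvault_key].id : null` makes `keyvault_key` mandatory for every server that omits a password, and a missing key fails with an index error rather than a message naming the new requirement. It also resolves key vaults only from this landing zone's `module.keyvaults`, unlike the other lookups in the same module call, which go through `local.combined_objects_*` maps with an `lz_key`; if a combined-objects map for key vaults exists in this module, using it with `try(each.value.lz_key, local.client_config.landingzone_key)` would keep the remote-landing-zone pattern consistent. A comment on the line such as `# keyvault_key is required when no administrator_login_password is supplied; the generated password is stored there` would make the contract explicit. The two `msssql_managed_instances.tf` hunks on the next physical line have the same shape and the same limitations.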
@@ -18,6 +18,7 @@ module "mssql_managed_instances" { location = try(local.global_settings.regions[each.value.region], local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location) subnet_id = local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + keyvault_id = try(each.value.administratorLoginPassword, null) == null ? module.keyvaults[each.value.keyvault_key].id : null } module "mssql_managed_instances_secondary" { @@ -32,6 +33,7 @@ module "mssql_managed_instances_secondary" { subnet_id = local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id primary_server_id = module.mssql_managed_instances[each.value.primary_server.mi_server_key].id base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + keyvault_id = try(each.value.administratorLoginPassword, null) == null ? module.keyvaults[each.value.keyvault_key].id : null } module "mssql_mi_failover_groups" { From f308524fcf77d86a726a0bb67de92ad794464770 Mon Sep 17 00:00:00 2001 From: Abdullah Khairi Date: Fri, 9 Jul 2021 02:42:56 +0000 Subject: [PATCH 004/102] remove login output from sql server n mi --- modules/databases/mssql_managed_instance/output.tf | 8 -------- modules/databases/mssql_server/output.tf | 8 -------- 2 files changed, 16 deletions(-) diff --git a/modules/databases/mssql_managed_instance/output.tf b/modules/databases/mssql_managed_instance/output.tf index c515ca8932..40d581a8ca 100755 --- a/modules/databases/mssql_managed_instance/output.tf 
+++ b/modules/databases/mssql_managed_instance/output.tf @@ -16,12 +16,4 @@ output "location" { output "principal_id" { value = lookup(azurerm_template_deployment.mssqlmi.outputs, "objectId") description = "SQL MI Identity Principal Id" -} - -output "administratorLogin" { - value = var.settings.administratorLogin -} - -output "administratorLoginPassword" { - value = try(var.settings.administratorLoginPassword, random_password.mssqlmi.0.result) } \ No newline at end of file diff --git a/modules/databases/mssql_server/output.tf b/modules/databases/mssql_server/output.tf index 1141b9d32c..349d03f426 100755 --- a/modules/databases/mssql_server/output.tf +++ b/modules/databases/mssql_server/output.tf @@ -28,12 +28,4 @@ output "resource_group_name" { output "location" { value = var.location -} - -output "administrator_login" { - value = var.settings.administrator_login -} - -output "administrator_login_password" { - value = try(var.settings.administrator_login_password, random_password.sql_admin.0.result) } \ No newline at end of file From 9029bc0c913f423233d17b0860e9265a218ea874 Mon Sep 17 00:00:00 2001 From: Abdullah Khairi Date: Fri, 9 Jul 2021 17:29:03 +0000 Subject: [PATCH 005/102] fix example for sql server --- .../101-sqlserver-simple/configuration.tfvars | 21 ++----------------- .../configurations.tfvars | 17 +++++++++++++++ .../configurations.tfvars | 18 ++++++++++++++++ .../configurations.tfvars | 18 ++++++++++++++++ 4 files changed, 55 insertions(+), 19 deletions(-) diff --git a/examples/mssql_server/101-sqlserver-simple/configuration.tfvars b/examples/mssql_server/101-sqlserver-simple/configuration.tfvars index be070be906..480e1ad0e0 100644 --- a/examples/mssql_server/101-sqlserver-simple/configuration.tfvars +++ b/examples/mssql_server/101-sqlserver-simple/configuration.tfvars @@ -19,6 +19,7 @@ mssql_servers = { region = "region1" resource_group_key = "sql_region1" administrator_login = "sqladmin" + keyvault_key = "sql_rg1" } } 
@@ -34,22 +35,4 @@ keyvaults = { } } } -} - -#need to place dynamic secrets module outside caf module to pass the objects -# dynamic_keyvault_secrets = { -# sql_rg1 = { -# sql_username = { -# output_key = "mssql_servers" -# resource_key = "sql_rg1" -# attribute_key = "administrator_login" -# secret_name = "sql-rg1-username" -# } -# sql_password = { -# output_key = "mssql_servers" -# resource_key = "sql_rg1" -# attribute_key = "administrator_login_password" -# secret_name = "sql-rg1-password" -# } -# } -# } \ No newline at end of file +} \ No newline at end of file diff --git a/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars b/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars index ef518d590f..458e93cf3e 100644 --- a/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars +++ b/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars @@ -48,4 +48,21 @@ mssql_databases = { } } +} + +keyvaults = { + kv1 = { + name = "examplekv" + resource_group_key = "rg1" + sku_name = "standard" + + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + logged_in_aad_app = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + } + } } \ No newline at end of file diff --git a/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars b/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars index 2feaf99e41..d5e7847b94 100644 --- a/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars +++ b/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars @@ -38,6 +38,7 @@ mssql_servers = { resource_group_key = "rg1" version = "12.0" administrator_login = "sqladmin" + keyvault_key = "kv1" connection_policy = "Default" public_network_access_enabled = false minimum_tls_version = "1.2" 
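Review bot: The `creation_policies` in the added `keyvaults` block grant `Purge` alongside `Set`, `Get`, `List` and `Delete` to both `logged_in_user` and `logged_in_aad_app`; storing the generated SQL password only needs `Set`, `Get` and `List`, and `Purge` permanently destroys soft-deleted secrets, which is the opposite of what an example should teach. Trimming the list to `secret_permissions = ["Set", "Get", "List"]`, or adding `# Purge is shown for cleanup of the example only` if it is kept for teardown, keeps the example aligned with least privilege. The identical blocks in the 108 and 109 hunks on the next physical line have the same issue; PATCH 006 on this page later drops the `logged_in_aad_app` policy but keeps `Purge` for the user.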
@@ -82,3 +83,20 @@ diagnostics_definition = { } } } + +keyvaults = { + kv1 = { + name = "examplekv" + resource_group_key = "rg1" + sku_name = "standard" + + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + logged_in_aad_app = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + } + } +} diff --git a/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars b/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars index a493436d94..bacb244aea 100644 --- a/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars +++ b/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars @@ -39,6 +39,7 @@ mssql_servers = { resource_group_key = "rg1" version = "12.0" administrator_login = "sqladmin" + keyvault_key = "kv1" connection_policy = "Default" public_network_access_enabled = true # true for firewall rule to be applied minimum_tls_version = "1.2" @@ -78,4 +79,21 @@ mssql_databases = { } } +keyvaults = { + kv1 = { + name = "examplekv" + resource_group_key = "rg1" + sku_name = "standard" + + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + logged_in_aad_app = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + } + } +} + From 70df99ea90e9402a1848075e2d509ce5629cb52f Mon Sep 17 00:00:00 2001 From: Abdullah Khairi Date: Fri, 9 Jul 2021 20:14:41 +0000 Subject: [PATCH 006/102] remove aad app keyvault policy in ex --- .../106-sqlserver-db-msi-authentication/configurations.tfvars | 3 --- .../107-sqlserver-db-retention-policy/configurations.tfvars | 3 --- .../108-sqlserver-db-diagnostics/configurations.tfvars | 3 --- .../109-sqlserver-network-firewall-rule/configurations.tfvars | 3 --- 4 files changed, 12 deletions(-) 
diff --git a/examples/mssql_server/106-sqlserver-db-msi-authentication/configurations.tfvars b/examples/mssql_server/106-sqlserver-db-msi-authentication/configurations.tfvars index 4df507fa48..4197811cf9 100644 --- a/examples/mssql_server/106-sqlserver-db-msi-authentication/configurations.tfvars +++ b/examples/mssql_server/106-sqlserver-db-msi-authentication/configurations.tfvars @@ -23,9 +23,6 @@ keyvaults = { logged_in_user = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] } - logged_in_aad_app = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } } } } diff --git a/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars b/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars index 458e93cf3e..328fb8cba7 100644 --- a/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars +++ b/examples/mssql_server/107-sqlserver-db-retention-policy/configurations.tfvars @@ -60,9 +60,6 @@ keyvaults = { logged_in_user = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] } - logged_in_aad_app = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } } } } \ No newline at end of file diff --git a/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars b/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars index d5e7847b94..37eb298ff8 100644 --- a/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars +++ b/examples/mssql_server/108-sqlserver-db-diagnostics/configurations.tfvars @@ -94,9 +94,6 @@ keyvaults = { logged_in_user = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] } - logged_in_aad_app = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } } } } diff --git a/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars b/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars index bacb244aea..ac94625fda 100644 
--- a/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars +++ b/examples/mssql_server/109-sqlserver-network-firewall-rule/configurations.tfvars @@ -89,9 +89,6 @@ keyvaults = { logged_in_user = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] } - logged_in_aad_app = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } } } } From cdc02d52ea021819873729d09205a5af4f6749f4 Mon Sep 17 00:00:00 2001 From: Hamad Riaz Date: Sun, 11 Jul 2021 00:09:03 -0700 Subject: [PATCH 007/102] #487 Corrected name from private_key to public_key --- modules/compute/virtual_machine/output.tf | 2 +- modules/compute/virtual_machine_scale_set/output.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/compute/virtual_machine/output.tf b/modules/compute/virtual_machine/output.tf index 46003c1baa..e83716c908 100755 --- a/modules/compute/virtual_machine/output.tf +++ b/modules/compute/virtual_machine/output.tf @@ -37,7 +37,7 @@ output "ssh_keys" { value = local.create_sshkeys ? { keyvault_id = local.keyvault.id ssh_private_key_pem = azurerm_key_vault_secret.ssh_private_key[local.os_type].name - ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name + ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name } : null } diff --git a/modules/compute/virtual_machine_scale_set/output.tf b/modules/compute/virtual_machine_scale_set/output.tf index a1ae6890fd..307922ac87 100644 --- a/modules/compute/virtual_machine_scale_set/output.tf +++ b/modules/compute/virtual_machine_scale_set/output.tf 
@@ -27,6 +27,6 @@ output "ssh_keys" { value = local.create_sshkeys ? { keyvault_id = local.keyvault.id ssh_private_key_pem = azurerm_key_vault_secret.ssh_private_key[local.os_type].name - ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name + ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name } : null } From 386e756be91f308eebf513c5e2e309210fc5ab10 Mon Sep 17 00:00:00 2001 From: Scott Date: Sun, 11 Jul 2021 20:06:22 +1000 Subject: [PATCH 008/102] added support for specifying host name on backend http settings --- modules/networking/application_gateway/application_gateway.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index f7b17a7e07..36f690abfb 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -151,6 +151,7 @@ resource "azurerm_application_gateway" "agw" { request_timeout = try(backend_http_settings.value.request_timeout, 30) pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false) trusted_root_certificate_names = try(backend_http_settings.value.trusted_root_certificate_names, null) + host_name = try(backend_http_settings.value.host_name, null) } } From c50420f1f6d11385c389741d5c8e07c92c9f3322 Mon Sep 17 00:00:00 2001 From: Scott Date: Sun, 11 Jul 2021 20:15:08 +1000 Subject: [PATCH 009/102] added support for specifying health probes for app gateway --- .../application_gateway.tf | 24 +++++++++++++++++++ .../networking/application_gateway/locals.tf | 13 ++++++++++ 2 files changed, 37 insertions(+) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index f7b17a7e07..a54db28eab 100644 
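Review bot: `host_name = try(backend_http_settings.value.host_name, null)` sits next to `pick_host_name_from_backend_address`, and as far as I recall the Application Gateway API rejects a backend HTTP setting that sets a host name while pick-host-name-from-backend-address is true, so a config that sets both fails only at apply time. A comment such as `# host_name and pick_host_name_from_backend_address are mutually exclusive; set at most one` would document the constraint until a validation can be expressed. The enclosing `dynamic "backend_http_settings"` block starts and ends outside the hunk.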
--- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -139,6 +139,29 @@ resource "azurerm_application_gateway" "agw" { } } } + dynamic "probe" { + for_each = local.probes + + content { + name = probe.value.name + host = probe.value.host + interval = probe.value.interval + protocol = probe.value.protocol + path = probe.value.path + timeout = probe.value.timeout + unhealthy_threshold = probe.value.unhealthy_threshold + port = try(probe.value.port,null) + pick_host_name_from_backend_http_settings = try(probe.value.pick_host_name_from_backend_http_settings, false) + minimum_servers = try(probe.value.minimum_servers, 0) + dynamic "match" { + for_each = try(probe.value.match, null) == null ? [] : [1] + content { + body = try(probe.value.match.body,null) + status_code = try(probe.value.match.status_code,null) + } + } + } + } dynamic "backend_http_settings" { for_each = local.backend_http_settings @@ -151,6 +174,7 @@ resource "azurerm_application_gateway" "agw" { request_timeout = try(backend_http_settings.value.request_timeout, 30) pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false) trusted_root_certificate_names = try(backend_http_settings.value.trusted_root_certificate_names, null) + probe_name = local.probes[format("%s-%s",backend_http_settings.key, backend_http_settings.value.probe_key)].name } } diff --git a/modules/networking/application_gateway/locals.tf b/modules/networking/application_gateway/locals.tf index 83c99d6e48..ce1a0fc96c 100644 --- a/modules/networking/application_gateway/locals.tf +++ b/modules/networking/application_gateway/locals.tf 
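Review bot: `probe_name = local.probes[format("%s-%s",backend_http_settings.key, backend_http_settings.value.probe_key)].name` is unconditional, so every existing backend_http_settings entry without a `probe_key` now fails with an index error; wrapping it as `probe_name = try(local.probes[format("%s-%s", backend_http_settings.key, backend_http_settings.value.probe_key)].name, null)` keeps the attribute optional. The lookup also builds its key from `backend_http_settings.key`, while `local.probes` (locals.tf hunk on the next physical line) is keyed `app_key-probe_key`, which only matches if `backend_http_settings.key` is the application key — worth confirming against the backend_http_settings local. In the new `dynamic "probe"` block, `host`, `interval`, `path`, `timeout` and `unhealthy_threshold` are read without `try`, so a probe that uses `pick_host_name_from_backend_http_settings = true` and omits `host` errors before reaching the provider. Both hunks are based on index f7b17a7e07, the same parent as PATCH 008, and this hunk's context lacks the `host_name` line that patch adds, so one of the two will need a rebase.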
@@ -48,6 +48,19 @@ locals { ) : format("%s-%s", url_path_map.value.app_key, url_path_map.value.url_path_map_key) => url_path_map.value } + probes = { + for probe in + flatten( + [ + for app_key, config in var.application_gateway_applications : [ + for key, value in try(config.probes, []) : { + value = merge({ app_key = app_key, probe_key = key }, value) + } + ] + ] + ) : format("%s-%s", probe.value.app_key, probe.value.probe_key) => probe.value + } + certificate_keys = distinct(flatten([ for key, value in local.listeners : [try(value.keyvault_certificate.certificate_key, [])] ])) From 461ac454c01e5d85dae9a7e14094770a2958f630 Mon Sep 17 00:00:00 2001 From: Hamad Riaz Date: Sun, 11 Jul 2021 18:02:58 -0700 Subject: [PATCH 010/102] #575 updated networking.tf to allow null value for next_hop_in_ip_address_fw --- networking.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/networking.tf b/networking.tf index 62559cac09..d9df4b7e92 100755 --- a/networking.tf +++ b/networking.tf 
@@ -170,9 +170,10 @@ module "routes" { address_prefix = each.value.address_prefix next_hop_type = each.value.next_hop_type next_hop_in_ip_address = try(lower(each.value.next_hop_type), null) == "virtualappliance" ? try(each.value.next_hop_in_ip_address, null) : null - next_hop_in_ip_address_fw = try(lower(each.value.next_hop_type), null) == "virtualappliance" ? coalesce( + next_hop_in_ip_address_fw = try(lower(each.value.next_hop_type), null) == "virtualappliance" ? try( try(local.combined_objects_azurerm_firewalls[try(each.value.private_ip_keys.azurerm_firewall.lz_key, local.client_config.landingzone_key)][each.value.private_ip_keys.azurerm_firewall.key].ip_configuration[each.value.private_ip_keys.azurerm_firewall.interface_index].private_ip_address, null), - try(local.combined_objects_azurerm_firewalls[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.private_ip_keys.azurerm_firewall.key].ip_configuration[each.value.private_ip_keys.azurerm_firewall.interface_index].private_ip_address, null) + try(local.combined_objects_azurerm_firewalls[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.private_ip_keys.azurerm_firewall.key].ip_configuration[each.value.private_ip_keys.azurerm_firewall.interface_index].private_ip_address, null), + null ) : null } From 642a5f7714519c928f1a06984f7009a63c2c34b6 Mon Sep 17 00:00:00 2001 From: Chun Saen Sean Lok Date: Mon, 12 Jul 2021 12:52:40 +0800 Subject: [PATCH 011/102] Fix vhub connection outputs with s so that it will pickup by landing zones module --- networking_virtual_hub_connection.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf index c5b03465aa..25b8599b7b 100644 --- a/networking_virtual_hub_connection.tf +++ b/networking_virtual_hub_connection.tf 
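Review bot: Replacing the outer `coalesce(` with `try(` makes the second lookup unreachable: `try()` returns the first argument that evaluates without error, and the first argument is itself `try(..., null)`, which never errors, so the new expression always yields the first firewall lookup's value (or null) and never falls through to the `each.value.lz_key` variant. Keep the outer `try`, but drop the two inner `try(..., null)` wrappers so the raw `local.combined_objects_azurerm_firewalls[...]` lookups are attempted in order before the trailing `null`. The `module "routes"` block starts and ends outside the hunk.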
@@ -5,7 +5,7 @@ # # -output "virtual_hub_connection" { +output "virtual_hub_connections" { value = azurerm_virtual_hub_connection.vhub_connection } @@ -87,4 +87,4 @@ locals { ) } } -} \ No newline at end of file +} From 6b906bc8056e4649f860b4b71c76971ea6262b72 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Mon, 12 Jul 2021 07:19:05 +0000 Subject: [PATCH 012/102] Modernize old aad_apps policy --- .../security/keyvault_access_policies/policies.tf | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/security/keyvault_access_policies/policies.tf b/modules/security/keyvault_access_policies/policies.tf index 45b6f94d4f..523cddf9d6 100755 --- a/modules/security/keyvault_access_policies/policies.tf +++ b/modules/security/keyvault_access_policies/policies.tf 
@@ -6,10 +6,19 @@ module "azuread_apps" { if try(access_policy.azuread_app_key, null) != null } - keyvault_id = var.keyvault_id == null ? var.keyvaults[try(each.value.keyvault_lz_key, each.value.lz_key, var.client_config.landingzone_key)][var.keyvault_key].id : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null) + ) access_policy = each.value tenant_id = var.client_config.tenant_id - object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key), var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id + object_id = coalesce( + try(var.azuread_apps[each.value.lz_key][each.value.azuread_app_key].azuread_service_principal.object_id, null), + try(var.azuread_apps[each.value.azuread_app_lz_key][each.value.azuread_app_key].azuread_service_principal.object_id, null), + try(var.azuread_apps[var.client_config.landingzone_key][each.value.azuread_app_key].azuread_service_principal.object_id, null) + ) } module "azuread_service_principals" { From 8a3ef9251f859d69550d01f826b52a85e8f10c85 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Mon, 12 Jul 2021 07:24:43 +0000 Subject: [PATCH 013/102] readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dcb90382ef..c2e208905f 100755 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ This module can be used inside [Cloud Adoption Framework Landing zones](https:// ```terraform module "caf" { source = "aztfmod/caf/azurerm" - version = "~>5.1.0" + version = "~>5.4.0" # insert the 7 required variables here } ``` 
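Review bot: The new `object_id = coalesce(...)` changes precedence: the removed line resolved `each.value.azuread_app_lz_key` before `each.value.lz_key`, whereas the coalesce tries `lz_key` first, so an access policy that sets both keys now grants vault access to a service principal from a different landing zone. Swapping the first two `try(...)` arguments restores the old order; the `keyvault_id` expression above it already keeps `keyvault_lz_key` ahead of `lz_key` and is consistent with the original. `coalesce` also fails with a generic "no non-null arguments" error when every lookup misses, so a short comment naming the keys it expects (`azuread_app_lz_key`, `lz_key`, or the current landing zone) would help whoever hits it. The `module "azuread_apps"` block starts outside the hunk.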
@@ -33,6 +33,8 @@ For a complete set of examples you can review the [full library here](./examples Feel free to open an issue for feature or bug, or to submit a PR, [please review the module contribution and conventions guidelines](./documentation/conventions.md) +[Please check out the WIKI for coding standards, common patterns and PR checklist.](https://github.com/aztfmod/terraform-azurerm-caf/wiki) + In case you have any question, you can reach out to tf-landingzones at microsoft dot com. You can also reach us on [Gitter](https://gitter.im/aztfmod/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) From 28a3b611c1d561c05044ad3cd383026a5113639d Mon Sep 17 00:00:00 2001 From: lolorol Date: Mon, 12 Jul 2021 14:32:50 +0000 Subject: [PATCH 014/102] Add waf_configuration example --- .../configuration.tfvars | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/examples/app_gateway/100-simple-app-gateway/configuration.tfvars b/examples/app_gateway/100-simple-app-gateway/configuration.tfvars index 9ce87687af..62886d4560 100644 --- a/examples/app_gateway/100-simple-app-gateway/configuration.tfvars +++ b/examples/app_gateway/100-simple-app-gateway/configuration.tfvars 
@@ -57,6 +57,43 @@ application_gateways = { protocol = "Https" } } + + waf_configuration = { + enabled = true + firewall_mode = "Prevention" # or Detection + rule_set_type = "OWASP" # OWASP + rule_set_version = "3.1" # OWASP(2.2.9, 3.0, 3.1, 3.2) + file_upload_limit_mb = 100 + request_body_check = true + max_request_body_size_kb = 128 + + # Optional + disabled_rule_groups = { + general = { + rule_group_name = "General" + rules = ["200004"] + } + # Disable a spacific rule in the rule group + REQUEST-913-SCANNER-DETECTION = { + rule_group_name = "REQUEST-913-SCANNER-DETECTION" + rules = ["913102"] + } + # Disable all rule in the rule group + REQUEST-930-APPLICATION-ATTACK-LFI = { + rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI" + } + } + + # Optional + exclusions = { + exc1 = { + match_variable = "RequestHeaderNames" + selector_match_operator = "Equals" # StartsWith, EndsWith, Contains + selector = "SomeHeader" + } + } + } + } } From 2414aabad62ba33e9e2f390430c0d1e9fab3142f Mon Sep 17 00:00:00 2001 From: lolorol Date: Tue, 13 Jul 2021 12:34:14 +0000 Subject: [PATCH 015/102] Patch in grant consent and membership for logged_in user --- .../azuread_groups_membership.tf | 34 +++++++++++++++++++ .../azuread/groups_members/groups_members.tf | 13 +++---- .../grant_api_permissions.tf | 15 ++++---- .../scripts/grant_consent.sh | 10 +++--- 4 files changed, 52 insertions(+), 20 deletions(-) create mode 100644 modules/azuread/groups_members/azuread_groups_membership.tf diff --git a/modules/azuread/groups_members/azuread_groups_membership.tf b/modules/azuread/groups_members/azuread_groups_membership.tf new file mode 100644 index 0000000000..3e6388aed5 --- /dev/null +++ b/modules/azuread/groups_members/azuread_groups_membership.tf 
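Review bot: The example disables the whole `REQUEST-930-APPLICATION-ATTACK-LFI` rule group and a rule from `REQUEST-913-SCANNER-DETECTION` without saying why, so a reader who copies it gets a WAF that no longer inspects for local-file-inclusion; the block should carry a comment that the exclusions are illustrative, e.g. `# Example only: disabling attack rule groups reduces protection; disable individual rules after tuning against real traffic`. The comment `# Disable a spacific rule in the rule group` has a typo (`specific`) and `# Disable all rule in the rule group` should read `all rules`. The `application_gateways` block starts outside the hunk.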
@@ -0,0 +1,34 @@ +# +# Process membership for var.azuread_groups_membership +# + +module "azuread_service_principals_membership" { + source = "./membership" + for_each = try(var.settings.azuread_service_principals, {}) + + group_object_id = var.group_id + azuread_service_principals = var.azuread_service_principals[try(each.value.lz_key, var.client_config.landingzone_key)] + members = each.value +} + +module "membership_object_id" { + source = "./member" + for_each = { + for key, value in try(var.settings.object_ids, {}) : key => value + if key != "logged_in" + } + + group_object_id = var.group_id + member_object_id = each.value +} + +module "membership_logged_in_object_id" { + source = "./member" + for_each = { + for key, value in try(var.settings.object_ids, {}) : key => value + if key == "logged_in" + } + + group_object_id = var.group_id + member_object_id = var.client_config.object_id +} diff --git a/modules/azuread/groups_members/groups_members.tf b/modules/azuread/groups_members/groups_members.tf index 21e1a01267..d32e5bb489 100755 --- a/modules/azuread/groups_members/groups_members.tf +++ b/modules/azuread/groups_members/groups_members.tf @@ -1,3 +1,7 @@ +# +# Process membership for var.azuread_groups in members attribute +# + data "azuread_user" "upn" { for_each = toset(try(var.settings.members.user_principal_names, [])) @@ -28,15 +32,6 @@ module "azuread_service_principals" { member_object_id = var.azuread_service_principals[each.key].object_id } -module "azuread_service_principals_membership" { - source = "./membership" - for_each = try(var.settings.azuread_service_principals, {}) - - group_object_id = var.group_id - azuread_service_principals = var.azuread_service_principals[try(each.value.lz_key, var.client_config.landingzone_key)] - members = each.value -} - module "object_id" { source = "./member" for_each = toset(try(var.settings.members.object_ids, [])) 
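Review bot: The `logged_in` convention in `membership_logged_in_object_id` is undocumented: when a key of `settings.object_ids` is literally `logged_in`, the map value is discarded and `var.client_config.object_id`, the identity running the apply, is added to the group instead. Because that principal may be a CI service principal rather than the person the author had in mind, the file header should spell the contract out, e.g. `# Reserved key "logged_in": its value is ignored and the principal running terraform (var.client_config.object_id) is added to the group.`. A similar one-liner on `membership_object_id` noting that it handles every other key would make the complementary `for_each` filters obvious.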
diff --git a/modules/azuread/service_principal/grant_api_permissions.tf b/modules/azuread/service_principal/grant_api_permissions.tf
index 881ab89bb0..c1df5d99a1 100755
--- a/modules/azuread/service_principal/grant_api_permissions.tf
+++ b/modules/azuread/service_principal/grant_api_permissions.tf
@@ -21,11 +21,13 @@ locals {
 resource "null_resource" "grant_admin_consent" {
+ depends_on = [time_sleep.propagate_to_azuread]
 triggers = {
- resourceAppId = each.value.resource_app_id
- appRoleId = each.value.id
- principalId = azuread_service_principal.app.object_id
+ resourceAppId = each.value.resource_app_id
+ appRoleId = each.value.id
+ principalId = azuread_service_principal.app.object_id
+ application_id = azuread_service_principal.app.application_id
 }
 for_each = {
@@ -38,9 +40,10 @@ resource "null_resource" "grant_admin_consent" {
 on_failure = fail
 environment = {
- resourceAppId = self.triggers.resourceAppId
- appRoleId = self.triggers.appRoleId
- principalId = self.triggers.principalId
+ resourceAppId = self.triggers.resourceAppId
+ appRoleId = self.triggers.appRoleId
+ principalId = self.triggers.principalId
+ application_id = self.triggers.application_id
 }
 }
 }
diff --git a/modules/azuread/service_principal/scripts/grant_consent.sh b/modules/azuread/service_principal/scripts/grant_consent.sh
index 9a422583c9..644eb02d69 100755
--- a/modules/azuread/service_principal/scripts/grant_consent.sh
+++ b/modules/azuread/service_principal/scripts/grant_consent.sh
@@ -6,7 +6,7 @@ user_type=$(az account show --query user.type -o tsv)
 if [ "${user_type}" = "user" ]; then
- az ad app permission admin-consent --id ${applicationId}
+ az ad app permission admin-consent --id ${application_id}
 else
 resourceId=$(az ad sp show --id "${resourceAppId}" --query "objectId" -o tsv)
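Review bot: The new `depends_on = [time_sleep.propagate_to_azuread]` carries no comment saying what it waits for; a one-liner such as `# give the freshly created service principal time to replicate before the consent script calls az cli` (adjusted to whatever the sleep is actually sized for) saves the next reader a trip to the time_sleep definition. Adding `application_id` to `triggers` also changes the trigger set of every existing `null_resource.grant_admin_consent` instance, so existing deployments will re-run the consent provisioner once on the next apply; that looks harmless given the script appears to check for an existing app role assignment first, but it is worth stating in the commit message. The resource block continues outside the hunk (for_each and provisioner).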
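Review bot: On the new line `--id ${application_id}` is unquoted while `"${resourceAppId}"` two lines below is quoted; write `az ad app permission admin-consent --id "${application_id}"` so an empty or unset value fails the command instead of invoking it with no argument. The two branches also differ in scope: the `user` branch appears to grant admin consent for every permission configured on the application, whereas the `else` branch grants a single appRoleId to the service principal, and a comment such as `# admin-consent covers all configured API permissions of the app at once, unlike the per-appRole grant below` would make that asymmetry explicit to whoever reviews the resulting grants. The enclosing if/else continues outside the hunk.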
@@ -21,10 +21,10 @@ else if [ -z ${existingAppRoleId} ]; then JSON=$( jq -n \ - --arg principalId "${principalId}" \ - --arg resourceId "${resourceId}" \ - --arg appRoleId "${appRoleId}" \ - '{principalId: $principalId, resourceId: $resourceId, appRoleId: $appRoleId}' ) && echo " - body: $JSON" + --arg principalId "${principalId}" \ + --arg resourceId "${resourceId}" \ + --arg appRoleId "${appRoleId}" \ + '{principalId: $principalId, resourceId: $resourceId, appRoleId: $appRoleId}' ) && echo " - body: $JSON" az rest --method POST --uri $URI --header Content-Type=application/json --body "$JSON" else From 2a7aa4d0a8c2054b8ccf1020152109411d27e6f4 Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Tue, 13 Jul 2021 22:01:20 -0700 Subject: [PATCH 016/102] Add nat gateway module --- locals.combined_objects.tf | 1 + locals.tf | 1 + modules/networking/nat_gateway/main.tf | 15 +++++++ modules/networking/nat_gateway/module.tf | 30 +++++++++++++ modules/networking/nat_gateway/output.tf | 8 ++++ .../public_ip_association/module.tf | 4 ++ .../public_ip_association/variables.tf | 2 + .../nat_gateway/subnet_association/module.tf | 4 ++ .../subnet_association/variables.tf | 2 + modules/networking/nat_gateway/variables.tf | 43 +++++++++++++++++++ networking_nat_gateway.tf | 25 +++++++++++ 11 files changed, 135 insertions(+) create mode 100644 modules/networking/nat_gateway/main.tf create mode 100644 modules/networking/nat_gateway/module.tf create mode 100644 modules/networking/nat_gateway/output.tf create mode 100644 modules/networking/nat_gateway/public_ip_association/module.tf create mode 100644 modules/networking/nat_gateway/public_ip_association/variables.tf create mode 100644 modules/networking/nat_gateway/subnet_association/module.tf create mode 100644 modules/networking/nat_gateway/subnet_association/variables.tf create mode 100644 modules/networking/nat_gateway/variables.tf create mode 100644 networking_nat_gateway.tf 
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index a9aca6f793..87826bde42 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -44,6 +44,7 @@ locals { combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) + combined_objects_nat_gateway = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateway }), try(var.remote_objects.nat_gateway, {})) combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), try(var.remote_objects.network_security_groups, {})) combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), try(var.remote_objects.network_watchers, {})) combined_objects_networking = merge(tomap({ (local.client_config.landingzone_key) = module.networking }), try(var.remote_objects.vnets, {})) diff --git a/locals.tf b/locals.tf index 5a5be65c4a..c5d075f6f0 100755 --- a/locals.tf +++ b/locals.tf @@ -202,6 +202,7 @@ locals { ip_groups = try(var.networking.ip_groups, {}) load_balancers = try(var.networking.load_balancers, {}) local_network_gateways = try(var.networking.local_network_gateways, {}) + nat_gateway = try(var.networking.nat_gateway, {}) network_security_group_definition = try(var.networking.network_security_group_definition, {}) network_watchers = try(var.networking.network_watchers, {}) private_dns = try(var.networking.private_dns, {}) 
diff --git a/modules/networking/nat_gateway/main.tf b/modules/networking/nat_gateway/main.tf new file mode 100644
index 0000000000..f3786b24ad
--- /dev/null
+++ b/modules/networking/nat_gateway/main.tf
@@ -0,0 +1,15 @@
+locals {
+ module_tag = {
+ "module" = basename(abspath(path.module))
+ }
+ tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null))
+}
+
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
+
diff --git a/modules/networking/nat_gateway/module.tf b/modules/networking/nat_gateway/module.tf new file mode 100644
index 0000000000..bcc1435df7
--- /dev/null
+++ b/modules/networking/nat_gateway/module.tf
@@ -0,0 +1,30 @@
+resource "azurerm_nat_gateway" "nat_gateway" {
+ name = var.name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ idle_timeout_in_minutes = var.idle_timeout_in_minutes
+ zones = try(var.settings.zones, null)
+ tags = local.tags
+}
+
+
+
+
+module "nat_gateway_subnet" {
+ count = try(var.settings.subnet_key, null) == null ? 0 : 1
+ source = "./subnet_association"
+
+ subnet_id = var.subnet_id
+ nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+}
+
+
+
+
+module "nat_gateway_public_ip" {
+ count = try(var.settings.public_ip_key, null) == null ? 0 : 1
+ source = "./public_ip_association"
+
+ public_ip_address_id = var.public_ip_address_id
+ nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+} \ No newline at end of file
diff --git a/modules/networking/nat_gateway/output.tf b/modules/networking/nat_gateway/output.tf new file mode 100644
index 0000000000..545cb2e4c0
--- /dev/null
+++ b/modules/networking/nat_gateway/output.tf
@@ -0,0 +1,8 @@
+output "nat_gateway" {
+ value = azurerm_nat_gateway.nat_gateway
+ description = "Nat Gateway object"
+}
+output "id" {
+ value = azurerm_nat_gateway.nat_gateway.id
+ description = "Nat Gateway object id"
+}
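Review bot: `count = try(var.settings.subnet_key, null) == null ? 0 : 1` on `nat_gateway_subnet` gates the association on the flat `subnet_key` attribute only, but networking_nat_gateway.tf in this same commit resolves `subnet_id` from `try(each.value.vnet.subnet_key, each.value.subnet_key)`, so a configuration written in the nested `vnet.subnet_key` form produces a valid subnet id and then silently skips the association; the same mismatch exists between `public_ip.public_ip_key` and `public_ip_key` on `nat_gateway_public_ip`. Keeping the gate on configuration keys (so `count` stays known at plan time) while mirroring the root lookup fixes both: `count = try(var.settings.vnet.subnet_key, var.settings.subnet_key, null) == null ? 0 : 1` and `count = try(var.settings.public_ip.public_ip_key, var.settings.public_ip_key, null) == null ? 0 : 1`. Separately, main.tf declares `azurecaf` in `required_providers` although nothing in the module uses that provider.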
diff --git a/modules/networking/nat_gateway/public_ip_association/module.tf b/modules/networking/nat_gateway/public_ip_association/module.tf new file mode 100644 index 0000000000..752f71c613 --- /dev/null +++ b/modules/networking/nat_gateway/public_ip_association/module.tf @@ -0,0 +1,4 @@ +resource "azurerm_nat_gateway_public_ip_association" "public_ip" { + nat_gateway_id = var.nat_gateway_id + public_ip_address_id = var.public_ip_address_id +} \ No newline at end of file diff --git a/modules/networking/nat_gateway/public_ip_association/variables.tf b/modules/networking/nat_gateway/public_ip_association/variables.tf new file mode 100644 index 0000000000..1d1550b770 --- /dev/null +++ b/modules/networking/nat_gateway/public_ip_association/variables.tf @@ -0,0 +1,2 @@ +variable "public_ip_address_id" {} +variable "nat_gateway_id" {} \ No newline at end of file diff --git a/modules/networking/nat_gateway/subnet_association/module.tf b/modules/networking/nat_gateway/subnet_association/module.tf new file mode 100644 index 0000000000..d8d441142a --- /dev/null +++ b/modules/networking/nat_gateway/subnet_association/module.tf @@ -0,0 +1,4 @@ +resource "azurerm_subnet_nat_gateway_association" "subnet" { + subnet_id = var.subnet_id + nat_gateway_id = var.nat_gateway_id +} \ No newline at end of file diff --git a/modules/networking/nat_gateway/subnet_association/variables.tf b/modules/networking/nat_gateway/subnet_association/variables.tf new file mode 100644 index 0000000000..967d963779 --- /dev/null +++ b/modules/networking/nat_gateway/subnet_association/variables.tf @@ -0,0 +1,2 @@ +variable "subnet_id" {} +variable "nat_gateway_id" {} \ No newline at end of file diff --git a/modules/networking/nat_gateway/variables.tf b/modules/networking/nat_gateway/variables.tf new file mode 100644 index 0000000000..718373fad5 --- /dev/null +++ b/modules/networking/nat_gateway/variables.tf 
@@ -0,0 +1,43 @@
+variable "settings" {}
+variable "name" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "subnet_id" {}
+variable "public_ip_address_id" {}
+variable "idle_timeout_in_minutes" {
+ description = "(Optional) Specifies the timeout for the TCP idle connection. The value can be set between 4 and 30 minutes."
+ type = number
+ default = null
+
+ validation {
+ condition = (try(var.idle_timeout_in_minutes, false) == true ? (var.idle_timeout_in_minutes.value >= 4 || var.idle_timeout_in_minutes.value <= 30) : true)
+ error_message = "Provide an allowed value as defined in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway#idle_timeout_in_minutes."
+ }
+}
+variable "zones" {
+ description = "(Optional) The availability zone to allocate the Public IP in. Possible values are Zone-Redundant, 1, 2, 3, and No-Zone. Defaults to Zone-Redundant."
+ type = string
+ default = ""
+
+ validation {
+ condition = contains(["", "1", "2", "3"], var.zones)
+ error_message = "Provide an allowed value as defined in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway#zones."
+ }
+}
+variable "base_tags" {
+ default = {}
+}
+variable "tags" {
+ description = "(Optional) Tags for the resource to be deployed."
+ default = null
+ type = map(any)
+}
+variable "diagnostics" {
+ description = "(Optional) Diagnostics objects where to deploy the diagnostics profiles."
+ default = {}
+}
+
+variable "diagnostic_profiles" {
+ description = "(Optional) Diagnostics profile settings to be deployed for the resource."
+ default = {}
+}
diff --git a/networking_nat_gateway.tf b/networking_nat_gateway.tf new file mode 100644
index 0000000000..a817eec1df
--- /dev/null
+++ b/networking_nat_gateway.tf
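Review bot: The validation on `idle_timeout_in_minutes` can never reject a value: `try(var.idle_timeout_in_minutes, false) == true` is false for any number so the ternary always yields `true`, `.value` is not an attribute of a number, and `>= 4 || <= 30` would hold for every number anyway, so the documented 4–30 range is not enforced. Replace the condition with `condition = var.idle_timeout_in_minutes == null ? true : (var.idle_timeout_in_minutes >= 4 && var.idle_timeout_in_minutes <= 30)`. The `zones` variable is also declared and validated here but module.tf in the same commit reads `try(var.settings.zones, null)` and never references `var.zones`, so the `contains([...])` check guards nothing.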
@@ -0,0 +1,25 @@
+
+#
+#
+# Nat Gateway
+#
+#
+
+output "nat_gateway" {
+ value = module.nat_gateway
+}
+
+module "nat_gateway" {
+ source = "./modules/networking/nat_gateway"
+ for_each = try(local.networking.nat_gateway, {})
+
+ settings = each.value
+ name = try(each.value.name, null)
+ location = try(local.global_settings.regions[each.value.region], local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location)
+ resource_group_name = local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].name
+ subnet_id = try(local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][try(each.value.vnet.vnet_key, each.value.vnet_key)].subnets[try(each.value.vnet.subnet_key, each.value.subnet_key)].id, null)
+ public_ip_address_id = try(local.combined_objects_public_ip_addresses[try(each.value.public_ip.lz_key, local.client_config.landingzone_key)][try(each.value.public_ip.public_ip_key, each.value.public_ip_key)].id, null)
+ idle_timeout_in_minutes = try(each.value.idle_timeout_in_minutes, null)
+ tags = try(each.value.tags, null)
+ base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].tags : {}
+}
From b8c388a925d91aaff1f5a7c4a15d6aaecbd1b23b Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Tue, 13 Jul 2021 22:08:04 -0700 Subject: [PATCH 017/102] Add example --- .../networking.tfvars | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars
diff --git a/examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars b/examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars new file mode 100644 index 0000000000..fdedac218f --- /dev/null +++ b/examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars 
@@ -0,0 +1,83 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" # You can adjust the Azure Region you want to use to deploy NAT Gateway + # region2 = "eastasia" # Optional - Add additional regions + } +} +resource_groups = { + nat_gateway_re1 = { + name = "nat_gateway_re1" + region = "region1" + } +} + +vnets = { + vnet_nat_gateway_re1 = { + resource_group_key = "nat_gateway_re1" + region = "region1" + vnet = { + name = "vnet_nat_gateway_re1" + address_space = ["10.100.80.0/22"] + } + subnets = { + subnet1 = { + name = "subnet1" + cidr = ["10.100.81.0/24"] + } + subnet2 = { + name = "subnet2" + cidr = ["10.100.82.0/24"] + } + } //subnets + + specialsubnets = {} + + } +} //vnets + +public_ip_addresses = { + + public_ip_nat_gateway1 = { + name = "public_ip_nat_gateway1" + region = "region1" + resource_group_key = "nat_gateway_re1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + } + public_ip_nat_gateway2 = { + name = "public_ip_nat_gateway2" + region = "region1" + resource_group_key = "nat_gateway_re1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + } +} + +nat_gateway = { + nat_gateway1 = { + name = "nat_gateway1" + region = "region1" #we need to use the CAF regions rather than using location value + idle_timeout_in_minutes = 10 #optional if not defined will default to 4 minutes + #zones = ["1"] #optional need to match public ip zone + vnet_key = "vnet_nat_gateway_re1" + subnet_key = "subnet1" + public_ip_key = "public_ip_nat_gateway1" + resource_group_key = "nat_gateway_re1" + } + + nat_gateway2 = { + name = "nat_gateway2" + region = "region1" #we need to use the CAF regions rather than using location value + idle_timeout_in_minutes = 10 #optional if not defined will default to 4 minutes + #zones = ["1"] #optional need to match public ip zone + vnet_key = "vnet_nat_gateway_re1" + subnet_key = "subnet2" + 
public_ip_key = "public_ip_nat_gateway2" + resource_group_key = "nat_gateway_re1" + } +} \ No newline at end of file From 0a0c5a74bb9861f5862aefd5f9b98343818de58c Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Tue, 13 Jul 2021 22:12:03 -0700 Subject: [PATCH 018/102] updated integration test with nat gateway example --- .github/workflows/standalone-scenarios.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index f70c0563b9..40d8515f0f 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -92,6 +92,7 @@ "networking/load_balancers/102-internal-load-balancer", "networking/load_balancers/103-load-balancer-nic-association", "networking/load_balancers/104-load-balancer-diagnostics", + "networking/nat_gateway/100-nat_gateway-with_public_ip", "networking/private_dns/100-private-dns-vnet-links", "networking/private_links/endpoints/centralized", "networking/virtual_network_gateway/100-expressroute-gateway", From bffc7d50b6060b9f21384d5549fd0eac35df12e7 Mon Sep 17 00:00:00 2001 
From: naeemdhby Date: Tue, 13 Jul 2021 23:13:53 -0700 Subject: [PATCH 019/102] rename nat_gateway > nat_gateways --- .github/workflows/standalone-scenarios.json | 2 +- .../100-nat_gateways-with_public_ip}/networking.tfvars | 2 +- locals.combined_objects.tf | 2 +- locals.tf | 2 +- modules/networking/{nat_gateway => nat_gateways}/main.tf | 0 .../networking/{nat_gateway => nat_gateways}/module.tf | 0 .../networking/{nat_gateway => nat_gateways}/output.tf | 2 +- .../public_ip_association/module.tf | 0 .../public_ip_association/variables.tf | 0 .../subnet_association/module.tf | 0 .../subnet_association/variables.tf | 0 .../networking/{nat_gateway => nat_gateways}/variables.tf | 0 networking_nat_gateway.tf => networking_nat_gateways.tf | 8 ++++---- 13 files changed, 9 insertions(+), 9 deletions(-) rename examples/networking/{nat_gateway/100-nat_gateway-with_public_ip => nat_gateways/100-nat_gateways-with_public_ip}/networking.tfvars (99%) rename modules/networking/{nat_gateway => nat_gateways}/main.tf (100%) rename modules/networking/{nat_gateway => nat_gateways}/module.tf (100%) rename modules/networking/{nat_gateway => nat_gateways}/output.tf (88%) rename modules/networking/{nat_gateway => nat_gateways}/public_ip_association/module.tf (100%) rename modules/networking/{nat_gateway => nat_gateways}/public_ip_association/variables.tf (100%) rename modules/networking/{nat_gateway => nat_gateways}/subnet_association/module.tf (100%) rename modules/networking/{nat_gateway => nat_gateways}/subnet_association/variables.tf (100%) rename modules/networking/{nat_gateway => nat_gateways}/variables.tf (100%) rename networking_nat_gateway.tf => networking_nat_gateways.tf (90%) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 40d8515f0f..a839142ba2 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -92,7 +92,7 @@ "networking/load_balancers/102-internal-load-balancer", "networking/load_balancers/103-load-balancer-nic-association", "networking/load_balancers/104-load-balancer-diagnostics", - "networking/nat_gateway/100-nat_gateway-with_public_ip", + "networking/nat_gateways/100-nat_gateways-with_public_ip", "networking/private_dns/100-private-dns-vnet-links", "networking/private_links/endpoints/centralized", "networking/virtual_network_gateway/100-expressroute-gateway", diff --git a/examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars b/examples/networking/nat_gateways/100-nat_gateways-with_public_ip/networking.tfvars similarity index 99% rename from examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars rename to examples/networking/nat_gateways/100-nat_gateways-with_public_ip/networking.tfvars index fdedac218f..f805344e72 100644 --- a/examples/networking/nat_gateway/100-nat_gateway-with_public_ip/networking.tfvars +++ b/examples/networking/nat_gateways/100-nat_gateways-with_public_ip/networking.tfvars @@ -58,7 +58,7 @@ public_ip_addresses = { } } -nat_gateway = { +nat_gateways = { nat_gateway1 = { name = "nat_gateway1" region = "region1" #we need to use the CAF regions rather than using location value diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 87826bde42..71639150af 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -44,7 +44,7 @@ locals { combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) - combined_objects_nat_gateway = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateway }), try(var.remote_objects.nat_gateway, {})) + combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateway }), try(var.remote_objects.nat_gateways, {})) combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), try(var.remote_objects.network_security_groups, {})) combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), try(var.remote_objects.network_watchers, {})) combined_objects_networking = merge(tomap({ (local.client_config.landingzone_key) = module.networking }), try(var.remote_objects.vnets, {})) diff --git a/locals.tf b/locals.tf index c5d075f6f0..eff85d0992 100755 --- a/locals.tf +++ b/locals.tf @@ -202,7 +202,7 @@ locals { ip_groups = try(var.networking.ip_groups, {}) load_balancers = try(var.networking.load_balancers, {}) local_network_gateways = try(var.networking.local_network_gateways, {}) - nat_gateway = try(var.networking.nat_gateway, {}) + nat_gateways = try(var.networking.nat_gateways, {}) network_security_group_definition = try(var.networking.network_security_group_definition, {}) network_watchers = try(var.networking.network_watchers, {}) private_dns = try(var.networking.private_dns, {}) 
diff --git a/modules/networking/nat_gateway/main.tf b/modules/networking/nat_gateways/main.tf similarity index 100% rename from modules/networking/nat_gateway/main.tf rename to modules/networking/nat_gateways/main.tf diff --git a/modules/networking/nat_gateway/module.tf b/modules/networking/nat_gateways/module.tf similarity index 100% rename from modules/networking/nat_gateway/module.tf rename to modules/networking/nat_gateways/module.tf diff --git a/modules/networking/nat_gateway/output.tf b/modules/networking/nat_gateways/output.tf similarity index 88% rename from modules/networking/nat_gateway/output.tf rename to modules/networking/nat_gateways/output.tf index 545cb2e4c0..f886d17c50 100644 --- a/modules/networking/nat_gateway/output.tf +++ b/modules/networking/nat_gateways/output.tf @@ -1,4 +1,4 @@ -output "nat_gateway" { +output "nat_gateways" { value = azurerm_nat_gateway.nat_gateway description = "Nat Gateway object" } diff --git a/modules/networking/nat_gateway/public_ip_association/module.tf b/modules/networking/nat_gateways/public_ip_association/module.tf similarity index 100% rename from modules/networking/nat_gateway/public_ip_association/module.tf rename to modules/networking/nat_gateways/public_ip_association/module.tf diff --git a/modules/networking/nat_gateway/public_ip_association/variables.tf b/modules/networking/nat_gateways/public_ip_association/variables.tf similarity index 100% rename from modules/networking/nat_gateway/public_ip_association/variables.tf rename to modules/networking/nat_gateways/public_ip_association/variables.tf diff --git a/modules/networking/nat_gateway/subnet_association/module.tf b/modules/networking/nat_gateways/subnet_association/module.tf similarity index 100% rename from modules/networking/nat_gateway/subnet_association/module.tf rename to modules/networking/nat_gateways/subnet_association/module.tf 
diff --git a/modules/networking/nat_gateway/subnet_association/variables.tf b/modules/networking/nat_gateways/subnet_association/variables.tf similarity index 100% rename from modules/networking/nat_gateway/subnet_association/variables.tf rename to modules/networking/nat_gateways/subnet_association/variables.tf diff --git a/modules/networking/nat_gateway/variables.tf b/modules/networking/nat_gateways/variables.tf similarity index 100% rename from modules/networking/nat_gateway/variables.tf rename to modules/networking/nat_gateways/variables.tf diff --git a/networking_nat_gateway.tf b/networking_nat_gateways.tf similarity index 90% rename from networking_nat_gateway.tf rename to networking_nat_gateways.tf index a817eec1df..cb43282314 100644 --- a/networking_nat_gateway.tf +++ b/networking_nat_gateways.tf @@ -5,13 +5,13 @@ # # -output "nat_gateway" { +output "nat_gateways" { value = module.nat_gateway } -module "nat_gateway" { - source = "./modules/networking/nat_gateway" - for_each = try(local.networking.nat_gateway, {}) +module "nat_gateways" { + source = "./modules/networking/nat_gateways" + for_each = try(local.networking.nat_gateways, {}) settings = each.value name = try(each.value.name, null) From a44335c7069f386fe1813154aaa35d5d00cc15d3 Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Tue, 13 Jul 2021 23:23:15 -0700 Subject: [PATCH 020/102] rename example folder --- .../networking.tfvars | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename examples/networking/nat_gateways/{100-nat_gateways-with_public_ip => 100-nat-gateways-with-public-ip}/networking.tfvars (100%) diff --git a/examples/networking/nat_gateways/100-nat_gateways-with_public_ip/networking.tfvars b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars similarity index 100% rename from examples/networking/nat_gateways/100-nat_gateways-with_public_ip/networking.tfvars rename to examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars 
From 2c9d626b353f3f6d2d39e22bf0d3d8bdfcdd4453 Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Tue, 13 Jul 2021 23:39:18 -0700 Subject: [PATCH 021/102] adding the missed renamed module --- locals.combined_objects.tf | 2 +- networking_nat_gateways.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 71639150af..1720140d0b 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -44,7 +44,7 @@ locals { combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) - combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateway }), try(var.remote_objects.nat_gateways, {})) + combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), try(var.remote_objects.nat_gateways, {})) combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), try(var.remote_objects.network_security_groups, {})) combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), try(var.remote_objects.network_watchers, {})) combined_objects_networking = merge(tomap({ (local.client_config.landingzone_key) = module.networking }), try(var.remote_objects.vnets, {})) diff --git a/networking_nat_gateways.tf b/networking_nat_gateways.tf index cb43282314..2614c82e1a 100644 --- a/networking_nat_gateways.tf +++ b/networking_nat_gateways.tf 
@@ -6,7 +6,7 @@ # output "nat_gateways" { - value = module.nat_gateway + value = module.nat_gateways } module "nat_gateways" { From 3933b266ee8bbfb787a98c70181199c1c916357e Mon Sep 17 00:00:00 2001 From: Scott Date: Wed, 14 Jul 2021 18:54:13 +1000 Subject: [PATCH 022/102] adding probe example --- .../100-simple-app-gateway/application.tfvars | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/examples/app_gateway/100-simple-app-gateway/application.tfvars b/examples/app_gateway/100-simple-app-gateway/application.tfvars index 9aac68047a..b872eb3bf1 100644 --- a/examples/app_gateway/100-simple-app-gateway/application.tfvars +++ b/examples/app_gateway/100-simple-app-gateway/application.tfvars @@ -24,6 +24,7 @@ application_gateway_applications = { port = 443 protocol = "Https" pick_host_name_from_backend_address = true + probe_key = "probe_1" } backend_pool = { @@ -32,5 +33,20 @@ application_gateway_applications = { ] } + probes = { + probe_1 = { + name = "probe-backend-443" + protocol = "Https" + path = "/status-0123456789abcdef" + host = "cafdemo.appserviceenvironment.net" + interval = 30 + timeout = 30 + unhealthy_threshold = 3 + match = { + status_code = ["200-399"] + } + } + } + } } \ No newline at end of file From 2d5f9c01cfb606242fffc863e66a444cad6c960e Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Wed, 14 Jul 2021 15:05:22 -0700 Subject: [PATCH 023/102] change example, change output, use for_each instead of count, remove var.zone --- .../networking.tfvars | 2 -- modules/networking/nat_gateways/output.tf | 4 +-- modules/networking/nat_gateways/variables.tf | 29 +++++-------------- networking_nat_gateways.tf | 2 +- 4 files changed, 10 insertions(+), 27 deletions(-) diff --git a/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars index f805344e72..a95f22016d 100644 
--- a/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars +++ b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars @@ -65,8 +65,6 @@ nat_gateways = { idle_timeout_in_minutes = 10 #optional if not defined will default to 4 minutes #zones = ["1"] #optional need to match public ip zone vnet_key = "vnet_nat_gateway_re1" - subnet_key = "subnet1" - public_ip_key = "public_ip_nat_gateway1" resource_group_key = "nat_gateway_re1" } diff --git a/modules/networking/nat_gateways/output.tf b/modules/networking/nat_gateways/output.tf index f886d17c50..1d376bb060 100644 --- a/modules/networking/nat_gateways/output.tf +++ b/modules/networking/nat_gateways/output.tf @@ -1,5 +1,5 @@ -output "nat_gateways" { - value = azurerm_nat_gateway.nat_gateway +output "nat_gateways_resource_guid" { + value = azurerm_nat_gateway.nat_gateway.resource_guid description = "Nat Gateway object" } output "id" { diff --git a/modules/networking/nat_gateways/variables.tf b/modules/networking/nat_gateways/variables.tf index 718373fad5..56123c1479 100644 --- a/modules/networking/nat_gateways/variables.tf +++ b/modules/networking/nat_gateways/variables.tf @@ -2,8 +2,12 @@ variable "settings" {} variable "name" {} variable "location" {} variable "resource_group_name" {} -variable "subnet_id" {} -variable "public_ip_address_id" {} +variable "subnet_id" { + default = "" +} +variable "public_ip_address_id" { + default = "" +} variable "idle_timeout_in_minutes" { description = "(Optional) Specifies the timeout for the TCP idle connection. The value can be set between 4 and 30 minutes." type = number 
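Review bot: `output "nat_gateways_resource_guid"` now returns `azurerm_nat_gateway.nat_gateway.resource_guid` but keeps the old `description = "Nat Gateway object"`; it should read `description = "Nat Gateway resource GUID"`. Dropping the whole-object output also narrows what the root `output "nat_gateways"` exposes, so any consumer that read the previous `nat_gateways` attribute of the module would break, which the commit message does not mention. In the variables.tf hunk, `subnet_id` and `public_ip_address_id` now default to `""` rather than `null`; since the association sub-modules pass these straight to azurerm resources, a comment noting that the empty string is only safe because `count` in module.tf keys off the settings keys would help a future reader.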
@@ -14,16 +18,6 @@ variable "idle_timeout_in_minutes" { error_message = "Provide an allowed value as defined in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway#idle_timeout_in_minutes." } } -variable "zones" { - description = "(Optional) The availability zone to allocate the Public IP in. Possible values are Zone-Redundant, 1, 2, 3, and No-Zone. Defaults to Zone-Redundant." - type = string - default = "" - - validation { - condition = contains(["", "1", "2", "3"], var.zones) - error_message = "Provide an allowed value as defined in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway#zones." - } -} variable "base_tags" { default = {} } @@ -31,13 +25,4 @@ variable "tags" { description = "(Optional) Tags for the resource to be deployed." default = null type = map(any) -} -variable "diagnostics" { - description = "(Optional) Diagnostics objects where to deploy the diagnostics profiles." - default = {} -} - -variable "diagnostic_profiles" { - description = "(Optional) Diagnostics profile settings to be deployed for the resource." - default = {} -} +} \ No newline at end of file diff --git a/networking_nat_gateways.tf b/networking_nat_gateways.tf index 2614c82e1a..39c5994311 100644 --- a/networking_nat_gateways.tf +++ b/networking_nat_gateways.tf @@ -1,7 +1,7 @@ # # -# Nat Gateway +# Nat Gateways # # From e983c0f3625475a65a0c9223e345d2a3d9321c73 Mon Sep 17 00:00:00 2001 From: naeemdhby Date: Wed, 14 Jul 2021 16:58:46 -0700 Subject: [PATCH 024/102] removing extra vnet and PIP from example --- .../networking.tfvars | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars index a95f22016d..794419d8c7 100644 --- a/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars 
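Review bot: The second variables.tf hunk deletes `diagnostics` and `diagnostic_profiles`, which were the module's only inputs for wiring diagnostic settings, so NAT gateway telemetry can no longer be routed through this module, and the commit message does not say why. If the provider exposes nothing useful to collect for this resource, a one-line comment saying so would stop the variables from being re-added later; otherwise keep the two variables with their `default = {}`. The root-level caller in `networking_nat_gateways.tf` is not visible here, so whether it still passes these arguments — which would now fail as unsupported — cannot be confirmed from the patch.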
+++ b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars @@ -25,10 +25,6 @@ vnets = { name = "subnet1" cidr = ["10.100.81.0/24"] } - subnet2 = { - name = "subnet2" - cidr = ["10.100.82.0/24"] - } } //subnets specialsubnets = {} @@ -47,15 +43,6 @@ public_ip_addresses = { ip_version = "IPv4" idle_timeout_in_minutes = "4" } - public_ip_nat_gateway2 = { - name = "public_ip_nat_gateway2" - region = "region1" - resource_group_key = "nat_gateway_re1" - sku = "Standard" - allocation_method = "Static" - ip_version = "IPv4" - idle_timeout_in_minutes = "4" - } } nat_gateways = { @@ -74,8 +61,8 @@ nat_gateways = { idle_timeout_in_minutes = 10 #optional if not defined will default to 4 minutes #zones = ["1"] #optional need to match public ip zone vnet_key = "vnet_nat_gateway_re1" - subnet_key = "subnet2" - public_ip_key = "public_ip_nat_gateway2" + subnet_key = "subnet1" + public_ip_key = "public_ip_nat_gateway1" resource_group_key = "nat_gateway_re1" } } \ No newline at end of file From cb1f739dec0ee09672ba693aa4d19faae3fcf86c Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 15 Jul 2021 01:34:54 +0000 Subject: [PATCH 025/102] Adding try #574 --- modules/networking/application_gateway/application_gateway.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index d2bd11eacb..fd1d8dc6ae 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -140,7 +140,7 @@ resource "azurerm_application_gateway" "agw" { } } dynamic "probe" { - for_each = local.probes + for_each = try(local.probes) content { name = probe.value.name 
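Review bot: `for_each = try(local.probes)` has no fallback argument, so `try()` cannot catch anything here and the line behaves exactly like `for_each = local.probes`; the commit subject "Adding try" suggests a default was intended. If the goal is to tolerate a missing or null `local.probes`, write `for_each = try(local.probes, {})`; otherwise drop the wrapper. The same single-argument form reappears as `for_each = try(local.rewrite_rule_sets)` in PATCH 035.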
@@ -175,7 +175,7 @@ resource "azurerm_application_gateway" "agw" { pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false) trusted_root_certificate_names = try(backend_http_settings.value.trusted_root_certificate_names, null) host_name = try(backend_http_settings.value.host_name, null) - probe_name = local.probes[format("%s-%s",backend_http_settings.key, backend_http_settings.value.probe_key)].name + probe_name = try(local.probes[format("%s-%s",backend_http_settings.key, backend_http_settings.value.probe_key)].name, null) } } From 0f683c3e06cd7e765565287d5343a52b277e1c18 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 15 Jul 2021 02:02:49 +0000 Subject: [PATCH 026/102] Keep old outputs for backward compat --- modules/compute/virtual_machine/output.tf | 1 + modules/compute/virtual_machine_scale_set/output.tf | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/compute/virtual_machine/output.tf b/modules/compute/virtual_machine/output.tf index e83716c908..c5830f26a8 100755 --- a/modules/compute/virtual_machine/output.tf +++ b/modules/compute/virtual_machine/output.tf @@ -38,6 +38,7 @@ output "ssh_keys" { keyvault_id = local.keyvault.id ssh_private_key_pem = azurerm_key_vault_secret.ssh_private_key[local.os_type].name ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name + ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name #for backard compat, wrong name, will be removed in future version. } : null } diff --git a/modules/compute/virtual_machine_scale_set/output.tf b/modules/compute/virtual_machine_scale_set/output.tf index 307922ac87..246e514d23 100644 --- a/modules/compute/virtual_machine_scale_set/output.tf +++ b/modules/compute/virtual_machine_scale_set/output.tf 
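Review bot: Wrapping `probe_name` in `try(..., null)` makes a mistyped or unknown `probe_key` silently produce backend HTTP settings with no health probe instead of a plan-time error, which is the kind of drift that goes unnoticed until an unhealthy backend keeps receiving traffic. Only the absence of `probe_key` should default to null; a key that is present but unresolvable should still fail: `probe_name = try(backend_http_settings.value.probe_key, null) == null ? null : local.probes[format("%s-%s", backend_http_settings.key, backend_http_settings.value.probe_key)].name`. The enclosing `backend_http_settings` block starts outside the hunk.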
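Review bot: The new `ssh_private_key_open_ssh` entry is assigned `azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name` — a key named "private" that resolves to the public-key secret name — and the trailing comment only says "wrong name". A consumer reading this output in the expectation of the private key's secret will look up the wrong Key Vault secret, so the alias should say what it actually is and when it goes away, e.g. `# deprecated alias of ssh_public_key_open_ssh (historical misnomer: it names the PUBLIC key secret); removed in a future version`. The identical line is added to the scale set output in PATCH 026's second hunk. "backard" is also a typo for "backward".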
@@ -28,5 +28,6 @@ output "ssh_keys" { keyvault_id = local.keyvault.id ssh_private_key_pem = azurerm_key_vault_secret.ssh_private_key[local.os_type].name ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name + ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name #for backard compat, wrong name, will be removed in future version. } : null } From 55f0084ca1f68d817bef5922b0a210a8938c4b76 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 15 Jul 2021 02:48:44 +0000 Subject: [PATCH 027/102] Adding nat_gateways in example LZ and name convention todo --- examples/module.tf | 1 + .../networking.tfvars | 2 +- examples/variables.tf | 3 +++ modules/networking/nat_gateways/module.tf | 18 ++++++++++++------ 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/examples/module.tf b/examples/module.tf index 14e46c12d5..47e9419980 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -137,6 +137,7 @@ module "example" { ip_groups = var.ip_groups load_balancers = var.load_balancers local_network_gateways = var.local_network_gateways + nat_gateways = var.nat_gateways network_security_group_definition = var.network_security_group_definition network_watchers = var.network_watchers private_dns = var.private_dns diff --git a/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars index 794419d8c7..8d1e9d3766 100644 --- a/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars +++ b/examples/networking/nat_gateways/100-nat-gateways-with-public-ip/networking.tfvars 
@@ -51,7 +51,7 @@ nat_gateways = { region = "region1" #we need to use the CAF regions rather than using location value idle_timeout_in_minutes = 10 #optional if not defined will default to 4 minutes #zones = ["1"] #optional need to match public ip zone - vnet_key = "vnet_nat_gateway_re1" + #vnet_key = "vnet_nat_gateway_re1" resource_group_key = "nat_gateway_re1" } diff --git a/examples/variables.tf b/examples/variables.tf index 5c4da7e73e..b204df9a88 100755 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -551,4 +551,7 @@ variable "storage_account_queues" { } variable "storage_account_blobs" { default = {} +} +variable "nat_gateways" { + default = {} } \ No newline at end of file diff --git a/modules/networking/nat_gateways/module.tf b/modules/networking/nat_gateways/module.tf index bcc1435df7..a01d87dda6 100644 --- a/modules/networking/nat_gateways/module.tf +++ b/modules/networking/nat_gateways/module.tf @@ -1,3 +1,15 @@ +#TODO: Implement right naming convention +# resource "azurecaf_name" "nat_gateway" { +# name = var.name +# resource_type = "azurerm_nat_gateway" +# prefixes = var.global_settings.prefixes +# random_length = var.global_settings.random_length +# clean_input = true +# passthrough = var.global_settings.passthrough +# use_slug = var.global_settings.use_slug +# } + + resource "azurerm_nat_gateway" "nat_gateway" { name = var.name location = var.location @@ -7,9 +19,6 @@ resource "azurerm_nat_gateway" "nat_gateway" { tags = local.tags } - - - module "nat_gateway_subnet" { count = try(var.settings.subnet_key, null) == null ? 0 : 1 source = "./subnet_association" @@ -18,9 +27,6 @@ module "nat_gateway_subnet" { nat_gateway_id = azurerm_nat_gateway.nat_gateway.id } - - - module "nat_gateway_public_ip" { count = try(var.settings.public_ip_key, null) == null ? 0 : 1 source = "./public_ip_association" From a662d87c7ceee3c062f468eb003144812fae2d65 Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux
Date: Thu, 15 Jul 2021 02:50:53 +0000
Subject: [PATCH 028/102] Outputs
---
 modules/networking/nat_gateways/output.tf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/networking/nat_gateways/output.tf b/modules/networking/nat_gateways/output.tf
index 1d376bb060..f29c403dca 100644
--- a/modules/networking/nat_gateways/output.tf
+++ b/modules/networking/nat_gateways/output.tf
@@ -1,8 +1,9 @@
-output "nat_gateways_resource_guid" {
+output "resource_guid" {
 value = azurerm_nat_gateway.nat_gateway.resource_guid
- description = "Nat Gateway object"
+ description = "The resource GUID property of the NAT Gateway."
 }
+
 output "id" {
 value = azurerm_nat_gateway.nat_gateway.id
- description = "Nat Gateway object id"
+ description = "The ID of the NAT Gateway."
 }
From 87e7b86c0287c7260ad055fabb35f51b4e735e1b Mon Sep 17 00:00:00 2001
From: Swetha Sundar
Date: Thu, 15 Jul 2021 05:06:10 +0000
Subject: [PATCH 029/102] Add support for a user managed identity while creating AKS cluster
---
 modules/compute/aks/aks.tf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf
index 1777e018b4..e129231e3f 100644
--- a/modules/compute/aks/aks.tf
+++ b/modules/compute/aks/aks.tf
@@ -146,10 +146,15 @@ resource "azurerm_kubernetes_cluster" "aks" { disk_encryption_set_id = try(var.settings.disk_encryption_set_id, null) dynamic "identity" { - for_each = try(var.settings.identity[*], {}) + for_each = try(var.settings.identity, null) == null ? [] : [1] content { - type = identity.value.type + type = var.settings.identity.type + user_assigned_identity_id = lower(var.settings.identity.type) == "userassigned" ? coalesce( + try(var.settings.identity.user_assigned_identity_id, null), + try(var.managed_identities[var.settings.identity.lz_key][var.settings.identity.managed_identity_key].id, null), + try(var.managed_identities[var.client_config.landingzone_key][var.settings.identity.managed_identity_key].id, null) + ) : null } } From 5df412591cd519b4d492e20edbf6653846b98d06 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Thu, 15 Jul 2021 05:55:30 +0000 Subject: [PATCH 030/102] BugFix: Fix the private dns zone id key and variables in the aks module --- aks_clusters.tf | 3 +-- modules/compute/aks/aks.tf | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/aks_clusters.tf b/aks_clusters.tf index 607e9a85fe..727566a2bd 100755 --- a/aks_clusters.tf +++ b/aks_clusters.tf 
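Review bot: The new `user_assigned_identity_id` expression reads `var.managed_identities`, but the module does not declare that variable until PATCH 031 (`modules/compute/aks/variables.tf`), so at this commit the module fails validation on an undeclared variable; the variable and its root wiring belong in the same commit as the code that uses it. Separately, when `type` is `UserAssigned` and none of the three lookups resolve, `coalesce()` stops with Terraform's generic "no non-null arguments" message that never names the missing `managed_identity_key`, so a short comment above the call stating the resolution order — explicit `user_assigned_identity_id`, then the identity under `lz_key`, then the identity in the current landing zone — would save the next reader a debugging round. The `azurerm_kubernetes_cluster` resource starts outside the hunk.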
@@ -15,8 +15,7 @@ module "aks_clusters" { settings = each.value subnets = lookup(each.value, "lz_key", null) == null ? local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].subnets : local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].subnets resource_group = local.resource_groups[each.value.resource_group_key] - private_dns_zone_id = try(local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.key].id, null) - + private_dns_zone_id = try(local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id, null) admin_group_object_ids = try(each.value.admin_groups.azuread_group_keys, null) == null ? null : try(each.value.admin_groups.ids, [ for group_key in try(each.value.admin_groups.azuread_groups.keys, {}) : local.combined_objects_azuread_groups[local.client_config.landingzone_key][group_key].id ]) diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index 1777e018b4..a95bd86213 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf @@ -212,7 +212,7 @@ resource "azurerm_kubernetes_cluster" "aks" { node_resource_group = azurecaf_name.rg_node.result private_cluster_enabled = try(var.settings.private_cluster_enabled, false) - private_dns_zone_id = try(var.settings.private_dns_zone_id, null) + private_dns_zone_id = var.private_dns_zone_id lifecycle { ignore_changes = [ From 8867e605fad5971cb57777aadc478b63e55b13a5 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Thu, 15 Jul 2021 06:03:25 +0000 Subject: [PATCH 031/102] Add variable for managed identities --- aks_clusters.tf | 1 + modules/compute/aks/variables.tf | 3 +++ 2 files changed, 4 insertions(+) diff --git a/aks_clusters.tf b/aks_clusters.tf index 607e9a85fe..99a615373b 100755 --- a/aks_clusters.tf +++ b/aks_clusters.tf 
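Review bot: `private_dns_zone_id` is still wrapped in `try(..., null)` after the key fix, so a `private_dns_zone.key` that is set but not found in `local.combined_objects_private_dns` yields null and the private cluster is created with a provider-managed zone rather than the one the configuration named — a silent change of DNS placement for a private cluster. Let only the absent case default: `private_dns_zone_id = try(each.value.private_dns_zone.key, null) == null ? null : local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id`. In the aks.tf hunk, replacing `try(var.settings.private_dns_zone_id, null)` with `var.private_dns_zone_id` drops support for an id given directly in settings; if that form was in use, `try(var.settings.private_dns_zone_id, var.private_dns_zone_id)` keeps both. The `module "aks_clusters"` block starts outside the hunk.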
@@ -16,6 +16,7 @@ module "aks_clusters" { subnets = lookup(each.value, "lz_key", null) == null ? local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].subnets : local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].subnets resource_group = local.resource_groups[each.value.resource_group_key] private_dns_zone_id = try(local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.key].id, null) + managed_identities = local.combined_objects_managed_identities admin_group_object_ids = try(each.value.admin_groups.azuread_group_keys, null) == null ? null : try(each.value.admin_groups.ids, [ for group_key in try(each.value.admin_groups.azuread_groups.keys, {}) : local.combined_objects_azuread_groups[local.client_config.landingzone_key][group_key].id diff --git a/modules/compute/aks/variables.tf b/modules/compute/aks/variables.tf index 8b704dfe74..52e44c4bb2 100755 --- a/modules/compute/aks/variables.tf +++ b/modules/compute/aks/variables.tf @@ -17,4 +17,7 @@ variable "diagnostic_profiles" { } variable "private_dns_zone_id" { default = null +} +variable "managed_identities" { + default = {} } \ No newline at end of file From b4e84db0d20c3f6b7042582d6277aa9c15be4a39 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Thu, 15 Jul 2021 06:44:29 +0000 Subject: [PATCH 032/102] refactor: add parent local_combined_resources obj refactor for consumption_budgets_resource_groups --- consumption_budgets.tf | 11 ++++++----- .../configuration.tfvars | 10 ++++++---- .../configuration.tfvars | 10 ++++++---- .../resource_group/resource_group_budget.tf | 16 ++++++++-------- .../resource_group/variables.tf | 8 ++------ 5 files changed, 28 insertions(+), 27 deletions(-) diff --git a/consumption_budgets.tf b/consumption_budgets.tf index 46ed2956a7..f16fa507a7 100644 --- a/consumption_budgets.tf +++ b/consumption_budgets.tf 
@@ -5,11 +5,12 @@ module "consumption_budgets_resource_groups" { if try(value.resource_group, null) != null } - client_config = local.client_config - global_settings = local.global_settings - monitor_action_groups = local.combined_objects_monitor_action_groups - # lz_key used in dimension to reference remote state - resource_groups = local.combined_objects_resource_groups + local_combined_resources = { + monitor_action_groups = local.combined_objects_monitor_action_groups, + resource_groups = local.combined_objects_resource_groups, + } + client_config = local.client_config + global_settings = local.global_settings settings = each.value } diff --git a/examples/consumption_budget/100-consumption-budget-rg/configuration.tfvars b/examples/consumption_budget/100-consumption-budget-rg/configuration.tfvars index c3d1ffdfc5..de7d160a4a 100644 --- a/examples/consumption_budget/100-consumption-budget-rg/configuration.tfvars +++ b/examples/consumption_budget/100-consumption-budget-rg/configuration.tfvars @@ -64,9 +64,10 @@ consumption_budgets = { "example", ] }, - resource_group_key = { + resource_key = { # lz_key = "examples" - name = "resource_group_key" + name = "resource_key" + resource_key = "resource_groups" values = [ "test", ] @@ -94,9 +95,10 @@ consumption_budgets = { # # "example", # # ] # # }, - # resource_group_key = { + # resource_key = { # # lz_key = "examples" - # name = "resource_group_key" + # name = "resource_key" + # resource_key = "resource_groups" # values = [ # "test", # ] diff --git a/examples/consumption_budget/102-consumption-budget-rg-alerts/configuration.tfvars b/examples/consumption_budget/102-consumption-budget-rg-alerts/configuration.tfvars index e58440852c..b5cac485f2 100644 --- a/examples/consumption_budget/102-consumption-budget-rg-alerts/configuration.tfvars +++ b/examples/consumption_budget/102-consumption-budget-rg-alerts/configuration.tfvars 
@@ -81,9 +81,10 @@ consumption_budgets = { "example", ] }, - resource_group_key = { + resource_key = { # lz_key = "examples" - name = "resource_group_key" + name = "resource_key" + resource_key = "resource_groups" values = [ "test", ] @@ -111,9 +112,10 @@ consumption_budgets = { # # "example", # # ] # # }, - # resource_group_key = { + # resource_key = { # # lz_key = "examples" - # name = "resource_group_key" + # name = "resource_key" + # resource_key = "resource_groups" # values = [ # "test", # ] diff --git a/modules/consumption_budget/resource_group/resource_group_budget.tf b/modules/consumption_budget/resource_group/resource_group_budget.tf index 8963e5d0a6..69fb0cdaa2 100755 --- a/modules/consumption_budget/resource_group/resource_group_budget.tf +++ b/modules/consumption_budget/resource_group/resource_group_budget.tf @@ -12,7 +12,7 @@ resource "azurerm_consumption_budget_resource_group" "this" { name = azurecaf_name.this_name.result resource_group_id = coalesce( try(var.settings.resource_group.id, null), - try(var.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].id, null) + try(var.local_combined_resources["resource_groups"][try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].id, null) ) amount = var.settings.amount @@ -32,7 +32,7 @@ resource "azurerm_consumption_budget_resource_group" "this" { contact_emails = try(notification.value.contact_emails, []) contact_groups = try(notification.value.contact_groups, try(flatten([ - for key, value in var.monitor_action_groups[try(notification.value.lz_key, var.client_config.landingzone_key)] : value.id + for key, value in var.local_combined_resources["monitor_action_groups"][try(notification.value.lz_key, var.client_config.landingzone_key)] : value.id if contains(notification.value.contact_groups_keys, key) ]), []) ) 
@@ -48,7 +48,7 @@ resource "azurerm_consumption_budget_resource_group" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.dimensions, {}) : key => value - if lower(value.name) != "resource_group_key" + if lower(value.name) != "resource_key" } content { @@ -61,14 +61,14 @@ resource "azurerm_consumption_budget_resource_group" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.dimensions, {}) : key => value - if lower(value.name) == "resource_group_key" + if lower(value.name) == "resource_key" } content { name = "ResourceId" operator = try(dimension.value.operator, "In") values = try(flatten([ - for key, value in var.resource_groups[try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id + for key, value in var.local_combined_resources[dimension.value.resource_key][try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id if contains(dimension.value.values, key) ]), []) } @@ -93,7 +93,7 @@ resource "azurerm_consumption_budget_resource_group" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.not.dimension, {}) : key => value - if lower(value.name) != "resource_group_key" + if lower(value.name) != "resource_key" } content { @@ -106,14 +106,14 @@ resource "azurerm_consumption_budget_resource_group" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.not.dimension, {}) : key => value - if lower(value.name) == "resource_group_key" + if lower(value.name) == "resource_key" } content { name = "ResourceId" operator = try(dimension.value.operator, "In") values = try(flatten([ - for key, value in var.resource_groups[try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id + for key, value in var.local_combined_resources[dimension.value.resource_key][try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id if contains(dimension.value.values, key) ]), []) } 
diff --git a/modules/consumption_budget/resource_group/variables.tf b/modules/consumption_budget/resource_group/variables.tf
index 0b3d3b48e3..2d7d2c131d 100755
--- a/modules/consumption_budget/resource_group/variables.tf
+++ b/modules/consumption_budget/resource_group/variables.tf
@@ -6,12 +6,8 @@ variable "global_settings" {
 description = "Global settings object"
 }
-variable "monitor_action_groups" {
- description = "Map of monitor action group keys to monitor action groups group ids"
-}
-
-variable "resource_groups" {
- description = "Map of resource group keys to resource group attributes"
+variable "local_combined_resources" {
+ description = "object of local combined resources"
 }
 variable "settings" {
From ee9d972fb44097fb59661ebfd565d54e251748f3 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Thu, 15 Jul 2021 07:01:57 +0000
Subject: [PATCH 033/102] Path to example update
---
 .github/workflows/standalone-scenarios.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index a839142ba2..c3f39403b0 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -92,7 +92,7 @@
 "networking/load_balancers/102-internal-load-balancer",
 "networking/load_balancers/103-load-balancer-nic-association",
 "networking/load_balancers/104-load-balancer-diagnostics",
- "networking/nat_gateways/100-nat_gateways-with_public_ip",
+ "networking/nat_gateways/100-nat-gateways-with-public-ip",
 "networking/private_dns/100-private-dns-vnet-links",
 "networking/private_links/endpoints/centralized",
 "networking/virtual_network_gateway/100-expressroute-gateway",
From a86e1bf3fc20b9a45c8ceb4e2207d7fa125f0c24 Mon Sep 17 00:00:00 2001
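Review bot: `variable "local_combined_resources"` replaces two documented inputs with a description, "object of local combined resources", that no longer tells a caller which keys the module indexes; resource_group_budget.tf reads `["resource_groups"]` and `["monitor_action_groups"]` and also `[dimension.value.resource_key]` taken from user configuration. Suggest `description = "Map of combined resource maps keyed by type; must contain resource_groups and monitor_action_groups, plus any value used as resource_key in a ResourceId dimension."`. A dimension with `name = "resource_key"` that omits the `resource_key` attribute now fails on a missing attribute rather than falling back to resource groups as the old `var.resource_groups` lookup did, which is worth a line in the description or the examples. The same description appears in the subscription module's variables.tf in PATCH 034.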
From: GlennChia Date: Thu, 15 Jul 2021 07:02:45 +0000 Subject: [PATCH 034/102] refactor: add parent local_combined_resources obj refactor for consumption_budgets_subscriptions --- consumption_budgets.tf | 11 ++++++----- .../configuration.tfvars | 10 ++++++---- .../configuration.tfvars | 10 ++++++---- .../subscription/subscription_budget.tf | 14 +++++++------- .../consumption_budget/subscription/variables.tf | 8 ++------ 5 files changed, 27 insertions(+), 26 deletions(-) diff --git a/consumption_budgets.tf b/consumption_budgets.tf index f16fa507a7..cd38c99844 100644 --- a/consumption_budgets.tf +++ b/consumption_budgets.tf @@ -21,11 +21,12 @@ module "consumption_budgets_subscriptions" { if try(value.subscription, null) != null } - client_config = local.client_config - global_settings = local.global_settings - monitor_action_groups = local.combined_objects_monitor_action_groups - # lz_key used in dimension to reference remote state - resource_groups = local.combined_objects_resource_groups + local_combined_resources = { + monitor_action_groups = local.combined_objects_monitor_action_groups, + resource_groups = local.combined_objects_resource_groups, + } + client_config = local.client_config + global_settings = local.global_settings settings = each.value subscription_id = coalesce( try(each.value.subscription.id, null), diff --git a/examples/consumption_budget/101-consumption-budget-subscription/configuration.tfvars b/examples/consumption_budget/101-consumption-budget-subscription/configuration.tfvars index f699f1aeef..83d9556b0f 100644 --- a/examples/consumption_budget/101-consumption-budget-subscription/configuration.tfvars +++ b/examples/consumption_budget/101-consumption-budget-subscription/configuration.tfvars @@ -63,9 +63,10 @@ consumption_budgets = { "example", ] }, - resource_group_key = { + resource_key = { # lz_key = "examples" - name = "resource_group_key" + name = "resource_key" + resource_key = "resource_groups" values = [ "test", ] 
@@ -93,9 +94,10 @@ consumption_budgets = { # # "example", # # ] # # }, - # resource_group_key = { + # resource_key = { # # lz_key = "examples" - # name = "resource_group_key" + # name = "resource_key" + # resource_key = "resource_groups" # values = [ # "test", # ] diff --git a/examples/consumption_budget/103-consumption-budget-subscription-alerts/configuration.tfvars b/examples/consumption_budget/103-consumption-budget-subscription-alerts/configuration.tfvars index c3b5443197..b6eecef9d8 100644 --- a/examples/consumption_budget/103-consumption-budget-subscription-alerts/configuration.tfvars +++ b/examples/consumption_budget/103-consumption-budget-subscription-alerts/configuration.tfvars @@ -80,9 +80,10 @@ consumption_budgets = { "example", ] }, - resource_group_key = { + resource_key = { # lz_key = "examples" - name = "resource_group_key" + name = "resource_key" + resource_key = "resource_groups" values = [ "test", ] @@ -110,9 +111,10 @@ consumption_budgets = { # # "example", # # ] # # }, - # resource_group_key = { + # resource_key = { # # lz_key = "examples" - # name = "resource_group_key" + # name = "resource_key" + # resource_key = "resource_groups" # values = [ # "test", # ] diff --git a/modules/consumption_budget/subscription/subscription_budget.tf b/modules/consumption_budget/subscription/subscription_budget.tf index 134b491a06..5f23e62a25 100755 --- a/modules/consumption_budget/subscription/subscription_budget.tf +++ b/modules/consumption_budget/subscription/subscription_budget.tf 
@@ -29,7 +29,7 @@ resource "azurerm_consumption_budget_subscription" "this" { contact_emails = try(notification.value.contact_emails, []) contact_groups = try(notification.value.contact_groups, try(flatten([ - for key, value in var.monitor_action_groups[try(notification.value.lz_key, var.client_config.landingzone_key)] : value.id + for key, value in var.local_combined_resources["monitor_action_groups"][try(notification.value.lz_key, var.client_config.landingzone_key)] : value.id if contains(notification.value.contact_groups_keys, key) ]), []) ) @@ -45,7 +45,7 @@ resource "azurerm_consumption_budget_subscription" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.dimensions, {}) : key => value - if lower(value.name) != "resource_group_key" + if lower(value.name) != "resource_key" } content { @@ -58,14 +58,14 @@ resource "azurerm_consumption_budget_subscription" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.dimensions, {}) : key => value - if lower(value.name) == "resource_group_key" + if lower(value.name) == "resource_key" } content { name = "ResourceId" operator = try(dimension.value.operator, "In") values = try(flatten([ - for key, value in var.resource_groups[try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id + for key, value in var.local_combined_resources[dimension.value.resource_key][try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id if contains(dimension.value.values, key) ]), []) } @@ -90,7 +90,7 @@ resource "azurerm_consumption_budget_subscription" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.not.dimension, {}) : key => value - if lower(value.name) != "resource_group_key" + if lower(value.name) != "resource_key" } content { 
@@ -103,14 +103,14 @@ resource "azurerm_consumption_budget_subscription" "this" { dynamic "dimension" { for_each = { for key, value in try(var.settings.filter.not.dimension, {}) : key => value - if lower(value.name) == "resource_group_key" + if lower(value.name) == "resource_key" } content { name = "ResourceId" operator = try(dimension.value.operator, "In") values = try(flatten([ - for key, value in var.resource_groups[try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id + for key, value in var.local_combined_resources[dimension.value.resource_key][try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id if contains(dimension.value.values, key) ]), []) } diff --git a/modules/consumption_budget/subscription/variables.tf b/modules/consumption_budget/subscription/variables.tf index 973545f74c..5a2dbcffb9 100755 --- a/modules/consumption_budget/subscription/variables.tf +++ b/modules/consumption_budget/subscription/variables.tf @@ -6,12 +6,8 @@ variable "global_settings" { description = "Global settings object" } -variable "monitor_action_groups" { - description = "Map of monitor action group keys to monitor action groups group ids" -} - -variable "resource_groups" { - description = "Map of resource group keys to resource group attributes" +variable "local_combined_resources" { + description = "object of local combined resources" } variable "settings" { From 32735a2a1b1294f20d17a85e0cf69eee108dca5b Mon Sep 17 00:00:00 2001 From: Scott Date: Thu, 15 Jul 2021 20:58:19 +1000 Subject: [PATCH 035/102] Added support for rewrite rule sets --- .../application_gateway.tf | 50 +++++++++++++++++-- .../networking/application_gateway/locals.tf | 13 +++++ 2 files changed, 59 insertions(+), 4 deletions(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index fd1d8dc6ae..adc085c4c5 100644 --- a/modules/networking/application_gateway/application_gateway.tf 
+++ b/modules/networking/application_gateway/application_gateway.tf @@ -115,8 +115,7 @@ resource "azurerm_application_gateway" "agw" { backend_address_pool_name = local.backend_pools[request_routing_rule.value.app_key].name url_path_map_name = try(local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.url_path_map_name, try(local.url_path_maps[format("%s-%s", request_routing_rule.value.app_key, local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.url_path_map_key)].name, null)) - - + rewrite_rule_set_name = try(local.rewrite_rule_sets[format("%s-%s", request_routing_rule.value.app_key, local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.rewrite_rule_set_key)].name, null) } } @@ -126,6 +125,7 @@ resource "azurerm_application_gateway" "agw" { default_backend_address_pool_name = try(url_path_map.value.default_backend_address_pool_name, var.application_gateway_applications[url_path_map.value.app_key].name) default_backend_http_settings_name = try(url_path_map.value.default_backend_http_settings_name, var.application_gateway_applications[url_path_map.value.app_key].name) name = url_path_map.value.name + default_rewrite_rule_set_name = try(local.rewrite_rule_sets[format("%s-%s", url_path_map.value.app_key, url_path_map.value.default_rewrite_rule_set_key)].name, null) dynamic "path_rule" { for_each = try(url_path_map.value.path_rules, []) 
@@ -135,6 +135,7 @@ resource "azurerm_application_gateway" "agw" { backend_http_settings_name = try(var.application_gateway_applications[path_rule.value.backend_http_setting.app_key].name, var.application_gateway_applications[url_path_map.value.app_key].name) name = path_rule.value.name paths = path_rule.value.paths + rewrite_rule_set_name = try(local.rewrite_rule_sets[format("%s-%s", url_path_map.value.app_key, path_rule.value.rewrite_rule_set_key)].name, null) } } } @@ -287,9 +288,50 @@ resource "azurerm_application_gateway" "agw" { # autoscale_configuration {} - # rewrite_rule_set {} - + dynamic "rewrite_rule_set" { + for_each = try(local.rewrite_rule_sets) + content { + name = rewrite_rule_set.value.name + dynamic "rewrite_rule" { + for_each = try(rewrite_rule_set.value.rewrite_rules, {}) + content { + name = rewrite_rule.value.name + rule_sequence = rewrite_rule.value.rule_sequence + dynamic "condition" { + for_each = try(rewrite_rule.value.conditions, {}) + content { + variable = condition.value.variable + pattern = condition.value.pattern + ignore_case = try(condition.value.ignore_case, false) + negate = try(condition.value.negate, false) + } + } + dynamic "request_header_configuration" { + for_each = try(rewrite_rule.value.request_header_configurations, {}) + content { + header_name = request_header_configuration.value.header_name + header_value = request_header_configuration.value.header_value + } + } + dynamic "response_header_configuration" { + for_each = try(rewrite_rule.value.response_header_configurations, {}) + content { + header_name = response_header_configuration.value.header_name + header_value = response_header_configuration.value.header_value + } + } + dynamic "url" { + for_each = try(rewrite_rule.value.url, null) == null ? [] : [1] + content { + path = url.value.path + query_string = url.value.query_string + } + } + } + } + } + } } output "certificate_keys" { 
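Review bot: The `dynamic "url"` block iterates `[1]`, so inside it `url.value` is the literal number `1` and `url.value.path` / `url.value.query_string` are attribute lookups on a number, which fail at plan time as soon as any rewrite rule sets `url`. The iterator should carry the object itself: `for_each = try(rewrite_rule.value.url, null) == null ? [] : [rewrite_rule.value.url]`. Separately, `for_each = try(local.rewrite_rule_sets)` has no fallback argument and is just `local.rewrite_rule_sets`; write it plainly so a future reader does not assume a default exists. The enclosing `azurerm_application_gateway.agw` resource starts outside this hunk.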
diff --git a/modules/networking/application_gateway/locals.tf b/modules/networking/application_gateway/locals.tf index ce1a0fc96c..a23dae5184 100644 --- a/modules/networking/application_gateway/locals.tf +++ b/modules/networking/application_gateway/locals.tf @@ -61,6 +61,19 @@ locals { ) : format("%s-%s", probe.value.app_key, probe.value.probe_key) => probe.value } + rewrite_rule_sets = { + for rewrite_rule_set in + flatten( + [ + for app_key, config in var.application_gateway_applications : [ + for key, value in try(config.rewrite_rule_sets, []) : { + value = merge({ app_key = app_key, rewrite_rule_set_key = key }, value) + } + ] + ] + ) : format("%s-%s", rewrite_rule_set.value.app_key, rewrite_rule_set.value.rewrite_rule_set_key) => rewrite_rule_set.value + } + certificate_keys = distinct(flatten([ for key, value in local.listeners : [try(value.keyvault_certificate.certificate_key, [])] ])) From e74a99170a33b78e4cc5aec5500f1a0fece52a4f Mon Sep 17 00:00:00 2001 From: Scott Date: Thu, 15 Jul 2021 20:59:21 +1000 Subject: [PATCH 036/102] fixed formatting --- modules/networking/application_gateway/application_gateway.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index adc085c4c5..82685e9b8e 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf 
@@ -113,8 +113,8 @@ resource "azurerm_application_gateway" "agw" { http_listener_name = request_routing_rule.value.name backend_http_settings_name = local.backend_http_settings[request_routing_rule.value.app_key].name backend_address_pool_name = local.backend_pools[request_routing_rule.value.app_key].name - url_path_map_name = try(local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.url_path_map_name, try(local.url_path_maps[format("%s-%s", request_routing_rule.value.app_key, - local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.url_path_map_key)].name, null)) + url_path_map_name = try(local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.url_path_map_name, + try(local.url_path_maps[format("%s-%s", request_routing_rule.value.app_key,local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.url_path_map_key)].name, null)) rewrite_rule_set_name = try(local.rewrite_rule_sets[format("%s-%s", request_routing_rule.value.app_key, local.request_routing_rules[format("%s-%s", request_routing_rule.value.app_key, request_routing_rule.value.request_routing_rule_key)].rule.rewrite_rule_set_key)].name, null) } } From e516badb67d2421256c0bd7e39dff39c341b843e Mon Sep 17 00:00:00 2001 From: Edgar Hernandez Date: Thu, 15 Jul 2021 16:59:12 -0500 Subject: [PATCH 037/102] Fix event hub provate link issue 583 --- event_hubs.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/event_hubs.tf b/event_hubs.tf index 76709ac8d3..5e81c3f844 100755 --- a/event_hubs.tf +++ b/event_hubs.tf 
@@ -12,6 +12,10 @@ module "event_hub_namespaces" { base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].tags : {} } +output "event_hub_namespaces" { + value = module.event_hub_namespaces +} + module "event_hub_namespace_auth_rules" { source = "./modules/event_hubs/namespaces/auth_rules" for_each = try(var.event_hub_namespace_auth_rules, {}) From 653168f69145c2713ac1aa3217510125d5a9e5a9 Mon Sep 17 00:00:00 2001 From: Scott Date: Fri, 16 Jul 2021 09:46:40 +1000 Subject: [PATCH 038/102] optional handling of rewrite url --- .../networking/application_gateway/application_gateway.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index 82685e9b8e..dc0425b730 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -324,8 +324,9 @@ resource "azurerm_application_gateway" "agw" { dynamic "url" { for_each = try(rewrite_rule.value.url, null) == null ? [] : [1] content { - path = url.value.path - query_string = url.value.query_string + path = try(url.value.path,null) + query_string = try(url.value.query_string,null) + reroute = try(url.value.reroute,null) } } } From 7954029d7eba5068ec76bd8f4fc0b14411ad197c Mon Sep 17 00:00:00 2001 From: Scott Date: Fri, 16 Jul 2021 09:52:39 +1000 Subject: [PATCH 039/102] added example --- .../101-private-public/application.tfvars | 110 ++++++++++++++++++ .../application_gateways.tfvars | 5 + 2 files changed, 115 insertions(+) diff --git a/examples/app_gateway/101-private-public/application.tfvars b/examples/app_gateway/101-private-public/application.tfvars index b7d1138402..6d1015490a 100644 --- a/examples/app_gateway/101-private-public/application.tfvars 
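Review bot: The new root output `event_hub_namespaces` exposes the entire `module.event_hub_namespaces` object without `sensitive = true`; if that module's outputs include any namespace keys or connection strings (not visible in this hunk, so this is to be confirmed against the module), they would now be printed on every `apply` and readable by anyone with `terraform output` access, not only in state. I would add `sensitive = true` to the output, or restrict it to the non-secret attributes (ids, names) the private-link fix in the subject actually needs.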
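Review bot: Wrapping `url.value.path`, `url.value.query_string` and `url.value.reroute` in `try(..., null)` masks the real defect rather than making the attributes optional: the enclosing `dynamic "url"` still iterates `[1]`, so `url.value` is the number `1`, every lookup fails, and all three arguments become `null`, turning every configured URL rewrite into an empty `url` block (a silent no-op, or a provider/API rejection — which one is not visible here). The fix belongs on the iterator, `for_each = try(rewrite_rule.value.url, null) == null ? [] : [rewrite_rule.value.url]`, after which the `try` wrappers are fine as genuine optional-attribute handling. The enclosing `azurerm_application_gateway.agw` resource starts and ends outside this hunk.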
+++ b/examples/app_gateway/101-private-public/application.tfvars @@ -18,11 +18,43 @@ application_gateway_applications = { front_end_port_key = "81" host_name = "cafdemo.com" } + public_82 = { + name = "demo-app1-82-public" + front_end_ip_configuration_key = "public" + front_end_port_key = "82" + host_name = "cafdemo.com" + request_routing_rule_key = "path_based" + } } request_routing_rules = { default = { rule_type = "Basic" + #rewrite_rule_set_key = "rule_set_1" + } + path_based = { + rule_type = "PathBasedRouting" + url_path_map_key = "path_map_1" + } + } + + url_path_maps = { + path_map_1 = { + name = "path_map_1" + default_rewrite_rule_set_key = "rule_set_1" + path_rules = { + pathRuleIdentity = { + name = "pathRuleIdentity" + paths = ["/identity*"] + #rewrite_rule_set_key = "rule_set_1" + } + + pathRuleAuthorisation = { + name = "pathRuleAuthorization" + paths = ["/authorization*"] + #rewrite_rule_set_key = "rule_set_1" + } + } } } 
@@ -38,5 +70,83 @@ application_gateway_applications = { ] } + rewrite_rule_sets = { + rule_set_1 = { + name = "headers-response-processing" + rewrite_rules = { + rule_1 = { + name = "server-header-remove" + rule_sequence = 100 + #conditions = { + #condition_1 = { + #variable = "http_status" + #pattern = "200" + #ignore_case = true + #negate = false + #} + #} + response_header_configurations = { + server_header = { + header_name = "Server" + header_value = "" # Use blank value to remove header + } + } + # url = { + # path = "" + # query_string = "" + # reroute = false + # } + } + + rule_2 = { + name = "hsts-add-header" + rule_sequence = 101 + #conditions = { + #condition_1 = { + #variable = "http_status" + #pattern = "200" + #ignore_case = true + #negate = false + #} + #} + response_header_configurations = { + hsts_header = { + header_name = "Strict-Transport-Security" + header_value = "max-age=31536000" + } + } + # url = { + # path = "" + # query_string = "" + # reroute = false + # } + } + + rule_3 = { + name = "add-request-header" + rule_sequence = 102 + #conditions = { + #condition_1 = { + #variable = "http_status" + #pattern = "200" + #ignore_case = true + #negate = false + #} + #} + request_header_configurations = { + foo_header = { + header_name = "foo" + header_value = "123456" + } + } + # url = { + # path = "" + # query_string = "" + # reroute = false + # } + } + } + } + } } } \ No newline at end of file diff --git a/examples/app_gateway/101-private-public/application_gateways.tfvars b/examples/app_gateway/101-private-public/application_gateways.tfvars index 2af7549e89..ec56412f30 100644 --- a/examples/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/app_gateway/101-private-public/application_gateways.tfvars @@ -42,6 +42,11 @@ application_gateways = { port = 81 protocol = "Http" } + 82 = { + name = "http-82" + port = 82 + protocol = "Http" + } 443 = { name = "https-443" port = 443 
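Review bot: The `hsts-add-header` rule in this example is attached via `default_rewrite_rule_set_key` to `path_map_1`, which is reached from the `public_82` listener on front-end port 82 (declared as `protocol = "Http"` in the companion `application_gateways.tfvars` hunk); browsers ignore `Strict-Transport-Security` on plain-HTTP responses, so the example demonstrates a header that has no effect on that listener. A short comment would stop this being copied as-is: `# HSTS is only honoured on HTTPS responses; attach this rule set to an https listener`, and the value is usually written `"max-age=31536000; includeSubDomains"` when all sub-hosts are served over TLS. The `foo`/`123456` request-header rule is clearly a placeholder; labelling it `# example only` avoids it being mistaken for a required backend header.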
From ec3933383d744ddec553e633ed655353e759d2a3 Mon Sep 17 00:00:00 2001 From: Scott Date: Fri, 16 Jul 2021 10:00:59 +1000 Subject: [PATCH 040/102] fixed resolving of backend address pool name --- modules/networking/application_gateway/application_gateway.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index fd1d8dc6ae..f3636af2ff 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -131,7 +131,7 @@ resource "azurerm_application_gateway" "agw" { for_each = try(url_path_map.value.path_rules, []) content { - backend_address_pool_name = try(var.application_gateway_applications[path_rule.value.backend_pool.app_key].name, var.application_gateway_applications[path_rule.value.backend_pool.app_key].name) + backend_address_pool_name = try(var.application_gateway_applications[path_rule.value.backend_pool.app_key].name, var.application_gateway_applications[url_path_map.value.app_key].name) backend_http_settings_name = try(var.application_gateway_applications[path_rule.value.backend_http_setting.app_key].name, var.application_gateway_applications[url_path_map.value.app_key].name) name = path_rule.value.name paths = path_rule.value.paths From 278f74460353ef1447728a4e56d1f79507f40c65 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Fri, 16 Jul 2021 06:03:23 +0000 Subject: [PATCH 041/102] refactor: move subscription to local_comb_rsrc_obj --- consumption_budgets.tf | 6 +----- .../subscription/subscription_budget.tf | 8 ++++++-- modules/consumption_budget/subscription/variables.tf | 5 ----- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/consumption_budgets.tf b/consumption_budgets.tf index cd38c99844..52cc4a165f 100644 --- a/consumption_budgets.tf +++ b/consumption_budgets.tf 
@@ -24,15 +24,11 @@ module "consumption_budgets_subscriptions" { local_combined_resources = { monitor_action_groups = local.combined_objects_monitor_action_groups, resource_groups = local.combined_objects_resource_groups, + subscriptions = local.combined_objects_subscriptions, } client_config = local.client_config global_settings = local.global_settings settings = each.value - subscription_id = coalesce( - try(each.value.subscription.id, null), - try(local.combined_objects_subscriptions[try(each.value.subscription.lz_key, local.client_config.landingzone_key)][each.value.subscription.key].subscription_id, null), - local.client_config.subscription_id - ) } output "consumption_budgets_resource_groups" { diff --git a/modules/consumption_budget/subscription/subscription_budget.tf b/modules/consumption_budget/subscription/subscription_budget.tf index 5f23e62a25..142961c7b3 100755 --- a/modules/consumption_budget/subscription/subscription_budget.tf +++ b/modules/consumption_budget/subscription/subscription_budget.tf @@ -9,8 +9,12 @@ resource "azurecaf_name" "this_name" { } resource "azurerm_consumption_budget_subscription" "this" { - name = azurecaf_name.this_name.result - subscription_id = var.subscription_id + name = azurecaf_name.this_name.result + subscription_id = coalesce( + try(var.settings.subscription.id, null), + try(var.local_combined_resources["subscriptions"][try(var.settings.subscription.lz_key, var.client_config.landingzone_key)][var.settings.subscription.key].subscription_id, null), + var.client_config.subscription_id + ) amount = var.settings.amount time_grain = var.settings.time_grain diff --git a/modules/consumption_budget/subscription/variables.tf b/modules/consumption_budget/subscription/variables.tf index 5a2dbcffb9..e06adba891 100755 --- a/modules/consumption_budget/subscription/variables.tf +++ b/modules/consumption_budget/subscription/variables.tf 
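Review bot: Moving the `coalesce(...)` into the module keeps a silent fallback: when `settings.subscription.key` (or `lz_key`) is mistyped, the middle `try(...)` yields `null` and the budget is quietly created on `var.client_config.subscription_id`, i.e. the subscription running the deployment, rather than the one the operator named. For a spend-control resource that is a real misconfiguration risk, and the same `coalesce` existed in the root module before, so the commit does not address it. I would only fall back to the client subscription when no `subscription` block is configured at all, and let a bad key fail the plan. The enclosing `azurerm_consumption_budget_subscription.this` resource continues outside this hunk.

```terraform
resource "azurerm_consumption_budget_subscription" "this" {
  name            = azurecaf_name.this_name.result
  # Fall back to the deploying subscription only when no subscription block is given;
  # a configured but unresolvable key must fail rather than silently re-target the budget.
  subscription_id = try(var.settings.subscription, null) == null ? var.client_config.subscription_id : coalesce(
    try(var.settings.subscription.id, null),
    var.local_combined_resources["subscriptions"][try(var.settings.subscription.lz_key, var.client_config.landingzone_key)][var.settings.subscription.key].subscription_id
  )
  # … unchanged: amount, time_grain and the rest of the resource …
```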
@@ -12,9 +12,4 @@ variable "local_combined_resources" { variable "settings" { description = "Configuration object for the consumption budget subscription" -} - -variable "subscription_id" { - description = "The ID of the Subscription to create the consumption budget for" - type = string } \ No newline at end of file From 4c16187c82973613afc9fa1697b0af0a193eb287 Mon Sep 17 00:00:00 2001 From: Alexandre Proulx Date: Fri, 16 Jul 2021 14:29:50 -0400 Subject: [PATCH 042/102] Adding p2s support to virtual gateway --- .../configuration.tfvars | 106 ++++++++++++++++++ .../virtual_network_gateways/module.tf | 18 +++ 2 files changed, 124 insertions(+) create mode 100644 examples/networking/virtual_network_gateway/104-vpn-point-to-site-gateway/configuration.tfvars diff --git a/examples/networking/virtual_network_gateway/104-vpn-point-to-site-gateway/configuration.tfvars b/examples/networking/virtual_network_gateway/104-vpn-point-to-site-gateway/configuration.tfvars new file mode 100644 index 0000000000..d19087bbcd --- /dev/null +++ b/examples/networking/virtual_network_gateway/104-vpn-point-to-site-gateway/configuration.tfvars 
@@ -0,0 +1,106 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + vpngw = { + name = "example-vpn-gateway-connection" + } +} + +vnets = { + vnet_vpn = { + resource_group_key = "vpngw" + vnet = { + name = "test-vpn" + address_space = ["10.2.0.0/16"] + } + specialsubnets = { + GatewaySubnet = { + name = "GatewaySubnet" # must be named GatewaySubnet + cidr = ["10.2.1.0/24"] + } + } + subnets = {} + } +} + +public_ip_addresses = { + vngw_pip = { + name = "vngw_pip1" + resource_group_key = "vpngw" + sku = "Basic" + # Note: For UltraPerformance ExpressRoute Virtual Network gateway, the associated Public IP needs to be sku "Basic" not "Standard" + allocation_method = "Dynamic" + # allocation method needs to be Dynamic + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + } +} + +virtual_network_gateways = { + gateway1 = { + name = "mygateway" + resource_group_key = "vpngw" + type = "VPN" + sku = "VpnGw1" + private_ip_address_enabled = true + # enable_bpg defaults to false. If set, true, input the necessary parameters as well. VPN Type only + enable_bgp = false + vpn_type = "RouteBased" + # multiple IP configs are needed for active_active state. VPN Type only. 
+ ip_configuration = { + ipconfig1 = { + ipconfig_name = "gatewayIp1" + public_ip_address_key = "vngw_pip" + #lz_key = "examples" + #lz_key optional, only needed if the vnet_key is inside another landing zone + vnet_key = "vnet_vpn" + private_ip_address_allocation = "Dynamic" + } + } + vpn_client_configuration = { + vpnconfig1 = { + address_space = ["10.3.1.0/24"] + revoked_certificate = { + revoked_a = { + name = "Verizon-Global-Root-CA2" + thumbprint = "912198EEF23DCAC40939312FEE97DD560BAE49B1" + } + revoked_b = { + name = "Verizon-Global-Root-CA" + thumbprint = "912198EEF23DCAC40939312FEE97DD560BAE49B2" + } + } + root_certificate = { + name = "Verizon-Global-Root-CA" + public_cert_data = < Date: Mon, 19 Jul 2021 02:14:19 +0000 Subject: [PATCH 043/102] Fix pre-existing network watcher #527 --- .../202-nsg-flow-logs-v2/configuration.tfvars | 117 ++++ .../diagnostics_definitions.tfvars | 61 +++ .../diagnostics_destinations.tfvars | 52 ++ .../nsg_definitions.tfvars | 505 ++++++++++++++++++ .../network_security_group/nsg_flow_logs.tf | 1 + .../network_security_group/variables.tf | 4 + modules/networking/network_watcher/output.tf | 6 + modules/networking/virtual_network/module.tf | 1 + .../nsg/flow_logs/flow_logs.tf | 24 +- .../nsg/flow_logs/variables.tf | 4 + .../virtual_network/nsg/nsg_flow_logs.tf | 1 + network_security_groups.tf | 1 + networking.tf | 6 +- 13 files changed, 772 insertions(+), 11 deletions(-) create mode 100644 examples/networking/virtual_network/202-nsg-flow-logs-v2/configuration.tfvars create mode 100644 examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_definitions.tfvars create mode 100644 examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_destinations.tfvars create mode 100644 examples/networking/virtual_network/202-nsg-flow-logs-v2/nsg_definitions.tfvars 
diff --git a/examples/networking/virtual_network/202-nsg-flow-logs-v2/configuration.tfvars b/examples/networking/virtual_network/202-nsg-flow-logs-v2/configuration.tfvars new file mode 100644 index 0000000000..f7803e7683 --- /dev/null +++ b/examples/networking/virtual_network/202-nsg-flow-logs-v2/configuration.tfvars 
@@ -0,0 +1,117 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + region2 = "westus" + } +} + +resource_groups = { + vnet_hub_re1 = { + name = "vnet-hub-re1" + region = "region1" + } +} + +vnets = { + hub_re1 = { + resource_group_key = "vnet_hub_re1" + region = "region1" + vnet = { + name = "hub-re1" + address_space = ["100.64.92.0/22"] + } + specialsubnets = { + GatewaySubnet = { + name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = ["100.64.92.0/27"] + } + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet + cidr = ["100.64.93.0/26"] + } + } + subnets = { + AzureBastionSubnet = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = ["100.64.93.64/26"] + nsg_key = "azure_bastion_nsg" + } + jumpbox = { + name = "jumpbox" + cidr = ["100.64.94.0/27"] + nsg_key = "jumpbox" + } + private_endpoints = { + name = "private_endpoints" + cidr = ["100.64.95.128/25"] + enforce_private_link_endpoint_network_policies = true + nsg_key = "empty_nsg" + } + } + + # you can setup up to 5 keys - vnet diganostic + diagnostic_profiles = { + central_logs_region1 = { + definition_key = "networking_all" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + + } +} + +public_ip_addresses = { + + bastion_host_rg1 = { + name = "bastion-rg1-pip1" + region = "region1" + resource_group_key = "vnet_hub_re1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + + # you can setup up to 5 key + diagnostic_profiles = { + central_logs_region1 = { + definition_key = "public_ip_address" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + } + +} + + +bastion_hosts = { + bastion_hub_re1 = { + name = "bastion-rg1" + region = "region1" + resource_group_key = "vnet_hub_re1" + vnet_key = "hub_re1" + subnet_key = "AzureBastionSubnet" + public_ip_key = 
"bastion_host_rg1" + + # you can setup up to 5 profiles + diagnostic_profiles = { + central_logs_region1 = { + definition_key = "bastion_host" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + } + +} + + +network_watchers = { + network_watcher_1 = { + name = "nwwatcher_eastus" + resource_group_key = "vnet_hub_re1" + region = "region1" + } +} \ No newline at end of file diff --git a/examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_definitions.tfvars b/examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_definitions.tfvars new file mode 100644 index 0000000000..abf9c32133 --- /dev/null +++ b/examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_definitions.tfvars 
@@ -0,0 +1,61 @@ +# +# Define the settings for the diagnostics settings +# Demonstrate how to log diagnostics in the correct region +# Different profiles to target different operational teams +# +diagnostics_definition = { + network_security_group = { + name = "operational_logs_and_metrics" + categories = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["NetworkSecurityGroupEvent", true, false, 14], + ["NetworkSecurityGroupRuleCounter", true, false, 14], + ] + } + } + + networking_all = { + name = "operational_logs_and_metrics" + categories = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, false, 7], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, false, 7], + ] + } + + } + bastion_host = { + name = "operational_logs_and_metrics" + categories = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["BastionAuditLogs", true, false, 7], + ] + metric = [ + ["AllMetrics", true, true, 7], + ] + } + + } + + public_ip_address = { + name = "operational_logs_and_metrics" + categories = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 7], + ["DDoSMitigationFlowLogs", true, true, 7], + ["DDoSMitigationReports", true, true, 7], + ] + metric = [ + ["AllMetrics", true, true, 7], + ] + } + } + +} diff --git a/examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_destinations.tfvars b/examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_destinations.tfvars new file mode 100644 index 0000000000..f53e9801ee --- /dev/null 
+++ b/examples/networking/virtual_network/202-nsg-flow-logs-v2/diagnostics_destinations.tfvars @@ -0,0 +1,52 @@ +## resources deployment +diagnostic_log_analytics = { + central_logs_region1 = { + region = "region1" + name = "logs" + resource_group_key = "vnet_hub_re1" + + } +} + +diagnostic_storage_accounts = { + # Stores diagnostic logging for region1 + diaglogs_region1 = { + name = "diaglogsre1" + region = "region1" + resource_group_key = "vnet_hub_re1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + access_tier = "Hot" + } + diaglogs_region2 = { + name = "diaglogsre2" + region = "region2" + resource_group_key = "vnet_hub_re1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + access_tier = "Hot" + } +} + +## destinations definition +diagnostics_destinations = { + log_analytics = { + central_logs = { + log_analytics_key = "central_logs_region1" + log_analytics_destination_type = "Dedicated" + } + } + + storage = { + all_regions = { + southeastasia = { + storage_account_key = "diaglogs_region1" + } + eastasia = { + storage_account_key = "diaglogs_region2" + } + } + } +} \ No newline at end of file diff --git a/examples/networking/virtual_network/202-nsg-flow-logs-v2/nsg_definitions.tfvars b/examples/networking/virtual_network/202-nsg-flow-logs-v2/nsg_definitions.tfvars new file mode 100644 index 0000000000..76b07f6eea --- /dev/null +++ b/examples/networking/virtual_network/202-nsg-flow-logs-v2/nsg_definitions.tfvars 
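Review bot: The `storage.all_regions` destination is keyed by `southeastasia` and `eastasia`, but `global_settings.regions` in this example's `configuration.tfvars` maps `region1`/`region2` to `eastus`/`westus`, and both diagnostic storage accounts are placed in those regions. If the storage destination is resolved by the resource's region name, as the per-region map shape suggests (the lookup itself is outside this hunk), every NSG in the example that sets `storage_account_destination = "all_regions"` will fail to find a storage account and the flow logs this example is meant to demonstrate will not be written. The keys should match the deployed regions: `eastus = { storage_account_key = "diaglogs_region1" }` and `westus = { storage_account_key = "diaglogs_region2" }`.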
@@ -0,0 +1,505 @@ + +# +# Definition of the networking security groups +# +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = { + version = 1 + resource_group_key = "vnet_hub_re1" + name = "empty_nsg" + + flow_logs = { + version = 2 + enabled = true + storage_account = { + storage_account_destination = "all_regions" + retention = { + enabled = true + days = 30 + } + } + traffic_analytics = { + enabled = true + log_analytics_workspace_destination = "central_logs" + interval_in_minutes = "10" + } + } + diagnostic_profiles = { + nsg = { + definition_key = "network_security_group" + destination_type = "storage" + destination_key = "all_regions" + } + operations = { + name = "operations" + definition_key = "network_security_group" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + nsg = [] + } + + azure_bastion_nsg = { + version = 1 + resource_group_key = "vnet_hub_re1" + name = "azure_bastion_nsg" + + # flow_logs block is optionnal + # flow_logs = { + # version = 2 + # enabled = true + # storage_account = { + # storage_account_destination = "all_regions" + # retention = { + # enabled = true + # days = 30 + # } + # } + # # traffic_analytics = { + # # enabled = false + # # log_analytics_workspace_destination = "central_logs" + # # interval_in_minutes = "10" + # # } + # } + + diagnostic_profiles = { + nsg = { + definition_key = "network_security_group" + destination_type = "storage" + destination_key = "all_regions" + } + operations = { + name = "operations" + definition_key = "network_security_group" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + + nsg = [ + { + name = "bastion-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "bastion-control-in-allow-443", + 
priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "135" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "Kerberos-password-change", + priority = "121" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "4443" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "bastion-vnet-out-allow-22", + priority = "103" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-vnet-out-allow-3389", + priority = "101" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-azure-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + } + ] + } + + application_gateway = { + version = 1 + resource_group_key = "vnet_hub_re1" + name = "application_gateway" + + diagnostic_profiles = { + nsg = { + definition_key = "network_security_group" + destination_type = "storage" + destination_key = "all_regions" + } + operations = { + name = "operations" + definition_key = "network_security_group" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + + flow_logs = { + version = 2 + enabled = true + storage_account = { + storage_account_destination = "all_regions" + retention = { + enabled = true + days = 30 + } + } + # traffic_analytics = { + # enabled = true + # log_analytics_workspace_destination = "central_logs" + # 
interval_in_minutes = "10" + # } + } + + nsg = [ + { + name = "Inbound-HTTP", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "80-82" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Inbound-HTTPs", + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Inbound-AGW", + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "65200-65535" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + ] + } + + api_management = { + version = 1 + resource_group_key = "vnet_hub_re1" + name = "api_management" + + diagnostic_profiles = { + nsg = { + definition_key = "network_security_group" + destination_type = "storage" + destination_key = "all_regions" + } + operations = { + name = "operations" + definition_key = "network_security_group" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + flow_logs = { + version = 2 + enabled = true + storage_account = { + storage_account_destination = "all_regions" + retention = { + enabled = true + days = 30 + } + } + traffic_analytics = { + enabled = true + log_analytics_workspace_destination = "central_logs" + interval_in_minutes = "10" + } + } + + nsg = [ + { + name = "Inbound-APIM", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "3443" + source_address_prefix = "ApiManagement" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Inbound-Redis", + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "6381-6383" + source_address_prefix = "VirtualNetwork" + 
destination_address_prefix = "VirtualNetwork" + }, + { + name = "Inbound-LoadBalancer", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "AzureLoadBalancer" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Outbound-StorageHttp", + priority = "100" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + }, + { + name = "Outbound-StorageHttps", + priority = "110" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + }, + { + name = "Outbound-AADHttp", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureActiveDirectory" + }, + { + name = "Outbound-AADHttps", + priority = "130" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureActiveDirectory" + }, + { + name = "Outbound-SQL", + priority = "140" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "1433" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "SQL" + }, + { + name = "Outbound-EventHub", + priority = "150" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "5671-5672" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "EventHub" + }, + { + name = "Outbound-EventHubHttps", + priority = "160" + 
direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "EventHub" + }, + { + name = "Outbound-FileShareGit", + priority = "170" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "445" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + }, + { + name = "Outbound-Health", + priority = "180" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "1886" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-Monitor", + priority = "190" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureMonitor" + }, + { + name = "Outbound-MoSMTP1itor", + priority = "200" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "25" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-SMTP2", + priority = "210" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "587" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-SMTP3", + priority = "220" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "25028" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "INTERNET" + }, + { + name = "Outbound-Redis", + priority = "230" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "6381-6383" + 
source_address_prefix = "VirtualNetwork" + destination_address_prefix = "VirtualNetwork" + }, + ] + } + + jumpbox = { + version = 1 + resource_group_key = "vnet_hub_re1" + name = "jumpbox" + + flow_logs = { + version = 2 + enabled = true + + network_watcher_key = "network_watcher_1" + lz_key = "lz_key" #Put the Landing Zone Key here. + + storage_account = { + storage_account_destination = "all_regions" + retention = { + enabled = true + days = 30 + } + } + traffic_analytics = { + enabled = true + log_analytics_workspace_destination = "central_logs" + interval_in_minutes = "10" + } + } + + diagnostic_profiles = { + nsg = { + definition_key = "network_security_group" + destination_type = "storage" + destination_key = "all_regions" + } + operations = { + name = "operations" + definition_key = "network_security_group" + destination_type = "log_analytics" + destination_key = "central_logs" + } + } + + nsg = [ + { + name = "ssh-inbound-22", + priority = "200" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + ] + } + +} diff --git a/modules/networking/network_security_group/nsg_flow_logs.tf b/modules/networking/network_security_group/nsg_flow_logs.tf index aaba40f192..74b0646942 100755 --- a/modules/networking/network_security_group/nsg_flow_logs.tf +++ b/modules/networking/network_security_group/nsg_flow_logs.tf @@ -8,4 +8,5 @@ module "nsg_flows" { diagnostics = var.diagnostics settings = var.settings.flow_logs network_watchers = var.network_watchers + client_config = var.client_config } diff --git a/modules/networking/network_security_group/variables.tf b/modules/networking/network_security_group/variables.tf index acbec5ee84..b7347addf7 100755 --- a/modules/networking/network_security_group/variables.tf +++ b/modules/networking/network_security_group/variables.tf 
@@ -28,4 +28,8 @@ variable "base_tags" { variable "network_watchers" { description = "Optional - Network Watches Object" default = {} +} + +variable "client_config" { + description = "client_config object (see module README.md)" } \ No newline at end of file diff --git a/modules/networking/network_watcher/output.tf b/modules/networking/network_watcher/output.tf index ac150f40bf..fb23734d90 100644 --- a/modules/networking/network_watcher/output.tf +++ b/modules/networking/network_watcher/output.tf @@ -1,3 +1,9 @@ output "id" { value = azurerm_network_watcher.netwatcher.id } +output "name" { + value = azurerm_network_watcher.netwatcher.name +} +output "resource_group_name" { + value = var.resource_group_name +} \ No newline at end of file diff --git a/modules/networking/virtual_network/module.tf b/modules/networking/virtual_network/module.tf index 7945fd670e..734dcffea4 100644 --- a/modules/networking/virtual_network/module.tf +++ b/modules/networking/virtual_network/module.tf @@ -71,6 +71,7 @@ module "nsg" { network_security_group_definition = var.network_security_group_definition resource_group = var.resource_group_name subnets = var.settings.subnets + network_watchers = var.network_watchers tags = local.tags virtual_network_name = azurerm_virtual_network.vnet.name } diff --git a/modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf b/modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf index 876595ecaa..40a9557766 100644 --- a/modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf +++ b/modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf 
@@ -1,14 +1,20 @@ - resource "azurerm_network_watcher_flow_log" "flow" { count = try(var.settings, {}) == {} ? 0 : 1 - - network_watcher_name = try(var.network_watchers[var.settings.network_watcher_key].name, format("NetworkWatcher_%s", var.resource_location)) - resource_group_name = try(var.network_watchers[var.settings.network_watcher_rg_key].resource_group_name, "NetworkWatcherRG") - version = try(var.settings.version, 2) - + + + network_watcher_name = try( + var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].name, + format("NetworkWatcher_%s", var.resource_location) + ) + + resource_group_name = try( + var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].resource_group_name, + "NetworkWatcherRG" + ) + + version = try(var.settings.version, 2) network_security_group_id = var.resource_id storage_account_id = try(var.diagnostics.storage_accounts[var.diagnostics.diagnostics_destinations.storage[var.settings.storage_account.storage_account_destination][var.resource_location].storage_account_key].id) - enabled = try(var.settings.enabled, false) retention_policy { @@ -18,7 +24,6 @@ resource "azurerm_network_watcher_flow_log" "flow" { dynamic "traffic_analytics" { for_each = try(var.settings.traffic_analytics, {}) != {} ? [1] : [] - content { enabled = var.settings.traffic_analytics.enabled interval_in_minutes = try(var.settings.interval_in_minutes, null) @@ -27,5 +32,4 @@ resource "azurerm_network_watcher_flow_log" "flow" { workspace_resource_id = var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].id } } -} - +} \ No newline at end of file diff --git a/modules/networking/virtual_network/nsg/flow_logs/variables.tf b/modules/networking/virtual_network/nsg/flow_logs/variables.tf index ce99a97167..704ac135d1 100755 
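Review bot: The new `try()` wrappers around `network_watcher_name` and `resource_group_name` fall back to `format("NetworkWatcher_%s", var.resource_location)` / `"NetworkWatcherRG"` whenever the nested `var.network_watchers[...][var.settings.network_watcher_key]` lookup fails, so a mistyped `lz_key` or `network_watcher_key` is masked and the flow log is silently attached to the subscription default watcher instead of the one the caller configured. Since the caller's intent is visible in the settings, key the fallback on whether a key was supplied rather than on lookup failure, e.g. `network_watcher_name = try(var.settings.network_watcher_key, null) == null ? format("NetworkWatcher_%s", var.resource_location) : var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].name`, and the same shape for `resource_group_name`. Not introduced here but visible in the second hunk's context: `interval_in_minutes = try(var.settings.interval_in_minutes, null)` reads the key at the settings root while the example tfvars in this patch nest it under `traffic_analytics`, so it appears to always resolve to null.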
--- a/modules/networking/virtual_network/nsg/flow_logs/variables.tf +++ b/modules/networking/virtual_network/nsg/flow_logs/variables.tf @@ -7,6 +7,10 @@ variable "resource_location" { description = "(Required) location of the resource" } +variable "client_config" { + description = "client_config object (see module README.md)" +} + variable "diagnostics" { description = "(Required) Contains the diagnostics setting object." } diff --git a/modules/networking/virtual_network/nsg/nsg_flow_logs.tf b/modules/networking/virtual_network/nsg/nsg_flow_logs.tf index a2a6c1672e..fb125fbfe0 100755 --- a/modules/networking/virtual_network/nsg/nsg_flow_logs.tf +++ b/modules/networking/virtual_network/nsg/nsg_flow_logs.tf @@ -6,6 +6,7 @@ module "nsg_flows" { if try(var.network_security_group_definition[subnet.nsg_key].flow_logs, null) != null && try(var.network_security_group_definition[subnet.nsg_key].version, 0) == 0 } + client_config = var.client_config resource_id = try(var.network_security_groups[each.value.nsg_key], null) == null ? azurerm_network_security_group.nsg_obj[each.key].id : var.network_security_groups[each.value.nsg_key].id resource_location = var.location diagnostics = var.diagnostics diff --git a/network_security_groups.tf b/network_security_groups.tf index 5dd9522844..7d54ebc5df 100755 --- a/network_security_groups.tf +++ b/network_security_groups.tf @@ -12,6 +12,7 @@ module "network_security_groups" { location = lookup(each.value, "region", null) == null ? local.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region] resource_group_name = local.resource_groups[each.value.resource_group_key].name settings = each.value + client_config = local.client_config // Module to support the NSG creation outside of the a subnet // version = 1 of NSG can be attached to a nic or a subnet diff --git a/networking.tf b/networking.tf index 62559cac09..4a4527e329 100755 --- a/networking.tf +++ b/networking.tf 
@@ -6,7 +6,10 @@ output "vnets" { output "public_ip_addresses" { value = module.public_ip_addresses +} +output "network_watchers" { + value = module.network_watchers } @@ -17,6 +20,7 @@ output "public_ip_addresses" { # module "networking" { + depends_on = [module.network_watchers] source = "./modules/networking/virtual_network" for_each = local.networking.vnets @@ -27,7 +31,7 @@ module "networking" { global_settings = local.global_settings network_security_groups = module.network_security_groups network_security_group_definition = local.networking.network_security_group_definition - network_watchers = try(local.combined_objects_network_watchers, null) + network_watchers = local.combined_objects_network_watchers route_tables = module.route_tables settings = each.value tags = try(each.value.tags, null) From 91203392712d9de5aa79e7d468236ceaa6b2eba3 Mon Sep 17 00:00:00 2001 From: Scott Date: Mon, 19 Jul 2021 15:10:10 +1000 Subject: [PATCH 044/102] example formatting and data changes --- .../101-private-public/application.tfvars | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/app_gateway/101-private-public/application.tfvars b/examples/app_gateway/101-private-public/application.tfvars index 6d1015490a..377a0d5169 100644 --- a/examples/app_gateway/101-private-public/application.tfvars +++ b/examples/app_gateway/101-private-public/application.tfvars @@ -72,7 +72,7 @@ application_gateway_applications = { rewrite_rule_sets = { rule_set_1 = { - name = "headers-response-processing" + name = "header-rules" rewrite_rules = { rule_1 = { name = "server-header-remove" @@ -87,8 +87,8 @@ application_gateway_applications = { #} response_header_configurations = { server_header = { - header_name = "Server" - header_value = "" # Use blank value to remove header + header_name = "Server" + header_value = "" # Use blank value to remove header } } # url = { 
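Review bot: `depends_on = [module.network_watchers]` at module level makes every resource and data source under `module.networking` (and its nested NSG and flow-log modules) wait for all network watchers, which typically turns their data-source reads into "known after apply" on every plan. The flow-log lookups already reference `local.combined_objects_network_watchers`, which is built from `module.network_watchers` and passed in on the `network_watchers` argument below, so the dependency appears to exist implicitly; if the explicit `depends_on` is still needed for a case the references do not cover, a comment such as `# depends_on: <reason the implicit reference via network_watchers is insufficient>` would stop the next reader from removing it. Dropping the `try(..., null)` wrapper on `network_watchers` is fine as long as `combined_objects_network_watchers` is always declared, which this change now assumes.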
@@ -111,8 +111,8 @@ application_gateway_applications = { #} response_header_configurations = { hsts_header = { - header_name = "Strict-Transport-Security" - header_value = "max-age=31536000" + header_name = "Strict-Transport-Security" + header_value = "max-age=31536000" } } # url = { @@ -135,8 +135,8 @@ application_gateway_applications = { #} request_header_configurations = { foo_header = { - header_name = "foo" - header_value = "123456" + header_name = "foo" + header_value = "123456" } } # url = { From 906f211399bd0bbad8ede91ded0db31fa02c3869 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Mon, 19 Jul 2021 07:10:46 +0000 Subject: [PATCH 045/102] Add an example for AKS cluster with User Assigned Identity --- .../105-cluster-usermsi/aks.tfvars | 83 ++++++++ .../105-cluster-usermsi/diagnostics.tfvars | 7 + .../105-cluster-usermsi/networking.tfvars | 190 ++++++++++++++++++ 3 files changed, 280 insertions(+) create mode 100644 examples/compute/kubernetes_services/105-cluster-usermsi/aks.tfvars create mode 100644 examples/compute/kubernetes_services/105-cluster-usermsi/diagnostics.tfvars create mode 100644 examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars diff --git a/examples/compute/kubernetes_services/105-cluster-usermsi/aks.tfvars b/examples/compute/kubernetes_services/105-cluster-usermsi/aks.tfvars new file mode 100644 index 0000000000..b70947dbd6 --- /dev/null +++ b/examples/compute/kubernetes_services/105-cluster-usermsi/aks.tfvars 
@@ -0,0 +1,83 @@
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "southeastasia"
+ }
+}
+
+resource_groups = {
+ aks_re1 = {
+ name = "aks-re1"
+ region = "region1"
+ }
+}
+
+managed_identities = {
+ aks_usermsi = {
+ name = "aks-useraccess"
+ resource_group_key = "aks_re1"
+ }
+}
+
+aks_clusters = {
+ cluster_re1 = {
+ name = "akscluster-re1-001"
+ resource_group_key = "aks_re1"
+ os_type = "Linux"
+
+ identity = {
+ type = "UserAssigned"
+ managed_identity_key = "aks_usermsi"
+ }
+
+ vnet_key = "spoke_aks_re1"
+
+ network_profile = {
+ network_plugin = "azure"
+ load_balancer_sku = "Standard"
+ }
+
+ # enable_rbac = true
+ role_based_access_control = {
+ enabled = true
+ azure_active_directory = {
+ managed = true
+ }
+ }
+
+ addon_profile = {
+ oms_agent = {
+ enabled = true
+ log_analytics_key = "central_logs_region1"
+ }
+ }
+ # admin_groups = {
+ # # ids = []
+ # # azuread_groups = {
+ # # keys = []
+ # # }
+ # }
+
+ load_balancer_profile = {
+ # Only one option can be set
+ managed_outbound_ip_count = 1
+ }
+
+ default_node_pool = {
+ name = "sharedsvc"
+ vm_size = "Standard_F4s_v2"
+ subnet_key = "aks_nodepool_system"
+ enabled_auto_scaling = false
+ enable_node_public_ip = false
+ max_pods = 30
+ node_count = 1
+ os_disk_size_gb = 512
+ tags = {
+ "project" = "system services"
+ }
+ }
+
+ node_resource_group_name = "aks-nodes-re1"
+
+ }
+}
\ No newline at end of file
diff --git a/examples/compute/kubernetes_services/105-cluster-usermsi/diagnostics.tfvars b/examples/compute/kubernetes_services/105-cluster-usermsi/diagnostics.tfvars
new file mode 100644
index 0000000000..6cef8d8694
--- /dev/null
+++ b/examples/compute/kubernetes_services/105-cluster-usermsi/diagnostics.tfvars
@@ -0,0 +1,7 @@
+diagnostic_log_analytics = {
+ central_logs_region1 = {
+ region = "region1"
+ name = "logs"
+ resource_group_key = "aks_re1"
+ }
+}
\ No newline at end of file
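Review bot: The cluster uses a `UserAssigned` identity (`aks_usermsi`) with a bring-your-own vnet (`vnet_key = "spoke_aks_re1"`), but none of the three files in this commit grants that identity a role on the vnet; with Azure CNI the control-plane identity needs `Network Contributor` (ideally scoped to the subnet or vnet rather than the resource group) to manage the load balancer and subnet, so unless the AKS module performs the assignment, apply is likely to fail or the cluster will be unable to provision its load balancer. Consider adding the role assignment to the example, or a comment stating that the module performs it. `role_based_access_control.azure_active_directory.managed = true` with `admin_groups` left commented means no AAD group is granted cluster-admin, leaving administration to the local admin credentials; if that is intentional for the example, a comment saying so would help. `enabled_auto_scaling = false` does not match the azurerm attribute name `enable_auto_scaling`; if the module reads the latter, this key is silently ignored — worth checking.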
diff --git a/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars b/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars new file mode 100644 index 0000000000..04a9ceba6a --- /dev/null +++ b/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars 
@@ -0,0 +1,190 @@ +vnets = { + spoke_aks_re1 = { + resource_group_key = "aks_re1" + region = "region1" + vnet = { + name = "aks" + address_space = ["100.64.48.0/22"] + } + specialsubnets = {} + subnets = { + aks_nodepool_system = { + name = "aks_nodepool_system" + cidr = ["100.64.48.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + aks_nodepool_user1 = { + name = "aks_nodepool_user1" + cidr = ["100.64.49.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + aks_nodepool_user2 = { + name = "aks_nodepool_user2" + cidr = ["100.64.50.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + AzureBastionSubnet = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = ["100.64.51.64/27"] + nsg_key = "azure_bastion_nsg" + } + private_endpoints = { + name = "private_endpoints" + cidr = ["100.64.51.0/27"] + enforce_private_link_endpoint_network_policies = true + } + jumpbox = { + name = "jumpbox" + cidr = ["100.64.51.128/27"] + nsg_key = "azure_bastion_nsg" + } + } + + } +} + +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = {} + azure_kubernetes_cluster_nsg = { + nsg = [ + { + name = "aks-http-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-https-in-allow", + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-api-out-allow-1194", + priority = "100" + direction = "Outbound" + access = "Allow" + protocol = "udp" + source_port_range = "*" + destination_port_range = "1194" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + }, + { + name = "aks-api-out-allow-9000", + priority = "110" + direction = 
"Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "9000" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + }, + { + name = "aks-ntp-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "udp" + source_port_range = "*" + destination_port_range = "123" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-https-out-allow-443", + priority = "130" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + ] + } + azure_bastion_nsg = { + + nsg = [ + { + name = "bastion-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "bastion-control-in-allow-443", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "135" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "Kerberos-password-change", + priority = "121" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "4443" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "bastion-vnet-out-allow-22", + priority = "103" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-vnet-out-allow-3389", + priority = "101" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "*" + 
destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-azure-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + } + ] + } +} \ No newline at end of file From 3257320507bc2ff7a582051ab988771c1a8438fc Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Mon, 19 Jul 2021 20:35:30 -0400 Subject: [PATCH 046/102] ** Cognitive Services with required variables ** --- cognitive_service.tf | 10 ++++++ .../configuration.tfvars | 31 +++++++++++++++++++ examples/cognitive_service/main.tf | 2 ++ examples/module.tf | 5 +++ examples/variables.tf | 3 ++ locals.combined_objects.tf | 1 + locals.tf | 4 +++ .../cognitive_service_account.tf | 20 ++++++++++++ .../cognitive_service_account/main.tf | 7 +++++ .../cognitive_service_account/variables.tf | 17 ++++++++++ variables.tf | 5 +++ 11 files changed, 105 insertions(+) create mode 100644 cognitive_service.tf create mode 100644 examples/cognitive_service/100-cognitive-service-account/configuration.tfvars create mode 100644 examples/cognitive_service/main.tf create mode 100644 modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf create mode 100644 modules/cognitive_service/cognitive_service_account/main.tf create mode 100644 modules/cognitive_service/cognitive_service_account/variables.tf diff --git a/cognitive_service.tf b/cognitive_service.tf new file mode 100644 index 0000000000..6c098960f5 --- /dev/null +++ b/cognitive_service.tf 
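Review bot: The `jumpbox` subnet is given `nsg_key = "azure_bastion_nsg"`, whose `bastion-in-allow` rule admits TCP 443 from `*` to `*`, so a jumpbox VM in `100.64.51.128/27` becomes reachable on 443 from any source; the jumpbox subnet should get its own NSG that only admits traffic originating from the bastion subnet (`100.64.51.64/27`). In `azure_bastion_nsg`, `bastion-control-in-allow-443` sets `destination_port_range = "135"`, which contradicts its own name — Azure Bastion's control-plane rule from `GatewayManager` is on 443, so this looks like a typo for `destination_port_range = "443"`. The `private_endpoints` subnet has no `nsg_key` and therefore falls through to `empty_nsg`; if that is intended, state it in a comment next to the subnet.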
@@ -0,0 +1,10 @@
+module "cognitive_service_account" {
+ source = "./modules/cognitive_service/cognitive_service_account"
+ for_each = local.cognitive_service.cognitive_service_account
+
+ client_config = local.client_config
+ global_settings = local.global_settings
+ resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+ location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region]
+ settings = each.value
+}
\ No newline at end of file
diff --git a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars b/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars
new file mode 100644
index 0000000000..6b408d6f7f
--- /dev/null
+++ b/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars
@@ -0,0 +1,31 @@
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "southeastasia"
+ }
+ random_length = 5
+}
+
+resource_groups = {
+ test = {
+ name = "test"
+ }
+}
+
+cognitive_service_account = {
+ test_account = {
+ resource_group = {
+ # accepts either id or key to get resource group id
+ # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1"
+ # lz_key = "examples"
+ key = "test"
+ }
+ name = "example"
+ kind = "Academic"
+ sku_name = "S0"
+ tags = {
+ env = "test"
+ }
+ }
+}
+
diff --git a/examples/cognitive_service/main.tf b/examples/cognitive_service/main.tf
new file mode 100644
index 0000000000..b3c3234b5e
--- /dev/null
+++ b/examples/cognitive_service/main.tf
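Review bot: The example's `resource_group` block says it "accepts either id or key", but the module call resolves the group only through `try(each.value.resource_group.key, each.value.resource_group_key)` against `local.combined_objects_resource_groups`; a caller who follows the comment and supplies `id` instead of `key` makes both `try()` chains fail with an index error rather than using the id. Either drop the `# id = ...` line from `configuration.tfvars` or add a branch in `cognitive_service.tf` that passes name and location through when `resource_group.id` is set. The `resource_group_name` and `location` lines also repeat the same two-level lookup; a `locals` entry holding the resolved resource group object would keep them in sync.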
@@ -0,0 +1,2 @@ +# This is an empty file for Terraform registry visibility. +# For examples on how to consume the CAF module, please refer to https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples \ No newline at end of file diff --git a/examples/module.tf b/examples/module.tf index 14e46c12d5..6de5396906 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -70,6 +70,11 @@ module "example" { # synapseAnalyticsResourceId = var.synapseAnalyticsResourceId # vmImageAliasDoc = var.vmImageAliasDoc # } + + cognitive_service = { + cognitive_service_account = var.cognitive_service_account + } + compute = { aks_clusters = var.aks_clusters availability_sets = var.availability_sets diff --git a/examples/variables.tf b/examples/variables.tf index 5c4da7e73e..4d5555944b 100755 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -551,4 +551,7 @@ variable "storage_account_queues" { } variable "storage_account_blobs" { default = {} +} +variable "cognitive_service_account" { + default = {} } \ No newline at end of file diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index a9aca6f793..2e2da9051c 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -17,6 +17,7 @@ locals { combined_objects_azuread_groups = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_groups }), try(var.remote_objects.azuread_groups, {})) combined_objects_azuread_users = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_users }), try(var.remote_objects.azuread_users, {})) combined_objects_azurerm_firewalls = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewalls }), try(var.remote_objects.azurerm_firewalls, {})) + combined_objects_cognitive_service_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_service_account }), try(var.remote_objects.cognitive_service_account, {})) combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), try(var.remote_objects.consumption_budgets_resource_groups, {})) combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), try(var.remote_objects.consumption_budgets_subscriptions, {})) combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {})) diff --git a/locals.tf b/locals.tf index 5a5be65c4a..a78f38e81b 100755 --- a/locals.tf +++ b/locals.tf @@ -179,6 +179,10 @@ locals { logic_app_workflow = try(var.logic_app.logic_app_workflow, {}) } + cognitive_service = { + cognitive_service_account = try(var.cognitive_service.cognitive_service_account, {}) + } + networking = { application_gateway_applications = try(var.networking.application_gateway_applications, {}) application_gateway_waf_policies = try(var.networking.application_gateway_waf_policies, {}) 
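Review bot: The new local is named `combined_objects_cognitive_service_accounts` (plural) while it merges `module.cognitive_service_account` and `var.remote_objects.cognitive_service_account` (singular); every neighbouring line uses a single name in all three positions, and a remote landing zone that publishes the plural key would never be merged. Suggest `combined_objects_cognitive_service_account = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_service_account }), try(var.remote_objects.cognitive_service_account, {}))`. The commit's diffstat also adds no `output` for the new module, so remote landing zones have nothing to feed into `remote_objects` yet; worth noting in the commit message or adding alongside.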
diff --git a/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf b/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf
new file mode 100644
index 0000000000..0743086b63
--- /dev/null
+++ b/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf
@@ -0,0 +1,20 @@
+resource "azurecaf_name" "service" {
+ name = var.settings.name
+ prefixes = var.global_settings.prefixes
+ resource_type = "azurerm_consumption_budget_resource_group"
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurerm_cognitive_account" "service" {
+ name = azurecaf_name.service.result
+ location = var.location
+ resource_group_name = var.resource_group_name
+ kind = var.settings.kind
+
+ sku_name = var.settings.sku_name
+
+ tags = var.settings.tags
+}
\ No newline at end of file
diff --git a/modules/cognitive_service/cognitive_service_account/main.tf b/modules/cognitive_service/cognitive_service_account/main.tf
new file mode 100644
index 0000000000..b34ed51903
--- /dev/null
+++ b/modules/cognitive_service/cognitive_service_account/main.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/cognitive_service/cognitive_service_account/variables.tf b/modules/cognitive_service/cognitive_service_account/variables.tf
new file mode 100644
index 0000000000..58ad5a65ba
--- /dev/null
+++ b/modules/cognitive_service/cognitive_service_account/variables.tf
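Review bot: `resource_type = "azurerm_consumption_budget_resource_group"` on the `azurecaf_name` for a cognitive account looks copy-pasted from the consumption budget module; the generated name will follow that resource type's slug, length and character rules rather than the cognitive account's, and may be rejected by the API or produce misleading names. Use the azurecaf resource type for cognitive accounts (`azurerm_cognitive_account`, if the azurecaf version this module resolves to provides it). `main.tf` pins only `source = "aztfmod/azurecaf"` with no `version` constraint, so the naming behaviour can change under a provider upgrade; adding a constraint consistent with the other modules would make the generated names stable.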
@@ -0,0 +1,17 @@ +variable "global_settings" { + description = "Global settings object (see module README.md)" +} +variable "client_config" { + description = "Client configuration object (see module README.md)." +} +variable "location" { + description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." + type = string +} + +variable "resource_group_name" { + description = "Name of the existing resource group to deploy the virtual machine" +} + +variable "settings" {} + diff --git a/variables.tf b/variables.tf index 6d8d9bed71..64620048aa 100755 --- a/variables.tf +++ b/variables.tf @@ -354,3 +354,8 @@ variable "random_strings" { description = "Configuration object - Random string generator resources" default = {} } + +variable "cognitive_service" { + description = "onfiguration object - Cognitive Service Resource " + default = {} +} \ No newline at end of file From 4711a4fcddda97713bb8ad61947c8eaac8a34669 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Tue, 20 Jul 2021 09:00:49 +0000 Subject: [PATCH 047/102] Fix the resource group keys and unused lz_keys in the kubernetes multi-clusters examples --- .../compute/kubernetes_services/103-multi-clusters/aks.tfvars | 2 -- .../kubernetes_services/103-multi-clusters/networking.tfvars | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/examples/compute/kubernetes_services/103-multi-clusters/aks.tfvars b/examples/compute/kubernetes_services/103-multi-clusters/aks.tfvars index 73ee1f8877..db79f5b947 100644 --- a/examples/compute/kubernetes_services/103-multi-clusters/aks.tfvars +++ b/examples/compute/kubernetes_services/103-multi-clusters/aks.tfvars @@ -10,7 +10,6 @@ aks_clusters = { # kubernetes_version = "1.19.6" - lz_key = "networking_spoke_aks" vnet_key = "spoke_aks_re1" @@ -68,7 +67,6 @@ aks_clusters = { type = "SystemAssigned" } - lz_key = "networking_spoke_aks" vnet_key = "spoke_aks_re2" network_policy = { 
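Review bot: In the module's `variables.tf`, the `resource_group_name` description "Name of the existing resource group to deploy the virtual machine" is copied from a VM module; this module creates a cognitive services account, so `description = "(Required) Name of the existing resource group in which the cognitive services account is created."`. `variable "settings" {}` carries no description even though the module reads `name`, `kind`, `sku_name` and `tags` from it; a one-line description listing those keys would document the contract. In the root `variables.tf` hunk on the same line, `description = "onfiguration object - Cognitive Service Resource "` is missing its leading letter and has a trailing space: `description = "Configuration object - Cognitive Service Resources"`.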
diff --git a/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars b/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars index ad86bf542c..ddbceb2518 100644 --- a/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars +++ b/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars @@ -1,6 +1,6 @@ vnets = { spoke_aks_re1 = { - resource_group_key = "aks_spoke_re1" + resource_group_key = "aks_re1" region = "region1" vnet = { name = "aks-re1" @@ -43,7 +43,7 @@ vnets = { } spoke_aks_re2 = { - resource_group_key = "aks_spoke_re2" + resource_group_key = "aks_re2" region = "region2" vnet = { name = "aks-re2" From 30481fbb9dfed4140ea9a37ec5b7d2811878129d Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Tue, 20 Jul 2021 09:14:34 +0000 Subject: [PATCH 048/102] - Add the missing storage account diagnostics and resource group - Remove unused vnet and peering - Fix the incorrect/unused landing zone keys --- .../104-private-cluster/acr.tfvars | 5 +- .../104-private-cluster/aks.tfvars | 3 +- .../104-private-cluster/configuration.tfvars | 2 +- .../104-private-cluster/diagnostics.tfvars | 12 +++ .../104-private-cluster/networking.tfvars | 79 +------------------ .../104-private-cluster/vm.tfvars | 1 - 6 files changed, 17 insertions(+), 85 deletions(-) diff --git a/examples/compute/kubernetes_services/104-private-cluster/acr.tfvars b/examples/compute/kubernetes_services/104-private-cluster/acr.tfvars index 5476c61e58..6ea4189439 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/acr.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/acr.tfvars @@ -1,7 +1,7 @@ azure_container_registries = { acr1 = { name = "acr-test" - resource_group_key = "aks1_re1" + resource_group_key = "aks_re1" sku = "Premium" diagnostic_profiles = { operations = { 
@@ -17,9 +17,8 @@ azure_container_registries = { # Require enforce_private_link_endpoint_network_policies set to true on the subnet spoke_aks_re1-aks_nodepool_system = { name = "acr-test-private-link" - resource_group_key = "aks1_re1" + resource_group_key = "aks_re1" - lz_key = "networking_spoke_aks" vnet_key = "spoke_aks_re1" subnet_key = "private_endpoints" diff --git a/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars b/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars index fd1d6b79ec..9f29c0d8a1 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars @@ -1,7 +1,7 @@ aks_clusters = { cluster_re1 = { name = "akscluster-001" - resource_group_key = "aks1_re1" + resource_group_key = "aks_re1" os_type = "Linux" diagnostic_profiles = { @@ -16,7 +16,6 @@ aks_clusters = { type = "SystemAssigned" } - lz_key = "networking_spoke_aks" vnet_key = "spoke_aks_re1" network_policy = { diff --git a/examples/compute/kubernetes_services/104-private-cluster/configuration.tfvars b/examples/compute/kubernetes_services/104-private-cluster/configuration.tfvars index 10373881e9..b1ef87927c 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/configuration.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/configuration.tfvars @@ -8,7 +8,7 @@ global_settings = { resource_groups = { - aks1_re1 = { + aks_re1 = { name = "aks-re1" region = "region1" } diff --git a/examples/compute/kubernetes_services/104-private-cluster/diagnostics.tfvars b/examples/compute/kubernetes_services/104-private-cluster/diagnostics.tfvars index 6cef8d8694..656135ea4a 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/diagnostics.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/diagnostics.tfvars 
@@ -4,4 +4,16 @@ diagnostic_log_analytics = { name = "logs" resource_group_key = "aks_re1" } +} + +diagnostic_storage_accounts = { + # Stores boot diagnostic for region1 + bootdiag_region1 = { + name = "bootrg1" + resource_group_key = "aks_jumpbox_re1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + access_tier = "Cool" + } } \ No newline at end of file diff --git a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars index ad86bf542c..df04c22ae7 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars @@ -1,6 +1,6 @@ vnets = { spoke_aks_re1 = { - resource_group_key = "aks_spoke_re1" + resource_group_key = "aks_re1" region = "region1" vnet = { name = "aks-re1" @@ -42,48 +42,6 @@ vnets = { } - spoke_aks_re2 = { - resource_group_key = "aks_spoke_re2" - region = "region2" - vnet = { - name = "aks-re2" - address_space = ["100.65.48.0/22"] - } - specialsubnets = {} - subnets = { - aks_nodepool_system = { - name = "aks_nodepool_system" - cidr = ["100.65.48.0/24"] - nsg_key = "azure_kubernetes_cluster_nsg" - } - aks_nodepool_user1 = { - name = "aks_nodepool_user1" - cidr = ["100.65.49.0/24"] - nsg_key = "azure_kubernetes_cluster_nsg" - } - aks_nodepool_user2 = { - name = "aks_nodepool_user2" - cidr = ["100.65.50.0/24"] - nsg_key = "azure_kubernetes_cluster_nsg" - } - AzureBastionSubnet = { - name = "AzureBastionSubnet" #Must be called AzureBastionSubnet - cidr = ["100.65.51.64/27"] - nsg_key = "azure_bastion_nsg" - } - private_endpoints = { - name = "private_endpoints" - cidr = ["100.65.51.0/27"] - enforce_private_link_endpoint_network_policies = true - } - jumpbox = { - name = "jumpbox" - cidr = ["100.65.51.128/27"] - nsg_key = "azure_bastion_nsg" - } - } - - } } network_security_group_definition = { 
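Review bot: The new `bootdiag_region1` block references `resource_group_key = "aks_jumpbox_re1"`, while the only resource group this commit touches in configuration.tfvars is the `aks1_re1` → `aks_re1` rename and that file's diffstat shows no other addition, so unless `aks_jumpbox_re1` is already declared elsewhere in that file the example fails at the resource-group lookup. Either add that group to `resource_groups` or point the account at `aks_re1`. A header comment tying the key to its consumer would also help, e.g. `# Boot diagnostics for the jumpbox VM (referenced by boot_diagnostics_storage_account_key in vm.tfvars)` — assuming that is where it is consumed, which this commit's vm.tfvars hunk does not show.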
@@ -269,39 +227,4 @@ vnet_peerings = { use_remote_gateways = false } - # - # Peering Region2 - # - spoke_aks_re2_TO_hub_re2 = { - name = "spoke_aks_re2_TO_hub_re2" - from = { - vnet_key = "spoke_aks_re2" - } - to = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re2" - } - allow_virtual_network_access = true - allow_forwarded_traffic = false - allow_gateway_transit = false - use_remote_gateways = false - } - - hub_re2_TO_spoke_aks_re2 = { - name = "hub_re2_TO_spoke_aks_re2" - from = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re2" - } - to = { - vnet_key = "spoke_aks_re2" - } - allow_virtual_network_access = true - allow_forwarded_traffic = true - allow_gateway_transit = true - use_remote_gateways = false - } - } \ No newline at end of file diff --git a/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars b/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars index 1af8b02d77..57401bf931 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars @@ -16,7 +16,6 @@ virtual_machines = { nic0 = { # AKS rely on a remote network and need the details of the tfstate to connect (tfstate_key), assuming RBAC authorization. - lz_key = "networking_spoke_aks" vnet_key = "spoke_aks_re1" subnet_key = "jumpbox" name = "0" From dedfb4a2195a22b11e24f28bf26987f0cf4f4978 Mon Sep 17 00:00:00 2001 From: abdulrabbani00 Date: Tue, 20 Jul 2021 21:13:40 -0400 Subject: [PATCH 049/102] ** Include both required and optional parameters ** --- .../configuration.tfvars | 39 ++++++++++++++----- .../cognitive_service_account.tf | 18 +++++++-- 2 files changed, 45 insertions(+), 12 deletions(-) diff --git a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars b/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars index 6b408d6f7f..fba32365d3 100644 
--- a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars +++ b/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars @@ -1,31 +1,52 @@ global_settings = { default_region = "region1" regions = { - region1 = "southeastasia" + region1 = "westus" } - random_length = 5 + #random_length = 5 } resource_groups = { - test = { - name = "test" + test-rg = { + name = "rg-alz-caf-test-1" } } cognitive_service_account = { - test_account = { + test_account-1 = { resource_group = { # accepts either id or key to get resource group id # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" # lz_key = "examples" - key = "test" + key = "test-rg" } - name = "example" - kind = "Academic" - sku_name = "S0" + name = "cs-alz-caf-test-1" + kind = "ComputerVision" + sku_name = "F0" tags = { env = "test" } + custom_subdomain_name = "cs-alz-caf-test-1" + network_acls = { + default_action = "Allow" + ip_rules = ["10.10.10.0/16"] + } + } + test_account-2 = { + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + name = "cs-alz-caf-test-2" + kind = "QnAMaker" + sku_name = "F0" + tags = { + env = "test" + } + qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net" + } } diff --git a/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf b/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf index 0743086b63..0491b30030 100644 --- a/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf +++ b/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf 
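Review bot: In `test_account-1`, `network_acls` sets `default_action = "Allow"` together with `ip_rules`, which makes the rule list ineffective: the allow-list only restricts access when the default is `Deny`, so as written the account stays reachable from any address. If the intent is to demonstrate restriction, use `default_action = "Deny"`; `10.10.10.0/16` also has host bits set and should be written as `10.10.0.0/16` (or `10.10.10.0/24`) so the API does not reject or silently normalize it. Commenting out `random_length` while keeping fixed values for `name` and `custom_subdomain_name` (which must be unique across Azure) also makes the example prone to collisions between runs or tenants.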
@@ -1,7 +1,7 @@ resource "azurecaf_name" "service" { name = var.settings.name prefixes = var.global_settings.prefixes - resource_type = "azurerm_consumption_budget_resource_group" + resource_type = "azurerm_cognitive_account" random_length = var.global_settings.random_length clean_input = true passthrough = var.global_settings.passthrough @@ -13,8 +13,20 @@ resource "azurerm_cognitive_account" "service" { location = var.location resource_group_name = var.resource_group_name kind = var.settings.kind - sku_name = var.settings.sku_name - tags = var.settings.tags + qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) + + dynamic "network_acls" { + for_each = try(var.settings.network_acls, null) == null ? [] : [1] + content { + default_action = var.settings.network_acls.default_action + ip_rules = var.settings.network_acls.ip_rules + virtual_network_subnet_ids = var.settings.network_acls.virtual_network_subnet_ids + } + } + + custom_subdomain_name = try(var.settings.custom_subdomain_name, null) + + tags = try(var.settings.tags, {}) } \ No newline at end of file From 0e2fa412ea38c9b645d83ab8108e503ccb6244da Mon Sep 17 00:00:00 2001 From: abdulrabbani00 Date: Tue, 20 Jul 2021 21:18:30 -0400 Subject: [PATCH 050/102] Format code and add try for optional variables --- .../configuration.tfvars | 14 +++++------ .../cognitive_service_account.tf | 24 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars b/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars index fba32365d3..b6c66736a6 100644 --- a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars +++ b/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars 
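Review bot: As rendered, the second hunk removes `sku_name = var.settings.sku_name` and none of the added lines reinstates it, which matches the file's diffstat of 15 insertions and 3 deletions (the deletions being `resource_type`, `sku_name` and `tags`); `sku_name` is a required argument of `azurerm_cognitive_account`, so the module would fail validation. The next commit's hunk shows `sku_name` present on its old side, so this rendering may be lossy — worth confirming against the repository before merging. Independently, the `network_acls` content block reads `var.settings.network_acls.ip_rules` and `.virtual_network_subnet_ids` without `try`, so a caller that sets only `ip_rules` (as the example does) errors on the missing attribute.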
@@ -26,11 +26,11 @@ cognitive_service_account = { tags = { env = "test" } - custom_subdomain_name = "cs-alz-caf-test-1" - network_acls = { - default_action = "Allow" - ip_rules = ["10.10.10.0/16"] - } + custom_subdomain_name = "cs-alz-caf-test-1" + network_acls = { + default_action = "Allow" + ip_rules = ["10.10.10.0/16"] + } } test_account-2 = { resource_group = { @@ -45,8 +45,8 @@ cognitive_service_account = { tags = { env = "test" } - qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net" - + qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net" + } } diff --git a/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf b/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf index 0491b30030..28341d4244 100644 --- a/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf +++ b/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf 
@@ -13,20 +13,20 @@ resource "azurerm_cognitive_account" "service" { location = var.location resource_group_name = var.resource_group_name kind = var.settings.kind - sku_name = var.settings.sku_name + sku_name = var.settings.sku_name - qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) - - dynamic "network_acls" { - for_each = try(var.settings.network_acls, null) == null ? [] : [1] - content { - default_action = var.settings.network_acls.default_action - ip_rules = var.settings.network_acls.ip_rules - virtual_network_subnet_ids = var.settings.network_acls.virtual_network_subnet_ids - } - } + qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) - custom_subdomain_name = try(var.settings.custom_subdomain_name, null) + dynamic "network_acls" { + for_each = try(var.settings.network_acls, null) == null ? [] : [1] + content { + default_action = var.settings.network_acls.default_action + ip_rules = try(var.settings.network_acls.ip_rules, null) + virtual_network_subnet_ids = try(var.settings.network_acls.virtual_network_subnet_ids, null) + } + } + + custom_subdomain_name = try(var.settings.custom_subdomain_name, null) tags = try(var.settings.tags, {}) } \ No newline at end of file From 54d6c2043f75c03fea8447043327b08ade9b63a3 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Wed, 21 Jul 2021 05:45:01 +0000 Subject: [PATCH 051/102] Add support for remote lz for role_mapping scope --- roles.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/roles.tf b/roles.tf index 410b5bf582..6783967856 100755 --- a/roles.tf +++ b/roles.tf 
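Review bot: `qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null)` passes the attribute through in both branches; the only difference is that a `QnAMaker` account without the attribute fails with Terraform's generic "Unsupported attribute" error rather than a message naming the requirement. If a hard failure for QnAMaker is intended, say so on the line, e.g. `# QnAMaker requires qna_runtime_endpoint; other kinds may omit it`, or, if the pinned Terraform version allows, move the check into a `validation` block on the settings variable so the message is explicit. Otherwise collapse it to `qna_runtime_endpoint = try(var.settings.qna_runtime_endpoint, null)`. Leaving `default_action` without `try` is right, since the provider requires it whenever `network_acls` is set.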
@@ -16,10 +16,13 @@ module "custom_roles" { resource "azurerm_role_assignment" "for" { for_each = try(local.roles_to_process, {}) - scope = local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id + scope = coalesce( + try(local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id, null), + try(local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id, null) + ) role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null role_definition_id = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null - principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : try(local.services_roles[each.value.object_id_resource_type][each.value.lz_key][each.value.object_id_key_resource].rbac_id, local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id) + principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : try(local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id, local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id) lifecycle { ignore_changes = [ 
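Review bot: The new `coalesce(...)` for `scope` fails with Terraform's generic "no non-null arguments" error when neither lookup resolves, which will be the usual symptom of a typo in a scope key or an `lz_key` naming a landing zone whose state is not loaded, and the message does not say which mapping is at fault. Since role assignments are security-sensitive, the precedence deserves a comment, e.g. `# scope: the remote landing zone named by role_mapping.lz_key wins over the current one`. The `principal_id` line only renames `lz_key` to `object_id_lz_key` and keeps its silent `try(remote, local)` fallback, so a wrong object `lz_key` can still resolve to a same-named principal in the current landing zone without error; unlike `scope`, that fallback is worth a comment stating it is deliberate, if it is.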
@@ -119,17 +122,18 @@ locals { { # "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = { mode = key_mode # "mode" = "built_in_role_mapping" scope_resource_key = key + scope_lz_key = try(role_mapping.lz_key, null) scope_key_resource = scope_key_resource role_definition_name = role_definition_name object_id_resource_type = object_id_key object_id_key_resource = object_id_key_resource # "object_id_key_resource" = "aks_admins" - lz_key = try(object_resources.lz_key, null) - } - ] - ] + object_id_lz_key = try(object_resources.lz_key, null) + } + ] + ] if role_definition_name != "lz_key" ] ] - ] + ] ] ) : format("%s_%s_%s_%s", mapping.object_id_resource_type, mapping.scope_key_resource, replace(mapping.role_definition_name, " ", "_"), mapping.object_id_key_resource) => mapping } From 39c940cc2d228636d0988928268fd05ac02199d3 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Wed, 21 Jul 2021 06:01:21 +0000 Subject: [PATCH 052/102] Added example for remote role_mapping --- .github/workflows/standalone-scenarios.json | 1 + .../configuration.tfvars | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 examples/role_mapping/100-simple-role-mapping/configuration.tfvars diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index f70c0563b9..12442499b7 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -123,6 +123,7 @@ "redis_cache/100-redis-standard", "redis_cache/101-redis-diagnostics", "redis_cache/102-redis-private", + "role_mapping/100-simple-role-mapping", "storage_accounts/101-storage-account-with-protection", "storage_accounts/102-storage-account-advanced-options", "storage_accounts/103-storage-account-network-rules", diff --git a/examples/role_mapping/100-simple-role-mapping/configuration.tfvars b/examples/role_mapping/100-simple-role-mapping/configuration.tfvars new file mode 100644 index 0000000000..b6614a1e00 --- /dev/null 
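Review bot: The guard `if role_definition_name != "lz_key"` needs a comment, because the reason is only visible in the example configuration: `lz_key` sits in the same map as the role names (a sibling of `"Key Vault Secrets User"`), so without the filter it would be iterated as a role. Suggest `# lz_key is a reserved sibling of the role names (remote landing zone of the scope), not a role` above it; the same applies to `object_id_lz_key = try(object_resources.lz_key, null)`, where `lz_key` is a sibling of `keys`. The enclosing `locals` expression starts and ends outside this hunk.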
+++ b/examples/role_mapping/100-simple-role-mapping/configuration.tfvars @@ -0,0 +1,51 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + rg1 = { + name = "example-msi-kv-rg1" + } +} + +keyvaults = { + kv1 = { + name = "kv1examplemsi" + resource_group_key = "rg1" + sku_name = "premium" + soft_delete_enabled = true + enable_rbac_authorization = true + + # creation_policies = {} + # } + + } +} + +managed_identities = { + example_msi = { + name = "example-msi-kv-rolemap-msi" + resource_group_key = "rg1" + } +} + +role_mapping = { + built_in_role_mapping = { + keyvaults = { + kv1 = { + # lz_key = "" to be defined when the keyvault is created in a different lz + + "Key Vault Secrets User" = { + managed_identities = { + # lz_key = "" to be defined when the msi is created in a different lz + keys = ["example_msi"] + } + } + } + + } + } +} \ No newline at end of file From 3462f8dcb44e80d14aff9581d70d43b2432d1e8f Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Wed, 21 Jul 2021 07:16:07 +0000 Subject: [PATCH 053/102] Fix routes to handle null error --- networking.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/networking.tf b/networking.tf index 62559cac09..ad77cfa99d 100755 --- a/networking.tf +++ b/networking.tf 
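Review bot: `kv1` keeps a stray commented fragment `# creation_policies = {}` / `# }` whose closing brace matches nothing, which reads as a leftover and should be removed or turned into a real `creation_policies` example. `soft_delete_enabled = true` is a deprecated argument of `azurerm_key_vault` (soft delete is always on in current provider versions) and will surface as a deprecation warning in the standalone scenario run this commit registers. The two `# lz_key = ""` comments are useful; making them symmetric and explicit would help, e.g. `# lz_key = "<remote lz key>" when the keyvault is created in a different landing zone`.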
@@ -170,10 +170,10 @@ module "routes" { address_prefix = each.value.address_prefix next_hop_type = each.value.next_hop_type next_hop_in_ip_address = try(lower(each.value.next_hop_type), null) == "virtualappliance" ? try(each.value.next_hop_in_ip_address, null) : null - next_hop_in_ip_address_fw = try(lower(each.value.next_hop_type), null) == "virtualappliance" ? coalesce( + next_hop_in_ip_address_fw = try(lower(each.value.next_hop_type), null) == "virtualappliance" ? try(coalesce( try(local.combined_objects_azurerm_firewalls[try(each.value.private_ip_keys.azurerm_firewall.lz_key, local.client_config.landingzone_key)][each.value.private_ip_keys.azurerm_firewall.key].ip_configuration[each.value.private_ip_keys.azurerm_firewall.interface_index].private_ip_address, null), try(local.combined_objects_azurerm_firewalls[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.private_ip_keys.azurerm_firewall.key].ip_configuration[each.value.private_ip_keys.azurerm_firewall.interface_index].private_ip_address, null) - ) : null + ), null) : null } From 6449d51fb2512014c5d440b1a9acaf66ea38c8d4 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 07:40:24 +0000 Subject: [PATCH 054/102] style: terraform fmt --- networking_firewall_policy.tf | 2 +- networking_virtual_hub_connection.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/networking_firewall_policy.tf b/networking_firewall_policy.tf index a7b622b469..e58b1c59bd 100755 --- a/networking_firewall_policy.tf +++ b/networking_firewall_policy.tf 
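Review bot: Wrapping the `coalesce(...)` in `try(..., null)` fixes the case where the route supplies `next_hop_in_ip_address` directly and has no `private_ip_keys`, but it also masks a wrong `private_ip_keys.azurerm_firewall` key or `lz_key`: the route then gets no firewall address at all and the failure moves to the provider, which rejects a `VirtualAppliance` route without a next-hop IP — or, if the module falls back to `next_hop_in_ip_address`, the traffic is silently sent to whatever that holds. For a route meant to force traffic through the firewall, a lookup typo should be loud, so add a comment noting the trade-off, e.g. `# try() masks an unresolved firewall reference; the provider then rejects a VirtualAppliance route with no next hop IP`, or keep the `try` only around the keys that are legitimately optional. The `module "routes"` block starts outside this hunk.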
@@ -10,7 +10,7 @@ module "azurerm_firewall_policies" { settings = each.value tags = try(each.value.tags, null) - resource_group = coalesce( + resource_group = coalesce( try(local.combined_objects_resource_groups[each.value.lz_key][each.value.resource_group_key], null), try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key], null), try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key], null), diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf index c5b03465aa..f44e8b8036 100644 --- a/networking_virtual_hub_connection.tf +++ b/networking_virtual_hub_connection.tf @@ -61,8 +61,8 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" { for_each = try(routing.value.static_vnet_route, {}) content { - name = static_vnet_route.value.name - address_prefixes = static_vnet_route.value.address_prefixes + name = static_vnet_route.value.name + address_prefixes = static_vnet_route.value.address_prefixes next_hop_ip_address = coalesce( try(static_vnet_route.value.next_hop_ip_address, null), try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null), From 209bb3472b43b24c57ab8f8e53c6c92c492b95ed Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 07:40:32 +0000 Subject: [PATCH 055/102] feat: integrate vm as filter in consumption budget --- consumption_budgets.tf | 4 + .../consumption-budgets.tfvars | 46 ++++++ .../single-windows-vm.tfvars | 134 ++++++++++++++++++ 3 files changed, 184 insertions(+) create mode 100644 examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars create mode 100755 examples/consumption_budget/104-consumption-budget-subscription-vm/single-windows-vm.tfvars 
diff --git a/consumption_budgets.tf b/consumption_budgets.tf index 52cc4a165f..b8e39f6eb4 100644 --- a/consumption_budgets.tf +++ b/consumption_budgets.tf @@ -6,8 +6,10 @@ module "consumption_budgets_resource_groups" { } local_combined_resources = { + # Add combined objects that need to be included in the filter monitor_action_groups = local.combined_objects_monitor_action_groups, resource_groups = local.combined_objects_resource_groups, + virtual_machines = local.combined_objects_virtual_machines, } client_config = local.client_config global_settings = local.global_settings @@ -22,9 +24,11 @@ module "consumption_budgets_subscriptions" { } local_combined_resources = { + # Add combined objects that need to be included in the filter monitor_action_groups = local.combined_objects_monitor_action_groups, resource_groups = local.combined_objects_resource_groups, subscriptions = local.combined_objects_subscriptions, + virtual_machines = local.combined_objects_virtual_machines, } client_config = local.client_config global_settings = local.global_settings diff --git a/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars b/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars new file mode 100644 index 0000000000..08b8860a86 --- /dev/null +++ b/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars 
@@ -0,0 +1,46 @@ +consumption_budgets = { + test_budget = { + subscription = { + # id = "" + # lz_key = "" + # key = "" + } + name = "example" + amount = 1000 + time_grain = "Monthly" + time_period = { + # uncomment to customize start_date + # start_date = "2022-06-01T00:00:00Z" + } + notifications = { + default = { + enabled = true + threshold = 95.0 + operator = "EqualTo" + contact_emails = [ + "foo@example.com", + "bar@example.com", + ] + } + } + filter = { + dimensions = { + # explicit_name = { + # name = "ResourceGroupName" + # operator = "In" + # values = [ + # "example", + # ] + # }, + resource_key = { + # lz_key = "examples" + name = "resource_key" + resource = "virtual_machines" + values = [ + "example_vm1", + ] + } + } + } + } +} \ No newline at end of file diff --git a/examples/consumption_budget/104-consumption-budget-subscription-vm/single-windows-vm.tfvars b/examples/consumption_budget/104-consumption-budget-subscription-vm/single-windows-vm.tfvars new file mode 100755 index 0000000000..d3bac3ddc0 --- /dev/null +++ b/examples/consumption_budget/104-consumption-budget-subscription-vm/single-windows-vm.tfvars 
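Review bot: `operator = "EqualTo"` with `threshold = 95.0` only fires the notification when spend equals exactly 95% of the budget; a budget alert normally uses `GreaterThanOrEqualTo` so the first evaluation past the threshold triggers. The `filter.dimensions.resource_key` entry sets `name = "resource_key"` and `resource = "virtual_machines"`, which presumably the module maps onto Azure's `ResourceId` dimension via `local_combined_resources`; a comment on that entry saying so, and that `values` are landing-zone keys rather than Azure IDs, would save readers from comparing it with the commented `ResourceGroupName` example above. The `subscription = {}` block with all keys commented could likewise state that an empty block means the current subscription, if that is the module's behaviour.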
@@ -0,0 +1,134 @@ + +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + vm_region1 = { + name = "example-virtual-machine-rg1" + } +} + +# Virtual machines +virtual_machines = { + + # Configuration to deploy a bastion host linux virtual machine + example_vm1 = { + resource_group_key = "vm_region1" + provision_vm_agent = true + # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage + # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts + # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage + boot_diagnostics_storage_account_key = "bootdiag_region1" + + os_type = "windows" + + # the auto-generated ssh key in keyvault secret. Secret name being {VM name}-ssh-public and {VM name}-ssh-private + keyvault_key = "example_vm_rg1" + + # Define the number of networking cards to attach the virtual machine + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "vnet_region1" + subnet_key = "example" + name = "0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + public_ip_address_key = "example_vm_pip1_rg1" + } + } + + virtual_machine_settings = { + windows = { + name = "example_vm2" + size = "Standard_F2" + admin_username = "adminuser" + + # Spot VM to save money + priority = "Spot" + eviction_policy = "Deallocate" + + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic0"] + + os_disk = { + name = "example_vm1-os" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + + source_image_reference = { + publisher = "MicrosoftWindowsServer" + offer = "WindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + } + } + + } +} + + +diagnostic_storage_accounts = { + # Stores boot diagnostic for region1 + bootdiag_region1 = { + name = "bootrg1" + resource_group_key = "vm_region1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + access_tier = "Cool" + } +} + + + +keyvaults = { + example_vm_rg1 = { + name = "vmsecrets" + resource_group_key = "vm_region1" + sku_name = "standard" + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + } + } + } +} + + +vnets = { + vnet_region1 = { + resource_group_key = "vm_region1" + vnet = { + name = "virtual_machines" + address_space = ["10.100.100.0/24"] + } + specialsubnets = {} + subnets = { + example = { + name = "examples" + cidr = ["10.100.100.0/29"] + } + } + + } +} + +public_ip_addresses = { + example_vm_pip1_rg1 = { + name = "example_vm_pip1" + resource_group_key = "vm_region1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + + } +} \ No newline at end of file From 684f3907f92a105d33c2c2b9ecf0a0b3746e33f5 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 07:58:58 +0000 Subject: [PATCH 056/102] test: add consumption budget with windows vm --- .github/workflows/standalone-scenarios.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index f70c0563b9..42dbd2b52b 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
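Review bot: The VM keyed `example_vm1` is created with `name = "example_vm2"` while its OS disk is `example_vm1-os` and the budget filter in consumption-budgets.tfvars selects `example_vm1`; unless the mismatch is intended, change it to `name = "example_vm1"`. Several comments are copied from the Linux bastion example and no longer match `os_type = "windows"` — `# Configuration to deploy a bastion host linux virtual machine` and `# the auto-generated ssh key in keyvault secret ...` should describe a single Windows VM and whatever secret (presumably the generated admin password) the module stores under `keyvault_key`. The VM also gets a Standard public IP while subnet `example` declares no `nsg_key`, so whatever the VM listens on is reachable from the internet with no network filter; for a budget example the public IP could be dropped, or an NSG referenced as the AKS examples do.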
@@ -35,6 +35,7 @@ "consumption_budget/101-consumption-budget-subscription", "consumption_budget/102-consumption-budget-rg-alerts", "consumption_budget/103-consumption-budget-subscription-alerts", + "consumption_budget/104-consumption-budget-subscription-vm", "compute/virtual_machine_scale_set/100-linux-win-vmss-lb", "compute/virtual_machine_scale_set/101-linux-win-vmss-agw", "compute/windows_virtual_desktop/wvd_resources", From 39ddb3e9722c71bd1f2a6eecbfe89a35e999d704 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 09:02:55 +0000 Subject: [PATCH 057/102] feat: add support remote rg for managed identity --- managed_identities.tf | 11 ++++--- .../managed_identity/managed_identity.tf | 30 ++++++++++++++++--- .../security/managed_identity/variables.tf | 16 ++++------ 3 files changed, 36 insertions(+), 21 deletions(-) diff --git a/managed_identities.tf b/managed_identities.tf index 5458037131..bff4b1ec9a 100755 --- a/managed_identities.tf +++ b/managed_identities.tf @@ -3,12 +3,11 @@ module "managed_identities" { source = "./modules/security/managed_identity" for_each = var.managed_identities - name = each.value.name - resource_group_name = local.resource_groups[each.value.resource_group_key].name - location = local.resource_groups[each.value.resource_group_key].location - global_settings = local.global_settings - settings = each.value - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + client_config = local.client_config + global_settings = local.global_settings + name = each.value.name + resource_groups = local.combined_objects_resource_groups + settings = each.value } output "managed_identities" { diff --git a/modules/security/managed_identity/managed_identity.tf b/modules/security/managed_identity/managed_identity.tf index 8753bf0b45..928e0c926e 100644 --- a/modules/security/managed_identity/managed_identity.tf +++ b/modules/security/managed_identity/managed_identity.tf 
@@ -12,10 +12,32 @@ resource "azurecaf_name" "msi" { } resource "azurerm_user_assigned_identity" "msi" { - name = azurecaf_name.msi.result - resource_group_name = var.resource_group_name - location = var.location - tags = try(merge(var.base_tags, local.tags), {}) + name = azurecaf_name.msi.result + resource_group_name = coalesce( + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key].name, null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key].name, null), + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group_key].name, null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key].name, null), + ) + location = coalesce( + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key].location, null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key].location, null), + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group_key].location, null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key].location, null), + ) + tags = try( + merge( + try(var.global_settings.inherit_tags, false) ? + coalesce( + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key].tags, null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key].tags, null), + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group_key].tags, null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key].tags, null), + ) : {}, + local.tags + ), + {} + ) } resource "time_sleep" "propagate_to_azuread" { diff --git a/modules/security/managed_identity/variables.tf b/modules/security/managed_identity/variables.tf index eb58f700d7..535705f8f3 100755 
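Review bot: The four-way `coalesce(try(...))` lookup is repeated three times (for `resource_group_name`, `location` and `tags`), so a change in precedence or a new reference form must be made in three places, and the `tags` copy is nested inside `try(merge(... ? coalesce(...) : {}, local.tags), {})`, which swallows a failed lookup into `{}` instead of surfacing it. Resolve the resource group once in a local and read `.name`, `.location` and `.tags` from it; `coalesce` over the object values works here because they all come from the same `var.resource_groups` map, the same pattern the root module already uses for `resource_group` in networking_firewall_policy.tf. The precedence (explicit `resource_group.lz_key` + `resource_group.key`, then current landing zone, then the legacy `resource_group_key`) should be stated in a comment rather than left to the reader.
```hcl
locals {
  # Resource group resolution, in order of precedence:
  #   1. settings.resource_group.lz_key + settings.resource_group.key (remote landing zone)
  #   2. current landing zone            + settings.resource_group.key
  #   3./4. the same two forms with the legacy settings.resource_group_key
  resource_group = coalesce(
    try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key], null),
    try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key], null),
    try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group_key], null),
    try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key], null),
  )
}

resource "azurerm_user_assigned_identity" "msi" {
  name                = azurecaf_name.msi.result
  resource_group_name = local.resource_group.name
  location            = local.resource_group.location
  # Inherit the group's tags only when global_settings.inherit_tags is set; local.tags is defined elsewhere in the module
  tags = merge(
    try(var.global_settings.inherit_tags, false) ? try(local.resource_group.tags, {}) : {},
    local.tags
  )
}
```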
--- a/modules/security/managed_identity/variables.tf +++ b/modules/security/managed_identity/variables.tf @@ -1,20 +1,14 @@ -variable "resource_group_name" { - description = "(Required) The name of the resource group where to create the resource." - type = string -} -variable "location" { - description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." - type = string +variable "client_config" { + description = "Client configuration object" } variable "name" {} variable "global_settings" { description = "Global settings object (see module README.md)" } -variable "settings" {} -variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." - type = map(any) +variable "resource_groups" { + description = "Combined object of local and remote resource groups." } +variable "settings" {} variable "tags" { default = null } From a784ecd286af24bff4097711bb35b5393095e683 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 09:03:33 +0000 Subject: [PATCH 058/102] refactor: managed identity resource_group ref --- .../100-msi-levels/configuration.tfvars | 55 +++++++++++++++---- 1 file changed, 45 insertions(+), 10 deletions(-) diff --git a/examples/managed_service_identity/100-msi-levels/configuration.tfvars b/examples/managed_service_identity/100-msi-levels/configuration.tfvars index a5df3309a1..b8938ec5a6 100644 --- a/examples/managed_service_identity/100-msi-levels/configuration.tfvars +++ b/examples/managed_service_identity/100-msi-levels/configuration.tfvars 
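Review bot: The new `client_config` and `resource_groups` variables, like the existing `name` and `settings`, are declared without a `type`, so a caller passing the wrong shape only fails deep inside the `coalesce(try(...))` chains in managed_identity.tf with an unhelpful message; at minimum give `name` and `settings` a `description` as the others have, e.g. `description = "Managed identity settings: resource_group { lz_key, key } or legacy resource_group_key, plus tags"`. Dropping `resource_group_name`, `location` and `base_tags` is a breaking change for any external caller of this module that passed them explicitly, which deserves a line in the commit message or the module README.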
@@ -17,8 +17,15 @@ managed_identities = { level0 = { # Used by the release agent to access the level0 keyvault and storage account with the tfstates in read / write # Assign read access to level0 - name = "msi-level0" - resource_group_key = "msi_region1" + name = "msi-level0" + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "msi_region1" + } + # resource_group_key will be deprecated in the future + # resource_group_key = "msi_region1" tags = { level = "level0" } @@ -26,8 +33,15 @@ managed_identities = { level1 = { # Used by the release agent to access the level1 keyvault and storage account with the tfstates in read / write # Assign read access to level0 - name = "msi-level1" - resource_group_key = "msi_region1" + name = "msi-level1" + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "msi_region1" + } + # resource_group_key will be deprecated in the future + # resource_group_key = "msi_region1" tags = { level = "level1" } @@ -35,8 +49,15 @@ managed_identities = { level2 = { # Used by the release agent to access the level2 keyvault and storage account with the tfstates in read / write # Assign read access to level1 - name = "msi-level2" - resource_group_key = "msi_region1" + name = "msi-level2" + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "msi_region1" + } + # resource_group_key will be deprecated in the future + # resource_group_key = "msi_region1" tags = { level = "level2" } 
@@ -44,8 +65,15 @@ managed_identities = { level3 = { # Used by the release agent to access the level3 keyvault and storage account with the tfstates in read / write # Assign read access to level2 - name = "msi-level3" - resource_group_key = "msi_region1" + name = "msi-level3" + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "msi_region1" + } + # resource_group_key will be deprecated in the future + # resource_group_key = "msi_region1" tags = { level = "level3" } @@ -53,8 +81,15 @@ managed_identities = { level4 = { # Used by the release agent to access the level4 keyvault and storage account with the tfstates in read / write # Assign read access to level3 - name = "msi-level4" - resource_group_key = "msi_region1" + name = "msi-level4" + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "msi_region1" + } + # resource_group_key will be deprecated in the future + # resource_group_key = "msi_region1" tags = { level = "level4" } From 2221ffe63be21eccb1aa6479927560e955297f93 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 09:30:31 +0000 Subject: [PATCH 059/102] chore: remove id comment from resource_group obj --- .../100-msi-levels/configuration.tfvars | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/examples/managed_service_identity/100-msi-levels/configuration.tfvars b/examples/managed_service_identity/100-msi-levels/configuration.tfvars index b8938ec5a6..1ab2cc0d9e 100644 --- a/examples/managed_service_identity/100-msi-levels/configuration.tfvars +++ b/examples/managed_service_identity/100-msi-levels/configuration.tfvars 
@@ -19,8 +19,6 @@ managed_identities = { # Assign read access to level0 name = "msi-level0" resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" # lz_key = "examples" key = "msi_region1" } @@ -35,8 +33,6 @@ managed_identities = { # Assign read access to level0 name = "msi-level1" resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" # lz_key = "examples" key = "msi_region1" } @@ -51,8 +47,6 @@ managed_identities = { # Assign read access to level1 name = "msi-level2" resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" # lz_key = "examples" key = "msi_region1" } @@ -67,8 +61,6 @@ managed_identities = { # Assign read access to level2 name = "msi-level3" resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" # lz_key = "examples" key = "msi_region1" } @@ -83,8 +75,6 @@ managed_identities = { # Assign read access to level3 name = "msi-level4" resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" # lz_key = "examples" key = "msi_region1" } From c22f7721b75069de8a937cc5dea1020ea589057c Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 09:35:17 +0000 Subject: [PATCH 060/102] docs: add instructions to run msi example --- examples/managed_service_identity/README.md | 41 ++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/examples/managed_service_identity/README.md b/examples/managed_service_identity/README.md index 3dcb2c7e55..9c5094eaf7 100755 
--- a/examples/managed_service_identity/README.md +++ b/examples/managed_service_identity/README.md @@ -7,7 +7,46 @@ You can instantiate this directly using the following parameters: ```hcl module "caf" { source = "aztfmod/caf/azurerm" - version = "5.1.0" + version = "5.4.2" # insert the 7 required variables here } ``` + +## Example scenarios + +The following examples are available: + +| Scenario | Description | +| ------------------------------------------------------------ | ------------------------------------------------------------ | +| [100-msi-levels](./100-msi-levels) | Deploys 4 levels of managed service identities. | + +## Run this example + +You can run this example directly using Terraform or via rover: + +### With Terraform + +```bash +#Login to your Azure subscription +az login + +#Run the example +cd /tf/caf/examples + +terraform init + +terraform [plan | apply | destroy] \ + -var-file ./managed_service_identity/100-msi-levels/configuration.tfvars +``` + +### With rover + +To test this deployment in the example landingzone, make sure the launchpad has been deployed first, then run the following command: + +```bash +rover \ + -lz /tf/caf/examples \ + -var-folder /tf/caf/examples/managed_service_identity/100-msi-levels/ \ + -level level1 \ + -a [plan | apply | destroy] +``` \ No newline at end of file From dd28fa055f76e6a765fd6ee2fe9c83c1bd4a12a5 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 13:25:00 +0000 Subject: [PATCH 061/102] fix: change resource to resource_key for ref --- .../consumption-budgets.tfvars | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars b/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars index 08b8860a86..e00d12c46a 100644 --- a/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars 
+++ b/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars
@@ -34,8 +34,8 @@ consumption_budgets = {
 # },
 resource_key = {
 # lz_key = "examples"
- name = "resource_key"
- resource = "virtual_machines"
+ name = "resource_key"
+ resource_key = "virtual_machines"
 values = [
 "example_vm1",
 ]
From 9fb73ae8f5273330d814ee3459a111dbf6201437 Mon Sep 17 00:00:00 2001
From: GlennChia
Date: Wed, 21 Jul 2021 13:31:35 +0000
Subject: [PATCH 062/102] chore: remove commented block for rsrc grp
---
 .../consumption-budgets.tfvars | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars b/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars
index e00d12c46a..299efaa07a 100644
--- a/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars
+++ b/examples/consumption_budget/104-consumption-budget-subscription-vm/consumption-budgets.tfvars
@@ -25,13 +25,6 @@ consumption_budgets = {
 }
 filter = {
 dimensions = {
- # explicit_name = {
- # name = "ResourceGroupName"
- # operator = "In"
- # values = [
- # "example",
- # ]
- # },
 resource_key = {
 # lz_key = "examples"
 name = "resource_key"
From dbc4c2cbcf09bd07035c81b2dc375d73d39fd811 Mon Sep 17 00:00:00 2001
From: GlennChia
Date: Wed, 21 Jul 2021 13:54:59 +0000
Subject: [PATCH 063/102] docs: add scenario for consumption budget and vm
---
 examples/consumption_budget/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/consumption_budget/README.md b/examples/consumption_budget/README.md
index 2c000f0a01..794fe41526 100755
--- a/examples/consumption_budget/README.md
+++ b/examples/consumption_budget/README.md
@@ -22,6 +22,7 @@ The following examples are available:
 | [101-consumption-budget-subscription](./101-consumption-budget-subscription) | Simple example for consumption budget deployed at subscription scope. |
 | [102-consumption-budget-rg-alerts](./102-consumption-budget-rg-alerts) | Simple example for consumption budget deployed at resource group scope, integrated with action groups. |
 | [103-consumption-budget-subscription-alerts](./103-consumption-budget-subscription-alerts) | Simple example for consumption budget deployed at subscription scope, integrated with action groups. |
+| [104-consumption-budget-subscription-vm](./104-consumption-budget-subscription-vm) | Consumption budget deployed at subscription scope, integrated with Azure windows virtual machine. |
 ## Run this example
From 68c0ec5231ed99e830b8ab0bc1343861496453b6 Mon Sep 17 00:00:00 2001
From: GlennChia
Date: Wed, 21 Jul 2021 13:55:27 +0000
Subject: [PATCH 064/102] feat: integrate aks filter in consumption budget
---
 consumption_budgets.tf | 2 +
 .../aks.tfvars | 75 +++++++
 .../consumption-budgets.tfvars | 39 ++++
 .../diagnostics.tfvars | 7 +
 .../networking.tfvars | 190 ++++++++++++++++++
 5 files changed, 313 insertions(+)
 create mode 100644 examples/consumption_budget/105-consumption-budget-subscription-aks/aks.tfvars
 create mode 100644 examples/consumption_budget/105-consumption-budget-subscription-aks/consumption-budgets.tfvars
 create mode 100644 examples/consumption_budget/105-consumption-budget-subscription-aks/diagnostics.tfvars
 create mode 100644 examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars
diff --git a/consumption_budgets.tf b/consumption_budgets.tf
index b8e39f6eb4..54f519dc63 100644
--- a/consumption_budgets.tf
+++ b/consumption_budgets.tf
@@ -7,6 +7,7 @@ module "consumption_budgets_resource_groups" {
 local_combined_resources = {
 # Add combined objects that need to be included in the filter
+ aks = local.combined_objects_aks_clusters,
 monitor_action_groups = local.combined_objects_monitor_action_groups,
 resource_groups = local.combined_objects_resource_groups,
 virtual_machines = local.combined_objects_virtual_machines,
@@ -25,6 +26,7 @@ module "consumption_budgets_subscriptions" {
 local_combined_resources = {
 # Add combined objects that need to be included in the filter
+ aks = local.combined_objects_aks_clusters,
 monitor_action_groups = local.combined_objects_monitor_action_groups,
 resource_groups = local.combined_objects_resource_groups,
 subscriptions = local.combined_objects_subscriptions,
diff --git a/examples/consumption_budget/105-consumption-budget-subscription-aks/aks.tfvars b/examples/consumption_budget/105-consumption-budget-subscription-aks/aks.tfvars
new file mode 100644
index 0000000000..f15391be3d
--- /dev/null
+++ b/examples/consumption_budget/105-consumption-budget-subscription-aks/aks.tfvars
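Review bot: The new map key `aks` in both hunks breaks the naming pattern of its neighbours, which use the full object name (`monitor_action_groups`, `resource_groups`, `virtual_machines`) mirroring the `combined_objects_*` local they reference. `aks_clusters = local.combined_objects_aks_clusters,` would keep that pattern and match the `aks_clusters` tfvars block; if `aks` is kept on purpose, note that the example added in this same commit selects it with `resource_key = "aks"`, so the two must change together. The enclosing `local_combined_resources` maps and module blocks extend outside both hunks.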
@@ -0,0 +1,75 @@
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "southeastasia"
+ }
+}
+
+resource_groups = {
+ aks_re1 = {
+ name = "aks-re1"
+ region = "region1"
+ }
+}
+
+aks_clusters = {
+ cluster_re1 = {
+ name = "akscluster-re1-001"
+ resource_group_key = "aks_re1"
+ os_type = "Linux"
+
+ identity = {
+ type = "SystemAssigned"
+ }
+
+ vnet_key = "spoke_aks_re1"
+
+ network_profile = {
+ network_plugin = "azure"
+ load_balancer_sku = "Standard"
+ }
+
+ # enable_rbac = true
+ role_based_access_control = {
+ enabled = true
+ azure_active_directory = {
+ managed = true
+ }
+ }
+
+ addon_profile = {
+ oms_agent = {
+ enabled = true
+ log_analytics_key = "central_logs_region1"
+ }
+ }
+ # admin_groups = {
+ # # ids = []
+ # # azuread_groups = {
+ # # keys = []
+ # # }
+ # }
+
+ load_balancer_profile = {
+ # Only one option can be set
+ managed_outbound_ip_count = 1
+ }
+
+ default_node_pool = {
+ name = "sharedsvc"
+ vm_size = "Standard_F4s_v2"
+ subnet_key = "aks_nodepool_system"
+ enabled_auto_scaling = false
+ enable_node_public_ip = false
+ max_pods = 30
+ node_count = 1
+ os_disk_size_gb = 512
+ tags = {
+ "project" = "system services"
+ }
+ }
+
+ node_resource_group_name = "aks-nodes-re1"
+
+ }
+}
\ No newline at end of file
diff --git a/examples/consumption_budget/105-consumption-budget-subscription-aks/consumption-budgets.tfvars b/examples/consumption_budget/105-consumption-budget-subscription-aks/consumption-budgets.tfvars
new file mode 100644
index 0000000000..47a63ee21d
--- /dev/null
+++ b/examples/consumption_budget/105-consumption-budget-subscription-aks/consumption-budgets.tfvars
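Review bot: `# enable_rbac = true` and the fully commented `admin_groups` block are dead configuration in a brand-new example file; as written, `role_based_access_control.azure_active_directory.managed = true` is enabled while nothing in this file binds an AAD group to cluster administration. If that is deliberate for a budget-filter example, a one-line comment such as `# AAD integration enabled without admin groups on purpose: this example only exercises the budget filter` would stop the leftovers reading like a forgotten step; otherwise the `admin_groups` block should be populated rather than left commented. The cross-file references `vnet_key = "spoke_aks_re1"`, `subnet_key = "aks_nodepool_system"` and `log_analytics_key = "central_logs_region1"` are consistent with the networking and diagnostics tfvars added in the same commit.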
@@ -0,0 +1,39 @@
+consumption_budgets = {
+ test_budget = {
+ subscription = {
+ # id = ""
+ # lz_key = ""
+ # key = ""
+ }
+ name = "example"
+ amount = 1000
+ time_grain = "Monthly"
+ time_period = {
+ # uncomment to customize start_date
+ # start_date = "2022-06-01T00:00:00Z"
+ }
+ notifications = {
+ default = {
+ enabled = true
+ threshold = 95.0
+ operator = "EqualTo"
+ contact_emails = [
+ "foo@example.com",
+ "bar@example.com",
+ ]
+ }
+ }
+ filter = {
+ dimensions = {
+ resource_key = {
+ # lz_key = "examples"
+ name = "resource_key"
+ resource_key = "aks"
+ values = [
+ "cluster_re1",
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/examples/consumption_budget/105-consumption-budget-subscription-aks/diagnostics.tfvars b/examples/consumption_budget/105-consumption-budget-subscription-aks/diagnostics.tfvars
new file mode 100644
index 0000000000..6cef8d8694
--- /dev/null
+++ b/examples/consumption_budget/105-consumption-budget-subscription-aks/diagnostics.tfvars
@@ -0,0 +1,7 @@
+diagnostic_log_analytics = {
+ central_logs_region1 = {
+ region = "region1"
+ name = "logs"
+ resource_group_key = "aks_re1"
+ }
+}
\ No newline at end of file
diff --git a/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars b/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars
new file mode 100644
index 0000000000..04a9ceba6a
--- /dev/null
+++ b/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars
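Review bot: `operator = "EqualTo"` with `threshold = 95.0` sends the notification only when spend is exactly 95 % of `amount`, which is rarely what a budget alert is meant to do; `operator = "GreaterThanOrEqualTo"` is the operator that fires once the threshold is crossed, and if the exact-match behaviour is intentional a comment should say so. The `subscription` block has all three selectors (`id`, `lz_key`, `key`) commented out, so the reader cannot tell from this file which subscription the budget lands in; a short comment stating the fallback (presumably the current subscription) would help. `contact_emails` are `example.com` placeholders, fine for an example but worth a `# replace before use` marker.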
@@ -0,0 +1,190 @@ +vnets = { + spoke_aks_re1 = { + resource_group_key = "aks_re1" + region = "region1" + vnet = { + name = "aks" + address_space = ["100.64.48.0/22"] + } + specialsubnets = {} + subnets = { + aks_nodepool_system = { + name = "aks_nodepool_system" + cidr = ["100.64.48.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + aks_nodepool_user1 = { + name = "aks_nodepool_user1" + cidr = ["100.64.49.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + aks_nodepool_user2 = { + name = "aks_nodepool_user2" + cidr = ["100.64.50.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + AzureBastionSubnet = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = ["100.64.51.64/27"] + nsg_key = "azure_bastion_nsg" + } + private_endpoints = { + name = "private_endpoints" + cidr = ["100.64.51.0/27"] + enforce_private_link_endpoint_network_policies = true + } + jumpbox = { + name = "jumpbox" + cidr = ["100.64.51.128/27"] + nsg_key = "azure_bastion_nsg" + } + } + + } +} + +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = {} + azure_kubernetes_cluster_nsg = { + nsg = [ + { + name = "aks-http-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-https-in-allow", + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-api-out-allow-1194", + priority = "100" + direction = "Outbound" + access = "Allow" + protocol = "udp" + source_port_range = "*" + destination_port_range = "1194" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + }, + { + name = "aks-api-out-allow-9000", + priority = "110" + direction = 
"Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "9000" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + }, + { + name = "aks-ntp-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "udp" + source_port_range = "*" + destination_port_range = "123" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-https-out-allow-443", + priority = "130" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + ] + } + azure_bastion_nsg = { + + nsg = [ + { + name = "bastion-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "bastion-control-in-allow-443", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "135" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "Kerberos-password-change", + priority = "121" + direction = "Inbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "4443" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "bastion-vnet-out-allow-22", + priority = "103" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-vnet-out-allow-3389", + priority = "101" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "*" + 
destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-azure-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + } + ] + } +} \ No newline at end of file From c87d848ae82211fad9472f16f8c92122b436b3d4 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 13:56:04 +0000 Subject: [PATCH 065/102] docs: add scenario for consumption budget and aks --- examples/consumption_budget/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/consumption_budget/README.md b/examples/consumption_budget/README.md index 794fe41526..5878939494 100755 --- a/examples/consumption_budget/README.md +++ b/examples/consumption_budget/README.md @@ -23,6 +23,7 @@ The following examples are available: | [102-consumption-budget-rg-alerts](./102-consumption-budget-rg-alerts) | Simple example for consumption budget deployed at resource group scope, integrated with action groups. | | [103-consumption-budget-subscription-alerts](./103-consumption-budget-subscription-alerts) | Simple example for consumption budget deployed at subscription scope, integrated with action groups. | | [104-consumption-budget-subscription-vm](./104-consumption-budget-subscription-vm) | Consumption budget deployed at subscription scope, integrated with Azure windows virtual machine. | +| [105-consumption-budget-subscription-aks](./105-consumption-budget-subscription-vm) | Consumption budget deployed at subscription scope, integrated with Azure Kubernetes Service single cluster | ## Run this example From c68fff2b16129a367ccb13580635a3faf5d3727d Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 21 Jul 2021 14:10:19 +0000 Subject: [PATCH 066/102] test: add consumption budget with aks --- .github/workflows/standalone-scenarios.json | 1 + 1 file changed, 1 insertion(+) 
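Review bot: In `azure_bastion_nsg`, the rule named `bastion-control-in-allow-443` actually opens `destination_port_range = "135"`, and `Kerberos-password-change` opens 4443, so the names and the ports disagree and anyone auditing the NSG cannot trust either; the name implies `destination_port_range = "443"` from `GatewayManager`, so fix the port or rename the rule, and give `Kerberos-password-change` a name that says what it allows. The same NSG is attached to the `jumpbox` subnet as well (`nsg_key = "azure_bastion_nsg"`), so `bastion-in-allow` — 443 inbound from `*` — applies to the jumpbox too, and `aks-http-in-allow`/`aks-https-in-allow` admit 80 and 443 from `*` on every node-pool subnet; a comment stating that this breadth is intentional for the example would help, or tighten `source_address_prefix`. This commit's diffstat adds only aks, consumption-budgets, diagnostics and networking tfvars, so the `AzureBastionSubnet`, `jumpbox` and `private_endpoints` subnets and the whole `azure_bastion_nsg` look unused in this scenario and could be dropped to keep the example minimal.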
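Review bot: The new table row links `105-consumption-budget-subscription-aks` to `./105-consumption-budget-subscription-vm`, which does not match the directory added by the previous commit; the target should be `./105-consumption-budget-subscription-aks`. The description also lacks the terminating period the neighbouring rows have.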
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index 42dbd2b52b..b576cd04d0 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -36,6 +36,7 @@
 "consumption_budget/102-consumption-budget-rg-alerts",
 "consumption_budget/103-consumption-budget-subscription-alerts",
 "consumption_budget/104-consumption-budget-subscription-vm",
+ "consumption_budget/105-consumption-budget-subscription-aks",
 "compute/virtual_machine_scale_set/100-linux-win-vmss-lb",
 "compute/virtual_machine_scale_set/101-linux-win-vmss-agw",
 "compute/windows_virtual_desktop/wvd_resources",
From 78f338be5676612ff3f9570e367e73f6d17dd740 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Thu, 22 Jul 2021 03:29:31 +0000
Subject: [PATCH 067/102] Adding AKS 103 and 104 to CI after #594
---
 .github/workflows/standalone-scenarios.json | 2 +
 .../103-multi-clusters/networking.tfvars | 74 ------------------
 .../104-private-cluster/networking.tfvars | 39 ----------
 .../104-private-cluster/vm.tfvars | 1 -
 4 files changed, 2 insertions(+), 114 deletions(-)
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index c3f39403b0..eb2985af3d 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -24,6 +24,8 @@
 "compute/dedicated_hosts/102-dedicated-host-vms",
 "compute/kubernetes_services/101-single-cluster",
 "compute/kubernetes_services/102-multi-nodepools",
+ "compute/kubernetes_services/103-multi-clusters",
+ "compute/kubernetes_services/104-private-cluster",
 "compute/proximity_placement_group",
 "compute/virtual_machine/101-single-windows-vm",
 "compute/virtual_machine/102-single-vm-data-disks",
diff --git a/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars b/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars
index ddbceb2518..427a87de8a 100644
--- a/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars +++ b/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars @@ -231,77 +231,3 @@ network_security_group_definition = { ] } } - - -vnet_peerings = { - # - # Peering Region1 - # - spoke_aks_re1_TO_hub_re1 = { - name = "spoke_aks_re1_TO_hub_re1" - from = { - vnet_key = "spoke_aks_re1" - } - to = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re1" - } - allow_virtual_network_access = true - allow_forwarded_traffic = false - allow_gateway_transit = false - use_remote_gateways = false - } - - hub_re1_TO_spoke_aks_re1 = { - name = "hub_re1_TO_spoke_aks_re1" - from = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re1" - } - to = { - vnet_key = "spoke_aks_re1" - } - allow_virtual_network_access = true - allow_forwarded_traffic = true - allow_gateway_transit = true - use_remote_gateways = false - } - - # - # Peering Region2 - # - spoke_aks_re2_TO_hub_re2 = { - name = "spoke_aks_re2_TO_hub_re2" - from = { - vnet_key = "spoke_aks_re2" - } - to = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re2" - } - allow_virtual_network_access = true - allow_forwarded_traffic = false - allow_gateway_transit = false - use_remote_gateways = false - } - - hub_re2_TO_spoke_aks_re2 = { - name = "hub_re2_TO_spoke_aks_re2" - from = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re2" - } - to = { - vnet_key = "spoke_aks_re2" - } - allow_virtual_network_access = true - allow_forwarded_traffic = true - allow_gateway_transit = true - use_remote_gateways = false - } - -} \ No newline at end of file diff --git a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars index df04c22ae7..b64fc2d494 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars 
+++ b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars @@ -188,43 +188,4 @@ network_security_group_definition = { } ] } -} - - -vnet_peerings = { - # - # Peering Region1 - # - spoke_aks_re1_TO_hub_re1 = { - name = "spoke_aks_re1_TO_hub_re1" - from = { - vnet_key = "spoke_aks_re1" - } - to = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re1" - } - allow_virtual_network_access = true - allow_forwarded_traffic = false - allow_gateway_transit = false - use_remote_gateways = false - } - - hub_re1_TO_spoke_aks_re1 = { - name = "hub_re1_TO_spoke_aks_re1" - from = { - lz_key = "networking_hub" - output_key = "vnets" - vnet_key = "hub_re1" - } - to = { - vnet_key = "spoke_aks_re1" - } - allow_virtual_network_access = true - allow_forwarded_traffic = true - allow_gateway_transit = true - use_remote_gateways = false - } - } \ No newline at end of file diff --git a/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars b/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars index 57401bf931..0a08f1a3e5 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/vm.tfvars @@ -3,7 +3,6 @@ virtual_machines = { # Configuration to deploy a bastion host linux virtual machine bastion_host = { resource_group_key = "aks_jumpbox_re1" - boot_diagnostics_storage_account_key = "bootdiag_re1" provision_vm_agent = true os_type = "linux" From caab530f8c6b2caaf9a4ae10d27f8df7ed85e09f Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux
Date: Thu, 22 Jul 2021 04:38:40 +0000
Subject: [PATCH 068/102] Update to use plural and example in CI
---
 .devcontainer/docker-compose.yml | 2 +-
 .github/workflows/standalone-scenarios.json | 1 +
 cognitive_service.tf | 6 +++---
 .../configuration.tfvars | 14 +++++++-------
 .../main.tf | 0
 examples/module.tf | 4 ++--
 examples/variables.tf | 4 ++--
 locals.combined_objects.tf | 2 +-
 locals.tf | 4 ++--
 .../cognitive_service_account.tf | 0
 .../cognitive_services_account}/main.tf | 0
 .../cognitive_services_account}/variables.tf | 1 +
 networking_firewall_policy.tf | 2 +-
 networking_nat_gateways.tf | 18 +++++++++---------
 networking_virtual_hub_connection.tf | 4 ++--
 variables.tf | 4 ++--
 16 files changed, 34 insertions(+), 32 deletions(-)
 rename examples/{cognitive_service/100-cognitive-service-account => cognitive_services/100-cognitive-services-account}/configuration.tfvars (82%)
 rename examples/{cognitive_service => cognitive_services}/main.tf (100%)
 rename modules/{cognitive_service/cognitive_service_account => cognitive_services/cognitive_services_account}/cognitive_service_account.tf (100%)
 rename modules/{cognitive_service/cognitive_service_account => cognitive_services/cognitive_services_account}/main.tf (100%)
 rename modules/{cognitive_service/cognitive_service_account => cognitive_services/cognitive_services_account}/variables.tf (95%)
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index e0260c630c..f757ef3ccb 100755
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -6,7 +6,7 @@ version: '3.7'
 services:
 rover:
- image: aztfmod/rover:1.0.1-2106.3012
+ image: aztfmod/rover-preview:1.0.3-2107.220222
 user: vscode
 labels:
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index eb2985af3d..f608992e0f 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -14,6 +14,7 @@
 "azuread/100-azuread-application-with-sevice-principle-with-builtin-roles",
 "azuread/101-azuread-application-with-service-principle-with-custom-roles",
 "azuread/103-service-principal-only",
+ "cognitive_services/100-cognitive-services-account",
 "compute/availability_set/100-simple-availabilityset",
 "compute/availability_set/101-availabilityset-with-proximity-placement-group",
 "compute/container_groups/101-aci-rover",
diff --git a/cognitive_service.tf b/cognitive_service.tf
index 6c098960f5..64a8a02868 100644
--- a/cognitive_service.tf
+++ b/cognitive_service.tf
@@ -1,6 +1,6 @@
-module "cognitive_service_account" {
- source = "./modules/cognitive_service/cognitive_service_account"
- for_each = local.cognitive_service.cognitive_service_account
+module "cognitive_services_account" {
+ source = "./modules/cognitive_services/cognitive_services_account"
+ for_each = local.cognitive_services.cognitive_services_account
 client_config = local.client_config
 global_settings = local.global_settings
diff --git a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars b/examples/cognitive_services/100-cognitive-services-account/configuration.tfvars
similarity index 82%
rename from examples/cognitive_service/100-cognitive-service-account/configuration.tfvars
rename to examples/cognitive_services/100-cognitive-services-account/configuration.tfvars
index b6c66736a6..8a4fb6d01d 100644
--- a/examples/cognitive_service/100-cognitive-service-account/configuration.tfvars
+++ b/examples/cognitive_services/100-cognitive-services-account/configuration.tfvars
@@ -3,7 +3,7 @@ global_settings = {
 regions = {
 region1 = "westus"
 }
- #random_length = 5
+ random_length = 5
 }
 resource_groups = {
@@ -12,7 +12,7 @@ resource_groups = {
 }
 }
-cognitive_service_account = {
+cognitive_services_account = {
 test_account-1 = {
 resource_group = {
 # accepts either id or key to get resource group id
@@ -26,11 +26,11 @@ cognitive_service_account = {
 tags = {
 env = "test"
 }
- custom_subdomain_name = "cs-alz-caf-test-1"
- network_acls = {
- default_action = "Allow"
- ip_rules = ["10.10.10.0/16"]
- }
+ # custom_subdomain_name = "cs-alz-caf-test-1"
+ # network_acls = {
+ # default_action = "Allow"
+ # ip_rules = ["10.10.10.0/16"]
+ # }
 }
 test_account-2 = {
 resource_group = {
diff --git a/examples/cognitive_service/main.tf b/examples/cognitive_services/main.tf
similarity index 100%
rename from examples/cognitive_service/main.tf
rename to examples/cognitive_services/main.tf
diff --git a/examples/module.tf b/examples/module.tf
index b2f74eee35..3e88104bcd 100644
--- a/examples/module.tf
+++ b/examples/module.tf
@@ -71,8 +71,8 @@ module "example" {
 # vmImageAliasDoc = var.vmImageAliasDoc
 # }
- cognitive_service = {
- cognitive_service_account = var.cognitive_service_account
+ cognitive_services = {
+ cognitive_services_account = var.cognitive_services_account
 }
 compute = {
diff --git a/examples/variables.tf b/examples/variables.tf
index 8ca9bf6188..204e0f9c99 100755
--- a/examples/variables.tf
+++ b/examples/variables.tf
@@ -553,8 +553,8 @@ variable "storage_account_blobs" {
 default = {}
 }
 variable "nat_gateways" {
- default = {}
+ default = {}
 }
-variable "cognitive_service_account" {
+variable "cognitive_services_account" {
 default = {}
 }
\ No newline at end of file
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
index 0b1e2a19ff..5996231955 100644
--- a/locals.combined_objects.tf
+++ b/locals.combined_objects.tf
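Review bot: Commenting out `custom_subdomain_name` and `network_acls` turns `test_account-1` into an account with no network restriction at all, and neither the hunk nor the commit subject ("Update to use plural and example in CI") says why; a comment above the block explaining the reason would stop the next reader re-enabling it blindly or, worse, assuming the module no longer supports it. Note also that the disabled block paired `default_action = "Allow"` with `ip_rules`, which allow-lists nothing; when it is restored, `default_action = "Deny"` is what makes the `ip_rules` entry meaningful. The enclosing `test_account-1` object starts outside the hunk.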
@@ -17,7 +17,7 @@ locals { combined_objects_azuread_groups = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_groups }), try(var.remote_objects.azuread_groups, {})) combined_objects_azuread_users = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_users }), try(var.remote_objects.azuread_users, {})) combined_objects_azurerm_firewalls = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewalls }), try(var.remote_objects.azurerm_firewalls, {})) - combined_objects_cognitive_service_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_service_account }), try(var.remote_objects.cognitive_service_account, {})) + combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), try(var.remote_objects.cognitive_services_account, {})) combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), try(var.remote_objects.consumption_budgets_resource_groups, {})) combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), try(var.remote_objects.consumption_budgets_subscriptions, {})) combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {})) diff --git a/locals.tf b/locals.tf index 209f078951..71fc628cfe 100755 --- a/locals.tf +++ b/locals.tf @@ -179,8 +179,8 @@ locals { logic_app_workflow = try(var.logic_app.logic_app_workflow, {}) } - cognitive_service = { - cognitive_service_account = try(var.cognitive_service.cognitive_service_account, {}) + cognitive_services = { + cognitive_services_account = try(var.cognitive_services.cognitive_services_account, {}) } networking = { 
diff --git a/modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf similarity index 100% rename from modules/cognitive_service/cognitive_service_account/cognitive_service_account.tf rename to modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf diff --git a/modules/cognitive_service/cognitive_service_account/main.tf b/modules/cognitive_services/cognitive_services_account/main.tf similarity index 100% rename from modules/cognitive_service/cognitive_service_account/main.tf rename to modules/cognitive_services/cognitive_services_account/main.tf diff --git a/modules/cognitive_service/cognitive_service_account/variables.tf b/modules/cognitive_services/cognitive_services_account/variables.tf similarity index 95% rename from modules/cognitive_service/cognitive_service_account/variables.tf rename to modules/cognitive_services/cognitive_services_account/variables.tf index 58ad5a65ba..6a1d64e03b 100644 --- a/modules/cognitive_service/cognitive_service_account/variables.tf +++ b/modules/cognitive_services/cognitive_services_account/variables.tf @@ -11,6 +11,7 @@ variable "location" { variable "resource_group_name" { description = "Name of the existing resource group to deploy the virtual machine" + type = string } variable "settings" {} diff --git a/networking_firewall_policy.tf b/networking_firewall_policy.tf index a7b622b469..e58b1c59bd 100755 --- a/networking_firewall_policy.tf +++ b/networking_firewall_policy.tf 
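Review bot: The `resource_group_name` description in the variables.tf hunk still says "to deploy the virtual machine", a copy-paste leftover in a cognitive services module; the hunk only adds `type = string` underneath it. Suggest `description = "Name of the existing resource group in which the cognitive services account is deployed"`. Adding `type = string` is a good tightening; `location` and `settings` in the same file remain untyped, though only `settings` is visible in this hunk.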
@@ -10,7 +10,7 @@ module "azurerm_firewall_policies" { settings = each.value tags = try(each.value.tags, null) - resource_group = coalesce( + resource_group = coalesce( try(local.combined_objects_resource_groups[each.value.lz_key][each.value.resource_group_key], null), try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key], null), try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key], null), diff --git a/networking_nat_gateways.tf b/networking_nat_gateways.tf index 39c5994311..fdcbd8fad0 100644 --- a/networking_nat_gateways.tf +++ b/networking_nat_gateways.tf 
@@ -13,13 +13,13 @@ module "nat_gateways" { source = "./modules/networking/nat_gateways" for_each = try(local.networking.nat_gateways, {}) - settings = each.value - name = try(each.value.name, null) - location = try(local.global_settings.regions[each.value.region], local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location) - resource_group_name = local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].name - subnet_id = try(local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][try(each.value.vnet.vnet_key, each.value.vnet_key)].subnets[try(each.value.vnet.subnet_key, each.value.subnet_key)].id, null) - public_ip_address_id = try(local.combined_objects_public_ip_addresses[try(each.value.public_ip.lz_key, local.client_config.landingzone_key)][try(each.value.public_ip.public_ip_key, each.value.public_ip_key)].id, null) - idle_timeout_in_minutes = try(each.value.idle_timeout_in_minutes, null) - tags = try(each.value.tags, null) - base_tags = try(local.global_settings.inherit_tags, false) ? 
local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].tags : {} + settings = each.value + name = try(each.value.name, null) + location = try(local.global_settings.regions[each.value.region], local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location) + resource_group_name = local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].name + subnet_id = try(local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][try(each.value.vnet.vnet_key, each.value.vnet_key)].subnets[try(each.value.vnet.subnet_key, each.value.subnet_key)].id, null) + public_ip_address_id = try(local.combined_objects_public_ip_addresses[try(each.value.public_ip.lz_key, local.client_config.landingzone_key)][try(each.value.public_ip.public_ip_key, each.value.public_ip_key)].id, null) + idle_timeout_in_minutes = try(each.value.idle_timeout_in_minutes, null) + tags = try(each.value.tags, null) + base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].tags : {} } diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf index 25b8599b7b..e62d03f8bd 100644 --- a/networking_virtual_hub_connection.tf +++ b/networking_virtual_hub_connection.tf 
@@ -61,8 +61,8 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" { for_each = try(routing.value.static_vnet_route, {}) content { - name = static_vnet_route.value.name - address_prefixes = static_vnet_route.value.address_prefixes + name = static_vnet_route.value.name + address_prefixes = static_vnet_route.value.address_prefixes next_hop_ip_address = coalesce( try(static_vnet_route.value.next_hop_ip_address, null), try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null), diff --git a/variables.tf b/variables.tf index 64620048aa..4e7f5f9204 100755 --- a/variables.tf +++ b/variables.tf @@ -355,7 +355,7 @@ variable "random_strings" { default = {} } -variable "cognitive_service" { - description = "onfiguration object - Cognitive Service Resource " +variable "cognitive_services" { + description = "Configuration object - Cognitive Service Resource " default = {} } \ No newline at end of file From a6903bf1999b2112ba05c1a3870fa5720c9b0974 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 22 Jul 2021 04:44:45 +0000 Subject: [PATCH 069/102] Adding outputs --- cognitive_service.tf | 6 +++++- .../cognitive_services_account/output.tf | 9 +++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 modules/cognitive_services/cognitive_services_account/output.tf diff --git a/cognitive_service.tf b/cognitive_service.tf index 64a8a02868..04659f9f28 100644 --- a/cognitive_service.tf +++ b/cognitive_service.tf 
@@ -7,4 +7,8 @@ module "cognitive_services_account" { resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] settings = each.value -} \ No newline at end of file +} + +output "cognitive_services_account" { + value = module.cognitive_services_account +} diff --git a/modules/cognitive_services/cognitive_services_account/output.tf b/modules/cognitive_services/cognitive_services_account/output.tf new file mode 100644 index 0000000000..fd2a6239a4 --- /dev/null +++ b/modules/cognitive_services/cognitive_services_account/output.tf @@ -0,0 +1,9 @@ +output "id" { + description = "The ID of the Cognitive Service Account." + value = azurerm_cognitive_account.service.id +} + +output "endpoint" { + description = "The endpoint used to connect to the Cognitive Service Account." + value = azurerm_cognitive_account.service.endpoint +} \ No newline at end of file From ed59075c9fae232bfc97746386bdcde973e5eb6b Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 22 Jul 2021 05:46:48 +0000 Subject: [PATCH 070/102] Adding #585 to CI --- .github/workflows/standalone-scenarios.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index eb2985af3d..bcbd7427a1 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
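Review bot: The new root-level `output "cognitive_services_account"` has no `description`, while the two module outputs created in the same commit each carry one; suggest `description = "Cognitive services accounts deployed by this landing zone, one entry per key of the cognitive_services_account map."`. Re-exporting the whole module value is safe today because the module's output.tf exposes only `id` and `endpoint`; if access keys are ever added to the module outputs, this root output would need `sensitive = true` as well, so a short comment recording that expectation would be useful.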
@@ -26,6 +26,7 @@ "compute/kubernetes_services/102-multi-nodepools", "compute/kubernetes_services/103-multi-clusters", "compute/kubernetes_services/104-private-cluster", + "compute/kubernetes_services/105-cluster-usermsi", "compute/proximity_placement_group", "compute/virtual_machine/101-single-windows-vm", "compute/virtual_machine/102-single-vm-data-disks", From 0bc18374ebeeefdd9693b55b9274b7f2496448b8 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Thu, 22 Jul 2021 06:16:17 +0000 Subject: [PATCH 071/102] ci: ignore all README file updates --- .github/workflows/master-standalone-tf100.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index b18268c18f..c4b6698368 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml @@ -12,8 +12,7 @@ on: - .github/workflows/master-100.yaml - 'documentation/**' - '_pictures/**' - - 'README.md' - - 'examples/README.md' + - '**/README.md' - 'CHANGELOG.md' schedule: - cron: '0 0 * * 0' #1 AM on Sunday From 3fbd24c9d20b7e982df416212326e0de312724c8 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Thu, 22 Jul 2021 11:45:06 +0000 Subject: [PATCH 072/102] refactor to use coalsece for roles --- roles.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles.tf b/roles.tf index 6783967856..f3c64aa785 100755 --- a/roles.tf +++ b/roles.tf 
@@ -22,7 +22,10 @@ resource "azurerm_role_assignment" "for" { ) role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null role_definition_id = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null - principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : try(local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id, local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id) + principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : coalesce( + try(local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id, null), + try(local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id, null) + ) lifecycle { ignore_changes = [ From f3098de1f1f77aa5265a0f2ca55c461611867226 Mon Sep 17 00:00:00 2001 From: Abdullah Khairi Date: Thu, 22 Jul 2021 18:09:00 +0000 Subject: [PATCH 073/102] fix empty fqdn issue --- modules/networking/application_gateway/application_gateway.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index 11a2ea8ac8..5d2205cdc5 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf 
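Review bot: The second branch of the new `coalesce()` still silently resolves the principal from the current landing zone when `object_id_lz_key` names a landing zone in which `object_id_key_resource` does not exist, so a mistyped `lz_key` can grant the role to a different identity that happens to share the key instead of failing the plan. If the fallback is only meant for definitions that omit `object_id_lz_key`, select the landing zone once and drop the second branch: `principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : local.services_roles[each.value.object_id_resource_type][try(each.value.object_id_lz_key, var.current_landingzone_key)][each.value.object_id_key_resource].rbac_id`. The old `try()` behaved the same way, so this may be a deliberate contract; a comment on the line saying which it is would settle it. The enclosing `azurerm_role_assignment` resource starts and ends outside the hunk.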
@@ -159,7 +159,7 @@ resource "azurerm_application_gateway" "agw" { content { name = var.application_gateway_applications[backend_address_pool.key].name - fqdns = try(backend_address_pool.value.fqdns, null) + fqdns = try(length(backend_address_pool.value.fqdns), 0) == 0 ? null : backend_address_pool.value.fqdns ip_addresses = try(backend_address_pool.value.ip_addresses, null) } } From 537b4f7e733157ffa1f74e4a9af613feb9e7162e Mon Sep 17 00:00:00 2001 From: GlennChia Date: Fri, 23 Jul 2021 09:55:22 +0000 Subject: [PATCH 074/102] fix: temp move consumption budget to separate file test cases are failing due to permission issues with the CI agent --- .github/workflows/standalone-scenarios-additional.json | 10 ++++++++++ .github/workflows/standalone-scenarios.json | 6 ------ 2 files changed, 10 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/standalone-scenarios-additional.json diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json new file mode 100644 index 0000000000..1dd0ba2221 --- /dev/null +++ b/.github/workflows/standalone-scenarios-additional.json @@ -0,0 +1,10 @@ +{ + "config_files": [ + "consumption_budget/100-consumption-budget-rg", + "consumption_budget/101-consumption-budget-subscription", + "consumption_budget/102-consumption-budget-rg-alerts", + "consumption_budget/103-consumption-budget-subscription-alerts", + "consumption_budget/104-consumption-budget-subscription-vm", + "consumption_budget/105-consumption-budget-subscription-aks" + ] +} diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 8bee69c0b7..f3eedbf6d6 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -35,12 +35,6 @@ "compute/virtual_machine/106-marketplace-image-with-plan", "compute/virtual_machine/210-vm-bastion-winrm", "compute/virtual_machine/211-vm-bastion-winrm-agents", - "consumption_budget/100-consumption-budget-rg", - "consumption_budget/101-consumption-budget-subscription", - "consumption_budget/102-consumption-budget-rg-alerts", - "consumption_budget/103-consumption-budget-subscription-alerts", - "consumption_budget/104-consumption-budget-subscription-vm", - "consumption_budget/105-consumption-budget-subscription-aks", "compute/virtual_machine_scale_set/100-linux-win-vmss-lb", "compute/virtual_machine_scale_set/101-linux-win-vmss-agw", "compute/windows_virtual_desktop/wvd_resources", From f897976df53c601376d33eec0f53695756725209 Mon Sep 17 00:00:00 2001 From: GlennChia Date: Sun, 25 Jul 2021 00:25:52 +0800 Subject: [PATCH 075/102] docs: bump caf azurerm module version --- examples/consumption_budget/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/consumption_budget/README.md b/examples/consumption_budget/README.md index 5878939494..f02540b374 100755 --- a/examples/consumption_budget/README.md +++ b/examples/consumption_budget/README.md @@ -7,7 +7,7 @@ You can instantiate this directly using the following parameters: ```hcl module "caf" { source = "aztfmod/caf/azurerm" - version = "5.4.1" + version = "5.4.2" # insert the 7 required variables here } ``` From 3f9b1502dddcd3a00beb0eaf3403c2a10028ff73 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Thu, 29 Jul 2021 01:41:41 +0000 Subject: [PATCH 076/102] Update to support more resource reference in RT nexthop --- .../networking/virtual_hub_route_tables/route_local.tf | 2 ++ modules/networking/virtual_hub_route_tables/variables.tf | 1 + networking_virtual_hub_route_table.tf | 9 +++++---- 3 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/modules/networking/virtual_hub_route_tables/route_local.tf b/modules/networking/virtual_hub_route_tables/route_local.tf index 9f81833500..b86e43ca04 100644 --- a/modules/networking/virtual_hub_route_tables/route_local.tf +++ b/modules/networking/virtual_hub_route_tables/route_local.tf @@ -8,6 +8,8 @@ locals { nextHopType = "ResourceId" nextHop = coalesce( try(value.next_hop_id, ""), + try(var.remote_objects.virtual_hub_connections[value.next_hop.lz_key][value.next_hop.key].id, ""), + try(var.remote_objects.azurerm_firewalls[value.next_hop.lz_key][value.next_hop.key].id, ""), try(var.resource_ids[value.next_hop.resource_type][value.next_hop.lz_key][value.next_hop.key].id, "") # Note the virtual_hub_connection must come from a remote tfstate only. PB with circular reference in the object model of vhub tables and connections ) } diff --git a/modules/networking/virtual_hub_route_tables/variables.tf b/modules/networking/virtual_hub_route_tables/variables.tf index 722d8fb29d..3efc858cc2 100644 --- a/modules/networking/virtual_hub_route_tables/variables.tf +++ b/modules/networking/virtual_hub_route_tables/variables.tf @@ -1,5 +1,6 @@ variable "client_config" {} variable "name" {} +variable "remote_objects" {} variable "resource_ids" {} variable "settings" {} variable "virtual_hub" {} \ No newline at end of file diff --git a/networking_virtual_hub_route_table.tf b/networking_virtual_hub_route_table.tf index 8b4867f9c4..b96a83f05c 100644 --- a/networking_virtual_hub_route_table.tf +++ b/networking_virtual_hub_route_table.tf 
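Review bot: The two lookups added to `nextHop` ignore `value.next_hop.resource_type`: a `next_hop` whose `lz_key`/`key` pair exists in both `virtual_hub_connections` and `azurerm_firewalls` resolves to the connection even when the configuration asked for the firewall, because `coalesce()` returns the first non-empty match. Provided the `resource_type` values match the keys the caller passes in `remote_objects`, indexing by the declared type keeps the choice explicit and replaces both added lines: `try(var.remote_objects[value.next_hop.resource_type][value.next_hop.lz_key][value.next_hop.key].id, ""),`. The trailing comment about the virtual hub connection having to come from a remote tfstate now describes the new `virtual_hub_connections` line rather than the `resource_ids` line it sits on and could move next to it. The enclosing `locals` block starts and ends outside the hunk.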
@@ -54,9 +54,10 @@ resource "azurerm_virtual_hub_route_table" "route_table" { } module "azurerm_virtual_hub_route_table" { - depends_on = [azurerm_virtual_hub_route_table.route_table] - source = "./modules/networking/virtual_hub_route_tables" - for_each = local.networking.virtual_hub_route_tables + remote_objects = var.remote_objects + depends_on = [azurerm_virtual_hub_route_table.route_table] + source = "./modules/networking/virtual_hub_route_tables" + for_each = local.networking.virtual_hub_route_tables client_config = local.client_config name = each.value.name @@ -90,4 +91,4 @@ module "azurerm_virtual_hub_route_table" { # virtual_hub_connection = try(var.remote_objects.virtual_hub_connections, {}) } -} +} \ No newline at end of file From aa586063c92f9bebd7cf209cf61cc3f62be47fd2 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Thu, 29 Jul 2021 08:51:42 +0000 Subject: [PATCH 077/102] Update to pass in particular remote obj only --- networking_virtual_hub_route_table.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/networking_virtual_hub_route_table.tf b/networking_virtual_hub_route_table.tf index b96a83f05c..49fe08accb 100644 --- a/networking_virtual_hub_route_table.tf +++ b/networking_virtual_hub_route_table.tf @@ -54,7 +54,6 @@ resource "azurerm_virtual_hub_route_table" "route_table" { } module "azurerm_virtual_hub_route_table" { - remote_objects = var.remote_objects depends_on = [azurerm_virtual_hub_route_table.route_table] source = "./modules/networking/virtual_hub_route_tables" for_each = local.networking.virtual_hub_route_tables 
@@ -63,6 +62,11 @@ module "azurerm_virtual_hub_route_table" { name = each.value.name settings = each.value + remote_objects = { + virtual_hub_connections = local.combined_objects_virtual_hub_connections + azurerm_firewalls = local.combined_objects_azurerm_firewalls + } + virtual_hub = { id = coalesce( try(local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].id, null), From 6175ba7bf6137ca3165129187796dfd81c6a8454 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Thu, 29 Jul 2021 10:27:32 +0000 Subject: [PATCH 078/102] Update import subscription id in the tfstate instead of using the logged in sub id --- modules/subscriptions/output.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/subscriptions/output.tf b/modules/subscriptions/output.tf index 67508007d3..ed8df61ad7 100755 --- a/modules/subscriptions/output.tf +++ b/modules/subscriptions/output.tf @@ -1,8 +1,8 @@ output "id" { - value = format("/subscriptions/%s", try(azurerm_subscription.sub.0.subscription_id, var.client_config.subscription_id)) + value = format("/subscriptions/%s", try(azurerm_subscription.sub.0.subscription_id, var.settings.subscription_id)) } output "subscription_id" { - value = try(azurerm_subscription.sub.0.subscription_id, var.client_config.subscription_id) + value = try(azurerm_subscription.sub.0.subscription_id, var.settings.subscription_id) } output "tenant_id" { From fc7903ab942d3c771506c7339588c27aafd6671e Mon Sep 17 00:00:00 2001 From: Chun Saen Sean Lok Date: Thu, 5 Aug 2021 11:45:46 +0800 Subject: [PATCH 079/102] Fix subnet optional in secure hub firewall --- networking_firewall.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/networking_firewall.tf b/networking_firewall.tf index cfdad8a975..ac85df0fde 100755 --- a/networking_firewall.tf +++ b/networking_firewall.tf 
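Review bot: The new `remote_objects` map hands the module `local.combined_objects_virtual_hub_connections`, which — presumably built with the same `merge()` pattern shown for the other combined objects in locals.combined_objects.tf — includes this landing zone's own connections, yet the comment at the `nextHop` coalesce in route_local.tf says a virtual hub connection must come from a remote tfstate only because of a circular reference between hub route tables and connections. If that cycle still exists, passing the combined map may reintroduce it for a configuration that points at a local connection; passing `virtual_hub_connections = try(var.remote_objects.virtual_hub_connections, {})` for that key (as the commented-out line later in this module block already hints) would keep the restriction honest, or the module comment should be updated if the cycle no longer applies. The `azurerm_firewalls` key carries no such caveat.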
@@ -18,7 +18,7 @@ module "azurerm_firewalls" { public_ip_keys = try(each.value.public_ip_keys, null) resource_group_name = local.resource_groups[each.value.resource_group_key].name settings = each.value - subnet_id = module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id + subnet_id = try(module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id,null) tags = try(each.value.tags, null) virtual_hubs = local.combined_objects_virtual_hubs virtual_networks = local.combined_objects_networking From 8f36c60d38cbc6aebf4f12861c405f500968bdfc Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Thu, 5 Aug 2021 05:59:54 +0000 Subject: [PATCH 080/102] add lifecycle to vm os_disk to ignore change for restored os_disk swap --- modules/compute/virtual_machine/vm_linux.tf | 13 +++++++++++++ modules/compute/virtual_machine/vm_windows.tf | 12 ++++++++++++ 2 files changed, 25 insertions(+) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index c4557ae660..ca092a0d68 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -44,6 +44,13 @@ resource "azurecaf_name" "os_disk_linux" { clean_input = true passthrough = var.global_settings.passthrough use_slug = var.global_settings.use_slug + + lifecycle { + ignore_changes = [ + name + ] + } + } resource "azurerm_linux_virtual_machine" "vm" { @@ -133,6 +140,12 @@ resource "azurerm_linux_virtual_machine" "vm" { } } + lifecycle { + ignore_changes = [ + os_disk, + ] + } + } # diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 2f9cf972b4..6dd3d09f13 100755 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf 
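Review bot: Wrapping the whole expression in `try(..., null)` makes the subnet optional for the secure-hub case, but it also hides a mistyped `vnet_key` or a missing `AzureFirewallSubnet` for VNet-based firewalls, which previously failed at plan and now silently pass `subnet_id = null` into the module. Keying the fallback on the configuration rather than on the lookup failing keeps the error for the VNet case: `subnet_id = try(each.value.vnet_key, null) == null ? null : module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id` — this assumes hub firewall definitions omit `vnet_key`, which I cannot confirm from the hunk. Style: the surrounding arguments use `, ` between call arguments, so `.id,null)` wants a space after the comma.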
@@ -35,6 +35,12 @@ resource "azurecaf_name" "os_disk_windows" { clean_input = true passthrough = var.global_settings.passthrough use_slug = var.global_settings.use_slug + + lifecycle { + ignore_changes = [ + name + ] + } } resource "azurerm_windows_virtual_machine" "vm" { @@ -171,6 +177,12 @@ resource "azurerm_windows_virtual_machine" "vm" { } } + lifecycle { + ignore_changes = [ + os_disk + ] + } + } resource "random_password" "admin" { From c7017a0346524f4fea280f4684f91c37bed13a1d Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Mon, 9 Aug 2021 08:52:53 +0000 Subject: [PATCH 081/102] uncomment support for skuEdition for sqlmi --- modules/databases/mssql_managed_instance/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/databases/mssql_managed_instance/main.tf b/modules/databases/mssql_managed_instance/main.tf index a04031ee3a..4fb19dccc9 100755 --- a/modules/databases/mssql_managed_instance/main.tf +++ b/modules/databases/mssql_managed_instance/main.tf @@ -25,9 +25,9 @@ locals { skuName = { value = var.settings.sku.name } - # skuEdition = { - # value = try(var.settings.sku.edition, "GeneralPurpose") - # } + skuEdition = { + value = try(var.settings.sku.edition, "GeneralPurpose") + } administratorLogin = { value = var.settings.administratorLogin } From 92e03d64d5d4705492be394ad4b1ae084eac8498 Mon Sep 17 00:00:00 2001 From: Hamad Riaz Date: Mon, 9 Aug 2021 21:39:24 -0700 Subject: [PATCH 082/102] Add Ability to Enter admin_password If password_authentication is set to true, allow user to enter password --- modules/compute/virtual_machine/vm_linux.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index c4557ae660..356bbf332f 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
@@ -54,6 +54,7 @@ resource "azurerm_linux_virtual_machine" "vm" { resource_group_name = var.resource_group_name size = each.value.size admin_username = each.value.admin_username + admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null network_interface_ids = local.nic_ids tags = merge(local.tags, try(each.value.tags, null)) From ab4581161ee69cd19c88ad3180d0c5a6851ecddd Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Tue, 10 Aug 2021 09:20:34 +0000 Subject: [PATCH 083/102] update to support multi dns resources --- .../configuration.tfvars | 12 ++++++++++ modules/networking/virtual_network/module.tf | 23 +++++++++++++++++-- .../networking/virtual_network/variables.tf | 4 ++++ networking.tf | 3 +++ 4 files changed, 40 insertions(+), 2 deletions(-) diff --git a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars index c6acfe1a76..223c09e703 100644 --- a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars +++ b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars @@ -19,6 +19,18 @@ vnets = { vnet = { name = "app-vnet" address_space = ["10.1.0.0/16"] + #dns_servers = ["10.2.0.5", "10.2.0.6"] + # dns_servers_keys = { + # ip1 = { + # lz_key = "", + # resource_key = "", + # interface_index = 0 #Optional it will take 0. + # } + # ip2 = { + # lz_key = "", + # resource_key = "", + # } + # } } specialsubnets = {} subnets = { diff --git a/modules/networking/virtual_network/module.tf b/modules/networking/virtual_network/module.tf index 7945fd670e..22611bea74 100644 --- a/modules/networking/virtual_network/module.tf +++ b/modules/networking/virtual_network/module.tf 
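Review bot: The new `admin_password` line reads `each.value.disable_password_authentication` and `each.value.admin_password` unconditionally: a VM definition that omits `disable_password_authentication` (the provider defaults it to true) now fails at plan, and one that sets it to `false` must carry a plaintext password in the configuration, from where it lands in the tfvars repository and in the state file. Guarding both attributes keeps existing definitions working: `admin_password = try(each.value.disable_password_authentication, true) ? null : try(each.value.admin_password, null)` — the provider then rejects a missing password only for VMs that opted into password authentication. Since the Windows variant in this module already derives its password from a `random_password` resource (visible in vm_windows.tf), preferring a generated or Key Vault-sourced value over a literal in tfvars would avoid committing credentials; whether vm_linux.tf has an equivalent resource is outside the hunk. The `azurerm_linux_virtual_machine` resource continues beyond the hunk.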
@@ -17,7 +17,10 @@ resource "azurerm_virtual_network" "vnet" { address_space = var.settings.vnet.address_space tags = local.tags - dns_servers = lookup(var.settings.vnet, "dns_servers", null) + dns_servers = coalesce( + try(lookup(var.settings.vnet, "dns_servers", null)), + try(local.dns_servers_process, null) + ) dynamic "ddos_protection_plan" { for_each = var.ddos_id != "" ? [1] : [] @@ -104,4 +107,20 @@ resource "azurerm_subnet_network_security_group_association" "nsg_vnet_associati subnet_id = module.subnets[each.key].id network_security_group_id = var.network_security_groups[each.value.nsg_key].id -} \ No newline at end of file +} + +locals { + dns_servers_process = [ + for obj in try(var.settings.vnet.dns_servers_keys,{}) : #o.ip + coalesce( + try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].virtual_hub[obj.interface_index].private_ip_address,null), + try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].virtual_hub.0.private_ip_address,null), + try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].ip_configuration[obj.interface_index].private_ip_address,null), + try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].ip_configuration.0.private_ip_address,null), + null + ) + # for ip_key, resouce_ip in var.settings.vnet.dns_servers_keys: [ + # resouce_ip.ip + # ] + ] +} diff --git a/modules/networking/virtual_network/variables.tf b/modules/networking/virtual_network/variables.tf index 0839910c2f..73a4763338 100755 --- a/modules/networking/virtual_network/variables.tf +++ b/modules/networking/virtual_network/variables.tf @@ -54,4 +54,8 @@ variable "network_watchers" { variable "network_security_groups" { default = {} description = "Network Security Group cretaed with different Resource Group" +} + +variable "remote_dns" { + default = {} } \ No newline at end of file diff --git a/networking.tf b/networking.tf index 62559cac09..647b2452c8 100755 --- a/networking.tf +++ b/networking.tf 
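Review bot: In the `dns_servers_process` local (the second hunk of this file) the inner `coalesce()` ends with a literal `null`, which is not a default — `coalesce()` errors when every argument is null — so a `dns_servers_keys` entry whose `lz_key`/`resource_key` resolves to nothing aborts the plan with a generic "no non-null arguments" message rather than naming the offending key; if a hard failure is intended, a comment such as `# fails the plan when a dns_servers_keys entry cannot be resolved` would make that explicit. The outer `coalesce()` in this hunk now yields `[]` rather than `null` when neither `dns_servers` nor `dns_servers_keys` is set, because an empty `for` produces an empty list; whether `azurerm_virtual_network` treats `dns_servers = []` the same as unset is worth confirming with a plan against an existing VNet. Leftovers to clean up in the second hunk: the `#o.ip` fragment on the `for` line, the commented-out second `for`, and the missing spaces after commas inside the `try(...)` calls.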
@@ -28,6 +28,9 @@ module "networking" { network_security_groups = module.network_security_groups network_security_group_definition = local.networking.network_security_group_definition network_watchers = try(local.combined_objects_network_watchers, null) + remote_dns = { + firewalls = try(var.remote_objects.azurerm_firewalls, null) #assumed from remote lz only + } route_tables = module.route_tables settings = each.value tags = try(each.value.tags, null) From 8249dc6883d4c8ebaecbc2922f6e4b8d1322c073 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 10 Aug 2021 18:11:23 +0800 Subject: [PATCH 084/102] Update master-standalone-tf100.yaml --- .github/workflows/master-standalone-tf100.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index c4b6698368..49c415ce39 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml @@ -7,13 +7,6 @@ name: standalone-scenario-tf100 on: workflow_dispatch: - pull_request: - paths-ignore: - - .github/workflows/master-100.yaml - - 'documentation/**' - - '_pictures/**' - - '**/README.md' - - 'CHANGELOG.md' schedule: - cron: '0 0 * * 0' #1 AM on Sunday From eec42e75c7247d85729d6497b1c64de4f90d7834 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Wed, 11 Aug 2021 02:42:06 +0000 Subject: [PATCH 085/102] Update Key to be more general --- .../100-simple-vnet-subnets-nsgs/configuration.tfvars | 9 ++++++--- modules/networking/virtual_network/module.tf | 8 ++++---- networking.tf | 2 +- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars index 223c09e703..77541bc5ff 100644 --- a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars 
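Review bot: Removing the `pull_request` trigger leaves this scenario workflow running only on `workflow_dispatch` and the weekly `schedule`, so the standalone scenarios are no longer exercised before a change is merged. The commit message gives no reason; if this is the CI agent permission problem mentioned in the earlier consumption-budget commit, a comment in the workflow (`# pull_request trigger disabled: <reason>`) would stop someone re-adding it blindly, and narrowing `paths-ignore` instead of dropping the trigger would have kept pre-merge coverage.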
+++ b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars @@ -22,13 +22,16 @@ vnets = { #dns_servers = ["10.2.0.5", "10.2.0.6"] # dns_servers_keys = { # ip1 = { - # lz_key = "", - # resource_key = "", + # lz_key = "", + # key = "", + # . resource_type = "firewalls", # interface_index = 0 #Optional it will take 0. + # # } # ip2 = { # lz_key = "", - # resource_key = "", + # key = "", + # resource_type = "firewalls", # } # } } diff --git a/modules/networking/virtual_network/module.tf b/modules/networking/virtual_network/module.tf index 22611bea74..c59d193f6c 100644 --- a/modules/networking/virtual_network/module.tf +++ b/modules/networking/virtual_network/module.tf @@ -113,10 +113,10 @@ locals { dns_servers_process = [ for obj in try(var.settings.vnet.dns_servers_keys,{}) : #o.ip coalesce( - try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].virtual_hub[obj.interface_index].private_ip_address,null), - try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].virtual_hub.0.private_ip_address,null), - try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].ip_configuration[obj.interface_index].private_ip_address,null), - try(var.remote_dns.firewalls[obj.lz_key][obj.resource_key].ip_configuration.0.private_ip_address,null), + try(var.remote_dns[obj.resource_type][obj.lz_key][obj.key].virtual_hub[obj.interface_index].private_ip_address,null), + try(var.remote_dns[obj.resource_type][obj.lz_key][obj.key].virtual_hub.0.private_ip_address,null), + try(var.remote_dns[obj.resource_type][obj.lz_key][obj.key].ip_configuration[obj.interface_index].private_ip_address,null), + try(var.remote_dns[obj.resource_type][obj.lz_key][obj.key].ip_configuration.0.private_ip_address,null), null ) # for ip_key, resouce_ip in var.settings.vnet.dns_servers_keys: [ diff --git a/networking.tf b/networking.tf index 647b2452c8..1e12168051 100755 --- a/networking.tf +++ b/networking.tf 
@@ -29,7 +29,7 @@ module "networking" { network_security_group_definition = local.networking.network_security_group_definition network_watchers = try(local.combined_objects_network_watchers, null) remote_dns = { - firewalls = try(var.remote_objects.azurerm_firewalls, null) #assumed from remote lz only + azurerm_firewall = try(var.remote_objects.azurerm_firewall, null) #assumed from remote lz only } route_tables = module.route_tables settings = each.value From 33b3b2e76c004c5422dc9436403fa64e8f248a2a Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Wed, 11 Aug 2021 05:09:48 +0000 Subject: [PATCH 086/102] Update resource type example --- .../100-simple-vnet-subnets-nsgs/configuration.tfvars | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars index 77541bc5ff..7f3a3185fa 100644 --- a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars +++ b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars @@ -24,14 +24,14 @@ vnets = { # ip1 = { # lz_key = "", # key = "", - # . resource_type = "firewalls", + # . resource_type = "azurerm_firewall", # interface_index = 0 #Optional it will take 0. # # } # ip2 = { # lz_key = "", # key = "", - # resource_type = "firewalls", + # resource_type = "azurerm_firewall", # } # } } From 4854bf001593d82faa874223d4667d54b89b5929 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Wed, 11 Aug 2021 06:24:31 +0000 Subject: [PATCH 087/102] update vm os_disk to only ignore disk name --- modules/compute/virtual_machine/vm_linux.tf | 2 +- modules/compute/virtual_machine/vm_windows.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index ca092a0d68..897b0fc169 100755 
--- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -142,7 +142,7 @@ resource "azurerm_linux_virtual_machine" "vm" { lifecycle { ignore_changes = [ - os_disk, + os_disk[0].name ] } diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 6dd3d09f13..1aced9b747 100755 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf @@ -179,7 +179,7 @@ resource "azurerm_windows_virtual_machine" "vm" { lifecycle { ignore_changes = [ - os_disk + os_disk[0].name ] } From 061328dc904e3043daf26a2fb3a667fe01a44e5c Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 11 Aug 2021 06:49:37 +0000 Subject: [PATCH 088/102] Add Rover remote ssh host support with docker engine --- .vscode/settings.json | 10 ++++++++-- rover_on_ssh_host.yml | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 rover_on_ssh_host.yml diff --git a/.vscode/settings.json b/.vscode/settings.json index bc03728010..a96ee1608a 100755 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -2,6 +2,12 @@ "files.eol": "\n", "terminal.integrated.shell.linux": "/bin/bash", "editor.tabSize": 2, - "terminal.integrated.scrollback": 8000, - "terminal.integrated.cwd": "/tf/caf", + "terminal.integrated.scrollback": 32000, + "terminal.integrated.profiles.linux": { + "caf (rover)": { + "path": "docker-compose", + "args": ["-f", "rover_on_ssh_host.yml", "run", "-e", "ROVER_RUNNER=true", "--rm", "-w", "/tf/caf" ,"rover", "/bin/bash"], + "overrideName": true + } + } } \ No newline at end of file diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml new file mode 100644 index 0000000000..d3ac97ea26 --- /dev/null +++ b/rover_on_ssh_host.yml 
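Review bot: Narrowing `ignore_changes` from the whole `os_disk` block to `os_disk[0].name` turns every other os_disk attribute into tracked drift on VMs that were deployed under the old rule, and for attributes the azurerm provider treats as force-new (the disk encryption set reference, if I recall the schema correctly) the next apply could plan a VM replacement rather than an in-place update. That is probably the intended behaviour, but it deserves a release note and a hint to run a plan on existing estates first; a one-line comment next to the lifecycle block would also help the next reader: `# only the generated disk name is ignored; other os_disk changes are now tracked and may force replacement`. The same change is made for the Windows VM in the second hunk. The resource bodies start outside the hunks.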
@@ -0,0 +1,37 @@ +--- +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- + +# +# Docker compose to open the rover in remote ssh shells +# + +version: '3.7' +services: + rover: + image: aztfmod/rover:1.0.1-2106.3012 + + user: vscode + + labels: + - "caf=Azure CAF" + + volumes: + # This is where VS Code should expect to find your project's source code + # and the value of "workspaceFolder" in .devcontainer/devcontainer.json + - .:/tf/caf + - volume-caf-vscode:/home/vscode + - volume-caf-vscode-bashhistory:/commandhistory + - ~/.ssh:/tmp/.ssh-localhost:ro + - /var/run/docker.sock:/var/run/docker.sock + + # Overrides default command so things don't shut down after the process ends. + command: /bin/sh -c "while sleep 1000; do :; done" + +volumes: + volume-caf-vscode: + labels: + - "caf=Azure CAF" + volume-caf-vscode-bashhistory: From 26b67e6bcddf8977e2b4e3c16bb81433a4e812cc Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 11 Aug 2021 06:57:31 +0000 Subject: [PATCH 089/102] Update devcontaine --- .devcontainer/devcontainer.json | 5 ++--- .pre-commit-config.yaml | 1 - 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 6537678615..105159c45d 100755 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
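Review bot: The `volumes` list bind-mounts `/var/run/docker.sock` into the rover container, which gives anything that runs as `vscode` inside it (terraform providers, pre-commit hooks, anything pulled by a module) the equivalent of root on the SSH host, since a writable Docker socket can launch a privileged container with the host filesystem mounted. If the socket is really needed, say so in the file header and make the mount opt-in through a compose override rather than the default profile; at minimum put `# WARNING: grants root-equivalent access to the host` directly above that line. The `~/.ssh` mount being `:ro` is good, but the image is pinned by tag only (`image: aztfmod/rover:1.0.1-2106.3012`); pinning by digest (`image: aztfmod/rover@sha256:...`) would make the toolchain immutable for everyone using this file.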
@@ -20,9 +20,8 @@ // You can edit these settings after create using File > Preferences > Settings > Remote. "settings": { "files.eol": "\n", - "terminal.integrated.shell.linux": "/bin/bash", "editor.tabSize": 2, - "terminal.integrated.scrollback": 8000, + "terminal.integrated.scrollback": 32000, }, // Uncomment the next line if you want start specific services in your Docker Compose config. @@ -32,7 +31,7 @@ // "shutdownAction": "none", // Uncomment the next line to run commands after the container is created. - "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf && sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && pre-commit install && pre-commit autoupdate", + "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf ~/.ssh && sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && pre-commit install && pre-commit autoupdate", // Add the IDs of extensions you want installed when the container is created in the array below. "extensions": [ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 65fdda0ade..49d16fb279 100755 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,6 @@ repos: - id: check-merge-conflict - id: trailing-whitespace - id: check-yaml - - id: check-json - id: check-added-large-files - id: detect-private-key # - repo: git://github.com/markdownlint/markdownlint From 672a605dcaf5d94e04a409aeb346349e86409e6f Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 11 Aug 2021 06:59:29 +0000 Subject: [PATCH 090/102] Fix a regression in subscription output --- modules/subscriptions/output.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/subscriptions/output.tf b/modules/subscriptions/output.tf index 67508007d3..cdc520bcea 100755 --- a/modules/subscriptions/output.tf +++ b/modules/subscriptions/output.tf 
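Review bot: The `postCreateCommand` chain starts with `sudo cp -R /tmp/.ssh-localhost/* ~/.ssh`, so on a host with no `~/.ssh` (or an empty one) the glob does not expand, `cp` fails and the whole `&&` chain stops before `pre-commit install` ever runs; a guard such as `[ -d /tmp/.ssh-localhost ] && sudo cp -R /tmp/.ssh-localhost/. ~/.ssh;` keeps the rest of the setup working. Note also that this copies the host's private keys into the container's home directory; if that directory is a named volume, as it is in the sibling `rover_on_ssh_host.yml`, the keys outlive the container and should be mentioned in the comment above the command. Finally, `chmod 400 ~/.ssh/*` also applies to `known_hosts` and `config`, which makes ssh unable to record new host keys (it warns but continues) — presumably harmless here, but worth a `// intentionally read-only, including known_hosts` note so nobody "fixes" it later.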
@@ -1,8 +1,8 @@ output "id" { - value = format("/subscriptions/%s", try(azurerm_subscription.sub.0.subscription_id, var.client_config.subscription_id)) + value = format("/subscriptions/%s", try(azurerm_subscription.sub.0.subscription_id, var.client_config.subscription_id, var.client_config.subscription_id)) } output "subscription_id" { - value = try(azurerm_subscription.sub.0.subscription_id, var.client_config.subscription_id) + value = try(azurerm_subscription.sub.0.subscription_id, var.client_config.subscription_id, var.client_config.subscription_id) } output "tenant_id" { From 5efde7f8eb1a8d8384bfc32d2ad5c946ba8c9ced Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 11 Aug 2021 07:01:11 +0000 Subject: [PATCH 091/102] Fix profile settings --- .vscode/settings.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index a96ee1608a..99a0aa73d5 100755 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,10 +1,9 @@ { "files.eol": "\n", - "terminal.integrated.shell.linux": "/bin/bash", "editor.tabSize": 2, "terminal.integrated.scrollback": 32000, "terminal.integrated.profiles.linux": { - "caf (rover)": { + "caf (rover on docker)": { "path": "docker-compose", "args": ["-f", "rover_on_ssh_host.yml", "run", "-e", "ROVER_RUNNER=true", "--rm", "-w", "/tf/caf" ,"rover", "/bin/bash"], "overrideName": true From 49a2e967c62709f2aa66d5b63a863ef14055361c Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 11 Aug 2021 11:09:10 +0000 Subject: [PATCH 092/102] Fix regression on grant_consent from sp --- modules/azuread/applications/scripts/grant_consent.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/azuread/applications/scripts/grant_consent.sh b/modules/azuread/applications/scripts/grant_consent.sh index 7409cde31e..e62c0e47d9 100755 --- a/modules/azuread/applications/scripts/grant_consent.sh +++ b/modules/azuread/applications/scripts/grant_consent.sh 
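Review bot: The third `try()` argument added to both outputs is byte-identical to the second (`var.client_config.subscription_id` twice), so it cannot change evaluation: if that expression fails, the duplicate fails the same way, and the regression this commit targets is not fixed by this hunk. If a real last-resort fallback was intended, it needs a different expression, and if the regression was actually resolved elsewhere the duplicate should be dropped before someone reads it as deliberate; either way a short comment stating the fallback order would prevent the next reader from guessing, e.g. `# prefer the created subscription, else the one the provider is authenticated against`.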
@@ -13,7 +13,7 @@ else microsoft_graph_endpoint=$(az cloud show | jq -r ".endpoints.microsoftGraphResourceId") - URI=$(echo "${microsoft_graph_endpoint}v1.0/servicePrincipals/${resourceId}/appRoleAssignedTo") && echo " - uri: $URI" + URI=$(echo "${microsoft_graph_endpoint}v1.0/servicePrincipals/${principalId}/appRoleAssignedTo") && echo " - uri: $URI" existingAppRoleId=$(az rest --method GET --uri ${URI} \ --query "value[?appRoleId=='${appRoleId}' && principalId=='${principalId}' && resourceId=='${resourceId}'].appRoleId" -o tsv) From 745454a37f35a9e4f4784219e70cfe8da2c4cc7e Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 11 Aug 2021 11:10:16 +0000 Subject: [PATCH 093/102] Fix service principal grant_consent from sp --- modules/azuread/service_principal/scripts/grant_consent.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/azuread/service_principal/scripts/grant_consent.sh b/modules/azuread/service_principal/scripts/grant_consent.sh index 9a422583c9..7fa9e8b967 100755 --- a/modules/azuread/service_principal/scripts/grant_consent.sh +++ b/modules/azuread/service_principal/scripts/grant_consent.sh @@ -14,7 +14,7 @@ else microsoft_graph_endpoint=$(az cloud show | jq -r ".endpoints.microsoftGraphResourceId") - URI=$(echo "${microsoft_graph_endpoint}v1.0/servicePrincipals/${resourceId}/appRoleAssignedTo") && echo " - uri: $URI" + URI=$(echo "${microsoft_graph_endpoint}v1.0/servicePrincipals/${principalId}/appRoleAssignedTo") && echo " - uri: $URI" existingAppRoleId=$(az rest --method GET --uri ${URI} \ --query "value[?appRoleId=='${appRoleId}' && principalId=='${principalId}' && resourceId=='${resourceId}'].appRoleId" -o tsv) From 9476480239e9c7740d1914b675bb58c4602c71f9 Mon Sep 17 00:00:00 2001 
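Review bot: Switching the path segment from `${resourceId}` to `${principalId}` while keeping `appRoleAssignedTo` looks inconsistent: as far as I recall the Graph reference, `/servicePrincipals/{id}/appRoleAssignedTo` lists grants made on a resource service principal, whereas the grants held by a principal are read from `/servicePrincipals/{id}/appRoleAssignments`. With the client SP's id in the path, the first collection is normally empty, so `existingAppRoleId` would stay blank on every run and whatever idempotency check follows (outside the hunk) would presumably always take the "not yet granted" branch. If `principalId` is indeed the client SP, the line should probably read `URI="${microsoft_graph_endpoint}v1.0/servicePrincipals/${principalId}/appRoleAssignments"`; the identical hunk in `modules/azuread/service_principal/scripts/grant_consent.sh` needs the same check. While here, quote the expansion in `az rest ... --uri "${URI}"` so an unexpected character in the endpoint cannot split the argument.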
From: Abdul Rabbani Date: Wed, 11 Aug 2021 18:51:31 -0400 Subject: [PATCH 094/102] Storage - Add files to storage shares Currently, users can create directories in in storage shares using CAF but not [files](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file). This code will allow those files, using either a relative or absolute path. --- .../configuration.tfvars | 16 ++++++++++++++++ .../104-file-share-with-backup/fileA | 1 + .../104-file-share-with-backup/fileB | 1 + .../104-file-share-with-backup/fileC | 1 + modules/storage_account/file_share/share_file.tf | 8 ++++++++ modules/storage_account/file_share_file/file.tf | 11 +++++++++++ .../storage_account/file_share_file/output.tf | 4 ++++ .../storage_account/file_share_file/variables.tf | 2 ++ 8 files changed, 44 insertions(+) create mode 100644 examples/storage_accounts/104-file-share-with-backup/fileA create mode 100644 examples/storage_accounts/104-file-share-with-backup/fileB create mode 100644 examples/storage_accounts/104-file-share-with-backup/fileC create mode 100644 modules/storage_account/file_share/share_file.tf create mode 100644 modules/storage_account/file_share_file/file.tf create mode 100644 modules/storage_account/file_share_file/output.tf create mode 100644 modules/storage_account/file_share_file/variables.tf diff --git a/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars b/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars index 9eb8f19887..81bcb4800b 100755 --- a/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars +++ b/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars 
@@ -36,6 +36,22 @@ storage_accounts = { name = "testdirectory" } } + files = { + file1 = { + name = "fileA" + source = "/tf/caf/examples/storage_accounts/104-file-share-with-backup/fileA" + } + file2 = { + name = "fileB" + source = "/tf/caf/examples/storage_accounts/104-file-share-with-backup/fileB" + path = "testdirectory" + } + file3 = { + name = "fileC" + source = "./storage_accounts/104-file-share-with-backup/fileC" + path = "testdirectory" + } + } # backups = { # policy_key = "policy1" diff --git a/examples/storage_accounts/104-file-share-with-backup/fileA b/examples/storage_accounts/104-file-share-with-backup/fileA new file mode 100644 index 0000000000..c29eeabb18 --- /dev/null +++ b/examples/storage_accounts/104-file-share-with-backup/fileA @@ -0,0 +1 @@ +This is fileA \ No newline at end of file diff --git a/examples/storage_accounts/104-file-share-with-backup/fileB b/examples/storage_accounts/104-file-share-with-backup/fileB new file mode 100644 index 0000000000..aafd34b18d --- /dev/null +++ b/examples/storage_accounts/104-file-share-with-backup/fileB @@ -0,0 +1 @@ +This is file B diff --git a/examples/storage_accounts/104-file-share-with-backup/fileC b/examples/storage_accounts/104-file-share-with-backup/fileC new file mode 100644 index 0000000000..679f99c840 --- /dev/null +++ b/examples/storage_accounts/104-file-share-with-backup/fileC @@ -0,0 +1 @@ +This is fileC \ No newline at end of file diff --git a/modules/storage_account/file_share/share_file.tf b/modules/storage_account/file_share/share_file.tf new file mode 100644 index 0000000000..b59d2ac8c8 --- /dev/null +++ b/modules/storage_account/file_share/share_file.tf @@ -0,0 +1,8 @@ +module "file_share_file" { + source = "../file_share_file" + depends_on = [module.file_share_directory] + for_each = try(var.settings.files, {}) + + share_id = azurerm_storage_share.fs.id + settings = each.value +} \ No newline at end of file 
diff --git a/modules/storage_account/file_share_file/file.tf b/modules/storage_account/file_share_file/file.tf new file mode 100644 index 0000000000..466cdeac45 --- /dev/null +++ b/modules/storage_account/file_share_file/file.tf @@ -0,0 +1,11 @@ +resource "azurerm_storage_share_file" "share_file" { + name = var.settings.name + storage_share_id = var.share_id + path = try(var.settings.path, null) + source = try(var.settings.source, null) + content_type = try(var.settings.content_type, null) + content_md5 = try(var.settings.content_md5, null) + content_encoding = try(var.settings.content_encoding, null) + content_disposition = try(var.settings.content_disposition, null) + metadata = try(var.settings.metadata, null) +} \ No newline at end of file diff --git a/modules/storage_account/file_share_file/output.tf b/modules/storage_account/file_share_file/output.tf new file mode 100644 index 0000000000..85158b6d96 --- /dev/null +++ b/modules/storage_account/file_share_file/output.tf @@ -0,0 +1,4 @@ +output "id" { + value = azurerm_storage_share_file.share_file.id +} + diff --git a/modules/storage_account/file_share_file/variables.tf b/modules/storage_account/file_share_file/variables.tf new file mode 100644 index 0000000000..be4e2e106b --- /dev/null +++ b/modules/storage_account/file_share_file/variables.tf @@ -0,0 +1,2 @@ +variable "share_id" {} +variable "settings" {} \ No newline at end of file From d04574cfc10d475d705d58bb5520320a5d8dff4c Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 12 Aug 2021 04:09:55 +0000 Subject: [PATCH 095/102] FMT, Patch policies and azurerm 2.71 --- .gitignore | 3 +- main.tf | 2 +- .../keyvault_access_policies/policies.tf | 80 ++++++++++++++++--- networking_firewall_policy.tf | 2 +- networking_virtual_hub_connection.tf | 4 +- 5 files changed, 73 insertions(+), 18 deletions(-) diff --git a/.gitignore b/.gitignore index 53a292385d..1b3c17ecdf 100755 --- a/.gitignore +++ b/.gitignore 
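Review bot: `content_md5` is only forwarded when the caller sets it, so in the common case (`source` only) Terraform holds no content fingerprint for the uploaded file; in my experience with `azurerm_storage_share_file` only the `source` path is tracked, so editing `fileA` locally after the first apply produces no diff and the share silently keeps the stale copy — please confirm against the provider docs. Deriving the hash whenever a source is present closes that gap without changing the interface: `content_md5 = try(var.settings.content_md5, filemd5(var.settings.source), null)`. Because `try()` swallows the error when `source` is absent, content-less entries keep their current behaviour.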
@@ -11,4 +11,5 @@ **/backend.azurerm.tf public **/.terraform.lock.hcl -**/*.backup \ No newline at end of file +**/*.backup +landingzones \ No newline at end of file diff --git a/main.tf b/main.tf index 467a050ac8..4e37a7bbcf 100755 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.64.0" + version = "~> 2.71.0" } azuread = { source = "hashicorp/azuread" diff --git a/modules/security/keyvault_access_policies/policies.tf b/modules/security/keyvault_access_policies/policies.tf index 45b6f94d4f..81d8fc7184 100755 --- a/modules/security/keyvault_access_policies/policies.tf +++ b/modules/security/keyvault_access_policies/policies.tf @@ -6,7 +6,13 @@ module "azuread_apps" { if try(access_policy.azuread_app_key, null) != null } - keyvault_id = var.keyvault_id == null ? var.keyvaults[try(each.value.keyvault_lz_key, each.value.lz_key, var.client_config.landingzone_key)][var.keyvault_key].id : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.client_config.tenant_id object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key), var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id 
@@ -22,8 +28,8 @@ module "azuread_service_principals" { keyvault_id = coalesce( var.keyvault_id, try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), - try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null), - try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null) + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility ) access_policy = each.value @@ -42,7 +48,13 @@ module "azuread_group" { if try(access_policy.azuread_group_key, null) != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.client_config.tenant_id object_id = try(each.value.lz_key, null) == null ? var.azuread_groups[var.client_config.landingzone_key][each.value.azuread_group_key].id : var.azuread_groups[each.value.lz_key][each.value.azuread_group_key].id 
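Review bot: Moving `var.client_config.landingzone_key` ahead of `each.value.lz_key` in the `coalesce` changes which vault a policy lands on when a local and a remote landing zone both expose the same `keyvault_key`: a configuration that relied on `lz_key` to target the remote vault (the "backward compatibility" case the comment names) now silently gets its access policy created on the local vault, granting the principal key/secret access somewhere it was never meant to have it. For an authorization binding a silent fallback is the wrong failure mode; either keep `lz_key` ahead of the local default, or drop the legacy fallback and make `keyvault_lz_key` the only way to address a remote vault, failing loudly when it is missing. At minimum the trailing comment should state what actually happens now: `// legacy: lz_key is consulted only when no vault with this key exists in the current landing zone`. The same ordering is repeated in every module block of this file.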
@@ -55,7 +67,13 @@ module "logged_in_user" { if key == "logged_in_user" && var.client_config.logged_user_objectId != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.client_config.tenant_id object_id = var.client_config.object_id @@ -68,7 +86,13 @@ module "logged_in_aad_app" { if key == "logged_in_aad_app" && var.client_config.logged_aad_app_objectId != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.client_config.tenant_id object_id = var.client_config.object_id 
@@ -81,7 +105,13 @@ module "object_id" { if try(access_policy.object_id, null) != null && var.client_config.logged_aad_app_objectId != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = try(each.value.tenant_id, var.client_config.tenant_id) object_id = each.value.object_id @@ -97,8 +127,8 @@ module "managed_identity" { keyvault_id = coalesce( var.keyvault_id, try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), - try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null), - try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null) + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility ) access_policy = each.value 
@@ -117,7 +147,13 @@ module "mssql_managed_instance" { if try(access_policy.mssql_managed_instance_key, null) != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.client_config.tenant_id object_id = try(each.value.lz_key, null) == null ? var.resources.mssql_managed_instances[var.client_config.landingzone_key][each.value.mssql_managed_instance_key].principal_id : var.resources.mssql_managed_instances[each.value.lz_key][each.value.mssql_managed_instance_key].principal_id 
@@ -130,7 +166,13 @@ module "mssql_managed_instances_secondary" { if try(access_policy.mssql_managed_instance_secondary_key, null) != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.client_config.tenant_id object_id = try(each.value.lz_key, null) == null ? var.resources.mssql_managed_instances_secondary[var.client_config.landingzone_key][each.value.mssql_managed_instance_secondary_key].principal_id : var.resources.mssql_managed_instances_secondary[each.value.lz_key][each.value.mssql_managed_instance_secondary_key].principal_id @@ -145,7 +187,13 @@ module "storage_accounts" { if try(access_policy.storage_account_key, null) != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.resources.storage_accounts[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.storage_account_key].identity.0.tenant_id object_id = var.resources.storage_accounts[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.storage_account_key].identity.0.principal_id 
@@ -158,7 +206,13 @@ module "diagnostic_storage_accounts" { if try(access_policy.diagnostic_storage_account_key, null) != null } - keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id + keyvault_id = coalesce( + var.keyvault_id, + try(var.keyvaults[each.value.keyvault_lz_key][var.keyvault_key].id, null), + try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, null), + try(var.keyvaults[each.value.lz_key][var.keyvault_key].id, null) // For backward compatibility + ) + access_policy = each.value tenant_id = var.resources.diagnostic_storage_accounts[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.diagnostic_storage_account_key].identity.0.tenant_id object_id = var.resources.diagnostic_storage_accounts[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.diagnostic_storage_account_key].identity.0.principal_id diff --git a/networking_firewall_policy.tf b/networking_firewall_policy.tf index a7b622b469..e58b1c59bd 100755 --- a/networking_firewall_policy.tf +++ b/networking_firewall_policy.tf @@ -10,7 +10,7 @@ module "azurerm_firewall_policies" { settings = each.value tags = try(each.value.tags, null) - resource_group = coalesce( + resource_group = coalesce( try(local.combined_objects_resource_groups[each.value.lz_key][each.value.resource_group_key], null), try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key], null), try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key], null), diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf index c5b03465aa..f44e8b8036 100644 --- a/networking_virtual_hub_connection.tf +++ b/networking_virtual_hub_connection.tf 
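Review bot: The same six-line `coalesce(var.keyvault_id, try(...keyvault_lz_key...), try(...landingzone_key...), try(...lz_key...))` block is now pasted into every module in this file, which is exactly how the resolution order drifted between blocks before this commit. Computing it once in a `locals` map keyed by access-policy key (`keyvault_ids = { for k, ap in <the for_each source map> : k => coalesce(...) }`, with the source map name taken from the `for key, access_policy in ...` expressions that start outside these hunks) and referencing `local.keyvault_ids[each.key]` keeps the lookup order in one place. That also gives one spot to document the precedence rule instead of eight copies of `// For backward compatibility`.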
@@ -61,8 +61,8 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" { for_each = try(routing.value.static_vnet_route, {}) content { - name = static_vnet_route.value.name - address_prefixes = static_vnet_route.value.address_prefixes + name = static_vnet_route.value.name + address_prefixes = static_vnet_route.value.address_prefixes next_hop_ip_address = coalesce( try(static_vnet_route.value.next_hop_ip_address, null), try(local.combined_objects_azurerm_firewalls[static_vnet_route.value.next_hop.lz_key][static_vnet_route.value.next_hop.key].ip_configuration[static_vnet_route.value.next_hop.interface_index].private_ip_address, null), From ddb2810124edf4fca6f618ba7badc9a66ffb8170 Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 12 Aug 2021 10:40:43 +0000 Subject: [PATCH 096/102] Update azurerm to 2.70.0 - fix ci - fmt --- .../workflows/standalone-scenarios-additional.json | 4 ++++ .github/workflows/standalone-scenarios.json | 1 - aks_clusters.tf | 8 ++++---- examples/ci.sh | 2 +- .../configuration.tfvars | 14 ++++++++------ main.tf | 2 +- networking.tf | 4 ++-- networking_firewall.tf | 2 +- networking_virtual_hub_route_table.tf | 10 +++++----- roles.tf | 10 +++++----- 10 files changed, 31 insertions(+), 26 deletions(-) diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json index 1dd0ba2221..e5ce1ffbeb 100644 --- a/.github/workflows/standalone-scenarios-additional.json +++ b/.github/workflows/standalone-scenarios-additional.json @@ -6,5 +6,9 @@ "consumption_budget/103-consumption-budget-subscription-alerts", "consumption_budget/104-consumption-budget-subscription-vm", "consumption_budget/105-consumption-budget-subscription-aks" + + + // Waiting for support to register arm provider - https://github.com/Azure/caf-terraform-landingzones/pull/238 + "cognitive_services/100-cognitive-services-account" ] } 
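Review bot: The new entry `"cognitive_services/100-cognitive-services-account"` is appended with no comma after the previous element, and the `// Waiting for support ...` line is not valid JSON either, so any consumer that parses this file strictly (a workflow `fromJSON()` matrix, for instance) will fail — and `check-json` was removed from pre-commit earlier in this series, so nothing will flag it. If the scenario is meant to be parked until the linked PR lands, leave it out of the array and keep the explanation in the PR or a `_comment` key rather than a line comment; if it is meant to run, add the comma and drop the comment line. The `standalone-scenarios.json` hunk that follows removes the same scenario, which suggests "parked" is the intent.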
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index f3eedbf6d6..4bf063d8ff 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -14,7 +14,6 @@ "azuread/100-azuread-application-with-sevice-principle-with-builtin-roles", "azuread/101-azuread-application-with-service-principle-with-custom-roles", "azuread/103-service-principal-only", - "cognitive_services/100-cognitive-services-account", "compute/availability_set/100-simple-availabilityset", "compute/availability_set/101-availabilityset-with-proximity-placement-group", "compute/container_groups/101-aci-rover", diff --git a/aks_clusters.tf b/aks_clusters.tf index a4620be948..629472bb1e 100755 --- a/aks_clusters.tf +++ b/aks_clusters.tf 
@@ -15,10 +15,10 @@ module "aks_clusters" { settings = each.value subnets = lookup(each.value, "lz_key", null) == null ? local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].subnets : local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].subnets resource_group = local.resource_groups[each.value.resource_group_key] - private_dns_zone_id = try(local.combined_objects_private_dns[each.value.private_dns_zone.lz_key][each.value.private_dns_zone.key].id, - local.combined_objects_private_dns[local.client_config.landingzone_key][each.value.private_dns_zone.key].id, - null) - managed_identities = local.combined_objects_managed_identities + private_dns_zone_id = try(local.combined_objects_private_dns[each.value.private_dns_zone.lz_key][each.value.private_dns_zone.key].id, + local.combined_objects_private_dns[local.client_config.landingzone_key][each.value.private_dns_zone.key].id, + null) + managed_identities = local.combined_objects_managed_identities admin_group_object_ids = try(each.value.admin_groups.azuread_group_keys, null) == null ? null : try(each.value.admin_groups.ids, [ for group_key in try(each.value.admin_groups.azuread_groups.keys, {}) : local.combined_objects_azuread_groups[local.client_config.landingzone_key][group_key].id diff --git a/examples/ci.sh b/examples/ci.sh index 1297d470e4..8aa8668743 100755 --- a/examples/ci.sh +++ b/examples/ci.sh @@ -7,7 +7,7 @@ parameter_files=$(find ${current_folder} | grep .tfvars | sed 's/.*/-var-file &/ cd ${2} -terraform init +terraform init -upgrade terraform apply \ ${parameter_files} \ diff --git a/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars b/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars index 81bcb4800b..8d98caf1af 100755 --- a/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars +++ b/examples/storage_accounts/104-file-share-with-backup/configuration.tfvars 
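Review bot: `terraform init -upgrade` makes CI select the newest provider release allowed by each `~>` constraint on every run and ignores any previously selected versions, and with `**/.terraform.lock.hcl` git-ignored (see the `.gitignore` hunk earlier in this series) there is no hash-pinned provider set at all, so runs are neither reproducible nor protected against a provider release that changes behaviour between two executions. Prefer committing the lock file and running plain `terraform init` in CI, bumping providers deliberately; if `-upgrade` is needed to move between the 2.70/2.71 pins flipped in this series, say so next to it: `# -upgrade: intentionally floats providers within the required_providers constraints`. The rest of the script is outside the hunk.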
@@ -39,17 +39,19 @@ storage_accounts = { files = { file1 = { name = "fileA" - source = "/tf/caf/examples/storage_accounts/104-file-share-with-backup/fileA" + # source = "/tf/caf/examples/storage_accounts/104-file-share-with-backup/fileA" + # Prefer the relative path for CI + source = "./storage_accounts/104-file-share-with-backup/fileA" } file2 = { - name = "fileB" - source = "/tf/caf/examples/storage_accounts/104-file-share-with-backup/fileB" - path = "testdirectory" + name = "fileB" + source = "./storage_accounts/104-file-share-with-backup/fileB" + path = "testdirectory" } file3 = { - name = "fileC" + name = "fileC" source = "./storage_accounts/104-file-share-with-backup/fileC" - path = "testdirectory" + path = "testdirectory" } } diff --git a/main.tf b/main.tf index 4e37a7bbcf..1f47921eab 100755 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.71.0" + version = "~> 2.70.0" } azuread = { source = "hashicorp/azuread" diff --git a/networking.tf b/networking.tf index b2a1115491..1fb6a522a4 100755 --- a/networking.tf +++ b/networking.tf @@ -21,8 +21,8 @@ output "network_watchers" { module "networking" { depends_on = [module.network_watchers] - source = "./modules/networking/virtual_network" - for_each = local.networking.vnets + source = "./modules/networking/virtual_network" + for_each = local.networking.vnets application_security_groups = local.combined_objects_application_security_groups client_config = local.client_config diff --git a/networking_firewall.tf b/networking_firewall.tf index ac85df0fde..efc915db7e 100755 --- a/networking_firewall.tf +++ b/networking_firewall.tf 
@@ -18,7 +18,7 @@ module "azurerm_firewalls" { public_ip_keys = try(each.value.public_ip_keys, null) resource_group_name = local.resource_groups[each.value.resource_group_key].name settings = each.value - subnet_id = try(module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id,null) + subnet_id = try(module.networking[each.value.vnet_key].subnets["AzureFirewallSubnet"].id, null) tags = try(each.value.tags, null) virtual_hubs = local.combined_objects_virtual_hubs virtual_networks = local.combined_objects_networking diff --git a/networking_virtual_hub_route_table.tf b/networking_virtual_hub_route_table.tf index 49fe08accb..8502c757ce 100644 --- a/networking_virtual_hub_route_table.tf +++ b/networking_virtual_hub_route_table.tf @@ -54,9 +54,9 @@ resource "azurerm_virtual_hub_route_table" "route_table" { } module "azurerm_virtual_hub_route_table" { - depends_on = [azurerm_virtual_hub_route_table.route_table] - source = "./modules/networking/virtual_hub_route_tables" - for_each = local.networking.virtual_hub_route_tables + depends_on = [azurerm_virtual_hub_route_table.route_table] + source = "./modules/networking/virtual_hub_route_tables" + for_each = local.networking.virtual_hub_route_tables client_config = local.client_config name = each.value.name @@ -64,9 +64,9 @@ module "azurerm_virtual_hub_route_table" { remote_objects = { virtual_hub_connections = local.combined_objects_virtual_hub_connections - azurerm_firewalls = local.combined_objects_azurerm_firewalls + azurerm_firewalls = local.combined_objects_azurerm_firewalls } - + virtual_hub = { id = coalesce( try(local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].id, null), diff --git a/roles.tf b/roles.tf index f3c64aa785..9f463c7c63 100755 --- a/roles.tf +++ b/roles.tf 
@@ -16,13 +16,13 @@ module "custom_roles" { resource "azurerm_role_assignment" "for" { for_each = try(local.roles_to_process, {}) - scope = coalesce( + scope = coalesce( try(local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id, null), try(local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id, null) ) role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null role_definition_id = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null - principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : coalesce( + principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : coalesce( try(local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id, null), try(local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id, null) ) @@ -131,12 +131,12 @@ locals { object_id_resource_type = object_id_key object_id_key_resource = object_id_key_resource # "object_id_key_resource" = "aks_admins" object_id_lz_key = try(object_resources.lz_key, null) - } - ] + } + ] ] if role_definition_name != "lz_key" ] ] - ] + ] ] ) : format("%s_%s_%s_%s", mapping.object_id_resource_type, mapping.scope_key_resource, replace(mapping.role_definition_name, " ", "_"), mapping.object_id_key_resource) => mapping } From a2ed21c4b33efbe489e1116948547c1aeb3f7be2 Mon Sep 17 00:00:00 2001 From: lolorol Date: Fri, 13 Aug 2021 02:03:43 +0000 Subject: [PATCH 097/102] Fix role cycle --- roles.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles.tf b/roles.tf index 9f463c7c63..62d209bbc5 100755 --- a/roles.tf +++ b/roles.tf 
@@ -29,7 +29,8 @@ resource "azurerm_role_assignment" "for" { lifecycle { ignore_changes = [ - principal_id + principal_id, + scope ] create_before_destroy = true From 9aa3ce11310a0d2ab61c0e2f7f75b3217fb8ebd0 Mon Sep 17 00:00:00 2001 From: lolorol Date: Fri, 13 Aug 2021 02:50:42 +0000 Subject: [PATCH 098/102] Add directory propagation timeout --- modules/azuread/applications/api_permissions.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/azuread/applications/api_permissions.tf b/modules/azuread/applications/api_permissions.tf index ba320ce201..d05b9c3a9c 100755 --- a/modules/azuread/applications/api_permissions.tf +++ b/modules/azuread/applications/api_permissions.tf @@ -44,9 +44,14 @@ locals { } +resource "time_sleep" "wait_for_directory_propagation" { + depends_on = [azuread_service_principal.app] + + create_duration = "65s" +} resource "null_resource" "grant_admin_consent" { - depends_on = [azuread_service_principal.app] + depends_on = [time_sleep.wait_for_directory_propagation] for_each = { for key, permission in local.api_permissions : key => permission From 7ba2371000c46795b9f86e1f2561cdd1b7fb1c7c Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 13 Aug 2021 03:49:18 +0000 Subject: [PATCH 099/102] Updating relative paths --- README.md | 8 +++----- examples/README.md | 10 +++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index c2e208905f..b0d7cb23b4 100755 --- a/README.md +++ b/README.md 
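Review bot: Adding `scope` to `ignore_changes` on `azurerm_role_assignment.for` means a plan will no longer report or correct an assignment whose scope differs from the one computed earlier in the resource, so the declared scope stops being authoritative for drift detection on an RBAC resource. The hunk gives no hint that this is the trade-off for the cycle named in the commit title, and the `create_before_destroy` below it does not restore the check. Record it inline, e.g. `scope # ignored to break the role/scope dependency cycle; a scope change needs an explicit replace (terraform taint or -replace=)`, so the limitation is visible to whoever audits assignments. The resource block begins outside the hunk.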
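Review bot: `time_sleep.wait_for_directory_propagation` introduces the `hashicorp/time` provider, and the hunk does not show it declared in the module's `required_providers`; check that it is, otherwise `terraform init` fails for consumers of this module. `create_duration = "65s"` is a fixed wait standing in for a consistency check, so a slower directory propagation still reaches `null_resource.grant_admin_consent` too early and the outcome is a failed consent grant rather than a retry. Document the choice on the resource, e.g. `# directory replication is eventually consistent; fixed wait before granting admin consent (value presumably chosen empirically — adjust if the grant step fails)`. The `null_resource` block continues outside the hunk.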
@@ -22,18 +22,16 @@ module "caf" { } ``` -Fill the variables as needed and documented, there is a [quick example here](./examples/standalone.md). +Fill the variables as needed and documented, there is a [quick example here](https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples/standalone.md). -For a complete set of examples you can review the [full library here](./examples). +For a complete set of examples you can review the [full library here](https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples).

## Community -Feel free to open an issue for feature or bug, or to submit a PR, [please review the module contribution and conventions guidelines](./documentation/conventions.md) - -[Please check out the WIKI for coding standards, common patterns and PR checklist.](https://github.com/aztfmod/terraform-azurerm-caf/wiki) +Feel free to open an issue for feature or bug, or to submit a PR, [Please check out the WIKI for coding standards, common patterns and PR checklist.](https://github.com/aztfmod/terraform-azurerm-caf/wiki) In case you have any question, you can reach out to tf-landingzones at microsoft dot com. diff --git a/examples/README.md b/examples/README.md index 8c12d67c34..bd5254b4cb 100755 --- a/examples/README.md +++ b/examples/README.md @@ -9,7 +9,7 @@ You can instantiate this module directly using the following syntax: ```hcl module "caf" { source = "aztfmod/caf/azurerm" - version = "5.3.11" + version = "5.4.2" # insert the 7 required variables here } ``` @@ -21,7 +21,7 @@ A minimal example could be: ```hcl module "caf" { source = "aztfmod/caf/azurerm" - version = "5.3.11" + version = "5.4.2" global_settings = var.global_settings resource_groups = var.resource_groups @@ -42,7 +42,7 @@ You can [find here a minimal example](./standalone.md) ### Run all the examples in this library -The current folder contains an example of module with the whole features set of the module, to run all the examples in the subfolders. You can leverage it the following way: +The current folder contains an example of module with the whole features set of the module, to run all the examples in the subfolders. You can leverage it the following way: ```bash cd /tf/caf/examples 
@@ -68,9 +68,9 @@ rover login --tenant .onmicrosoft.com -s ### 2. Deploy the basic launchpad ```bash -rover -lz /tf/caf/public/landingzones/caf_launchpad \ +rover -lz /tf/caf/landingzones/caf_launchpad \ -launchpad \ --var-folder /tf/caf/public/landingzones/caf_launchpad/scenario/100 \ +-var-folder /tf/caf/landingzones/caf_launchpad/scenario/100 \ -a apply ``` From 659cad2d3a9116d0a6e57e379be4e11f91e1ebfa Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 13 Aug 2021 04:28:47 +0000 Subject: [PATCH 100/102] Update URL --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index b0d7cb23b4..aee5c742ad 100755 --- a/README.md +++ b/README.md @@ -26,8 +26,7 @@ Fill the variables as needed and documented, there is a [quick example here](htt For a complete set of examples you can review the [full library here](https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples). -

- +

## Community From bf348d06d778e980cd4078d5c78c1e11a072995b Mon Sep 17 00:00:00 2001 From: lolorol Date: Fri, 13 Aug 2021 06:21:00 +0000 Subject: [PATCH 101/102] Update with 2108 version of the rover --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/master-standalone-tf100-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf100.yaml | 4 ++-- .github/workflows/master-standalone-tf14-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf14.yaml | 4 ++-- .github/workflows/master-standalone-tf15-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf15.yaml | 4 ++-- rover_on_ssh_host.yml | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index f757ef3ccb..9a3cfa2738 100755 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover-preview:1.0.3-2107.220222 + image: aztfmod/rover:1.0.4-2108.1305 user: vscode labels: diff --git a/.github/workflows/master-standalone-tf100-longrunners.yaml b/.github/workflows/master-standalone-tf100-longrunners.yaml index 2f1329215c..0cc51111f0 100755 --- a/.github/workflows/master-standalone-tf100-longrunners.yaml +++ b/.github/workflows/master-standalone-tf100-longrunners.yaml @@ -32,7 +32,7 @@ jobs: ] container: - image: aztfmod/rover:1.0.1-2106.3012 + image: aztfmod/rover:1.0.4-2108.1305 options: --user 0 steps: @@ -57,7 +57,7 @@ jobs: needs: examples container: - image: aztfmod/rover:1.0.1-2106.3012 + image: aztfmod/rover:1.0.4-2108.1305 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index 49c415ce39..d79366fba6 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml 
@@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.0.1-2106.3012 + image: aztfmod/rover:1.0.4-2108.1305 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover:1.0.1-2106.3012 + image: aztfmod/rover:1.0.4-2108.1305 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf14-longrunners.yaml b/.github/workflows/master-standalone-tf14-longrunners.yaml index 45763b2fa0..7475c0c6fc 100755 --- a/.github/workflows/master-standalone-tf14-longrunners.yaml +++ b/.github/workflows/master-standalone-tf14-longrunners.yaml @@ -32,7 +32,7 @@ jobs: ] container: - image: aztfmod/rover:0.14.11-2106.3012 + image: aztfmod/rover:0.14.11-2108.1305 options: --user 0 steps: @@ -57,7 +57,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.14.11-2106.3007 + image: aztfmod/rover:0.14.11-2108.1305 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf14.yaml b/.github/workflows/master-standalone-tf14.yaml index 1b61c5c9fb..993b92a51f 100755 --- a/.github/workflows/master-standalone-tf14.yaml +++ b/.github/workflows/master-standalone-tf14.yaml @@ -41,7 +41,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:0.14.11-2106.3012 + image: aztfmod/rover:0.14.11-2108.1305 options: --user 0 steps: @@ -66,7 +66,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.14.11-2106.3012 + image: aztfmod/rover:0.14.11-2108.1305 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf15-longrunners.yaml b/.github/workflows/master-standalone-tf15-longrunners.yaml index ae190b12b7..ca8334bfc7 100755 --- a/.github/workflows/master-standalone-tf15-longrunners.yaml +++ b/.github/workflows/master-standalone-tf15-longrunners.yaml @@ -32,7 +32,7 @@ jobs: ] container: - image: aztfmod/rover:0.15.5-2106.3012 + image: aztfmod/rover:0.15.5-2108.1305 options: --user 0 steps: 
@@ -57,7 +57,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.15.5-2106.3012 + image: aztfmod/rover:0.15.5-2108.1305 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf15.yaml b/.github/workflows/master-standalone-tf15.yaml index ef42f97d08..f31ac0a4af 100755 --- a/.github/workflows/master-standalone-tf15.yaml +++ b/.github/workflows/master-standalone-tf15.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:0.15.5-2106.3012 + image: aztfmod/rover:0.15.5-2108.1305 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.15.5-2106.3012 + image: aztfmod/rover:0.15.5-2108.1305 options: --user 0 steps: diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index d3ac97ea26..db596dd57a 100644 --- a/rover_on_ssh_host.yml +++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.0.1-2106.3012 + image: aztfmod/rover:1.0.4-2108.1305 user: vscode From 4e933be3b9aa42a719158f53b2ca82dd9a7f964e Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 13 Aug 2021 06:25:47 +0000 Subject: [PATCH 102/102] Adding daily CI for master --- .github/workflows/master-standalone-tf100.yaml | 2 +- .github/workflows/master-standalone-tf14.yaml | 2 +- .github/workflows/master-standalone-tf15.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index d79366fba6..46dc89cae9 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml @@ -8,7 +8,7 @@ name: standalone-scenario-tf100 on: workflow_dispatch: schedule: - - cron: '0 0 * * 0' #1 AM on Sunday + - cron: '0 0 * * *' #1 AM on Sunday env: TF_CLI_ARGS: '-no-color' 
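Review bot: The schedule in master-standalone-tf100.yaml changes to `'0 0 * * *'` (every day) but the trailing comment `#1 AM on Sunday` is left untouched, so the line now documents a schedule that no longer exists; the same stale comment survives in the tf14 and tf15 hunks that follow (`'0 5 * * *'` and `'0 2 * * *'`). GitHub Actions evaluates cron in UTC, so the wording should be along the lines of `- cron: '0 0 * * *' # daily at 00:00 UTC`, with the matching hour in the other two workflows.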
diff --git a/.github/workflows/master-standalone-tf14.yaml b/.github/workflows/master-standalone-tf14.yaml
index 993b92a51f..faa646e61a 100755
--- a/.github/workflows/master-standalone-tf14.yaml
+++ b/.github/workflows/master-standalone-tf14.yaml
@@ -7,7 +7,7 @@ name: standalone-scenario-tf14
 on:
 schedule:
- - cron: '0 5 * * 0' #1 AM on Sunday
+ - cron: '0 5 * * *' #1 AM on Sunday
 env:
 TF_CLI_ARGS: '-no-color'
diff --git a/.github/workflows/master-standalone-tf15.yaml b/.github/workflows/master-standalone-tf15.yaml
index f31ac0a4af..35838321f9 100755
--- a/.github/workflows/master-standalone-tf15.yaml
+++ b/.github/workflows/master-standalone-tf15.yaml
@@ -8,7 +8,7 @@ name: standalone-scenario-tf15
 on:
 workflow_dispatch:
 schedule:
- - cron: '0 2 * * 0' #1 AM on Sunday
+ - cron: '0 2 * * *' #1 AM on Sunday
 env:
 TF_CLI_ARGS: '-no-color'