Merge pull request #687 from aztfmod/patch.5.4.4

Integration 5.4.4

.devcontainer/docker-compose.yml

@@ -6,7 +6,7 @@
   version: '3.7'
   services:
     rover:
-      image: aztfmod/rover:1.0.4-2108.1802
+      image: aztfmod/rover:1.0.7-2109.2410
       user: vscode
 
       labels:

.github/workflows/master-standalone-tf100-longrunners.yaml

@@ -42,7 +42,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:1.0.4-2108.1802
+      image: aztfmod/rover:1.0.7-2109.2410
       options: --user 0
 
     steps:
@@ -67,7 +67,7 @@ jobs:
     needs: examples
 
     container:
-      image: aztfmod/rover:1.0.4-2108.1802
+      image: aztfmod/rover:1.0.7-2109.2410
       options: --user 0
 
     steps:

.github/workflows/master-standalone-tf100.yaml

@@ -42,7 +42,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:1.0.4-2108.1802
+      image: aztfmod/rover:1.0.7-2109.2410
       options: --user 0
 
     steps:
@@ -67,7 +67,7 @@ jobs:
     needs: examples
 
     container:
-      image: aztfmod/rover:1.0.4-2108.1802
+      image: aztfmod/rover:1.0.7-2109.2410
       options: --user 0
 
     steps:

.github/workflows/master-standalone-tf14-longrunners.yaml

@@ -31,7 +31,7 @@ jobs:
           cases=$((
             cat ./.github/workflows/standalone-scenarios.json) | jq -c .)
           echo "::set-output name=matrix::${cases}"
-          
+
   examples:
     name: examples
     runs-on: ubuntu-latest
@@ -41,7 +41,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:0.14.11-2108.1802
+      image: aztfmod/rover:0.14.11-2109.2410
       options: --user 0
 
     steps:
@@ -66,7 +66,7 @@ jobs:
     needs: examples
 
     container:
-      image: aztfmod/rover:0.14.11-2108.1802
+      image: aztfmod/rover:0.14.11-2109.2410
       options: --user 0
 
     steps:

.github/workflows/master-standalone-tf14.yaml

@@ -42,7 +42,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:0.14.11-2108.1802
+      image: aztfmod/rover:0.14.11-2109.2410
       options: --user 0
 
     steps:
@@ -67,7 +67,7 @@ jobs:
     needs: examples
 
     container:
-      image: aztfmod/rover:0.14.11-2108.1802
+      image: aztfmod/rover:0.14.11-2109.2410
       options: --user 0
 
     steps:

.github/workflows/master-standalone-tf15-longrunners.yaml

@@ -41,7 +41,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:0.15.5-2108.1802
+      image: aztfmod/rover:0.15.5-2109.2410
       options: --user 0
 
     steps:
@@ -66,7 +66,7 @@ jobs:
     needs: examples
 
     container:
-      image: aztfmod/rover:0.15.5-2108.1802
+      image: aztfmod/rover:0.15.5-2109.2410
       options: --user 0
 
     steps:

.github/workflows/master-standalone-tf15.yaml

@@ -42,7 +42,7 @@ jobs:
       matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}}
 
     container:
-      image: aztfmod/rover:0.15.5-2108.1802
+      image: aztfmod/rover:0.15.5-2109.2410
       options: --user 0
 
     steps:
@@ -67,7 +67,7 @@ jobs:
     needs: examples
 
     container:
-      image: aztfmod/rover:0.15.5-2108.1802
+      image: aztfmod/rover:0.15.5-2109.2410
       options: --user 0
 
     steps:

.github/workflows/standalone-scenarios-additional.json

@@ -1,12 +1,12 @@
 {
   "config_files": [
+
     "consumption_budget/100-consumption-budget-rg",
     "consumption_budget/101-consumption-budget-subscription",
     "consumption_budget/102-consumption-budget-rg-alerts",
     "consumption_budget/103-consumption-budget-subscription-alerts",
     "consumption_budget/104-consumption-budget-subscription-vm",
-    "consumption_budget/105-consumption-budget-subscription-aks"
-
+    "consumption_budget/105-consumption-budget-subscription-aks",
 
     // Waiting for support to register arm provider - https://github.com/Azure/caf-terraform-landingzones/pull/238
     "cognitive_services/100-cognitive-services-account"
@@ -22,8 +22,8 @@
     "networking/virtual_wan/103-vwan-hub-gw",
     "networking/virtual_wan/104-vwan-hub-gw-spp",
     "networking/virtual_wan/105-vwan-hub-route-table",
-    "networking/virtual_wan/106-vwan-hub-routes", 
-    
+    "networking/virtual_wan/106-vwan-hub-routes",
+
     "mssql_mi/200-mi-two-regions",
 
     "compute/vmware_cluster/102-vmware_express_route_authorization"

.github/workflows/standalone-scenarios.json

@@ -15,6 +15,7 @@
     "azuread/100-azuread-application-with-sevice-principle-with-builtin-roles",
     "azuread/101-azuread-application-with-service-principle-with-custom-roles",
     "azuread/103-service-principal-only",
+    "azuread/104-azuread-group-membership",
     "compute/availability_set/100-simple-availabilityset",
     "compute/availability_set/101-availabilityset-with-proximity-placement-group",
     "compute/container_groups/101-aci-rover",
@@ -33,6 +34,7 @@
     "compute/virtual_machine/102-single-vm-data-disks",
     "compute/virtual_machine/104-single-windows-backup",
     "compute/virtual_machine/106-marketplace-image-with-plan",
+    "compute/virtual_machine/108-mssql-vm",
     "compute/virtual_machine/210-vm-bastion-winrm",
     "compute/virtual_machine/211-vm-bastion-winrm-agents",
     "compute/virtual_machine_scale_set/100-linux-win-vmss-lb",
@@ -103,6 +105,7 @@
     "networking/load_balancers/104-load-balancer-diagnostics",
     "networking/nat_gateways/100-nat-gateways-with-public-ip",
     "networking/private_dns/100-private-dns-vnet-links",
+    "networking/private_dns_vnet_link/100_pvtdns_vnetlink",
     "networking/private_links/endpoints/centralized",
     "networking/virtual_network_gateway/100-expressroute-gateway",
     "networking/virtual_network_gateway/101-vpn-site-to-site",
@@ -134,6 +137,7 @@
     "storage_accounts/104-file-share-with-backup",
     "storage_accounts/105-nfsv3",
     "storage_accounts/106-storage-account-queue",
+    "storage_accounts/107-storage-account-management-policy",
     "synapse_analytics/100-synapse",
     "synapse_analytics/101-synapse-sparkpool",
     "webapps/appservice/101-appservice-simple",

UPGRADE.md

@@ -1,6 +1,10 @@
 # Upgrade notes
 
-When ugrading to a newer version of the CAF module, some configuration structures must be updated before applying the modifications.
+When upgrading to a newer version of the CAF module, some configuration structures must be updated before applying the modifications.
+
+## 5.4.4
+
+Due to a regression in the Terraform provider >2.78, this update is not capable of cross-tenant, cross-subscriptions peering between vhub and vwans. This is available in 5.4.3 and will be fixed in 5.5.0.
 
 ## 5.4.0
 
@@ -85,4 +89,4 @@ admin_user_key = "vm-win-admin-username"
 by
 ```hcl
 admin_username_key = "vm-win-admin-username"
-```
+```

azuread_groups.tf

@@ -10,6 +10,7 @@ module "azuread_groups" {
   global_settings = local.global_settings
   azuread_groups  = each.value
   tenant_id       = local.client_config.tenant_id
+  client_config   = local.client_config
 }
 
 output "azuread_groups" {
@@ -38,4 +39,5 @@ module "azuread_groups_membership" {
   settings                   = each.value
   group_id                   = local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.key].id
   azuread_service_principals = local.combined_objects_azuread_service_principals
+  managed_identities         = local.combined_objects_managed_identities
 }

container_registry.tf

@@ -19,6 +19,8 @@ module "container_registry" {
   resource_groups     = local.resource_groups
   base_tags           = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {}
   private_dns         = local.combined_objects_private_dns
+
+  public_network_access_enabled = try(each.value.public_network_access_enabled, "true")
 }
 
 output "azure_container_registries" {

examples/README.md

@@ -48,9 +48,9 @@ The current folder contains an example of module with the whole features set of
 cd /tf/caf/examples
 az login
 terraform init
-terraform plan -var-file <path to your variable files>
-terraform apply
-terraform destroy
+terraform plan -var-file <path to your variable file>
+terraform apply -var-file <path to your variable file>
+terraform destroy -var-file <path to your variable file>
 ```
 
 ## Deploying examples within a landing zone

examples/app_gateway/301-agw-v1/certificates.tfvars

@@ -10,17 +10,17 @@ keyvault_certificates = {
     validity_in_months = 12
 
     subject_alternative_names = {
-      #  A list of alternative DNS names (FQDNs) identified by the Certificate. 
+      #  A list of alternative DNS names (FQDNs) identified by the Certificate.
       # Changing this forces a new resource to be created.
       dns_names = [
         "demoapp1.cafsandpit.com"
       ]
 
-      # A list of email addresses identified by this Certificate. 
+      # A list of email addresses identified by this Certificate.
       # Changing this forces a new resource to be created.
       # emails = []
 
-      # A list of User Principal Names identified by the Certificate. 
+      # A list of User Principal Names identified by the Certificate.
       # Changing this forces a new resource to be created.
       # upns = []
     }
@@ -29,49 +29,49 @@ keyvault_certificates = {
       type = "SelfSigned"
     }
 
-    # Possible values include Self (for self-signed certificate), 
-    # or Unknown (for a certificate issuing authority like Let's Encrypt 
-    # and Azure direct supported ones). 
+    # Possible values include Self (for self-signed certificate),
+    # or Unknown (for a certificate issuing authority like Let's Encrypt
+    # and Azure direct supported ones).
     # Changing this forces a new resource to be created
     issuer_parameters = "Self"
 
     exportable = true
 
-    # Possible values include 2048 and 4096. 
+    # Possible values include 2048 and 4096.
     # Changing this forces a new resource to be created.
     key_size  = 4096
     key_type  = "RSA"
     reuse_key = true
 
-    # The Type of action to be performed when the lifetime trigger is triggered. 
-    # Possible values include AutoRenew and EmailContacts. 
+    # The Type of action to be performed when the lifetime trigger is triggered.
+    # Possible values include AutoRenew and EmailContacts.
     # Changing this forces a new resource to be created.
     action_type = "AutoRenew"
 
-    # The number of days before the Certificate expires that the action 
-    # associated with this Trigger should run. 
-    # Changing this forces a new resource to be created. 
+    # The number of days before the Certificate expires that the action
+    # associated with this Trigger should run.
+    # Changing this forces a new resource to be created.
     # Conflicts with lifetime_percentage
     days_before_expiry = 30
 
 
-    # The percentage at which during the Certificates Lifetime the action 
-    # associated with this Trigger should run. 
-    # Changing this forces a new resource to be created. 
+    # The percentage at which during the Certificates Lifetime the action
+    # associated with this Trigger should run.
+    # Changing this forces a new resource to be created.
     # Conflicts with days_before_expiry
     # lifetime_percentage = 90
 
-    # The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX 
-    # or application/x-pem-file for a PEM. 
+    # The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX
+    # or application/x-pem-file for a PEM.
     # Changing this forces a new resource to be created.
     content_type = "application/x-pkcs12"
 
-    # A list of uses associated with this Key. 
-    # Possible values include 
-    # cRLSign, dataEncipherment, decipherOnly, 
-    # digitalSignature, encipherOnly, keyAgreement, keyCertSign, 
-    # keyEncipherment and nonRepudiation 
-    # and are case-sensitive. 
+    # A list of uses associated with this Key.
+    # Possible values include
+    # cRLSign, dataEncipherment, decipherOnly,
+    # digitalSignature, encipherOnly, keyAgreement, keyCertSign,
+    # keyEncipherment and nonRepudiation
+    # and are case-sensitive.
     # Changing this forces a new resource to be created
     key_usage = [
       "cRLSign",

examples/azuread/103-service-principal-only/configuration.tfvars

@@ -31,8 +31,8 @@ keyvaults = {
 keyvault_access_policies_azuread_apps = {
   test_client = {
     test_client = {
-      azuread_app_key    = "test_client"
-      secret_permissions = ["Set", "Get", "List", "Delete"]
+      azuread_application_key = "test_client"
+      secret_permissions      = ["Set", "Get", "List", "Delete"]
     }
   }
 }

examples/azuread/104-azuread-group-membership/configuration.tfvars

@@ -0,0 +1,54 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+  random_length = 5
+}
+
+resource_groups = {
+  rg1 = {
+    name = "example-msi-rg"
+  }
+}
+
+
+managed_identities = {
+  msi1 = {
+    name               = "example-msi1"
+    resource_group_key = "rg1"
+  }
+}
+
+azuread_groups = {
+  ad_group1 = {
+    name        = "example-group1"
+    description = "Provide read and write access"
+    members = {
+      user_principal_names = []
+      group_names          = []
+      object_ids           = []
+      group_keys           = []
+
+      service_principal_keys = []
+
+    }
+    owners = {
+      user_principal_names = []
+    }
+    prevent_duplicate_name = false
+  }
+}
+
+
+azuread_groups_membership = {
+  ad_group1 = { # ad group key
+    # lz_key = "" # lz_key for ad group
+    managed_identities = {
+      launchpad = {
+        # lz_key = ""
+        keys = ["msi1"]
+      }
+    }
+  }
+}