From fe310946daaf3ed401a013079c38bdf2f4d4940e Mon Sep 17 00:00:00 2001
From: Sean Lok
Date: Tue, 17 Aug 2021 05:13:25 +0000
Subject: [PATCH 01/91] Support remote rg lz referrencing
---
 storage_accounts.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/storage_accounts.tf b/storage_accounts.tf
index 89f6f37066..02a9dd0a1a 100755
--- a/storage_accounts.tf
+++ b/storage_accounts.tf
@@ -6,13 +6,13 @@ module "storage_accounts" { global_settings = local.global_settings client_config = local.client_config storage_account = each.value - resource_group_name = local.resource_groups[each.value.resource_group_key].name - location = lookup(each.value, "region", null) == null ? local.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region] + resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name + location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] vnets = local.combined_objects_networking private_endpoints = try(each.value.private_endpoints, {}) resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups recovery_vaults = local.combined_objects_recovery_vaults - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} private_dns = local.combined_objects_private_dns } From 6fad5cfd778a082a2faf4c036d0c6edb8077c6ac Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Tue, 17 Aug 2021 09:33:28 +0000 Subject: [PATCH 02/91] Support remote rg lz for msi --- managed_identities.tf | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/managed_identities.tf b/managed_identities.tf index bff4b1ec9a..73a0638d9c 100755 --- a/managed_identities.tf 
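Review bot: The index expression `local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)]` is now spelled out three times on the new `resource_group_name`, `location` and `base_tags` lines; a single local holding the resolved resource group (e.g. `resource_group = local.combined_objects_resource_groups[...][...]` computed once per account) would keep the three in step the next time the lookup rule changes. The precedence it encodes (`resource_group.key` wins over `resource_group_key`, `resource_group.lz_key` over the current landing zone) is not stated anywhere; a one-line comment above `resource_group_name` saying so would help readers of the examples. The unchanged context line `resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups` still passes only the local landing zone's resource groups, so private endpoints for an account whose resource group lives in a remote landing zone may not resolve — worth confirming against the module. The `module "storage_accounts"` block starts before this hunk.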
+++ b/managed_identities.tf @@ -1,16 +1,15 @@ - module "managed_identities" { source = "./modules/security/managed_identity" for_each = var.managed_identities - client_config = local.client_config - global_settings = local.global_settings - name = each.value.name - resource_groups = local.combined_objects_resource_groups - settings = each.value + name = each.value.name + resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name + location = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + global_settings = local.global_settings + settings = each.value + base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} } output "managed_identities" { value = module.managed_identities - -} +} \ No newline at end of file From 6b0a073e4022c7dc6e149e886921de46d3719638 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Tue, 17 Aug 2021 09:41:43 +0000 Subject: [PATCH 03/91] revert changes and add example --- .../configuration.tfvars | 6 ++++++ managed_identities.tf | 15 ++++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars b/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars index e1a04f7743..1078479385 100644 --- a/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars +++ b/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars 
@@ -20,6 +20,12 @@ resource_groups = { storage_accounts = { sa1 = { name = "sa1dev" + # This option is to enable remote RG reference + # resource_group = { + # lz_key = "" + # key = "" + # } + resource_group_key = "test" # Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2 account_kind = "BlobStorage" diff --git a/managed_identities.tf b/managed_identities.tf index 73a0638d9c..bff4b1ec9a 100755 --- a/managed_identities.tf +++ b/managed_identities.tf @@ -1,15 +1,16 @@ + module "managed_identities" { source = "./modules/security/managed_identity" for_each = var.managed_identities - name = each.value.name - resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name - location = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location - global_settings = local.global_settings - settings = each.value - base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} + client_config = local.client_config + global_settings = local.global_settings + name = each.value.name + resource_groups = local.combined_objects_resource_groups + settings = each.value } output "managed_identities" { value = module.managed_identities -} \ No newline at end of file + +} From 5d5e686465adfef45d058e17f706846843e6fa91 Mon Sep 17 00:00:00 2001 
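Review bot: The added comment `# This option is to enable remote RG reference` does not say how `resource_group` interacts with the `resource_group_key` that follows it, and the commented block uses empty strings as placeholders, which read as valid values. From the lookup in storage_accounts.tf, `resource_group.key` takes precedence over `resource_group_key` and `resource_group.lz_key` over the current landing zone, so I would word it `# Optional: reference a resource group from another landing zone; when set, resource_group.key takes precedence over resource_group_key` and use `lz_key = "<remote landing zone key>"` / `key = "<resource group key in that landing zone>"` as the placeholder values.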
From: Swetha Sundar Date: Sun, 22 Aug 2021 11:38:23 +0000 Subject: [PATCH 04/91] Add a new sub-module for PrivateDNSZone Virtual Network Link --- locals.tf | 1 + .../networking/private_dns_vnet_link/main.tf | 15 ++++++++++ .../private_dns_vnet_link/module.tf | 28 +++++++++++++++++ .../private_dns_vnet_link/output.tf | 3 ++ .../private_dns_vnet_link/variables.tf | 30 +++++++++++++++++++ networking_private_dns.tf | 21 +++++++++++++ 6 files changed, 98 insertions(+) create mode 100644 modules/networking/private_dns_vnet_link/main.tf create mode 100644 modules/networking/private_dns_vnet_link/module.tf create mode 100755 modules/networking/private_dns_vnet_link/output.tf create mode 100755 modules/networking/private_dns_vnet_link/variables.tf diff --git a/locals.tf b/locals.tf index 71fc628cfe..82ba3797ec 100755 --- a/locals.tf +++ b/locals.tf @@ -210,6 +210,7 @@ locals { network_security_group_definition = try(var.networking.network_security_group_definition, {}) network_watchers = try(var.networking.network_watchers, {}) private_dns = try(var.networking.private_dns, {}) + private_dns_vnet_link = try(var.networking.private_dns_vnet_link, {}) public_ip_addresses = try(var.networking.public_ip_addresses, {}) route_tables = try(var.networking.route_tables, {}) vhub_peerings = try(var.networking.vhub_peerings, {}) diff --git a/modules/networking/private_dns_vnet_link/main.tf b/modules/networking/private_dns_vnet_link/main.tf new file mode 100644 index 0000000000..b33020ad7e --- /dev/null +++ b/modules/networking/private_dns_vnet_link/main.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } + required_version = ">= 0.13" +} + +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = merge(var.base_tags, local.module_tag, var.tags) +} 
diff --git a/modules/networking/private_dns_vnet_link/module.tf b/modules/networking/private_dns_vnet_link/module.tf new file mode 100644 index 0000000000..2b05460586 --- /dev/null +++ b/modules/networking/private_dns_vnet_link/module.tf @@ -0,0 +1,28 @@ +resource "azurecaf_name" "pnetlk" { + for_each = var.settings.private_dns_zones + + name = each.value.name + resource_type = "azurerm_private_dns_zone_virtual_network_link" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnet_links" { + for_each = var.settings.private_dns_zones + + name = azurecaf_name.pnetlk[each.key].result + resource_group_name = coalesce( + try(var.private_dns[each.value.lz_key][each.value.key].resource_group_name, null), + try(var.private_dns[var.client_config.landingzone_key][each.value.key].resource_group_name, null) + ) + private_dns_zone_name = coalesce( + try(var.private_dns[each.value.lz_key][each.value.key].name, null), + try(var.private_dns[var.client_config.landingzone_key][each.value.key].name, null) + ) + virtual_network_id = var.virtual_network_id + registration_enabled = try(each.value.registration_enabled, false) + tags = merge(var.base_tags, local.module_tag, try(each.value.tags, null)) +} \ No newline at end of file diff --git a/modules/networking/private_dns_vnet_link/output.tf b/modules/networking/private_dns_vnet_link/output.tf new file mode 100755 index 0000000000..27e5c82b01 --- /dev/null +++ b/modules/networking/private_dns_vnet_link/output.tf @@ -0,0 +1,3 @@ +output "ids" { + value = azurerm_private_dns_zone_virtual_network_link.vnet_links.* +} \ No newline at end of file diff --git a/modules/networking/private_dns_vnet_link/variables.tf b/modules/networking/private_dns_vnet_link/variables.tf new file mode 100755 index 0000000000..24fa474429 
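Review bot: `local.tags` is computed in main.tf as `merge(var.base_tags, local.module_tag, var.tags)` but never used; the `tags` argument on `vnet_links` merges `var.base_tags` and `local.module_tag` directly, so the module-level `var.tags` input (declared in variables.tf with `default = {}`) is silently dropped. Change the last line to `tags = merge(local.tags, try(each.value.tags, null))`. Separately, both `coalesce(try(var.private_dns[each.value.lz_key][each.value.key]…), try(var.private_dns[var.client_config.landingzone_key][each.value.key]…))` expressions fall back to the local landing zone whenever the remote lookup fails, so a mistyped or stale `lz_key` silently links the network to the local zone with the same key instead of raising an error; indexing once with `var.private_dns[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.key]` keeps the misconfiguration visible. The `virtual_network_id` coalesce added to networking_private_dns.tf in PATCH 06 has the same shape and the same consequence.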
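Review bot: The output is named `ids` but `azurerm_private_dns_zone_virtual_network_link.vnet_links.*` yields the resource objects, not their ids, and because `vnet_links` uses `for_each` it is a map rather than a list, so the legacy `.*` splat is not the right accessor here (I would expect either an error or the full objects, not a list of ids — please confirm on a plan). Suggest `value = { for k, v in azurerm_private_dns_zone_virtual_network_link.vnet_links : k => v.id }`, or rename the output if the whole objects are what the root module consumes.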
--- /dev/null +++ b/modules/networking/private_dns_vnet_link/variables.tf @@ -0,0 +1,30 @@ +variable "global_settings" { + description = "Global settings object (see module README.md)" +} +variable "client_config" { + description = "Client configuration object (see module README.md)." +} +variable "name" { + description = "Name of the Virtual Network Link" +} + +variable "resource_group_name" { + description = "Resource Group Name" +} + +variable "vnet_links" { + default = {} +} + +variable "vnets" { + default = {} +} + +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = map(any) +} + +variable "tags" { + default = {} +} \ No newline at end of file diff --git a/networking_private_dns.tf b/networking_private_dns.tf index d5ab401828..c74f41b5de 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf @@ -17,4 +17,25 @@ module "private_dns" { output "private_dns" { value = module.private_dns +} + +# +# Create vnet links on remote DNS zones +# + +module "private_dns_vnet_link" { + source = "./modules/networking/private_dns_vnet_link" + for_each = try(local.networking.private_dns_vnet_link, {}) + depends = [module.private_dns] + + base_tags = {} + global_settings = local.global_settings + client_config = local.client_config + virtual_network_id = local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].id + private_dns = local.combined_objects_private_dns + settings = each.value +} + +output "private_dns_vnet_link" { + value = module.private_dns_vnet_link } \ No newline at end of file From ac0acd0ab5db52294bcde7a07b05da3d829eb5f1 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Sun, 22 Aug 2021 12:53:00 +0000 Subject: [PATCH 05/91] Add missing variable --- modules/networking/private_dns_vnet_link/variables.tf | 3 +++ 1 file changed, 3 insertions(+) 
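Review bot: `depends = [module.private_dns]` is not a Terraform meta-argument — the module meta-argument is `depends_on` — and since the module declares no `depends` variable in its variables.tf, Terraform will reject it as an unexpected argument on the `module "private_dns_vnet_link"` block. Change it to `depends_on = [module.private_dns]` (the module's main.tf already requires `>= 0.13`, where `depends_on` is allowed on modules). The same line survives unchanged as context in the PATCH 06 hunk to this file. Minor: `base_tags = {}` is hard-coded, so `global_settings.inherit_tags` is not honoured for these links unlike the other root modules on this page; a comment saying that is deliberate, or the usual `inherit_tags` conditional, would avoid the question later.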
diff --git a/modules/networking/private_dns_vnet_link/variables.tf b/modules/networking/private_dns_vnet_link/variables.tf index 24fa474429..74fc3862f0 100755 --- a/modules/networking/private_dns_vnet_link/variables.tf +++ b/modules/networking/private_dns_vnet_link/variables.tf @@ -12,6 +12,9 @@ variable "resource_group_name" { description = "Resource Group Name" } +variable "records" { +} + variable "vnet_links" { default = {} } From 5c1b4f90b6338a0ecb5e77ee522fb6d65ff62c72 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Sun, 22 Aug 2021 15:12:30 +0000 Subject: [PATCH 06/91] Add support for remote vnet key --- .../private_dns_vnet_link/module.tf | 22 +++++++++---------- .../private_dns_vnet_link/variables.tf | 16 +++----------- networking_private_dns.tf | 15 ++++++++----- 3 files changed, 23 insertions(+), 30 deletions(-) diff --git a/modules/networking/private_dns_vnet_link/module.tf b/modules/networking/private_dns_vnet_link/module.tf index 2b05460586..afd0ec0f47 100644 --- a/modules/networking/private_dns_vnet_link/module.tf +++ b/modules/networking/private_dns_vnet_link/module.tf 
@@ -13,16 +13,16 @@ resource "azurecaf_name" "pnetlk" { resource "azurerm_private_dns_zone_virtual_network_link" "vnet_links" { for_each = var.settings.private_dns_zones - name = azurecaf_name.pnetlk[each.key].result - resource_group_name = coalesce( - try(var.private_dns[each.value.lz_key][each.value.key].resource_group_name, null), - try(var.private_dns[var.client_config.landingzone_key][each.value.key].resource_group_name, null) - ) + name = azurecaf_name.pnetlk[each.key].result + resource_group_name = coalesce( + try(var.private_dns[each.value.lz_key][each.value.key].resource_group_name, null), + try(var.private_dns[var.client_config.landingzone_key][each.value.key].resource_group_name, null) + ) private_dns_zone_name = coalesce( - try(var.private_dns[each.value.lz_key][each.value.key].name, null), - try(var.private_dns[var.client_config.landingzone_key][each.value.key].name, null) - ) - virtual_network_id = var.virtual_network_id - registration_enabled = try(each.value.registration_enabled, false) - tags = merge(var.base_tags, local.module_tag, try(each.value.tags, null)) + try(var.private_dns[each.value.lz_key][each.value.key].name, null), + try(var.private_dns[var.client_config.landingzone_key][each.value.key].name, null) + ) + virtual_network_id = var.virtual_network_id + registration_enabled = try(each.value.registration_enabled, false) + tags = merge(var.base_tags, local.module_tag, try(each.value.tags, null)) } \ No newline at end of file diff --git a/modules/networking/private_dns_vnet_link/variables.tf b/modules/networking/private_dns_vnet_link/variables.tf index 74fc3862f0..c8a6ee6d65 100755 --- a/modules/networking/private_dns_vnet_link/variables.tf +++ b/modules/networking/private_dns_vnet_link/variables.tf 
@@ -4,30 +4,20 @@ variable "global_settings" { variable "client_config" { description = "Client configuration object (see module README.md)." } -variable "name" { - description = "Name of the Virtual Network Link" -} - -variable "resource_group_name" { - description = "Resource Group Name" -} -variable "records" { +variable "virtual_network_id" { } -variable "vnet_links" { - default = {} +variable "private_dns" { } -variable "vnets" { - default = {} +variable "settings" { } variable "base_tags" { description = "Base tags for the resource to be inherited from the resource group." type = map(any) } - variable "tags" { default = {} } \ No newline at end of file diff --git a/networking_private_dns.tf b/networking_private_dns.tf index c74f41b5de..8e87c36ab0 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf @@ -28,12 +28,15 @@ module "private_dns_vnet_link" { for_each = try(local.networking.private_dns_vnet_link, {}) depends = [module.private_dns] - base_tags = {} - global_settings = local.global_settings - client_config = local.client_config - virtual_network_id = local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].id - private_dns = local.combined_objects_private_dns - settings = each.value + base_tags = {} + global_settings = local.global_settings + client_config = local.client_config + virtual_network_id = coalesce( + try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].id, null), + try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].id, null) + ) + private_dns = local.combined_objects_private_dns + settings = each.value } output "private_dns_vnet_link" { From 55ff1c1cd5baa93dbfabb9e8304a69c132c93407 Mon Sep 17 00:00:00 2001 
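Review bot: The three added variables `virtual_network_id`, `private_dns` and `settings` carry neither a `description` nor a `type`, unlike `global_settings` and `client_config` directly above them, so a reader of the module has to open module.tf to learn that `settings.private_dns_zones` is the map iterated and that `private_dns` is indexed as `[landing_zone_key][zone_key]`. Suggest at least `description = "Virtual network ID to link; resolved by the caller from the local or remote landing zone."` on `virtual_network_id`, `description = "Combined private DNS zones keyed by landing zone key, then zone key."` on `private_dns`, and `description = "Link definition; private_dns_zones is a map of { key, lz_key (optional), name, registration_enabled (optional), tags (optional) }."` on `settings`.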
From: Swetha Sundar Date: Sun, 22 Aug 2021 15:31:56 +0000 Subject: [PATCH 07/91] Add an example for private dns zone virtual network link --- .../100_pvtdns_vnetlink/configuration.tfvars | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars diff --git a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars new file mode 100644 index 0000000000..16043ecfbe --- /dev/null +++ b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars @@ -0,0 +1,26 @@ +private_dns_vnet_link = { + vnet_pvtdns_link1 = { + vnet_key = "vnet_key1" + private_dns_zones = { + dns_zone1 = { + name = "vnet-pvtdns_link1" + key = "dnszone_southeastasia" + lz_key = "provide the landing zone key of private dns zone" + } + # dns_zone2 = { + # name = "pvtdnstest-vnet1-link2" + # key = "dnszone_eastasia" + + # } + } + } + # vnet_pvtdns_link2 = { + # vnet_key = "vnet_dev_test2" + # private_dns_zones = { + # dns_zone1 = { + # name = "pvtdnstest-vnet2-link1" + # key = "aks_southeastasia" + # } + # } + # } +} \ No newline at end of file From 31ac415cdbed1f3aa6ef5d07a3ded05d0f4eaa2a Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Mon, 23 Aug 2021 06:41:47 +0000 Subject: [PATCH 08/91] Update example for pvt dns zone vnet link --- .../100_pvtdns_vnetlink/configuration.tfvars | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars index 16043ecfbe..bcbb1744ca 100644 --- a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars +++ b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars 
@@ -1,25 +1,25 @@ private_dns_vnet_link = { vnet_pvtdns_link1 = { vnet_key = "vnet_key1" + #lz_key = "remote landing zone key for vnet" private_dns_zones = { dns_zone1 = { - name = "vnet-pvtdns_link1" - key = "dnszone_southeastasia" + name = "vnet1-link1" + key = "dnszone1_key" lz_key = "provide the landing zone key of private dns zone" } # dns_zone2 = { - # name = "pvtdnstest-vnet1-link2" - # key = "dnszone_eastasia" - + # name = "vnet1-link2" + # key = "dnszone2_key" # } } } # vnet_pvtdns_link2 = { - # vnet_key = "vnet_dev_test2" + # vnet_key = "vnet_key2" # private_dns_zones = { # dns_zone1 = { - # name = "pvtdnstest-vnet2-link1" - # key = "aks_southeastasia" + # name = "vnet2-link1" + # key = "dnszone1_key" # } # } # } From 897021d07cbdfcb2e32d9f5b0a12ded5580daa95 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Thu, 26 Aug 2021 07:29:50 +0000 Subject: [PATCH 09/91] Update logic with co --- storage_accounts.tf | 23 ++++++++++++++++++++--- virtual_machines.tf | 22 +++++++++++++++++++--- 2 files changed, 39 insertions(+), 6 deletions(-) diff --git a/storage_accounts.tf b/storage_accounts.tf index 02a9dd0a1a..a354cccbe0 100755 --- a/storage_accounts.tf +++ b/storage_accounts.tf 
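Review bot: `lz_key = "provide the landing zone key of private dns zone"` puts prose in a value position, so this example cannot be applied as committed, and nothing in the file says the attribute is optional even though the module falls back to the local landing zone when it is absent. Treat it like the `#lz_key` line added for the vnet above: comment it out and state the rule, e.g. `# lz_key = "<remote landing zone key>"  # optional: omit when the zone is in this landing zone`. The keys `vnet_key1` and `dnszone1_key` are likewise not defined in this file, so a one-line header comment naming the vnet/private_dns examples they are expected to be deployed against would make the example self-describing.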
@@ -6,14 +6,31 @@ module "storage_accounts" { global_settings = local.global_settings client_config = local.client_config storage_account = each.value - resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name - location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] vnets = local.combined_objects_networking private_endpoints = try(each.value.private_endpoints, {}) resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups recovery_vaults = local.combined_objects_recovery_vaults - base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} private_dns = local.combined_objects_private_dns + + location = coalese( + try(local.global_settings.regions[each.value.region],null), + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].location, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location + ) + base_tags = try(local.global_settings.inherit_tags, false) ? 
coalese( + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].tags, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags + ) : {} + resource_group_name = coalese( + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].name, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name + ) } output "storage_accounts" { diff --git a/virtual_machines.tf b/virtual_machines.tf index abe4e20dbe..d47397a0ba 100755 --- a/virtual_machines.tf +++ b/virtual_machines.tf 
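Review bot: `coalese(` is not a Terraform function (the function is `coalesce`), and `[each.value.resource_group_key)]` carries a stray `)` inside the index brackets, so all three new expressions (`location`, `base_tags`, `resource_group_name`) fail to parse; the virtual_machines.tf hunk of this commit contains the same text. Beyond the typos, the individual lookups are not wrapped in `try(...)`, so an account that only sets `resource_group_key` (the shape used by every example on this page) errors on `each.value.resource_group.lz_key` before `coalesce` gets a chance to fall through — `coalesce` only skips arguments that evaluate to null, it does not catch evaluation errors. Each candidate therefore needs `try(…, null)`, as below for `resource_group_name`; `location` and `base_tags` take the same four candidates (location additionally keeps the `try(local.global_settings.regions[each.value.region], null)` entry first). The `module "storage_accounts"` block starts before this hunk.
```hcl
  # … unchanged: global_settings, client_config, storage_account, vnets, private_endpoints, resource_groups, recovery_vaults, private_dns …
  resource_group_name = coalesce(
    try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, null),
    try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, null),
    try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, null),
    try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null)
  )
  # … location and base_tags: same four try(..., null) candidates, selecting .location / .tags …
```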
@@ -35,9 +35,25 @@ module "virtual_machines" { vnets = local.combined_objects_networking dedicated_hosts = local.combined_objects_dedicated_hosts - resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name - location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] - base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} + location = coalese( + try(local.global_settings.regions[each.value.region],null), + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].location, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location + ) + base_tags = try(local.global_settings.inherit_tags, false) ? 
coalese( + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].tags, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags + ) : {} + resource_group_name = coalese( + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].name, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name + ) } From 61fee78a60710232d5d2eca4422e07e17fac71bc Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Fri, 27 Aug 2021 19:24:27 -0400 Subject: [PATCH 10/91] Add a module for storage account management policy This module contains all the code needed for storage account management. --- .../configuration.tfvars | 117 ++++++++++++++++++ .../management_policy/management_policy.tf | 63 ++++++++++ .../management_policy/output.tf | 0 .../management_policy/variables.tf | 2 + modules/storage_account/storage_account.tf | 7 ++ 5 files changed, 189 insertions(+) create mode 100755 examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars create mode 100644 modules/storage_account/management_policy/management_policy.tf create mode 100644 modules/storage_account/management_policy/output.tf create mode 100644 modules/storage_account/management_policy/variables.tf 
diff --git a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars
new file mode 100755
index 0000000000..b002bbcc92
--- /dev/null
+++ b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars
@@ -0,0 +1,117 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + test = { + name = "test" + } +} + +# https://docs.microsoft.com/en-us/azure/storage/ +storage_accounts = { + sa1 = { + name = "sa1dev" + resource_group_key = "test" + account_kind = "StorageV2" #Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2 + account_tier = "Standard" #Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid + account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy + min_tls_version = "TLS1_2" # Possible values are TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_0 for new storage accounts. + large_file_share_enabled = true + + # azure_files_authentication = { + # directory_type = "AADDS" + # } + + management_policies = { + rules = { + rule_1 = { + name = "rule1" + enabled = true + filters = { + filter_specs = { + prefix_match = ["container1/prefix1"] + blob_types = ["blockBlob"] + # This code can only be used if enable `BlobIndex` + #match_blob_index_tag = { + #match_blob_index_tag_specs = { + # name = "tag1" + # operation = "==" + # value = "val1" + #} + #} + } + } + actions = { + # Only have one blob object + base_blob = { + blob_specs = { + tier_to_cool_after_days_since_modification_greater_than = 11 + tier_to_archive_after_days_since_modification_greater_than = 51 + delete_after_days_since_modification_greater_than = 101 + } + } + snapshot = { + snapshot_specs = { + change_tier_to_archive_after_days_since_creation = 90 + change_tier_to_cool_after_days_since_creation = 23 + delete_after_days_since_creation_greater_than = 31 + } + } + version = { + version_specs = { + change_tier_to_archive_after_days_since_creation = 9 + change_tier_to_cool_after_days_since_creation = 90 + delete_after_days_since_creation = 3 + } + } + } + } + # rule_2 = { + # name 
= "rule2" + # enabled = false + # } + } + } + + backup = { + vault_key = "asr1" + # lz_key = "" + } + + tags = { + environment = "dev" + team = "IT" + } + } +} + +recovery_vaults = { + asr1 = { + name = "asr-container-protection" + resource_group_key = "test" + + region = "region1" + backup_policies = { + + fs = { + policy1 = { + name = "FSBackupPolicy1" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" + backup = { + frequency = "Daily" + time = "23:00" + } + retention_daily = { + count = 10 + } + } + } + } + } +} \ No newline at end of file diff --git a/modules/storage_account/management_policy/management_policy.tf b/modules/storage_account/management_policy/management_policy.tf new file mode 100644 index 0000000000..ea6c964052 --- /dev/null +++ b/modules/storage_account/management_policy/management_policy.tf 
@@ -0,0 +1,63 @@ +resource "azurerm_storage_management_policy" "mgmt_policy" { + storage_account_id = var.storage_account_id + + dynamic "rule" { + for_each = var.settings.rules + + content { + name = rule.value.name + enabled = rule.value.enabled + + dynamic "filters" { + for_each = try(rule.value.filters, {}) + + content { + prefix_match = filters.value.prefix_match + blob_types = filters.value.blob_types + + dynamic "match_blob_index_tag" { + for_each = try(filters.match_blob_index_tag, {}) + + content { + name = match_blob_index_tag.value.name + operation = match_blob_index_tag.value.operation + value = match_blob_index_tag.value.value + } + } + } + + } + actions { + dynamic "base_blob" { + for_each = try(rule.value.actions.base_blob, {}) + + content { + tier_to_cool_after_days_since_modification_greater_than = base_blob.value.tier_to_cool_after_days_since_modification_greater_than + tier_to_archive_after_days_since_modification_greater_than = base_blob.value.tier_to_archive_after_days_since_modification_greater_than + delete_after_days_since_modification_greater_than = base_blob.value.delete_after_days_since_modification_greater_than + } + } + + dynamic "snapshot" { + for_each = try(rule.value.actions.snapshot, {}) + + content { + change_tier_to_archive_after_days_since_creation = snapshot.value.change_tier_to_archive_after_days_since_creation + change_tier_to_cool_after_days_since_creation = snapshot.value.change_tier_to_cool_after_days_since_creation + delete_after_days_since_creation_greater_than = snapshot.value.delete_after_days_since_creation_greater_than + } + } + + dynamic "version" { + for_each = try(rule.value.actions.version, {}) + + content { + change_tier_to_archive_after_days_since_creation = version.value.change_tier_to_archive_after_days_since_creation + change_tier_to_cool_after_days_since_creation = version.value.change_tier_to_cool_after_days_since_creation + delete_after_days_since_creation = version.value.delete_after_days_since_creation + 
} + } + } + } + } +} \ No newline at end of file diff --git a/modules/storage_account/management_policy/output.tf b/modules/storage_account/management_policy/output.tf new file mode 100644 index 0000000000..e69de29bb2 diff --git a/modules/storage_account/management_policy/variables.tf b/modules/storage_account/management_policy/variables.tf new file mode 100644 index 0000000000..03ade4fa1a --- /dev/null +++ b/modules/storage_account/management_policy/variables.tf @@ -0,0 +1,2 @@ +variable "settings" {} +variable "storage_account_id" {} diff --git a/modules/storage_account/storage_account.tf b/modules/storage_account/storage_account.tf index 243937c771..b2f82f3ac2 100755 --- a/modules/storage_account/storage_account.tf +++ b/modules/storage_account/storage_account.tf @@ -230,4 +230,11 @@ module "file_share" { settings = each.value recovery_vault = local.recovery_vault resource_group_name = var.resource_group_name +} + +module "management_policy" { + source = "./management_policy" + #for_each = try(var.storage_account.management_policies, {}) + storage_account_id = azurerm_storage_account.stg.id + settings = try(var.storage_account.management_policies, {}) } \ No newline at end of file From 7d78322da2bb9677d4f8956e0cf5a6affebc964c Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Fri, 27 Aug 2021 19:42:18 -0400 Subject: [PATCH 11/91] Add another example and try Terraform is not clear on which blocks/parameters are optional. Action is not optional, but I made everything else optional. --- .../configuration.tfvars | 48 +++++++++++++++++-- .../management_policy/management_policy.tf | 30 ++++++------ 2 files changed, 59 insertions(+), 19 deletions(-) diff --git a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars index b002bbcc92..7564a38147 100755 --- a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars 
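Review bot: `for_each = try(filters.match_blob_index_tag, {})` references the `filters` iterator object itself rather than `filters.value`, so the `try` always falls back to `{}` and the `match_blob_index_tag` block is never emitted even when a user configures one; change it to `for_each = try(filters.value.match_blob_index_tag, {})`. The line is still present as context in the PATCH 11 hunk `@@ -12,16 +12,16 @@` of this file, and the example keeps its `match_blob_index_tag` entry commented out, which is presumably why it went unnoticed. The resource also has no header comment; a line such as `# Lifecycle management rules for one storage account; var.settings.rules is a map of { name, enabled, filters (map), actions { base_blob, snapshot, version } }` would document the input shape the example relies on.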
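Review bot: With `#for_each` commented out, `module "management_policy"` is instantiated for every storage account, and `settings = try(var.storage_account.management_policies, {})` hands it `{}` when no policy is configured; the module then evaluates `for_each = var.settings.rules` on an empty object and fails on the missing `rules` attribute, which breaks every existing storage account that does not define `management_policies`. Gate the module call rather than defaulting the settings, e.g. `for_each = try(var.storage_account.management_policies, null) == null ? {} : { policy = var.storage_account.management_policies }` together with `settings = each.value`. The `module "file_share"` block above the addition starts outside this hunk.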
+++ b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars @@ -36,6 +36,50 @@ storage_accounts = { prefix_match = ["container1/prefix1"] blob_types = ["blockBlob"] # This code can only be used if enable `BlobIndex` + # https://azure.microsoft.com/en-us/blog/manage-and-find-data-with-blob-index-for-azure-storage-now-in-preview/ + #match_blob_index_tag = { + #match_blob_index_tag_specs = { + # name = "tag1" + # operation = "==" + # value = "val1" + #} + #} + } + } + actions = { + # Only have one blob object + base_blob = { + blob_specs = { + tier_to_cool_after_days_since_modification_greater_than = 11 + tier_to_archive_after_days_since_modification_greater_than = 51 + delete_after_days_since_modification_greater_than = 101 + } + } + snapshot = { + snapshot_specs = { + change_tier_to_archive_after_days_since_creation = 90 + change_tier_to_cool_after_days_since_creation = 23 + delete_after_days_since_creation_greater_than = 31 + } + } + version = { + version_specs = { + change_tier_to_archive_after_days_since_creation = 9 + change_tier_to_cool_after_days_since_creation = 90 + delete_after_days_since_creation = 3 + } + } + } + }, + rule_2 = { + name = "rule2" + enabled = true + filters = { + filter_specs = { + prefix_match = ["container1/prefix2"] + blob_types = ["blockBlob"] + # This code can only be used if enable `BlobIndex` + # https://azure.microsoft.com/en-us/blog/manage-and-find-data-with-blob-index-for-azure-storage-now-in-preview/ #match_blob_index_tag = { #match_blob_index_tag_specs = { # name = "tag1" @@ -70,10 +114,6 @@ storage_accounts = { } } } - # rule_2 = { - # name = "rule2" - # enabled = false - # } } } diff --git a/modules/storage_account/management_policy/management_policy.tf b/modules/storage_account/management_policy/management_policy.tf index ea6c964052..ceb70c4b5c 100644 --- a/modules/storage_account/management_policy/management_policy.tf +++ b/modules/storage_account/management_policy/management_policy.tf 
@@ -12,16 +12,16 @@ resource "azurerm_storage_management_policy" "mgmt_policy" { for_each = try(rule.value.filters, {}) content { - prefix_match = filters.value.prefix_match - blob_types = filters.value.blob_types - + prefix_match = try(filters.value.prefix_match, null) + blob_types = try(filters.value.blob_types, null) + dynamic "match_blob_index_tag" { for_each = try(filters.match_blob_index_tag, {}) content { - name = match_blob_index_tag.value.name - operation = match_blob_index_tag.value.operation - value = match_blob_index_tag.value.value + name = try(match_blob_index_tag.value.name, null) + operation = try(match_blob_index_tag.value.operation, null) + value = try(match_blob_index_tag.value.value, null) } } } @@ -32,9 +32,9 @@ resource "azurerm_storage_management_policy" "mgmt_policy" { for_each = try(rule.value.actions.base_blob, {}) content { - tier_to_cool_after_days_since_modification_greater_than = base_blob.value.tier_to_cool_after_days_since_modification_greater_than - tier_to_archive_after_days_since_modification_greater_than = base_blob.value.tier_to_archive_after_days_since_modification_greater_than - delete_after_days_since_modification_greater_than = base_blob.value.delete_after_days_since_modification_greater_than + tier_to_cool_after_days_since_modification_greater_than = try(base_blob.value.tier_to_cool_after_days_since_modification_greater_than, null) + tier_to_archive_after_days_since_modification_greater_than = try(base_blob.value.tier_to_archive_after_days_since_modification_greater_than, null) + delete_after_days_since_modification_greater_than = try(base_blob.value.delete_after_days_since_modification_greater_than, null) } } 
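Review bot: `prefix_match = try(filters.value.prefix_match, null)` turns a misspelled or missing `prefix_match` key in the tfvars into a filter with no prefix, so a rule that also carries delete actions then applies to every blob of the listed `blob_types` in the whole account; I would keep this one as a hard reference, `prefix_match = filters.value.prefix_match`, so the typo fails at plan time instead of silently widening the rule. The unchanged `for_each = try(filters.match_blob_index_tag, {})` on the next dynamic block reads the attribute off the iterator object instead of its value and the `try` masks that, so the block can never be emitted; it should read `for_each = try(filters.value.match_blob_index_tag, {})`. The same blanket `try(..., null)` in the -32, -42 and -52 hunks means a misspelled action key silently drops that action rather than erroring. The enclosing resource starts before and ends after this hunk.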
@@ -42,9 +42,9 @@ resource "azurerm_storage_management_policy" "mgmt_policy" { for_each = try(rule.value.actions.snapshot, {}) content { - change_tier_to_archive_after_days_since_creation = snapshot.value.change_tier_to_archive_after_days_since_creation - change_tier_to_cool_after_days_since_creation = snapshot.value.change_tier_to_cool_after_days_since_creation - delete_after_days_since_creation_greater_than = snapshot.value.delete_after_days_since_creation_greater_than + change_tier_to_archive_after_days_since_creation = try(snapshot.value.change_tier_to_archive_after_days_since_creation, null) + change_tier_to_cool_after_days_since_creation = try(snapshot.value.change_tier_to_cool_after_days_since_creation, null) + delete_after_days_since_creation_greater_than = try(snapshot.value.delete_after_days_since_creation_greater_than, null) } } @@ -52,9 +52,9 @@ resource "azurerm_storage_management_policy" "mgmt_policy" { for_each = try(rule.value.actions.version, {}) content { - change_tier_to_archive_after_days_since_creation = version.value.change_tier_to_archive_after_days_since_creation - change_tier_to_cool_after_days_since_creation = version.value.change_tier_to_cool_after_days_since_creation - delete_after_days_since_creation = version.value.delete_after_days_since_creation + change_tier_to_archive_after_days_since_creation = try(version.value.change_tier_to_archive_after_days_since_creation, null) + change_tier_to_cool_after_days_since_creation = try(version.value.change_tier_to_cool_after_days_since_creation, null) + delete_after_days_since_creation = try(version.value.delete_after_days_since_creation, null) } } } From e06ec0ef600c2729db2742d558ad12b0c2941b48 Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Fri, 27 Aug 2021 19:47:22 -0400 Subject: [PATCH 12/91] Remove unnecessary comment --- .../107-storage-account-management-policy/configuration.tfvars | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars index 7564a38147..7a31be827b 100755 --- a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars +++ b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars @@ -47,7 +47,6 @@ storage_accounts = { } } actions = { - # Only have one blob object base_blob = { blob_specs = { tier_to_cool_after_days_since_modification_greater_than = 11 @@ -90,7 +89,6 @@ storage_accounts = { } } actions = { - # Only have one blob object base_blob = { blob_specs = { tier_to_cool_after_days_since_modification_greater_than = 11 From c08f4f2d753110c4a4ea44d384622387dcf6d249 Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Wed, 1 Sep 2021 05:53:56 +0000 Subject: [PATCH 13/91] Change the module name according to the standard convention --- .../100_pvtdns_vnetlink/configuration.tfvars | 2 +- locals.tf | 2 +- networking_private_dns.tf | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars index bcbb1744ca..4638f2883c 100644 --- a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars +++ b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars @@ -1,4 +1,4 @@ -private_dns_vnet_link = { +private_dns_vnet_links = { vnet_pvtdns_link1 = { vnet_key = "vnet_key1" #lz_key = "remote landing zone key for vnet" diff --git a/locals.tf b/locals.tf index 82ba3797ec..3ebf24e945 100755 --- a/locals.tf +++ b/locals.tf 
@@ -210,7 +210,7 @@ locals { network_security_group_definition = try(var.networking.network_security_group_definition, {}) network_watchers = try(var.networking.network_watchers, {}) private_dns = try(var.networking.private_dns, {}) - private_dns_vnet_link = try(var.networking.private_dns_vnet_link, {}) + private_dns_vnet_links = try(var.networking.private_dns_vnet_links, {}) public_ip_addresses = try(var.networking.public_ip_addresses, {}) route_tables = try(var.networking.route_tables, {}) vhub_peerings = try(var.networking.vhub_peerings, {}) diff --git a/networking_private_dns.tf b/networking_private_dns.tf index 8e87c36ab0..e9b901f339 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf @@ -23,9 +23,9 @@ output "private_dns" { # Create vnet links on remote DNS zones # -module "private_dns_vnet_link" { +module "private_dns_vnet_links" { source = "./modules/networking/private_dns_vnet_link" - for_each = try(local.networking.private_dns_vnet_link, {}) + for_each = try(local.networking.private_dns_vnet_links, {}) depends = [module.private_dns] base_tags = {} @@ -39,6 +39,6 @@ module "private_dns_vnet_link" { settings = each.value } -output "private_dns_vnet_link" { - value = module.private_dns_vnet_link +output "private_dns_vnet_links" { + value = module.private_dns_vnet_links } \ No newline at end of file From 1eae459189e5b731608676b544adb480c700ba73 Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Wed, 1 Sep 2021 10:52:27 -0400 Subject: [PATCH 14/91] Validate that a management_policy exists before triggering module --- modules/storage_account/storage_account.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/storage_account/storage_account.tf b/modules/storage_account/storage_account.tf index b2f82f3ac2..5278a4d27a 100755 --- a/modules/storage_account/storage_account.tf +++ b/modules/storage_account/storage_account.tf 
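Review bot: `private_dns_vnet_links = try(var.networking.private_dns_vnet_links, {})` silently yields an empty map for any existing configuration that still uses the old `private_dns_vnet_link` key, and together with the module rename in `networking_private_dns.tf` the next apply would, as far as I can tell, plan to destroy every existing vnet link without a warning. A fallback such as `private_dns_vnet_links = try(var.networking.private_dns_vnet_links, var.networking.private_dns_vnet_link, {})` keeps old tfvars working during a deprecation window. The commit message should also state that the resource address changed from `module.private_dns_vnet_link` to `module.private_dns_vnet_links` so operators run `terraform state mv` before applying, otherwise the rename alone recreates the links. The `locals` block continues outside the hunk.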
@@ -233,8 +233,8 @@ module "file_share" { } module "management_policy" { - source = "./management_policy" - #for_each = try(var.storage_account.management_policies, {}) + source = "./management_policy" + for_each = try(var.storage_account.management_policies, {}) storage_account_id = azurerm_storage_account.stg.id settings = try(var.storage_account.management_policies, {}) } \ No newline at end of file From bf04446f059e2347056e98f4f892144994f21c4e Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Wed, 1 Sep 2021 17:01:22 -0400 Subject: [PATCH 15/91] Create a custom_data string with Terraform Ouputs # Overview Currently, users have the ability to add `custom_data` to a linux VM in two ways: 1. Passing a local path to a script. 2. Directly inserting code in the `tfvars` This allows users to manually enter `custom_data` for these machines. But it does __not__ allow users to build a a string for the `custom_data` from the outputs of other Terraform outputs. # Our Use Case In our use case, we need to set the following string as the `custom_data`: ``` storage-account=stname, access-key=some-secret, file-share=myfileshare, share-directory=testdirectory ``` # Implementation The implementation isnt exactly the cleanest. It currently requires a nested `if` statement to mimic an `elif` block. In the future is others want to add other dynamically created string for `custom_data`, they will have to add other another loop. --- .../configuration.tfvars | 264 ++++++++++++++++++ modules/compute/virtual_machine/variables.tf | 4 + modules/compute/virtual_machine/vm_linux.tf | 11 +- modules/storage_account/file_share/output.tf | 5 + .../file_share_directory/output.tf | 4 + modules/storage_account/output.tf | 5 + virtual_machines.tf | 1 + 7 files changed, 293 insertions(+), 1 deletion(-) create mode 100755 examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars 
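Review bot: With `for_each = try(var.storage_account.management_policies, {})` now enabled, `settings = try(var.storage_account.management_policies, {})` still hands the whole map to every instance instead of `settings = each.value`, so each instance renders every policy. As far as I know a storage account holds a single management policy, so two or more keys in `management_policies` would also produce instances competing for the same `storage_account_id`; if one policy per account is the intent, a guarded single instance is the safer shape, e.g. `for_each = length(try(var.storage_account.management_policies, {})) > 0 ? { default = var.storage_account.management_policies } : {}` with `settings = each.value`, otherwise the single-key constraint should be documented next to the module call. The `module "management_policy"` block is complete within the hunk.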
diff --git a/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars b/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars new file mode 100755 index 0000000000..d7d5b0210a --- /dev/null +++ b/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars 
@@ -0,0 +1,264 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } + resource_defaults = { + virtual_machines = { + # set the below to enable az managed boot diagostics for vms + # this will be override if a user managed storage account is defined for the vm + # use_azmanaged_storage_for_boot_diagnostics = true + } + } +} + +resource_groups = { + vm_region1 = { + name = "example-virtual-machine-rg1" + } +} + +# Virtual machines +virtual_machines = { + + # Configuration to deploy a bastion host linux virtual machine + example_vm1 = { + resource_group_key = "vm_region1" + provision_vm_agent = true + # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage + # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts + # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage + boot_diagnostics_storage_account_key = "bootdiag_region1" + + os_type = "linux" + + # the auto-generated ssh key in keyvault secret. 
Secret name being {VM name}-ssh-public and {VM name}-ssh-private + keyvault_key = "example_vm_rg1" + + # Define the number of networking cards to attach the virtual machine + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "vnet_region1" + subnet_key = "example" + primary = true + name = "0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + public_ip_address_key = "example_vm_pip1_rg1" + # example with external network objects + # subnet_id = "/subscriptions/sub-id/resourceGroups/test-manual/providers/Microsoft.Network/virtualNetworks/vnet/subnets/default" + # public_address_id = "/subscriptions/sub-id/resourceGroups/test-manual/providers/Microsoft.Network/publicIPAddresses/arnaudip" + # nsg_id = "/subscriptions/sub-id/resourceGroups/test-manual/providers/Microsoft.Network/networkSecurityGroups/nsgtest" + + } + } + + virtual_machine_settings = { + linux = { + name = "example_vm1" + size = "Standard_F2" + admin_username = "adminuser" + disable_password_authentication = true + + #custom_data = "scripts/cloud-init/install-rover-tools.config" +# custom_data = < Date: Wed, 1 Sep 2021 20:09:34 -0400 Subject: [PATCH 16/91] Add extra layers to the dynamic_custom_data --- .../configuration.tfvars | 5 +++++ modules/compute/virtual_machine/vm_linux.tf | 16 ++++++++++++---- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars b/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars index d7d5b0210a..1badab5c1c 100755 --- a/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars +++ b/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars 
@@ -67,6 +67,11 @@ virtual_machines = { #echo "Execute your super awesome commands here!" #CUSTOM_DATA custom_data = "palo_alto_connection_string" + palo_alto_connection_string = { + storage_account = "sa1" + file_share = "share1" + file_share_directory = "dir1" + } # Spot VM to save money priority = "Spot" diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 2e0c65178f..8afa30f0b7 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -1,3 +1,12 @@ +locals { + dynamic_custom_data = { + palo_alto_connection_string = { + for item in var.settings.virtual_machine_settings: + item.name => base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}") + } + } +} + resource "tls_private_key" "ssh" { for_each = local.create_sshkeys ? var.settings.virtual_machine_settings : {} 
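Review bot: The `for item in var.settings.virtual_machine_settings` comprehension dereferences `item.palo_alto_connection_string.storage_account` for every VM in the map, so a VM that has no `palo_alto_connection_string` block breaks evaluation of the local even when its `custom_data` never refers to it, and I don't believe the `can()` at the use site catches that because the local is evaluated as its own node; the loop needs an `if can(item.palo_alto_connection_string)` filter or `try` around the lookups. The rendered string also embeds the storage account's `primary_access_key`: custom data is persisted on the VM and in Terraform state, so the full account key becomes recoverable by anyone with VM or state read access, and a SAS scoped to the file share or a managed identity would limit that exposure — at minimum the example should say the value is a secret. The repeated `var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account]` lookup would be easier to audit bound once in a nested local.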
@@ -77,12 +86,11 @@ resource "azurerm_linux_virtual_machine" "vm" { custom_data = ( try(each.value.custom_data, null) == null ? null - : (each.value.custom_data == "palo_alto_connection_string" - ? base64encode("storage-account=${var.storage_accounts["examples"]["sa1"].name}, access-key=${var.storage_accounts["examples"]["sa1"].primary_access_key}, file-share=${var.storage_accounts["examples"]["sa1"].file_share["share1"].name}, share-directory=${var.storage_accounts["examples"]["sa1"].file_share["share1"].file_share_directories["dir1"].name}") - : try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)) + : (can(local.dynamic_custom_data[each.value.custom_data][each.value.name]) == true + ? local.dynamic_custom_data[each.value.custom_data][each.value.name] + : null ) ) - #custom_data = base64encode("storage-account=${var.storage_accounts["examples"]["sa1"].name}, access-key=${var.storage_accounts["examples"]["sa1"].primary_access_key}, file-share=${var.storage_accounts["examples"]["sa1"].file_share["share1"].name}, share-directory=${var.storage_accounts["examples"]["sa1"].file_share["share1"].file_share_directories["dir1"].name}") availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) dedicated_host_id = try(coalesce( From 8afd0e820737227cc361ac70ca7d1956bc578ea7 Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Wed, 1 Sep 2021 20:11:04 -0400 Subject: [PATCH 17/91] Update vm_linux.tf --- modules/compute/virtual_machine/vm_linux.tf | 1 - 1 file changed, 1 deletion(-) 
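Review bot: The new else-branch `: null` drops the `try(filebase64(...), base64encode(...))` fallback that the removed line carried, so a `custom_data` that is a script path or an inline string — the two existing paths the PATCH 15 message describes — is now silently ignored and the VM is created with no custom data. The inner branch should fall back instead of returning null: `: try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))`. `can(...) == true` is also redundant since `can()` already returns a bool. The `azurerm_linux_virtual_machine` resource starts before and ends after this hunk.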
diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 8afa30f0b7..bf8281547d 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -82,7 +82,6 @@ resource "azurerm_linux_virtual_machine" "vm" { provision_vm_agent = try(each.value.provision_vm_agent, true) zone = try(each.value.zone, null) disable_password_authentication = try(each.value.disable_password_authentication, true) - #custom_data = try(each.value.custom_data, null) == null ? null : try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)) custom_data = ( try(each.value.custom_data, null) == null ? null From 4cff65b7a6ec50459bebf24a3b17d5562ffb7bd3 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Thu, 2 Sep 2021 16:24:08 +0000 Subject: [PATCH 18/91] add mssql vm support to vm module --- .github/workflows/standalone-scenarios.json | 1 + .../108-mssql-vm/configuration.tfvars | 214 ++++++++++++++++++ modules/compute/virtual_machine/mssql_vm.tf | 126 +++++++++++ modules/compute/virtual_machine/output.tf | 2 +- modules/compute/virtual_machine/variables.tf | 3 + modules/compute/virtual_machine/vm_linux.tf | 4 +- modules/compute/virtual_machine/vm_windows.tf | 2 +- virtual_machines.tf | 1 + 8 files changed, 349 insertions(+), 4 deletions(-) create mode 100644 examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars create mode 100644 modules/compute/virtual_machine/mssql_vm.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 4bf063d8ff..80faaf2fc5 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -32,6 +32,7 @@
 "compute/virtual_machine/102-single-vm-data-disks",
 "compute/virtual_machine/104-single-windows-backup",
 "compute/virtual_machine/106-marketplace-image-with-plan",
+ "compute/virtual_machine/108-mssql-vm",
 "compute/virtual_machine/210-vm-bastion-winrm",
 "compute/virtual_machine/211-vm-bastion-winrm-agents",
 "compute/virtual_machine_scale_set/100-linux-win-vmss-lb",
diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars
new file mode 100644
index 0000000000..0fadac9db5
--- /dev/null
+++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars
@@ -0,0 +1,214 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + rg1 = { + name = "mssql-vm-rg" + } +} + +storage_accounts = { + sa1 = { + name = "backupsa" + resource_group_key = "rg1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + } +} + +keyvaults = { + kv1 = { + name = "vmsecretskv" + resource_group_key = "rg1" + sku_name = "standard" + soft_delete_enabled = true + purge_protection_enabled = true + tags = { + env = "Standalone" + } + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"] + } + } + } +} + +dynamic_keyvault_secrets = { + kv1 = { # Key of the keyvault + vmadmin-username = { + secret_name = "vmadmin-username" + value = "vmadmin" + } + vmadmin-password = { + secret_name = "vmadmin-password" + value = "Very@Str5ngP!44w0rdToChaNge#" + } + sql-username = { + secret_name = "sql-username" + value = "sqllogin" + } + sql-password = { + secret_name = "sql-password" + value = "Password1234!" 
+ } + } +} + +vnets = { + vnet1 = { + resource_group_key = "rg1" + vnet = { + name = "mssqlvm" + address_space = ["10.100.0.0/16"] + } + specialsubnets = {} + subnets = { + subnet1 = { + name = "compute" + cidr = ["10.100.1.0/24"] + } + } + + } +} + + +public_ip_addresses = { + pip1 = { + name = "pip1" + resource_group_key = "rg1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + + } +} + +# Virtual machines +virtual_machines = { + + # Configuration to deploy a bastion host linux virtual machine + example_vm1 = { + resource_group_key = "rg1" + provision_vm_agent = true + # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage + # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts + # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage + boot_diagnostics_storage_account_key = "" + + os_type = "windows" + + # the auto-generated ssh key in keyvault secret. Secret name being {VM name}-ssh-public and {VM name}-ssh-private + keyvault_key = "kv1" + + # Define the number of networking cards to attach the virtual machine + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "vnet1" + subnet_key = "subnet1" + name = "0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + public_ip_address_key = "pip1" + } + } + + virtual_machine_settings = { + windows = { + name = "mssqlvm" + size = "Standard_D4as_v4" + zone = "1" + + admin_username_key = "vmadmin-username" + admin_password_key = "vmadmin-password" + + # Spot VM to save money + priority = "Spot" + eviction_policy = "Deallocate" + + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic0"] + + os_disk = { + name = "osdisk" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + managed_disk_type = "StandardSSD_LRS" + disk_size_gb = "128" + create_option = "FromImage" + } + source_image_reference = { + publisher = "MicrosoftSQLServer" + offer = "SQL2017-WS2016" + # offer = "sql2019-ws2019" + sku = "SQLDEV" + version = "latest" + } + + mssql_settings = { # requires SQL Image in source_image_reference + sql_license_type = "PAYG" + r_services_enabled = true + sql_connectivity_port = 1433 + sql_connectivity_type = "PRIVATE" + + # sql credentials is the same as the one for vm + + auto_patching = { + day_of_week = "Sunday" + maintenance_window_duration_in_minutes = 60 + maintenance_window_starting_hour = 2 + } + auto_backup = { + encryption_enabled = false # uses the vmadmin password + retention_period_in_days = 7 + storage_account = { + # lz_key = "" + key = "sa1" + } + manual_schedule = { + full_backup_frequency = "Weekly" # Daily / Weekly + full_backup_start_hour = 0 # 0 - 23 + full_backup_window_in_hours = 1 # 1 - 23 + log_backup_frequency_in_minutes = 60 # 5 - 60f + } + + } + + + storage_configuration = { + disk_type = "NEW" # NEW, EXTEND, ADD + storage_workload_type = "GENERAL" # GENERAL, OLTP, DW + + data_settings = { + default_file_path = "F:\\data" + luns = [1] + } + } + + # key_vault_credentials = {} # not supported yet + } + + } + } + data_disks = { + data1 = { + name = "datadisk1" + storage_account_type = "Premium_LRS" + create_option = "Empty" + disk_size_gb = "10" + lun = 1 + zones = ["1"] + } + } + + } +} diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf new file mode 100644 index 0000000000..f89d37c35a --- /dev/null +++ b/modules/compute/virtual_machine/mssql_vm.tf 
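Review bot: The example commits two literal credentials (`value = "Very@Str5ngP!44w0rdToChaNge#"` and `value = "Password1234!"`) for a VM that also receives a public IP through `public_ip_address_key = "pip1"`, while `mssql_vm.tf` in the same commit never reads `sql-username`/`sql-password` (it reuses the VM admin credentials), so the SQL pair is dead configuration. Dropping the unused pair and noting next to `vmadmin-password` that the value is a placeholder to be replaced (or omitting `admin_password_key` so the module generates one with `random_password`) keeps the scenario from teaching a well-known password. `purge_protection_enabled = true` on a throwaway standalone scenario also keeps the key vault name reserved for the retention period after `destroy`, which is awkward for a CI run.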
@@ -0,0 +1,126 @@ +resource "azurerm_mssql_virtual_machine" "mssqlvm" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if try(value.mssql_settings, null) != null + } + + virtual_machine_id = local.os_type == "windows" ? try(azurerm_windows_virtual_machine.vm[each.key].id, null) : try(azurerm_linux_virtual_machine.vm[each.key].id, null) + sql_license_type = try(each.value.mssql_settings.sql_license_type, null) + r_services_enabled = try(each.value.mssql_settings.r_services_enabled, null) + sql_connectivity_port = try(each.value.mssql_settings.sql_connectivity_port, null) + sql_connectivity_type = try(each.value.mssql_settings.sql_connectivity_type, null) + # should the username and password for sql be the same as the one in vm + sql_connectivity_update_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username + sql_connectivity_update_password = try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password + tags = merge(local.tags, try(each.value.tags, null)) + + dynamic "auto_backup" { + for_each = try(each.value.mssql_settings.auto_backup, null) != null ? [1] : [] + + content { + encryption_enabled = try(each.value.mssql_settings.auto_backup.encryption_enabled, null) + # should the encryption password be different? + encryption_password = try(each.value.mssql_settings.auto_backup.encryption_enabled, false) ? try(each.value.admin_password_key, null) == null ? 
random_password.admin[local.os_type].result : local.admin_password : null + retention_period_in_days = each.value.mssql_settings.auto_backup.retention_period_in_days + system_databases_backup_enabled = try(each.value.mssql_settings.auto_backup.system_databases_backup_enabled, null) + storage_account_access_key = data.azurerm_storage_account.mssqlvm_backup_sa[each.key].primary_access_key + storage_blob_endpoint = coalesce( + try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].primary_blob_endpoint, null), + try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].primary_blob_endpoint, null), + ) + + dynamic "manual_schedule" { + for_each = try(each.value.mssql_settings.auto_backup.manual_schedule, null) != null ? [1] : [] + + content { + full_backup_frequency = try(each.value.mssql_settings.auto_backup.manual_schedule.full_backup_frequency, null) + full_backup_start_hour = try(each.value.mssql_settings.auto_backup.manual_schedule.full_backup_start_hour, null) + full_backup_window_in_hours = try(each.value.mssql_settings.auto_backup.manual_schedule.full_backup_window_in_hours, null) + log_backup_frequency_in_minutes = try(each.value.mssql_settings.auto_backup.manual_schedule.log_backup_frequency_in_minutes, null) + } + } + + } + } + + dynamic "auto_patching" { + for_each = try(each.value.mssql_settings.auto_patching, null) != null ? [1] : [] + + content { + day_of_week = each.value.mssql_settings.auto_patching.day_of_week + maintenance_window_duration_in_minutes = each.value.mssql_settings.auto_patching.maintenance_window_duration_in_minutes + maintenance_window_starting_hour = each.value.mssql_settings.auto_patching.maintenance_window_starting_hour + } + } + + # dynamic "key_vault_credentials" { + # for_each = try(each.value.mssql_settings.key_vault_credentials, null) != null ? 
[1] : [] + + # content { + # name = each.value.mssql_settings.key_vault_credentials.name + # key_vault_url = + # service_principal_name = + # service_principal_secret = + # } + # } + + # should the sp secret be stored in the vm kv or a separate one? + # if not shared with vm kv, should the kv_url be the same kv as where the sp credential is stored? + + + + dynamic "storage_configuration" { + for_each = try(each.value.mssql_settings.storage_configuration, null) != null ? [1] : [] + + content { + disk_type = each.value.mssql_settings.storage_configuration.disk_type + storage_workload_type = each.value.mssql_settings.storage_configuration.storage_workload_type + + dynamic "data_settings" { + for_each = try(each.value.mssql_settings.storage_configuration.data_settings, null) != null ? [1] : [] + + content { + default_file_path = each.value.mssql_settings.storage_configuration.data_settings.default_file_path + luns = each.value.mssql_settings.storage_configuration.data_settings.luns + } + } + dynamic "log_settings" { + for_each = try(each.value.mssql_settings.storage_configuration.log_settings, null) != null ? [1] : [] + + content { + default_file_path = each.value.mssql_settings.storage_configuration.log_settings.default_file_path + luns = each.value.mssql_settings.storage_configuration.log_settings.luns + } + } + dynamic "temp_db_settings" { + for_each = try(each.value.mssql_settings.storage_configuration.temp_db_settings, null) != null ? 
[1] : [] + + content { + default_file_path = each.value.mssql_settings.storage_configuration.temp_db_settings.default_file_path + luns = each.value.mssql_settings.storage_configuration.temp_db_settings.luns + } + } + + } + } + +} + + +# storage account sas + +data "azurerm_storage_account" "mssqlvm_backup_sa" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if try(value.mssql_settings.auto_backup, null) != null + } + + name = coalesce( + try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].name, null), + try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].name, null), + ) + resource_group_name = coalesce( + try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), + try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), + ) +} \ No newline at end of file diff --git a/modules/compute/virtual_machine/output.tf b/modules/compute/virtual_machine/output.tf index c5830f26a8..cabdfb791f 100755 --- a/modules/compute/virtual_machine/output.tf +++ b/modules/compute/virtual_machine/output.tf @@ -37,7 +37,7 @@ output "ssh_keys" { value = local.create_sshkeys ? { keyvault_id = local.keyvault.id ssh_private_key_pem = azurerm_key_vault_secret.ssh_private_key[local.os_type].name - ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name + ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name #for backard compat, wrong name, will be removed in future version. } : null } 
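Review bot: `encryption_password` in the `auto_backup` block reuses the VM admin password (`random_password.admin[local.os_type].result` or `local.admin_password`), which answers the inline `# should the encryption password be different?` with a yes: the backup encryption password must be retained to restore older backups, so coupling it to a credential that gets rotated makes those backups unrestorable, and anyone holding the admin password can decrypt them. A dedicated `auto_backup.encryption_password_key` read from the key vault, with the admin password only as a documented fallback, would separate the two. The `# storage account sas` comment over the data source is also inaccurate — `storage_account_access_key` is fed the full `primary_access_key`, not a SAS — and since `var.storage_accounts[...][...].primary_access_key` appears to be available to this module already (it is used in `vm_linux.tf`), the extra `data "azurerm_storage_account"` read may be unnecessary. The commented `key_vault_credentials` stub would read better as a single `# TODO: key_vault_credentials not supported yet` than as open questions.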
diff --git a/modules/compute/virtual_machine/variables.tf b/modules/compute/virtual_machine/variables.tf index f5d1d1fa63..f7ad107c82 100755 --- a/modules/compute/virtual_machine/variables.tf +++ b/modules/compute/virtual_machine/variables.tf @@ -85,3 +85,6 @@ variable "dedicated_hosts" { default = {} } +variable "storage_accounts" { + default = {} +} \ No newline at end of file diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 671b9ae50b..626a5b9348 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -44,7 +44,7 @@ resource "azurecaf_name" "os_disk_linux" { clean_input = true passthrough = var.global_settings.passthrough use_slug = var.global_settings.use_slug - + lifecycle { ignore_changes = [ name @@ -146,7 +146,7 @@ resource "azurerm_linux_virtual_machine" "vm" { os_disk[0].name ] } - + } # diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 1aced9b747..4d9cad521a 100755 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf @@ -35,7 +35,7 @@ resource "azurecaf_name" "os_disk_windows" { clean_input = true passthrough = var.global_settings.passthrough use_slug = var.global_settings.use_slug - + lifecycle { ignore_changes = [ name diff --git a/virtual_machines.tf b/virtual_machines.tf index abe4e20dbe..ee3bbdf67f 100755 --- a/virtual_machines.tf +++ b/virtual_machines.tf 
@@ -34,6 +34,7 @@ module "virtual_machines" { settings = each.value vnets = local.combined_objects_networking dedicated_hosts = local.combined_objects_dedicated_hosts + storage_accounts = local.combined_objects_storage_accounts resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] From ca523a804a3212f98c3fa5c214f189a2865ae8dd Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Fri, 3 Sep 2021 03:21:46 +0000 Subject: [PATCH 19/91] set purge protection to false in example --- .../virtual_machine/108-mssql-vm/configuration.tfvars | 10 +--------- modules/compute/virtual_machine/mssql_vm.tf | 2 +- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars index 0fadac9db5..31ffdac86a 100644 --- a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars @@ -27,7 +27,7 @@ keyvaults = { resource_group_key = "rg1" sku_name = "standard" soft_delete_enabled = true - purge_protection_enabled = true + purge_protection_enabled = false tags = { env = "Standalone" } @@ -50,14 +50,6 @@ dynamic_keyvault_secrets = { secret_name = "vmadmin-password" value = "Very@Str5ngP!44w0rdToChaNge#" } - sql-username = { - secret_name = "sql-username" - value = "sqllogin" - } - sql-password = { - secret_name = "sql-password" - value = "Password1234!" - } } } 
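Review bot: `purge_protection_enabled = false` on the example key vault is a security-relevant downgrade with no explanation on the line, and examples in this tree tend to be copied into real landing zones; if the intent is only to let `terraform destroy` remove the vault, say so, e.g. `# purge protection off only so this example can be destroyed; keep it enabled for production vaults`. Dropping the hard-coded `sql-username`/`sql-password` secrets is the right direction, but note the sibling `vmadmin-password` entry in the context lines still seeds a literal password into the vault; that predates this commit and is worth the same treatment.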
diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf index f89d37c35a..368a059600 100644 --- a/modules/compute/virtual_machine/mssql_vm.tf +++ b/modules/compute/virtual_machine/mssql_vm.tf @@ -9,7 +9,7 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { r_services_enabled = try(each.value.mssql_settings.r_services_enabled, null) sql_connectivity_port = try(each.value.mssql_settings.sql_connectivity_port, null) sql_connectivity_type = try(each.value.mssql_settings.sql_connectivity_type, null) - # should the username and password for sql be the same as the one in vm + # should the username and password for sql be the same as the one in vm? sql_connectivity_update_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username sql_connectivity_update_password = try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password tags = merge(local.tags, try(each.value.tags, null)) From 32dd8a8d8d00bff09e4a0d325ac08ecec5d0ebcb Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Sat, 4 Sep 2021 05:50:21 +0000 Subject: [PATCH 20/91] add ignore for data disk change --- modules/compute/virtual_machine/vm_disk.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/modules/compute/virtual_machine/vm_disk.tf b/modules/compute/virtual_machine/vm_disk.tf index 34cdb118fa..2106f9339b 100755 --- a/modules/compute/virtual_machine/vm_disk.tf +++ b/modules/compute/virtual_machine/vm_disk.tf @@ -8,6 +8,13 @@ resource "azurecaf_name" "disk" { clean_input = true passthrough = var.global_settings.passthrough use_slug = var.global_settings.use_slug + + lifecycle { + ignore_changes = [ + name + ] + } + } resource "azurerm_managed_disk" "disk" { 
@@ -24,6 +31,12 @@ resource "azurerm_managed_disk" "disk" { disk_mbps_read_write = try(each.value.disk.disk_mbps_read_write, null) tags = local.tags disk_encryption_set_id = try(each.value.disk_encryption_set_key, null) == null ? null : var.disk_encryption_sets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.disk_encryption_set_key].id + + lifecycle { + ignore_changes = [ + name + ] + } } @@ -35,4 +48,11 @@ resource "azurerm_virtual_machine_data_disk_attachment" "disk" { lun = each.value.lun caching = lookup(each.value, "caching", "None") write_accelerator_enabled = lookup(each.value, "write_accelerator_enabled", false) + + lifecycle { + ignore_changes = [ + managed_disk_id + ] + } + } \ No newline at end of file From 27683ac11678d144a9822000c2e128a2957680ab Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Sun, 5 Sep 2021 16:09:05 +0000 Subject: [PATCH 21/91] Fix Function name --- storage_accounts.tf | 4 ++-- virtual_machines.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/storage_accounts.tf b/storage_accounts.tf index a354cccbe0..58c667d116 100755 --- a/storage_accounts.tf +++ b/storage_accounts.tf @@ -12,7 +12,7 @@ module "storage_accounts" { recovery_vaults = local.combined_objects_recovery_vaults private_dns = local.combined_objects_private_dns - location = coalese( + location = coalesce( try(local.global_settings.regions[each.value.region],null), local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].location, 
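Review bot: `ignore_changes = [managed_disk_id]` on `azurerm_virtual_machine_data_disk_attachment.disk` (the last hunk of `vm_disk.tf`) silences any future drift in which disk is attached, including a disk being swapped out-of-band, and nothing in the hunk says why the ignore is needed. The `name` ignores added to `azurecaf_name.disk` and `azurerm_managed_disk.disk` in the two earlier hunks are easier to justify, since a naming-scheme change would otherwise force a replacement of an existing data disk, but they carry no explanation either. A comment on each `lifecycle` block such as `# deliberately ignored: a naming-convention change must not recreate or re-attach data disks that already hold data` would record that the ignores are intentional rather than a workaround for a one-off plan diff. Each enclosing resource starts outside its hunk.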
@@ -25,7 +25,7 @@ module "storage_accounts" { local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags ) : {} - resource_group_name = coalese( + resource_group_name = coalesce( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].name, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, diff --git a/virtual_machines.tf b/virtual_machines.tf index d47397a0ba..d52c2a1021 100755 --- a/virtual_machines.tf +++ b/virtual_machines.tf @@ -35,7 +35,7 @@ module "virtual_machines" { vnets = local.combined_objects_networking dedicated_hosts = local.combined_objects_dedicated_hosts - location = coalese( + location = coalesce( try(local.global_settings.regions[each.value.region],null), local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].location, @@ -48,7 +48,7 @@ module "virtual_machines" { local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags ) : {} - resource_group_name = coalese( + resource_group_name = coalesce( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].name, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, 
From 3c1c838ba86481b4b4afc1065ba7a38b0c984062 Mon Sep 17 00:00:00 2001
From: Sean Lok
Date: Sun, 5 Sep 2021 16:15:45 +0000
Subject: [PATCH 22/91] Fix syntax issue
---
 storage_accounts.tf | 6 +++---
 virtual_machines.tf | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/storage_accounts.tf b/storage_accounts.tf
index 58c667d116..5c05438da3 100755
--- a/storage_accounts.tf
+++ b/storage_accounts.tf
@@ -15,19 +15,19 @@ module "storage_accounts" { location = coalesce( try(local.global_settings.regions[each.value.region],null), local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].location, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location ) base_tags = try(local.global_settings.inherit_tags, false) ? coalese( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].tags, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags ) : {} resource_group_name = coalesce( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].name, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name ) 
diff --git a/virtual_machines.tf b/virtual_machines.tf
index d52c2a1021..498f158232 100755
--- a/virtual_machines.tf
+++ b/virtual_machines.tf
@@ -38,19 +38,19 @@ module "virtual_machines" { location = coalesce( try(local.global_settings.regions[each.value.region],null), local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].location, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location ) base_tags = try(local.global_settings.inherit_tags, false) ? coalese( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].tags, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags ) : {} resource_group_name = coalesce( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key)].name, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name ) 
From fd67469f14a170c841e76faf54cf9f19837e0456 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Sun, 5 Sep 2021 16:29:13 +0000 Subject: [PATCH 23/91] Fix syntax issue --- storage_accounts.tf | 2 +- virtual_machines.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/storage_accounts.tf b/storage_accounts.tf index 5c05438da3..d698f2871f 100755 --- a/storage_accounts.tf +++ b/storage_accounts.tf @@ -19,7 +19,7 @@ module "storage_accounts" { local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location ) - base_tags = try(local.global_settings.inherit_tags, false) ? coalese( + base_tags = try(local.global_settings.inherit_tags, false) ? coalesce( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, diff --git a/virtual_machines.tf b/virtual_machines.tf index 498f158232..6016e4ff56 100755 --- a/virtual_machines.tf +++ b/virtual_machines.tf 
@@ -42,7 +42,7 @@ module "virtual_machines" { local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location ) - base_tags = try(local.global_settings.inherit_tags, false) ? coalese( + base_tags = try(local.global_settings.inherit_tags, false) ? coalesce( local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, From e73ecd486935ca40d36539848034d28c13896f61 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Sun, 5 Sep 2021 16:54:13 +0000 Subject: [PATCH 24/91] Fix try check --- storage_accounts.tf | 24 ++++++++++++------------ virtual_machines.tf | 24 ++++++++++++------------ 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/storage_accounts.tf b/storage_accounts.tf index d698f2871f..787ffa53ff 100755 --- a/storage_accounts.tf +++ b/storage_accounts.tf 
@@ -14,22 +14,22 @@ module "storage_accounts" { location = coalesce( try(local.global_settings.regions[each.value.region],null), - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location,null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location,null) ) base_tags = try(local.global_settings.inherit_tags, false) ? 
coalesce( - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags,null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags,null) ) : {} resource_group_name = coalesce( - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name,null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name,null) ) } 
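Review bot: Wrapping every candidate in `try(..., null)` makes the `coalesce()` for `location`, `base_tags` and `resource_group_name` fall through silently: a wrong `resource_group.lz_key` no longer fails when a resource group with the same key exists in the local landing zone, so the storage account can land in a different resource group (and inherit different tags) than the caller intended. When none of the four candidates resolves the `coalesce()` still errors, but with a message that names no key. A comment on each block such as `# lookup order: remote lz + resource_group.key, remote lz + resource_group_key, local lz + resource_group.key, local lz + resource_group_key; a bad key falls through to the next candidate rather than failing` would at least make the fallback explicit, and a stricter option is to compute the single intended (lz_key, key) pair first and index with it directly so a typo surfaces as an error. The `module "virtual_machines"` hunk of this commit has the same pattern.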
diff --git a/virtual_machines.tf b/virtual_machines.tf
index 6016e4ff56..6fb3228080 100755
--- a/virtual_machines.tf
+++ b/virtual_machines.tf
@@ -37,22 +37,22 @@ module "virtual_machines" { location = coalesce( try(local.global_settings.regions[each.value.region],null), - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location,null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location,null) ) base_tags = try(local.global_settings.inherit_tags, false) ? 
coalesce( - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags,null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags,null) ) : {} resource_group_name = coalesce( - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, - local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, - local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name,null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name,null) ) } 
From 7fa3050b95b3607be284bf46418967f81d8a20cd Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Sun, 5 Sep 2021 17:12:57 +0000 Subject: [PATCH 25/91] Initial Commit --- .../100-single-linux-vm/configuration.tfvars | 3 +++ .../virtual_machine/application_security_group.tf | 2 +- modules/compute/virtual_machine/diagnostics.tf | 3 +-- modules/compute/virtual_machine/network_interface.tf | 9 ++++++++- modules/compute/virtual_machine/output.tf | 11 ++++++++--- 5 files changed, 21 insertions(+), 7 deletions(-) diff --git a/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars b/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars index 3dbcd1b430..4133244cfd 100755 --- a/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars @@ -37,6 +37,9 @@ virtual_machines = { keyvault_key = "example_vm_rg1" # Define the number of networking cards to attach the virtual machine + # Option to use when BYOI (Bring your Own Interface) + # networking_interface_ids = ["/subscriptions//resourceGroups//providers/Microsoft.Network/networkInterfaces/"] + networking_interfaces = { nic0 = { # Value of the keys from networking.tfvars diff --git a/modules/compute/virtual_machine/application_security_group.tf b/modules/compute/virtual_machine/application_security_group.tf index 2bae8d7cc4..747ef252b6 100755 --- a/modules/compute/virtual_machine/application_security_group.tf +++ b/modules/compute/virtual_machine/application_security_group.tf @@ -9,7 +9,7 @@ locals { nic_asg = { for nic in flatten( [ - for nic_key, nic_value in var.settings.networking_interfaces : [ + for nic_key, nic_value in try(var.settings.networking_interfaces,[]) : [ for asg_key, asg_value in try(nic_value.networking_interface_asg_associations, {}) : { nic_key = nic_key asg_key = asg_key 
diff --git a/modules/compute/virtual_machine/diagnostics.tf b/modules/compute/virtual_machine/diagnostics.tf index 5730ed4d66..7409151379 100755 --- a/modules/compute/virtual_machine/diagnostics.tf +++ b/modules/compute/virtual_machine/diagnostics.tf @@ -1,7 +1,6 @@ - module "nics" { source = "../../diagnostics" - for_each = var.settings.networking_interfaces + for_each = try(var.settings.networking_interfaces,toset([])) resource_id = azurerm_network_interface.nic[each.key].id resource_location = azurerm_network_interface.nic[each.key].location diff --git a/modules/compute/virtual_machine/network_interface.tf b/modules/compute/virtual_machine/network_interface.tf index d8866cb54d..c5ef7fb115 100755 --- a/modules/compute/virtual_machine/network_interface.tf +++ b/modules/compute/virtual_machine/network_interface.tf @@ -1,7 +1,14 @@ locals { nic_ids = flatten( [ - for nic_key in var.settings.virtual_machine_settings[var.settings.os_type].network_interface_keys : [ + local.network_interface_ids, + try(var.settings.networking_interface_ids,[]) + ] + ) + + network_interface_ids = flatten( + [ + for nic_key in try(var.settings.virtual_machine_settings[var.settings.os_type].network_interface_keys,[]) : [ azurerm_network_interface.nic[nic_key].id ] ] diff --git a/modules/compute/virtual_machine/output.tf b/modules/compute/virtual_machine/output.tf index c5830f26a8..01f76b7701 100755 --- a/modules/compute/virtual_machine/output.tf +++ b/modules/compute/virtual_machine/output.tf 
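Review bot: The new bring-your-own `networking_interface_ids` path in `network_interface.tf` appends caller-supplied NIC resource IDs to `local.nic_ids` without any of the per-NIC handling the module applies to its own NICs: `diagnostics.tf` and `application_security_group.tf` in this same commit still iterate only `var.settings.networking_interfaces`, so an externally supplied interface gets no diagnostic settings and no ASG association from this module, and nothing checks that the supplied strings are NIC resource IDs at all. That may be the intended contract, but it should be written down; a comment above the `nic_ids` local such as `# networking_interface_ids are attached as-is: diagnostics and ASG associations are only managed for NICs created from networking_interfaces` would capture it, and the `configuration.tfvars` hunk that introduces the option could say the same. The `locals` block continues past the end of the hunk.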
@@ -43,9 +43,14 @@ output "ssh_keys" { } output "nic_id" { - value = flatten([ - for nic_key in var.settings.virtual_machine_settings[local.os_type].network_interface_keys : format("%s.%s", try(azurerm_network_interface.nic[nic_key].id, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].id) - ]) + value = coalescelist( + flatten( + [ + for nic_key in try(var.settings.virtual_machine_settings[local.os_type].network_interface_keys,[]) : format("%s.%s", try(azurerm_network_interface.nic[nic_key].id, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].id) + ] + ), + try(var.settings.networking_interface_ids,[]) + ) } output "nics" { From 3494574f16e7d82ad225743c4ac22eeef1fe978f Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Sun, 5 Sep 2021 17:18:13 +0000 Subject: [PATCH 26/91] Update output conditions --- modules/compute/virtual_machine/output.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/compute/virtual_machine/output.tf b/modules/compute/virtual_machine/output.tf index 01f76b7701..d054ffa005 100755 --- a/modules/compute/virtual_machine/output.tf +++ b/modules/compute/virtual_machine/output.tf 
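Review bot: `coalescelist()` in the new `nic_id` value returns only the first non-empty list, so a VM that has both module-created NICs (`network_interface_keys`) and `networking_interface_ids` reports only the module-created ones, even though `local.nic_ids` in `network_interface.tf` attaches both sets; and when both lists are empty `coalescelist` fails the plan instead of yielding `[]`. Replacing `coalescelist(` with `concat(` returns the union in the first case and an empty list in the second, which matches what the VM actually gets. The `format("%s.%s", ...)` element shape for module-created NICs is pre-existing and unchanged here.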
@@ -11,9 +11,9 @@ output "os_type" { } output "internal_fqdns" { - value = flatten([ - for nic_key in var.settings.virtual_machine_settings[local.os_type].network_interface_keys : format("%s.%s", try(azurerm_network_interface.nic[nic_key].internal_dns_name_label, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].internal_domain_name_suffix) - ]) + value = try(var.settings.networking_interfaces,null) != null ? flatten([ + for nic_key in try(var.settings.virtual_machine_settings[local.os_type].network_interface_keys,[]) : format("%s.%s", try(azurerm_network_interface.nic[nic_key].internal_dns_name_label, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].internal_domain_name_suffix) + ]) : null } output "admin_username" { From 9fa70042080936f721241f513138819196b6547e Mon Sep 17 00:00:00 2001 From: Swetha Sundar Date: Mon, 6 Sep 2021 15:58:13 +0800 Subject: [PATCH 27/91] Minor fix --- networking_private_dns.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/networking_private_dns.tf b/networking_private_dns.tf index e9b901f339..c354b01dfd 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf @@ -26,7 +26,7 @@ output "private_dns" { module "private_dns_vnet_links" { source = "./modules/networking/private_dns_vnet_link" for_each = try(local.networking.private_dns_vnet_links, {}) - depends = [module.private_dns] + depends_on = [module.private_dns] base_tags = {} global_settings = local.global_settings From caa2b6a3a160848f2990a3d9fd0dca30bb385133 Mon Sep 17 00:00:00 2001 From: Chun Saen Sean Lok Date: Tue, 7 Sep 2021 18:08:37 +0800 Subject: [PATCH 28/91] update typo --- networking.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/networking.tf b/networking.tf index 1fb6a522a4..c4e3ee1497 100755 --- a/networking.tf 
+++ b/networking.tf @@ -41,7 +41,7 @@ module "networking" { base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} remote_dns = { - azurerm_firewall = try(var.remote_objects.azurerm_firewall, null) #assumed from remote lz only + azurerm_firewalls = try(var.remote_objects.azurerm_firewalls, null) #assumed from remote lz only } } @@ -228,4 +228,4 @@ module "network_watchers" { settings = each.value tags = try(each.value.tags, null) global_settings = local.global_settings -} \ No newline at end of file +} From 3cefad70cda7b53e97d732b4c24e60c17d2ef81a Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Tue, 7 Sep 2021 10:13:09 +0000 Subject: [PATCH 29/91] update example --- .../configuration.tfvars | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars index 7f3a3185fa..d412a53f0f 100644 --- a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars +++ b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars @@ -22,16 +22,16 @@ vnets = { #dns_servers = ["10.2.0.5", "10.2.0.6"] # dns_servers_keys = { # ip1 = { - # lz_key = "", - # key = "", - # . resource_type = "azurerm_firewall", + # lz_key = "" + # key = "" + # . resource_type = "azurerm_firewalls" # interface_index = 0 #Optional it will take 0. # # } # ip2 = { - # lz_key = "", - # key = "", - # resource_type = "azurerm_firewall", + # lz_key = "" + # key = "" + # resource_type = "azurerm_firewalls" # } # } } From 0c0f943bc2af7b8255fe384ee48d18829bc9270b Mon Sep 17 00:00:00 2001 
From: Sean Lok Date: Sun, 5 Sep 2021 17:21:21 +0000 Subject: [PATCH 30/91] Support IDS in policy --- .../firewall_policies/firewall_policy.tf | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/modules/networking/firewall_policies/firewall_policy.tf b/modules/networking/firewall_policies/firewall_policy.tf index 9e7a273cfd..33d4b9123c 100755 --- a/modules/networking/firewall_policies/firewall_policy.tf +++ b/modules/networking/firewall_policies/firewall_policy.tf @@ -38,4 +38,36 @@ resource "azurerm_firewall_policy" "fwpol" { fqdns = try(var.settings.threat_intelligence_allowlist.fqdns, null) } } + + dynamic "intrusion_detection" { + for_each = try(var.settings.intrusion_detection, null) == null ? [] : [1] + + content { + mode = try(var.settings.intrusion_detection.mode, "Off") + + dynamic "signature_overrides" { + for_each = try(var.settings.intrusion_detection.signature_overrides, {}) + + content { + id = try(signature_overrides.value.id, null) + state = try(signature_overrides.value.state, null) + } + } + dynamic "traffic_bypass" { + for_each = try(var.settings.intrusion_detection.traffic_bypass, {}) + + content { + name = traffic_bypass.value.name + protocol = traffic_bypass.value.protocol + description = try(traffic_bypass.value.description, null) + destination_addresses = try(traffic_bypass.value.destination_addresses, null) + destination_ip_groups = try(traffic_bypass.value.destination_ip_groups, null) + destination_ports = try(traffic_bypass.value.destination_ports, null) + source_addresses = try(traffic_bypass.value.source_addresses , null) + source_ip_groups = try(traffic_bypass.value.source_ip_groups , null) + + } + } + } + } } \ No newline at end of file From 7032099ef813525d397c48dfc8d1ba18d98bcbcc Mon Sep 17 00:00:00 2001 From: Chun Saen Sean Lok Date: Tue, 7 Sep 2021 18:42:10 +0800 Subject: [PATCH 31/91] Add example --- .../configuration.tfvars | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) 
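Review bot: `mode = try(var.settings.intrusion_detection.mode, "Off")` means a caller who adds an `intrusion_detection = {}` block expecting to turn IDPS on gets a policy with detection off and no warning; the default is defensible, but that behaviour deserves a comment on the line, e.g. `# mode defaults to "Off": set "Alert" or "Deny" explicitly to enable IDPS`. Each `traffic_bypass` entry exempts the matched traffic from inspection entirely and is passed through without validation, so a short comment on that dynamic block (`# traffic_bypass rules are excluded from IDPS inspection; keep them as narrow as possible`) would help whoever reviews the tfvars later. The enclosing `azurerm_firewall_policy.fwpol` resource starts outside the hunk.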
diff --git a/examples/networking/firewall/103-firewall-policies/configuration.tfvars b/examples/networking/firewall/103-firewall-policies/configuration.tfvars index 9d75df11d1..4163cd7d3d 100644 --- a/examples/networking/firewall/103-firewall-policies/configuration.tfvars +++ b/examples/networking/firewall/103-firewall-policies/configuration.tfvars @@ -70,7 +70,32 @@ azurerm_firewall_policies = { name = "firewall_policy" resource_group_key = "test" region = "region1" - } + sku = "Premium" + + # threat_intelligence_mode = "Alert" + + # threat_intelligence_allowlist = { + # ip_addresses = [] + # fqdns = [] + # } + + # intrusion_detection = { + # mode = "Alert" + # signature_overrides = { + # id = "" + # state = "" + # } + # traffic_bypass = { + # name = "" + # protocol = "" + # description = "" + # destination_addresses = "" + # destination_ip_groups = "" + # destination_ports = "" + # source_addresses = "" + # source_ip_groups = "" + # } + # } } azurerm_firewall_policy_rule_collection_groups = { From 71c311cbe4add563a1aaacce36d60c615a6e1ead Mon Sep 17 00:00:00 2001 From: Elgeario <80390348+Elgeario@users.noreply.github.com> Date: Tue, 7 Sep 2021 17:10:13 +0100 Subject: [PATCH 32/91] Add Owner to Azuread group Code taken from Azuread_Application --- modules/azuread/groups/group.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/azuread/groups/group.tf b/modules/azuread/groups/group.tf index d68f93d270..6aeccb83f1 100755 --- a/modules/azuread/groups/group.tf +++ b/modules/azuread/groups/group.tf 
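Review bot: The commented `intrusion_detection` example shows `signature_overrides` and `traffic_bypass` as single flat objects (`{ id = "" state = "" }`), but the module hunk in the previous commit iterates each of them with `for_each` and reads `signature_overrides.value.id` / `traffic_bypass.value.name`, so a caller who uncomments this shape would iterate over the attribute values rather than over entries. The example should show a map of objects, e.g. `signature_overrides = { sig1 = { id = "" state = "" } }` and `traffic_bypass = { bypass1 = { name = "" protocol = "" ... } }`. The address, port and ip-group attributes are also shown as `""` where the provider presumably expects lists, so `[]` would be the clearer placeholder.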
@@ -3,5 +3,10 @@ resource "azuread_group" "group" { display_name = var.global_settings.passthrough ? format("%s", var.azuread_groups.name) : format("%s%s", try(format("%s-", var.global_settings.prefixes.0), ""), var.azuread_groups.name) description = lookup(var.azuread_groups, "description", null) prevent_duplicate_names = lookup(var.azuread_groups, "prevent_duplicate_names", null) - + owners = coalescelist( + try(var.settings.owners, []), + [ + var.client_config.object_id + ] + ) } From d0f4925651f0e72559ec3527c65f1c4da53a60b6 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Wed, 8 Sep 2021 07:51:51 +0000 Subject: [PATCH 33/91] add support for azure ad group membershipt for managed identities --- azuread_groups.tf | 1 + .../azuread/groups_members/azuread_groups_membership.tf | 9 +++++++++ modules/azuread/groups_members/membership/membership.tf | 9 ++++++++- modules/azuread/groups_members/membership/variables.tf | 3 +++ modules/azuread/groups_members/variables.tf | 3 +++ 5 files changed, 24 insertions(+), 1 deletion(-) diff --git a/azuread_groups.tf b/azuread_groups.tf index 36b4765efb..37b317f676 100644 --- a/azuread_groups.tf +++ b/azuread_groups.tf @@ -38,4 +38,5 @@ module "azuread_groups_membership" { settings = each.value group_id = local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.key].id azuread_service_principals = local.combined_objects_azuread_service_principals + managed_identities = local.combined_objects_managed_identities } diff --git a/modules/azuread/groups_members/azuread_groups_membership.tf b/modules/azuread/groups_members/azuread_groups_membership.tf index 3e6388aed5..f657d25625 100644 --- a/modules/azuread/groups_members/azuread_groups_membership.tf +++ b/modules/azuread/groups_members/azuread_groups_membership.tf 
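Review bot: `try(var.settings.owners, [])` reads `var.settings`, while every other attribute of this resource (`display_name`, `description`, `prevent_duplicate_names`) reads `var.azuread_groups`. If the module declares no `settings` input this is a validation error that `try()` does not catch; if it does declare one, owners configured under `azuread_groups` are silently ignored and every group falls back to the deploying identity in `var.client_config.object_id`. Suggest `try(var.azuread_groups.owners, [])`, plus a comment stating that the fallback makes the deployment identity an owner of every group, since owners can change membership. The `azuread_group` resource starts before this hunk.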
@@ -11,6 +11,15 @@ module "azuread_service_principals_membership" { members = each.value } +module "managed_identities_membership" { + source = "./membership" + for_each = try(var.settings.managed_identities, {}) + + group_object_id = var.group_id + managed_identities = var.managed_identities[try(each.value.lz_key, var.client_config.landingzone_key)] + members = each.value +} + module "membership_object_id" { source = "./member" for_each = { diff --git a/modules/azuread/groups_members/membership/membership.tf b/modules/azuread/groups_members/membership/membership.tf index f10cb944fa..2ea36201fe 100755 --- a/modules/azuread/groups_members/membership/membership.tf +++ b/modules/azuread/groups_members/membership/membership.tf @@ -1,6 +1,13 @@ resource "azuread_group_member" "ids" { - for_each = toset(try(var.members.keys, [])) + for_each = var.azuread_service_principals != {} ? toset(try(var.members.keys, [])) : [] group_object_id = var.group_object_id member_object_id = var.azuread_service_principals[each.key].object_id +} + +resource "azuread_group_member" "msi_ids" { + for_each = var.managed_identities != {} ? toset(try(var.members.keys, [])): [] + + group_object_id = var.group_object_id + member_object_id = var.managed_identities[each.key].principal_id } \ No newline at end of file diff --git a/modules/azuread/groups_members/membership/variables.tf b/modules/azuread/groups_members/membership/variables.tf index db250692e4..e154b7a5bd 100644 --- a/modules/azuread/groups_members/membership/variables.tf +++ b/modules/azuread/groups_members/membership/variables.tf @@ -5,6 +5,9 @@ variable "member_object_id" { variable "azuread_service_principals" { default = {} } +variable "managed_identities" { + default = {} +} variable "members" { default = {} } \ No newline at end of file diff --git a/modules/azuread/groups_members/variables.tf b/modules/azuread/groups_members/variables.tf index 2b13c8d9e1..63ce6af0a3 100755 --- a/modules/azuread/groups_members/variables.tf 
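Review bot: In `membership.tf`, the guards `var.azuread_service_principals != {}` and `var.managed_identities != {}` compare against the empty-object literal, and Terraform equality is type-sensitive, so as far as I can tell the check only works because an unset variable keeps its `{}` default; an explicitly passed empty map of a different type would not compare equal and `var.managed_identities[each.key]` would then fail instead of skipping. `length(var.managed_identities) > 0` expresses the intent independent of type, and the false branch should be `toset([])` so both branches of the conditional share the same set type: `for_each = length(var.managed_identities) > 0 ? toset(try(var.members.keys, [])) : toset([])` (same for the `ids` resource). The `managed_identities_membership` module in `azuread_groups_membership.tf` indexes `var.managed_identities[...]` without `try`, so a landing-zone key with no managed identities is a hard error rather than an empty membership; that may be intended, but a comment saying so would help.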
+++ b/modules/azuread/groups_members/variables.tf @@ -9,4 +9,7 @@ variable "azuread_apps" { } variable "azuread_service_principals" { default = {} +} +variable "managed_identities" { + default = {} } \ No newline at end of file From 540131532995d3b5e76fa34d48a8cc0ad23130fb Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Thu, 9 Sep 2021 03:54:57 +0000 Subject: [PATCH 34/91] Update to singular --- .../100-simple-vnet-subnets-nsgs/configuration.tfvars | 4 ++-- networking.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars index d412a53f0f..f5e56ae06f 100644 --- a/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars +++ b/examples/networking/virtual_network/100-simple-vnet-subnets-nsgs/configuration.tfvars @@ -24,14 +24,14 @@ vnets = { # ip1 = { # lz_key = "" # key = "" - # . resource_type = "azurerm_firewalls" + # . resource_type = "azurerm_firewall" # interface_index = 0 #Optional it will take 0. # # } # ip2 = { # lz_key = "" # key = "" - # resource_type = "azurerm_firewalls" + # resource_type = "azurerm_firewall" # } # } } diff --git a/networking.tf b/networking.tf index c4e3ee1497..9cd3a67fea 100755 --- a/networking.tf +++ b/networking.tf @@ -41,7 +41,7 @@ module "networking" { base_tags = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags : {} remote_dns = { - azurerm_firewalls = try(var.remote_objects.azurerm_firewalls, null) #assumed from remote lz only + azurerm_firewall = try(var.remote_objects.azurerm_firewalls, null) #assumed from remote lz only } } From 9265b7ed3fdc629e928d73168bc2ed6c49eb2c54 Mon Sep 17 00:00:00 2001 
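Review bot: The `remote_dns` key in `networking.tf` is renamed to the singular `azurerm_firewall`, but the value still reads `var.remote_objects.azurerm_firewalls`, and the surrounding `try(..., null)` means any mismatch between the two names shows up only as a null firewall at the consumer, never as an error. If `remote_objects` was renamed to the singular as well this lookup is now always null; if it was not, a comment such as `# remote_objects still uses the plural key azurerm_firewalls` would stop the next reader from "fixing" it. The example change in `100-simple-vnet-subnets-nsgs/configuration.tfvars` also keeps the stray `# .` before `resource_type` on the `ip1` entry, which looks like a leftover.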
From: Jor Seng Date: Thu, 9 Sep 2021 14:33:49 +0000 Subject: [PATCH 35/91] decouple key vault secrets --- modules/compute/virtual_machine/mssql_vm.tf | 122 ++++++++++++++++---- 1 file changed, 100 insertions(+), 22 deletions(-) diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf index 368a059600..32e44e1865 100644 --- a/modules/compute/virtual_machine/mssql_vm.tf +++ b/modules/compute/virtual_machine/mssql_vm.tf 
@@ -9,18 +9,16 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { r_services_enabled = try(each.value.mssql_settings.r_services_enabled, null) sql_connectivity_port = try(each.value.mssql_settings.sql_connectivity_port, null) sql_connectivity_type = try(each.value.mssql_settings.sql_connectivity_type, null) - # should the username and password for sql be the same as the one in vm? - sql_connectivity_update_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username - sql_connectivity_update_password = try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password + sql_connectivity_update_username = try(data.external.sql_username[each.key].result.value, null) + sql_connectivity_update_password = try(data.external.sql_password[each.key].result.value, null) tags = merge(local.tags, try(each.value.tags, null)) dynamic "auto_backup" { - for_each = try(each.value.mssql_settings.auto_backup, null) != null ? [1] : [] + for_each = try(each.value.mssql_settings.auto_backup, null) != null ? [1] : [] content { - encryption_enabled = try(each.value.mssql_settings.auto_backup.encryption_enabled, null) - # should the encryption password be different? - encryption_password = try(each.value.mssql_settings.auto_backup.encryption_enabled, false) ? try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password : null + encryption_enabled = try(each.value.mssql_settings.auto_backup.encryption_enabled, false) + encryption_password = try(each.value.mssql_settings.auto_backup.encryption_enabled, false) ? 
try(data.external.encryption_password[each.key].result.value, null) : null retention_period_in_days = each.value.mssql_settings.auto_backup.retention_period_in_days system_databases_backup_enabled = try(each.value.mssql_settings.auto_backup.system_databases_backup_enabled, null) storage_account_access_key = data.azurerm_storage_account.mssqlvm_backup_sa[each.key].primary_access_key @@ -53,22 +51,17 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { } } - # dynamic "key_vault_credentials" { - # for_each = try(each.value.mssql_settings.key_vault_credentials, null) != null ? [1] : [] + dynamic "key_vault_credential" { + for_each = try(each.value.mssql_settings.sql_authentication.keyvault_credential, null) != null ? [1] : [] - # content { - # name = each.value.mssql_settings.key_vault_credentials.name - # key_vault_url = - # service_principal_name = - # service_principal_secret = - # } - # } + content { + name = each.value.mssql_settings.sql_authentication.keyvault_credential.name + key_vault_url = try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.keyvault_credential.lz_key,var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri, null) + service_principal_name = try(data.external.sp_client_id[each.key].result.value, null) + service_principal_secret = try(data.external.sp_client_secret[each.key].result.value, null) + } + } - # should the sp secret be stored in the vm kv or a separate one? - # if not shared with vm kv, should the kv_url be the same kv as where the sp credential is stored? - - - dynamic "storage_configuration" { for_each = try(each.value.mssql_settings.storage_configuration, null) != null ? [1] : [] 
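Review bot: `sql_connectivity_update_username` / `sql_connectivity_update_password` now fall back to `null` via `try(data.external.sql_password[each.key].result.value, null)`; before this change a VM without dedicated SQL credentials reused the VM admin credentials. A `virtual_machine_settings` entry that omits `sql_authentication.sql_credential` has no entry in the filtered `for_each` of `data.external.sql_username` / `sql_password`, so the `try` quietly submits null credentials, which is a behaviour change callers should see. Either keep the previous fallback as the last `try` argument, or document the new requirement above the two lines, e.g. `# SQL credentials must come from Key Vault via sql_authentication.sql_credential; no fallback to the VM admin account`. The `encryption_enabled` default also moves from `null` to `false` here, a harmless but undocumented tightening. The `azurerm_mssql_virtual_machine` resource starts before this hunk.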
@@ -123,4 +116,89 @@ data "azurerm_storage_account" "mssqlvm_backup_sa" { try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), ) -} \ No newline at end of file +} + + +# Use data external to retrieve value from different subscription + +data "external" "sql_username" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if try(value.mssql_settings.sql_authentication.sql_credential, null) != null + } + + program = [ + "bash", "-c", + format( + "az keyvault secret show --name '%s' --vault-name '%s' --query '{value: value }' -o json", + each.value.mssql_settings.sql_authentication.sql_credential.sql_username_key, + try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.sql_credential.lz_key, var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.sql_credential.keyvault_key].name, null) + ) + ] +} + +data "external" "sql_password" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if try(value.mssql_settings.sql_authentication.sql_credential, null) != null + } + + program = [ + "bash", "-c", + format( + "az keyvault secret show --name '%s' --vault-name '%s' --query '{value: value }' -o json", + each.value.mssql_settings.sql_authentication.sql_credential.sql_password_key, + try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.sql_credential.lz_key, var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.sql_credential.keyvault_key].name, null) + ) + ] +} + +data "external" "encryption_password" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if 
try(value.mssql_settings.auto_backup.encryption_password, null) != null + } + + program = [ + "bash", "-c", + format( + "az keyvault secret show --name '%s' --vault-name '%s' --query '{value: value }' -o json", + each.value.mssql_settings.auto_backup.encryption_password.encryption_password_key, + try(var.keyvaults[try(each.value.mssql_settings.auto_backup.encryption_password.lz_key, var.client_config.landingzone_key)][each.value.mssql_settings.auto_backup.encryption_password.keyvault_key].name, null) + ) + ] +} + + +data "external" "sp_client_id" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if try(value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets, null) != null + } + + program = [ + "bash", "-c", + format( + "az keyvault secret show --name '%s' --vault-name '%s' --query '{value: value }' -o json", + each.value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets.sp_client_id_key, + try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets.lz_key, var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets.keyvault_key].name, null) + ) + ] +} + +data "external" "sp_client_secret" { + for_each = { + for key, value in try(var.settings.virtual_machine_settings, {}) : key => value + if try(value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets, null) != null + } + + program = [ + "bash", "-c", + format( + "az keyvault secret show --name '%s' --vault-name '%s' --query '{value: value }' -o json", + each.value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets.sp_client_secret_key, + try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets.lz_key, 
var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.keyvault_credential.service_principal_secrets.keyvault_key].name, null) + ) + ] +} + From 7b2a33caad026a8c33f6501e0e700ddcd452150b Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Fri, 10 Sep 2021 02:13:24 +0000 Subject: [PATCH 36/91] decouple secrets to kv --- .../108-mssql-vm/configuration.tfvars | 281 ++++++++++++++++++ modules/compute/virtual_machine/mssql_vm.tf | 5 +- 2 files changed, 285 insertions(+), 1 deletion(-) diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars index 31ffdac86a..39a60d8cab 100644 --- a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars 
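Review bot: Each of the five `data "external"` blocks (`sql_username`, `sql_password`, `encryption_password`, `sp_client_id`, `sp_client_secret`) builds a command line with `format("az keyvault secret show --name '%s' --vault-name '%s' ...")` and hands it to `bash -c`, so the secret name and vault name taken from `var.settings` are interpreted by a shell, and the single quotes are the only thing separating configuration text from shell syntax (a value containing a quote breaks out of them). Passing each value as its own argv element removes the shell entirely, as sketched below for `sql_username`; the same shape applies to the other four blocks. Separately, `result.value` of an external data source is not marked sensitive, so the fetched password and client secret are printed in plan output wherever they are referenced (they land in state either way); wrapping the consuming expressions in `sensitive()` if the pinned Terraform version supports it, or at least a comment stating this, is worth adding. The `try(..., null)` on the vault name only turns a missing keyvault key into a null program argument, which fails anyway, so a direct lookup would give a clearer error.

```hcl
data "external" "sql_username" {
  # … unchanged: for_each filter on sql_authentication.sql_credential …

  # Each argument is its own argv element: no shell, so names taken from
  # configuration are never parsed as command syntax.
  program = [
    "az", "keyvault", "secret", "show",
    "--name", each.value.mssql_settings.sql_authentication.sql_credential.sql_username_key,
    "--vault-name", try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.sql_credential.lz_key, var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.sql_credential.keyvault_key].name, null),
    "--query", "{value: value}",
    "-o", "json",
  ]
}
```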
@@ -176,6 +176,287 @@ virtual_machines = { } + storage_configuration = { + disk_type = "NEW" # NEW, EXTEND, ADD + storage_workload_type = "GENERAL" # GENERAL, OLTP, DW + + data_settings = { + default_file_path = "F:\\data" + luns = [1] + } + } + + # key_vault_credentials = {} # not supported yet + } + + } + } + data_disks = { + data1 = { + name = "datadisk1" + storage_account_type = "Premium_LRS" + create_option = "Empty" + disk_size_gb = "10" + lun = 1 + zones = ["1"] + } + } + + } +} + +resource_groups = { + rg1 = { + name = "mssql-vm-rg" + } +} + +storage_accounts = { + sa1 = { + name = "backupsa" + resource_group_key = "rg1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + } +} + +keyvaults = { + kv1 = { + name = "vmsecretskv" + resource_group_key = "rg1" + sku_name = "standard" + soft_delete_enabled = true + purge_protection_enabled = false + tags = { + env = "Standalone" + } + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"] + } + } + } + sql_cred_kv = { + name = "sqlsecretkv" + resource_group_key = "rg1" + sku_name = "standard" + soft_delete_enabled = true + purge_protection_enabled = false + tags = { + env = "Standalone" + } + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"] + } + } + } + sp_secrets = { + name = "spsecretkv" + resource_group_key = "rg1" + sku_name = "standard" + soft_delete_enabled = true + purge_protection_enabled = false + tags = { + env = "Standalone" + } + creation_policies = { + logged_in_user = { + 
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"] + } + } + } +} + +dynamic_keyvault_secrets = { + kv1 = { # Key of the keyvault + vmadmin-username = { + secret_name = "vmadmin-username" + value = "vmadmin" + } + vmadmin-password = { + secret_name = "vmadmin-password" + value = "Very@Str5ngP!44w0rdToChaNge#" + } + sql-username = { + secret_name = "sql-username" + value = "sqllogin" + } + sql-password = { + secret_name = "sql-password" + value = "Very@Str5ngP!44w0rdToChaNge#" + } + encryption-password = { + secret_name = "encryption-password" + value = "Very@Str5ngP!44w0rdToChaNge#" + } + } + sp_secrets = { + sp-client-id = { + secret_name = "sp-client-id" + value = "" + } + sp-client-secret = { + secret_name = "sp-client-secret" + value = "" + } + } +} + +vnets = { + vnet1 = { + resource_group_key = "rg1" + vnet = { + name = "mssqlvm" + address_space = ["10.100.0.0/16"] + } + specialsubnets = {} + subnets = { + subnet1 = { + name = "compute" + cidr = ["10.100.1.0/24"] + } + } + + } +} + + +public_ip_addresses = { + pip1 = { + name = "pip1" + resource_group_key = "rg1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + + } +} + +# Virtual machines +virtual_machines = { + + # Configuration to deploy a bastion host linux virtual machine + example_vm1 = { + resource_group_key = "rg1" + provision_vm_agent = true + # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage + # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts + # if boot_diagnostics_storage_account_key is not defined, but 
global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage + boot_diagnostics_storage_account_key = "" + + os_type = "windows" + + # the auto-generated ssh key in keyvault secret. Secret name being {VM name}-ssh-public and {VM name}-ssh-private + keyvault_key = "kv1" + + # Define the number of networking cards to attach the virtual machine + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "vnet1" + subnet_key = "subnet1" + name = "0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + public_ip_address_key = "pip1" + } + } + + virtual_machine_settings = { + windows = { + name = "mssqlvm" + size = "Standard_D4as_v4" + zone = "1" + + admin_username_key = "vmadmin-username" + admin_password_key = "vmadmin-password" + + # Spot VM to save money + priority = "Spot" + eviction_policy = "Deallocate" + + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic0"] + + os_disk = { + name = "osdisk" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + managed_disk_type = "StandardSSD_LRS" + disk_size_gb = "128" + create_option = "FromImage" + } + source_image_reference = { + publisher = "MicrosoftSQLServer" + offer = "SQL2017-WS2016" + # offer = "sql2019-ws2019" + sku = "SQLDEV" + version = "latest" + } + + mssql_settings = { # requires SQL Image in source_image_reference + sql_license_type = "PAYG" + r_services_enabled = true + sql_connectivity_port = 1433 + sql_connectivity_type = "PRIVATE" + + # sql credentials is the same as the one for vm + sql_authentication = { + sql_credential = { + # lz_key = "" + keyvault_key = "kv1" + sql_username_key = "sql-username" + sql_password_key = "sql-password" + } + + keyvault_credential = { + name = "sqlkv_credentials" + # lz_key = "" + keyvault_key = "sql_cred_kv" # get url from here + service_principal_secrets = { # sp secret to access the kv above + # lz_key = "" + keyvault_key = "sp_secrets" # get url from here + sp_client_id_key = "sp-client-id" + sp_client_secret_key = "sp-client-secret" + } + } + + } + + auto_patching = { + day_of_week = "Sunday" + maintenance_window_duration_in_minutes = 60 + maintenance_window_starting_hour = 2 + } + auto_backup = { + encryption_enabled = false # uses the vmadmin password + # ERROR: unable to locate password as the secret has not been created yet + encryption_password = { + # lz_key = "" + keyvault_key = "kv1" + encryption_password_key = "encryption-password" + } + retention_period_in_days = 7 + storage_account = { + # lz_key = "" + key = "sa1" + } + manual_schedule = { + full_backup_frequency = "Weekly" # Daily / Weekly + full_backup_start_hour = 0 # 0 - 23 + full_backup_window_in_hours = 1 # 1 - 23 + log_backup_frequency_in_minutes = 60 # 5 - 60f + } + + } + + storage_configuration = { disk_type = "NEW" # NEW, EXTEND, ADD storage_workload_type = 
"GENERAL" # GENERAL, OLTP, DW diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf index 32e44e1865..2e3acccb0f 100644 --- a/modules/compute/virtual_machine/mssql_vm.tf +++ b/modules/compute/virtual_machine/mssql_vm.tf @@ -56,7 +56,10 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { content { name = each.value.mssql_settings.sql_authentication.keyvault_credential.name - key_vault_url = try(var.keyvaults[try(each.value.mssql_settings.sql_authentication.keyvault_credential.lz_key,var.client_config.landingzone_key)][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri, null) + key_vault_url = coalesce( + try(var.keyvaults[each.value.mssql_settings.sql_authentication.keyvault_credential.lz_key][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri , null), + try(var.keyvaults[var.client_config.landingzone_key][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri , null), + ) service_principal_name = try(data.external.sp_client_id[each.key].result.value, null) service_principal_secret = try(data.external.sp_client_secret[each.key].result.value, null) } From 66683728a0be5efec0d4fc6e9b0bf01f586d68e3 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Fri, 10 Sep 2021 02:39:22 +0000 Subject: [PATCH 37/91] clean up example config --- .../108-mssql-vm/configuration.tfvars | 200 ------------------ 1 file changed, 200 deletions(-) diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars index 39a60d8cab..ddf2836d61 100644 --- a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars 
@@ -21,206 +21,6 @@ storage_accounts = { } } -keyvaults = { - kv1 = { - name = "vmsecretskv" - resource_group_key = "rg1" - sku_name = "standard" - soft_delete_enabled = true - purge_protection_enabled = false - tags = { - env = "Standalone" - } - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"] - } - } - } -} - -dynamic_keyvault_secrets = { - kv1 = { # Key of the keyvault - vmadmin-username = { - secret_name = "vmadmin-username" - value = "vmadmin" - } - vmadmin-password = { - secret_name = "vmadmin-password" - value = "Very@Str5ngP!44w0rdToChaNge#" - } - } -} - -vnets = { - vnet1 = { - resource_group_key = "rg1" - vnet = { - name = "mssqlvm" - address_space = ["10.100.0.0/16"] - } - specialsubnets = {} - subnets = { - subnet1 = { - name = "compute" - cidr = ["10.100.1.0/24"] - } - } - - } -} - - -public_ip_addresses = { - pip1 = { - name = "pip1" - resource_group_key = "rg1" - sku = "Standard" - allocation_method = "Static" - ip_version = "IPv4" - idle_timeout_in_minutes = "4" - - } -} - -# Virtual machines -virtual_machines = { - - # Configuration to deploy a bastion host linux virtual machine - example_vm1 = { - resource_group_key = "rg1" - provision_vm_agent = true - # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage - # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts - # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage - boot_diagnostics_storage_account_key = "" - - os_type 
= "windows" - - # the auto-generated ssh key in keyvault secret. Secret name being {VM name}-ssh-public and {VM name}-ssh-private - keyvault_key = "kv1" - - # Define the number of networking cards to attach the virtual machine - networking_interfaces = { - nic0 = { - # Value of the keys from networking.tfvars - vnet_key = "vnet1" - subnet_key = "subnet1" - name = "0" - enable_ip_forwarding = false - internal_dns_name_label = "nic0" - public_ip_address_key = "pip1" - } - } - - virtual_machine_settings = { - windows = { - name = "mssqlvm" - size = "Standard_D4as_v4" - zone = "1" - - admin_username_key = "vmadmin-username" - admin_password_key = "vmadmin-password" - - # Spot VM to save money - priority = "Spot" - eviction_policy = "Deallocate" - - # Value of the nic keys to attach the VM. The first one in the list is the default nic - network_interface_keys = ["nic0"] - - os_disk = { - name = "osdisk" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - managed_disk_type = "StandardSSD_LRS" - disk_size_gb = "128" - create_option = "FromImage" - } - source_image_reference = { - publisher = "MicrosoftSQLServer" - offer = "SQL2017-WS2016" - # offer = "sql2019-ws2019" - sku = "SQLDEV" - version = "latest" - } - - mssql_settings = { # requires SQL Image in source_image_reference - sql_license_type = "PAYG" - r_services_enabled = true - sql_connectivity_port = 1433 - sql_connectivity_type = "PRIVATE" - - # sql credentials is the same as the one for vm - - auto_patching = { - day_of_week = "Sunday" - maintenance_window_duration_in_minutes = 60 - maintenance_window_starting_hour = 2 - } - auto_backup = { - encryption_enabled = false # uses the vmadmin password - retention_period_in_days = 7 - storage_account = { - # lz_key = "" - key = "sa1" - } - manual_schedule = { - full_backup_frequency = "Weekly" # Daily / Weekly - full_backup_start_hour = 0 # 0 - 23 - full_backup_window_in_hours = 1 # 1 - 23 - log_backup_frequency_in_minutes = 60 # 5 - 60f - } - - } - - - 
storage_configuration = { - disk_type = "NEW" # NEW, EXTEND, ADD - storage_workload_type = "GENERAL" # GENERAL, OLTP, DW - - data_settings = { - default_file_path = "F:\\data" - luns = [1] - } - } - - # key_vault_credentials = {} # not supported yet - } - - } - } - data_disks = { - data1 = { - name = "datadisk1" - storage_account_type = "Premium_LRS" - create_option = "Empty" - disk_size_gb = "10" - lun = 1 - zones = ["1"] - } - } - - } -} - -resource_groups = { - rg1 = { - name = "mssql-vm-rg" - } -} - -storage_accounts = { - sa1 = { - name = "backupsa" - resource_group_key = "rg1" - account_kind = "StorageV2" - account_tier = "Standard" - account_replication_type = "LRS" - } -} - keyvaults = { kv1 = { name = "vmsecretskv" From ae0959953ec35c9a286b3baedc7a1bc48c12186b Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Fri, 10 Sep 2021 05:21:53 +0000 Subject: [PATCH 38/91] Allow input of resource id in private link --- .../endpoints/centralized/private_endpoints.tfvars | 13 +++++++++++++ .../subnet/diagnostic_event_hub_namespaces.tf | 5 ++++- .../endpoints/subnet/diagnostic_storage_accounts.tf | 5 ++++- .../endpoints/subnet/eventhub_namespaces.tf | 6 +++++- .../private_links/endpoints/subnet/keyvaults.tf | 6 +++++- .../private_links/endpoints/subnet/mssql_servers.tf | 6 +++++- .../private_links/endpoints/subnet/mysql_servers.tf | 6 +++++- .../endpoints/subnet/recovery_vaults.tf | 6 +++++- .../private_links/endpoints/subnet/redis_cache.tf | 6 +++++- .../endpoints/subnet/storage_accounts.tf | 6 +++++- networking_private_links.tf | 10 +++++++++- 11 files changed, 65 insertions(+), 10 deletions(-) diff --git a/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars b/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars index 5aff5d8b21..a05d81dc6e 100644 --- a/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars 
+++ b/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars @@ -3,6 +3,7 @@ private_endpoints = { # lz_key = "" # Landingzone key when deployed in remote landing zone vnet_key = "vnet_01" subnet_keys = ["subnet_01"] + # resource_group_key = "" # Key of resource group of the vnet storage_accounts = { level0 = { @@ -23,6 +24,18 @@ private_endpoints = { keys = ["dns1"] } } + # level1custom = { + # resource_id = "" # Using the created resource id if resource are created outside of CAF + # + # private_service_connection = { + # name = "" + # } + # private_dns = { + # zone_group_name = "default" + # # lz_key = "" # If the DNS keys are deployed in a remote landingzone + # keys = ["dns1"] + # } + # } } # Diagnostics objects are global and inherit from base core landing zones diff --git a/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf b/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf index 000c61c181..9dac89074f 100644 --- a/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf +++ b/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf @@ -5,7 +5,10 @@ module "diagnostic_event_hub_namespaces" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = var.remote_objects.diagnostic_event_hub_namespaces[each.key].id + resource_id = coalesce( + try(var.remote_objects.diagnostic_event_hub_namespaces[each.key].id, null), + try(each.value.resource_id) + ) subresource_names = ["namespace"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf b/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf index 47e516cf5b..36ddf9cfde 100644 --- a/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf 
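Review bot: The second `coalesce()` argument in `diagnostic_event_hub_namespaces.tf`, `try(each.value.resource_id)`, has no fallback expression, and a `try()` whose only expression fails is itself an error; since all `coalesce` arguments are evaluated, every endpoint that relies on the remote-object lookup and does not set `resource_id` now fails to plan. It should read `try(each.value.resource_id, null)`, as the other files in this commit already write it. The same one-argument `try()` appears in the `diagnostic_storage_accounts.tf` hunk.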
+++ b/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf @@ -5,7 +5,10 @@ module "diagnostic_storage_account" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = var.remote_objects.diagnostic_storage_accounts[each.key].id + resource_id = coalesce( + try(var.remote_objects.diagnostic_storage_accounts[each.key].id, null), + try(each.value.resource_id) + ) subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf b/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf index be6802191f..30649f1490 100644 --- a/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf +++ b/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf @@ -5,7 +5,11 @@ module "event_hub_namespaces" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.event_hub_namespaces[each.value.lz_key][each.key].id, var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][each.key].id) + resource_id = coalesce( + try(var.remote_objects.event_hub_namespaces[each.value.lz_key][each.key].id, null), + try(var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][each.key].id, null), + try(each.value.resource_id, null) + ) subresource_names = ["namespace"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/keyvaults.tf b/modules/networking/private_links/endpoints/subnet/keyvaults.tf index e6167c8cb1..cb2298d7f4 100644 --- a/modules/networking/private_links/endpoints/subnet/keyvaults.tf +++ b/modules/networking/private_links/endpoints/subnet/keyvaults.tf 
@@ -5,7 +5,11 @@ module "keyvault" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.keyvaults[each.value.lz_key][each.key].id, var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id) + resource_id = coalesce( + try(var.remote_objects.keyvaults[each.value.lz_key][each.key].id, null), + try(var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id, null), + try(each.value.resource_id, null) + ) subresource_names = ["vault"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/mssql_servers.tf b/modules/networking/private_links/endpoints/subnet/mssql_servers.tf index 08a694380c..402d6581e4 100644 --- a/modules/networking/private_links/endpoints/subnet/mssql_servers.tf +++ b/modules/networking/private_links/endpoints/subnet/mssql_servers.tf @@ -5,7 +5,11 @@ module "mssql_servers" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.mssql_servers[each.value.lz_key][each.key].id, var.remote_objects.mssql_servers[var.client_config.landingzone_key][each.key].id) + resource_id = coalesce( + try(var.remote_objects.mssql_servers[each.value.lz_key][each.key].id, null), + try(var.remote_objects.mssql_servers[var.client_config.landingzone_key][each.key].id, null), + try(each.value.resource_id, null) + ) subresource_names = ["sqlServer"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/mysql_servers.tf b/modules/networking/private_links/endpoints/subnet/mysql_servers.tf index 83265ca04b..9c77f5e47c 100644 --- a/modules/networking/private_links/endpoints/subnet/mysql_servers.tf +++ b/modules/networking/private_links/endpoints/subnet/mysql_servers.tf 
@@ -5,7 +5,11 @@ module "mysql_servers" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.mysql_servers[each.value.lz_key][each.key].id, var.remote_objects.mysql_servers[var.client_config.landingzone_key][each.key].id) + resource_id = coalesce( + try(var.remote_objects.mysql_servers[each.value.lz_key][each.key].id, null), + try(var.remote_objects.mysql_servers[var.client_config.landingzone_key][each.key].id, null), + try(each.value.resource_id, null) + ) subresource_names = ["mysqlServer"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf b/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf index 2136612d8f..969f313dae 100644 --- a/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf +++ b/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf @@ -5,7 +5,11 @@ module "recovery_vault" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.recovery_vaults[each.value.lz_key][each.key].id, var.remote_objects.recovery_vaults[var.client_config.landingzone_key][each.key].id) + resource_id = coalesce( + try(var.remote_objects.recovery_vaults[each.value.lz_key][each.key].id, null), + try(var.remote_objects.recovery_vaults[var.client_config.landingzone_key][each.key].id, null), + try(each.value.resource_id, null) + ) subresource_names = ["AzureSiteRecovery"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/redis_cache.tf b/modules/networking/private_links/endpoints/subnet/redis_cache.tf index 67a469dd71..4fc4410903 100644 --- a/modules/networking/private_links/endpoints/subnet/redis_cache.tf +++ b/modules/networking/private_links/endpoints/subnet/redis_cache.tf 
@@ -5,7 +5,11 @@ module "redis_caches" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.redis_caches[each.value.lz_key][each.key].redis_cache.id, var.remote_objects.redis_caches[var.client_config.landingzone_key][each.key].redis_cache.id) + resource_id = coalesce( + try(var.remote_objects.redis_caches[each.value.lz_key][each.key].redis_cache.id, null), + try(var.remote_objects.redis_caches[var.client_config.landingzone_key][each.key].redis_cache.id,null), + try(each.value.resource_id,null) + ) subresource_names = ["redisCache"] subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/modules/networking/private_links/endpoints/subnet/storage_accounts.tf b/modules/networking/private_links/endpoints/subnet/storage_accounts.tf index 47edad5aed..78cc64bc7d 100644 --- a/modules/networking/private_links/endpoints/subnet/storage_accounts.tf +++ b/modules/networking/private_links/endpoints/subnet/storage_accounts.tf @@ -5,7 +5,11 @@ module "storage_account" { global_settings = var.global_settings client_config = var.client_config settings = each.value - resource_id = try(var.remote_objects.storage_accounts[each.value.lz_key][each.key].id, var.remote_objects.storage_accounts[var.client_config.landingzone_key][each.key].id) + resource_id = coalesce( + try(var.remote_objects.storage_accounts[each.value.lz_key][each.key].id, null), + try(var.remote_objects.storage_accounts[var.client_config.landingzone_key][each.key].id, null), + try(each.value.resource_id, null) + ) subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) subnet_id = var.subnet_id private_dns = var.private_dns diff --git a/networking_private_links.tf b/networking_private_links.tf index 6d40ce7824..44534d4e8a 100755 --- a/networking_private_links.tf +++ b/networking_private_links.tf 
@@ -9,7 +9,15 @@ module "private_endpoints" { private_endpoints = var.networking.private_endpoints private_dns = local.combined_objects_private_dns vnet = try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key], local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key]) - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + #base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + base_tags = try(local.global_settings.inherit_tags, false) ? coalesce( + try(local.resource_groups[each.value.resource_group_key].tags,null), + try(local.resource_groups[each.value.lz_key][each.value.resource_group_key].tags,null), + try(local.combined_objects_resource_groups[each.value.lz_key][each.value.resource_group.key].tags,null), + try(local.combined_objects_resource_groups[each.value.lz_key][each.value.resource_group_key].tags,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags,null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags,null) + ) : {} remote_objects = { diagnostic_storage_accounts = local.combined_diagnostics.storage_accounts From a5deee7fcad4250972a0cc0d9187e5c5df23ff10 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Fri, 10 Sep 2021 05:23:08 +0000 Subject: [PATCH 39/91] update try value --- .../endpoints/subnet/diagnostic_event_hub_namespaces.tf | 2 +- .../endpoints/subnet/diagnostic_storage_accounts.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf b/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf index 9dac89074f..0599545439 100644 
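Review bot: The second candidate, `try(local.resource_groups[each.value.lz_key][each.value.resource_group_key].tags, null)`, can never resolve: `local.resource_groups` is indexed directly by resource-group key, as the first candidate and the commented-out line show, not by landing-zone key, so it is dead code that only obscures the real resolution order. Drop it, and delete the commented-out old `base_tags` line instead of keeping history in the file. The remaining lookups could be collapsed into the shape already used for resource groups elsewhere in this series, `local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags`, which keeps the precedence readable. Note that `coalesce` now errors when nothing resolves while `inherit_tags` is true, which is acceptable but deserves a one-line comment. The module block continues outside the hunk.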
--- a/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf +++ b/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf @@ -7,7 +7,7 @@ module "diagnostic_event_hub_namespaces" { settings = each.value resource_id = coalesce( try(var.remote_objects.diagnostic_event_hub_namespaces[each.key].id, null), - try(each.value.resource_id) + try(each.value.resource_id, null) ) subresource_names = ["namespace"] subnet_id = var.subnet_id diff --git a/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf b/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf index 36ddf9cfde..00a7eaf6d3 100644 --- a/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf +++ b/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf @@ -7,7 +7,7 @@ module "diagnostic_storage_account" { settings = each.value resource_id = coalesce( try(var.remote_objects.diagnostic_storage_accounts[each.key].id, null), - try(each.value.resource_id) + try(each.value.resource_id, null) ) subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) subnet_id = var.subnet_id From 0fca19edb78d8372ca230be1630a569ca71f14d5 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Fri, 10 Sep 2021 05:32:26 +0000 Subject: [PATCH 40/91] remove comment --- .../compute/virtual_machine/108-mssql-vm/configuration.tfvars | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars index ddf2836d61..2da2db8da4 100644 --- a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars @@ -267,7 +267,6 @@ virtual_machines = { } } - # key_vault_credentials = {} # not supported yet } } 
From fa2382ad9bc2a4e52dd40d74ae407695439b9278 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 14 Sep 2021 09:05:22 +0000 Subject: [PATCH 41/91] Adding CI scenario and update to 2.76 --- .github/workflows/standalone-scenarios.json | 1 + main.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index fa6a63dc32..2f96bf888b 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -104,6 +104,7 @@ "networking/load_balancers/104-load-balancer-diagnostics", "networking/nat_gateways/100-nat-gateways-with-public-ip", "networking/private_dns/100-private-dns-vnet-links", + "networking/private_dns_vnet_link/100_pvtdns_vnetlink", "networking/private_links/endpoints/centralized", "networking/virtual_network_gateway/100-expressroute-gateway", "networking/virtual_network_gateway/101-vpn-site-to-site", diff --git a/main.tf b/main.tf index c989c948ed..146c7412f8 100755 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.75.0" + version = "~> 2.76.0" } azuread = { source = "hashicorp/azuread" From 8ea304cf4cb82664e951dfc23d76c529ba5c6c2b Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 14 Sep 2021 09:07:29 +0000 Subject: [PATCH 42/91] Wrong variables for #677 --- azuread_groups.tf | 1 + modules/azuread/groups/group.tf | 2 +- modules/azuread/groups/variables.tf | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/azuread_groups.tf b/azuread_groups.tf index 36b4765efb..9e4cfeca49 100644 --- a/azuread_groups.tf +++ b/azuread_groups.tf @@ -10,6 +10,7 @@ module "azuread_groups" { global_settings = local.global_settings azuread_groups = each.value tenant_id = local.client_config.tenant_id + client_config = local.client_config } output "azuread_groups" { 
diff --git a/modules/azuread/groups/group.tf b/modules/azuread/groups/group.tf index 6aeccb83f1..df62929b54 100755 --- a/modules/azuread/groups/group.tf +++ b/modules/azuread/groups/group.tf @@ -4,7 +4,7 @@ resource "azuread_group" "group" { description = lookup(var.azuread_groups, "description", null) prevent_duplicate_names = lookup(var.azuread_groups, "prevent_duplicate_names", null) owners = coalescelist( - try(var.settings.owners, []), + try(var.azuread_groups.owners, []), [ var.client_config.object_id ] diff --git a/modules/azuread/groups/variables.tf b/modules/azuread/groups/variables.tf index 289aca87c9..4e81775e96 100755 --- a/modules/azuread/groups/variables.tf +++ b/modules/azuread/groups/variables.tf @@ -7,4 +7,7 @@ variable "azuread_groups" { variable "tenant_id" { description = "The tenant ID of the Azure AD environment where to create the groups." type = string +} +variable "client_config" { + description = "Client configuration object (see module README.md)." } \ No newline at end of file From 6f5c7ea60c4a8044b817bce5ba92762a06665c9d Mon Sep 17 00:00:00 2001 From: Chun Saen Sean Lok Date: Tue, 14 Sep 2021 18:26:15 +0800 Subject: [PATCH 43/91] Support remote kv for sql --- .../102-private-endpoint-mysql/configuration.tfvars | 5 +++++ mssql_servers.tf | 7 ++++++- msssql_managed_instances.tf | 7 ++++++- mysql_servers.tf | 7 ++++++- 4 files changed, 23 insertions(+), 3 deletions(-) diff --git a/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars b/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars index d05afc7f45..790f06e289 100644 --- a/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars +++ b/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars 
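Review bot: With the variable reference corrected the fallback now actually fires, so every group defined without `owners` gets `var.client_config.object_id`, presumably the principal running Terraform, as an Azure AD group owner; that is a standing privilege to manage the group's membership that persists after the pipeline run, and it is not visible to anyone reading the configuration. It is a defensible bootstrap default, but make it explicit: add above the expression `# No owners configured: fall back to the deploying identity so the group remains manageable by the pipeline; review before production use.` and give `variable "client_config"` in variables.tf a description naming the field read here (`object_id`) rather than only pointing at the README. The resource block continues outside the hunk.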
@@ -30,6 +30,11 @@ mysql_servers = { # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. # administrator_login_password = "ComplxP@ssw0rd!" keyvault_key = "mysql-re1" + # If your keyvault is on remote lz use this: + # keyvault = { + # lz_key = "" #lz which the keyvault is located + # key = "" #keyvault resource key + # } system_msi = true public_network_access_enabled = true auto_grow_enabled = true diff --git a/mssql_servers.tf b/mssql_servers.tf index 0df767b1e0..eacd36a5e5 100755 --- a/mssql_servers.tf +++ b/mssql_servers.tf @@ -21,7 +21,12 @@ module "mssql_servers" { resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} private_dns = local.combined_objects_private_dns - keyvault_id = try(each.value.administrator_login_password, null) == null ? module.keyvaults[each.value.keyvault_key].id : null + keyvault_id = coalesce( + try(each.value.administrator_login_password, null), + try(module.keyvaults[each.value.keyvault_key].id, null), + try(local.combined_objects_keyvaults[each.value.keyvault.lz_key][each.value.keyvault.key].id, null), + try(local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault.key].id, null) + ) } data "azurerm_storage_account" "mssql_auditing" { diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf index 47091b86d7..08f8d6377b 100755 --- a/msssql_managed_instances.tf +++ b/msssql_managed_instances.tf 
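Review bot: The first `coalesce` argument inverts the original condition: when `administrator_login_password` is supplied, `keyvault_id` is now set to the password string itself instead of `null`, so the plaintext password is handed to the module under the name of a Key Vault ID, where it shows up in plan output and state as an ordinary module argument and where whatever the module does with `keyvault_id` (outside this hunk) operates on a bogus resource ID. The password must stay out of the expression; keep the old short-circuit and only coalesce the Key Vault lookups: `keyvault_id = try(each.value.administrator_login_password, null) != null ? null : coalesce(` with the `try(each.value.administrator_login_password, null),` line removed. The rest of the module block is outside the hunk.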
@@ -18,7 +18,12 @@ module "mssql_managed_instances" { location = try(local.global_settings.regions[each.value.region], local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location) subnet_id = local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} - keyvault_id = try(each.value.administratorLoginPassword, null) == null ? module.keyvaults[each.value.keyvault_key].id : null + keyvault_id = coalesce( + try(each.value.administrator_login_password, null), + try(module.keyvaults[each.value.keyvault_key].id, null), + try(local.combined_objects_keyvaults[each.value.keyvault.lz_key][each.value.keyvault.key].id, null), + try(local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault.key].id, null) + ) } module "mssql_managed_instances_secondary" { diff --git a/mysql_servers.tf b/mysql_servers.tf index 6478394e80..494f676832 100755 --- a/mysql_servers.tf +++ b/mysql_servers.tf 
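Review bot: Same defect as in mssql_servers.tf: a configured `administrator_login_password` becomes the value of `keyvault_id`, leaking the plaintext password into plan and state as a non-secret argument; use `keyvault_id = try(each.value.administrator_login_password, null) != null ? null : coalesce(` and drop the password line from the `coalesce`. This hunk additionally changes the attribute the module looks for from `administratorLoginPassword` to `administrator_login_password`; if existing managed-instance configurations use the camelCase name, their supplied password will now be ignored without any warning, so either accept both spellings with `try(each.value.administrator_login_password, each.value.administratorLoginPassword, null)` or document the rename. The module block continues outside the hunk.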
@@ -14,7 +14,12 @@ module "mysql_servers" { client_config = local.client_config resource_group_name = local.resource_groups[each.value.resource_group_key].name location = lookup(each.value, "region", null) == null ? local.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region] - keyvault_id = try(each.value.administrator_login_password, null) == null ? module.keyvaults[each.value.keyvault_key].id : null + keyvault_id = coalesce( + try(each.value.administrator_login_password, null), + try(module.keyvaults[each.value.keyvault_key].id, null), + try(local.combined_objects_keyvaults[each.value.keyvault.lz_key][each.value.keyvault.key].id, null), + try(local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault.key].id, null) + ) storage_accounts = module.storage_accounts azuread_groups = module.azuread_groups vnets = local.combined_objects_networking From ba9baad73603dcf05ef31b4f109ea41cd9447676 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 14 Sep 2021 13:15:33 +0000 Subject: [PATCH 44/91] Fixing #671 --- examples/module.tf | 1 + .../100_pvtdns_vnetlink/configuration.tfvars | 84 +++++++++++++++++-- examples/variables.tf | 3 + .../private_dns_vnet_link/module.tf | 5 +- .../private_dns_vnet_link/variables.tf | 4 + networking_private_dns.tf | 16 ++-- 6 files changed, 95 insertions(+), 18 deletions(-) diff --git a/examples/module.tf b/examples/module.tf index 824918ed03..4c97fd8cd6 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -151,6 +151,7 @@ module "example" { network_security_group_definition = var.network_security_group_definition network_watchers = var.network_watchers private_dns = var.private_dns + private_dns_vnet_links = var.private_dns_vnet_links private_endpoints = var.private_endpoints public_ip_addresses = var.public_ip_addresses route_tables = var.route_tables 
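Review bot: As in the two SQL variants, placing `try(each.value.administrator_login_password, null)` first in `coalesce` makes a user-supplied password the value of `keyvault_id`, so the secret is passed and recorded as a plain resource-ID argument instead of the old `null`. Restore the guard: `keyvault_id = try(each.value.administrator_login_password, null) != null ? null : coalesce(` and remove the password line, leaving only the three Key Vault lookups inside `coalesce`. The module block continues outside the hunk.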
diff --git a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars index 4638f2883c..2404b542e8 100644 --- a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars +++ b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars @@ -1,20 +1,35 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + private_dns_region1 = { + name = "private-dns-rg" + region = "region1" + } +} + private_dns_vnet_links = { - vnet_pvtdns_link1 = { - vnet_key = "vnet_key1" + vnet_pvtdns_link1 = { + resource_group_key = "private_dns_region1" + vnet_key = "vnet_test" #lz_key = "remote landing zone key for vnet" - private_dns_zones = { + private_dns_zones = { dns_zone1 = { - name = "vnet1-link1" - key = "dnszone1_key" - lz_key = "provide the landing zone key of private dns zone" + name = "dns1-lnk" + key = "dns1" + #lz_key = "provide the landing zone key of private dns zone" } # dns_zone2 = { # name = "vnet1-link2" # key = "dnszone2_key" # } } - } - # vnet_pvtdns_link2 = { + } + # vnet_pvtdns_link2 = { # vnet_key = "vnet_key2" # private_dns_zones = { # dns_zone1 = { 
@@ -23,4 +38,57 @@ private_dns_vnet_links = { # } # } # } +} + +vnets = { + vnet_test = { + resource_group_key = "private_dns_region1" + vnet = { + name = "test-vnet" + address_space = ["10.10.100.0/24"] + } + specialsubnets = { + + } + subnets = { + + } + } +} + +private_dns = { + dns1 = { + name = "test-dns.mysite.com" + resource_group_key = "private_dns_region1" + + records = { + a_records = { + testa1 = { + name = "*" + ttl = 3600 + records = ["1.1.1.1", "2.2.2.2"] + } + testa2 = { + name = "@" + ttl = 3600 + records = ["1.1.1.1", "2.2.2.2"] + } + } + + txt_records = { + testtxt1 = { + name = "testtxt1" + ttl = 3600 + records = { + r1 = { + value = "testing txt 1" + } + r2 = { + value = "testing txt 2" + } + } + } + } + } + } } \ No newline at end of file diff --git a/examples/variables.tf b/examples/variables.tf index 00d0455df4..4156bf6d11 100755 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -597,4 +597,7 @@ variable "logic_app_trigger_recurrence" { } variable "logic_app_trigger_custom" { default = {} +} +variable "private_dns_vnet_links" { + default = {} } \ No newline at end of file diff --git a/modules/networking/private_dns_vnet_link/module.tf b/modules/networking/private_dns_vnet_link/module.tf index afd0ec0f47..3481ecf9f9 100644 --- a/modules/networking/private_dns_vnet_link/module.tf +++ b/modules/networking/private_dns_vnet_link/module.tf 
@@ -14,10 +14,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnet_links" { for_each = var.settings.private_dns_zones name = azurecaf_name.pnetlk[each.key].result - resource_group_name = coalesce( - try(var.private_dns[each.value.lz_key][each.value.key].resource_group_name, null), - try(var.private_dns[var.client_config.landingzone_key][each.value.key].resource_group_name, null) - ) + resource_group_name = var.resource_group_name private_dns_zone_name = coalesce( try(var.private_dns[each.value.lz_key][each.value.key].name, null), try(var.private_dns[var.client_config.landingzone_key][each.value.key].name, null) diff --git a/modules/networking/private_dns_vnet_link/variables.tf b/modules/networking/private_dns_vnet_link/variables.tf index c8a6ee6d65..dcd28b76c7 100755 --- a/modules/networking/private_dns_vnet_link/variables.tf +++ b/modules/networking/private_dns_vnet_link/variables.tf @@ -20,4 +20,8 @@ variable "base_tags" { } variable "tags" { default = {} +} + +variable "resource_group_name" { + description = "Name of the existing resource group to deploy the resource." } \ No newline at end of file diff --git a/networking_private_dns.tf b/networking_private_dns.tf index c354b01dfd..fffc1b4a8c 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf 
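Review bot: `resource_group_name` is now whatever the caller passes rather than the resource group of the zone being linked, but a virtual-network link is a child resource of the private DNS zone and the provider expects `resource_group_name` to be the group the zone lives in, so a `resource_group_key` that does not match the zone's group can only fail at apply with a zone-not-found error rather than at plan. Either keep deriving it from `var.private_dns[...][each.value.key].resource_group_name` (the removed lines) and treat the new variable as a fallback, or state the constraint on the variable: `description = "Resource group of the private DNS zone(s) being linked; must be the zone's own resource group."`. If the Terraform version in use supports it, a `precondition` comparing the chosen name with the zone's `resource_group_name` would surface the mismatch early. The resource block continues outside the hunk.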
@@ -24,13 +24,17 @@ output "private_dns" { # module "private_dns_vnet_links" { - source = "./modules/networking/private_dns_vnet_link" - for_each = try(local.networking.private_dns_vnet_links, {}) - depends_on = [module.private_dns] + source = "./modules/networking/private_dns_vnet_link" + for_each = try(local.networking.private_dns_vnet_links, {}) + depends_on = [module.private_dns] - base_tags = {} - global_settings = local.global_settings - client_config = local.client_config + base_tags = {} + global_settings = local.global_settings + resource_group_name = coalesce( + try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].name, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null) + ) + client_config = local.client_config virtual_network_id = coalesce( try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].id, null), try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].id, null) From b8b7ac711fae2743d0e64c57e28b53ea78bd4239 Mon Sep 17 00:00:00 2001 From: Sean Lok Date: Tue, 14 Sep 2021 13:31:45 +0000 Subject: [PATCH 45/91] update ACR to support public access flag --- container_registry.tf | 2 ++ .../container_registry/200-acr-vnet/configuration.tfvars | 3 +++ modules/compute/container_registry/registry.tf | 2 ++ modules/compute/container_registry/variables.tf | 4 ++++ 4 files changed, 11 insertions(+) diff --git a/container_registry.tf b/container_registry.tf index 89abb02e60..cd7cc87d26 100755 --- a/container_registry.tf +++ b/container_registry.tf 
@@ -19,6 +19,8 @@ module "container_registry" { resource_groups = local.resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} private_dns = local.combined_objects_private_dns + + public_network_access_enabled = try(each.value.public_network_access_enabled, "true") } output "azure_container_registries" { diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 4223422c33..7628660195 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars @@ -24,6 +24,9 @@ azure_container_registries = { name = "acr-test" resource_group_key = "acr_region1" sku = "Premium" + + #public_network_access_enabled = "false" #Only able to control when sku = "premium" + georeplications = { region2 = { tags = { diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index 8abd39b3f5..ffcd7d1930 100755 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf @@ -16,6 +16,8 @@ resource "azurerm_container_registry" "acr" { admin_enabled = var.admin_enabled tags = local.tags + public_network_access_enabled = var.public_network_access_enabled + dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index c6ee4d5052..1337657286 100755 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -71,4 +71,8 @@ variable "base_tags" { variable "private_dns" { default = {} +} + +variable "public_network_access_enabled" { + default = "true" } \ No newline at end of file From 4071b0c0cc03994398f743eefdadc05cd6e54d29 Mon Sep 17 00:00:00 2001 
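Review bot: The default is the string `"true"` rather than the boolean `true` for an attribute the provider types as bool; the coercion works, but mixing a string default with boolean tfvars values means a typo such as `"ture"` only surfaces as a provider conversion error, and the module's `variable "public_network_access_enabled"` carries no `type` to catch it earlier. Use `public_network_access_enabled = try(each.value.public_network_access_enabled, true)` here and `type = bool` with `default = true` in the module variable. From a security standpoint the default keeps the registry's public endpoint open, so a registry that is also given private endpoints stays reachable over the public path unless this flag is set to `false`; a sentence to that effect next to the commented example line would help operators choose deliberately. The module block continues outside the hunk.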
From: Arnaud Lheureux Date: Tue, 14 Sep 2021 13:35:01 +0000 Subject: [PATCH 46/91] Updating to rover preview and scenarios --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/master-standalone-tf100-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf100.yaml | 4 ++-- .github/workflows/standalone-scenarios-additional.json | 7 +------ .github/workflows/standalone-scenarios.json | 6 ++++++ rover_on_ssh_host.yml | 2 +- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index e0068590f4..d662261ad7 100755 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.0.4-2108.1802 + image: aztfmod/rover-preview:1.0.6-2109.070742 user: vscode labels: diff --git a/.github/workflows/master-standalone-tf100-longrunners.yaml b/.github/workflows/master-standalone-tf100-longrunners.yaml index 0c93118777..ab1d2706b4 100755 --- a/.github/workflows/master-standalone-tf100-longrunners.yaml +++ b/.github/workflows/master-standalone-tf100-longrunners.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.0.4-2108.1802 + image: aztfmod/rover-preview:1.0.6-2109.070742 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover:1.0.4-2108.1802 + image: aztfmod/rover-preview:1.0.6-2109.070742 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index e1da26255c..a9de8b5535 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.0.4-2108.1802 + image: aztfmod/rover-preview:1.0.6-2109.070742 options: --user 0 steps: 
@@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover:1.0.4-2108.1802 + image: aztfmod/rover-preview:1.0.6-2109.070742 options: --user 0 steps: diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json index c4bc24069f..657565bbac 100644 --- a/.github/workflows/standalone-scenarios-additional.json +++ b/.github/workflows/standalone-scenarios-additional.json @@ -1,11 +1,6 @@ { "config_files": [ - "consumption_budget/100-consumption-budget-rg", - "consumption_budget/101-consumption-budget-subscription", - "consumption_budget/102-consumption-budget-rg-alerts", - "consumption_budget/103-consumption-budget-subscription-alerts", - "consumption_budget/104-consumption-budget-subscription-vm", - "consumption_budget/105-consumption-budget-subscription-aks" + // Waiting for support to register arm provider - https://github.com/Azure/caf-terraform-landingzones/pull/238 diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 2f96bf888b..8da2a4d9aa 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -39,6 +39,12 @@ "compute/virtual_machine_scale_set/100-linux-win-vmss-lb", "compute/virtual_machine_scale_set/101-linux-win-vmss-agw", "compute/windows_virtual_desktop/wvd_resources", + "consumption_budget/100-consumption-budget-rg", + "consumption_budget/101-consumption-budget-subscription", + "consumption_budget/102-consumption-budget-rg-alerts", + "consumption_budget/103-consumption-budget-subscription-alerts", + "consumption_budget/104-consumption-budget-subscription-vm", + "consumption_budget/105-consumption-budget-subscription-aks" "cosmos_db/100-simple-cosmos-db-cassandra", "cosmos_db/100-simple-cosmos-db-gremlin", "cosmos_db/100-simple-cosmos-db-mongo", diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index bf116e6316..7cbbb0bc22 100644 --- a/rover_on_ssh_host.yml 
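Review bot: The re-added `"consumption_budget/105-consumption-budget-subscription-aks"` entry has no trailing comma before the following `"cosmos_db/100-simple-cosmos-db-cassandra",`, so standalone-scenarios.json is no longer valid JSON; the workflows build their matrix from this file with `jq -c .` (visible in the `load_scenarios` step later in this series), which will abort on the parse error and take every scenario job down with it. Add the comma: `"consumption_budget/105-consumption-budget-subscription-aks",`. The companion edit to standalone-scenarios-additional.json leaves a `//` comment inside the array, which is also not JSON; if that file is read the same way, the note belongs in the commit message or a sibling `.md` instead.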
+++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.0.4-2108.1802 + image: aztfmod/rover-preview:1.0.6-2109.070742 user: vscode From 89f338d4066ec6f29eca81f7841f875e34254cfa Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 14 Sep 2021 13:37:39 +0000 Subject: [PATCH 47/91] Formatting --- .../master-standalone-tf14-longrunners.yaml | 2 +- .../standalone-scenarios-additional.json | 4 +- .../301-agw-v1/certificates.tfvars | 46 ++++++------ .../108-mssql-vm/configuration.tfvars | 70 +++++++++---------- examples/compute/vmware_cluster/README.md | 10 +-- .../100-logic_app_workflow/README.md | 6 +- .../configuration.tfvars | 6 +- .../103-logic_app_action_http/README.md | 6 +- .../configuration.tfvars | 6 +- .../104-logic_app_action_custom/README.md | 6 +- .../configuration.tfvars | 6 +- .../README.md | 6 +- .../configuration.tfvars | 6 +- .../README.md | 6 +- .../configuration.tfvars | 6 +- .../107-logic_app_trigger_custom/README.md | 6 +- .../configuration.tfvars | 6 +- .../configuration.tfvars | 6 +- .../100_pvtdns_vnetlink/configuration.tfvars | 2 +- .../virtual_wan.tfvars | 4 +- .../configuration.tfvars | 2 +- modules/compute/virtual_machine/mssql_vm.tf | 30 ++++---- .../compute/vmware_private_clouds/output.tf | 2 +- .../scripts/delete_resource.sh | 2 +- .../scripts/set_resource.sh | 8 +-- .../private_dns_vnet_link/module.tf | 2 +- modules/subscriptions/subscriptions.tf | 4 +- networking_private_dns.tf | 6 +- storage_accounts.tf | 42 +++++------ virtual_machines.tf | 26 +++---- 30 files changed, 170 insertions(+), 170 deletions(-) diff --git a/.github/workflows/master-standalone-tf14-longrunners.yaml b/.github/workflows/master-standalone-tf14-longrunners.yaml index 040a1699ce..32fa880355 100755 --- a/.github/workflows/master-standalone-tf14-longrunners.yaml +++ b/.github/workflows/master-standalone-tf14-longrunners.yaml 
@@ -31,7 +31,7 @@ jobs: cases=$(( cat ./.github/workflows/standalone-scenarios.json) | jq -c .) echo "::set-output name=matrix::${cases}" - + examples: name: examples runs-on: ubuntu-latest diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json index 657565bbac..a051e89e8f 100644 --- a/.github/workflows/standalone-scenarios-additional.json +++ b/.github/workflows/standalone-scenarios-additional.json @@ -17,8 +17,8 @@ "networking/virtual_wan/103-vwan-hub-gw", "networking/virtual_wan/104-vwan-hub-gw-spp", "networking/virtual_wan/105-vwan-hub-route-table", - "networking/virtual_wan/106-vwan-hub-routes", - + "networking/virtual_wan/106-vwan-hub-routes", + "mssql_mi/200-mi-two-regions", "compute/vmware_cluster/102-vmware_express_route_authorization" diff --git a/examples/app_gateway/301-agw-v1/certificates.tfvars b/examples/app_gateway/301-agw-v1/certificates.tfvars index 47fbc593b2..e2773cfec8 100644 --- a/examples/app_gateway/301-agw-v1/certificates.tfvars +++ b/examples/app_gateway/301-agw-v1/certificates.tfvars @@ -10,17 +10,17 @@ keyvault_certificates = { validity_in_months = 12 subject_alternative_names = { - # A list of alternative DNS names (FQDNs) identified by the Certificate. + # A list of alternative DNS names (FQDNs) identified by the Certificate. # Changing this forces a new resource to be created. dns_names = [ "demoapp1.cafsandpit.com" ] - # A list of email addresses identified by this Certificate. + # A list of email addresses identified by this Certificate. # Changing this forces a new resource to be created. # emails = [] - # A list of User Principal Names identified by the Certificate. + # A list of User Principal Names identified by the Certificate. # Changing this forces a new resource to be created. # upns = [] } 
@@ -29,49 +29,49 @@ keyvault_certificates = { type = "SelfSigned" } - # Possible values include Self (for self-signed certificate), - # or Unknown (for a certificate issuing authority like Let's Encrypt - # and Azure direct supported ones). + # Possible values include Self (for self-signed certificate), + # or Unknown (for a certificate issuing authority like Let's Encrypt + # and Azure direct supported ones). # Changing this forces a new resource to be created issuer_parameters = "Self" exportable = true - # Possible values include 2048 and 4096. + # Possible values include 2048 and 4096. # Changing this forces a new resource to be created. key_size = 4096 key_type = "RSA" reuse_key = true - # The Type of action to be performed when the lifetime trigger is triggered. - # Possible values include AutoRenew and EmailContacts. + # The Type of action to be performed when the lifetime trigger is triggered. + # Possible values include AutoRenew and EmailContacts. # Changing this forces a new resource to be created. action_type = "AutoRenew" - # The number of days before the Certificate expires that the action - # associated with this Trigger should run. - # Changing this forces a new resource to be created. + # The number of days before the Certificate expires that the action + # associated with this Trigger should run. + # Changing this forces a new resource to be created. # Conflicts with lifetime_percentage days_before_expiry = 30 - # The percentage at which during the Certificates Lifetime the action - # associated with this Trigger should run. - # Changing this forces a new resource to be created. + # The percentage at which during the Certificates Lifetime the action + # associated with this Trigger should run. + # Changing this forces a new resource to be created. # Conflicts with days_before_expiry # lifetime_percentage = 90 - # The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX - # or application/x-pem-file for a PEM. 
+ # The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX + # or application/x-pem-file for a PEM. # Changing this forces a new resource to be created. content_type = "application/x-pkcs12" - # A list of uses associated with this Key. - # Possible values include - # cRLSign, dataEncipherment, decipherOnly, - # digitalSignature, encipherOnly, keyAgreement, keyCertSign, - # keyEncipherment and nonRepudiation - # and are case-sensitive. + # A list of uses associated with this Key. + # Possible values include + # cRLSign, dataEncipherment, decipherOnly, + # digitalSignature, encipherOnly, keyAgreement, keyCertSign, + # keyEncipherment and nonRepudiation + # and are case-sensitive. # Changing this forces a new resource to be created key_usage = [ "cRLSign", diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars index 2da2db8da4..428dc8ddd7 100644 --- a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars @@ -84,25 +84,25 @@ dynamic_keyvault_secrets = { } sql-username = { secret_name = "sql-username" - value = "sqllogin" + value = "sqllogin" } sql-password = { secret_name = "sql-password" - value = "Very@Str5ngP!44w0rdToChaNge#" + value = "Very@Str5ngP!44w0rdToChaNge#" } encryption-password = { secret_name = "encryption-password" - value = "Very@Str5ngP!44w0rdToChaNge#" + value = "Very@Str5ngP!44w0rdToChaNge#" } } sp_secrets = { sp-client-id = { secret_name = "sp-client-id" - value = "" + value = "" } sp-client-secret = { secret_name = "sp-client-secret" - value = "" + value = "" } } } 
@@ -185,27 +185,27 @@ virtual_machines = { network_interface_keys = ["nic0"] os_disk = { - name = "osdisk" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - managed_disk_type = "StandardSSD_LRS" - disk_size_gb = "128" - create_option = "FromImage" + name = "osdisk" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + managed_disk_type = "StandardSSD_LRS" + disk_size_gb = "128" + create_option = "FromImage" } source_image_reference = { publisher = "MicrosoftSQLServer" offer = "SQL2017-WS2016" # offer = "sql2019-ws2019" - sku = "SQLDEV" - version = "latest" + sku = "SQLDEV" + version = "latest" } mssql_settings = { # requires SQL Image in source_image_reference - sql_license_type = "PAYG" - r_services_enabled = true - sql_connectivity_port = 1433 - sql_connectivity_type = "PRIVATE" - + sql_license_type = "PAYG" + r_services_enabled = true + sql_connectivity_port = 1433 + sql_connectivity_type = "PRIVATE" + # sql credentials is the same as the one for vm sql_authentication = { sql_credential = { @@ -218,15 +218,15 @@ virtual_machines = { keyvault_credential = { name = "sqlkv_credentials" # lz_key = "" - keyvault_key = "sql_cred_kv" # get url from here + keyvault_key = "sql_cred_kv" # get url from here service_principal_secrets = { # sp secret to access the kv above # lz_key = "" - keyvault_key = "sp_secrets" # get url from here - sp_client_id_key = "sp-client-id" + keyvault_key = "sp_secrets" # get url from here + sp_client_id_key = "sp-client-id" sp_client_secret_key = "sp-client-secret" } } - + } auto_patching = { @@ -237,9 +237,9 @@ virtual_machines = { auto_backup = { encryption_enabled = false # uses the vmadmin password # ERROR: unable to locate password as the secret has not been created yet - encryption_password = { + encryption_password = { # lz_key = "" - keyvault_key = "kv1" + keyvault_key = "kv1" encryption_password_key = "encryption-password" } retention_period_in_days = 7 
@@ -248,22 +248,22 @@ virtual_machines = { key = "sa1" } manual_schedule = { - full_backup_frequency = "Weekly" # Daily / Weekly - full_backup_start_hour = 0 # 0 - 23 - full_backup_window_in_hours = 1 # 1 - 23 - log_backup_frequency_in_minutes = 60 # 5 - 60f + full_backup_frequency = "Weekly" # Daily / Weekly + full_backup_start_hour = 0 # 0 - 23 + full_backup_window_in_hours = 1 # 1 - 23 + log_backup_frequency_in_minutes = 60 # 5 - 60f } } - + storage_configuration = { - disk_type = "NEW" # NEW, EXTEND, ADD + disk_type = "NEW" # NEW, EXTEND, ADD storage_workload_type = "GENERAL" # GENERAL, OLTP, DW data_settings = { default_file_path = "F:\\data" - luns = [1] + luns = [1] } } @@ -275,10 +275,10 @@ virtual_machines = { data1 = { name = "datadisk1" storage_account_type = "Premium_LRS" - create_option = "Empty" - disk_size_gb = "10" - lun = 1 - zones = ["1"] + create_option = "Empty" + disk_size_gb = "10" + lun = 1 + zones = ["1"] } } diff --git a/examples/compute/vmware_cluster/README.md b/examples/compute/vmware_cluster/README.md index 9b110516e5..3742f8e655 100644 --- a/examples/compute/vmware_cluster/README.md +++ b/examples/compute/vmware_cluster/README.md @@ -74,7 +74,7 @@ vmware_private_clouds = { #password = "123#sadd$saASD" keyvault_key = "kv_rg1" #lzKey= "ejkle" (optional) - secret_key = "secret_key1" + secret_key = "secret_key1" } vcenter_password = { keyvault_key = "kv_rg1" @@ -142,7 +142,7 @@ vmware_express_route_authorizations = { |vcenter_password |The password of the vCenter admin. Changing this forces a new Vmware Private Cloud to be created. [see below](#vcenter_password-input-values)| `block` | | false | |tags |A mapping of tags which should be assigned to the Vmware Private Cloud. | `object` | | false | -### nsxt_password input block +### nsxt_password input block | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| |password | Password in plain string | `string` | | false| 
@@ -152,7 +152,7 @@ vmware_express_route_authorizations = { |secret_key | The Secret Key of your Key Vault that holds your secret_name, this also requires the `keyvault_key` to be defined. | `string` | | false| -### vcenter_password input block +### vcenter_password input block | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| |password | Password in plain string | `string` | | false | @@ -161,13 +161,13 @@ vmware_express_route_authorizations = { |secret_name | Secret name of your key Vault in plain string, this also requires the `keyvault_key` to be defined. | `string` | |false| |secret_key | The Secret Key of your Key Vault that holds your secret_name, this also requires the `keyvault_key` to be defined. | `string` | | false| -### management_cluster input block +### management_cluster input block | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| |size |The size of the management cluster. This field can not updated with `internet_connection_enabled` together. | `number` | | false | -### sku_name input values +### sku_name input values | Name | Description | |------|-------------| |av20|| diff --git a/examples/logic_app/100-logic_app_workflow/README.md b/examples/logic_app/100-logic_app_workflow/README.md index 94636d8531..a99d713e22 100644 --- a/examples/logic_app/100-logic_app_workflow/README.md +++ b/examples/logic_app/100-logic_app_workflow/README.md @@ -38,10 +38,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } ``` diff --git a/examples/logic_app/100-logic_app_workflow/configuration.tfvars b/examples/logic_app/100-logic_app_workflow/configuration.tfvars index a46c460360..01c80cd700 100644 
--- a/examples/logic_app/100-logic_app_workflow/configuration.tfvars +++ b/examples/logic_app/100-logic_app_workflow/configuration.tfvars @@ -19,9 +19,9 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } \ No newline at end of file diff --git a/examples/logic_app/103-logic_app_action_http/README.md b/examples/logic_app/103-logic_app_action_http/README.md index e67990b8ff..026804ae85 100644 --- a/examples/logic_app/103-logic_app_action_http/README.md +++ b/examples/logic_app/103-logic_app_action_http/README.md @@ -38,10 +38,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/103-logic_app_action_http/configuration.tfvars b/examples/logic_app/103-logic_app_action_http/configuration.tfvars index b49805acf9..a942549162 100644 --- a/examples/logic_app/103-logic_app_action_http/configuration.tfvars +++ b/examples/logic_app/103-logic_app_action_http/configuration.tfvars @@ -19,10 +19,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/104-logic_app_action_custom/README.md b/examples/logic_app/104-logic_app_action_custom/README.md index 51930fe0c8..b2de471828 100644 --- a/examples/logic_app/104-logic_app_action_custom/README.md +++ b/examples/logic_app/104-logic_app_action_custom/README.md 
@@ -26,10 +26,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/104-logic_app_action_custom/configuration.tfvars b/examples/logic_app/104-logic_app_action_custom/configuration.tfvars index c84ab23355..3a16403c15 100644 --- a/examples/logic_app/104-logic_app_action_custom/configuration.tfvars +++ b/examples/logic_app/104-logic_app_action_custom/configuration.tfvars @@ -19,10 +19,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/105-logic_app_trigger_http_request/README.md b/examples/logic_app/105-logic_app_trigger_http_request/README.md index 8724c083d4..a460eec70c 100644 --- a/examples/logic_app/105-logic_app_trigger_http_request/README.md +++ b/examples/logic_app/105-logic_app_trigger_http_request/README.md @@ -26,10 +26,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/105-logic_app_trigger_http_request/configuration.tfvars b/examples/logic_app/105-logic_app_trigger_http_request/configuration.tfvars index e394357d86..2b31067994 100644 --- a/examples/logic_app/105-logic_app_trigger_http_request/configuration.tfvars +++ b/examples/logic_app/105-logic_app_trigger_http_request/configuration.tfvars 
@@ -19,10 +19,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/106-logic_app_trigger_recurrence/README.md b/examples/logic_app/106-logic_app_trigger_recurrence/README.md index 54f529be4a..350e2cc994 100644 --- a/examples/logic_app/106-logic_app_trigger_recurrence/README.md +++ b/examples/logic_app/106-logic_app_trigger_recurrence/README.md @@ -26,10 +26,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/106-logic_app_trigger_recurrence/configuration.tfvars b/examples/logic_app/106-logic_app_trigger_recurrence/configuration.tfvars index 94315ee098..e368db1f8b 100644 --- a/examples/logic_app/106-logic_app_trigger_recurrence/configuration.tfvars +++ b/examples/logic_app/106-logic_app_trigger_recurrence/configuration.tfvars @@ -19,10 +19,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/107-logic_app_trigger_custom/README.md b/examples/logic_app/107-logic_app_trigger_custom/README.md index 1677e9b920..6e2144d4c5 100644 --- a/examples/logic_app/107-logic_app_trigger_custom/README.md +++ b/examples/logic_app/107-logic_app_trigger_custom/README.md 
@@ -26,10 +26,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } diff --git a/examples/logic_app/107-logic_app_trigger_custom/configuration.tfvars b/examples/logic_app/107-logic_app_trigger_custom/configuration.tfvars index 5295980a42..dd28c4d8cd 100644 --- a/examples/logic_app/107-logic_app_trigger_custom/configuration.tfvars +++ b/examples/logic_app/107-logic_app_trigger_custom/configuration.tfvars @@ -18,10 +18,10 @@ logic_app_workflow = { resource_group_key = "rgwflow1" #integration_service_environment_key #logic_app_integration_account_key - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } logic_app_trigger_custom = { diff --git a/examples/logic_app/108-logic_app_complex/configuration.tfvars b/examples/logic_app/108-logic_app_complex/configuration.tfvars index 43269185a6..d2e31787d6 100644 --- a/examples/logic_app/108-logic_app_complex/configuration.tfvars +++ b/examples/logic_app/108-logic_app_complex/configuration.tfvars @@ -92,9 +92,9 @@ logic_app_workflow = { resource_group_key = "rgwflow1" integration_service_environment_key = "ise1" logic_app_integration_account_key = "laia1" - #workflow_parameters - #workflow_schema + #workflow_parameters + #workflow_schema workflow_version = "1.0.0.0" - #parameters + #parameters } } \ No newline at end of file diff --git a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars index 2404b542e8..c38ed4cf25 100644 --- a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars +++ b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars 
@@ -20,7 +20,7 @@ private_dns_vnet_links = { private_dns_zones = { dns_zone1 = { name = "dns1-lnk" - key = "dns1" + key = "dns1" #lz_key = "provide the landing zone key of private dns zone" } # dns_zone2 = { diff --git a/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars b/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars index a50d98168c..e225801f16 100644 --- a/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars +++ b/examples/networking/virtual_wan/105-vwan-hub-route-table/virtual_wan.tfvars @@ -66,7 +66,7 @@ virtual_hub_route_tables = { # # Will be covered in the landingzone starter production configuration in future releases. # # # next_hop = { - # lz_key = "" # + # lz_key = "" # # resource_type = "virtual_hub_connection" # Only supported value. # resource_key = "egress-fw" # } @@ -127,7 +127,7 @@ virtual_hub_connections = { # Either next_hop or next_hop_ip_address can be used next_hop = { - # lz_key = "" # + # lz_key = "" # key = "egress-fw" interface_index = 0 # Required. } diff --git a/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars b/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars index 1078479385..2171d69ba2 100644 --- a/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars +++ b/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars @@ -19,7 +19,7 @@ resource_groups = { # https://docs.microsoft.com/en-us/azure/storage/ storage_accounts = { sa1 = { - name = "sa1dev" + name = "sa1dev" # This option is to enable remote RG reference # resource_group = { # lz_key = "" diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf index 2e3acccb0f..8092fc1abb 100644 --- a/modules/compute/virtual_machine/mssql_vm.tf +++ b/modules/compute/virtual_machine/mssql_vm.tf 
@@ -14,7 +14,7 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { tags = merge(local.tags, try(each.value.tags, null)) dynamic "auto_backup" { - for_each = try(each.value.mssql_settings.auto_backup, null) != null ? [1] : [] + for_each = try(each.value.mssql_settings.auto_backup, null) != null ? [1] : [] content { encryption_enabled = try(each.value.mssql_settings.auto_backup.encryption_enabled, false) @@ -22,7 +22,7 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { retention_period_in_days = each.value.mssql_settings.auto_backup.retention_period_in_days system_databases_backup_enabled = try(each.value.mssql_settings.auto_backup.system_databases_backup_enabled, null) storage_account_access_key = data.azurerm_storage_account.mssqlvm_backup_sa[each.key].primary_access_key - storage_blob_endpoint = coalesce( + storage_blob_endpoint = coalesce( try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].primary_blob_endpoint, null), try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].primary_blob_endpoint, null), ) 
@@ -57,14 +57,14 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { content { name = each.value.mssql_settings.sql_authentication.keyvault_credential.name key_vault_url = coalesce( - try(var.keyvaults[each.value.mssql_settings.sql_authentication.keyvault_credential.lz_key][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri , null), - try(var.keyvaults[var.client_config.landingzone_key][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri , null), + try(var.keyvaults[each.value.mssql_settings.sql_authentication.keyvault_credential.lz_key][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri, null), + try(var.keyvaults[var.client_config.landingzone_key][each.value.mssql_settings.sql_authentication.keyvault_credential.keyvault_key].vault_uri, null), ) - service_principal_name = try(data.external.sp_client_id[each.key].result.value, null) + service_principal_name = try(data.external.sp_client_id[each.key].result.value, null) service_principal_secret = try(data.external.sp_client_secret[each.key].result.value, null) } } - + dynamic "storage_configuration" { for_each = try(each.value.mssql_settings.storage_configuration, null) != null ? [1] : [] 
@@ -111,14 +111,14 @@ data "azurerm_storage_account" "mssqlvm_backup_sa" { if try(value.mssql_settings.auto_backup, null) != null } - name = coalesce( - try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].name, null), - try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].name, null), - ) - resource_group_name = coalesce( - try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), - try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), - ) + name = coalesce( + try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].name, null), + try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].name, null), + ) + resource_group_name = coalesce( + try(var.storage_accounts[each.value.mssql_settings.auto_backup.storage_account.lz_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), + try(var.storage_accounts[var.client_config.landingzone_key][each.value.mssql_settings.auto_backup.storage_account.key].resource_group_name, null), + ) } @@ -139,7 +139,7 @@ data "external" "sql_username" { ) ] } - + data "external" "sql_password" { for_each = { for key, value in try(var.settings.virtual_machine_settings, {}) : key => value diff --git a/modules/compute/vmware_private_clouds/output.tf b/modules/compute/vmware_private_clouds/output.tf index a40110ddb1..2e6828a463 100755 --- a/modules/compute/vmware_private_clouds/output.tf +++ b/modules/compute/vmware_private_clouds/output.tf 
@@ -55,7 +55,7 @@ output "management_cluster" { # for key, value in azurerm_vmware_private_cloud.vwpc.circuit : key => { # express_route_id = azurerm_vmware_private_cloud.vwpc.circuit[key].express_route_id # express_route_private_peering_id = azurerm_vmware_private_cloud.vwpc.circuit[key].express_route_private_peering_id -# primary_subnet_cidr = azurerm_vmware_private_cloud.vwpc.circuit[key].primary_subnet_cidr +# primary_subnet_cidr = azurerm_vmware_private_cloud.vwpc.circuit[key].primary_subnet_cidr # secondary_subnet_cidr = azurerm_vmware_private_cloud.vwpc.circuit[key].secondary_subnet_cidr # } # } diff --git a/modules/networking/application_gateway_application/scripts/delete_resource.sh b/modules/networking/application_gateway_application/scripts/delete_resource.sh index dddf7fc90b..d718d98124 100755 --- a/modules/networking/application_gateway_application/scripts/delete_resource.sh +++ b/modules/networking/application_gateway_application/scripts/delete_resource.sh @@ -2,7 +2,7 @@ echo "rg: ${RG_NAME} gateway: ${APPLICATION_GATEWAY_NAME} name: ${NAME}" case "${RESOURCE}" in - BACKENDPOOL) + BACKENDPOOL) execute_with_backoff az network application-gateway address-pool delete -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} -n ${NAME} ;; HTTPSETTINGS) diff --git a/modules/networking/application_gateway_application/scripts/set_resource.sh b/modules/networking/application_gateway_application/scripts/set_resource.sh index 26c0207ee9..1db4d1704b 100755 --- a/modules/networking/application_gateway_application/scripts/set_resource.sh +++ b/modules/networking/application_gateway_application/scripts/set_resource.sh 
@@ -3,9 +3,9 @@ echo "rg: ${RG_NAME} gateway: ${APPLICATION_GATEWAY_NAME} name: ${NAME} resource: ${RESOURCE}" case "${RESOURCE}" in - BACKENDPOOL) + BACKENDPOOL) servers=$([ -z "${ADDRESS_POOL}" ] && echo "" || echo "--servers ${ADDRESS_POOL} ") - + execute_with_backoff az network application-gateway address-pool create -g ${RG_NAME} \ --gateway-name ${APPLICATION_GATEWAY_NAME} -n ${NAME} ${servers} ;; @@ -73,7 +73,7 @@ case "${RESOURCE}" in wafpolicy=$([ -z "${WAF_POLICY}" ] && echo "" || echo "--waf-policy ${WAF_POLICY} ") execute_with_backoff az network application-gateway url-path-map create -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} \ - -n ${NAME} --paths ${PATHS} ${addresspool}${httpsettings}${redirectconfig}${rewriteruleset}${rulename}${wafpolicy} + -n ${NAME} --paths ${PATHS} ${addresspool}${httpsettings}${redirectconfig}${rewriteruleset}${rulename}${wafpolicy} ;; PATHRULE) addresspool=$([ -z "${ADDRESS_POOL}" ] && echo "" || echo "--address-pool ${ADDRESS_POOL} ") @@ -84,7 +84,7 @@ case "${RESOURCE}" in execute_with_backoff az network application-gateway url-path-map rule create -g ${RG_NAME} \ --gateway-name ${APPLICATION_GATEWAY_NAME} -n ${NAME} --path-map-name ${PATHMAPNAME} \ - --paths ${PATHS} ${addresspool}${httpsettings}${redirectconfig}${rewriteruleset}${wafpolicy} + --paths ${PATHS} ${addresspool}${httpsettings}${redirectconfig}${rewriteruleset}${wafpolicy} ;; esac diff --git a/modules/networking/private_dns_vnet_link/module.tf b/modules/networking/private_dns_vnet_link/module.tf index 3481ecf9f9..9ce62d333d 100644 --- a/modules/networking/private_dns_vnet_link/module.tf +++ b/modules/networking/private_dns_vnet_link/module.tf 
@@ -13,7 +13,7 @@ resource "azurecaf_name" "pnetlk" { resource "azurerm_private_dns_zone_virtual_network_link" "vnet_links" { for_each = var.settings.private_dns_zones - name = azurecaf_name.pnetlk[each.key].result + name = azurecaf_name.pnetlk[each.key].result resource_group_name = var.resource_group_name private_dns_zone_name = coalesce( try(var.private_dns[each.value.lz_key][each.value.key].name, null), diff --git a/modules/subscriptions/subscriptions.tf b/modules/subscriptions/subscriptions.tf index 56caabbb5e..7da7dd1efc 100644 --- a/modules/subscriptions/subscriptions.tf +++ b/modules/subscriptions/subscriptions.tf @@ -10,8 +10,8 @@ resource "azurerm_subscription" "sub" { alias = var.subscription_key subscription_name = var.settings.name - subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null - billing_scope_id = try(var.settings.subscription_id, null) == null ? data.azurerm_billing_enrollment_account_scope.sub.0.id : null + subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null + billing_scope_id = try(var.settings.subscription_id, null) == null ? data.azurerm_billing_enrollment_account_scope.sub.0.id : null workload = try(var.settings.workload, null) } diff --git a/networking_private_dns.tf b/networking_private_dns.tf index fffc1b4a8c..4ca28ecbdd 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf 
@@ -28,13 +28,13 @@ module "private_dns_vnet_links" { for_each = try(local.networking.private_dns_vnet_links, {}) depends_on = [module.private_dns] - base_tags = {} - global_settings = local.global_settings + base_tags = {} + global_settings = local.global_settings resource_group_name = coalesce( try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].name, null), try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null) ) - client_config = local.client_config + client_config = local.client_config virtual_network_id = coalesce( try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].id, null), try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].id, null) diff --git a/storage_accounts.tf b/storage_accounts.tf index 787ffa53ff..227646ca9a 100755 --- a/storage_accounts.tf +++ b/storage_accounts.tf 
@@ -3,33 +3,33 @@ module "storage_accounts" { source = "./modules/storage_account" for_each = var.storage_accounts - global_settings = local.global_settings - client_config = local.client_config - storage_account = each.value - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups - recovery_vaults = local.combined_objects_recovery_vaults - private_dns = local.combined_objects_private_dns + global_settings = local.global_settings + client_config = local.client_config + storage_account = each.value + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups + recovery_vaults = local.combined_objects_recovery_vaults + private_dns = local.combined_objects_private_dns location = coalesce( - try(local.global_settings.regions[each.value.region],null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location,null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location,null) + try(local.global_settings.regions[each.value.region], null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, null), + 
try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location, null) ) base_tags = try(local.global_settings.inherit_tags, false) ? coalesce( - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags,null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags,null) + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags, null) ) : {} resource_group_name = coalesce( - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name,null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name,null) + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, null), + 
try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null) ) } diff --git a/virtual_machines.tf b/virtual_machines.tf index 0627a30cf4..82f288d524 100755 --- a/virtual_machines.tf +++ b/virtual_machines.tf 
@@ -37,23 +37,23 @@ module "virtual_machines" { storage_accounts = local.combined_objects_storage_accounts location = coalesce( - try(local.global_settings.regions[each.value.region],null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location,null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location,null) + try(local.global_settings.regions[each.value.region], null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location, null) ) base_tags = try(local.global_settings.inherit_tags, false) ? 
coalesce( - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags,null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags,null) + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].tags, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags, null) ) : {} resource_group_name = coalesce( - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name,null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name,null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name,null) + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, null), + try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, null), + try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, null), + 
try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null)
 )
 }
From 7607351f52059d54211ed730427e261904f5bb87 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Tue, 14 Sep 2021 13:40:15 +0000
Subject: [PATCH 48/91] Typo
---
 .github/workflows/standalone-scenarios.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index 8da2a4d9aa..c190a31582 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -44,7 +44,7 @@
 "consumption_budget/102-consumption-budget-rg-alerts",
 "consumption_budget/103-consumption-budget-subscription-alerts",
 "consumption_budget/104-consumption-budget-subscription-vm",
- "consumption_budget/105-consumption-budget-subscription-aks"
+ "consumption_budget/105-consumption-budget-subscription-aks",
 "cosmos_db/100-simple-cosmos-db-cassandra",
 "cosmos_db/100-simple-cosmos-db-gremlin",
 "cosmos_db/100-simple-cosmos-db-mongo",
From a15c2feb8c05d35e0480107c8f4ea3e15cad6d3c Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Tue, 14 Sep 2021 14:06:00 +0000
Subject: [PATCH 49/91] Adding try for #677
---
 modules/azuread/groups/group.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/azuread/groups/group.tf b/modules/azuread/groups/group.tf
index df62929b54..123368382a 100755
--- a/modules/azuread/groups/group.tf
+++ b/modules/azuread/groups/group.tf
@@ -4,7 +4,7 @@ resource "azuread_group" "group" {
 description = lookup(var.azuread_groups, "description", null)
 prevent_duplicate_names = lookup(var.azuread_groups, "prevent_duplicate_names", null)
 owners = coalescelist(
- try(var.azuread_groups.owners, []),
+ try(tolist(var.azuread_groups.owners), []),
 [
 var.client_config.object_id
 ]
From 372ed5dc059ecf457f2ed7d5080df41b67a4fe17 Mon Sep 17 00:00:00 2001
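Review bot: In the `owners` argument, `try(tolist(var.azuread_groups.owners), [])` now turns any failure of `tolist` into an empty list, so an `owners` value that is not list-convertible — for example the object form `owners = { user_principal_names = [] }` used by the azuread example added later in this series — is silently discarded and `coalescelist` makes the deploying identity (`var.client_config.object_id`) the group's only owner with no plan-time signal. For a group that grants access, that gap between what the configuration states and what is applied is worth closing. If only list or set inputs are meant to be accepted, record the fallback next to the line, `# owners must be a list or set of object ids; anything else falls back to the deployer identity`, and consider letting a non-list value fail the plan instead of being swallowed. The azuread_group resource block continues outside the hunk.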
From: Sean Lok
Date: Tue, 14 Sep 2021 14:23:59 +0000
Subject: [PATCH 50/91] Fix Syntax
---
 modules/compute/container_registry/registry.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf
index ffcd7d1930..c026892793 100755
--- a/modules/compute/container_registry/registry.tf
+++ b/modules/compute/container_registry/registry.tf
@@ -22,7 +22,7 @@ resource "azurerm_container_registry" "acr" {
 for_each = try(var.network_rule_set, {})
 content {
- default_action = try(var.network_rule_set.default_action, "Allow")
+ default_action = try(network_rule_set.value.default_action, "Allow")
 dynamic "ip_rule" {
 for_each = try(network_rule_set.value.ip_rules, {})
From 1bbc747b6c41387943445c725e27d973f395efaf Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Tue, 14 Sep 2021 15:04:48 +0000
Subject: [PATCH 51/91] Adding storage account management CI
---
 .github/workflows/standalone-scenarios.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index c190a31582..bad4d86270 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -142,6 +142,7 @@
 "storage_accounts/104-file-share-with-backup",
 "storage_accounts/105-nfsv3",
 "storage_accounts/106-storage-account-queue",
+ "storage_accounts/107-storage-account-management-policy",
 "synapse_analytics/100-synapse",
 "synapse_analytics/101-synapse-sparkpool",
 "webapps/appservice/101-appservice-simple",
From ed680dc2ca5fed3aa626a86be652bfe2a73523e3 Mon Sep 17 00:00:00 2001
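Review bot: The corrected `default_action = try(network_rule_set.value.default_action, "Allow")` still falls back to "Allow" when a caller defines a `network_rule_set` block without `default_action`, so a registry that lists `ip_rule` entries remains reachable from every network until the attribute is spelled out. A configured rule set almost always intends the restrictive default, so either make the fallback `"Deny"` (a behaviour change for existing configurations that omit the attribute, so it needs a release note) or document the open default where the setting is declared, e.g. `# default_action falls back to "Allow" (open to all networks); set "Deny" to restrict access to the listed rules`. The dynamic block and the enclosing resource continue outside the hunk.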
From: Jor Seng
Date: Wed, 15 Sep 2021 03:47:35 +0000
Subject: [PATCH 52/91] add msi group membership example
---
 .github/workflows/standalone-scenarios.json | 1 +
 .../configuration.tfvars | 54 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 examples/azuread/104-azuread-group-membership/configuration.tfvars
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index ecd2435754..a85aaa68e6 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -15,6 +15,7 @@
 "azuread/100-azuread-application-with-sevice-principle-with-builtin-roles",
 "azuread/101-azuread-application-with-service-principle-with-custom-roles",
 "azuread/103-service-principal-only",
+ "azuread/104-azuread-group-membership",
 "compute/availability_set/100-simple-availabilityset",
 "compute/availability_set/101-availabilityset-with-proximity-placement-group",
 "compute/container_groups/101-aci-rover",
diff --git a/examples/azuread/104-azuread-group-membership/configuration.tfvars b/examples/azuread/104-azuread-group-membership/configuration.tfvars
new file mode 100644
index 0000000000..dcf8f00070
--- /dev/null
+++ b/examples/azuread/104-azuread-group-membership/configuration.tfvars
@@ -0,0 +1,54 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } + random_length = 5 +} + +resource_groups = { + rg1 = { + name = "example-msi-rg" + } +} + + +managed_identities = { + msi1 = { + name = "example-msi1" + resource_group_key = "rg1" + } +} + +azuread_groups = { + ad_group1 = { + name = "example-group1" + description = "Provide read and write access" + members = { + user_principal_names = [] + group_names = [] + object_ids = [] + group_keys = [] + + service_principal_keys = [] + + } + owners = { + user_principal_names = [] + } + prevent_duplicate_name = false + } +} + + +azuread_groups_membership = { + ad_group1 = { # ad group key + # lz_key = "" # lz_key for ad group + managed_identities = { + launchpad = { + # lz_key = "" + keys = ["msi1"] + } + } + } +} \ No newline at end of file From dd6075c056865daaf5a67aa6fb641773d845f7d1 Mon Sep 17 00:00:00 2001 From: lolorol Date: Wed, 15 Sep 2021 07:05:56 +0000 Subject: [PATCH 53/91] Fix a merge issue --- modules/compute/virtual_machine/variables.tf | 4 ---- virtual_machines.tf | 20 ++++++++++---------- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/modules/compute/virtual_machine/variables.tf b/modules/compute/virtual_machine/variables.tf index 924387d2fe..f1cc7fa778 100755 --- a/modules/compute/virtual_machine/variables.tf +++ b/modules/compute/virtual_machine/variables.tf @@ -88,7 +88,3 @@ variable "network_security_groups" { variable "dedicated_hosts" { default = {} } - -variable "storage_accounts" { - default = {} -} \ No newline at end of file diff --git a/virtual_machines.tf b/virtual_machines.tf index 25766a69b9..b4bafe31a5 100755 --- a/virtual_machines.tf +++ b/virtual_machines.tf 
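Review bot: The new example sets `prevent_duplicate_name = false`, but the group module reads `lookup(var.azuread_groups, "prevent_duplicate_names", null)` (plural, visible in the group.tf hunk of PATCH 49 in this series), so the attribute in this file is silently ignored and should read `prevent_duplicate_names = false`. The same file passes `owners` as an object (`owners = { user_principal_names = [] }`) while the module wraps `owners` in `tolist` with an empty-list fallback; whether that form is resolved before reaching the module is not visible here, so it is worth confirming that the intended owners are applied rather than the deployer fallback. A one-line comment above `owners` stating which shapes the example expects to work would spare the next reader the same check.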
@@ -14,14 +14,8 @@ module "virtual_machines" { application_security_groups = local.combined_objects_application_security_groups availability_sets = local.combined_objects_availability_sets - # if boot_diagnostics_storage_account_key is points to a valid storage account, pass the endpoint - # if boot_diagnostics_storage_account_key is empty string, pass empty string - # if boot_diagnostics_storage_account_key not defined, pass null - # otherwise, boot_diagnostics_storage_account_key is a non-empty string that does not reference a valid storage account, so blow-up - boot_diagnostics_storage_account = try(local.combined_diagnostics.storage_accounts[each.value.boot_diagnostics_storage_account_key].primary_blob_endpoint, - each.value.boot_diagnostics_storage_account_key == "" ? "" : each.value.throw_error, - can(tostring(each.value.boot_diagnostics_storage_account_key)) ? each.value.throw_error : null) client_config = local.client_config + dedicated_hosts = local.combined_objects_dedicated_hosts diagnostics = local.combined_diagnostics disk_encryption_sets = local.combined_objects_disk_encryption_sets global_settings = local.global_settings 
@@ -31,11 +25,17 @@ module "virtual_machines" { proximity_placement_groups = local.combined_objects_proximity_placement_groups public_ip_addresses = local.combined_objects_public_ip_addresses recovery_vaults = local.combined_objects_recovery_vaults - storage_accounts = local.combined_objects_storage_accounts settings = each.value - vnets = local.combined_objects_networking - dedicated_hosts = local.combined_objects_dedicated_hosts storage_accounts = local.combined_objects_storage_accounts + vnets = local.combined_objects_networking + + # if boot_diagnostics_storage_account_key is points to a valid storage account, pass the endpoint + # if boot_diagnostics_storage_account_key is empty string, pass empty string + # if boot_diagnostics_storage_account_key not defined, pass null + # otherwise, boot_diagnostics_storage_account_key is a non-empty string that does not reference a valid storage account, so blow-up + boot_diagnostics_storage_account = try(local.combined_diagnostics.storage_accounts[each.value.boot_diagnostics_storage_account_key].primary_blob_endpoint, + each.value.boot_diagnostics_storage_account_key == "" ? "" : each.value.throw_error, + can(tostring(each.value.boot_diagnostics_storage_account_key)) ? each.value.throw_error : null) location = coalesce( try(local.global_settings.regions[each.value.region], null), From fa03e6cbd0679d773d7a075dd47eb97b6f21504e Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 16 Sep 2021 02:34:44 +0000 Subject: [PATCH 54/91] Update instructions --- examples/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/README.md b/examples/README.md index bd5254b4cb..ce666f80a4 100755 --- a/examples/README.md +++ b/examples/README.md 
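Review bot: The relocated comment above `boot_diagnostics_storage_account` reads `# if boot_diagnostics_storage_account_key is points to a valid storage account, pass the endpoint`; drop the stray `is` so it reads `# if boot_diagnostics_storage_account_key points to a valid storage account, pass the endpoint`. The last line of that comment could also name the mechanism, since `each.value.throw_error` appears to be an intentionally undefined attribute whose evaluation aborts the plan, e.g. `# otherwise the key is a non-empty string matching no storage account: referencing the undefined attribute throw_error fails the plan on purpose`. The module block continues outside the hunk.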
@@ -48,9 +48,9 @@ The current folder contains an example of module with the whole features set of cd /tf/caf/examples az login terraform init -terraform plan -var-file -terraform apply -terraform destroy +terraform plan -var-file +terraform apply -var-file +terraform destroy -var-file ``` ## Deploying examples within a landing zone From 6109e5bcb4d9b92b9fe4d3d4b84aa9d20f4694e3 Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 16 Sep 2021 02:36:42 +0000 Subject: [PATCH 55/91] Update vm custom_data --- .../100-single-linux-vm/configuration.tfvars | 7 ++- .../application_security_group.tf | 2 +- .../compute/virtual_machine/diagnostics.tf | 2 +- .../virtual_machine/dynamic_custom_data.tf | 9 ++++ .../virtual_machine/network_interface.tf | 6 +-- modules/compute/virtual_machine/output.tf | 14 +++--- modules/compute/virtual_machine/vm_linux.tf | 47 +++++++------------ modules/compute/virtual_machine/vm_windows.tf | 30 +++++++----- 8 files changed, 60 insertions(+), 57 deletions(-) create mode 100644 modules/compute/virtual_machine/dynamic_custom_data.tf diff --git a/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars b/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars index b2381443cc..2aa0e108bc 100755 --- a/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars @@ -37,8 +37,8 @@ virtual_machines = { keyvault_key = "example_vm_rg1" # Define the number of networking cards to attach the virtual machine - # Option to use when BYOI (Bring your Own Interface) - # networking_interface_ids = ["/subscriptions//resourceGroups//providers/Microsoft.Network/networkInterfaces/"] + # Option to use when BYOI (Bring your Own Interface) + # networking_interface_ids = ["/subscriptions//resourceGroups//providers/Microsoft.Network/networkInterfaces/"] networking_interfaces = { nic0 = { 
@@ -66,8 +66,7 @@ virtual_machines = { disable_password_authentication = true #custom_data - Users can either reference a local file path or a block of code as seen below. - #custom_data = "scripts/cloud-init/install-rover-tools.config" - #custom_data = "compute/virtual_machine/100-single-linux-vm/scripts/cloud-init/install-rover-tools.config" + # custom_data = "scripts/cloud-init/install-rover-tools.config" custom_data = < base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}") + if try(item.palo_alto_connection_string, null) != null + } + } +} diff --git a/modules/compute/virtual_machine/network_interface.tf b/modules/compute/virtual_machine/network_interface.tf index c5ef7fb115..5a8b3aa552 100755 --- a/modules/compute/virtual_machine/network_interface.tf +++ b/modules/compute/virtual_machine/network_interface.tf @@ -2,13 +2,13 @@ locals { nic_ids = flatten( [ local.network_interface_ids, - try(var.settings.networking_interface_ids,[]) + try(var.settings.networking_interface_ids, []) ] ) - + network_interface_ids = flatten( [ - for nic_key in try(var.settings.virtual_machine_settings[var.settings.os_type].network_interface_keys,[]) : [ + for nic_key in try(var.settings.virtual_machine_settings[var.settings.os_type].network_interface_keys, []) : [ azurerm_network_interface.nic[nic_key].id ] ] 
diff --git a/modules/compute/virtual_machine/output.tf b/modules/compute/virtual_machine/output.tf index a66777017d..68fd5d8b36 100755 --- a/modules/compute/virtual_machine/output.tf +++ b/modules/compute/virtual_machine/output.tf @@ -11,8 +11,8 @@ output "os_type" { } output "internal_fqdns" { - value = try(var.settings.networking_interfaces,null) != null ? flatten([ - for nic_key in try(var.settings.virtual_machine_settings[local.os_type].network_interface_keys,[]) : format("%s.%s", try(azurerm_network_interface.nic[nic_key].internal_dns_name_label, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].internal_domain_name_suffix) + value = try(var.settings.networking_interfaces, null) != null ? flatten([ + for nic_key in try(var.settings.virtual_machine_settings[local.os_type].network_interface_keys, []) : format("%s.%s", try(azurerm_network_interface.nic[nic_key].internal_dns_name_label, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].internal_domain_name_suffix) ]) : null } 
@@ -45,11 +45,11 @@ output "ssh_keys" { output "nic_id" { value = coalescelist( flatten( - [ - for nic_key in try(var.settings.virtual_machine_settings[local.os_type].network_interface_keys,[]) : format("%s.%s", try(azurerm_network_interface.nic[nic_key].id, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].id) - ] - ), - try(var.settings.networking_interface_ids,[]) + [ + for nic_key in try(var.settings.virtual_machine_settings[local.os_type].network_interface_keys, []) : format("%s.%s", try(azurerm_network_interface.nic[nic_key].id, try(azurerm_linux_virtual_machine.vm["linux"].name, azurerm_windows_virtual_machine.vm["windows"].name)), azurerm_network_interface.nic[nic_key].id) + ] + ), + try(var.settings.networking_interface_ids, []) ) } diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index bf8281547d..48ad158e9b 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
@@ -1,12 +1,3 @@ -locals { - dynamic_custom_data = { - palo_alto_connection_string = { - for item in var.settings.virtual_machine_settings: - item.name => base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}") - } - } -} - resource "tls_private_key" "ssh" { for_each = local.create_sshkeys ? var.settings.virtual_machine_settings : {} 
@@ -65,33 +56,31 @@ resource "azurecaf_name" "os_disk_linux" { resource "azurerm_linux_virtual_machine" "vm" { for_each = local.os_type == "linux" ? var.settings.virtual_machine_settings : {} - name = azurecaf_name.linux[each.key].result - location = var.location - resource_group_name = var.resource_group_name - size = each.value.size - admin_username = each.value.admin_username - admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null - network_interface_ids = local.nic_ids - tags = merge(local.tags, try(each.value.tags, null)) - + admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null + admin_username = each.value.admin_username allow_extension_operations = try(each.value.allow_extension_operations, null) + availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) computer_name = azurecaf_name.linux_computer_name[each.key].result + disable_password_authentication = try(each.value.disable_password_authentication, true) eviction_policy = try(each.value.eviction_policy, null) + location = var.location max_bid_price = try(each.value.max_bid_price, null) + name = azurecaf_name.linux[each.key].result + network_interface_ids = local.nic_ids priority = try(each.value.priority, null) provision_vm_agent = try(each.value.provision_vm_agent, true) - zone = try(each.value.zone, null) - disable_password_authentication = try(each.value.disable_password_authentication, true) - custom_data = ( - try(each.value.custom_data, null) == null - ? null - : (can(local.dynamic_custom_data[each.value.custom_data][each.value.name]) == true - ? 
local.dynamic_custom_data[each.value.custom_data][each.value.name] - : null - ) - ) - availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) + resource_group_name = var.resource_group_name + size = each.value.size + tags = merge(local.tags, try(each.value.tags, null)) + zone = try(each.value.zone, null) + + custom_data = try( + try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)), + local.dynamic_custom_data[each.value.custom_data][each.value.name], + null + ) + dedicated_host_id = try(coalesce( try(each.value.dedicated_host.id, null), var.dedicated_hosts[try(each.value.dedicated_host.lz_key, var.client_config.landingzone_key)][each.value.dedicated_host.key].id, diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 4d9cad521a..36f42673e5 100755 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf 
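Review bot: In the new `custom_data` expression the branch `local.dynamic_custom_data[each.value.custom_data][each.value.name]` is unreachable: the inner `try(filebase64(...), base64encode(each.value.custom_data))` always succeeds for a string value, because `base64encode` of the key name itself cannot fail, so a setting such as `custom_data = "palo_alto_connection_string"` sends the literal key text to the VM instead of the generated connection string. Moving `local.dynamic_custom_data[each.value.custom_data][each.value.name]` to the first argument of the outer `try` lets the lookup win when the key exists and keeps file path and inline content as the fallbacks. The same expression is added to vm_windows.tf in this commit and needs the same reorder. Separately, the `palo_alto_connection_string` entry embeds the storage account `primary_access_key` into custom_data, which then lives in the VM definition and in Terraform state, so that trade-off deserves a comment in dynamic_custom_data.tf where the map is built. The resource block continues outside the hunk.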
@@ -47,27 +47,33 @@ resource "azurerm_windows_virtual_machine" "vm" { depends_on = [azurerm_network_interface.nic, azurerm_network_interface_security_group_association.nic_nsg] for_each = local.os_type == "windows" ? var.settings.virtual_machine_settings : {} - name = azurecaf_name.windows[each.key].result - location = var.location - resource_group_name = var.resource_group_name - size = each.value.size - admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username admin_password = try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password - network_interface_ids = local.nic_ids + admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username allow_extension_operations = try(each.value.allow_extension_operations, null) + availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) computer_name = azurecaf_name.windows_computer_name[each.key].result - provision_vm_agent = try(each.value.provision_vm_agent, true) - zone = try(each.value.zone, null) - custom_data = try(each.value.custom_data, null) == null ? 
null : filebase64(format("%s/%s", path.cwd, each.value.custom_data)) enable_automatic_updates = try(each.value.enable_automatic_updates, null) eviction_policy = try(each.value.eviction_policy, null) + license_type = try(each.value.license_type, null) + location = var.location max_bid_price = try(each.value.max_bid_price, null) + name = azurecaf_name.windows[each.key].result + network_interface_ids = local.nic_ids priority = try(each.value.priority, null) - license_type = try(each.value.license_type, null) + provision_vm_agent = try(each.value.provision_vm_agent, true) + proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) + resource_group_name = var.resource_group_name + size = each.value.size tags = merge(local.tags, try(each.value.tags, null)) timezone = try(each.value.timezone, null) - availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) - proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) + zone = try(each.value.zone, null) + + custom_data = try( + try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)), + local.dynamic_custom_data[each.value.custom_data][each.value.name], + null + ) + dedicated_host_id = try(coalesce( try(each.value.dedicated_host.id, null), var.dedicated_hosts[try(each.value.dedicated_host.lz_key, var.client_config.landingzone_key)][each.value.dedicated_host.key].id, From dacef9fe12925751ba32dd1c2ffba32e9cf4a771 Mon Sep 17 00:00:00 2001 
From: lolorol Date: Thu, 16 Sep 2021 03:04:43 +0000 Subject: [PATCH 56/91] Terraform fmt --- .../configuration.tfvars | 6 +-- .../200-acr-vnet/configuration.tfvars | 2 +- .../configuration.tfvars | 13 ++--- .../configuration.tfvars | 2 +- .../configuration.tfvars | 48 +++++++++---------- .../azuread_groups_membership.tf | 6 +-- .../groups_members/membership/membership.tf | 2 +- .../firewall_policies/firewall_policy.tf | 14 +++--- .../subnet/diagnostic_event_hub_namespaces.tf | 8 ++-- .../subnet/diagnostic_storage_accounts.tf | 8 ++-- .../endpoints/subnet/eventhub_namespaces.tf | 8 ++-- .../endpoints/subnet/keyvaults.tf | 10 ++-- .../endpoints/subnet/mssql_servers.tf | 8 ++-- .../endpoints/subnet/mysql_servers.tf | 8 ++-- .../endpoints/subnet/recovery_vaults.tf | 8 ++-- .../endpoints/subnet/redis_cache.tf | 12 ++--- .../endpoints/subnet/storage_accounts.tf | 8 ++-- modules/storage_account/storage_account.tf | 8 ++-- mssql_servers.tf | 2 +- msssql_managed_instances.tf | 2 +- mysql_servers.tf | 18 +++---- networking_private_links.tf | 14 +++--- virtual_machines.tf | 28 +++++------ 23 files changed, 122 insertions(+), 121 deletions(-) diff --git a/examples/azuread/104-azuread-group-membership/configuration.tfvars b/examples/azuread/104-azuread-group-membership/configuration.tfvars index dcf8f00070..d9b53fb6a0 100644 --- a/examples/azuread/104-azuread-group-membership/configuration.tfvars +++ b/examples/azuread/104-azuread-group-membership/configuration.tfvars @@ -26,9 +26,9 @@ azuread_groups = { description = "Provide read and write access" members = { user_principal_names = [] - group_names = [] - object_ids = [] - group_keys = [] + group_names = [] + object_ids = [] + group_keys = [] service_principal_keys = [] diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 7628660195..d0e78f5f0b 100644 
--- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars @@ -26,7 +26,7 @@ azure_container_registries = { sku = "Premium" #public_network_access_enabled = "false" #Only able to control when sku = "premium" - + georeplications = { region2 = { tags = { diff --git a/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars b/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars index 1badab5c1c..a38b5a11d5 100755 --- a/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars +++ b/examples/compute/virtual_machine/108-single-linux-storage-connect-custom-data/configuration.tfvars @@ -62,14 +62,15 @@ virtual_machines = { disable_password_authentication = true #custom_data = "scripts/cloud-init/install-rover-tools.config" -# custom_data = < Date: Thu, 16 Sep 2021 03:53:32 +0000 Subject: [PATCH 57/91] Fix KV policy --- .../azuread/103-service-principal-only/configuration.tfvars | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/azuread/103-service-principal-only/configuration.tfvars b/examples/azuread/103-service-principal-only/configuration.tfvars index 10f25da129..0e7f58768b 100644 --- a/examples/azuread/103-service-principal-only/configuration.tfvars +++ b/examples/azuread/103-service-principal-only/configuration.tfvars @@ -31,8 +31,8 @@ keyvaults = { keyvault_access_policies_azuread_apps = { test_client = { test_client = { - azuread_app_key = "test_client" - secret_permissions = ["Set", "Get", "List", "Delete"] + azuread_application_key = "test_client" + secret_permissions = ["Set", "Get", "List", "Delete"] } } } From 528252b0e5f588c11f7149737e214b97fecca81e Mon Sep 17 00:00:00 2001 
From: lolorol Date: Thu, 16 Sep 2021 05:28:15 +0000 Subject: [PATCH 58/91] Update config --- .../108-mssql-vm/configuration.tfvars | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars index 428dc8ddd7..e04601c8b2 100644 --- a/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars +++ b/examples/compute/virtual_machine/108-mssql-vm/configuration.tfvars @@ -215,17 +215,18 @@ virtual_machines = { sql_password_key = "sql-password" } - keyvault_credential = { - name = "sqlkv_credentials" - # lz_key = "" - keyvault_key = "sql_cred_kv" # get url from here - service_principal_secrets = { # sp secret to access the kv above - # lz_key = "" - keyvault_key = "sp_secrets" # get url from here - sp_client_id_key = "sp-client-id" - sp_client_secret_key = "sp-client-secret" - } - } + # To be implemented in 5.5. Do not uncomment + # keyvault_credential = { + # name = "sqlkv_credentials" + # # lz_key = "" + # keyvault_key = "sql_cred_kv" # get url from here + # service_principal_secrets = { # sp secret to access the kv above + # # lz_key = "" + # keyvault_key = "sp_secrets" # get url from here + # sp_client_id_key = "sp-client-id" + # sp_client_secret_key = "sp-client-secret" + # } + # } } From afe364bfe0cbec5a4d50fcc8716c260f90fd461d Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 16 Sep 2021 07:01:26 +0000 Subject: [PATCH 59/91] comment until solution to remove lock in CI --- .../configuration.tfvars | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars index 7a31be827b..145b641370 100755 --- a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars 
+++ b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars @@ -115,10 +115,11 @@ storage_accounts = { } } - backup = { - vault_key = "asr1" - # lz_key = "" - } + # commented for CI as Azure backup put a lock on the storage account that prevent it to be deleted. + # backup = { + # vault_key = "asr1" + # # lz_key = "" + # } tags = { environment = "dev" From bf16c184ea40c3acfed657a83f64d9f327a4beb9 Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 16 Sep 2021 16:25:36 +0800 Subject: [PATCH 60/91] Remove backup --- .../configuration.tfvars | 32 ------------------- 1 file changed, 32 deletions(-) diff --git a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars index 145b641370..6b3e2658fc 100755 --- a/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars +++ b/examples/storage_accounts/107-storage-account-management-policy/configuration.tfvars @@ -115,12 +115,6 @@ storage_accounts = { } } - # commented for CI as Azure backup put a lock on the storage account that prevent it to be deleted. - # backup = { - # vault_key = "asr1" - # # lz_key = "" - # } - tags = { environment = "dev" team = "IT" @@ -128,29 +122,3 @@ storage_accounts = { } } -recovery_vaults = { - asr1 = { - name = "asr-container-protection" - resource_group_key = "test" - - region = "region1" - backup_policies = { - - fs = { - policy1 = { - name = "FSBackupPolicy1" - vault_key = "asr1" - rg_key = "primary" - timezone = "UTC" - backup = { - frequency = "Daily" - time = "23:00" - } - retention_daily = { - count = 10 - } - } - } - } - } -} \ No newline at end of file From 77a1b199a55637e55e877dee691a9239effcbf7e Mon Sep 17 00:00:00 2001 
From: Abdul Rabbani Date: Mon, 20 Sep 2021 17:08:24 -0400 Subject: [PATCH 61/91] Support for legacy VM creation --- .../configuration.tfvars | 294 ++++++++++++++++++ modules/compute/virtual_machine/main.tf | 2 +- modules/compute/virtual_machine/vm_legacy.tf | 225 ++++++++++++++ modules/compute/virtual_machine/vm_linux.tf | 6 +- modules/compute/virtual_machine/vm_windows.tf | 8 +- .../virtual_machine/vm_windows_winrm_self.tf | 4 +- 6 files changed, 529 insertions(+), 10 deletions(-) create mode 100644 examples/compute/virtual_machine/109-legacy-vm-creation/configuration.tfvars create mode 100644 modules/compute/virtual_machine/vm_legacy.tf diff --git a/examples/compute/virtual_machine/109-legacy-vm-creation/configuration.tfvars b/examples/compute/virtual_machine/109-legacy-vm-creation/configuration.tfvars new file mode 100644 index 0000000000..6d61bd748b --- /dev/null +++ b/examples/compute/virtual_machine/109-legacy-vm-creation/configuration.tfvars 
@@ -0,0 +1,294 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus2" + } +} + + +resource_groups = { + vm_sg = { + name = "test-vm-sg" + location = "eastus2" + useprefix = true + } + vnet_sg = { + name = "test-networking-sg" + location = "eastus2" + useprefix = true + } +} + +# Virtual machines +virtual_machines = { + + vm_1 = { + tags = { + env = "dev" + } + resource_group_key = "vm_sg" + + os_type = "legacy" + keyvault_key = "example_vm_rg1" + + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "hub_sg" + subnet_key = "jumpbox" + # public_address_key = "" + name = "nic0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + } + } + + virtual_machine_settings = { + legacy = { + name = "vm_1" + resource_group_key = "vm_sg" + size = "Standard_E48s_v3" + admin_username = "cloud-user" + #zones = "" + delete_os_disk_on_termination = true + delete_data_disks_on_termination = true + + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic0"] + + os_disk = { + name = "vm_1-os" + caching = "ReadWrite" + disk_size_gb = "64" + create_option = "FromImage" + operating_system_type = "Linux" + } + + os_profile_linux_config = { + disable_password_authentication = true + } + + source_image_reference = { + #publisher = "Canonical" + #offer = "UbuntuServer" + #sku = "16.04-LTS" + #version = "latest" + custom_image_id = "some_image_id" + } + + plan = { + name = "rhel-lvm84-gen2" + product = "rhel-byos" + publisher = "redhat" + } + + storage_data_disk = { + lun0 = { + name = "vm_1-lun0" + create_option = "FromImage" + disk_size_gb = "65" + lun = 0 + caching = "ReadWrite" + } + lun1 = { + name = "vm_1-lun1" + create_option = "FromImage" + disk_size_gb = "65" + lun = 1 + caching = "ReadWrite" + managed_disk_type = "Premium_LRS" + } + lun2 = { + name = "vm_1-lun2" + create_option = "FromImage" + disk_size_gb = "65" + lun = 2 + caching = "ReadWrite" + } + } + } + } + }, + vm_2 = { + tags = { + env = "dev" + } + resource_group_key = "vm_sg" + + os_type = "legacy" + keyvault_key = "example_vm_rg1" + + networking_interfaces = { + nic1 = { + # Value of the keys from networking.tfvars + vnet_key = "hub_sg" + subnet_key = "jumpbox" + # public_address_key = "" + name = "nic1" + enable_ip_forwarding = false + internal_dns_name_label = "nic1" + } + } + + virtual_machine_settings = { + legacy = { + name = "vm_2" + resource_group_key = "vm_sg" + size = "Standard_E48s_v3" + admin_username_key = "vmadmin-username" + admin_password_key = "vmadmin-password" + delete_os_disk_on_termination = true + delete_data_disks_on_termination = true + license_type = "Windows_Server" + + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic1"] + + os_disk = { + name = "vm_2-os" + caching = "ReadWrite" + disk_size_gb = "127" + create_option = "FromImage" + operating_system_type = "Windows" + } + + os_profile_windows_config = { + provision_vm_agent = true + enable_automatic_upgrades = true + timezone = "Central Standard Time" + #winrm = { + # winrm_1 = { + # protocol = "HTTPS" + # } + #} + #additional_unattend_config = { + # additional_unattend_config_1 = { + # pass = "oobeSystem" + # component = "Microsoft-Windows-Shell-Setup" + # setting_name = "FirstLogonCommands" + # content = "idk" + # } + #} + } + + #additional_capabilities = { + # ultra_ssd_enabled = true + #} + + #winrm = { + # enable_self_signed = true + #} + + storage_image_reference = { + #publisher = "MicrosoftWindowsServer" + #offer = "WindowsServer" + #sku = "2019-Datacenter" + #version = "latest" + custom_image_id = "some_image_id" + } + + storage_data_disk = { + lun0 = { + name = "vm_2-lun0" + create_option = "Empty" + disk_size_gb = "65" + lun = 0 + caching = "ReadWrite" + } + lun1 = { + name = "vm_2-lun1" + create_option = "Empty" + disk_size_gb = "65" + lun = 1 + caching = "ReadWrite" + managed_disk_type = "Premium_LRS" + } + lun2 = { + name = "vm_2-lun2" + create_option = "Empty" + disk_size_gb = "65" + lun = 2 + caching = "ReadWrite" + } + lun3 = { + name = "vm_2-lun3" + create_option = "Empty" + disk_size_gb = "65" + lun = 2 + caching = "ReadWrite" + } + } + } + } + } +} + +## Networking configuration +vnets = { + hub_sg = { + resource_group_key = "vnet_sg" + location = "eastus2" + vnet = { + name = "hub" + address_space = ["10.10.100.0/24"] + } + specialsubnets = { + } + subnets = { + jumpbox = { + name = "jumpbox" + cidr = ["10.10.100.0/25"] + nsg_name = "jumpbox_nsg" + nsg = [] + } + + } + diags = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 
60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } + } +} + +dynamic_keyvault_secrets = { + example_vm_rg1 = { # Key of the keyvault + vmadmin-username = { + secret_name = "vmadmin-username" + value = "vmadmin" + } + vmadmin-password = { + secret_name = "vmadmin-password" + value = "Very@Str5ngP!44w0rdToChaNge#" + } + domain-join-username = { + secret_name = "domain-join-username" + value = "domainjoinuser@contoso.com" + } + domain-join-password = { + secret_name = "domain-join-password" + value = "MyDoma1nVery@Str5ngP!44w0rdToChaNge#" + } + } +} + +keyvaults = { + example_vm_rg1 = { + name = "vmsecrets" + resource_group_key = "vm_sg" + sku_name = "standard" + creation_policies = { + logged_in_user = { + certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"] + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + } + } + } +} + + diff --git a/modules/compute/virtual_machine/main.tf b/modules/compute/virtual_machine/main.tf index 1b230731da..b7739331b2 100755 --- a/modules/compute/virtual_machine/main.tf +++ b/modules/compute/virtual_machine/main.tf @@ -11,7 +11,7 @@ terraform { locals { os_type = lower(var.settings.os_type) # Generate SSH Keys only if a public one is not provided - create_sshkeys = local.os_type == "linux" && try(var.settings.public_key_pem_file == "", true) + create_sshkeys = (local.os_type == "linux" || local.os_type == "legacy") && try(var.settings.public_key_pem_file == "", true) module_tag = { "module" = basename(abspath(path.module)) } diff --git a/modules/compute/virtual_machine/vm_legacy.tf b/modules/compute/virtual_machine/vm_legacy.tf new file mode 100644 index 0000000000..455bf67cf7 --- /dev/null +++ b/modules/compute/virtual_machine/vm_legacy.tf 
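Review bot: Several keys in this example do not match what the new vm_legacy.tf reads, so parts of the configuration would be silently ignored: vm_1 sets `source_image_reference` while the module's dynamic block is driven by `each.value.storage_image_reference`, both VMs set `os_disk.operating_system_type` while the module reads `os_disk.operating_system`, and `storage_data_disk` is nested under `virtual_machine_settings.legacy` while the module iterates `var.settings.storage_data_disk`. In vm_2, `lun3` is declared with `lun = 2`, which collides with `lun2`; it should read `lun = 3`. The `custom_image_id = "some_image_id"` placeholders mean the example cannot apply as written, which deserves a comment at the top of the file, e.g. `# Replace custom_image_id with the resource id of an existing image before applying`.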
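Review bot: `create_sshkeys` is now true for every `legacy` VM, including Windows ones such as vm_2 in the new example, so `tls_private_key.ssh` and the `ssh_private_key`/`ssh_public_key_openssh` Key Vault secrets in vm_linux.tf are generated for machines that never use them; the two vm_linux.tf hunks that add the `legacy_computer_name` fallback are where this shows up. A narrower condition would be `create_sshkeys = (local.os_type == "linux" || (local.os_type == "legacy" && can(var.settings.virtual_machine_settings["legacy"].os_profile_linux_config))) && try(var.settings.public_key_pem_file == "", true)`. The `locals` block continues outside the hunk.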
@@ -0,0 +1,225 @@ +# Name of the VM in the Azure Control Plane +resource "azurecaf_name" "legacy" { + for_each = local.os_type == "legacy" ? var.settings.virtual_machine_settings : {} + + name = each.value.name + resource_type = "azurerm_virtual_machine" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} + + +# Name of the Linux computer name +resource "azurecaf_name" "legacy_computer_name" { + depends_on = [azurerm_network_interface.nic, azurerm_network_interface_security_group_association.nic_nsg] + for_each = local.os_type == "legacy" ? var.settings.virtual_machine_settings : {} + + name = try(each.value.computer_name, each.value.name) + resource_type = "azurerm_virtual_machine" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} + +resource "azurerm_virtual_machine" "vm" { + for_each = local.os_type == "legacy" ? var.settings.virtual_machine_settings : {} + + name = each.value.name + location = var.location + resource_group_name = var.resource_group_name + vm_size = each.value.size + network_interface_ids = local.nic_ids + zones = try([each.value.zones], null) + tags = merge(local.tags, try(each.value.tags, null)) + delete_os_disk_on_termination = try(each.value.delete_os_disk_on_termination, null) + delete_data_disks_on_termination = try(each.value.delete_data_disks_on_termination, null) + + # dynamic + os_profile { + computer_name = azurecaf_name.legacy_computer_name[each.key].result + admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username + admin_password = try(each.value.admin_password_key, null) == null ? 
random_password.legacy[local.os_type].result : local.admin_password + } + + # os_profile_secrets + + dynamic "os_profile_linux_config" { + for_each = try(each.value.os_profile_linux_config, null) == null ? [] : [1] + + content { + disable_password_authentication = try(each.value.os_profile_linux_config.disable_password_authentication, true) + + dynamic "ssh_keys" { + for_each = each.value.os_profile_linux_config.disable_password_authentication == false ? [] : [1] + + content { + key_data = local.create_sshkeys ? tls_private_key.ssh[each.key].public_key_openssh : file(var.settings.public_key_pem_file) + path = "/home/${each.value.admin_username}/.ssh/authorized_keys" + } + } + } + } + + dynamic "os_profile_secrets" { + for_each = try(each.value.winrm.enable_self_signed, false) == false ? [] : [1] + + content { + + source_vault_id = local.keyvault.id + + # WinRM certificate + dynamic "vault_certificates" { + for_each = try(each.value.winrm.enable_self_signed, false) == false ? [] : [1] + + content { + certificate_url = azurerm_key_vault_certificate.self_signed_winrm[each.key].secret_id + certificate_store = "My" + } + } + } + } + + dynamic "os_profile_windows_config" { + for_each = try(each.value.os_profile_windows_config, null) == null ? 
[] : [1] + + content { + provision_vm_agent = try(each.value.os_profile_windows_config.provision_vm_agent, null) + enable_automatic_upgrades = try(each.value.os_profile_windows_config.enable_automatic_upgrades, null) + timezone = try(each.value.os_profile_windows_config.timezone, null) + + dynamic "winrm" { + for_each = { + for key, value in try(each.value.os_profile_windows_config.winrm, {}) : key => value + } + + content { + protocol = winrm.value.protocol + certificate_url = try(winrm.value.certificate_url, null) + } + + } + + dynamic "additional_unattend_config" { + for_each = { + for key, value in try(each.value.os_profile_windows_config.additional_unattend_config, {}) : key => value + } + + content { + pass = additional_unattend_config.value.pass + component = additional_unattend_config.value.component + setting_name = additional_unattend_config.value.setting_name + content = additional_unattend_config.value.content + } + } + } + } + + availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) + + dynamic "boot_diagnostics" { + for_each = try(var.boot_diagnostics_storage_account != null ? [1] : var.global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics == true ? [1] : [], []) + + content { + storage_uri = var.boot_diagnostics_storage_account == "" ? null : var.boot_diagnostics_storage_account + enabled = true + } + } + + dynamic "additional_capabilities" { + for_each = try(each.value.additional_capabilities, null) == null ? 
[] : [1] + + content { + ultra_ssd_enabled = each.value.additional_capabilities.ultra_ssd_enabled + } + + } + + proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) + + storage_os_disk { + caching = try(each.value.os_disk.caching, null) + disk_size_gb = try(each.value.os_disk.disk_size_gb, null) + name = try(each.value.os_disk.name, null) + write_accelerator_enabled = try(each.value.os_disk.write_accelerator_enabled, false) + create_option = each.value.os_disk.create_option + image_uri = try("${each.value.storage_image_reference.publisher}:${each.value.storage_image_reference.offer}:${each.value.storage_image_reference.sku}:${each.value.storage_image_reference.version}", null) + os_type = try(each.value.os_disk.operating_system, null) + managed_disk_id = try(each.value.os_disk.managed_disk_id, null) + managed_disk_type = try(each.value.os_disk.managed_disk_type, null) + vhd_uri = try(each.value.os_disk.vhd_uri, null) + } + + dynamic "storage_image_reference" { + for_each = try(each.value.storage_image_reference, false) == false ? [] : [1] + + content { + publisher = try(each.value.storage_image_reference.publisher, null) + offer = try(each.value.storage_image_reference.offer, null) + sku = try(each.value.storage_image_reference.sku, null) + version = try(each.value.storage_image_reference.version, null) + id = try(each.value.storage_image_reference.custom_image_id, var.custom_image_ids[each.value.lz_key][each.value.custom_image_key].id, null) + } + } + + dynamic "plan" { + for_each = try(each.value.plan, false) == false ? 
[] : [1] + + content { + name = each.value.plan.name + product = each.value.plan.product + publisher = each.value.plan.publisher + } + } + + dynamic "storage_data_disk" { + for_each = { + for key, value in try(var.settings.storage_data_disk, {}) : key => value + } + content { + name = storage_data_disk.value.name + caching = try(storage_data_disk.value.caching, null) + create_option = storage_data_disk.value.create_option + disk_size_gb = try(storage_data_disk.value.disk_size_gb) + lun = storage_data_disk.value.name + write_accelerator_enabled = try(storage_data_disk.value.write_accelerator_enabled, null) + managed_disk_type = try(storage_data_disk.value.managed_disk_type, null) + managed_disk_id = try(storage_data_disk.value.managed_disk_id, null) + vhd_uri = try(storage_data_disk.value.vhd_uri, null) + } + } + + + dynamic "identity" { + for_each = try(each.value.identity, false) == false ? [] : [1] + + content { + type = each.value.identity.type + identity_ids = local.managed_identities + } + } + + license_type = try(each.value.license_type, null) + + lifecycle { + ignore_changes = [ + storage_os_disk[0].name + ] + } + +} + +resource "random_password" "legacy" { + for_each = (local.os_type == "legacy") && (try(var.settings.virtual_machine_settings["legacy"].admin_password_key, null) == null) ? var.settings.virtual_machine_settings : {} + length = 123 + min_upper = 2 + min_lower = 2 + min_special = 2 + number = true + special = true + override_special = "!@#$%&" +} \ No newline at end of file diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index bf8281547d..aa1970f13a 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
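Review bot: The `ssh_keys.path` line builds `/home/${each.value.admin_username}/.ssh/authorized_keys` directly from `each.value.admin_username`, which is absent when the username is supplied through `admin_username_key` (the case `os_profile.admin_username` already handles a few lines earlier), so that combination fails at plan. Three further lines look inconsistent with the rest of the file: `storage_data_disk` iterates `var.settings.storage_data_disk` instead of `each.value.storage_data_disk` so per-VM data disks are never created, `disk_size_gb = try(storage_data_disk.value.disk_size_gb)` has no fallback and still errors when the key is missing, and `random_password.legacy[local.os_type]` only works because the settings key happens to equal the os_type string where `each.key` is the intended index. If the generated password is not written to Key Vault elsewhere in the module it exists only in state, which is worth a comment on `random_password.legacy`. The rewritten lines are below.
```hcl
  # … unchanged: os_profile computer_name / admin_username …
  admin_password = try(each.value.admin_password_key, null) == null ? random_password.legacy[each.key].result : local.admin_password
  # … unchanged: os_profile_linux_config up to ssh_keys.key_data …
  path = "/home/${try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username}/.ssh/authorized_keys"
  # … unchanged: os_profile_secrets, os_profile_windows_config, boot_diagnostics, storage_os_disk, storage_image_reference, plan …
  dynamic "storage_data_disk" {
    for_each = try(each.value.storage_data_disk, {})
    content {
      # … unchanged: name, caching, create_option …
      disk_size_gb = try(storage_data_disk.value.disk_size_gb, null)
      # … unchanged: lun, write_accelerator_enabled, managed_disk_type, managed_disk_id, vhd_uri …
    }
  }
```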
@@ -2,7 +2,7 @@ locals { dynamic_custom_data = { palo_alto_connection_string = { for item in var.settings.virtual_machine_settings: - item.name => base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}") + item.name => try(base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}"), null) } } } 
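Review bot: Wrapping the whole expression in `try(..., null)` turns a misconfigured `palo_alto_connection_string` (a storage_account, file_share or file_share_directory key that does not exist) into a silent null instead of a plan error, and the base64 string it builds carries `primary_access_key` in clear inside `custom_data` and therefore in state. Guarding only the optional attribute keeps typos visible: `item.name => can(item.palo_alto_connection_string) ? base64encode(...) : null`, with the four lookups inside left unguarded. The `locals` block continues outside the hunk.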
@@ -172,7 +172,7 @@ resource "azurerm_linux_virtual_machine" "vm" { resource "azurerm_key_vault_secret" "ssh_private_key" { for_each = local.create_sshkeys ? var.settings.virtual_machine_settings : {} - name = format("%s-ssh-private-key", azurecaf_name.linux_computer_name[each.key].result) + name = try(format("%s-ssh-private-key", azurecaf_name.linux_computer_name[each.key].result), format("%s-ssh-private-key", azurecaf_name.legacy_computer_name[each.key].result)) value = tls_private_key.ssh[each.key].private_key_pem key_vault_id = local.keyvault.id @@ -187,7 +187,7 @@ resource "azurerm_key_vault_secret" "ssh_private_key" { resource "azurerm_key_vault_secret" "ssh_public_key_openssh" { for_each = local.create_sshkeys ? var.settings.virtual_machine_settings : {} - name = format("%s-ssh-public-key-openssh", azurecaf_name.linux_computer_name[each.key].result) + name = try(format("%s-ssh-public-key-openssh", azurecaf_name.linux_computer_name[each.key].result), format("%s-ssh-public-key-openssh", azurecaf_name.legacy_computer_name[each.key].result)) value = tls_private_key.ssh[each.key].public_key_openssh key_vault_id = local.keyvault.id diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 4d9cad521a..881d3e30b7 100755 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf 
@@ -225,24 +225,24 @@ locals { # With for_each it is not possible to change the provider's subscription at runtime so using the following pattern. # data "external" "windows_admin_username" { - count = try(var.settings.virtual_machine_settings["windows"].admin_username_key, null) == null ? 0 : 1 + count = try(var.settings.virtual_machine_settings["windows"].admin_username_key, var.settings.virtual_machine_settings["legacy"].admin_password_key, null) == null ? 0 : 1 program = [ "bash", "-c", format( "az keyvault secret show --name '%s' --vault-name '%s' --query '{value: value }' -o json", - var.settings.virtual_machine_settings["windows"].admin_username_key, + try(var.settings.virtual_machine_settings["windows"].admin_username_key, var.settings.virtual_machine_settings["legacy"].admin_username_key, null), local.keyvault.name ) ] } data "external" "windows_admin_password" { - count = try(var.settings.virtual_machine_settings["windows"].admin_password_key, null) == null ? 0 : 1 + count = try(var.settings.virtual_machine_settings["windows"].admin_password_key, var.settings.virtual_machine_settings["legacy"].admin_password_key, null) == null ? 0 : 1 program = [ "bash", "-c", format( "az keyvault secret show -n '%s' --vault-name '%s' --query '{value: value }' -o json", - var.settings.virtual_machine_settings["windows"].admin_password_key, + try(var.settings.virtual_machine_settings["windows"].admin_password_key, var.settings.virtual_machine_settings["legacy"].admin_password_key), local.keyvault.name ) ] diff --git a/modules/compute/virtual_machine/vm_windows_winrm_self.tf b/modules/compute/virtual_machine/vm_windows_winrm_self.tf index 1607a2971d..371b83c666 100755 --- a/modules/compute/virtual_machine/vm_windows_winrm_self.tf +++ b/modules/compute/virtual_machine/vm_windows_winrm_self.tf 
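Review bot: The new `count` for `windows_admin_username` falls back to `virtual_machine_settings["legacy"].admin_password_key`, while the `program` line below reads `["legacy"].admin_username_key`; a legacy VM that sets only a username key therefore gets no data source, and one that sets only a password key gets a data source whose secret name is null. The count should read `count = try(var.settings.virtual_machine_settings["windows"].admin_username_key, var.settings.virtual_machine_settings["legacy"].admin_username_key, null) == null ? 0 : 1`. The secret name is also spliced into a `bash -c` string via `format()`; passing it as its own argv element to a small script would avoid quoting surprises.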
@@ -5,7 +5,7 @@ resource "azurerm_key_vault_certificate" "self_signed_winrm" { if try(value.winrm.enable_self_signed, false) == true } - name = format("%s-winrm-cert", azurecaf_name.windows[each.key].result) + name = try(format("%s-winrm-cert", azurecaf_name.windows[each.key].result), format("%s-winrm-cert", azurecaf_name.legacy[each.key].result)) key_vault_id = local.keyvault.id tags = try(merge(var.base_tags, try(each.value.tags, null)), null) @@ -45,7 +45,7 @@ resource "azurerm_key_vault_certificate" "self_signed_winrm" { "keyEncipherment", ] - subject = format("CN=%s", azurecaf_name.windows[each.key].result) + subject = try(format("CN=%s", azurecaf_name.windows[each.key].result), format("CN=%s", azurecaf_name.legacy[each.key].result)) validity_in_months = 12 subject_alternative_names { From de5e4558667c29496d746d857abc887f562c8d3d Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Tue, 21 Sep 2021 02:26:48 +0000 Subject: [PATCH 62/91] add instant_restore_retention_days support and example --- modules/recovery_vault/backup_policies_vm.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/recovery_vault/backup_policies_vm.tf b/modules/recovery_vault/backup_policies_vm.tf index 2bf21ed6ff..18f18aae15 100644 --- a/modules/recovery_vault/backup_policies_vm.tf +++ b/modules/recovery_vault/backup_policies_vm.tf 
@@ -4,11 +4,11 @@ resource "azurerm_backup_policy_vm" "vm" { for_each = try(var.settings.backup_policies.vms, {}) - name = each.value.name - resource_group_name = var.resource_group_name - recovery_vault_name = azurerm_recovery_services_vault.asr.name - - timezone = try(each.value.timezone, null) + name = each.value.name + resource_group_name = var.resource_group_name + recovery_vault_name = azurerm_recovery_services_vault.asr.name + instant_restore_retention_days = try(each.value.instant_restore_retention_days, null) + timezone = try(each.value.timezone, null) dynamic "backup" { for_each = lookup(each.value, "backup", null) == null ? [] : [1] From 29ff4903914ab89df05fbbf3533d3ad9cd1829a3 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Tue, 21 Sep 2021 02:29:50 +0000 Subject: [PATCH 63/91] update config example rsv --- examples/recovery_vault/101-simple-asrv/configuration.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/recovery_vault/101-simple-asrv/configuration.tfvars b/examples/recovery_vault/101-simple-asrv/configuration.tfvars index a86389bc75..93ae7a33c5 100644 --- a/examples/recovery_vault/101-simple-asrv/configuration.tfvars +++ b/examples/recovery_vault/101-simple-asrv/configuration.tfvars @@ -35,6 +35,7 @@ recovery_vaults = { vault_key = "asr1" rg_key = "primary" timezone = "UTC" + instant_restore_retention_days = 5 backup = { frequency = "Daily" time = "23:00" From a9c3357b968b76513daca5a1b375f153cf90bcbb Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 22 Sep 2021 09:18:34 +0000 Subject: [PATCH 64/91] Update to custom data order --- modules/compute/virtual_machine/vm_linux.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 48ad158e9b..bbab4e8e30 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
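Review bot: `instant_restore_retention_days` is passed straight through from settings with no comment on its accepted range; the provider rejects values outside a small bounded window (1–5 days for the classic policy type, as far as I recall), so a bad value only surfaces at apply. A short attribute comment such as `# Azure accepts a bounded range here; check the provider docs for the limits of your policy type` would save a round trip. The resource block continues outside the hunk.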
@@ -76,8 +76,8 @@ resource "azurerm_linux_virtual_machine" "vm" { zone = try(each.value.zone, null) custom_data = try( - try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)), local.dynamic_custom_data[each.value.custom_data][each.value.name], + try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)), null ) From 7a2391490409516cfdcf33367cc5bbe5af2f6f7c Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 22 Sep 2021 11:16:59 +0000 Subject: [PATCH 65/91] rover preview update --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/master-standalone-tf100-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf100.yaml | 4 ++-- rover_on_ssh_host.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index d662261ad7..63acc30e56 100755 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover-preview:1.0.6-2109.070742 + image: aztfmod/rover-preview:1.0.7-2109.210406 user: vscode labels: diff --git a/.github/workflows/master-standalone-tf100-longrunners.yaml b/.github/workflows/master-standalone-tf100-longrunners.yaml index ab1d2706b4..2c17eaf6a5 100755 --- a/.github/workflows/master-standalone-tf100-longrunners.yaml +++ b/.github/workflows/master-standalone-tf100-longrunners.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover-preview:1.0.6-2109.070742 + image: aztfmod/rover-preview:1.0.7-2109.210406 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover-preview:1.0.6-2109.070742 + image: aztfmod/rover-preview:1.0.7-2109.210406 options: --user 0 steps: 
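Review bot: Moving the `local.dynamic_custom_data[...]` lookup first changes what a null entry means: since `try()` returns the first expression that does not error, a dynamic entry that resolves to null (which the earlier vm_linux.tf change in this series now produces when the storage lookup fails) yields `custom_data = null` rather than falling through to the file or inline forms. If that is intended it deserves a comment, e.g. `# dynamic entries win over file/inline custom_data; a null entry disables custom_data entirely`, otherwise the lookup should be made to error on null. The resource block continues outside the hunk.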
diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index a9de8b5535..864aa2cee2 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover-preview:1.0.6-2109.070742 + image: aztfmod/rover-preview:1.0.7-2109.210406 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover-preview:1.0.6-2109.070742 + image: aztfmod/rover-preview:1.0.7-2109.210406 options: --user 0 steps: diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index 7cbbb0bc22..85769d0275 100644 --- a/rover_on_ssh_host.yml +++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: - image: aztfmod/rover-preview:1.0.6-2109.070742 + image: aztfmod/rover-preview:1.0.7-2109.210406 user: vscode From d66701949b75cbc80cb91da7e17a852a5d13c3f9 Mon Sep 17 00:00:00 2001 From: Abdul Rabbani Date: Wed, 22 Sep 2021 12:00:27 -0400 Subject: [PATCH 66/91] Update the lun value One value update did not make the previous PR --- modules/compute/virtual_machine/vm_legacy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_legacy.tf b/modules/compute/virtual_machine/vm_legacy.tf index 455bf67cf7..c85828a3e0 100644 --- a/modules/compute/virtual_machine/vm_legacy.tf +++ b/modules/compute/virtual_machine/vm_legacy.tf 
@@ -185,7 +185,7 @@ resource "azurerm_virtual_machine" "vm" { caching = try(storage_data_disk.value.caching, null) create_option = storage_data_disk.value.create_option disk_size_gb = try(storage_data_disk.value.disk_size_gb) - lun = storage_data_disk.value.name + lun = storage_data_disk.value.lun write_accelerator_enabled = try(storage_data_disk.value.write_accelerator_enabled, null) managed_disk_type = try(storage_data_disk.value.managed_disk_type, null) managed_disk_id = try(storage_data_disk.value.managed_disk_id, null) From 5390842b37bb5fc4332f920ade94c44118b8e236 Mon Sep 17 00:00:00 2001 From: gaofei88 Date: Thu, 23 Sep 2021 20:50:14 +1200 Subject: [PATCH 67/91] Setting correct value of url --- modules/networking/application_gateway/application_gateway.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index 6effc46c39..1845fbe132 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -322,7 +322,7 @@ resource "azurerm_application_gateway" "agw" { } } dynamic "url" { - for_each = try(rewrite_rule.value.url, null) == null ? [] : [1] + for_each = try(rewrite_rule.value.url, null) == null ? [] : [rewrite_rule.value.url] content { path = try(url.value.path, null) query_string = try(url.value.query_string, null) @@ -337,4 +337,4 @@ resource "azurerm_application_gateway" "agw" { output "certificate_keys" { value = local.certificate_keys -} \ No newline at end of file +} From d1624f96b4b902a89cf68a68bb433a28a1f24f04 Mon Sep 17 00:00:00 2001 From: gaofei88 Date: Thu, 23 Sep 2021 21:02:04 +1200 Subject: [PATCH 68/91] simplify code --- modules/networking/application_gateway/application_gateway.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index 1845fbe132..6aa7a32abd 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -322,7 +322,7 @@ resource "azurerm_application_gateway" "agw" { } } dynamic "url" { - for_each = try(rewrite_rule.value.url, null) == null ? [] : [rewrite_rule.value.url] + for_each = try([rewrite_rule.value.url], []) content { path = try(url.value.path, null) query_string = try(url.value.query_string, null) From 345d339e9edefb16a213ec7fcc58ce759aa8cbaa Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 23 Sep 2021 10:01:02 +0000 Subject: [PATCH 69/91] Add lifecycle to prevent destroy-recreate --- .../access_policy/access_policy.tf | 2 +- .../managed_identity/managed_identity.tf | 6 +++++ modules/storage_account/storage_account.tf | 6 +++++ storage_accounts.tf | 22 +++++++++---------- 4 files changed, 24 insertions(+), 12 deletions(-) diff --git a/modules/security/keyvault_access_policies/access_policy/access_policy.tf b/modules/security/keyvault_access_policies/access_policy/access_policy.tf index 449cdc77cf..3a917fe79a 100755 --- a/modules/security/keyvault_access_policies/access_policy/access_policy.tf +++ b/modules/security/keyvault_access_policies/access_policy/access_policy.tf @@ -13,6 +13,6 @@ resource "azurerm_key_vault_access_policy" "policy" { } lifecycle { - ignore_changes = [key_vault_id] + ignore_changes = [key_vault_id, object_id] } } diff --git a/modules/security/managed_identity/managed_identity.tf b/modules/security/managed_identity/managed_identity.tf index 928e0c926e..957ed5b6ce 100644 --- a/modules/security/managed_identity/managed_identity.tf +++ b/modules/security/managed_identity/managed_identity.tf 
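Review bot: `try([rewrite_rule.value.url], [])` no longer distinguishes an absent `url` from one explicitly set to null: `url = null` now produces `[null]`, so a `url` block is emitted with every attribute resolving to null, where the previous form `== null ? [] : [...]` emitted none. If the provider accepts an all-null block this is harmless, but a comment saying so, e.g. `# an explicit "url = null" still yields one block with null attributes`, would prevent a later "fix". The enclosing `rewrite_rule` block starts outside the hunk.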
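Review bot: Adding `object_id` to `ignore_changes` means a changed principal in configuration no longer updates the access policy, so the identity granted first keeps its Key Vault permissions until someone removes them by hand; `key_vault_id` and `object_id` together identify the policy, so this effectively freezes the grant to whatever was first applied. A comment stating why the drift is accepted, e.g. `# object_id ignored to avoid destroy/recreate on principal lookup churn; change principals by replacing the policy, not editing it`, would help, and periodically comparing the vault's access policies against the intended principals would catch stale grants. The resource block starts outside the hunk.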
@@ -38,6 +38,12 @@ resource "azurerm_user_assigned_identity" "msi" { ), {} ) + + lifecycle { + ignore_changes = [ + location, resource_group_name + ] + } } resource "time_sleep" "propagate_to_azuread" { diff --git a/modules/storage_account/storage_account.tf b/modules/storage_account/storage_account.tf index 4190d05343..3f65d8b96b 100755 --- a/modules/storage_account/storage_account.tf +++ b/modules/storage_account/storage_account.tf @@ -194,6 +194,12 @@ resource "azurerm_storage_account" "stg" { choice = try(var.storage_account.routing.choice, "MicrosoftRouting") } } + + lifecycle { + ignore_changes = [ + location, resource_group_name + ] + } } module "queue" { diff --git a/storage_accounts.tf b/storage_accounts.tf index 227646ca9a..53fd9b0786 100755 --- a/storage_accounts.tf +++ b/storage_accounts.tf 
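Review bot: `location` and `resource_group_name` are both replace-on-change attributes, so ignoring them means a resource whose configuration moves to another region or resource group is silently left where it is while state keeps the old values; the same applies to the storage_account.tf hunk in this commit. Neither hunk says why, which only the commit title hints at; a comment such as `# ignored so that resource-group lookup changes do not force destroy/recreate; moving the resource requires an explicit replace` on both blocks would preserve that intent. The resource blocks start outside the hunk.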
@@ -12,12 +12,12 @@ module "storage_accounts" { recovery_vaults = local.combined_objects_recovery_vaults private_dns = local.combined_objects_private_dns - location = coalesce( - try(local.global_settings.regions[each.value.region], null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location, null) + location = try( + local.global_settings.regions[each.value.region], + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].location, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].location, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].location, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].location ) base_tags = try(local.global_settings.inherit_tags, false) ? coalesce( try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].tags, null), 
@@ -25,11 +25,11 @@ module "storage_accounts" { try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].tags, null), try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].tags, null) ) : {} - resource_group_name = coalesce( - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, null), - try(local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null) + resource_group_name = try( + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group.key].name, + local.combined_objects_resource_groups[each.value.resource_group.lz_key][each.value.resource_group_key].name, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group.key].name, + local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name ) } From 236ebe683d5241523e70c1af0e96a17253b09216 Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 23 Sep 2021 10:08:02 +0000 Subject: [PATCH 70/91] Remove - in azure ad app when no prefix is used --- modules/azuread/applications_v1/azuread_application.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/azuread/applications_v1/azuread_application.tf b/modules/azuread/applications_v1/azuread_application.tf index b3700f827b..82258e8d52 100755 --- a/modules/azuread/applications_v1/azuread_application.tf +++ b/modules/azuread/applications_v1/azuread_application.tf 
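Review bot: The `resource_group_name` chain falls through to `local.client_config.landingzone_key` whenever the `lz_key` branches raise an error, so a mistyped `resource_group.key` in a remote-lz reference places the storage account in a same-named group of the current landing zone rather than failing the plan; the resource group is the RBAC and policy boundary, so that is a silent scope change. Consider making the remote branch strict by choosing the landing zone once and letting a missing key error out: `resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name`. The same applies to the `location` and `base_tags` lookups above. The module block starts before this hunk.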
@@ -1,6 +1,7 @@ resource "azuread_application" "app" { - display_name = var.global_settings.passthrough || try(var.settings.global_settings.passthrough, false) ? var.settings.application_name : format("%v-%s", try(var.global_settings.prefixes[0], ""), var.settings.application_name) + display_name = var.global_settings.passthrough || try(var.settings.global_settings.passthrough, false) ? var.settings.application_name : format("%v%s", try(format("%s-", var.global_settings.prefixes[0]), ""), var.settings.application_name) + owners = coalescelist( try(var.settings.owners, []), From 48a1d662e7d9d52226a0058a26a45228c38b6be3 Mon Sep 17 00:00:00 2001 From: lolorol Date: Fri, 24 Sep 2021 01:31:17 +0000 Subject: [PATCH 71/91] Update azurerm 2.78.0 + fix --- main.tf | 2 +- modules/analytics/synapse/workspace.tf | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 146c7412f8..6f60ab17d1 100755 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.76.0" + version = "~> 2.78.0" } azuread = { source = "hashicorp/azuread" diff --git a/modules/analytics/synapse/workspace.tf b/modules/analytics/synapse/workspace.tf index 85439034f8..d0ef56a783 100644 --- a/modules/analytics/synapse/workspace.tf +++ b/modules/analytics/synapse/workspace.tf @@ -21,7 +21,6 @@ resource "azurerm_synapse_workspace" "ws" { managed_virtual_network_enabled = try(var.settings.managed_virtual_network_enabled, false) sql_identity_control_enabled = try(var.settings.sql_identity_control_enabled, null) managed_resource_group_name = try(var.settings.managed_resource_group_name, null) - customer_managed_key_versionless_id = try(var.settings.customer_managed_key_versionless_id, null) tags = local.tags dynamic "aad_admin" { 
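Review bot: `try(format("%s-", var.global_settings.prefixes[0]), "")` only drops the dash when `prefixes` is empty or unset; a prefix list whose first element is `""` still yields `-<name>`, which is the case the commit title says it removes. Guarding on the value rather than on the index error covers both: `display_name = var.global_settings.passthrough || try(var.settings.global_settings.passthrough, false) ? var.settings.application_name : format("%v%s", try(var.global_settings.prefixes[0], "") == "" ? "" : "${var.global_settings.prefixes[0]}-", var.settings.application_name)`. The `owners` argument continues outside the hunk.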
@@ -46,6 +45,14 @@ resource "azurerm_synapse_workspace" "ws" { } } + dynamic "customer_managed_key" { + for_each = try(var.settings.customer_managed_key_versionless_id, null) == null ? [] : [1] + + content { + key_versionless_id = try(var.settings.customer_managed_key_versionless_id, null) + } + } + dynamic "github_repo" { for_each = try(var.settings.github_repo, {}) From 74f817ca811305b4f653be846b49d1ab27bd1bda Mon Sep 17 00:00:00 2001 From: Hieu Nguyen Nhu <5441003+hieumoscow@users.noreply.github.com> Date: Fri, 24 Sep 2021 14:04:08 +0800 Subject: [PATCH 72/91] Add private_cluster_public_fqdn_enabled AKS --- .../104-private-cluster/aks.tfvars | 4 ++-- .../104-private-cluster/networking.tfvars | 16 +++++++++------- modules/compute/aks/aks.tf | 7 ++++--- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars b/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars index 9f29c0d8a1..efc045cc3c 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/aks.tfvars @@ -31,7 +31,7 @@ aks_clusters = { # ids = [] # azuread_group_keys = ["aks_admins"] } - + private_cluster_public_fqdn_enabled = true load_balancer_profile = { # Only one option can be set managed_outbound_ip_count = 1 @@ -70,4 +70,4 @@ aks_clusters = { } } -} \ No newline at end of file +} diff --git a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars index b64fc2d494..3e017fcbac 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars 
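Review bot: The `customer_managed_key` block only passes the key URI; as far as I know a Synapse workspace created with a customer-managed key stays pending until its managed identity has been granted wrap/unwrap on that key and the workspace is activated, and nothing in this hunk grants or verifies that. Since that setup lives outside this module, a comment on the `dynamic` block would save the next reader a stuck deployment, e.g. `# Workspace identity needs Get/Wrap/Unwrap on the key and the workspace must be activated afterwards - handled outside this module (confirm)`. Also `try(var.settings.customer_managed_key_versionless_id, null)` is evaluated in both the guard and the content; a single local would keep them in sync. The resource body continues on both sides of the hunk.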
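Review bot: The example named "private-cluster" now sets `private_cluster_public_fqdn_enabled = true` with no explanation, while the module default added in `aks.tf` is `false`. As I understand the feature, AKS then publishes a public DNS record for the private API server that resolves to its private endpoint IP — reachability does not change, but the cluster's FQDN becomes publicly enumerable, so an example should say why it opts in: `# Publishes a public DNS name for the private API server (resolves to the private IP); needed only when clients cannot resolve the private DNS zone`. If the goal is just to exercise the new argument, say that instead. The enclosing `aks_clusters` map extends beyond the hunk.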
@@ -9,14 +9,16 @@ vnets = { specialsubnets = {} subnets = { aks_nodepool_system = { - name = "aks_nodepool_system" - cidr = ["100.64.48.0/24"] - nsg_key = "azure_kubernetes_cluster_nsg" + name = "aks_nodepool_system" + cidr = ["100.64.48.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + enforce_private_link_endpoint_network_policies = true } aks_nodepool_user1 = { - name = "aks_nodepool_user1" - cidr = ["100.64.49.0/24"] - nsg_key = "azure_kubernetes_cluster_nsg" + name = "aks_nodepool_user1" + cidr = ["100.64.49.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + enforce_private_link_endpoint_network_policies = true } aks_nodepool_user2 = { name = "aks_nodepool_user2" @@ -188,4 +190,4 @@ network_security_group_definition = { } ] } -} \ No newline at end of file +} diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index c9d76fd970..20ecfd5292 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf @@ -217,9 +217,10 @@ resource "azurerm_kubernetes_cluster" "aks" { } } - node_resource_group = azurecaf_name.rg_node.result - private_cluster_enabled = try(var.settings.private_cluster_enabled, false) - private_dns_zone_id = var.private_dns_zone_id + node_resource_group = azurecaf_name.rg_node.result + private_cluster_enabled = try(var.settings.private_cluster_enabled, false) + private_dns_zone_id = var.private_dns_zone_id + private_cluster_public_fqdn_enabled = try(var.settings.private_cluster_public_fqdn_enabled, false) lifecycle { ignore_changes = [ From cb7b2c4f2c2030a6e0a46589a01732d9d99909c0 Mon Sep 17 00:00:00 2001 
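Review bot: `enforce_private_link_endpoint_network_policies = true` on the two node-pool subnets does the opposite of what the name suggests: per the azurerm 2.x provider docs, `true` sets the subnet's private-endpoint network policies to Disabled, so the NSG referenced by `nsg_key` on the line above stops applying to private endpoints placed in those subnets. If allowing private endpoints in the node subnets is the intent, state the trade-off next to the setting, e.g. `# true = NSG/UDR are NOT enforced for private endpoints in this subnet (azurerm naming is inverted)`; if enforcing policies is the intent, drop the line or set it to `false`. Please confirm against the provider version pinned in `main.tf`. The `subnets` map continues outside the hunk.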
From: Arnaud Lheureux Date: Fri, 24 Sep 2021 11:10:16 +0000 Subject: [PATCH 73/91] rover 2109 release --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/master-standalone-tf100-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf100.yaml | 4 ++-- .github/workflows/master-standalone-tf14-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf14.yaml | 4 ++-- .github/workflows/master-standalone-tf15-longrunners.yaml | 4 ++-- .github/workflows/master-standalone-tf15.yaml | 4 ++-- rover_on_ssh_host.yml | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 63acc30e56..c08f608e60 100755 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover-preview:1.0.7-2109.210406 + image: aztfmod/rover:1.0.7-2109.2410 user: vscode labels: diff --git a/.github/workflows/master-standalone-tf100-longrunners.yaml b/.github/workflows/master-standalone-tf100-longrunners.yaml index 2c17eaf6a5..a240511311 100755 --- a/.github/workflows/master-standalone-tf100-longrunners.yaml +++ b/.github/workflows/master-standalone-tf100-longrunners.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover-preview:1.0.7-2109.210406 + image: aztfmod/rover:1.0.7-2109.2410 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover-preview:1.0.7-2109.210406 + image: aztfmod/rover:1.0.7-2109.2410 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf100.yaml b/.github/workflows/master-standalone-tf100.yaml index 864aa2cee2..377cd0317d 100755 --- a/.github/workflows/master-standalone-tf100.yaml +++ b/.github/workflows/master-standalone-tf100.yaml 
@@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover-preview:1.0.7-2109.210406 + image: aztfmod/rover:1.0.7-2109.2410 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover-preview:1.0.7-2109.210406 + image: aztfmod/rover:1.0.7-2109.2410 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf14-longrunners.yaml b/.github/workflows/master-standalone-tf14-longrunners.yaml index 32fa880355..aa53c4d50c 100755 --- a/.github/workflows/master-standalone-tf14-longrunners.yaml +++ b/.github/workflows/master-standalone-tf14-longrunners.yaml @@ -41,7 +41,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:0.14.11-2108.1802 + image: aztfmod/rover:0.14.11-2109.2410 options: --user 0 steps: @@ -66,7 +66,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.14.11-2108.1802 + image: aztfmod/rover:0.14.11-2109.2410 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf14.yaml b/.github/workflows/master-standalone-tf14.yaml index d4ecb026cc..32ac52af15 100755 --- a/.github/workflows/master-standalone-tf14.yaml +++ b/.github/workflows/master-standalone-tf14.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:0.14.11-2108.1802 + image: aztfmod/rover:0.14.11-2109.2410 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.14.11-2108.1802 + image: aztfmod/rover:0.14.11-2109.2410 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf15-longrunners.yaml b/.github/workflows/master-standalone-tf15-longrunners.yaml index 1a7fe543ab..933df06b28 100755 --- a/.github/workflows/master-standalone-tf15-longrunners.yaml +++ b/.github/workflows/master-standalone-tf15-longrunners.yaml 
@@ -41,7 +41,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:0.15.5-2108.1802 + image: aztfmod/rover:0.15.5-2109.2410 options: --user 0 steps: @@ -66,7 +66,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.15.5-2108.1802 + image: aztfmod/rover:0.15.5-2109.2410 options: --user 0 steps: diff --git a/.github/workflows/master-standalone-tf15.yaml b/.github/workflows/master-standalone-tf15.yaml index 8203fe4bc0..9783e20e03 100755 --- a/.github/workflows/master-standalone-tf15.yaml +++ b/.github/workflows/master-standalone-tf15.yaml @@ -42,7 +42,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:0.15.5-2108.1802 + image: aztfmod/rover:0.15.5-2109.2410 options: --user 0 steps: @@ -67,7 +67,7 @@ jobs: needs: examples container: - image: aztfmod/rover:0.15.5-2108.1802 + image: aztfmod/rover:0.15.5-2109.2410 options: --user 0 steps: diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index 85769d0275..8aa3ae361e 100644 --- a/rover_on_ssh_host.yml +++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: - image: aztfmod/rover-preview:1.0.7-2109.210406 + image: aztfmod/rover:1.0.7-2109.2410 user: vscode From 8d2cfaa227c7b8a80e825dd93393935cae26c564 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 24 Sep 2021 11:11:04 +0000 Subject: [PATCH 74/91] Updating scenarios --- .github/workflows/standalone-scenarios-additional.json | 7 ++++++- .github/workflows/standalone-scenarios.json | 6 ------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json index a051e89e8f..2c4ba4fa2d 100644 --- a/.github/workflows/standalone-scenarios-additional.json +++ b/.github/workflows/standalone-scenarios-additional.json 
@@ -1,7 +1,12 @@ { "config_files": [ - + "consumption_budget/100-consumption-budget-rg", + "consumption_budget/101-consumption-budget-subscription", + "consumption_budget/102-consumption-budget-rg-alerts", + "consumption_budget/103-consumption-budget-subscription-alerts", + "consumption_budget/104-consumption-budget-subscription-vm", + "consumption_budget/105-consumption-budget-subscription-aks", // Waiting for support to register arm provider - https://github.com/Azure/caf-terraform-landingzones/pull/238 "cognitive_services/100-cognitive-services-account" diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 666a83f472..9638d50d11 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -40,12 +40,6 @@ "compute/virtual_machine_scale_set/100-linux-win-vmss-lb", "compute/virtual_machine_scale_set/101-linux-win-vmss-agw", "compute/windows_virtual_desktop/wvd_resources", - "consumption_budget/100-consumption-budget-rg", - "consumption_budget/101-consumption-budget-subscription", - "consumption_budget/102-consumption-budget-rg-alerts", - "consumption_budget/103-consumption-budget-subscription-alerts", - "consumption_budget/104-consumption-budget-subscription-vm", - "consumption_budget/105-consumption-budget-subscription-aks", "cosmos_db/100-simple-cosmos-db-cassandra", "cosmos_db/100-simple-cosmos-db-gremlin", "cosmos_db/100-simple-cosmos-db-mongo", From 9d7695f6ed6102ef8b0e4dce90dc061633d47b5b Mon Sep 17 00:00:00 2001 From: gaofei88 Date: Sun, 26 Sep 2021 11:39:52 +1300 Subject: [PATCH 75/91] ensure single block of url --- .../networking/application_gateway/application_gateway.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index 6aa7a32abd..7c9fdb4602 100644 
--- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf @@ -322,11 +322,11 @@ resource "azurerm_application_gateway" "agw" { } } dynamic "url" { - for_each = try([rewrite_rule.value.url], []) + for_each = try(rewrite_rule.value.url, null) == null ? [] : [1] content { - path = try(url.value.path, null) - query_string = try(url.value.query_string, null) - reroute = try(url.value.reroute, null) + path = try(rewrite_rule.value.url.path, null) + query_string = try(rewrite_rule.value.url.query_string, null) + reroute = try(rewrite_rule.value.url.reroute, null) } } } From 8f60d140d0cf0207a630833f20611dbe83cf04cc Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 29 Sep 2021 10:10:17 +0000 Subject: [PATCH 76/91] Revert "Fixing #671" This reverts commit ba9baad73603dcf05ef31b4f109ea41cd9447676. --- .../100_pvtdns_vnetlink/configuration.tfvars | 3 +-- modules/networking/private_dns_vnet_link/module.tf | 7 +++++-- modules/networking/private_dns_vnet_link/variables.tf | 4 ---- networking_private_dns.tf | 10 +++------- 4 files changed, 9 insertions(+), 15 deletions(-) diff --git a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars index c38ed4cf25..8c7c9666dd 100644 --- a/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars +++ b/examples/networking/private_dns_vnet_link/100_pvtdns_vnetlink/configuration.tfvars @@ -14,13 +14,12 @@ resource_groups = { private_dns_vnet_links = { vnet_pvtdns_link1 = { - resource_group_key = "private_dns_region1" vnet_key = "vnet_test" #lz_key = "remote landing zone key for vnet" private_dns_zones = { dns_zone1 = { name = "dns1-lnk" - key = "dns1" + key = "dns1" #lz_key = "provide the landing zone key of private dns zone" } # dns_zone2 = { 
diff --git a/modules/networking/private_dns_vnet_link/module.tf b/modules/networking/private_dns_vnet_link/module.tf index 9ce62d333d..afd0ec0f47 100644 --- a/modules/networking/private_dns_vnet_link/module.tf +++ b/modules/networking/private_dns_vnet_link/module.tf @@ -13,8 +13,11 @@ resource "azurecaf_name" "pnetlk" { resource "azurerm_private_dns_zone_virtual_network_link" "vnet_links" { for_each = var.settings.private_dns_zones - name = azurecaf_name.pnetlk[each.key].result - resource_group_name = var.resource_group_name + name = azurecaf_name.pnetlk[each.key].result + resource_group_name = coalesce( + try(var.private_dns[each.value.lz_key][each.value.key].resource_group_name, null), + try(var.private_dns[var.client_config.landingzone_key][each.value.key].resource_group_name, null) + ) private_dns_zone_name = coalesce( try(var.private_dns[each.value.lz_key][each.value.key].name, null), try(var.private_dns[var.client_config.landingzone_key][each.value.key].name, null) diff --git a/modules/networking/private_dns_vnet_link/variables.tf b/modules/networking/private_dns_vnet_link/variables.tf index dcd28b76c7..c8a6ee6d65 100755 --- a/modules/networking/private_dns_vnet_link/variables.tf +++ b/modules/networking/private_dns_vnet_link/variables.tf @@ -20,8 +20,4 @@ variable "base_tags" { } variable "tags" { default = {} -} - -variable "resource_group_name" { - description = "Name of the existing resource group to deploy the resource." } \ No newline at end of file diff --git a/networking_private_dns.tf b/networking_private_dns.tf index 4ca28ecbdd..d9c1d40e92 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf 
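Review bot: Deriving `resource_group_name` from the zone rather than from configuration is the right revert — a virtual network link is a child resource of the private DNS zone, so it cannot live in a different group — but the hunk does not record that reasoning and the `coalesce` fails with a generic error when neither lookup succeeds. Add a comment above the lookup: `# A vnet link is a child of the private DNS zone, so its resource group is taken from the zone (remote lz first, then local lz).` The same fallback shape is used for `private_dns_zone_name` below: a mistyped `lz_key` silently resolves to a same-named zone in the local landing zone, so consider indexing `var.private_dns[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.key]` once and letting a missing key error out. The resource continues past the hunk.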
@@ -24,16 +24,12 @@ output "private_dns" { # module "private_dns_vnet_links" { - source = "./modules/networking/private_dns_vnet_link" - for_each = try(local.networking.private_dns_vnet_links, {}) - depends_on = [module.private_dns] + source = "./modules/networking/private_dns_vnet_link" + for_each = try(local.networking.private_dns_vnet_links, {}) + depends_on = [module.private_dns] base_tags = {} global_settings = local.global_settings - resource_group_name = coalesce( - try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].name, null), - try(local.combined_objects_resource_groups[local.client_config.landingzone_key][each.value.resource_group_key].name, null) - ) client_config = local.client_config virtual_network_id = coalesce( try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].id, null), From eea1c85fbe467efaa38d76aa51bf19a467dbfb32 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Thu, 30 Sep 2021 06:20:30 +0000 Subject: [PATCH 77/91] add depends_on for mssqlvm --- modules/compute/virtual_machine/mssql_vm.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf index 8092fc1abb..fa73f5f8af 100644 --- a/modules/compute/virtual_machine/mssql_vm.tf +++ b/modules/compute/virtual_machine/mssql_vm.tf @@ -3,6 +3,10 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { for key, value in try(var.settings.virtual_machine_settings, {}) : key => value if try(value.mssql_settings, null) != null } + + depends_on = [ + azurerm_virtual_machine_data_disk_attachment.disk + ] virtual_machine_id = local.os_type == "windows" ? try(azurerm_windows_virtual_machine.vm[each.key].id, null) : try(azurerm_linux_virtual_machine.vm[each.key].id, null) sql_license_type = try(each.value.mssql_settings.sql_license_type, null) 
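Review bot: The new `depends_on = [azurerm_virtual_machine_data_disk_attachment.disk]` on `azurerm_mssql_virtual_machine.mssqlvm` carries no explanation, and explicit dependencies are exactly what a later maintainer removes when they look redundant. State the reason above it — my reading is that the SQL IaaS extension configures storage on the attached data disks, so they must exist before it runs; confirm with the author — e.g. `# The SQL IaaS extension lays out storage on the data disks; ensure they are attached before it runs`. The resource body continues after the hunk.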
From d7613899129ce56b3c08287d40f7dae1730471c8 Mon Sep 17 00:00:00 2001 From: lolorol Date: Fri, 1 Oct 2021 05:44:51 +0000 Subject: [PATCH 78/91] Add support for alias and billing_scope_id for MCA --- modules/subscriptions/subscriptions.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/subscriptions/subscriptions.tf b/modules/subscriptions/subscriptions.tf index 56caabbb5e..3f13c5d2f7 100644 --- a/modules/subscriptions/subscriptions.tf +++ b/modules/subscriptions/subscriptions.tf @@ -8,10 +8,10 @@ data "azurerm_billing_enrollment_account_scope" "sub" { resource "azurerm_subscription" "sub" { count = var.subscription_key != "logged_in_subscription" ? 1 : 0 - alias = var.subscription_key + alias = try(var.settings.alias, null) == null ? var.subscription_key : var.settings.alias subscription_name = var.settings.name - subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null - billing_scope_id = try(var.settings.subscription_id, null) == null ? data.azurerm_billing_enrollment_account_scope.sub.0.id : null + subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null + billing_scope_id = try(var.settings.billing_scope_id, null) == null ? data.azurerm_billing_enrollment_account_scope.sub.0.id : var.settings.billing_scope_id workload = try(var.settings.workload, null) } From dbd0a29e955af80b475f2f3f39ded01acad70cf3 Mon Sep 17 00:00:00 2001 From: Jor Seng Date: Wed, 6 Oct 2021 06:58:28 +0000 Subject: [PATCH 79/91] add fix for remote vnet reference in network fule --- modules/databases/mssql_server/server.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/databases/mssql_server/server.tf b/modules/databases/mssql_server/server.tf index 0c2016d500..6eedbf2816 100755 --- a/modules/databases/mssql_server/server.tf +++ b/modules/databases/mssql_server/server.tf 
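Review bot: `billing_scope_id` still references `data.azurerm_billing_enrollment_account_scope.sub.0.id` when `var.settings.billing_scope_id` is supplied, and the data block's `count` is outside this hunk; for an MCA tenant with no EA enrollment account the data lookup itself fails if that count is not also guarded on `billing_scope_id`, so please confirm it is. The argument deserves a comment since it is the only MCA/EA switch in the resource: `# MCA: caller passes the billing profile / invoice section scope; EA: resolved from the enrollment account`. Separately, the untouched `subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null` reduces to `subscription_id = try(var.settings.subscription_id, null)`. The resource starts before the hunk.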
@@ -44,7 +44,11 @@ resource "azurerm_mssql_virtual_network_rule" "network_rules" { name = each.value.name server_id = azurerm_mssql_server.mssql.id - subnet_id = try(each.value.subnet_id, var.vnets[try(var.client_config.landingzone_key, each.value.lz_key)][each.value.vnet_key].subnets[each.value.subnet_key].id) + subnet_id = coalesce( + try(each.value.subnet_id, null), + try(var.vnets[each.value.lz_key][each.value.vnet_key].subnets[each.value.subnet_key].id, null), + try(var.vnets[var.client_config.landingzone_key][each.value.vnet_key].subnets[each.value.subnet_key].id, null) + ) } resource "azurecaf_name" "mssql" { From 2669e71afb70d0cd1e285f6dd51c0469347426de Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 6 Oct 2021 11:25:55 +0000 Subject: [PATCH 80/91] Adding lifecycles --- modules/compute/virtual_machine/mssql_vm.tf | 2 +- .../virtual_machine/network_interface.tf | 4 +- modules/compute/virtual_machine/vm_disk.tf | 6 +- modules/compute/virtual_machine/vm_legacy.tf | 102 +++++++++--------- modules/compute/virtual_machine/vm_linux.tf | 2 +- modules/compute/virtual_machine/vm_windows.tf | 2 +- modules/netapp/account.tf | 4 + modules/netapp/pool/pool.tf | 4 + modules/netapp/volume/volume.tf | 4 + .../private_endpoint/private_endpoint.tf | 6 ++ .../private_endpoint/private_endpoint.tf | 5 + 11 files changed, 83 insertions(+), 58 deletions(-) diff --git a/modules/compute/virtual_machine/mssql_vm.tf b/modules/compute/virtual_machine/mssql_vm.tf index fa73f5f8af..2948adfa15 100644 --- a/modules/compute/virtual_machine/mssql_vm.tf +++ b/modules/compute/virtual_machine/mssql_vm.tf @@ -3,7 +3,7 @@ resource "azurerm_mssql_virtual_machine" "mssqlvm" { for key, value in try(var.settings.virtual_machine_settings, {}) : key => value if try(value.mssql_settings, null) != null } - + depends_on = [ azurerm_virtual_machine_data_disk_attachment.disk ] 
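Review bot: The third `coalesce` argument makes a remote reference fail open: when `lz_key` is set but `vnet_key`/`subnet_key` do not exist in that landing zone, the `try` yields null and the rule silently binds to a same-named subnet in the local landing zone, opening the SQL server firewall to a network the author did not name. Choose the landing zone once and let a missing key error out instead: replace the last two arguments with `try(var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id, null)`, keeping `coalesce` so a fully unresolved rule still fails the plan. The resource body begins before this hunk.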
diff --git a/modules/compute/virtual_machine/network_interface.tf b/modules/compute/virtual_machine/network_interface.tf index 5a8b3aa552..eb61ef775d 100755 --- a/modules/compute/virtual_machine/network_interface.tf +++ b/modules/compute/virtual_machine/network_interface.tf @@ -40,7 +40,9 @@ resource "azurecaf_name" "nic" { resource "azurerm_network_interface" "nic" { for_each = var.settings.networking_interfaces - + lifecycle { + ignore_changes = [resource_group_name, location] + } name = azurecaf_name.nic[each.key].result location = var.location resource_group_name = var.resource_group_name diff --git a/modules/compute/virtual_machine/vm_disk.tf b/modules/compute/virtual_machine/vm_disk.tf index 2106f9339b..2d9e02d5de 100755 --- a/modules/compute/virtual_machine/vm_disk.tf +++ b/modules/compute/virtual_machine/vm_disk.tf @@ -8,13 +8,13 @@ resource "azurecaf_name" "disk" { clean_input = true passthrough = var.global_settings.passthrough use_slug = var.global_settings.use_slug - + lifecycle { ignore_changes = [ name ] } - + } resource "azurerm_managed_disk" "disk" { @@ -31,7 +31,7 @@ resource "azurerm_managed_disk" "disk" { disk_mbps_read_write = try(each.value.disk.disk_mbps_read_write, null) tags = local.tags disk_encryption_set_id = try(each.value.disk_encryption_set_key, null) == null ? null : var.disk_encryption_sets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.disk_encryption_set_key].id - + lifecycle { ignore_changes = [ name diff --git a/modules/compute/virtual_machine/vm_legacy.tf b/modules/compute/virtual_machine/vm_legacy.tf index c85828a3e0..17f846b230 100644 --- a/modules/compute/virtual_machine/vm_legacy.tf +++ b/modules/compute/virtual_machine/vm_legacy.tf 
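Review bot: The `lifecycle` block on `azurerm_network_interface.nic` sits between `for_each` and `name`, whereas `azurerm_managed_disk.disk` in the same change keeps `lifecycle` after its arguments; move it to the end of the resource for consistency and give it the reason it currently lacks, e.g. `# ignored so re-pointing the VM at a remote landing zone's resource group does not recreate the NIC (presumably to keep its private IP / MAC stable - confirm)`. A recreated NIC would typically get a new dynamic private IP, which matters wherever that address is allow-listed, so the suppression is defensible but should be stated. The resource body continues outside the hunk.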
@@ -29,21 +29,21 @@ resource "azurecaf_name" "legacy_computer_name" { resource "azurerm_virtual_machine" "vm" { for_each = local.os_type == "legacy" ? var.settings.virtual_machine_settings : {} - name = each.value.name - location = var.location - resource_group_name = var.resource_group_name - vm_size = each.value.size - network_interface_ids = local.nic_ids - zones = try([each.value.zones], null) - tags = merge(local.tags, try(each.value.tags, null)) - delete_os_disk_on_termination = try(each.value.delete_os_disk_on_termination, null) + name = each.value.name + location = var.location + resource_group_name = var.resource_group_name + vm_size = each.value.size + network_interface_ids = local.nic_ids + zones = try([each.value.zones], null) + tags = merge(local.tags, try(each.value.tags, null)) + delete_os_disk_on_termination = try(each.value.delete_os_disk_on_termination, null) delete_data_disks_on_termination = try(each.value.delete_data_disks_on_termination, null) # dynamic os_profile { - computer_name = azurecaf_name.legacy_computer_name[each.key].result - admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username - admin_password = try(each.value.admin_password_key, null) == null ? random_password.legacy[local.os_type].result : local.admin_password + computer_name = azurecaf_name.legacy_computer_name[each.key].result + admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username + admin_password = try(each.value.admin_password_key, null) == null ? random_password.legacy[local.os_type].result : local.admin_password } # os_profile_secrets 
@@ -53,13 +53,13 @@ resource "azurerm_virtual_machine" "vm" { content { disable_password_authentication = try(each.value.os_profile_linux_config.disable_password_authentication, true) - + dynamic "ssh_keys" { for_each = each.value.os_profile_linux_config.disable_password_authentication == false ? [] : [1] content { - key_data = local.create_sshkeys ? tls_private_key.ssh[each.key].public_key_openssh : file(var.settings.public_key_pem_file) - path = "/home/${each.value.admin_username}/.ssh/authorized_keys" + key_data = local.create_sshkeys ? tls_private_key.ssh[each.key].public_key_openssh : file(var.settings.public_key_pem_file) + path = "/home/${each.value.admin_username}/.ssh/authorized_keys" } } } 
@@ -83,63 +83,63 @@ resource "azurerm_virtual_machine" "vm" { } } } - + dynamic "os_profile_windows_config" { for_each = try(each.value.os_profile_windows_config, null) == null ? [] : [1] content { - provision_vm_agent = try(each.value.os_profile_windows_config.provision_vm_agent, null) + provision_vm_agent = try(each.value.os_profile_windows_config.provision_vm_agent, null) enable_automatic_upgrades = try(each.value.os_profile_windows_config.enable_automatic_upgrades, null) - timezone = try(each.value.os_profile_windows_config.timezone, null) - + timezone = try(each.value.os_profile_windows_config.timezone, null) + dynamic "winrm" { - for_each = { - for key, value in try(each.value.os_profile_windows_config.winrm, {}) : key => value + for_each = { + for key, value in try(each.value.os_profile_windows_config.winrm, {}) : key => value } content { - protocol = winrm.value.protocol + protocol = winrm.value.protocol certificate_url = try(winrm.value.certificate_url, null) } } dynamic "additional_unattend_config" { - for_each = { + for_each = { for key, value in try(each.value.os_profile_windows_config.additional_unattend_config, {}) : key => value } content { - pass = additional_unattend_config.value.pass - component = additional_unattend_config.value.component + pass = additional_unattend_config.value.pass + component = additional_unattend_config.value.component setting_name = additional_unattend_config.value.setting_name - content = additional_unattend_config.value.content + content = additional_unattend_config.value.content } } } } - availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) + availability_set_id = try(var.availability_sets[var.client_config.landingzone_key][each.value.availability_set_key].id, var.availability_sets[each.value.availability_sets].id, null) dynamic "boot_diagnostics" { for_each = 
try(var.boot_diagnostics_storage_account != null ? [1] : var.global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics == true ? [1] : [], []) content { storage_uri = var.boot_diagnostics_storage_account == "" ? null : var.boot_diagnostics_storage_account - enabled = true + enabled = true } } dynamic "additional_capabilities" { for_each = try(each.value.additional_capabilities, null) == null ? [] : [1] - content { - ultra_ssd_enabled = each.value.additional_capabilities.ultra_ssd_enabled - } - + content { + ultra_ssd_enabled = each.value.additional_capabilities.ultra_ssd_enabled + } + } - proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) + proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) storage_os_disk { caching = try(each.value.os_disk.caching, null) 
@@ -147,22 +147,22 @@ resource "azurerm_virtual_machine" "vm" { name = try(each.value.os_disk.name, null) write_accelerator_enabled = try(each.value.os_disk.write_accelerator_enabled, false) create_option = each.value.os_disk.create_option - image_uri = try("${each.value.storage_image_reference.publisher}:${each.value.storage_image_reference.offer}:${each.value.storage_image_reference.sku}:${each.value.storage_image_reference.version}", null) - os_type = try(each.value.os_disk.operating_system, null) - managed_disk_id = try(each.value.os_disk.managed_disk_id, null) - managed_disk_type = try(each.value.os_disk.managed_disk_type, null) - vhd_uri = try(each.value.os_disk.vhd_uri, null) + image_uri = try("${each.value.storage_image_reference.publisher}:${each.value.storage_image_reference.offer}:${each.value.storage_image_reference.sku}:${each.value.storage_image_reference.version}", null) + os_type = try(each.value.os_disk.operating_system, null) + managed_disk_id = try(each.value.os_disk.managed_disk_id, null) + managed_disk_type = try(each.value.os_disk.managed_disk_type, null) + vhd_uri = try(each.value.os_disk.vhd_uri, null) } dynamic "storage_image_reference" { for_each = try(each.value.storage_image_reference, false) == false ? 
[] : [1] content { - publisher = try(each.value.storage_image_reference.publisher, null) - offer = try(each.value.storage_image_reference.offer, null) - sku = try(each.value.storage_image_reference.sku, null) - version = try(each.value.storage_image_reference.version, null) - id = try(each.value.storage_image_reference.custom_image_id, var.custom_image_ids[each.value.lz_key][each.value.custom_image_key].id, null) + publisher = try(each.value.storage_image_reference.publisher, null) + offer = try(each.value.storage_image_reference.offer, null) + sku = try(each.value.storage_image_reference.sku, null) + version = try(each.value.storage_image_reference.version, null) + id = try(each.value.storage_image_reference.custom_image_id, var.custom_image_ids[each.value.lz_key][each.value.custom_image_key].id, null) } } @@ -181,15 +181,15 @@ resource "azurerm_virtual_machine" "vm" { for key, value in try(var.settings.storage_data_disk, {}) : key => value } content { - name = storage_data_disk.value.name - caching = try(storage_data_disk.value.caching, null) - create_option = storage_data_disk.value.create_option - disk_size_gb = try(storage_data_disk.value.disk_size_gb) - lun = storage_data_disk.value.lun + name = storage_data_disk.value.name + caching = try(storage_data_disk.value.caching, null) + create_option = storage_data_disk.value.create_option + disk_size_gb = try(storage_data_disk.value.disk_size_gb) + lun = storage_data_disk.value.lun write_accelerator_enabled = try(storage_data_disk.value.write_accelerator_enabled, null) - managed_disk_type = try(storage_data_disk.value.managed_disk_type, null) - managed_disk_id = try(storage_data_disk.value.managed_disk_id, null) - vhd_uri = try(storage_data_disk.value.vhd_uri, null) + managed_disk_type = try(storage_data_disk.value.managed_disk_type, null) + managed_disk_id = try(storage_data_disk.value.managed_disk_id, null) + vhd_uri = try(storage_data_disk.value.vhd_uri, null) } } 
@@ -207,7 +207,7 @@ resource "azurerm_virtual_machine" "vm" { lifecycle { ignore_changes = [ - storage_os_disk[0].name + resource_group_name, location, os_disk[0].name ] } diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index ebc5d98117..d4adce3e27 100755 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -148,7 +148,7 @@ resource "azurerm_linux_virtual_machine" "vm" { lifecycle { ignore_changes = [ - os_disk[0].name + resource_group_name, location, os_disk[0].name ] } diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index ea7991f87a..f804b1c277 100755 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf @@ -185,7 +185,7 @@ resource "azurerm_windows_virtual_machine" "vm" { lifecycle { ignore_changes = [ - os_disk[0].name + resource_group_name, location, os_disk[0].name ] } diff --git a/modules/netapp/account.tf b/modules/netapp/account.tf index e44645af3a..d52f08a15e 100644 --- a/modules/netapp/account.tf +++ b/modules/netapp/account.tf @@ -14,4 +14,8 @@ resource "azurerm_netapp_account" "account" { name = var.settings.name resource_group_name = var.resource_group_name location = var.location + lifecycle { + ignore_changes = [resource_group_name, location] + } + } diff --git a/modules/netapp/pool/pool.tf b/modules/netapp/pool/pool.tf index 3ec40f54fd..e665d9e824 100755 --- a/modules/netapp/pool/pool.tf +++ b/modules/netapp/pool/pool.tf @@ -18,6 +18,10 @@ resource "azurerm_netapp_pool" "pool" { service_level = try(var.settings.service_level, "Standard") size_in_tb = try(var.settings.size_in_tb, 4) tags = merge(var.base_tags, try(var.settings.tags, {})) + lifecycle { + ignore_changes = [resource_group_name, location] + } + } module "volumes" { 
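Review bot: Adding `resource_group_name` and `location` to `ignore_changes` in vm_linux.tf (and the sibling vm_windows, netapp account/pool hunks on this line) hides exactly the drift the remote-RG lookups in PATCH 01 can now produce: if a `resource_group` reference is switched to another landing zone, plan will accept the change silently and leave the VM where it is, and as far as I recall both attributes are replace-on-change on these resources, so the suppressed diff is a replacement, not a cosmetic one. That is a defensible trade-off, but it should be stated next to the block rather than left for the next maintainer to rediscover. Suggest a comment such as `# resource_group_name/location are ignored so that re-pointing the RG reference to a remote landing zone does not force replacement; moving the VM requires a manual migration` and a matching entry in UPGRADE.md. The enclosing `resource "azurerm_linux_virtual_machine" "vm"` block starts outside the hunk.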
diff --git a/modules/netapp/volume/volume.tf b/modules/netapp/volume/volume.tf index dcb12a66e0..57ee11098e 100644 --- a/modules/netapp/volume/volume.tf +++ b/modules/netapp/volume/volume.tf @@ -35,4 +35,8 @@ resource "azurerm_netapp_volume" "volume" { } } tags = var.tags + lifecycle { + ignore_changes = [resource_group_name, location] + } + } diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf index 9b34a433c8..91aebf1f87 100755 --- a/modules/networking/private_endpoint/private_endpoint.tf +++ b/modules/networking/private_endpoint/private_endpoint.tf @@ -32,6 +32,12 @@ resource "azurerm_private_endpoint" "pep" { private_dns_zone_ids = local.private_dns_zone_ids } } + + lifecycle { + ignore_changes = [ + resource_group_name, location + ] + } } locals { diff --git a/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf b/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf index 6be05e7bf3..619383286a 100755 --- a/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf +++ b/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf @@ -34,6 +34,11 @@ resource "azurerm_private_endpoint" "pep" { private_dns_zone_ids = local.private_dns_zone_ids } } + lifecycle { + ignore_changes = [ + resource_group_name, location + ] + } } locals { From e0b9d507297eeb812d08c4573839452fdb471e97 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 6 Oct 2021 11:33:05 +0000 Subject: [PATCH 81/91] VM update --- modules/compute/virtual_machine/vm_legacy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_legacy.tf b/modules/compute/virtual_machine/vm_legacy.tf index 17f846b230..269a8e1659 100644 --- a/modules/compute/virtual_machine/vm_legacy.tf +++ b/modules/compute/virtual_machine/vm_legacy.tf 
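Review bot: The `ignore_changes = [resource_group_name, location]` added to modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf is not removed again by PATCH 82, which does strip the identical block from modules/networking/private_endpoint/private_endpoint.tf, so the two private-endpoint modules end up with different drift behaviour for the same attributes. For a private endpoint, `location` is constrained by the subnet's VNet (the callers in PATCH 82 pass `var.vnet_location` with a comment saying so), so ignoring it means a VNet moved to another region would no longer surface as a plan diff on the endpoint. If the block is intentional, a one-line comment stating why (`# ignored: the endpoint follows the VNet; re-pointing the RG must not replace the NIC/IP`) would keep the two modules from silently diverging; otherwise drop it here too. The enclosing `resource "azurerm_private_endpoint" "pep"` block starts outside the hunk.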
@@ -207,7 +207,7 @@ resource "azurerm_virtual_machine" "vm" { lifecycle { ignore_changes = [ - resource_group_name, location, os_disk[0].name + resource_group_name, location ] } From 317db8df13a0bacb1a953e318b70c41b595224c2 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 7 Oct 2021 11:50:34 +0000 Subject: [PATCH 82/91] Update logic for private endpoints --- main.tf | 4 +- .../private_endpoint/private_endpoint.tf | 5 -- .../subnet/diagnostic_event_hub_namespaces.tf | 26 +++++----- .../subnet/diagnostic_storage_accounts.tf | 26 +++++----- .../endpoints/subnet/eventhub_namespaces.tf | 46 ++++++++++++------ .../endpoints/subnet/keyvaults.tf | 46 ++++++++++++------ .../endpoints/subnet/mssql_servers.tf | 46 ++++++++++++------ .../endpoints/subnet/mysql_servers.tf | 46 ++++++++++++------ .../endpoints/subnet/recovery_vaults.tf | 48 ++++++++++++------- .../endpoints/subnet/redis_cache.tf | 48 ++++++++++++------- .../endpoints/subnet/storage_accounts.tf | 38 ++++++++++----- networking_private_dns.tf | 8 ++-- 12 files changed, 244 insertions(+), 143 deletions(-) diff --git a/main.tf b/main.tf index 6f60ab17d1..1c4ed4b7c0 100755 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.78.0" + version = "~> 2.79.1" } azuread = { source = "hashicorp/azuread" @@ -24,6 +24,8 @@ terraform { } provider "azurerm" { + partner_id = "ca4078f8-9bc4-471b-ab5b-3af6b86a42c8" + # partner identifier for CAF Terraform landing zones. features { template_deployment { delete_nested_items_during_deletion = false diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf index 91aebf1f87..f241f19613 100755 --- a/modules/networking/private_endpoint/private_endpoint.tf +++ b/modules/networking/private_endpoint/private_endpoint.tf 
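Review bot: The fix drops `os_disk[0].name` but does not restore `storage_os_disk[0].name`, which is what this resource ignored before PATCH 80 (the removed line in that patch's hunk at line 207); `azurerm_virtual_machine` declares its OS disk as the `storage_os_disk` block visible in the earlier hunk at line 147, so `os_disk[0].name` was presumably a typo for that and the intent was to keep ignoring the disk name, not to stop. As written, any platform-generated OS disk name will now show up as drift on every plan for legacy VMs. Suggest `resource_group_name, location, storage_os_disk[0].name`. The enclosing resource block starts outside the hunk.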
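Review bot: Hard-coding `partner_id = "ca4078f8-9bc4-471b-ab5b-3af6b86a42c8"` in the root provider block means every consumer of this module sends that attribution GUID on every ARM request, and as far as I recall a value set in the provider block takes precedence over `ARM_PARTNER_ID`, so consumers cannot override or opt out of it. Expose it as an input with this value as the default, e.g. `partner_id = var.partner_id`, and extend the inline comment to say what it is for and how to disable it. The `provider "azurerm"` block continues outside the hunk.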
@@ -33,11 +33,6 @@ resource "azurerm_private_endpoint" "pep" { } } - lifecycle { - ignore_changes = [ - resource_group_name, location - ] - } } locals { diff --git a/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf b/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf index 81534e6888..890046247c 100644 --- a/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf +++ b/modules/networking/private_links/endpoints/subnet/diagnostic_event_hub_namespaces.tf @@ -1,19 +1,15 @@ module "diagnostic_event_hub_namespaces" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.diagnostic_event_hub_namespaces, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.diagnostic_event_hub_namespaces[each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["namespace"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = try(var.private_endpoints.diagnostic_event_hub_namespaces, {}) + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. - base_tags = var.base_tags + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.diagnostic_event_hub_namespaces[each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["namespace"] } \ No newline at end of file 
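Review bot: The new `resource_id` expression in diagnostic_event_hub_namespaces.tf inverts the previous precedence: the removed `coalesce` tried `var.remote_objects.diagnostic_event_hub_namespaces[each.key].id` first and only fell back to `each.value.resource_id`, whereas `can(each.value.resource_id) ? each.value.resource_id : …` now lets a configuration-supplied ARM id override the landing-zone object, which is a behaviour change worth a line in UPGRADE.md since it lets a tfvars file point the endpoint at an arbitrary namespace. `can()` is also true for an attribute that is present but `null`, in which case `null` is passed through instead of falling back. Suggest `resource_id = try(each.value.resource_id, null) != null ? each.value.resource_id : var.remote_objects.diagnostic_event_hub_namespaces[each.key].id` and a comment stating that an explicit `resource_id` wins. The same pattern recurs in the diagnostic_storage_accounts hunk on the next line.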
diff --git a/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf b/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf index 7f6395fc66..691b4f4c5d 100644 --- a/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf +++ b/modules/networking/private_links/endpoints/subnet/diagnostic_storage_accounts.tf @@ -1,19 +1,15 @@ module "diagnostic_storage_account" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.diagnostic_storage_accounts, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.diagnostic_storage_accounts[each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = try(var.private_endpoints.diagnostic_storage_accounts, {}) + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. - base_tags = var.base_tags + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.diagnostic_storage_accounts[each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) } \ No newline at end of file 
diff --git a/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf b/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf index 6ffd4f630b..8865eb28b6 100644 --- a/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf +++ b/modules/networking/private_links/endpoints/subnet/eventhub_namespaces.tf 
@@ -1,20 +1,36 @@ module "event_hub_namespaces" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.event_hub_namespaces, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.event_hub_namespaces[each.value.lz_key][each.key].id, null), - try(var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["namespace"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.event_hub_namespaces, {}) : key => value + if can(value.lz_key) == false + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["namespace"] +} +module "event_hub_namespaces_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.event_hub_namespaces, {}) : key => value + if can(value.lz_key) + } base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. 
+ name = try(each.value.name, each.key) + private_dns = var.private_dns + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + resource_id = var.remote_objects.event_hub_namespaces[each.value.lz_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["namespace"] } \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/subnet/keyvaults.tf b/modules/networking/private_links/endpoints/subnet/keyvaults.tf index 0d621cb085..181e48b358 100644 --- a/modules/networking/private_links/endpoints/subnet/keyvaults.tf +++ b/modules/networking/private_links/endpoints/subnet/keyvaults.tf 
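Review bot: Splitting the module by `can(value.lz_key)` changes the Terraform address of every endpoint that already has an `lz_key`, from `module.event_hub_namespaces["k"]` to `module.event_hub_namespaces_remote["k"]`, so on the next plan those private endpoints are destroyed and recreated (new NIC and private IP, DNS record churn and a connectivity gap) unless the state is moved first. The same applies to the keyvault, mssql, mysql, recovery_vault, redis and storage_account hunks that follow. This should be called out in UPGRADE.md with `terraform state mv` guidance, or handled with `moved` blocks if the minimum Terraform version permits it. A short comment above `module "event_hub_namespaces_remote"` explaining why the remote case is a separate module (the `for_each` must be known at plan time, presumably) would also help the next reader.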
@@ -1,20 +1,36 @@ module "keyvault" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.keyvaults, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.keyvaults[each.value.lz_key][each.key].id, null), - try(var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["vault"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.keyvaults, {}) : key => value + if can(value.lz_key) == false + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["vault"] +} +module "keyvault_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.keyvaults, {}) : key => value + if can(value.lz_key) + } base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. 
+ name = try(each.value.name, each.key) + private_dns = var.private_dns + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + resource_id = var.remote_objects.keyvaults[each.value.lz_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["vault"] } \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/subnet/mssql_servers.tf b/modules/networking/private_links/endpoints/subnet/mssql_servers.tf index 2474698255..6ca66522bf 100644 --- a/modules/networking/private_links/endpoints/subnet/mssql_servers.tf +++ b/modules/networking/private_links/endpoints/subnet/mssql_servers.tf 
@@ -1,20 +1,36 @@ module "mssql_servers" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.mssql_servers, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.mssql_servers[each.value.lz_key][each.key].id, null), - try(var.remote_objects.mssql_servers[var.client_config.landingzone_key][each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["sqlServer"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.mssql_servers, {}) : key => value + if can(value.lz_key) == false + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.mssql_servers[var.client_config.landingzone_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["sqlServer"] +} +module "mssql_servers_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.mssql_servers, {}) : key => value + if can(value.lz_key) + } base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. 
+ name = try(each.value.name, each.key) + private_dns = var.private_dns + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + resource_id = var.remote_objects.mssql_servers[each.value.lz_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["sqlServer"] } \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/subnet/mysql_servers.tf b/modules/networking/private_links/endpoints/subnet/mysql_servers.tf index 72098bef91..320bfc2e6b 100644 --- a/modules/networking/private_links/endpoints/subnet/mysql_servers.tf +++ b/modules/networking/private_links/endpoints/subnet/mysql_servers.tf 
@@ -1,20 +1,36 @@ module "mysql_servers" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.mysql_servers, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.mysql_servers[each.value.lz_key][each.key].id, null), - try(var.remote_objects.mysql_servers[var.client_config.landingzone_key][each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["mysqlServer"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.mysql_servers, {}) : key => value + if can(value.lz_key) == false + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.mysql_servers[var.client_config.landingzone_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["mysqlServer"] +} +module "mysql_servers_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.mysql_servers, {}) : key => value + if can(value.lz_key) + } base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. 
+ name = try(each.value.name, each.key) + private_dns = var.private_dns + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + resource_id = var.remote_objects.mysql_servers[each.value.lz_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["mysqlServer"] } \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf b/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf index 452ee6a827..c5424879d0 100644 --- a/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf +++ b/modules/networking/private_links/endpoints/subnet/recovery_vaults.tf 
@@ -1,20 +1,36 @@ module "recovery_vault" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.recovery_vaults, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.recovery_vaults[each.value.lz_key][each.key].id, null), - try(var.remote_objects.recovery_vaults[var.client_config.landingzone_key][each.key].id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["AzureSiteRecovery"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.recovery_vaults, {}) : key => value + if can(value.lz_key) == false + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.recovery_vaults[var.client_config.landingzone_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["AzureSiteRecovery"] +} +module "recovery_vault_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.recovery_vaults, {}) : key => value + if can(value.lz_key) + } base_tags = var.base_tags -} \ No newline at end of file + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. 
+ name = try(each.value.name, each.key) + private_dns = var.private_dns + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + resource_id = var.remote_objects.recovery_vaults[var.client_config.landingzone_key][each.key].id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["AzureSiteRecovery"] +} diff --git a/modules/networking/private_links/endpoints/subnet/redis_cache.tf b/modules/networking/private_links/endpoints/subnet/redis_cache.tf index 43fe372e71..6a9d568854 100644 --- a/modules/networking/private_links/endpoints/subnet/redis_cache.tf +++ b/modules/networking/private_links/endpoints/subnet/redis_cache.tf 
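Review bot: `module "recovery_vault_remote"` looks the vault up with `var.remote_objects.recovery_vaults[var.client_config.landingzone_key][each.key].id`, i.e. in the local landing zone, even though its `for_each` only selects entries that carry an `lz_key`; every other `_remote` module in this patch indexes by `each.value.lz_key` (see the event_hub_namespaces hunk). The result is either an invalid-index error, or, if a vault with the same key exists locally, a private endpoint silently attached to the wrong vault. Change it to `resource_id = var.remote_objects.recovery_vaults[each.value.lz_key][each.key].id`.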
@@ -1,20 +1,36 @@ module "redis_caches" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.redis_caches, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.redis_caches[each.value.lz_key][each.key].redis_cache.id, null), - try(var.remote_objects.redis_caches[var.client_config.landingzone_key][each.key].redis_cache.id, null), - try(each.value.resource_id, null) - ) - subresource_names = ["redisCache"] - subnet_id = var.subnet_id - private_dns = var.private_dns + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.redis_caches, {}) : key => value + if can(value.lz_key) == false + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. name = try(each.value.name, each.key) + private_dns = var.private_dns resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) - location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. - base_tags = var.base_tags + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.redis_caches[var.client_config.landingzone_key][each.key].redis_cache.id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["redisCache"] } +module "redis_caches_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.redis_caches, {}) : key => value + if can(value.lz_key) + } + base_tags = var.base_tags + client_config = var.client_config + global_settings = var.global_settings + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. 
+ name = try(each.value.name, each.key) + private_dns = var.private_dns + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + resource_id = var.remote_objects.redis_caches[each.value.lz_key][each.key].redis_cache.id + settings = each.value + subnet_id = var.subnet_id + subresource_names = ["redisCache"] +} \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/subnet/storage_accounts.tf b/modules/networking/private_links/endpoints/subnet/storage_accounts.tf index 301e2017ee..34a80b6a65 100644 --- a/modules/networking/private_links/endpoints/subnet/storage_accounts.tf +++ b/modules/networking/private_links/endpoints/subnet/storage_accounts.tf 
@@ -1,15 +1,31 @@ module "storage_account" { - source = "../private_endpoint" - for_each = try(var.private_endpoints.storage_accounts, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - resource_id = coalesce( - try(var.remote_objects.storage_accounts[each.value.lz_key][each.key].id, null), - try(var.remote_objects.storage_accounts[var.client_config.landingzone_key][each.key].id, null), - try(each.value.resource_id, null) - ) + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.storage_accounts, {}) : key => value + if can(value.lz_key) == false + } + global_settings = var.global_settings + client_config = var.client_config + settings = each.value + resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.storage_accounts[var.client_config.landingzone_key][each.key].id + subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) + subnet_id = var.subnet_id + private_dns = var.private_dns + name = try(each.value.name, each.key) + resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name) + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + base_tags = var.base_tags +} +module "storage_account_remote" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.storage_accounts, {}) : key => value + if can(value.lz_key) + } + global_settings = var.global_settings + client_config = var.client_config + settings = each.value + resource_id = var.remote_objects.storage_accounts[each.value.lz_key][each.key].id subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["blob"])) subnet_id = var.subnet_id private_dns = var.private_dns 
diff --git a/networking_private_dns.tf b/networking_private_dns.tf index d9c1d40e92..09922e843a 100644 --- a/networking_private_dns.tf +++ b/networking_private_dns.tf @@ -24,13 +24,13 @@ output "private_dns" { # module "private_dns_vnet_links" { - source = "./modules/networking/private_dns_vnet_link" - for_each = try(local.networking.private_dns_vnet_links, {}) - depends_on = [module.private_dns] + source = "./modules/networking/private_dns_vnet_link" + for_each = try(local.networking.private_dns_vnet_links, {}) + depends_on = [module.private_dns] base_tags = {} global_settings = local.global_settings - client_config = local.client_config + client_config = local.client_config virtual_network_id = coalesce( try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].id, null), try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].id, null) From 09235385f25b21715135305ff985fde909c1b445 Mon Sep 17 00:00:00 2001 From: lolorol Date: Thu, 7 Oct 2021 14:38:00 +0000 Subject: [PATCH 83/91] Patch vnet peering to vhub cross sub and tenant --- UPGRADE.md | 42 ++++++++++++++++++++++++++++ main.tf | 11 +++++++- networking_virtual_hub_connection.tf | 2 ++ variables.tf | 5 ++++ 4 files changed, 59 insertions(+), 1 deletion(-) diff --git a/UPGRADE.md b/UPGRADE.md index c82ac2061c..c86161575a 100644 --- a/UPGRADE.md +++ b/UPGRADE.md 
@@ -2,6 +2,48 @@
 When ugrading to a newer version of the CAF module, some configuration structures must be updated before applying the modifications.
+## 5.4.3 to 5.4.4
+
+### virtual_hub_connections
+There is a requirement for the virtual hub connection to work cross susbcriptions and cross tenant to have the azurerm provider to be connected to the virtual hub. In this release we are adding an alias to the azurerm provider to support the peering cross-subscriptions.
+
+Limitations - Only one virtual hub can be targeted per deployed. If you need to peer to different virtual hubs, split the peering into different deployemnts.
+
+```hcl
+# Before
+
+virtual_hub_connections = {
+ vnet_to_dev = {
+ name = "vnet-it-dna-artemis-dev-TO-dev"
+ virtual_hub = {
+ lz_key = "connectivity_virtual_hub_dev"
+ key = "dev"
+ }
+ vnet = {
+ vnet_key = "vnet"
+ }
+ }
+}
+
+# To move to 5.4.4
+virtual_hub_lz_key = "connectivity_virtual_hub_dev"
+
+virtual_hub_connections = {
+ vnet_to_dev = {
+ name = "vnet-dev-TO-vhub_dev"
+ virtual_hub = {
+ lz_key = "connectivity_virtual_hub_dev"
+ key = "dev"
+ }
+ vnet = {
+ vnet_key = "vnet"
+ }
+ }
+}
+
+
+```
+
 ## 5.4.0
 Upgrade to 5.4.0 includes support azurerm 2.64.0 provider and implements the following changes:
diff --git a/main.tf b/main.tf
index 6f60ab17d1..cb355d27e4 100755
--- a/main.tf
+++ b/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.78.0"
+ version = "~> 2.79.0"
 }
 azuread = {
 source = "hashicorp/azuread"
@@ -31,6 +31,15 @@ provider "azurerm" {
 }
 }
+provider "azurerm" {
+ alias = "vhub"
+ skip_provider_registration = true
+ features {}
+ subscription_id = can(var.tfstates[var.virtual_hub_lz_key].subscription_id) ? var.tfstates[var.virtual_hub_lz_key].subscription_id : local.client_config.subscription_id
+ tenant_id = can(var.tfstates[var.virtual_hub_lz_key].tenant_id) ? var.tfstates[var.virtual_hub_lz_key].tenant_id : local.client_config.tenant_id
+}
+
+
 data "azurerm_subscription" "primary" {}
 data "azurerm_client_config" "current" {}
diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf
index e62d03f8bd..49d8f08a9e 100644
--- a/networking_virtual_hub_connection.tf
+++ b/networking_virtual_hub_connection.tf
@@ -15,6 +15,8 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" {
 depends_on = [azurerm_virtual_hub_route_table.route_table, module.azurerm_firewalls]
 for_each = local.networking.virtual_hub_connections
+ provider = azurerm.vhub
+
 name = each.value.name
 virtual_hub_id = local.azurerm_virtual_hub_connection[each.key].virtual_hub_id
 remote_virtual_network_id = coalesce(
diff --git a/variables.tf b/variables.tf
index 4e7f5f9204..ae5056070e 100755
--- a/variables.tf
+++ b/variables.tf
@@ -220,6 +220,11 @@ variable "networking" {
 default = {}
 }
+variable "virtual_hub_lz_key" {
+ description = "Key name of the landinzone when the virtual hub is deployed. Required when peering in multi-subscription and/or different Azure AD tenants."
+ default = null
+}
+
 ## Security variables
 variable "security" {
 description = "Configuration object - security resources"
From 6892f239b058ae8e355f61a75cac875c07e0f64d Mon Sep 17 00:00:00 2001
From: Jor Seng
Date: Tue, 12 Oct 2021 04:24:27 +0000
Subject: [PATCH 84/91] add lifecycle for vnet peering
---
 networking.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/networking.tf b/networking.tf
index 9cd3a67fea..368a981ac6 100755
--- a/networking.tf
+++ b/networking.tf
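Review bot: The new `azurerm.vhub` provider falls back silently to `local.client_config.subscription_id` and `tenant_id` whenever `var.tfstates[var.virtual_hub_lz_key]` lacks those attributes, so a mistyped `virtual_hub_lz_key` makes `azurerm_virtual_hub_connection.vhub_connection` — which now sets `provider = azurerm.vhub` in the networking_virtual_hub_connection.tf hunk — run against the local subscription rather than fail; a `validation` block on the variable, or at least a comment above `subscription_id` such as `# Falls back to the local landing zone context when virtual_hub_lz_key is null or its tfstate has no subscription_id/tenant_id.`, would make that visible. The alias reuses the ambient provider credentials against a different `tenant_id`, which presumably requires those credentials to be authorised in that tenant; the `virtual_hub_lz_key` description in the variables.tf hunk is the natural place to state that, and it also has "landinzone" for "landingzone". The provider block is complete in the hunk; the resource it is attached to starts before its hunk.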
@@ -124,6 +124,14 @@ resource "azurerm_virtual_network_peering" "peering" {
 allow_forwarded_traffic = try(each.value.allow_forwarded_traffic, false)
 allow_gateway_transit = try(each.value.allow_gateway_transit, false)
 use_remote_gateways = try(each.value.use_remote_gateways, false)
+
+ lifecycle {
+ ignore_changes = [
+ remote_virtual_network_id,
+ resource_group_name,
+ virtual_network_name
+ ]
+ }
 }
 #
From b16c6cc6de86c07bdbd4e68cc3e7fc91a7f6568a Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Tue, 12 Oct 2021 04:26:48 +0000
Subject: [PATCH 85/91] Update for logged_in_app data source
---
 main.tf | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 9d777c7886..ed0f1cfa04 100755
--- a/main.tf
+++ b/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.79.1"
+ version = "~> 2.80.0"
 }
 azuread = {
 source = "hashicorp/azuread"
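Review bot: `ignore_changes` on `remote_virtual_network_id`, `resource_group_name` and `virtual_network_name` means a peering whose remote network is changed out-of-band, or whose configuration is later re-pointed, is neither reported nor corrected by `terraform plan`, which removes the drift signal on a network-boundary resource. The hunk gives no rationale, so a comment above `lifecycle` is needed, e.g. `# ignore_changes suppresses replacement when these values are re-keyed; drift in remote_virtual_network_id is NOT detected or repaired here.`; if the goal is presumably just to avoid recreating the peering on a key rename, narrowing the list to the attribute that actually churns limits the blind spot. `resource "azurerm_virtual_network_peering" "peering"` starts before the hunk.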
@@ -53,8 +53,16 @@ data "azurerm_client_config" "current" {}
 # 2 - deploying a landing zone or a solution from vscode
 # Step 1 has been executed. The rover is still connected to a logged in user azure session. The rover use the user's credentials to connect the default azure subscription to identity the storage account and the keyvault holding the tfstate and the launchpad_app_level0 credentials. The rover set the terraform ARM_* variables to change the terraform provider Azure context (client id, secret, tenant and subscription). The logged_aad_app_objectId is set to the launchpad_app_level0's client_id. Note in that scenario the azure session does not change. Meaning when terraform execute some local execution scripts they are executed in the context of the logged_in_user and not the azure ad application. To simulate from vscode the execution of a local exec with the launchpad_app_level0 credentials, the rover must be executed with the parameter --impersonate (cannot be used during the launchpad initial deployment and destruciton)
+# If you are runnign the module as standalone, with a service principal:
+# Set the security context for Azure Terraform providers:
+
+# session=$(az account show --sdk-auth -o json 2> /dev/null)
+# export ARM_CLIENT_ID=$(echo $session | jq -r .clientId)
+# export ARM_CLIENT_SECRET=$(echo $session | jq -r .clientSecret)
+# export ARM_TENANT_ID=$(echo $session | jq -r .tenantId)
+# export ARM_SUBSCRIPTION_ID=$(echo $session | jq -r .subscriptionId)
 data "azuread_service_principal" "logged_in_app" {
- count = try(data.azurerm_client_config.current.object_id, null) == null ? 1 : 0
+ count = var.logged_aad_app_objectId == null ? 0 : 1
 application_id = data.azurerm_client_config.current.client_id
 }
From a5c7790e5ac763c3fe0df09e6fc711f5221cba48 Mon Sep 17 00:00:00 2001
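Review bot: `count` on `data.azuread_service_principal.logged_in_app` is now driven by `var.logged_aad_app_objectId`, but `application_id` still comes from `data.azurerm_client_config.current.client_id`, so the data source is enabled by one identity attribute and looked up by another; if they can ever refer to different principals the lookup silently resolves the wrong one, and a line such as `# logged_aad_app_objectId must belong to the same app as client_config.current.client_id` (or a precondition comparing the two) would pin the assumption. The added shell snippet exports `ARM_CLIENT_SECRET` from `az account show --sdk-auth` into the environment; a sentence noting that the secret then lives in the shell environment and history and should not be persisted would help operators handle it appropriately. "runnign" in the new comment should be "running" ("destruciton" in the context line is also misspelled).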
From: Arnaud Lheureux
Date: Tue, 12 Oct 2021 04:59:47 +0000
Subject: [PATCH 86/91] Adding aks_registration_preview feature registration for azurerm 2.80
---
 modules/compute/aks/aks.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf
index 20ecfd5292..ac45316429 100644
--- a/modules/compute/aks/aks.tf
+++ b/modules/compute/aks/aks.tf
@@ -35,10 +35,19 @@ resource "azurecaf_name" "rg_node" {
 use_slug = var.global_settings.use_slug
 }
+
+# Needed as introduced in >2.79.1 - https://github.com/hashicorp/terraform-provider-azurerm/issues/13585
+ resource "null_resource" "aks_registration_preview" {
+ provisioner "local-exec" {
+ command = "az feature register --namespace Microsoft.ContainerService -n AutoUpgradePreview"
+ }
+}
 ### AKS cluster resource
 resource "azurerm_kubernetes_cluster" "aks" {
-
+ depends_on = [
+ null_resource.aks_registration_preview
+ ]
 name = azurecaf_name.aks.result
 location = var.resource_group.location
 resource_group_name = var.resource_group.name
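Review bot: `null_resource.aks_registration_preview` has no `triggers`, so the `local-exec` runs once per state and is never re-run, and `az feature register` is asynchronous — it returns before the feature reaches the Registered state — so the new `depends_on` on `azurerm_kubernetes_cluster.aks` does not guarantee the cluster create sees the feature; the command also runs under whatever `az` login the host has, not the provider's identity, so it can succeed against the wrong subscription without a plan error. Those caveats belong in a comment next to the existing `# Needed as introduced in >2.79.1` line, e.g. `# One-shot: runs with the local az CLI session (not the provider identity); registration is asynchronous and may need re-running if the AKS create fails.`, and a `triggers` map keyed on the target subscription would at least re-run it per subscription. Since this executes a privileged CLI command from inside the module, documenting it as an operator prerequisite instead may be easier to audit. `resource "azurerm_kubernetes_cluster" "aks"` continues past the hunk.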
@@ -0,0 +1,9 @@
+
+module "diagnostics" {
+ source = "../../diagnostics"
+ count = lookup(var.settings, "diagnostic_profiles", null) == null ? 0 : 1
+
+ resource_id = azurerm_postgresql_server.postgresql.id
+ diagnostics = var.diagnostics
+ profiles = var.settings.diagnostic_profiles
+}
\ No newline at end of file
diff --git a/modules/databases/postgresql_server/variables.tf b/modules/databases/postgresql_server/variables.tf
index a8f90a50b4..a53436dc84 100755
--- a/modules/databases/postgresql_server/variables.tf
+++ b/modules/databases/postgresql_server/variables.tf
@@ -27,4 +27,6 @@ variable "base_tags" {
 variable "private_dns" {
 default = {}
 }
-
+variable "diagnostics" {
+ default = {}
+}
\ No newline at end of file
diff --git a/postgresql_servers.tf b/postgresql_servers.tf
index 0909e14538..844dfe94c5 100755
--- a/postgresql_servers.tf
+++ b/postgresql_servers.tf
@@ -24,4 +24,5 @@ module "postgresql_servers" {
 resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups
 base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {}
 private_dns = local.combined_objects_private_dns
+ diagnostics = local.combined_diagnostics
 }
\ No newline at end of file
From 37cd7db87742520fb05101a85093caff459eb251 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Tue, 12 Oct 2021 06:18:52 +0000
Subject: [PATCH 88/91] Adding diagnostics for mysql
---
 modules/databases/postgresql_server/diagnostics.tf | 1 +
 mysql_servers.tf | 1 +
 2 files changed, 2 insertions(+)
diff --git a/modules/databases/postgresql_server/diagnostics.tf b/modules/databases/postgresql_server/diagnostics.tf
index 8c35e4a470..a09bbd2c18 100755
--- a/modules/databases/postgresql_server/diagnostics.tf
+++ b/modules/databases/postgresql_server/diagnostics.tf
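Review bot: The new `modules/databases/postgresql_server/diagnostics.tf` ends without a trailing newline (the `\ No newline at end of file` marker), and the variables.tf and postgresql_servers.tf hunks in the same commit do likewise; adding the newline now avoids `terraform fmt` churn in later diffs. The new `variable "diagnostics"` has neither `description` nor `type`; `description = "Diagnostics settings object passed through to the diagnostics module."` would document what the root module is expected to supply. Both the module call and the variable block are complete in their hunks.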
@@ -4,6 +4,7 @@ module "diagnostics" {
 count = lookup(var.settings, "diagnostic_profiles", null) == null ? 0 : 1
 resource_id = azurerm_postgresql_server.postgresql.id
+ resource_location = azurerm_postgresql_server.postgresql.location
 diagnostics = var.diagnostics
 profiles = var.settings.diagnostic_profiles
 }
\ No newline at end of file
diff --git a/mysql_servers.tf b/mysql_servers.tf
index 8ce32acd74..1a32155b6d 100755
--- a/mysql_servers.tf
+++ b/mysql_servers.tf
@@ -28,4 +28,5 @@ module "mysql_servers" {
 resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups
 base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {}
 private_dns = local.combined_objects_private_dns
+ diagnostics = local.combined_diagnostics
 }
\ No newline at end of file
From 867fdf2dc5233934f63c8ace5476f4bf36f13006 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Tue, 12 Oct 2021 13:05:44 +0000
Subject: [PATCH 89/91] Revert "Patch vnet peering to vhub cross sub and tenant"
This reverts commit 09235385f25b21715135305ff985fde909c1b445.
---
 UPGRADE.md | 42 ----------------------------
 main.tf | 9 ------
 networking_virtual_hub_connection.tf | 2 --
 variables.tf | 5 ----
 4 files changed, 58 deletions(-)
diff --git a/UPGRADE.md b/UPGRADE.md
index c86161575a..c82ac2061c 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
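Review bot: The `resource_location` addition to the postgresql `module "diagnostics"` call lands in a commit titled "Adding diagnostics for mysql"; the mysql_servers.tf hunk only wires `diagnostics = local.combined_diagnostics` into the root module call, so if the mysql server module (not shown) does not declare a `diagnostics` variable the plan fails with an unsupported argument. Naming the postgresql fix in the subject, or splitting it out, keeps the history searchable. The `module "diagnostics"` block is complete in the hunk.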
@@ -2,48 +2,6 @@
 When ugrading to a newer version of the CAF module, some configuration structures must be updated before applying the modifications.
-## 5.4.3 to 5.4.4
-
-### virtual_hub_connections
-There is a requirement for the virtual hub connection to work cross susbcriptions and cross tenant to have the azurerm provider to be connected to the virtual hub. In this release we are adding an alias to the azurerm provider to support the peering cross-subscriptions.
-
-Limitations - Only one virtual hub can be targeted per deployed. If you need to peer to different virtual hubs, split the peering into different deployemnts.
-
-```hcl
-# Before
-
-virtual_hub_connections = {
- vnet_to_dev = {
- name = "vnet-it-dna-artemis-dev-TO-dev"
- virtual_hub = {
- lz_key = "connectivity_virtual_hub_dev"
- key = "dev"
- }
- vnet = {
- vnet_key = "vnet"
- }
- }
-}
-
-# To move to 5.4.4
-virtual_hub_lz_key = "connectivity_virtual_hub_dev"
-
-virtual_hub_connections = {
- vnet_to_dev = {
- name = "vnet-dev-TO-vhub_dev"
- virtual_hub = {
- lz_key = "connectivity_virtual_hub_dev"
- key = "dev"
- }
- vnet = {
- vnet_key = "vnet"
- }
- }
-}
-
-
-```
-
 ## 5.4.0
 Upgrade to 5.4.0 includes support azurerm 2.64.0 provider and implements the following changes:
diff --git a/main.tf b/main.tf
index ed0f1cfa04..23bfbb0f4c 100755
--- a/main.tf
+++ b/main.tf
@@ -33,15 +33,6 @@ provider "azurerm" {
 }
 }
-provider "azurerm" {
- alias = "vhub"
- skip_provider_registration = true
- features {}
- subscription_id = can(var.tfstates[var.virtual_hub_lz_key].subscription_id) ? var.tfstates[var.virtual_hub_lz_key].subscription_id : local.client_config.subscription_id
- tenant_id = can(var.tfstates[var.virtual_hub_lz_key].tenant_id) ? var.tfstates[var.virtual_hub_lz_key].tenant_id : local.client_config.tenant_id
-}
-
-
 data "azurerm_subscription" "primary" {}
 data "azurerm_client_config" "current" {}
diff --git a/networking_virtual_hub_connection.tf b/networking_virtual_hub_connection.tf
index 49d8f08a9e..e62d03f8bd 100644
--- a/networking_virtual_hub_connection.tf
+++ b/networking_virtual_hub_connection.tf
@@ -15,8 +15,6 @@ resource "azurerm_virtual_hub_connection" "vhub_connection" {
 depends_on = [azurerm_virtual_hub_route_table.route_table, module.azurerm_firewalls]
 for_each = local.networking.virtual_hub_connections
- provider = azurerm.vhub
-
 name = each.value.name
 virtual_hub_id = local.azurerm_virtual_hub_connection[each.key].virtual_hub_id
 remote_virtual_network_id = coalesce(
diff --git a/variables.tf b/variables.tf
index ae5056070e..4e7f5f9204 100755
--- a/variables.tf
+++ b/variables.tf
@@ -220,11 +220,6 @@ variable "networking" {
 default = {}
 }
-variable "virtual_hub_lz_key" {
- description = "Key name of the landinzone when the virtual hub is deployed. Required when peering in multi-subscription and/or different Azure AD tenants."
- default = null
-}
-
 ## Security variables
 variable "security" {
 description = "Configuration object - security resources"
From 26482639fc0dc67d31d33097bec196c73c60241e Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Wed, 13 Oct 2021 01:36:28 +0000
Subject: [PATCH 90/91] Updating upgrade notes
---
 UPGRADE.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/UPGRADE.md b/UPGRADE.md
index c82ac2061c..dd71fb6f76 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -1,7 +1,10 @@
 # Upgrade notes
-When ugrading to a newer version of the CAF module, some configuration structures must be updated before applying the modifications.
+When upgrading to a newer version of the CAF module, some configuration structures must be updated before applying the modifications.
+## 5.4.4
+
+Due to a regression in the Terraform provider >2.78, this update is not capable of cross-tenant, cross-subscriptions peering between vhub and vwans. This is available in 5.4.3 and will be fixed in 5.4.x.
 ## 5.4.0
 Upgrade to 5.4.0 includes support azurerm 2.64.0 provider and implements the following changes:
From 3f6b4b7ec0d501509fb8eae276dc5f2fedd27586 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Wed, 13 Oct 2021 19:00:59 +0800
Subject: [PATCH 91/91] Update UPGRADE.md
---
 UPGRADE.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/UPGRADE.md b/UPGRADE.md
index dd71fb6f76..6334c1de1f 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -4,7 +4,8 @@ When upgrading to a newer version of the CAF module, some configuration structur
 ## 5.4.4
-Due to a regression in the Terraform provider >2.78, this update is not capable of cross-tenant, cross-subscriptions peering between vhub and vwans. This is available in 5.4.3 and will be fixed in 5.4.x.
+Due to a regression in the Terraform provider >2.78, this update is not capable of cross-tenant, cross-subscriptions peering between vhub and vwans. This is available in 5.4.3 and will be fixed in 5.5.0.
+
 ## 5.4.0
 Upgrade to 5.4.0 includes support azurerm 2.64.0 provider and implements the following changes:
@@ -88,4 +89,4 @@ admin_user_key = "vm-win-admin-username"
 by
 ```hcl
 admin_username_key = "vm-win-admin-username"
-```
\ No newline at end of file
+```