From d10aadf472a4596dfc23a4b97239942ab6c4c834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 15:41:14 +0100 Subject: [PATCH 01/60] feat(terraform): upgrade azurerm provider version This commit upgrades the version of the AzureRM provider in our Terraform configuration from 3.114.0 to 4.7.0. The upgrade may introduce new features, improvements, and bug fixes that could enhance our infrastructure management capabilities. Please review any breaking changes or deprecations introduced by this version change to ensure compatibility with existing infrastructure code. --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 62592bce80..840337867f 100644 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.114.0" + version = "~> 4.7.0" configuration_aliases = [ azurerm.vhub ] From 15c1376d0689b198b535633a90ed974d73af40ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 15:42:50 +0100 Subject: [PATCH 02/60] Refactor container registry module: remove unused virtual network dynamic block --- modules/compute/container_registry/registry.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index ca0d8757af..539d025d25 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
@@ -32,14 +32,6 @@ resource "azurerm_container_registry" "acr" { ip_range = ip_rule.value.ip_range } } - dynamic "virtual_network" { - for_each = try(network_rule_set.value.virtual_networks, {}) - - content { - action = "Allow" - subnet_id = can(virtual_network.value.subnet_id) ? virtual_network.value.subnet_id : var.vnets[try(virtual_network.value.lz_key, var.client_config.landingzone_key)][virtual_network.value.vnet_key].subnets[virtual_network.value.subnet_key].id - } - } } } From ed565f421d7e26990ddddc57a5be7d1ebc72ad21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 15:43:20 +0100 Subject: [PATCH 03/60] Refactor locals.tf: add support for random suffix and cognitive services enhancements --- locals.tf | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/locals.tf b/locals.tf index e81350b46f..5124ef8942 100644 --- a/locals.tf +++ b/locals.tf @@ -6,6 +6,14 @@ resource "random_string" "prefix" { numeric = false } +resource "random_string" "suffix" { + count = try(var.global_settings.suffix, null) == null ? 1 : 0 + length = 4 + special = false + upper = false + numeric = false +} + locals { aadb2c = { aadb2c_directory = try(var.aadb2c.aadb2c_directory, {}) 
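Review bot: Removing the `virtual_network` dynamic block means a `network_rule_set.virtual_networks` entry in existing settings is now silently ignored instead of rejected, so a registry that was scoped to specific subnets keeps only its `ip_rule` entries (or no restriction at all) after the provider upgrade, with no plan-time signal. Dropping the block is the right move given the 4.x provider no longer exposes it, but the module should fail loudly: add a `lifecycle { precondition { ... } }` on the resource whose condition rejects any `virtual_networks` key in the network rule set, with an error message pointing callers at private endpoints as the replacement. A one-line note in the module README saying the same would save the next operator a surprise. The enclosing `azurerm_container_registry.acr` resource starts before this hunk.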
@@ -225,11 +233,16 @@ locals { default_region = try(var.global_settings.default_region, "region1") environment = try(var.global_settings.environment, var.environment) inherit_tags = try(var.global_settings.inherit_tags, false) - passthrough = try(var.global_settings.passthrough, false) prefix = try(var.global_settings.prefix, null) - prefix_with_hyphen = try(var.global_settings.prefix_with_hyphen, format("%s-", try(var.global_settings.prefix, try(var.global_settings.prefixes[0], random_string.prefix[0].result)))) - prefixes = try(var.global_settings.prefix, null) == "" ? null : try([var.global_settings.prefix], try(var.global_settings.prefixes, [random_string.prefix[0].result])) + suffix = try(var.global_settings.suffix, null) + prefix_with_hyphen = try(var.global_settings.prefix_with_hyphen, format("%s-", try(var.global_settings.prefix, try(var.global_settings.prefixes[0], random_string.prefix.0.result)))) + prefixes = try(var.global_settings.prefix, null) == "" ? null : try([var.global_settings.prefix], try(var.global_settings.prefixes, [random_string.prefix.0.result])) + suffixes = try(var.global_settings.suffixes, null) == "" ? null : try([var.global_settings.suffix], try(var.global_settings.suffixes, [random_string.suffix.0.result])) random_length = try(var.global_settings.random_length, 0) + random_seed = try(var.global_settings.random_seed, null) + resource_types = try(var.global_settings.resource_types, []) + separator = try(var.global_settings.separator, "-") + passthrough = try(var.global_settings.passthrough, false) regions = try(var.global_settings.regions, null) tags = try(var.global_settings.tags, null) use_slug = try(var.global_settings.use_slug, true) 
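Review bot: The new `suffixes` local guards on `var.global_settings.suffixes == ""` but then reads `var.global_settings.suffix`, so it is not the mirror of the `prefixes` line directly above it: a caller that sets `suffix = ""` gets `[""]` rather than `null`. Make it `suffixes = try(var.global_settings.suffix, null) == "" ? null : try([var.global_settings.suffix], try(var.global_settings.suffixes, [random_string.suffix[0].result]))`. The same hunk also rewrites `random_string.prefix[0].result` to the legacy `.0.` attribute syntax, which current Terraform reports as deprecated; keep the bracket form there and on the `suffix` line. The enclosing `locals` block starts before this hunk.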
@@ -249,6 +262,8 @@ locals { cognitive_services = { cognitive_services_account = try(var.cognitive_services.cognitive_services_account, {}) + cognitive_account_customer_managed_key = try(var.cognitive_services.cognitive_account_customer_managed_key, {}) + cognitive_deployment = try(var.cognitive_services.cognitive_deployment, {}) } search_services = { search_services = try(var.search_services.search_services, {}) From 1a6089cc7c265de1257202a4d03e363213465d1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 15:49:27 +0100 Subject: [PATCH 04/60] refactor(subnet): :recycle: upgrade private_endpoint_network_policies_enabled to private_endpoint_network_policies refact(subnet): upgrade private_endpoint_network_policies_enabled to private_endpoint_network_policies upgrade private_endpoint_network_policies_enabled deprecated, use private_endpoint_network_policies --- .../cd-agents/agents-with-private-endpoints/networking.tfvars | 2 +- modules/networking/virtual_network/module.tf | 4 ++-- modules/networking/virtual_network/subnet/subnet.tf | 2 +- modules/networking/virtual_network/subnet/variables.tf | 4 ++-- networking.tf | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/compute/cd-agents/agents-with-private-endpoints/networking.tfvars b/examples/compute/cd-agents/agents-with-private-endpoints/networking.tfvars index ca924fd2ab..5aa46b0590 100644 --- a/examples/compute/cd-agents/agents-with-private-endpoints/networking.tfvars +++ b/examples/compute/cd-agents/agents-with-private-endpoints/networking.tfvars @@ -51,7 +51,7 @@ virtual_subnets = { vnet = { key = "bootstrap" } - private_endpoint_network_policies_enabled = true + private_endpoint_network_policies = true } } diff --git a/modules/networking/virtual_network/module.tf b/modules/networking/virtual_network/module.tf index ca759c09fb..4bb9f374d0 100644 --- a/modules/networking/virtual_network/module.tf +++ b/modules/networking/virtual_network/module.tf 
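Review bot: In the `networking.tfvars` example the renamed argument is still given a boolean, `private_endpoint_network_policies = true`, but the variable description added in this same patch says the accepted values are `Disabled`, `Enabled`, `NetworkSecurityGroupEnabled` and `RouteTableEnabled`, so the example will be rejected by the provider. The old `private_endpoint_network_policies_enabled = true` maps to `private_endpoint_network_policies = "Enabled"`. Since this example is about agents behind private endpoints, "Enabled" is also the value that keeps the subnet's NSG applying to that traffic, which is presumably what the example intends.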
@@ -50,7 +50,7 @@ module "special_subnets" {
 address_prefixes = lookup(each.value, "cidr", [])
 service_endpoints = lookup(each.value, "service_endpoints", [])
 resource_group_name = local.resource_group_name
- private_endpoint_network_policies_enabled = try(each.value.private_endpoint_network_policies_enabled, each.value.enforce_private_link_endpoint_network_policies, null)
+ private_endpoint_network_policies = try(each.value.private_endpoint_network_policies, each.value.enforce_private_link_endpoint_network_policies, null)
 private_link_service_network_policies_enabled = try(each.value.private_link_service_network_policies_enabled, each.value.enforce_private_link_service_network_policies, null)
 settings = each.value
 }
@@ -65,7 +65,7 @@ module "subnets" {
 address_prefixes = lookup(each.value, "cidr", [])
 service_endpoints = lookup(each.value, "service_endpoints", [])
 virtual_network_name = azurerm_virtual_network.vnet.name
- private_endpoint_network_policies_enabled = try(each.value.private_endpoint_network_policies_enabled, each.value.enforce_private_link_endpoint_network_policies, null)
+ private_endpoint_network_policies = try(each.value.private_endpoint_network_policies, each.value.enforce_private_link_endpoint_network_policies, null)
 private_link_service_network_policies_enabled = try(each.value.private_link_service_network_policies_enabled, each.value.enforce_private_link_service_network_policies, null)
 settings = each.value
 }
diff --git a/modules/networking/virtual_network/subnet/subnet.tf b/modules/networking/virtual_network/subnet/subnet.tf
index ef377099e8..d90825a57d 100644
--- a/modules/networking/virtual_network/subnet/subnet.tf
+++ b/modules/networking/virtual_network/subnet/subnet.tf
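Review bot: In both hunks the new string-valued `private_endpoint_network_policies` still falls back to `each.value.enforce_private_link_endpoint_network_policies`, which is a boolean from the pre-3.x schema and, as far as I recall that schema, carried the inverted meaning (true disabled the policies); passing it through unchanged will either fail provider validation or, if coerced, land on the wrong policy state for every legacy subnet definition. The fallback should translate rather than forward: `private_endpoint_network_policies = try(each.value.private_endpoint_network_policies, (try(each.value.private_endpoint_network_policies_enabled, !each.value.enforce_private_link_endpoint_network_policies) ? "Enabled" : "Disabled"), null)`. Note this also restores support for the `private_endpoint_network_policies_enabled` key that this patch drops from the lookup, which existing tfvars in this repo (see the example in this same series) still use. The `module "special_subnets"` and `module "subnets"` calls both start before their hunks.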
@@ -16,7 +16,7 @@ resource "azurerm_subnet" "subnet" { virtual_network_name = var.virtual_network_name address_prefixes = var.address_prefixes service_endpoints = var.service_endpoints - private_endpoint_network_policies_enabled = try(var.private_endpoint_network_policies_enabled, null) + private_endpoint_network_policies = try(var.private_endpoint_network_policies, null) private_link_service_network_policies_enabled = try(var.private_link_service_network_policies_enabled, null) dynamic "delegation" { diff --git a/modules/networking/virtual_network/subnet/variables.tf b/modules/networking/virtual_network/subnet/variables.tf index 56dd0a9004..b09182e9c1 100644 --- a/modules/networking/virtual_network/subnet/variables.tf +++ b/modules/networking/virtual_network/subnet/variables.tf @@ -12,8 +12,8 @@ variable "address_prefixes" { description = "(Optional) The address prefixes to use for the subnet." default = [] } -variable "private_endpoint_network_policies_enabled" { - description = "(Optional) Enable or Disable network policies for the private endpoint on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true." +variable "private_endpoint_network_policies" { + description = "(Optional) Enable or Disable network policies for the private endpoint on the subnet. Possible values are Disabled, Enabled, NetworkSecurityGroupEnabled and RouteTableEnabled. Defaults to Disabled." nullable = true } variable "private_link_service_network_policies_enabled" { diff --git a/networking.tf b/networking.tf index f906002385..39721f8a46 100644 --- a/networking.tf +++ b/networking.tf 
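Review bot: The renamed `private_endpoint_network_policies` variable documents four allowed strings but enforces nothing, and the example updated in this same patch already passes a boolean, so a bad value is only caught at provider validation time with a less helpful message; a `validation` block pins the contract at the module boundary. The description's "Defaults to Disabled" is also the security-relevant part and deserves one more sentence, since, if I read the provider semantics right, Disabled means the subnet's NSG and route table are not applied to private-endpoint traffic: `# Disabled skips NSG/UDR enforcement for private endpoint NICs; set "Enabled" when the subnet's NSG must govern that traffic.` The variable is declared without a `default`, so with `nullable = true` it remains a required input; that is unchanged here but worth stating in the description.

```hcl
variable "private_endpoint_network_policies" {
  description = "(Optional) Enable or Disable network policies for the private endpoint on the subnet. Possible values are Disabled, Enabled, NetworkSecurityGroupEnabled and RouteTableEnabled. Defaults to Disabled."
  nullable    = true
  validation {
    condition     = var.private_endpoint_network_policies == null ? true : contains(["Disabled", "Enabled", "NetworkSecurityGroupEnabled", "RouteTableEnabled"], var.private_endpoint_network_policies)
    error_message = "private_endpoint_network_policies must be one of Disabled, Enabled, NetworkSecurityGroupEnabled or RouteTableEnabled; booleans from the removed *_enabled argument are not accepted."
  }
}
```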
@@ -72,7 +72,7 @@ module "virtual_subnets" { name = each.value.name address_prefixes = try(each.value.cidr, []) service_endpoints = try(each.value.service_endpoints, []) - private_endpoint_network_policies_enabled = try(each.value.private_endpoint_network_policies_enabled, each.value.enforce_private_link_endpoint_network_policies, null) + private_endpoint_network_policies = try(each.value.private_endpoint_network_policies, each.value.enforce_private_link_endpoint_network_policies, null) private_link_service_network_policies_enabled = try(each.value.private_link_service_network_policies_enabled, each.value.enforce_private_link_service_network_policies, null) resource_group_name = can(each.value.vnet.key) ? local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.key].resource_group_name : split("/", each.value.vnet.id)[4] From d52caa813a5f5d42e3b11f551bf681f63b606fd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:09:12 +0100 Subject: [PATCH 05/60] refactor(storage): replace storage_account_name with storage_share_id Description: This commit replaces the use of `storage_account_name` with `storage_share_id` in the `file_share_directory`, `directory`, and `variables` modules. This change is made to improve the referencing mechanism within these modules. The `storage_share_id` provides a more direct and efficient way to reference the Azure Storage Share, eliminating the need for the `storage_account_name`. --- modules/storage_account/file_share/share_directory.tf | 3 +-- modules/storage_account/file_share_directory/directory.tf | 3 +-- modules/storage_account/file_share_directory/variables.tf | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/modules/storage_account/file_share/share_directory.tf b/modules/storage_account/file_share/share_directory.tf index 5f3310531b..89c8d6dee1 100644 --- a/modules/storage_account/file_share/share_directory.tf 
+++ b/modules/storage_account/file_share/share_directory.tf @@ -1,8 +1,7 @@ module "file_share_directory" { source = "../file_share_directory" for_each = try(var.settings.directories, {}) - - storage_account_name = var.storage_account_name + storage_share_id = azurerm_storage_share.fs.id share_name = azurerm_storage_share.fs.name settings = each.value } \ No newline at end of file diff --git a/modules/storage_account/file_share_directory/directory.tf b/modules/storage_account/file_share_directory/directory.tf index 3119425c6e..196e350a7e 100644 --- a/modules/storage_account/file_share_directory/directory.tf +++ b/modules/storage_account/file_share_directory/directory.tf @@ -1,6 +1,5 @@ resource "azurerm_storage_share_directory" "share_directory" { name = var.settings.name - share_name = var.share_name - storage_account_name = var.storage_account_name + storage_share_id = var.storage_share_id metadata = try(var.settings.metadata, null) } \ No newline at end of file diff --git a/modules/storage_account/file_share_directory/variables.tf b/modules/storage_account/file_share_directory/variables.tf index db1436f686..6037960b39 100644 --- a/modules/storage_account/file_share_directory/variables.tf +++ b/modules/storage_account/file_share_directory/variables.tf @@ -1,3 +1,3 @@ -variable "storage_account_name" {} +variable "storage_share_id" {} variable "share_name" {} variable "settings" {} \ No newline at end of file From 1829b23adeebe5d499ccc0726e2bf460b9fc028e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:09:56 +0100 Subject: [PATCH 06/60] refactor(storage_account): rename https traffic control variable and remove unused variable This commit renames the variable `enable_https_traffic_only` to `https_traffic_only_enabled` in various configuration files, providing a clearer understanding of its function. The change is applied in the nfsv3 and file-share-nfs storage account examples as well as the main storage_account module. Additionally, the unused variable `share_name` has been removed from the `file_share_directory` module's variables. This reduction in code clutter should make the module easier to maintain and understand. Please note that these changes may require updates to any scripts or configurations that reference the old variable names. --- examples/storage_accounts/105-nfsv3/configuration.tfvars | 2 +- .../storage_accounts/108-file-share-nfs/configuration.tfvars | 2 +- modules/storage_account/file_share_directory/variables.tf | 1 - modules/storage_account/storage_account.tf | 2 +- 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/examples/storage_accounts/105-nfsv3/configuration.tfvars b/examples/storage_accounts/105-nfsv3/configuration.tfvars index 7a4157fc2e..75f47dfd56 100644 --- a/examples/storage_accounts/105-nfsv3/configuration.tfvars +++ b/examples/storage_accounts/105-nfsv3/configuration.tfvars 
@@ -20,7 +20,7 @@ storage_accounts = { account_tier = "Standard" #Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy min_tls_version = "TLS1_2" # Possible values are TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_0 for new storage accounts. - #enable_https_traffic_only = false #not needed as toggled automatically when nfsv3_enabled is selected. + #https_traffic_only_enabled = false #not needed as toggled automatically when nfsv3_enabled is selected. is_hns_enabled = true nfsv3_enabled = true diff --git a/examples/storage_accounts/108-file-share-nfs/configuration.tfvars b/examples/storage_accounts/108-file-share-nfs/configuration.tfvars index ab99851203..9b73479e08 100644 --- a/examples/storage_accounts/108-file-share-nfs/configuration.tfvars +++ b/examples/storage_accounts/108-file-share-nfs/configuration.tfvars @@ -19,7 +19,7 @@ storage_accounts = { account_kind = "FileStorage" #Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2 account_tier = "Premium" #Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy - enable_https_traffic_only = false + https_traffic_only_enabled = true tags = { diff --git a/modules/storage_account/file_share_directory/variables.tf b/modules/storage_account/file_share_directory/variables.tf index 6037960b39..e6c99f4797 100644 --- a/modules/storage_account/file_share_directory/variables.tf +++ b/modules/storage_account/file_share_directory/variables.tf @@ -1,3 +1,2 @@ variable "storage_share_id" {} -variable "share_name" {} variable "settings" {} \ No newline at end of file 
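Review bot: In the `108-file-share-nfs` example the rename also flips the value, `enable_https_traffic_only = false` becoming `https_traffic_only_enabled = true`, which is not the mechanical rename the commit message describes. For an NFS file share that is very likely wrong: NFS shares require secure transfer (HTTPS-only) to be off, which is presumably why the original example set it to false, so this example will fail at share creation or mount time. Either restore `https_traffic_only_enabled = false # NFS file shares require secure transfer to be disabled` or, if the flip is deliberate, say so in the commit message.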
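Review bot: Dropping `variable "share_name"` from `file_share_directory/variables.tf` breaks the only caller visible in this series: `modules/storage_account/file_share/share_directory.tf` (patch 05) still passes `share_name = azurerm_storage_share.fs.name`, and that file is not in this patch's file list, so `terraform validate` will reject the module call with an unexpected-argument error. Remove the `share_name = ...` line from the caller in the same commit, or keep the variable declared until it is. While here, `variable "storage_share_id" {}` would read better with `type = string` and a one-line description, matching the documented variables elsewhere in the networking modules.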
diff --git a/modules/storage_account/storage_account.tf b/modules/storage_account/storage_account.tf
index 17701d7039..0e96eb8e89 100644
--- a/modules/storage_account/storage_account.tf
+++ b/modules/storage_account/storage_account.tf
@@ -26,7 +26,7 @@ resource "azurerm_storage_account" "stg" {
 allow_nested_items_to_be_public = try(var.storage_account.allow_nested_items_to_be_public, var.storage_account.allow_blob_public_access, false)
 cross_tenant_replication_enabled = try(var.storage_account.cross_tenant_replication_enabled, null)
 edge_zone = try(var.storage_account.edge_zone, null)
- enable_https_traffic_only = try(var.storage_account.enable_https_traffic_only, true)
+ https_traffic_only_enabled = try(var.storage_account.https_traffic_only_enabled, true)
 infrastructure_encryption_enabled = try(var.storage_account.infrastructure_encryption_enabled, null)
 large_file_share_enabled = try(var.storage_account.large_file_share_enabled, null)
 location = local.location
From 4a9274024fffd024e4849afea3ee872b81b4fbb5 Mon Sep 17 00:00:00 2001
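Review bot: The new `https_traffic_only_enabled` line reads only the new settings key, so any existing caller that still sets `enable_https_traffic_only` silently gets the default `true`; that fails in the secure direction, but it will break NFS-backed accounts that deliberately set it to false, with no warning. Two lines up the module handles exactly this situation for `allow_nested_items_to_be_public` by falling back to the legacy `allow_blob_public_access` key, so be consistent: `https_traffic_only_enabled = try(var.storage_account.https_traffic_only_enabled, var.storage_account.enable_https_traffic_only, true)`. The commit message says callers may need updating, but the module can keep the old key working at no cost. The enclosing `azurerm_storage_account.stg` resource starts before this hunk.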
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:10:48 +0100 Subject: [PATCH 07/60] feat(cognitive_services): enhance Cognitive Services module - Add support for customer managed keys in Cognitive Service Account - Add support for cognitive deployments - Update Cognitive Services account with new optional parameters - Add OpenAI scenario to standalone scenarios - Update Visual Studio Code settings with new scope "subnet" - Refactor private endpoint configuration for Cognitive Services - Remove unused example "101-cognitive-services-account-managed-identity" - Rename and update example "100-cognitive-services-account" to "200-cognitive-services-account-OpenAI" - Add new examples for OpenAI configuration, including VNet and private endpoint configurations - Update local and combined objects for cognitive services This commit introduces several enhancements to the Cognitive Services module, including the ability to configure customer managed keys and cognitive deployments. It also updates the standalone scenarios and Visual Studio Code settings, refactors the private endpoint configuration, and adds new examples for OpenAI configuration. 
--- .github/workflows/standalone-scenarios.json | 1 + .vscode/settings.json | 5 +- cognitive_service.tf | 54 ++++-- .../configuration.tfvars | 33 ++++ .../configuration.tfvars | 37 ++++ .../configuration.tfvars | 71 -------- .../configuration.tfvars | 36 ++-- .../configuration.tfvars | 161 ++++++++++++++++ .../configuration.tfvars | 105 +++++++++++ local.remote_objects.tf | 2 + locals.combined_objects.tf | 2 + .../cognitive_account_customer_managed_key.tf | 5 + .../main.tf | 7 + .../output.tf | 5 + .../variables.tf | 15 ++ .../cognitive_deployment.tf | 29 +++ .../cognitive_deployment/main.tf | 0 .../cognitive_deployment/output.tf | 5 + .../cognitive_deployment/provider.tf | 7 + .../cognitive_deployment/variables.tf | 73 ++++++++ .../cognitive_service_account.tf | 75 +++++--- .../cognitive_services_account/diagnostics.tf | 9 +- .../cognitive_services_account/locals.tf | 19 ++ .../cognitive_services_account/main.tf | 11 +- .../managed_identities.tf | 17 ++ .../cognitive_services_account/output.tf | 28 +-- .../private_endpoint.tf | 21 +++ .../private_endpoints.tf | 20 -- .../cognitive_services_account/variables.tf | 172 +++++++++++++++--- 29 files changed, 827 insertions(+), 198 deletions(-) create mode 100644 examples/cognitive_services/100-cognitive-services-account-CognitiveServices/configuration.tfvars create mode 100644 examples/cognitive_services/100-cognitive-services-account-OpenAI/configuration.tfvars delete mode 100644 examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars rename examples/cognitive_services/{100-cognitive-services-account => 200-cognitive-services-account-OpenAI}/configuration.tfvars (56%) create mode 100644 examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars create mode 100644 examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars create mode 100644 
modules/cognitive_services/cognitive_account_customer_managed_key/cognitive_account_customer_managed_key.tf create mode 100644 modules/cognitive_services/cognitive_account_customer_managed_key/main.tf create mode 100644 modules/cognitive_services/cognitive_account_customer_managed_key/output.tf create mode 100644 modules/cognitive_services/cognitive_account_customer_managed_key/variables.tf create mode 100644 modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf create mode 100644 modules/cognitive_services/cognitive_deployment/main.tf create mode 100644 modules/cognitive_services/cognitive_deployment/output.tf create mode 100644 modules/cognitive_services/cognitive_deployment/provider.tf create mode 100644 modules/cognitive_services/cognitive_deployment/variables.tf create mode 100644 modules/cognitive_services/cognitive_services_account/locals.tf create mode 100644 modules/cognitive_services/cognitive_services_account/managed_identities.tf create mode 100644 modules/cognitive_services/cognitive_services_account/private_endpoint.tf delete mode 100644 modules/cognitive_services/cognitive_services_account/private_endpoints.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 2bd6a3da02..36faf3aa48 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -29,6 +29,7 @@ "automation/102-automation-msi", "automation/103-automation-private-endpoints", "automation/104-automation-schedule-runbook", + "cognitive_services/100-cognitive-services-account-OpenAI", "communication/communication_services/101-communication_service", "diagnostics_profiles/100-multiple-destinations", "diagnostics_profiles/100-multiple-destinations", diff --git a/.vscode/settings.json b/.vscode/settings.json index 9eeb1dca8a..7219e9efed 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
@@ -19,5 +19,8 @@ "MD025": { "front_matter_title": "" } - } + }, + "conventionalCommits.scopes": [ + "subnet" + ] } \ No newline at end of file diff --git a/cognitive_service.tf b/cognitive_service.tf index b920b21464..723cd8425c 100644 --- a/cognitive_service.tf +++ b/cognitive_service.tf 
@@ -1,24 +1,54 @@ module "cognitive_services_account" { - source = "./modules/cognitive_services/cognitive_services_account" - for_each = local.cognitive_services.cognitive_services_account - + source = "./modules/cognitive_services/cognitive_services_account" + for_each = local.cognitive_services.cognitive_services_account client_config = local.client_config global_settings = local.global_settings + settings = each.value + location = try(each.value.location, null) base_tags = local.global_settings.inherit_tags - resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)] resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name - location = lookup(each.value, "region", null) == null ? 
local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] - settings = each.value - resource_groups = local.combined_objects_resource_groups - vnets = local.combined_objects_networking private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - diagnostics = local.combined_diagnostics - diagnostic_profiles = try(each.value.diagnostic_profiles, {}) - managed_identities = local.combined_objects_managed_identities + remote_objects = { + # Depurar en algún moment para pasar la logica de la subnet_id a remote_objects, error: The given key does not identify an element in this collection value. + #subnet_id = can(each.value.network_acls.virtual_network_rules.subnet_key) ? local.combined_objects_networking[try(each.value.network_acls.virtual_network_rules.lz_key, local.client_config.landingzone_key)][each.value.network_acls.virtual_network_rules.vnet_key].subnets[each.value.network_acls.virtual_network_rules.subnet_key].id : null + #subnet_id = can(each.value.vnet.subnet_key) ? local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.key].subnets[each.value.vnet.subnet_key].id : null + vnets = local.combined_objects_networking + virtual_subnets = local.combined_objects_virtual_subnets + private_dns_zone_id = can(each.value.private_dns_zone.key) ? 
local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id : null + diagnostics = local.combined_diagnostics + resource_groups = local.combined_objects_resource_groups + private_dns = local.combined_objects_private_dns + } } + output "cognitive_services_account" { value = module.cognitive_services_account } + +module "cognitive_account_customer_managed_key" { + source = "./modules/cognitive_services/cognitive_account_customer_managed_key" + for_each = local.cognitive_services.cognitive_account_customer_managed_key + cognitive_account_id = can(each.value.cognitive_account_id) || can(each.value.cognitive_account.id) ? try(each.value.cognitive_account_id, each.value.cognitive_account.id) : local.combined_objects_cognitive_services_accounts[try(each.value.cognitive_account.lz_key, local.client_config.landingzone_key)][try(each.value.cognitive_account_key, each.value.cognitive_account_key.key)].id + key_vault_key_id = can(each.value.key_vault_key_id) || can(each.value.key_vault_key.id) ? try(each.value.key_vault_key_id, each.value.key_vault_key.id) : local.combined_objects_keyvault_keys[try(each.value.keyvault_key.lz_key, local.client_config.landingzone_key)][try(each.value.key_vault_key_key, each.value.key_vault_key.key)].id + identity_client_id = try(can(each.value.identity_client_id) || can(each.value.identity_client.id) ? 
try(each.value.identity_client_id, each.value.identity_client.id) : local.combined_objects_managed_identities[try(each.value.identity_client.lz_key, local.client_config.landingzone_key)][try(each.value.identity_client_key, each.value.identity_client.key)].id, null) + + +} + +output "cognitive_account_customer_managed_key" { + value = module.cognitive_account_customer_managed_key +} + +module "cognitive_deployment" { + source = "./modules/cognitive_services/cognitive_deployment" + for_each = local.cognitive_services.cognitive_deployment + settings = each.value + cognitive_account_id = can(each.value.cognitive_account_id) || can(each.value.cognitive_account.id) ? try(each.value.cognitive_account_id, each.value.cognitive_account.id) : local.combined_objects_cognitive_services_accounts[try(each.value.cognitive_account.lz_key, local.client_config.landingzone_key)][try(each.value.cognitive_account_key, each.value.cognitive_account_key.key)].id +} + +output "cognitive_deployment" { + value = module.cognitive_deployment +} \ No newline at end of file diff --git a/examples/cognitive_services/100-cognitive-services-account-CognitiveServices/configuration.tfvars b/examples/cognitive_services/100-cognitive-services-account-CognitiveServices/configuration.tfvars new file mode 100644 index 0000000000..7e9c5544ea --- /dev/null +++ b/examples/cognitive_services/100-cognitive-services-account-CognitiveServices/configuration.tfvars 
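Review bot: In both `cognitive_account_customer_managed_key` and `cognitive_deployment` the account lookup falls back to `each.value.cognitive_account_key.key`, which is a typo: the `lz_key` read immediately before it uses `each.value.cognitive_account.lz_key`, so the second branch should be `try(each.value.cognitive_account_key, each.value.cognitive_account.key)`, otherwise the object-style reference that the example files use for resource groups cannot be used here. The CMK module also resolves `identity_client_id` from the managed identity object's `.id`, which in this codebase's combined objects is presumably the ARM resource ID, while the argument name says client ID; confirm the combined object exposes `client_id` and use that, since a wrong identity reference leaves the account unable to reach its key-vault key. The key-vault lookup is internally inconsistent as well, reading `each.value.keyvault_key.lz_key` but `each.value.key_vault_key.key`, so one spelling will never match. Lastly, the commented Spanish note inside `remote_objects` ("Depurar en algún moment…") should be an English `# TODO:` so the intent (moving the subnet_id logic into remote_objects, currently failing with a missing-key error) is readable by everyone on the repo.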
@@ -0,0 +1,33 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "westus" + } + random_length = 5 + #pass_through = true +} + +resource_groups = { + test-rg = { + name = "rg-alz-caf-test-1" + } +} + +cognitive_services_account = { + test_account-2 = { + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + name = "cs-alz-caf-test-2" + kind = "CognitiveServices" + sku_name = "S0" + tags = { + env = "test" + } + + } +} + diff --git a/examples/cognitive_services/100-cognitive-services-account-OpenAI/configuration.tfvars b/examples/cognitive_services/100-cognitive-services-account-OpenAI/configuration.tfvars new file mode 100644 index 0000000000..d1ae90ec17 --- /dev/null +++ b/examples/cognitive_services/100-cognitive-services-account-OpenAI/configuration.tfvars @@ -0,0 +1,37 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "westus" + } + random_length = 5 + #pass_through = true +} + +resource_groups = { + test-rg = { + name = "rg-alz-caf-test-1" + } +} + +cognitive_services_account = { + openai_account-1 = { + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + name = "cs-alz-caf-test-1" + kind = "OpenAI" + sku_name = "S0" + + tags = { + env = "test" + } + # custom_subdomain_name = "cs-alz-caf-test-1" + # network_acls = { + # default_action = "Allow" + # ip_rules = ["10.10.10.0/16"] + # } + } +} diff --git a/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars deleted file mode 100644 index 62c98ec3e1..0000000000 
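Review bot: The commented `#pass_through = true` in `global_settings` of the new `100-cognitive-services-account-CognitiveServices` example uses a key the root module does not read: `locals.tf` in this same series looks up `var.global_settings.passthrough`, so anyone uncommenting it as written gets no effect and the random suffix stays on every name. Change it to `# passthrough = true` here and in the sibling OpenAI example added in the same commit.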
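Review bot: The commented `network_acls` sample in the new `100-cognitive-services-account-OpenAI` example pairs `default_action = "Allow"` with `ip_rules`, which teaches the wrong thing: with Allow as the default the IP rules restrict nothing, so someone copying it will believe they have allowlisted a range when the account is still open to the internet. Change the sample to `default_action = "Deny"`, and fix the address too, since `10.10.10.0/16` has host bits set and should be `10.10.0.0/16` (or a /24) to be a valid prefix. As the example stands the account is created with public network access and key-based auth, which is fine for a smoke test but worth one comment line saying the `300-…-private-endpoint` example is the hardened variant.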
--- a/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars +++ /dev/null @@ -1,71 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "westus" - } - random_length = 5 -} - -resource_groups = { - test-rg = { - name = "rg-cognitive-test" - } -} - -managed_identities = { - cognitive_msi = { - name = "cognitive-msi" - resource_group_key = "test-rg" - } -} - -cognitive_services_account = { - test_account-1 = { - resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" - # lz_key = "examples" - key = "test-rg" - } - name = "cs-test-1" - kind = "OpenAI" - sku_name = "S0" - public_network_access_enabled = true - - identity = { - type = "SystemAssigned, UserAssigned" // Can be "SystemAssigned, UserAssigned" or "SystemAssigned" or "UserAssigned" - key = "cognitive_msi" // A must with "SystemAssigned, UserAssigned" and "UserAssigned" - } - - tags = { - env = "test" - } - # custom_subdomain_name = "cs-test-1" - # network_acls = { - # default_action = "Allow" - # ip_rules = ["10.10.10.0/16"] - # } - } - test_account-2 = { - resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" - # lz_key = "examples" - key = "test-rg" - } - name = "cs-test-2" - kind = "QnAMaker" - sku_name = "F0" - - identity = { - type = "SystemAssigned" - } - - tags = { - env = "test" - } - qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net" - - } -} - 
diff --git a/examples/cognitive_services/100-cognitive-services-account/configuration.tfvars b/examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars similarity index 56% rename from examples/cognitive_services/100-cognitive-services-account/configuration.tfvars rename to examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars index 8a4fb6d01d..3c517b2583 100644 --- a/examples/cognitive_services/100-cognitive-services-account/configuration.tfvars +++ b/examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars @@ -4,6 +4,7 @@ global_settings = { region1 = "westus" } random_length = 5 + #pass_through = true } resource_groups = { @@ -13,7 +14,7 @@ resource_groups = { } cognitive_services_account = { - test_account-1 = { + openai_account-1 = { resource_group = { # accepts either id or key to get resource group id # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" @@ -21,8 +22,8 @@ cognitive_services_account = { key = "test-rg" } name = "cs-alz-caf-test-1" - kind = "ComputerVision" - sku_name = "F0" + kind = "OpenAI" + sku_name = "S0" tags = { env = "test" } 
@@ -31,22 +32,21 @@ cognitive_services_account = { # default_action = "Allow" # ip_rules = ["10.10.10.0/16"] # } - } - test_account-2 = { - resource_group = { - # accepts either id or key to get resource group id - # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" - # lz_key = "examples" - key = "test-rg" + } +} + +cognitive_deployment = { + openai_deployment-1 = { + name = "gpt4-listillo" + cognitive_account_key = "openai_account-1" + #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + model = { + format = "OpenAI" + name = "gpt-4" + version = "1106-Preview" } - name = "cs-alz-caf-test-2" - kind = "QnAMaker" - sku_name = "F0" - tags = { - env = "test" + scale = { + type = "Standard" } - qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net" - } } - diff --git a/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars b/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars new file mode 100644 index 0000000000..6226ff196b --- /dev/null +++ b/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars 
@@ -0,0 +1,161 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "westus" + } + random_length = 5 + #pass_through = true +} + +resource_groups = { + test-rg = { + name = "rg-alz-caf-test-1" + } +} + +cognitive_services_account = { + openai_account-1 = { + name = "cs-alz-caf-test-1" + kind = "OpenAI" + sku_name = "S0" + custom_subdomain_name = "cs-alz-caf-test-1" + identity = { + type = "SystemAssigned" + } + + tags = { + env = "test" + } + + network_acls = { + default_action = "Deny" + # ip_rules = ["10.10.10.0/16"] + } + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + + private_endpoints = { + pe1 = { + name = "pe1" + vnet_key = "vnet1" + subnet_key = "private_endpoints" + resource_group_key = "test-rg" + + tags = { + networking = "private endpoint" + } + + private_service_connection = { + name = "pe1" + is_manual_connection = false + subresource_names = ["account"] + } + + private_dns = { + zone_group_name = "privatelink.openai.azure.com" + keys = ["openai_dns"] + } + } + } + + + + + } +} + +cognitive_deployment = { + openai_deployment-1 = { + name = "gpt4-listillo" + cognitive_account_key = "openai_account-1" + #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + model = { + format = "OpenAI" + name = "gpt-4" + version = "1106-Preview" + } + scale = { + type = "Standard" + } + } +} + +vnets = { + vnet1 = { + resource_group_key = "test-rg" + vnet = { + name = "test-vnet" + address_space = ["172.33.0.0/16"] + } + } +} + + +virtual_subnets = { + subnet1 = { + name = "test" + cidr = ["172.33.1.0/24"] + nsg_key = "empty_nsg" + service_endpoints = ["Microsoft.CognitiveServices"] + vnet = { + # id = 
"/subscriptions/xxxx-xxxx-xxxx-xxx/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet" + # lz_key = "" + key = "vnet1" + } + }, + private_endpoints = { + name = "private-endpoint" + cidr = ["172.33.2.0/24"] + enforce_private_link_endpoint_network_policies = true + vnet = { + # id = "/subscriptions/xxxx-xxxx-xxxx-xxx/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet" + # lz_key = "" + key = "vnet1" + } + } + +} + + +# +# Definition of the networking security groups +# +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = { + nsg = [] + } +} + + + + + + +## DNS configuration + +private_dns = { + openai_dns = { + name = "privatelink.openai.azure.com" + resource_group_key = "test-rg" + + tags = { + resource = "private dns" + } + + vnet_links = { + vnlk1 = { + name = "auto-vnet-link" + # lz_key = "" + vnet_key = "vnet1" + tags = { + net_team = "noc1" + } + } + } + } +} \ No newline at end of file diff --git a/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars b/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars new file mode 100644 index 0000000000..ad540882b0 --- /dev/null +++ b/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars 
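Review bot: The `private_endpoints` subnet in this new example sets `enforce_private_link_endpoint_network_policies = true`, which is the attribute name from azurerm 3.x; the first patch in this series pins the provider to `~> 4.7.0`, where `azurerm_subnet` exposes `private_endpoint_network_policies` instead. If the CAF subnet module passes that setting through unchanged, this example will not plan on 4.x, so the example should use whichever key the updated subnet module accepts. The account block otherwise follows a sound pattern (`default_action = "Deny"` plus a private endpoint and `privatelink.openai.azure.com` zone), so it is worth keeping this example working.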
@@ -0,0 +1,105 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "westus" + } + random_length = 5 + #pass_through = true +} + +resource_groups = { + test-rg = { + name = "rg-alz-caf-test-1" + } +} + +cognitive_services_account = { + openai_account-1 = { + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + name = "cs-alz-caf-test-1" + kind = "OpenAI" + sku_name = "S0" + custom_subdomain_name = "cs-alz-caf-test-1" + identity = { + type = "SystemAssigned" + } + + tags = { + env = "test" + } + + network_acls = { + default_action = "Deny" + # ip_rules = ["10.10.10.0/16"] + virtual_network_rules = { + # subnet_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1" + # lz_key = "" + vnet_key = "vnet1" + subnet_key = "subnet1" + ignore_missing_vnet_service_endpoint = false + } + } + } +} + +cognitive_deployment = { + openai_deployment-1 = { + name = "gpt4-listillo" + cognitive_account_key = "openai_account-1" + #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + model = { + format = "OpenAI" + name = "gpt-4" + version = "1106-Preview" + } + scale = { + type = "Standard" + } + } +} + +vnets = { + vnet1 = { + resource_group_key = "test-rg" + vnet = { + name = "test-vnet" + address_space = ["172.33.0.0/16"] + } + } +} + + +virtual_subnets = { + subnet1 = { + name = "test" + cidr = ["172.33.1.0/24"] + nsg_key = "empty_nsg" + service_endpoints = ["Microsoft.CognitiveServices"] + vnet = { + # id = "/subscriptions/xxxx-xxxx-xxxx-xxx/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet" + # lz_key = "" + key = "vnet1" + } + } +} + + +# +# 
Definition of the networking security groups +# +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = { + nsg = [] + } + + + +} + + diff --git a/local.remote_objects.tf b/local.remote_objects.tf index 76de44f2cd..337db99627 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf @@ -36,6 +36,8 @@ locals { batch_pools = try(local.combined_objects_batch_pools, null) cdn_profile = try(local.combined_objects_cdn_profile, null) cognitive_services_accounts = try(local.combined_objects_cognitive_services_accounts, null) + cognitive_account_customer_managed_key = try(local.combined_objects_cognitive_account_customer_managed_key, null) + cognitive_deployment = try(local.combined_objects_cognitive_deployment, null) consumption_budgets_resource_groups = try(local.combined_objects_consumption_budgets_resource_groups, null) consumption_budgets_subscriptions = try(local.combined_objects_consumption_budgets_subscriptions, null) container_registry = try(local.combined_objects_container_registry, null) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 8c2f27186a..5f4bf53d00 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -44,6 +44,8 @@ locals { combined_objects_batch_pools = merge(tomap({ (local.client_config.landingzone_key) = module.batch_pools }), lookup(var.remote_objects, "batch_pools", {})) combined_objects_cdn_profile = merge(tomap({ (local.client_config.landingzone_key) = module.cdn_profile }), lookup(var.remote_objects, "cdn_profile", {}), lookup(var.data_sources, "cdn_profile", {})) combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), lookup(var.remote_objects, "cognitive_services_account", {}), lookup(var.data_sources, "cognitive_services_account", {})) + combined_objects_cognitive_account_customer_managed_key = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_account_customer_managed_key }), try(var.remote_objects.cognitive_account_customer_managed_key, {})) + combined_objects_cognitive_deployment = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_deployment }), try(var.remote_objects.cognitive_deployment, {})) combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), lookup(var.remote_objects, "consumption_budgets_resource_groups", {}), lookup(var.data_sources, "consumption_budgets_resource_groups", {})) combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), lookup(var.remote_objects, "consumption_budgets_subscriptions", {}), lookup(var.data_sources, "consumption_budgets_subscriptions", {})) combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), lookup(var.remote_objects, "container_registry", {}), lookup(var.data_sources, "container_registry", {})) 
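Review bot: The two new `combined_objects_*` entries use `try(var.remote_objects.cognitive_account_customer_managed_key, {})` and `try(var.remote_objects.cognitive_deployment, {})`, while every neighbouring line uses `lookup(var.remote_objects, "<name>", {})` and also merges `var.data_sources`. `try()` on an attribute path also swallows a misspelled key silently, whereas `lookup()` with the same default only falls back when the key is genuinely absent. Suggest `lookup(var.remote_objects, "cognitive_account_customer_managed_key", {})` and `lookup(var.remote_objects, "cognitive_deployment", {})` for consistency with the rest of the block.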
diff --git a/modules/cognitive_services/cognitive_account_customer_managed_key/cognitive_account_customer_managed_key.tf b/modules/cognitive_services/cognitive_account_customer_managed_key/cognitive_account_customer_managed_key.tf
new file mode 100644
index 0000000000..0df5fcf8bd
--- /dev/null
+++ b/modules/cognitive_services/cognitive_account_customer_managed_key/cognitive_account_customer_managed_key.tf
@@ -0,0 +1,5 @@
+resource "azurerm_cognitive_account_customer_managed_key" "service" {
+ cognitive_account_id = var.cognitive_account_id
+ key_vault_key_id = var.key_vault_key_id
+ identity_client_id = try(var.identity_client_id,null)
+}
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_account_customer_managed_key/main.tf b/modules/cognitive_services/cognitive_account_customer_managed_key/main.tf
new file mode 100644
index 0000000000..b34ed51903
--- /dev/null
+++ b/modules/cognitive_services/cognitive_account_customer_managed_key/main.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_account_customer_managed_key/output.tf b/modules/cognitive_services/cognitive_account_customer_managed_key/output.tf
new file mode 100644
index 0000000000..c42ab1b7c5
--- /dev/null
+++ b/modules/cognitive_services/cognitive_account_customer_managed_key/output.tf
@@ -0,0 +1,5 @@
+output "id" {
+ description = "The ID of the Cognitive Service Account."
+ value = azurerm_cognitive_account_customer_managed_key.service.id
+}
+
diff --git a/modules/cognitive_services/cognitive_account_customer_managed_key/variables.tf b/modules/cognitive_services/cognitive_account_customer_managed_key/variables.tf
new file mode 100644
index 0000000000..fa36063b76
--- /dev/null
+++ b/modules/cognitive_services/cognitive_account_customer_managed_key/variables.tf
@@ -0,0 +1,15 @@
+# This file contains the input variables for the cognitive_account_customer_managed_key module.
+variable "cognitive_account_id" {
+ description = "The ID of the Cognitive Service Account."
+ type = string
+}
+
+variable "key_vault_key_id" {
+ description = "The ID of the Key Vault Key."
+ type = string
+}
+
+variable "identity_client_id" {
+ description = "The Client ID of the Managed Identity."
+ type = string
+}
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf b/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf
new file mode 100644
index 0000000000..ad80045d09
--- /dev/null
+++ b/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf
@@ -0,0 +1,29 @@
+// resource "azurecaf_name" "service" {
+// name = var.settings.name
+// prefixes = var.global_settings.prefixes
+// resource_type = "azurerm_cognitive_deployment"
+// random_length = var.global_settings.random_length
+// clean_input = true
+// passthrough = var.global_settings.passthrough
+// use_slug = var.global_settings.use_slug
+// }
+
+resource "azurerm_cognitive_deployment" "service" {
+ name = var.settings.name
+ cognitive_account_id = var.cognitive_account_id
+ model {
+ format = var.settings.model.format
+ name = var.settings.model.name
+ version = try(var.settings.model.version, null)
+ }
+ scale {
+ type = var.settings.scale.type
+ tier = try(var.settings.scale.tier, null)
+ size = try(var.settings.scale.size, null)
+ family = try(var.settings.scale.family, null)
+ capacity = try(var.settings.scale.capacity, null)
+ }
+
+ rai_policy_name = try(var.settings.rai_policy_name, null)
+ version_upgrade_option = try(var.settings.version_upgrade_option, null)
+}
diff --git a/modules/cognitive_services/cognitive_deployment/main.tf b/modules/cognitive_services/cognitive_deployment/main.tf
new file mode 100644
index 0000000000..e69de29bb2
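Review bot: `identity_client_id` is declared `type = string` with no `default`, so it is a required input, yet the resource in the preceding hunk wraps it as `try(var.identity_client_id,null)` — that fallback can never trigger and every caller is forced to pass a client id even when the key vault access is granted to the account's system-assigned identity. Add `default = null` to the variable so the optional semantics the resource already assumes are real, and consider `sensitive = false` is fine here since a client id is not a secret. The descriptions of `cognitive_account_id` in this file and of `output "id"` in the previous hunk are also identical ("The ID of the Cognitive Service Account.") although the output returns the customer-managed-key resource id, so the output description should say so.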
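Review bot: The commented-out `azurecaf_name` block at the top of `cognitive_deployment.tf` should be removed or wired in, not left as dead code: as written the deployment name is `var.settings.name` verbatim, bypassing the CAF naming conventions (prefixes, random suffix, passthrough) that every other resource in this repository applies, while the module's `provider.tf` still declares `azurecaf` as a required provider that nothing uses. If skipping CAF naming is intentional for deployments, a one-line comment such as `# Deployment names are user-facing model aliases and are not run through azurecaf_name.` would document that choice and the dead block can go.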
diff --git a/modules/cognitive_services/cognitive_deployment/output.tf b/modules/cognitive_services/cognitive_deployment/output.tf
new file mode 100644
index 0000000000..bc43a43b94
--- /dev/null
+++ b/modules/cognitive_services/cognitive_deployment/output.tf
@@ -0,0 +1,5 @@
+output "id" {
+ description = " The ID of the Deployment for Azure Cognitive Services Account."
+ value = azurerm_cognitive_deployment.service.id
+}
+
diff --git a/modules/cognitive_services/cognitive_deployment/provider.tf b/modules/cognitive_services/cognitive_deployment/provider.tf
new file mode 100644
index 0000000000..b34ed51903
--- /dev/null
+++ b/modules/cognitive_services/cognitive_deployment/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_deployment/variables.tf b/modules/cognitive_services/cognitive_deployment/variables.tf
new file mode 100644
index 0000000000..b4ed105694
--- /dev/null
+++ b/modules/cognitive_services/cognitive_deployment/variables.tf
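Review bot: The two new modules lay out their provider requirements inconsistently: `cognitive_account_customer_managed_key` puts the `terraform { required_providers … }` block in `main.tf`, whereas `cognitive_deployment` creates an empty `main.tf` (blob e69de29bb2) and puts the same block in `provider.tf`. Pick one layout for both so the module tree stays predictable; the empty `main.tf` should be dropped if `provider.tf` is the chosen home. The `output "id"` description also carries a stray leading space (`" The ID of …"`).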
@@ -0,0 +1,73 @@ +variable "settings" { + description = < 0 ? var.settings.custom_subdomain_name : null + dynamic_throttling_enabled = try(var.settings.dynamic_throttling_enabled, null) + #checkov:skip=CKV2_AZURE_22:Ensure that Cognitive Services enables customer-managed key for encryption. This is a conditional resource + dynamic "customer_managed_key" { + for_each = can(var.settings.customer_managed_key) ? [var.settings.customer_managed_key] : [] + content { + key_vault_key_id = customer_managed_key.value.key_vault_key_id + identity_client_id = try(customer_managed_key.value.identity_client_id, null) + } + } + fqdns = try(var.settings.fqdns, []) dynamic "identity" { - for_each = lookup(var.settings, "identity", {}) != {} ? [1] : [] + for_each = can(var.settings.identity) ? [var.settings.identity] : [] content { - type = lookup(var.settings.identity, "type", null) - identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null + type = identity.value.type + identity_ids = concat(local.managed_identities, try(identity.value.identity_ids, [])) } } - + local_auth_enabled = try(var.settings.local_auth_enabled, true) + metrics_advisor_aad_client_id = (var.settings.kind == "MetricsAdvisor" || var.settings.kind == "QnAMaker") ? try(var.settings.metrics_advisor_aad_client_id, null) : null + metrics_advisor_super_user_name = (var.settings.kind == "MetricsAdvisor" || var.settings.kind == "QnAMaker") ? try(var.settings.metrics_advisor_super_user_name, null) : null + metrics_advisor_website_name = (var.settings.kind == "MetricsAdvisor" || var.settings.kind == "QnAMaker") ? try(var.settings.metrics_advisor_website_name, null) : null dynamic "network_acls" { for_each = can(var.settings.network_acls) ? 
[var.settings.network_acls] : [] content { default_action = network_acls.value.default_action ip_rules = try(network_acls.value.ip_rules, null) - - # to support migration from 2.99.0 to 3.7.0 dynamic "virtual_network_rules" { - for_each = can(network_acls.value.virtual_network_subnet_ids) ? toset(network_acls.value.virtual_network_subnet_ids) : [] - + for_each = can(network_acls.value.virtual_network_rules) ? [network_acls.value.virtual_network_rules] : [] content { - subnet_id = virtual_network_rules.value - } - } - - dynamic "virtual_network_rules" { - for_each = try(network_acls.value.virtual_network_rules, {}) - - content { - subnet_id = virtual_network_rules.value.subnet_id + subnet_id = can(virtual_network_rules.value.subnet_id) || can(virtual_network_rules.value.subnet_key) ? try(virtual_network_rules.value.subnet_id, var.remote_objects.virtual_subnets[try(virtual_network_rules.value.lz_key, var.client_config.landingzone_key)][virtual_network_rules.value.subnet_key].id) : var.remote_objects.vnets[try(virtual_network_rules.value.lz_key, var.client_config.landingzone_key)][virtual_network_rules.value.vnet_key].subnets[virtual_network_rules.value.subnet_key].id + # Depurar en algún moment, error: The given key does not identify an element in this collection value. + # subnet_id = var.remote_objects.subnet_id + # Try virtual_network_rules.value.subnet_id and if it is null, try to get the subnet_id from the remote_objects and if it is null, use null + # subnet_id = try(virtual_network_rules.value.subnet_id, try(var.remote_objects.subnet_id, null)) ignore_missing_vnet_service_endpoint = try(virtual_network_rules.value.ignore_missing_vnet_service_endpoint, null) } } } } + outbound_network_access_restricted = try(var.settings.outbound_network_access_restricted, false) + public_network_access_enabled = try(var.settings.public_network_access_enabled, true) + qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? 
var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) + custom_question_answering_search_service_id = var.settings.kind == "TextAnalytics" ? var.settings.custom_question_answering_search_service_id : try(var.settings.custom_question_answering_search_service_id, null) + custom_question_answering_search_service_key = var.settings.kind == "TextAnalytics" ? var.settings.custom_question_answering_search_service_key : try(var.settings.custom_question_answering_search_service_key, null) + dynamic "storage" { + for_each = can(var.settings.storage) ? [var.settings.storage] : [] + + content { + storage_account_id = storage.value.storage_account_id + identity_client_id = try(storage.value.identity_client_id, null) + } + } + + tags = try(var.settings.tags, {}) } \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/diagnostics.tf b/modules/cognitive_services/cognitive_services_account/diagnostics.tf index 3d7118951f..1d57eb2f5d 100644 --- a/modules/cognitive_services/cognitive_services_account/diagnostics.tf +++ b/modules/cognitive_services/cognitive_services_account/diagnostics.tf @@ -1,9 +1,8 @@ module "diagnostics" { source = "../../diagnostics" - count = var.diagnostic_profiles == null ? 0 : 1 - + for_each = try(var.settings.diagnostic_profiles, {}) resource_id = azurerm_cognitive_account.service.id - resource_location = local.location - diagnostics = var.diagnostics - profiles = var.diagnostic_profiles + resource_location = azurerm_cognitive_account.service.location + diagnostics = var.remote_objects.diagnostics + profiles = try(var.settings.diagnostic_profiles, {}) } diff --git a/modules/cognitive_services/cognitive_services_account/locals.tf b/modules/cognitive_services/cognitive_services_account/locals.tf new file mode 100644 index 0000000000..9508cef662 --- /dev/null +++ b/modules/cognitive_services/cognitive_services_account/locals.tf 
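Review bot: The new defaults `local_auth_enabled = try(var.settings.local_auth_enabled, true)` and `public_network_access_enabled = try(var.settings.public_network_access_enabled, true)` mean an account declared with no explicit settings accepts shared-key authentication from any network; the 300-* examples harden this with `network_acls.default_action = "Deny"`, but nothing in the module description tells operators those two keys exist or what they default to. Suggest documenting both defaults (and `outbound_network_access_restricted`, default `false`) in the `settings` variable description so the permissive defaults are a conscious choice rather than an omission. Separately, the `virtual_network_rules` block still carries debugging leftovers — a Spanish `# Depurar en algún moment …` note and two commented-out alternative `subnet_id` expressions — which should be removed or replaced by a single English comment explaining the `subnet_id`/`subnet_key`/`vnet_key` resolution order. The start of this hunk is mangled in the view (the `settings` heredoc appears to have swallowed the `variables.tf` hunk), so the early part of the resource could not be reviewed.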
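Review bot: In `diagnostics.tf` the module is now instantiated once per entry of `var.settings.diagnostic_profiles` via `for_each`, but every instance still receives the full map in `profiles = try(var.settings.diagnostic_profiles, {})`. If `../../diagnostics` iterates over `profiles` internally as the other CAF modules do, N profiles produce N×N diagnostic settings with clashing names on the same resource. Either keep the previous `count`-style single instance, or pass only the instance's own profile, e.g. `profiles = { (each.key) = each.value }`.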
@@ -0,0 +1,19 @@ + +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.resource_group.tags, null), + local.module_tag, + try(var.settings.tags, null) + ) : merge( + local.module_tag, + try(var.settings.tags, + null) + ) +location = coalesce(var.location, var.resource_group.location) +resource_group_name = coalesce(var.resource_group_name, var.resource_group.name) + +} \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/main.tf b/modules/cognitive_services/cognitive_services_account/main.tf index e2fd2ccc7f..b34ed51903 100644 --- a/modules/cognitive_services/cognitive_services_account/main.tf +++ b/modules/cognitive_services/cognitive_services_account/main.tf @@ -4,13 +4,4 @@ terraform { source = "aztfmod/azurecaf" } } -} - -locals { - location = coalesce(var.location, var.resource_group.location) - tags = var.base_tags ? merge( - var.global_settings.tags, - try(var.resource_group.tags, null), - try(var.settings.tags, null) - ) : try(var.settings.tags, null) -} +} \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/managed_identities.tf b/modules/cognitive_services/cognitive_services_account/managed_identities.tf new file mode 100644 index 0000000000..4257d2d09d --- /dev/null +++ b/modules/cognitive_services/cognitive_services_account/managed_identities.tf 
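Review bot: The new `locals.tf` is not `terraform fmt`-clean: `location` and `resource_group_name` sit at column 0 inside the `locals` block and `try(var.settings.tags, null)` is split across two lines in the non-`base_tags` branch. Running `terraform fmt` before merging keeps the diff readable and matches the rest of the repository. Note also that `local.tags` now merges `local.module_tag` (`module = <module dir name>`) in both branches, which the removed `locals` block in `main.tf` did not, so existing accounts will show a tag change on the next apply — worth a line in the commit message.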
@@ -0,0 +1,17 @@ +locals { + managed_local_identities = flatten([ + for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ + var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + ] + ]) + + managed_remote_identities = flatten([ + for lz_key, value in try(var.settings.identity.remote, []) : [ + for managed_identity_key in value.managed_identity_keys : [ + var.remote_objects.managed_identities[lz_key][managed_identity_key].id + ] + ] + ]) + + managed_identities = concat(local.managed_local_identities, local.managed_remote_identities) +} \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/output.tf b/modules/cognitive_services/cognitive_services_account/output.tf index c548874b0b..800afcb843 100644 --- a/modules/cognitive_services/cognitive_services_account/output.tf +++ b/modules/cognitive_services/cognitive_services_account/output.tf 
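Review bot: `managed_remote_identities` destructures `for lz_key, value in try(var.settings.identity.remote, [])`, but the fallback is a list, so the default should be `{}` to match the map shape the loop expects. More importantly, the identity block in the account hunk now builds `identity_ids` solely from `local.managed_identities` (`identity.managed_identity_keys` / `identity.remote`) plus `identity.identity_ids`; the previous schema keyed by `identity.key` / `identity.ids` (the deleted 101 example used `key = "cognitive_msi"`) is no longer read, so an existing configuration that still uses it will silently end up with an empty `identity_ids` and lose its user-assigned identity on apply. Either keep a compatibility path for `identity.key`, or fail loudly and call the schema change out in the commit message.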
@@ -8,21 +8,27 @@ output "endpoint" { value = azurerm_cognitive_account.service.endpoint } -output "primary_access_key" { - description = "The primary_access_key used to connect to the Cognitive Service Account." - value = azurerm_cognitive_account.service.primary_access_key +output "identity" { + description = "The identity associated with the Cognitive Service Account." + value = azurerm_cognitive_account.service.identity } -output "secondary_access_key" { - description = "The secondary_access_key used to connect to the Cognitive Service Account." - value = azurerm_cognitive_account.service.secondary_access_key +output "identity_principal_id" { + description = "The Principal ID associated with the identity of the Cognitive Service Account." + value = try(azurerm_cognitive_account.service.identity[0].principal_id, null) } -output "rbac_id" { - description = "The Principal ID of the Cognetive Services for Role Mapping" - value = try(azurerm_cognitive_account.service.identity[0].principal_id, null) +output "identity_tenant_id" { + description = "The Tenant ID associated with the identity of the Cognitive Service Account." + value = try(azurerm_cognitive_account.service.identity[0].tenant_id, null) } -output "identity" { - value = try(azurerm_cognitive_account.service.identity, null) +output "primary_access_key" { + description = "The primary access key associated with the Cognitive Service Account." + value = azurerm_cognitive_account.service.primary_access_key } + +output "secondary_access_key" { + description = "The secondary access key associated with the Cognitive Service Account." + value = azurerm_cognitive_account.service.secondary_access_key +} \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/private_endpoint.tf b/modules/cognitive_services/cognitive_services_account/private_endpoint.tf new file mode 100644 index 0000000000..7e7dad4ed3 --- /dev/null 
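Review bot: `primary_access_key` and `secondary_access_key` are re-added without `sensitive = true`, so the account's shared keys are rendered in plan/apply output and in any state or CI log that prints module outputs. Add `sensitive = true` to both outputs; the provider marks these attributes sensitive, and Terraform will otherwise refuse the output with "Output refers to sensitive values". The removed `rbac_id` output is also replaced by `identity_principal_id`, which is a rename callers will need to follow — worth a mention in the commit message.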
+++ b/modules/cognitive_services/cognitive_services_account/private_endpoint.tf @@ -0,0 +1,21 @@ +# +# Private endpoint +# + +module "private_endpoint" { + source = "../../../modules/networking/private_endpoint/" + for_each = var.private_endpoints + + resource_id = azurerm_cognitive_account.service.id + name = each.value.name + location = local.location + resource_group_name = local.resource_group_name + #subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.remote_objects.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + subnet_id = can(each.value.subnet_id) || can(each.value.subnet_key) ? try(each.value.subnet_id, var.remote_objects.virtual_subnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.subnet_key].id) : var.remote_objects.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + settings = each.value + global_settings = var.global_settings + tags = local.tags + base_tags = var.base_tags + private_dns = var.remote_objects.private_dns + client_config = var.client_config +} diff --git a/modules/cognitive_services/cognitive_services_account/private_endpoints.tf b/modules/cognitive_services/cognitive_services_account/private_endpoints.tf deleted file mode 100644 index 9c34adb305..0000000000 --- a/modules/cognitive_services/cognitive_services_account/private_endpoints.tf +++ /dev/null 
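Review bot: The new `private_endpoint.tf` leaves a commented-out `#subnet_id = …` line directly above the live `subnet_id` expression; drop it, the live expression already covers the `subnet_id` → `subnet_key` → `vnet_key`/`subnet_key` resolution it encoded. The `source = "../../../modules/networking/private_endpoint/"` path resolves to the same module as the deleted file's `"../../networking/private_endpoint"`, but it walks out to the repository root and back, unlike `diagnostics.tf` in the same module which uses `"../../diagnostics"`; the shorter relative form keeps the module relocatable. Since this file replaces the deleted `private_endpoints.tf`, a `git mv` would have preserved history instead of a delete/add pair.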
@@ -1,20 +0,0 @@ -# -# Private endpoint -# - -module "private_endpoint" { - source = "../../networking/private_endpoint" - for_each = var.private_endpoints - - resource_id = azurerm_cognitive_account.service.id - name = each.value.name - location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location - resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name - subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - tags = local.tags - private_dns = var.private_dns - client_config = var.client_config -} diff --git a/modules/cognitive_services/cognitive_services_account/variables.tf b/modules/cognitive_services/cognitive_services_account/variables.tf index 87b5679e0d..38f1e5590a 100644 --- a/modules/cognitive_services/cognitive_services_account/variables.tf +++ b/modules/cognitive_services/cognitive_services_account/variables.tf 
@@ -1,47 +1,173 @@ variable "global_settings" { - description = "Global settings object (see module README.md)" + description = < Date: Tue, 29 Oct 2024 16:22:33 +0100 Subject: [PATCH 08/60] feat(databases): update MSSQL failover group resource configuration This commit updates the MSSQL failover group resource configuration in Terraform. The changes include: - Replacing "azurerm_sql_failover_group" with "azurerm_mssql_failover_group". - Removing "resource_group_name" as it's no longer required. - Changing "server_name" to "server_id". - Modifying "partner_servers" block to "partner_server". These changes align with the updated Azure provider for Terraform and improve the accuracy of server identification by using server ID instead of name. --- .../mssql_server/failover_group/failover_group.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/databases/mssql_server/failover_group/failover_group.tf b/modules/databases/mssql_server/failover_group/failover_group.tf index aab7af982f..f7590dde91 100644 --- a/modules/databases/mssql_server/failover_group/failover_group.tf +++ b/modules/databases/mssql_server/failover_group/failover_group.tf @@ -8,13 +8,12 @@ resource "azurecaf_name" "failover_group" { passthrough = var.global_settings.passthrough } -resource "azurerm_sql_failover_group" "failover_group" { +resource "azurerm_mssql_failover_group" "failover_group" { name = azurecaf_name.failover_group.result - resource_group_name = var.resource_group_name - server_name = var.primary_server_name + server_id = var.primary_server_name databases = local.databases - partner_servers { + partner_server { id = var.secondary_server_id } From a1b5859b68938b7c353fca93dded92da931b93fb Mon Sep 17 00:00:00 2001 
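Review bot: `server_id = var.primary_server_name` assigns a variable whose name (and, per the old `server_name = var.primary_server_name` line, its previous contents) is a server name to an attribute that now requires a full resource ID; unless every caller has been changed to pass an ID into a variable still called `primary_server_name`, the resource will fail validation. Rename the input to `primary_server_id` and update the caller, or at minimum document in the variable's description that it must now hold the primary server's resource ID. The commit message says this improves accuracy of server identification, but that only holds if the value actually passed is an ID. The `azurerm_mssql_failover_group` body appears to continue past the end of the hunk, so the remaining attributes could not be checked.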
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:23:11 +0100 Subject: [PATCH 09/60] refactor(networking): invert BGP route propagation variable The disable_bgp_route_propagation variable has been renamed to bgp_route_propagation_enabled, and its logic has been inverted. This change is made to provide a more intuitive understanding of the configuration. Now, when bgp_route_propagation_enabled is true, it means that BGP route propagation is enabled, and vice versa. This change affects the modules.tf, variables.tf, and networking.tf files in the networking/route_tables module. Make sure to update any dependent configurations accordingly. --- modules/networking/route_tables/modules.tf | 2 +- modules/networking/route_tables/variables.tf | 2 +- networking.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/networking/route_tables/modules.tf b/modules/networking/route_tables/modules.tf index 0a694695ac..10e27b4c10 100644 --- a/modules/networking/route_tables/modules.tf +++ b/modules/networking/route_tables/modules.tf @@ -2,6 +2,6 @@ resource "azurerm_route_table" "rt" { name = var.name resource_group_name = var.resource_group_name location = var.location - disable_bgp_route_propagation = var.disable_bgp_route_propagation + bgp_route_propagation_enabled = var.bgp_route_propagation_enabled tags = local.tags } diff --git a/modules/networking/route_tables/variables.tf b/modules/networking/route_tables/variables.tf index 19d527a38f..391a3c1148 100644 --- a/modules/networking/route_tables/variables.tf +++ b/modules/networking/route_tables/variables.tf 
@@ -7,7 +7,7 @@ variable "location" { description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." type = string } -variable "disable_bgp_route_propagation" {} +variable "bgp_route_propagation_enabled" {} variable "tags" { description = "(Required) Map of tags to be applied to the resource" type = map(any) diff --git a/networking.tf b/networking.tf index 39721f8a46..eb13533a07 100644 --- a/networking.tf +++ b/networking.tf @@ -271,7 +271,7 @@ module "route_tables" { location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} - disable_bgp_route_propagation = try(each.value.disable_bgp_route_propagation, null) + bgp_route_propagation_enabled = try(each.value.bgp_route_propagation_enabled, null) tags = try(each.value.tags, null) } From 146a2d95ded99c0e6a063ba7f51e63f27b896900 Mon Sep 17 00:00:00 2001 
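Review bot: `bgp_route_propagation_enabled = try(each.value.bgp_route_propagation_enabled, null)` in the networking.tf hunk silently ignores a configuration that still sets the old `disable_bgp_route_propagation` key: `try` falls through to `null`, the provider default applies, and a route table that deliberately turned propagation off (typically to keep traffic on a hub firewall route) is re-enabled on the next apply without any plan diagnostic. A transitional fallback such as `bgp_route_propagation_enabled = try(each.value.bgp_route_propagation_enabled, !each.value.disable_bgp_route_propagation, null)` would carry the old input through the inversion until callers migrate. The variables.tf hunk in the same patch declares `variable "bgp_route_propagation_enabled" {}` with no `type = bool` and no description; typing it would at least reject the loosely typed values that an inverted flag makes easy to get wrong.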
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:43:09 +0100 Subject: [PATCH 10/60] refactor(maps): add default location for maps account --- modules/maps/maps_account/maps_account.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/maps/maps_account/maps_account.tf b/modules/maps/maps_account/maps_account.tf index eca12979a8..cf499e36db 100644 --- a/modules/maps/maps_account/maps_account.tf +++ b/modules/maps/maps_account/maps_account.tf @@ -14,7 +14,7 @@ resource "azurerm_maps_account" "map" { resource_group_name = local.resource_group_name sku_name = var.settings.sku_name tags = local.tags - + location = try(var.settings.location, "global") } # Store the primary_access_key into keyvault if the attribute keyvault{} is defined. From 77add0a673a60466782e1e894c6caa797b607ffc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:43:39 +0100 Subject: [PATCH 11/60] refactor(storage_account): remove unused variable and update file_share_directory module --- modules/storage_account/file_share/share_directory.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/storage_account/file_share/share_directory.tf b/modules/storage_account/file_share/share_directory.tf index 89c8d6dee1..6abbf83b48 100644 --- a/modules/storage_account/file_share/share_directory.tf +++ b/modules/storage_account/file_share/share_directory.tf @@ -2,6 +2,5 @@ module "file_share_directory" { source = "../file_share_directory" for_each = try(var.settings.directories, {}) storage_share_id = azurerm_storage_share.fs.id - share_name = azurerm_storage_share.fs.name settings = each.value } \ No newline at end of file From 356297974a7b930ebc184f93a477fb14ef83df02 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:44:25 +0100 Subject: [PATCH 12/60] refactor(logic_app): remove integration service environment module --- .../integration_service_environment/main.tf | 15 ------- .../integration_service_environment/module.tf | 23 ----------- .../integration_service_environment/output.tf | 24 ----------- .../variables.tf | 40 ------------------- .../monitor_action_group.tf | 13 ++++-- 5 files changed, 10 insertions(+), 105 deletions(-) delete mode 100644 modules/logic_app/integration_service_environment/main.tf delete mode 100644 modules/logic_app/integration_service_environment/module.tf delete mode 100644 modules/logic_app/integration_service_environment/output.tf delete mode 100644 modules/logic_app/integration_service_environment/variables.tf diff --git a/modules/logic_app/integration_service_environment/main.tf b/modules/logic_app/integration_service_environment/main.tf deleted file mode 100644 index 8477f12301..0000000000 --- a/modules/logic_app/integration_service_environment/main.tf +++ /dev/null @@ -1,15 +0,0 @@ -terraform { - required_providers { - azurecaf = { - source = "aztfmod/azurecaf" - } - } - -} - -locals { - module_tag = { - "module" = basename(abspath(path.module)) - } - tags = merge(var.base_tags, local.module_tag, try(var.tags, null)) -} \ No newline at end of file diff --git a/modules/logic_app/integration_service_environment/module.tf b/modules/logic_app/integration_service_environment/module.tf deleted file mode 100644 index 65e9e2a423..0000000000 --- a/modules/logic_app/integration_service_environment/module.tf +++ /dev/null 
@@ -1,23 +0,0 @@ -resource "azurecaf_name" "ise" { - name = var.settings.name - resource_type = "azurerm_integration_service_environment" - prefixes = var.global_settings.prefixes - random_length = var.global_settings.random_length - clean_input = true - passthrough = var.global_settings.passthrough - use_slug = var.global_settings.use_slug -} -# Last review : AzureRM version 2.74.0 -# Ref : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/integration_service_environment -resource "azurerm_integration_service_environment" "ise" { - name = azurecaf_name.ise.result - resource_group_name = var.resource_group_name - location = var.location - sku_name = var.settings.sku_name - access_endpoint_type = var.settings.access_endpoint_type - tags = merge(local.tags, lookup(var.settings, "tags", {})) - virtual_network_subnet_ids = try(var.settings.subnets, null) == null ? null : [ - for key, value in var.settings.subnets : var.vnets[try(value.lz_key, var.client_config.landingzone_key)][value.vnet_key].subnets[value.subnet_key].id - ] -} - diff --git a/modules/logic_app/integration_service_environment/output.tf b/modules/logic_app/integration_service_environment/output.tf deleted file mode 100644 index 022c514b06..0000000000 --- a/modules/logic_app/integration_service_environment/output.tf +++ /dev/null 
@@ -1,24 +0,0 @@ -output "id" { - value = azurerm_integration_service_environment.ise.id - description = "The ID of the Integration Service Environment." -} - -output "connector_endpoint_ip_addresses" { - value = azurerm_integration_service_environment.ise.connector_endpoint_ip_addresses - description = "The list of access endpoint ip addresses of connector." -} - -output "connector_outbound_ip_addresses" { - value = azurerm_integration_service_environment.ise.connector_outbound_ip_addresses - description = "The list of outgoing ip addresses of connector." -} - -output "workflow_endpoint_ip_addresses" { - value = azurerm_integration_service_environment.ise.workflow_endpoint_ip_addresses - description = "The list of access endpoint ip addresses of workflow." -} - -output "workflow_outbound_ip_addresses" { - value = azurerm_integration_service_environment.ise.workflow_outbound_ip_addresses - description = "The list of outgoing ip addresses of workflow." -} diff --git a/modules/logic_app/integration_service_environment/variables.tf b/modules/logic_app/integration_service_environment/variables.tf deleted file mode 100644 index c8fd150149..0000000000 --- a/modules/logic_app/integration_service_environment/variables.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -variable "global_settings" { - description = "Global settings object (see module README.md)" -} -variable "client_config" { - description = "Client configuration object (see module README.md)." -} -variable "location" { - description = "(Required) The Azure Region where the Integration Service Environment should exist" -} -variable "resource_group_name" { - description = "(Required) The name of the Resource Group where the Integration Service Environment should exist" -} -variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." - type = map(any) -} - -variable "settings" {} -#variable "name" { -# description = "(Required) The name of the Integration Service Environment" -#} - - - - -#variable "sku_name" { -# description = "(Required) The sku name and capacity of the Integration Service Environment" -#} - -#variable "access_endpoint_type" { -# description = "(Required) The type of access endpoint to use for the Integration Service Environment" -#} -variable "vnets" { - default = {} - description = "(Required) A list of virtual network subnet ids to be used by Integration Service Environment" -} -variable "tags" { - description = "(Required) map of tags for the deployment" - default = null -} \ No newline at end of file diff --git a/modules/monitoring/monitor_action_group/monitor_action_group.tf b/modules/monitoring/monitor_action_group/monitor_action_group.tf index 79efdf1f0b..a58ef172e3 100644 --- a/modules/monitoring/monitor_action_group/monitor_action_group.tf +++ b/modules/monitoring/monitor_action_group/monitor_action_group.tf 
@@ -67,11 +67,18 @@ resource "azurerm_monitor_action_group" "this" { for_each = try(var.settings.event_hub_receiver, {}) content { name = event_hub_receiver.value.name - event_hub_id = coalesce( - try(var.remote_objects.event_hub_namespaces[event_hub_receiver.value.event_hub.lz_key][event_hub_receiver.value.event_hub.key].id, null), - try(var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][event_hub_receiver.value.event_hub.key].id, null), + event_hub_name = coalesce( + try( + var.remote_objects.event_hubs[event_hub_receiver.value.event_hub.lz_key][event_hub_receiver.value.event_hub.key].name, null), + try(var.remote_objects.event_hubs[var.client_config.landingzone_key][event_hub_receiver.value.event_hub.key].name, null), + try(event_hub_receiver.value.event_hub.name, null) + ) + event_hub_namespace = coalesce( + try(var.remote_objects.event_hub_namespaces[event_hub_receiver.value.event_hub.lz_key][event_hub_receiver.value.event_hub.key].name, null), + try(var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][event_hub_receiver.value.event_hub.key].name, null), try(event_hub_receiver.value.event_hub.key, null) ) + subscription_id = try(event_hub_receiver.value.subscription_id, null) tenant_id = try(event_hub_receiver.value.tenant_id, null) use_common_alert_schema = try(event_hub_receiver.value.use_common_alert_schema, null) } From 43ce722f51b3c22d740067acf6b78e750439d7d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:44:38 +0100 Subject: [PATCH 13/60] refactor(logic_app): remove integration service environment module and update file_share_directory module --- logic_app.tf | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/logic_app.tf b/logic_app.tf index 47d15f8b1e..0054a9e669 100644 --- a/logic_app.tf +++ b/logic_app.tf 
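Review bot: Both `coalesce` lookups index `event_hubs[...]` and `event_hub_namespaces[...]` with the same `event_hub_receiver.value.event_hub.key`, so the hub key is expected to exist under both maps; if hubs and namespaces are keyed independently in the remote objects (which the two separate maps suggest), the namespace lookup misses and falls through to `try(event_hub_receiver.value.event_hub.key, null)`, which yields the configuration key rather than a namespace name. A dedicated namespace reference would make the intent explicit, e.g. `try(var.remote_objects.event_hub_namespaces[var.client_config.landingzone_key][event_hub_receiver.value.event_hub.namespace_key].name, null)` if such a key is available to callers. `coalesce` also aborts the plan with a generic "no non-null arguments" error when every branch is null, so a `precondition` with a message naming the receiver would help operators. The resource block starts and ends outside the hunk.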
@@ -1,22 +1,3 @@ -##### azurerm_integration_service_environment -module "integration_service_environment" { - source = "./modules/logic_app/integration_service_environment" - - for_each = local.logic_app.integration_service_environment - - global_settings = local.global_settings - client_config = local.client_config - settings = each.value - location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location - resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name - base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} - vnets = local.combined_objects_networking -} - -output "integration_service_environment" { - value = module.integration_service_environment -} - ##### azurerm_logic_app_action_custom module "logic_app_action_custom" { source = "./modules/logic_app/action_custom" From 8ae453d241f23e85973bced69153e1cbb9fc36f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:44:48 +0100 Subject: [PATCH 14/60] refactor(networking): update waf_policy.tf to support rule overrides --- .../application_gateway_waf_policies/waf_policy.tf | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) 
diff --git a/modules/networking/application_gateway_waf_policies/waf_policy.tf b/modules/networking/application_gateway_waf_policies/waf_policy.tf index ab0da3fa8a..6c2a6dece5 100644 --- a/modules/networking/application_gateway_waf_policies/waf_policy.tf +++ b/modules/networking/application_gateway_waf_policies/waf_policy.tf @@ -83,7 +83,17 @@ resource "azurerm_web_application_firewall_policy" "wafpolicy" { for_each = try(managed_rule_set.value.rule_group_override, {}) content { rule_group_name = rule_group_override.value.rule_group_name - disabled_rules = try(rule_group_override.value.disabled_rules, null) + #The rule block supports the following: + #id - (Required) Identifier for the managed rule. + #enabled - (Optional) Describes if the managed rule is in enabled state or disabled state. Defaults to false. + #action - (Optional) Describes the override action to be applied when rule matches. Possible values are Allow, AnomalyScoring, Block, JSChallenge and Log. JSChallenge is only valid for rulesets of type Microsoft_BotManagerRuleSet. + dynamic "rule" { + for_each = try(rule_group_override.value.rules, {}) + content { + id = rule.value.id + enabled = try(rule.value.enabled, false) + action = try(rule.value.action, null) + } } } } @@ -91,3 +101,4 @@ resource "azurerm_web_application_firewall_policy" "wafpolicy" { } } } +} From 476aad1e9fe0c69dbdcd86b0b7879fc62f5f1a5d Mon Sep 17 00:00:00 2001 
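Review bot: The second hunk appends a bare `+}` at the end of the file while the `dynamic "rule"` block added in the first hunk is already brace-balanced (two opens, two closes), so unless the original file was missing a closing brace the new file will not parse; `terraform fmt` and `terraform validate` on the module would settle it before merge. Separately, `disabled_rules` is no longer read anywhere in this block, so existing configurations that list rule IDs to disable silently keep those rules active, and `enabled = try(rule.value.enabled, false)` turns off any rule that is listed only to set an `action`. A transitional `for_each` that folds the old key into the new shape, e.g. `for_each = merge({ for id in try(rule_group_override.value.disabled_rules, []) : id => { id = id, enabled = false } }, try(rule_group_override.value.rules, {}))`, keeps old inputs effective until callers migrate. The resource block continues outside both hunks.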
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:55:32 +0100 Subject: [PATCH 15/60] Title: refactor(cosmos_db): rename configuration variables for clarity Body: Renamed several configuration variables in the `cosmos_db` module and examples to improve readability and consistency. The changes include: 1. Renamed `enable_automatic_failover` to `automatic_failover_enabled`. 2. Renamed `enable_free_tier` to `free_tier_enabled`. 3. Renamed `enable_multiple_write_locations` to `multiple_write_locations_enabled`. These changes apply to all Cosmos DB configurations and should make the settings more intuitive to understand. As this is a breaking change, users need to update their configuration files accordingly. --- .../100-cosmos-db-sql-role-mapping/configuration.tfvars | 2 +- .../100-simple-cosmos-db-cassandra/cassandra.tfvars | 6 +++--- .../100-simple-cosmos-db-gremlin/gremlin_databases.tfvars | 6 +++--- .../100-simple-cosmos-db-mongo/mongodb_databases.tfvars | 6 +++--- .../cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars | 6 +++--- examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars | 6 +++--- .../101-decomposed-cosmosdb-sql/sql_databases.tfvars | 6 +++--- .../101-private-endpoint-cosmos-db/configuration.tfvars | 6 +++--- modules/databases/cosmos_dbs/cosmosdb_account.tf | 6 +++--- 9 files changed, 25 insertions(+), 25 deletions(-) diff --git a/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars b/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars index 6449ac73e9..5094152f83 100644 --- a/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars +++ b/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars 
@@ -25,7 +25,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" #This parameter needs for more correct work with Cosmos custom roles access_key_metadata_writes_enabled = false diff --git a/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars b/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars index 4d4774a75d..310c10ac62 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars @@ -19,7 +19,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" consistency_policy = { consistency_level = "BoundedStaleness" @@ -44,9 +44,9 @@ cosmos_dbs = { } # optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "" - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } diff --git a/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars index 14719c716b..4fd9e76b9a 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars @@ -19,7 +19,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" consistency_policy = { consistency_level = "BoundedStaleness" @@ -45,9 +45,9 @@ cosmos_dbs = { } # optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "" - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } 
diff --git a/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars index 2a542b98dc..fa0ca4ca4d 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars @@ -19,7 +19,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "MongoDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" consistency_policy = { consistency_level = "BoundedStaleness" @@ -44,9 +44,9 @@ cosmos_dbs = { } # optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "" - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } diff --git a/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars index 49c449ab41..aab832639e 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars @@ -19,7 +19,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" consistency_policy = { consistency_level = "BoundedStaleness" @@ -42,10 +42,10 @@ cosmos_dbs = { } # Optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "116.88.85.63,116.88.85.64" #capabilities = ["EnableTable"] - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } diff --git a/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars b/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars index 2182624021..c5eee71f4e 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars 
+++ b/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars @@ -19,7 +19,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" consistency_policy = { consistency_level = "BoundedStaleness" @@ -44,9 +44,9 @@ cosmos_dbs = { } # optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "" - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } diff --git a/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars b/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars index 545d40c8c8..faa440aac3 100644 --- a/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars +++ b/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars @@ -19,7 +19,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" consistency_policy = { consistency_level = "BoundedStaleness" @@ -42,10 +42,10 @@ cosmos_dbs = { } # Optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "116.88.85.63,116.88.85.64" #capabilities = ["EnableTable"] - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } diff --git a/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars b/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars index 092b6930a5..b6bb33be72 100644 --- a/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars +++ b/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars 
@@ -26,7 +26,7 @@ cosmos_dbs = { resource_group_key = "cosmosdb_region1" offer_type = "Standard" kind = "GlobalDocumentDB" - enable_automatic_failover = "true" + automatic_failover_enabled = "true" public_network_access_enabled = false consistency_policy = { @@ -50,10 +50,10 @@ cosmos_dbs = { } # Optional - enable_free_tier = false + free_tier_enabled = false ip_range_filter = "116.88.85.63,116.88.85.64" #capabilities = ["EnableTable"] - enable_multiple_write_locations = false + multiple_write_locations_enabled = false tags = { "project" = "EDH" } diff --git a/modules/databases/cosmos_dbs/cosmosdb_account.tf b/modules/databases/cosmos_dbs/cosmosdb_account.tf index 5a15e538b4..28ff1b9d42 100644 --- a/modules/databases/cosmos_dbs/cosmosdb_account.tf +++ b/modules/databases/cosmos_dbs/cosmosdb_account.tf @@ -17,10 +17,10 @@ resource "azurerm_cosmosdb_account" "cosmos_account" { kind = try(var.settings.kind, "GlobalDocumentDB") tags = local.tags - enable_free_tier = try(var.settings.enable_free_tier, false) + free_tier_enabled = try(var.settings.free_tier_enabled, false) ip_range_filter = try(var.settings.ip_range_filter, null) - enable_multiple_write_locations = try(var.settings.enable_multiple_write_locations, false) - enable_automatic_failover = try(var.settings.enable_automatic_failover, null) + multiple_write_locations_enabled = try(var.settings.multiple_write_locations_enabled, false) + automatic_failover_enabled = try(var.settings.automatic_failover_enabled, null) is_virtual_network_filter_enabled = try(var.settings.is_virtual_network_filter_enabled, null) create_mode = try(var.settings.create_mode, null) public_network_access_enabled = try(var.settings.public_network_access_enabled, true) From 53cf7219288c52c45911e56a155a2bd525f054b0 Mon Sep 17 00:00:00 2001 
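Review bot: `free_tier_enabled = try(var.settings.free_tier_enabled, false)` and the two sibling lines in the cosmosdb_account.tf hunk drop the legacy `enable_*` keys with no fallback, so a configuration that still sets `enable_multiple_write_locations = true` or `enable_automatic_failover = true` silently plans a change to the provider default instead of failing. `try` accepts several fallbacks, so `multiple_write_locations_enabled = try(var.settings.multiple_write_locations_enabled, var.settings.enable_multiple_write_locations, false)` (and likewise for the other two) would keep old inputs working through the transition that the commit message itself calls a breaking change. The example tfvars in this patch still pass the value as the string `"true"`; the argument is a bool, so `automatic_failover_enabled = true` avoids relying on implicit conversion. The resource block continues outside the hunk.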
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:56:03 +0100 Subject: [PATCH 16/60] Refactor(conbined_objects): Remove integration service environment module and update file_share_directory module --- locals.combined_objects.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 5f4bf53d00..95383a9360 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -88,7 +88,6 @@ locals { combined_objects_front_door_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), lookup(var.remote_objects, "front_door_waf_policies", {})) combined_objects_function_apps = merge(tomap({ (local.client_config.landingzone_key) = module.function_apps }), lookup(var.remote_objects, "function_apps", {})) combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), lookup(var.remote_objects, "image_definitions", {})) - combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), lookup(var.remote_objects, "integration_service_environment", {})) combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), lookup(var.remote_objects, "iot_central_application", {})) combined_objects_iot_dps_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_certificate }), lookup(var.remote_objects, "iot_dps_certificate", {})) combined_objects_iot_dps_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_shared_access_policy }), lookup(var.remote_objects, "iot_dps_shared_access_policy", {})) From 5335f573a2291fb7e42cb9eb5bb8c41cb41458b5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 16:56:20 +0100 Subject: [PATCH 17/60] Refactor: Remove zone_redundant setting from event hub and service bus namespaces --- modules/event_hubs/namespaces/event_hub_namespaces.tf | 1 - modules/messaging/servicebus/namespace/namespace.tf | 1 - 2 files changed, 2 deletions(-) diff --git a/modules/event_hubs/namespaces/event_hub_namespaces.tf b/modules/event_hubs/namespaces/event_hub_namespaces.tf index 20b6ee3788..9a234cb734 100644 --- a/modules/event_hubs/namespaces/event_hub_namespaces.tf +++ b/modules/event_hubs/namespaces/event_hub_namespaces.tf @@ -18,7 +18,6 @@ resource "azurerm_eventhub_namespace" "evh" { auto_inflate_enabled = try(var.settings.auto_inflate_enabled, null) dedicated_cluster_id = try(var.settings.dedicated_cluster_id, null) maximum_throughput_units = try(var.settings.maximum_throughput_units, null) - zone_redundant = try(var.settings.zone_redundant, null) dynamic "identity" { for_each = try(var.settings.identity, {}) diff --git a/modules/messaging/servicebus/namespace/namespace.tf b/modules/messaging/servicebus/namespace/namespace.tf index 18d1a7541f..d20da06b6f 100644 --- a/modules/messaging/servicebus/namespace/namespace.tf +++ b/modules/messaging/servicebus/namespace/namespace.tf @@ -19,7 +19,6 @@ resource "azurerm_servicebus_namespace" "namespace" { name = azurecaf_name.namespace.result sku = var.settings.sku capacity = try(var.settings.capacity, null) - zone_redundant = try(var.settings.zone_redundant, null) tags = merge(try(var.settings.tags, null), local.caf_tags) premium_messaging_partitions = try(var.settings.premium_messaging_partitions, null) location = local.location From 481a41baff0e8157b51d29682032a60a9a4b3c8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:27:47 +0100 Subject: [PATCH 18/60] feat(analytics): remove location property from machine learning compute instance The commit removes the 'location' property from the Azure Machine Learning Compute Instance configuration in Terraform. This change is done to rely on the default location setting provided by Azure, instead of explicitly setting it in the Terraform configuration. It simplifies our configuration and relies more heavily on Azure's defaults, reducing potential points of failure. --- modules/analytics/machine_learning_compute_instance/module.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/analytics/machine_learning_compute_instance/module.tf b/modules/analytics/machine_learning_compute_instance/module.tf index e41e153399..120e79d9fa 100644 --- a/modules/analytics/machine_learning_compute_instance/module.tf +++ b/modules/analytics/machine_learning_compute_instance/module.tf @@ -11,7 +11,6 @@ resource "azurecaf_name" "mlci" { resource "azurerm_machine_learning_compute_instance" "mlci" { name = azurecaf_name.mlci.result - location = var.location machine_learning_workspace_id = var.remote_objects.machine_learning_workspace_id virtual_machine_size = var.settings.virtual_machine_size authorization_type = try(var.settings.authorization_type, null) From b911bcd004c795db19b1cc4ca3d00279dac2dc09 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:28:40 +0100 Subject: [PATCH 19/60] Commit message: ``` refactor(redis_cache): update variable naming for clarity Changed the names of two variables in the Azure Redis Cache module for better readability and consistency with other variable names. The 'enable_non_ssl_port' variable has been renamed to 'non_ssl_port_enabled', and the 'enable_authentication' variable has been renamed to 'authentication_enabled'. This change should not affect any functionality, but it might require updates in places where these variables are used. ``` --- modules/redis_cache/module.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/redis_cache/module.tf b/modules/redis_cache/module.tf index 0eb91e2196..dc6434eb34 100644 --- a/modules/redis_cache/module.tf +++ b/modules/redis_cache/module.tf @@ -20,7 +20,7 @@ resource "azurerm_redis_cache" "redis" { sku_name = var.redis.sku_name tags = merge(local.tags, try(var.tags, null)) - enable_non_ssl_port = lookup(var.redis, "enable_non_ssl_port", null) + non_ssl_port_enabled = lookup(var.redis, "non_ssl_port_enabled", null) minimum_tls_version = lookup(var.redis, "minimum_tls_version", "1.2") private_static_ip_address = lookup(var.redis, "private_static_ip_address", null) public_network_access_enabled = lookup(var.redis, "public_network_access_enabled", null) 
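Review bot: `non_ssl_port_enabled = lookup(var.redis, "non_ssl_port_enabled", null)` silently ignores a caller that still sets `enable_non_ssl_port`, so the commit message's claim that nothing functional changes only holds for callers that have already migrated; an unmigrated caller gets the provider default for the plaintext port, and the same applies to `authentication_enabled` in the `@@ -38` hunk, with no diagnostic either way. A transitional lookup such as `non_ssl_port_enabled = lookup(var.redis, "non_ssl_port_enabled", lookup(var.redis, "enable_non_ssl_port", null))` keeps old inputs effective, or a `validation` block on `var.redis` can reject the legacy keys outright so the drift is visible at plan time. The resource block continues outside the hunk.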
@@ -38,7 +38,7 @@ resource "azurerm_redis_cache" "redis" { aof_backup_enabled = lookup(redis_configuration.value, "aof_backup_enabled", null) aof_storage_connection_string_0 = lookup(redis_configuration.value, "aof_storage_connection_string_0", null) aof_storage_connection_string_1 = lookup(redis_configuration.value, "aof_storage_connection_string_1", null) - enable_authentication = lookup(redis_configuration.value, "enable_authentication", null) + authentication_enabled = lookup(redis_configuration.value, "authentication_enabled", null) maxfragmentationmemory_reserved = lookup(redis_configuration.value, "maxfragmentationmemory_reserved", null) maxmemory_delta = lookup(redis_configuration.value, "maxmemory_delta", null) maxmemory_policy = lookup(redis_configuration.value, "maxmemory_policy", null) From c282b6dfdd406a61dddd74e41fe1b2e1bf0e1a5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:29:13 +0100 Subject: [PATCH 20/60] refactor(logic_app): remove integration_service_environment_id attribute The `integration_service_environment_id` attribute has been removed from the logic app workflow module. This change simplifies the codebase by eliminating an unused attribute, thus improving maintainability. No functional changes are expected as a result of this removal. --- logic_app.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/logic_app.tf b/logic_app.tf index 0054a9e669..902e294f3b 100644 --- a/logic_app.tf +++ b/logic_app.tf 
@@ -107,8 +107,7 @@ module "logic_app_workflow" {
 settings = each.value
 location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
- base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
- integration_service_environment_id = try(local.combined_objects_integration_service_environment[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.integration_service_environment_key].id, null)
+ base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
 logic_app_integration_account_id = try(local.combined_objects_logic_app_integration_account[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.logic_app_integration_account_key].id, null)
 }
From d6b619c25cf6eabd832db339e7f4799596359dd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:34:51 +0100 Subject: [PATCH 21/60] Title: `refactor(database): remove MariaDB examples and related code` In this commit, we've removed all MariaDB server-related examples and associated code from the project. This includes Terraform files for creating and managing MariaDB servers, configuration files for setting up MariaDB instances, and references to MariaDB in other parts of the codebase. The decision to remove these components was made because they were no longer supported. --- .github/workflows/standalone-dataplat.json | 6 +- .../100-simple-mariadb/configuration.tfvars | 129 ------------- .../configuration.tfvars | 161 ---------------- .../configuration.tfvars | 167 ----------------- .../configuration.tfvars | 173 ------------------ examples/mariadb_server/README.md | 29 --- examples/mariadb_server/main.tf | 2 - examples/module.tf | 6 +- examples/variables.tf | 9 - locals.tf | 7 +- mariadb_servers.tf | 31 ---- modules/databases/mariadb_server/audit.tf | 8 - .../databases/mariadb_server/configuration.tf | 12 -- modules/databases/mariadb_server/database.tf | 11 -- .../databases/mariadb_server/diagnostics.tf | 9 - .../databases/mariadb_server/firewall_rule.tf | 14 -- modules/databases/mariadb_server/main.tf | 19 -- .../databases/mariadb_server/network_rule.tf | 7 - modules/databases/mariadb_server/output.tf | 19 -- .../mariadb_server/private_endpoints.tf | 22 --- modules/databases/mariadb_server/server.tf | 85 --------- .../mariadb_server/threat_detection.tf | 8 - modules/databases/mariadb_server/variables.tf | 38 ---- variables.tf | 3 +- 24 files changed, 5 insertions(+), 970 deletions(-) delete mode 100644 examples/mariadb_server/100-simple-mariadb/configuration.tfvars delete mode 100644 examples/mariadb_server/101-vnet-rule-mariadb/configuration.tfvars delete mode 100644 examples/mariadb_server/102-private-endpoint-mariadb/configuration.tfvars delete mode 100644 
examples/mariadb_server/103-private-endpoint-with-fw-rule-mariadb/configuration.tfvars delete mode 100644 examples/mariadb_server/README.md delete mode 100644 examples/mariadb_server/main.tf delete mode 100644 mariadb_servers.tf delete mode 100644 modules/databases/mariadb_server/audit.tf delete mode 100644 modules/databases/mariadb_server/configuration.tf delete mode 100644 modules/databases/mariadb_server/database.tf delete mode 100644 modules/databases/mariadb_server/diagnostics.tf delete mode 100644 modules/databases/mariadb_server/firewall_rule.tf delete mode 100644 modules/databases/mariadb_server/main.tf delete mode 100644 modules/databases/mariadb_server/network_rule.tf delete mode 100644 modules/databases/mariadb_server/output.tf delete mode 100644 modules/databases/mariadb_server/private_endpoints.tf delete mode 100644 modules/databases/mariadb_server/server.tf delete mode 100644 modules/databases/mariadb_server/threat_detection.tf delete mode 100644 modules/databases/mariadb_server/variables.tf diff --git a/.github/workflows/standalone-dataplat.json b/.github/workflows/standalone-dataplat.json index 1a1a565a55..96d40153c9 100644 --- a/.github/workflows/standalone-dataplat.json +++ b/.github/workflows/standalone-dataplat.json @@ -41,11 +41,7 @@ "datalake/101-datalake-storage", "machine_learning/100-aml", "machine_learning/101-aml-vnet", - "machine_learning/102-aml-compute_instance", - "mariadb_server/100-simple-mariadb", - "mariadb_server/101-vnet-rule-mariadb", - "mariadb_server/102-private-endpoint-mariadb", - "mariadb_server/103-private-endpoint-with-fw-rule-mariadb", + "machine_learning/102-aml-compute_instance", "mssql_mi/200-mi", "mssql_server/101-sqlserver-simple", "mssql_server/102-sqlserver-extend", diff --git a/examples/mariadb_server/100-simple-mariadb/configuration.tfvars b/examples/mariadb_server/100-simple-mariadb/configuration.tfvars deleted file mode 100644 index 8a35801d3a..0000000000 
--- a/examples/mariadb_server/100-simple-mariadb/configuration.tfvars +++ /dev/null 
@@ -1,129 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mariadb_region1 = { - name = "mariadb-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mariadb-security-re1" - } -} - -mariadb_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mariadb_region1" - version = "10.2" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mariadbadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mariadb-re1" - public_network_access_enabled = true - auto_grow_enabled = true - - tags = { - segment = "sales" - } - - mariadb_firewall_rules = { - mariadb-firewall-rules = { - name = "mariadb-firewallrule" - resource_group_name = "mariadb_region1" - server_name = "sales-rg1" - start_ip_address = "10.0.0.1" - end_ip_address = "10.0.0.3" - } - } - - mariadb_configuration = { - mariadb_configuration = { - name = "interactive_timeout" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - value = "600" - } - } - - - mariadb_database = { - mariadb_database = { - name = "mariadb_server_sampledb" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - charset = "utf8" - collation = "utf8_general_ci" - } - } - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # "Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -storage_accounts = { - auditing-re1 = { - name = 
"auditingre1" - resource_group_key = "mariadb_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mariadb-re1 = { - name = "mariadbre1" - resource_group_key = "security_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - - diff --git a/examples/mariadb_server/101-vnet-rule-mariadb/configuration.tfvars b/examples/mariadb_server/101-vnet-rule-mariadb/configuration.tfvars deleted file mode 100644 index fbda30527e..0000000000 --- a/examples/mariadb_server/101-vnet-rule-mariadb/configuration.tfvars +++ /dev/null 
@@ -1,161 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - - -resource_groups = { - mariadb_region1 = { - name = "mariadb-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mariadb-security-re1" - } -} - -mariadb_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mariadb_region1" - version = "10.2" - # MariaDB Virtual Network Rules can only be used with SKU Tiers of GeneralPurpose or MemoryOptimized - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mariadbadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mariadb-re1" - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_region1" - subnet_key = "mariadb_subnet" - - tags = { - segment = "sales" - } - - mariadb_firewall_rules = { - mariadb-firewall-rules = { - name = "mariadb-firewallrule" - resource_group_name = "mariadb_region1" - server_name = "sales-rg1" - start_ip_address = "10.0.0.1" - end_ip_address = "10.0.0.3" - } - } - - mariadb_configuration = { - mariadb_configuration = { - name = "interactive_timeout" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - value = "600" - } - } - - mariadb_vnet_rules = { - mariadb_vnet_rules = { - name = "mariadb-vnet-rule" - } - } - - mariadb_database = { - mariadb_database = { - name = "mariadb_server_sampledb" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - charset = "utf8" - collation = "utf8_general_ci" - } - } - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # "Sql_Injection_Vulnerability", - # 
"Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -## Networking configuration -vnets = { - vnet_region1 = { - resource_group_key = "mariadb_region1" - - vnet = { - name = "mariadb-vnet" - address_space = ["10.150.102.0/24"] - - } - #specialsubnets = {} - subnets = { - mariadb_subnet = { - name = "mariadb_subnet" - cidr = ["10.150.102.0/25"] - service_endpoints = ["Microsoft.Sql"] - } - } - - } -} - - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mariadb_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mariadb-re1 = { - name = "mariadbre1" - resource_group_key = "security_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - - diff --git a/examples/mariadb_server/102-private-endpoint-mariadb/configuration.tfvars b/examples/mariadb_server/102-private-endpoint-mariadb/configuration.tfvars deleted file mode 100644 index f900306c3b..0000000000 --- a/examples/mariadb_server/102-private-endpoint-mariadb/configuration.tfvars +++ /dev/null 
@@ -1,167 +0,0 @@ -global_settings = { - default_region = "region1" - inherit_tags = true - tags = { - global_tag = "global_tag" - } - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mariadb_region1 = { - name = "mariadb-re1" - region = "region1" - tags = { - rg_tag = "rg_tag" - } - } - security_region1 = { - name = "mariadb-security-re1" - } -} - -mariadb_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mariadb_region1" - version = "10.2" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mariadbadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mariadb-re1" - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_region1" - subnet_key = "mariadb_subnet" - - tags = { - server_tag = "server_tag" - } - - mariadb_configuration = { - mariadb_configuration = { - name = "interactive_timeout" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - value = "600" - } - } - - - mariadb_database = { - mariadb_database = { - name = "mariadb_server_sampledb" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - charset = "utf8" - collation = "utf8_general_ci" - } - } - - private_endpoints = { - # Require enforce_private_link_endpoint_network_policies set to true on the subnet - private-link-level4 = { - name = "sales-mariadb-re1" - vnet_key = "vnet_region1" - subnet_key = "mariadb_subnet" - resource_group_key = "mariadb_region1" - tags = { - pl_tag = "pl_tag" - } - - private_service_connection = { - name = "sales-mariadb-re1" - is_manual_connection = false - enforce_private_link_endpoint_network_policies = "true" - subresource_names = ["mariadbServer"] - } - } - } - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - 
retention_in_days = 7 - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # "Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -## Networking configuration -vnets = { - vnet_region1 = { - resource_group_key = "mariadb_region1" - - vnet = { - name = "mariadb-vnet" - address_space = ["10.150.102.0/24"] - - } - #specialsubnets = {} - subnets = { - mariadb_subnet = { - name = "mariadb_subnet" - cidr = ["10.150.102.0/25"] - enforce_private_link_endpoint_network_policies = "true" - service_endpoints = ["Microsoft.Sql"] - } - } - - } -} - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mariadb_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "mariadb_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mariadb-re1 = { - name = "mariadbre1" - resource_group_key = "mariadb_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - diff --git a/examples/mariadb_server/103-private-endpoint-with-fw-rule-mariadb/configuration.tfvars b/examples/mariadb_server/103-private-endpoint-with-fw-rule-mariadb/configuration.tfvars deleted file mode 100644 index 0a0db2d9fb..0000000000 --- a/examples/mariadb_server/103-private-endpoint-with-fw-rule-mariadb/configuration.tfvars +++ /dev/null 
@@ -1,173 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mariadb_region1 = { - name = "mariadb-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mariadb-security-re1" - } -} - -mariadb_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mariadb_region1" - version = "10.2" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mariadbadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mariadb-re1" - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_region1" - subnet_key = "mariadb_subnet" - - tags = { - segment = "sales" - } - - mariadb_firewall_rules = { - mariadb-firewall-rules = { - name = "mariadb-firewallrule" - resource_group_name = "mariadb_region1" - server_name = "sales-rg1" - start_ip_address = "10.0.0.1" - end_ip_address = "10.0.0.3" - } - } - - mariadb_configuration = { - mariadb_configuration = { - name = "interactive_timeout" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - value = "600" - } - } - - - mariadb_database = { - mariadb_database = { - name = "mariadb_server_sampledb" - resource_group_name = "mariadb_region1" - server_name = "sales-re1" - charset = "utf8" - collation = "utf8_general_ci" - } - } - - private_endpoints = { - # Require enforce_private_link_endpoint_network_policies set to true on the subnet - private-link-level4 = { - name = "sales-mariadb-re1" - vnet_key = "vnet_region1" - subnet_key = "mariadb_subnet" - resource_group_key = "mariadb_region1" - - private_service_connection = { - name = "sales-mariadb-re1" - is_manual_connection = false - enforce_private_link_endpoint_network_policies = "true" - subresource_names = 
["mariadbServer"] - } - } - } - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # "Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -## Networking configuration -vnets = { - vnet_region1 = { - resource_group_key = "mariadb_region1" - - vnet = { - name = "mariadb-vnet" - address_space = ["10.150.102.0/24"] - - } - #specialsubnets = {} - subnets = { - mariadb_subnet = { - name = "mariadb_subnet" - cidr = ["10.150.102.0/25"] - enforce_private_link_endpoint_network_policies = "true" - service_endpoints = ["Microsoft.Sql"] - } - } - - } -} - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mariadb_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mariadb-re1 = { - name = "mariadbre1" - resource_group_key = "security_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - - - - diff --git a/examples/mariadb_server/README.md b/examples/mariadb_server/README.md deleted file mode 100644 index 78a362092a..0000000000 --- a/examples/mariadb_server/README.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# Azure Maria DB Server - -This module is part of Cloud Adoption Framework landing zones for Azure on Terraform. - -You can instantiate this directly using the following parameters: - -```hcl -module "caf" { - source = "aztfmod/caf/azurerm" - version = "~>5.5.0" - - # Add object as described below -} -``` - -CAF Terraform module is iterative by default, you can instantiate as many objects as needed, using the following structure: - -```hcl -resource_to_be_created = { - object1 = { - #configuration details as below - } - object2 = { - #configuration details as below - } -} -``` - -You can review complete set of examples on the [GitHub repository](https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples/mariadb_server). \ No newline at end of file diff --git a/examples/mariadb_server/main.tf b/examples/mariadb_server/main.tf deleted file mode 100644 index b3c3234b5e..0000000000 --- a/examples/mariadb_server/main.tf +++ /dev/null @@ -1,2 +0,0 @@ -# This is an empty file for Terraform registry visibility. -# For examples on how to consume the CAF module, please refer to https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples \ No newline at end of file diff --git a/examples/module.tf b/examples/module.tf index f2fbbc1c6c..77d8594eac 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -55,8 +55,7 @@ module "example" { # attestationEndpoint = var.attestationEndpoint # azureDatalakeAnalyticsCatalogAndJobEndpoint = var.azureDatalakeAnalyticsCatalogAndJobEndpoint # azureDatalakeStoreFileSystemEndpoint = var.azureDatalakeStoreFileSystemEndpoint - # keyvaultDns = var.keyvaultDns - # mariadbServerEndpoint = var.mariadbServerEndpoint + # keyvaultDns = var.keyvaultDns # mhsmDns = var.mhsmDns # mysqlServerEndpoint = var.mysqlServerEndpoint # postgresqlServerEndpoint = var.postgresqlServerEndpoint 
@@ -140,11 +139,8 @@ module "example" {
 cosmosdb_role_definitions = var.cosmosdb_role_definitions
 databricks_workspaces = var.databricks_workspaces
 database_migration_services = var.database_migration_services
- databricks_workspaces = var.databricks_workspaces
 databricks_access_connectors = var.databricks_access_connectors
 machine_learning_workspaces = var.machine_learning_workspaces
- mariadb_servers = var.mariadb_servers
- mariadb_databases = var.mariadb_databases
 mssql_databases = var.mssql_databases
 mssql_elastic_pools = var.mssql_elastic_pools
 mssql_failover_groups = var.mssql_failover_groups
diff --git a/examples/variables.tf b/examples/variables.tf
index 53625d0dd2..419cb65301 100644
--- a/examples/variables.tf
+++ b/examples/variables.tf
@@ -39,9 +39,6 @@ variable "var_folder_path" {
 # variable "keyvaultDns" {
 # default = ".vault.azure.net"
 # }
-# variable "mariadbServerEndpoint" {
-# default = ".mariadb.database.azure.com"
-# }
 # variable "mhsmDns" {
 # default = ".managedhsm.azure.net"
 # }
@@ -208,12 +205,6 @@ variable "mssql_managed_databases_backup_ltr" {
 variable "mssql_elastic_pools" {
 default = {}
 }
-variable "mariadb_servers" {
- default = {}
-}
-variable "mariadb_databases" {
- default = {}
-}
 variable "mssql_failover_groups" {
 default = {}
 }
diff --git a/locals.tf b/locals.tf
index 5124ef8942..3545074e64 100644
--- a/locals.tf
+++ b/locals.tf
@@ -50,8 +50,7 @@ locals {
 attestationEndpoint = try(var.cloud.attestationEndpoint, {})
 azureDatalakeAnalyticsCatalogAndJobEndpoint = try(var.cloud.azureDatalakeAnalyticsCatalogAndJobEndpoint, {})
 azureDatalakeStoreFileSystemEndpoint = try(var.cloud.azureDatalakeStoreFileSystemEndpoint, {})
- keyvaultDns = try(var.cloud.keyvaultDns, {})
- mariadbServerEndpoint = try(var.cloud.mariadbServerEndpoint, {})
+ keyvaultDns = try(var.cloud.keyvaultDns, {})
 mhsmDns = try(var.cloud.mhsmDns, {})
 mysqlServerEndpoint = try(var.cloud.mysqlServerEndpoint, {})
 postgresqlServerEndpoint = try(var.cloud.postgresqlServerEndpoint, {})
@@ -131,9 +130,7 @@ locals {
 database_migration_projects = try(var.database.database_migration_projects, {})
 databricks_workspaces = try(var.database.databricks_workspaces, {})
 databricks_access_connectors = try(var.database.databricks_access_connectors, {})
- machine_learning_workspaces = try(var.database.machine_learning_workspaces, {})
- mariadb_databases = try(var.database.mariadb_databases, {})
- mariadb_servers = try(var.database.mariadb_servers, {})
+ machine_learning_workspaces = try(var.database.machine_learning_workspaces, {})
 mssql_databases = try(var.database.mssql_databases, {})
 mssql_elastic_pools = try(var.database.mssql_elastic_pools, {})
 mssql_failover_groups = try(var.database.mssql_failover_groups, {})
diff --git a/mariadb_servers.tf b/mariadb_servers.tf
deleted file mode 100644
index 24d71070ac..0000000000
--- a/mariadb_servers.tf
+++ /dev/null
@@ -1,31 +0,0 @@ - -output "mariadb_servers" { - value = module.mariadb_servers - -} - -module "mariadb_servers" { - source = "./modules/databases/mariadb_server" - depends_on = [module.keyvault_access_policies] - for_each = local.database.mariadb_servers - - global_settings = local.global_settings - client_config = local.client_config - settings = each.value - keyvault_id = try(each.value.administrator_login_password, null) == null ? module.keyvaults[each.value.keyvault_key].id : null - storage_accounts = module.storage_accounts - vnets = local.combined_objects_networking - subnet_id = can(each.value.subnet_id) || can(each.value.vnet_key) == false ? try(each.value.subnet_id, null) : local.combined_objects_networking[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id - - azuread_groups = local.combined_objects_azuread_groups - private_endpoints = try(each.value.private_endpoints, {}) - resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups - private_dns = local.combined_objects_private_dns - diagnostic_profiles = try(each.value.diagnostic_profiles, {}) - diagnostics = local.combined_diagnostics - - base_tags = local.global_settings.inherit_tags - resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] - resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null - location = try(local.global_settings.regions[each.value.region], null) -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/audit.tf b/modules/databases/mariadb_server/audit.tf deleted file mode 100644 index 1f36332f0b..0000000000 --- a/modules/databases/mariadb_server/audit.tf +++ /dev/null 
@@ -1,8 +0,0 @@ -# Server auditing - -data "azurerm_storage_account" "mariadb_auditing" { - count = try(var.settings.extended_auditing_policy.storage_account.key, null) == null ? 0 : 1 - - name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].name - resource_group_name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].resource_group_name -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/configuration.tf b/modules/databases/mariadb_server/configuration.tf deleted file mode 100644 index 55fc63d18b..0000000000 --- a/modules/databases/mariadb_server/configuration.tf +++ /dev/null @@ -1,12 +0,0 @@ -# Configuration -# - -resource "azurerm_mariadb_configuration" "mariadb_configuration" { - - for_each = var.settings.mariadb_configuration - - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mariadb_server.mariadb.name - value = each.value.value -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/database.tf b/modules/databases/mariadb_server/database.tf deleted file mode 100644 index dc66b7aaa6..0000000000 --- a/modules/databases/mariadb_server/database.tf +++ /dev/null @@ -1,11 +0,0 @@ - -resource "azurerm_mariadb_database" "mariadb_database" { - - for_each = var.settings.mariadb_database - - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mariadb_server.mariadb.name - charset = each.value.charset - collation = each.value.collation -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/diagnostics.tf b/modules/databases/mariadb_server/diagnostics.tf deleted file mode 100644 index 264d5a9a32..0000000000 --- a/modules/databases/mariadb_server/diagnostics.tf +++ /dev/null 
@@ -1,9 +0,0 @@ -module "diagnostics" { - source = "../../diagnostics" - count = var.diagnostic_profiles == null ? 0 : 1 - - resource_id = lookup(azurerm_mariadb_server.mariadb, "id") - resource_location = var.location - diagnostics = var.diagnostics - profiles = var.diagnostic_profiles -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/firewall_rule.tf b/modules/databases/mariadb_server/firewall_rule.tf deleted file mode 100644 index 37c6701ad7..0000000000 --- a/modules/databases/mariadb_server/firewall_rule.tf +++ /dev/null @@ -1,14 +0,0 @@ - -# -# Firewall Rule -# -resource "azurerm_mariadb_firewall_rule" "mariadb_firewall_rules" { - - for_each = try(var.settings.mariadb_firewall_rules, {}) - - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mariadb_server.mariadb.name - start_ip_address = each.value.start_ip_address - end_ip_address = each.value.end_ip_address -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/main.tf b/modules/databases/mariadb_server/main.tf deleted file mode 100644 index 50f65e1e7d..0000000000 --- a/modules/databases/mariadb_server/main.tf +++ /dev/null @@ -1,19 +0,0 @@ -terraform { - required_providers { - azurecaf = { - source = "aztfmod/azurecaf" - } - } - -} - -locals { - tags = var.base_tags ? merge( - var.global_settings.tags, - try(var.resource_group.tags, null), - try(var.settings.tags, null) - ) : try(var.settings.tags, null) - - location = coalesce(var.location, var.resource_group.location) - resource_group_name = coalesce(var.resource_group_name, var.resource_group.name) -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/network_rule.tf b/modules/databases/mariadb_server/network_rule.tf deleted file mode 100644 index 257dea7512..0000000000 --- a/modules/databases/mariadb_server/network_rule.tf +++ /dev/null 
@@ -1,7 +0,0 @@ -resource "azurerm_mariadb_virtual_network_rule" "mariadb_vnet_rules" { - for_each = try(var.settings.mariadb_vnet_rules, {}) - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mariadb_server.mariadb.name - subnet_id = var.subnet_id -} \ No newline at end of file diff --git a/modules/databases/mariadb_server/output.tf b/modules/databases/mariadb_server/output.tf deleted file mode 100644 index adf5275bf6..0000000000 --- a/modules/databases/mariadb_server/output.tf +++ /dev/null @@ -1,19 +0,0 @@ -output "id" { - value = azurerm_mariadb_server.mariadb.id -} - -output "fqdn" { - value = azurerm_mariadb_server.mariadb.fqdn -} - -output "name" { - value = azurecaf_name.mariadb.result -} - -output "resource_group_name" { - value = local.resource_group_name -} - -output "location" { - value = var.location -} diff --git a/modules/databases/mariadb_server/private_endpoints.tf b/modules/databases/mariadb_server/private_endpoints.tf deleted file mode 100644 index 026a939d91..0000000000 --- a/modules/databases/mariadb_server/private_endpoints.tf +++ /dev/null @@ -1,22 +0,0 @@ - - -# -# Private endpoint -# - -module "private_endpoint" { - source = "../../networking/private_endpoint" - for_each = try(var.private_endpoints, {}) - - resource_id = azurerm_mariadb_server.mariadb.id - name = each.value.name - location = local.location - resource_group_name = local.resource_group_name - subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id - settings = each.value - global_settings = var.global_settings - tags = local.tags - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config -} diff --git a/modules/databases/mariadb_server/server.tf b/modules/databases/mariadb_server/server.tf deleted file mode 100644 index bbf75d2bd6..0000000000 
--- a/modules/databases/mariadb_server/server.tf +++ /dev/null 
@@ -1,85 +0,0 @@ -resource "azurerm_mariadb_server" "mariadb" { - name = azurecaf_name.mariadb.result - location = local.location - resource_group_name = local.resource_group_name - - administrator_login = var.settings.administrator_login - administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.mariadb_admin_password.0.value) - - sku_name = var.settings.sku_name - storage_mb = var.settings.storage_mb - version = var.settings.version - - auto_grow_enabled = try(var.settings.auto_grow_enabled, true) - backup_retention_days = try(var.settings.backup_retention_days, null) - geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, null) - public_network_access_enabled = try(var.settings.public_network_access_enabled, false) - ssl_enforcement_enabled = try(var.settings.ssl_enforcement_enabled, true) - ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLS1_2") - create_mode = try(var.settings.create_mode, "Default") - creation_source_server_id = try(var.settings.creation_source_server_id, null) - tags = local.tags -} - -# Generate mariadb server random admin password if not provided in the attribute administrator_login_password -resource "random_password" "mariadb_admin" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - length = 32 - special = true - upper = true - numeric = true - override_special = "_%@" - -} - -# Store the generated password into keyvault -resource "azurerm_key_vault_secret" "mariadb_admin_password" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-password", azurecaf_name.mariadb.result) - value = random_password.mariadb_admin.0.result - key_vault_id = var.keyvault_id - - lifecycle { - ignore_changes = [ - value - ] - } -} - -resource "azurerm_key_vault_secret" "mariadb_admin" { - count = try(var.settings.administrator_login_password, null) == null ? 
1 : 0 - - name = format("%s-username", azurecaf_name.mariadb.result) - value = var.settings.administrator_login - key_vault_id = var.keyvault_id -} - -resource "azurerm_key_vault_secret" "mariadb_admin_login_name" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-login-name", azurecaf_name.mariadb.result) - value = format("%s@%s", var.settings.administrator_login, azurerm_mariadb_server.mariadb.fqdn) - key_vault_id = var.keyvault_id -} - -resource "azurerm_key_vault_secret" "mariadb_fqdn" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-fqdn", azurecaf_name.mariadb.result) - value = azurerm_mariadb_server.mariadb.fqdn - key_vault_id = var.keyvault_id -} - -resource "azurecaf_name" "mariadb" { - name = var.settings.name - resource_type = "azurerm_mariadb_server" - prefixes = var.global_settings.prefixes - random_length = var.global_settings.random_length - clean_input = true - passthrough = var.global_settings.passthrough -} - - - - diff --git a/modules/databases/mariadb_server/threat_detection.tf b/modules/databases/mariadb_server/threat_detection.tf deleted file mode 100644 index 2575c2ae1f..0000000000 --- a/modules/databases/mariadb_server/threat_detection.tf +++ /dev/null @@ -1,8 +0,0 @@ -# threat detection policy - -data "azurerm_storage_account" "mariadb_va" { - count = try(var.settings.threat_detection_policy.storage_account_key, null) == null ? 0 : 1 - - name = var.storage_accounts[var.settings.threat_detection_policy.storage_account_key].name - resource_group_name = var.storage_accounts[var.settings.threat_detection_policy.storage_account_key].resource_group_name -} diff --git a/modules/databases/mariadb_server/variables.tf b/modules/databases/mariadb_server/variables.tf deleted file mode 100644 index 6198129952..0000000000 --- a/modules/databases/mariadb_server/variables.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -variable "global_settings" { - description = "Global settings object (see module README.md)" -} -variable "client_config" { - description = "Client configuration object (see module README.md)." -} -variable "settings" {} -variable "keyvault_id" {} -variable "storage_accounts" {} -variable "azuread_groups" {} -variable "vnets" {} -variable "subnet_id" {} -variable "private_endpoints" {} -variable "resource_groups" {} -variable "diagnostic_profiles" { - default = {} -} -variable "diagnostics" { - default = {} -} -variable "location" { - description = "location of the resource if different from the resource group." - default = null -} -variable "resource_group_name" { - description = "Resource group object to deploy the virtual machine" - default = null -} -variable "resource_group" { - description = "Resource group object to deploy the virtual machine" -} -variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." - type = bool -} -variable "private_dns" { - default = {} -} diff --git a/variables.tf b/variables.tf index 4c4d69c4a1..b65993d7b8 100644 --- a/variables.tf +++ b/variables.tf @@ -24,8 +24,7 @@ variable "cloud" { attestationEndpoint = ".attest.azure.net" azureDatalakeAnalyticsCatalogAndJobEndpoint = "azuredatalakeanalytics.net" azureDatalakeStoreFileSystemEndpoint = "azuredatalakestore.net" - keyvaultDns = ".vault.azure.net" - mariadbServerEndpoint = ".mariadb.database.azure.com" + keyvaultDns = ".vault.azure.net" mhsmDns = ".managedhsm.azure.net" mysqlServerEndpoint = ".mysql.database.azure.com" postgresqlServerEndpoint = ".postgres.database.azure.com" From 15872879bd45c627ae4bd55882b8da0503edf4cb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:37:17 +0100 Subject: [PATCH 22/60] feat(backup_vault_policy): replace retention_duration with operational_default_retention_duration The commit replaces the 'retention_duration' attribute in the 'azurerm_data_protection_backup_policy_blob_storage' resource with 'operational_default_retention_duration'. This change aligns the module with the updated AzureRM provider, ensuring that the backup policy now uses the operational default retention duration specified in the settings.
--- .../backup_vault_policy_blob_storage/backup_vault_policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/backup_vault/backup_vault_policy_blob_storage/backup_vault_policy.tf b/modules/backup_vault/backup_vault_policy_blob_storage/backup_vault_policy.tf
index 14f6bf2d83..9b75e815ea 100644
--- a/modules/backup_vault/backup_vault_policy_blob_storage/backup_vault_policy.tf
+++ b/modules/backup_vault/backup_vault_policy_blob_storage/backup_vault_policy.tf
@@ -11,5 +11,5 @@ resource "azurecaf_name" "backup_vault_policy" {
 resource "azurerm_data_protection_backup_policy_blob_storage" "backup_vault_policy" {
 name = azurecaf_name.backup_vault_policy.result
 vault_id = var.vault_id
- retention_duration = var.settings.retention_duration
+ operational_default_retention_duration = var.settings.operational_default_retention_duration
 }
From fb82203efd97aeaed27095b294e0ae7c913efe59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:41:15 +0100 Subject: [PATCH 23/60] refactor(sentinel): remove dynamic condition block and replace with condition_json
--- modules/security/sentinel/automation_rule/module.tf | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/modules/security/sentinel/automation_rule/module.tf b/modules/security/sentinel/automation_rule/module.tf
index 81c9943a64..a6521551c9 100644
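Review bot: The new reference `var.settings.operational_default_retention_duration` has no fallback, so every existing configuration that still sets `retention_duration` now fails at plan time with an unsupported-attribute error, and nothing tells the operator which key replaced it. Since the commit message frames this as aligning with the provider rather than changing the module contract, a one-line transitional fallback keeps older tfvars applying while the key is renamed: `operational_default_retention_duration = try(var.settings.operational_default_retention_duration, var.settings.retention_duration)`, with a comment such as `# retention_duration is the pre-4.x key; drop the fallback once all configurations are migrated`. Backup retention is a recovery control, so if a hard break is the intent instead, the migration note belongs in the module README or changelog, which this commit does not touch.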
--- a/modules/security/sentinel/automation_rule/module.tf
+++ b/modules/security/sentinel/automation_rule/module.tf
@@ -30,13 +30,5 @@ resource "azurerm_sentinel_automation_rule" "automation_rule" {
 }
 }
- dynamic "condition" {
- for_each = try(var.settings.condition, {})
-
- content {
- operator = try(condition.value.operator, null)
- property = try(condition.value.property, null)
- values = try(condition.value.values, null)
- }
+ condition_json = try(var.settings.condition_json, null)
 }
-}
From dd5a3682fb467c7294fc3818bf240038a82d1216 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Tue, 29 Oct 2024 17:50:02 +0100 Subject: [PATCH 24/60] refactor(sentinel): rename and restructure incident configuration The "incident_configuration" block has been renamed to "incident", and the "create_incident" field is now "create_incident_enabled". In addition, the "group_by_entities", "group_by_alert_details", and "group_by_custom_details" fields have been simplified to "by_entities", "by_alert_details", and "by_custom_details", respectively.
--- .../security/sentinel/ar_scheduled/module.tf | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/modules/security/sentinel/ar_scheduled/module.tf b/modules/security/sentinel/ar_scheduled/module.tf
index f49ba2d3d4..56ab07b9ba 100644
--- a/modules/security/sentinel/ar_scheduled/module.tf
+++ b/modules/security/sentinel/ar_scheduled/module.tf
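Review bot: The legacy `var.settings.condition` map is no longer read anywhere in the hunk, so a configuration that still supplies it is accepted silently and the automation rule is created with `condition_json = null`, i.e. with no conditions at all; whatever actions the resource defines above this hunk (the resource's opening line is outside the hunk) would then presumably fire for every incident in the workspace, which for automation that closes, assigns or runs a playbook is a SOC-safety regression rather than a plan-time break. `condition_json` is also forwarded verbatim, so a malformed string only surfaces as an API error at apply time. Two `precondition`s on the resource (Terraform 1.2 or newer; merge into an existing `lifecycle` block if the resource already has one above the hunk) would fail the plan instead: reject a still-present `condition` key, and require `condition_json`, when set, to parse with `jsondecode`. The rewritten tail of the resource follows.
```hcl
  condition_json = try(var.settings.condition_json, null)

  lifecycle {
    precondition {
      # The pre-4.x `condition` map is no longer consumed; refuse it rather than
      # deploying an automation rule that matches every incident.
      condition     = !can(var.settings.condition)
      error_message = "settings.condition is no longer supported; express the rule conditions as a JSON string in settings.condition_json."
    }
    precondition {
      # `||` does not short-circuit in Terraform, so can() also absorbs a missing key.
      condition     = try(var.settings.condition_json, null) == null || can(jsondecode(var.settings.condition_json))
      error_message = "settings.condition_json must be a valid JSON document."
    }
  }
}
```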
@@ -23,23 +23,23 @@ resource "azurerm_sentinel_alert_rule_scheduled" "scheduled" {
 }
 }
- dynamic "incident_configuration" {
- for_each = lookup(var.settings, "incident_configuration", {}) != {} ? [1] : []
+ dynamic "incident" {
+ for_each = lookup(var.settings, "incident", {}) != {} ? [1] : []
 content {
- create_incident = lookup(var.settings.incident_configuration, "create_incident", null)
+ create_incident_enabled = lookup(var.settings.incident, "create_incident_enabled", null)
 dynamic "grouping" {
- for_each = lookup(var.settings.incident_configuration, "grouping", {}) != {} ? [1] : []
+ for_each = lookup(var.settings.incident, "grouping", {}) != {} ? [1] : []
 content {
- enabled = lookup(var.settings.incident_configuration.grouping, "enabled", true)
- lookback_duration = lookup(var.settings.incident_configuration.grouping, "lookback_duration", "PT5M")
- reopen_closed_incidents = lookup(var.settings.incident_configuration.grouping, "reopen_closed_incidents", false)
- entity_matching_method = lookup(var.settings.incident_configuration.grouping, "entity_matching_method", null)
- group_by_entities = lookup(var.settings.incident_configuration.grouping, "group_by_entities", null)
- group_by_alert_details = lookup(var.settings.incident_configuration.grouping, "group_by_alert_details", null)
- group_by_custom_details = lookup(var.settings.incident_configuration.grouping, "group_by_custom_details", null)
+ enabled = lookup(var.settings.incident.grouping, "enabled", true)
+ lookback_duration = lookup(var.settings.incident.grouping, "lookback_duration", "PT5M")
+ reopen_closed_incidents = lookup(var.settings.incident.grouping, "reopen_closed_incidents", false)
+ entity_matching_method = lookup(var.settings.incident.grouping, "entity_matching_method", null)
+ by_entities = lookup(var.settings.incident.grouping, "by_entities", null)
+ by_alert_details = lookup(var.settings.incident.grouping, "by_alert_details", null)
+ by_custom_details =
lookup(var.settings.incident.grouping, "by_custom_details", null) } } } From bac61e3fcf680012606b4925f4839d72b5d0d19a Mon Sep 17 00:00:00 2001 
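Review bot: The old `incident_configuration` key is no longer consulted by the `for_each` guard, so a tfvars file that still uses it silently produces no `incident` block and the analytics rule is created with the provider's defaults for incident creation and grouping; a rule that was deliberately alert-only (`create_incident = false`) or relied on entity grouping to avoid incident floods can therefore change behaviour with a clean plan and no error. The renamed `group_by_*` keys inside `grouping` are dropped the same way rather than rejected. A `lifecycle { precondition { ... } }` on the resource with `condition = !can(var.settings.incident_configuration)` and an error message naming the new `incident`, `create_incident_enabled` and `by_*` keys would turn the silent loss into a plan-time failure (Terraform 1.2 or newer). The resource's opening line is outside the hunk, so it is not clear from here whether a `lifecycle` block already exists to merge into.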
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:49:17 +0100 Subject: [PATCH 25/60] refactor(mysql): remove MySQL server module and examples to upgrade hashicorp/azurerm to 4.7.0 This commit removes the MySQL server module and related examples. The changes include deletion of various Terraform files associated with setting up a MySQL server, including modules for database configuration, network rules, threat detection, and private endpoints. The standalone data platform workflow file was also updated to reflect these changes. This is a breaking change and will impact any existing infrastructure set up using this module. --- .github/workflows/standalone-dataplat.json | 6 +- examples/module.tf | 1 - .../100-simple-mysql/configuration.tfvars | 123 ------------- .../101-vnet-rule-mysql/configuration.tfvars | 163 ----------------- .../configuration.tfvars | 167 ------------------ .../configuration.tfvars | 165 ----------------- examples/mysql_server/README.md | 29 --- examples/mysql_server/main.tf | 2 - .../centralized/mysql_servers.tfvars | 51 ------ .../centralized/private_endpoints.tfvars | 13 -- examples/variables.tf | 3 - modules/databases/mysql_server/audit.tf | 8 - .../databases/mysql_server/configuration.tf | 12 -- modules/databases/mysql_server/database.tf | 15 -- modules/databases/mysql_server/diagnostics.tf | 9 - .../databases/mysql_server/firewall_rule.tf | 15 -- modules/databases/mysql_server/main.tf | 19 -- .../databases/mysql_server/network_rule.tf | 9 - modules/databases/mysql_server/output.tf | 28 --- .../mysql_server/private_endpoints.tf | 20 --- modules/databases/mysql_server/server.tf | 101 ----------- .../mysql_server/threat_detection.tf | 12 -- modules/databases/mysql_server/variables.tf | 41 ----- mysql_servers.tf | 35 ---- networking_private_links.tf | 2 +- roles.tf | 4 +- 26 files changed, 4 insertions(+), 1049 deletions(-) delete mode 100644 examples/mysql_server/100-simple-mysql/configuration.tfvars delete mode 100644 
examples/mysql_server/101-vnet-rule-mysql/configuration.tfvars delete mode 100644 examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars delete mode 100644 examples/mysql_server/103-private-endpoint-with-fw-rule-mysql/configuration.tfvars delete mode 100644 examples/mysql_server/README.md delete mode 100644 examples/mysql_server/main.tf delete mode 100644 examples/networking/private_links/endpoints/centralized/mysql_servers.tfvars delete mode 100644 modules/databases/mysql_server/audit.tf delete mode 100644 modules/databases/mysql_server/configuration.tf delete mode 100644 modules/databases/mysql_server/database.tf delete mode 100644 modules/databases/mysql_server/diagnostics.tf delete mode 100644 modules/databases/mysql_server/firewall_rule.tf delete mode 100644 modules/databases/mysql_server/main.tf delete mode 100644 modules/databases/mysql_server/network_rule.tf delete mode 100644 modules/databases/mysql_server/output.tf delete mode 100644 modules/databases/mysql_server/private_endpoints.tf delete mode 100644 modules/databases/mysql_server/server.tf delete mode 100644 modules/databases/mysql_server/threat_detection.tf delete mode 100644 modules/databases/mysql_server/variables.tf delete mode 100644 mysql_servers.tf diff --git a/.github/workflows/standalone-dataplat.json b/.github/workflows/standalone-dataplat.json index 96d40153c9..652fea3604 100644 --- a/.github/workflows/standalone-dataplat.json +++ b/.github/workflows/standalone-dataplat.json 
@@ -52,11 +52,7 @@ "mssql_server/109-sqlserver-network-firewall-rule", "mysql_flexible_server/100-simple-mysql-flexible", "mysql_flexible_server/101-delegated-subnet-with-fw-rule", - "mysql_flexible_server/102-advanced-mysql-flexible", - "mysql_server/100-simple-mysql", - "mysql_server/101-vnet-rule-mysql", - "mysql_server/102-private-endpoint-mysql", - "mysql_server/103-private-endpoint-with-fw-rule-mysql", + "mysql_flexible_server/102-advanced-mysql-flexible", "postgresql_flexible_server/100-simple-postgresql-flexible", "postgresql_flexible_server/101-delegated-subnet-with-fw-rule", "postgresql_flexible_server/102-advanced-postgresql-flexible", diff --git a/examples/module.tf b/examples/module.tf index 77d8594eac..88211f2e33 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -155,7 +155,6 @@ module "example" { mssql_mi_tdes = var.mssql_mi_tdes mssql_servers = var.mssql_servers mysql_flexible_server = var.mysql_flexible_server - mysql_servers = var.mysql_servers postgresql_flexible_servers = var.postgresql_flexible_servers postgresql_servers = var.postgresql_servers synapse_workspaces = var.synapse_workspaces diff --git a/examples/mysql_server/100-simple-mysql/configuration.tfvars b/examples/mysql_server/100-simple-mysql/configuration.tfvars deleted file mode 100644 index 628bdb5958..0000000000 --- a/examples/mysql_server/100-simple-mysql/configuration.tfvars +++ /dev/null 
@@ -1,123 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mysql_region1 = { - name = "mysql-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mysql-security-re1" - } -} - -mysql_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mysql_region1" - version = "5.7" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mysqlsalesadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mysql-re1" - system_msi = true - public_network_access_enabled = true - auto_grow_enabled = true - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - mysql_firewall_rules = { - mysql-firewall-rule = { - name = "mysql_server_firewallrule" - start_ip_address = "10.0.0.1" - end_ip_address = "10.0.0.3" - } - } - - mysql_configurations = { - mysql_configuration = { - name = "interactive_timeout" - value = "600" - } - } - - mysql_databases = { - mysql_database = { - name = "mysql_server_sampledb" - charset = "UTF8" - collation = "utf8_unicode_ci" - } - } - - - tags = { - segment = "sales" - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # "Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mysql_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = 
"securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mysql-re1 = { - name = "mysqlre1" - resource_group_key = "security_region1" - sku_name = "standard" - - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - diff --git a/examples/mysql_server/101-vnet-rule-mysql/configuration.tfvars b/examples/mysql_server/101-vnet-rule-mysql/configuration.tfvars deleted file mode 100644 index 134b4f6ab8..0000000000 --- a/examples/mysql_server/101-vnet-rule-mysql/configuration.tfvars +++ /dev/null 
@@ -1,163 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mysql_region1 = { - name = "mysql-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mysql-security-re1" - } -} - -mysql_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mysql_region1" - version = "5.7" - # MySQL Virtual Network Rules can only be used with SKU Tiers of GeneralPurpose or MemoryOptimized - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mysqlsalesadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mysql-re1" - system_msi = true - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_region1" - subnet_key = "mysql_subnet" - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - mysql_firewall_rules = { - mysql-firewall-rule = { - name = "mysql_server_firewallrule" - start_ip_address = "10.0.0.1" - end_ip_address = "10.0.0.3" - } - } - - mysql_configurations = { - mysql_configuration = { - name = "interactive_timeout" - value = "600" - } - } - - mysql_vnet_rules = { - mysql_vnet_rule = { - name = "mysql-vnet-rule" - } - msql_vnet_rule_two = { - name = "msql-vnet-rule-two" - subnet_key = "mysql_subnet_two" - vnet_key = "vnet_region1" - } - } - - mysql_databases = { - mysql_database = { - name = "mysql_server_sampledb" - charset = "UTF8" - collation = "utf8_unicode_ci" - } - } - - tags = { - segment = "sales" - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # "Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - 
email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -## Networking configuration -vnets = { - vnet_region1 = { - resource_group_key = "mysql_region1" - - vnet = { - name = "mysql-vnet" - address_space = ["10.150.100.0/24"] - - } - #specialsubnets = {} - subnets = { - mysql_subnet = { - name = "mysql_subnet" - cidr = ["10.150.100.0/25"] - service_endpoints = ["Microsoft.Sql"] - } - mysql_subnet_two = { - name = "mysql_subnet_two" - cidr = ["10.150.100.128/25"] - service_endpoints = ["Microsoft.Sql"] - } - } - - } -} - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mysql_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mysql-re1 = { - name = "mysqlre1" - resource_group_key = "security_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - diff --git a/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars b/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars deleted file mode 100644 index 289858e7c1..0000000000 --- a/examples/mysql_server/102-private-endpoint-mysql/configuration.tfvars +++ /dev/null 
@@ -1,167 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mysql_region1 = { - name = "mysql-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mysql-security-re1" - } -} - -mysql_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mysql_region1" - version = "5.7" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mysqlsalesadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mysql-re1" - # If your keyvault is on remote lz use this: - # keyvault = { - # lz_key = "" #lz which the keyvault is located - # key = "" #keyvault resource key - # } - system_msi = true - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_region1" - subnet_key = "mysql_subnet" - - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - - mysql_configurations = { - mysql_configuration = { - name = "interactive_timeout" - value = "600" - } - } - - - mysql_databases = { - mysql_database = { - name = "mysql_server_sampledb" - charset = "UTF8" - collation = "utf8_unicode_ci" - } - } - - - tags = { - segment = "sales" - } - - # Optional - private_endpoints = { - # Require enforce_private_link_endpoint_network_policies set to true on the subnet - private-link-level4 = { - name = "sales-mysql-re1" - vnet_key = "vnet_region1" - subnet_key = "mysql_subnet" - resource_group_key = "mysql_region1" - - private_service_connection = { - name = "sales-mysql-re1" - is_manual_connection = false - subresource_names = ["mysqlServer"] - } - } - } - - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # 
"Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mysql_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mysql-re1 = { - name = "mysqlre1" - resource_group_key = "security_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - -## Networking configuration -vnets = { - vnet_region1 = { - resource_group_key = "mysql_region1" - - vnet = { - name = "mysql-vnet" - address_space = ["10.150.100.0/24"] - - } - #specialsubnets = {} - subnets = { - mysql_subnet = { - name = "mysql_subnet" - cidr = ["10.150.100.0/25"] - enforce_private_link_endpoint_network_policies = "true" - - } - } - - } -} - diff --git a/examples/mysql_server/103-private-endpoint-with-fw-rule-mysql/configuration.tfvars b/examples/mysql_server/103-private-endpoint-with-fw-rule-mysql/configuration.tfvars deleted file mode 100644 index de4aed3d3d..0000000000 --- a/examples/mysql_server/103-private-endpoint-with-fw-rule-mysql/configuration.tfvars +++ /dev/null 
@@ -1,165 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "northeurope" - } -} - -resource_groups = { - mysql_region1 = { - name = "mysql-re1" - region = "region1" - tags = { - rgtag = "example" - } - } - security_region1 = { - name = "mysql-security-re1" - } -} - -mysql_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "mysql_region1" - version = "5.7" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mysqlsalesadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "mysql-re1" - system_msi = true - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_region1" - subnet_key = "mysql_subnet" - - - extended_auditing_policy = { - storage_account = { - key = "auditing-re1" - } - retention_in_days = 7 - } - - mysql_firewall_rules = { - mysql-firewall-rule = { - name = "mysql_server_firewallrule" - start_ip_address = "52.163.80.201" - end_ip_address = "52.163.80.201" - } - } - - mysql_configurations = { - mysql_configuration = { - name = "interactive_timeout" - value = "600" - } - } - - mysql_databases = { - mysql_database = { - name = "mysql_server_sampledb" - charset = "UTF8" - collation = "utf8_unicode_ci" - } - } - - tags = { - segment = "sales" - } - - # Optional - private_endpoints = { - # Require enforce_private_link_endpoint_network_policies set to true on the subnet - private-link-level4 = { - name = "sales-mysql-re1" - vnet_key = "vnet_region1" - subnet_key = "mysql_subnet" - resource_group_key = "mysql_region1" - - private_service_connection = { - name = "sales-mysql-re1" - is_manual_connection = false - subresource_names = ["mysqlServer"] - } - } - } - - # Optional - threat_detection_policy = { - enabled = true - disabled_alerts = [ - # "Sql_Injection", - # 
"Sql_Injection_Vulnerability", - # "Access_Anomaly", - # "Data_Exfiltration", - # "Unsafe_Action" - ] - email_account_admins = false - email_addresses = [] - retention_days = 15 - storage_account_key = "security-re1" - } - - } - -} - -storage_accounts = { - auditing-re1 = { - name = "auditingre1" - resource_group_key = "mysql_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } - security-re1 = { - name = "securityre1" - resource_group_key = "security_region1" - region = "region1" - account_kind = "BlobStorage" - account_tier = "Standard" - account_replication_type = "RAGRS" - } -} - -keyvaults = { - mysql-re1 = { - name = "mysqlre1" - resource_group_key = "security_region1" - sku_name = "standard" - creation_policies = { - logged_in_user = { - secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] - } - } - } -} - -## Networking configuration -vnets = { - vnet_region1 = { - resource_group_key = "mysql_region1" - - vnet = { - name = "mysql-vnet" - address_space = ["10.150.100.0/24"] - - } - #specialsubnets = {} - subnets = { - mysql_subnet = { - name = "mysql_subnet" - cidr = ["10.150.100.0/25"] - enforce_private_link_endpoint_network_policies = "true" - - } - } - - } -} - diff --git a/examples/mysql_server/README.md b/examples/mysql_server/README.md deleted file mode 100644 index 1433920626..0000000000 --- a/examples/mysql_server/README.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# Azure MySQL Server - -This module is part of Cloud Adoption Framework landing zones for Azure on Terraform. - -You can instantiate this directly using the following parameters: - -```hcl -module "caf" { - source = "aztfmod/caf/azurerm" - version = "~>5.5.0" - - # Add object as described below -} -``` - -CAF Terraform module is iterative by default, you can instantiate as many objects as needed, using the following structure: - -```hcl -resource_to_be_created = { - object1 = { - #configuration details as below - } - object2 = { - #configuration details as below - } -} -``` - -You can review complete set of examples on the [GitHub repository](https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples/mysql_server). \ No newline at end of file diff --git a/examples/mysql_server/main.tf b/examples/mysql_server/main.tf deleted file mode 100644 index b3c3234b5e..0000000000 --- a/examples/mysql_server/main.tf +++ /dev/null @@ -1,2 +0,0 @@ -# This is an empty file for Terraform registry visibility. -# For examples on how to consume the CAF module, please refer to https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples \ No newline at end of file diff --git a/examples/networking/private_links/endpoints/centralized/mysql_servers.tfvars b/examples/networking/private_links/endpoints/centralized/mysql_servers.tfvars deleted file mode 100644 index 3bbe10a34a..0000000000 --- a/examples/networking/private_links/endpoints/centralized/mysql_servers.tfvars +++ /dev/null 
@@ -1,51 +0,0 @@ -mysql_servers = { - sales-re1 = { - name = "sales-re1" - region = "region1" - resource_group_key = "rg1" - version = "5.7" - sku_name = "GP_Gen5_2" - storage_mb = 5120 - administrator_login = "mysqlsalesadmin" - # Below password argument is used to set the DB password. If not passed, there will be a random password generated and stored in azure keyvault. - # administrator_login_password = "ComplxP@ssw0rd!" - keyvault_key = "kv_rg1" - system_msi = true - public_network_access_enabled = true - auto_grow_enabled = true - vnet_key = "vnet_01" - subnet_key = "subnet_01" - - - extended_auditing_policy = { - storage_account = { - key = "level0" - } - retention_in_days = 7 - } - - - mysql_configurations = { - mysql_configuration = { - name = "interactive_timeout" - value = "600" - } - } - - - mysql_databases = { - mysql_database = { - name = "mysql_server_sampledb" - charset = "UTF8" - collation = "utf8_unicode_ci" - } - } - - - tags = { - segment = "sales" - } - - } - -} \ No newline at end of file diff --git a/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars b/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars index 2df6f717ca..33c80f7d4c 100644 --- a/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars +++ b/examples/networking/private_links/endpoints/centralized/private_endpoints.tfvars @@ -127,19 +127,6 @@ private_endpoints = { } } - mysql_servers = { - sales-re1 = { - private_service_connection = { - name = "psc-myssql-sales-re1" - } - - private_dns = { - zone_group_name = "default" - keys = ["dns1"] - } - } - } - redis_caches = { sales_rc1 = { private_service_connection = { diff --git a/examples/variables.tf b/examples/variables.tf index 419cb65301..df4005a009 100644 --- a/examples/variables.tf +++ b/examples/variables.tf 
@@ -385,9 +385,6 @@ variable "application_gateway_applications_v1" { variable "application_gateway_waf_policies" { default = {} } -variable "mysql_servers" { - default = {} -} variable "postgresql_flexible_servers" { default = {} } diff --git a/modules/databases/mysql_server/audit.tf b/modules/databases/mysql_server/audit.tf deleted file mode 100644 index 55bd8115e4..0000000000 --- a/modules/databases/mysql_server/audit.tf +++ /dev/null @@ -1,8 +0,0 @@ -# Server auditing - -data "azurerm_storage_account" "mysql_auditing" { - count = try(var.settings.extended_auditing_policy.storage_account.key, null) == null ? 0 : 1 - - name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].name - resource_group_name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].resource_group_name -} diff --git a/modules/databases/mysql_server/configuration.tf b/modules/databases/mysql_server/configuration.tf deleted file mode 100644 index 24c1f05719..0000000000 --- a/modules/databases/mysql_server/configuration.tf +++ /dev/null @@ -1,12 +0,0 @@ -# Configuration -# - -resource "azurerm_mysql_configuration" "mysql_configuration" { - - for_each = var.settings.mysql_configurations - - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mysql_server.mysql.name - value = each.value.value -} \ No newline at end of file diff --git a/modules/databases/mysql_server/database.tf b/modules/databases/mysql_server/database.tf deleted file mode 100644 index 924d518153..0000000000 --- a/modules/databases/mysql_server/database.tf +++ /dev/null @@ -1,15 +0,0 @@ - -# -# Firewall Rule -# - -resource "azurerm_mysql_database" "mysql_database" { - - for_each = var.settings.mysql_databases - - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mysql_server.mysql.name - charset = each.value.charset - collation = each.value.collation -} 
diff --git a/modules/databases/mysql_server/diagnostics.tf b/modules/databases/mysql_server/diagnostics.tf deleted file mode 100644 index 2ab8b1c1bb..0000000000 --- a/modules/databases/mysql_server/diagnostics.tf +++ /dev/null @@ -1,9 +0,0 @@ -module "diagnostics" { - source = "../../diagnostics" - count = var.diagnostic_profiles == null ? 0 : 1 - - resource_id = azurerm_mysql_server.mysql.id - resource_location = local.location - diagnostics = var.diagnostics - profiles = var.diagnostic_profiles -} \ No newline at end of file diff --git a/modules/databases/mysql_server/firewall_rule.tf b/modules/databases/mysql_server/firewall_rule.tf deleted file mode 100644 index 17c3d65cb1..0000000000 --- a/modules/databases/mysql_server/firewall_rule.tf +++ /dev/null @@ -1,15 +0,0 @@ - -# -# Firewall Rule -# - -resource "azurerm_mysql_firewall_rule" "mysql_firewall_rules" { - - for_each = try(var.settings.mysql_firewall_rules, {}) - - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mysql_server.mysql.name - start_ip_address = each.value.start_ip_address - end_ip_address = each.value.end_ip_address -} diff --git a/modules/databases/mysql_server/main.tf b/modules/databases/mysql_server/main.tf deleted file mode 100644 index 50f65e1e7d..0000000000 --- a/modules/databases/mysql_server/main.tf +++ /dev/null @@ -1,19 +0,0 @@ -terraform { - required_providers { - azurecaf = { - source = "aztfmod/azurecaf" - } - } - -} - -locals { - tags = var.base_tags ? merge( - var.global_settings.tags, - try(var.resource_group.tags, null), - try(var.settings.tags, null) - ) : try(var.settings.tags, null) - - location = coalesce(var.location, var.resource_group.location) - resource_group_name = coalesce(var.resource_group_name, var.resource_group.name) -} \ No newline at end of file diff --git a/modules/databases/mysql_server/network_rule.tf b/modules/databases/mysql_server/network_rule.tf deleted file mode 100644 index 93807c5007..0000000000 
--- a/modules/databases/mysql_server/network_rule.tf +++ /dev/null @@ -1,9 +0,0 @@ - -resource "azurerm_mysql_virtual_network_rule" "mysql_vnet_rules" { - for_each = try(var.settings.mysql_vnet_rules, {}) - name = each.value.name - resource_group_name = local.resource_group_name - server_name = azurerm_mysql_server.mysql.name - subnet_id = can(var.subnet_id) ? var.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id -} - diff --git a/modules/databases/mysql_server/output.tf b/modules/databases/mysql_server/output.tf deleted file mode 100644 index 8768d74689..0000000000 --- a/modules/databases/mysql_server/output.tf +++ /dev/null @@ -1,28 +0,0 @@ -output "id" { - value = azurerm_mysql_server.mysql.id -} - -output "fqdn" { - value = azurerm_mysql_server.mysql.fqdn -} - -output "rbac_id" { - value = try(azurerm_mysql_server.mysql.identity[0].principal_id, null) -} - -output "identity" { - value = try(azurerm_mysql_server.mysql.identity, null) -} - -output "name" { - value = azurecaf_name.mysql.result -} - - -output "resource_group_name" { - value = local.resource_group_name -} - -output "location" { - value = local.location -} \ No newline at end of file diff --git a/modules/databases/mysql_server/private_endpoints.tf b/modules/databases/mysql_server/private_endpoints.tf deleted file mode 100644 index 77467df22d..0000000000 --- a/modules/databases/mysql_server/private_endpoints.tf +++ /dev/null 
@@ -1,20 +0,0 @@ -# -# Private endpoint -# - -module "private_endpoint" { - source = "../../networking/private_endpoint" - for_each = try(var.private_endpoints, {}) - - resource_id = azurerm_mysql_server.mysql.id - name = each.value.name - location = local.location - resource_group_name = local.resource_group_name - subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id - settings = each.value - global_settings = var.global_settings - tags = local.tags - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config -} diff --git a/modules/databases/mysql_server/server.tf b/modules/databases/mysql_server/server.tf deleted file mode 100644 index 76144a5f68..0000000000 --- a/modules/databases/mysql_server/server.tf +++ /dev/null 
@@ -1,101 +0,0 @@ -resource "azurerm_mysql_server" "mysql" { - - name = azurecaf_name.mysql.result - resource_group_name = local.resource_group_name - location = local.location - version = var.settings.version - sku_name = var.settings.sku_name - - administrator_login = var.settings.administrator_login - administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.mysql_admin_password.0.value) - - auto_grow_enabled = try(var.settings.auto_grow_enabled, true) - storage_mb = var.settings.storage_mb - backup_retention_days = try(var.settings.backup_retention_days, null) - create_mode = try(var.settings.create_mode, "Default") - creation_source_server_id = try(var.settings.creation_source_server_id, null) - geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, null) - infrastructure_encryption_enabled = try(var.settings.infrastructure_encryption_enabled, false) - restore_point_in_time = try(var.settings.restore_point_in_time, null) - public_network_access_enabled = try(var.settings.public_network_access_enabled, true) - ssl_enforcement_enabled = try(var.settings.ssl_enforcement_enabled, true) - ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLSEnforcementDisabled") - tags = local.tags - - dynamic "identity" { - for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1] - - content { - type = var.settings.identity.type - } - } - -} - -resource "azurecaf_name" "mysql" { - name = var.settings.name - resource_type = "azurerm_mysql_server" - prefixes = var.global_settings.prefixes - random_length = var.global_settings.random_length - clean_input = true - passthrough = var.global_settings.passthrough -} - -# Generate sql server random admin password if not provided in the attribute administrator_login_password -resource "random_password" "mysql_admin" { - count = try(var.settings.administrator_login_password, null) == null ? 
1 : 0 - - length = 32 - special = true - override_special = "_%@" - -} - -# Store the generated password into keyvault -resource "azurerm_key_vault_secret" "mysql_admin_password" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-password", azurecaf_name.mysql.result) - value = random_password.mysql_admin.0.result - key_vault_id = var.keyvault_id - - lifecycle { - ignore_changes = [ - value - ] - } -} - -resource "azurerm_key_vault_secret" "sql_admin" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-username", azurecaf_name.mysql.result) - value = var.settings.administrator_login - key_vault_id = var.keyvault_id -} - -resource "azurerm_key_vault_secret" "mysql_admin_login_name" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-login-name", azurecaf_name.mysql.result) - value = format("%s@%s", var.settings.administrator_login, azurerm_mysql_server.mysql.fqdn) - key_vault_id = var.keyvault_id -} - -resource "azurerm_key_vault_secret" "mysql_fqdn" { - count = try(var.settings.administrator_login_password, null) == null ? 1 : 0 - - name = format("%s-fqdn", azurecaf_name.mysql.result) - value = azurerm_mysql_server.mysql.fqdn - key_vault_id = var.keyvault_id -} - -resource "azurerm_mysql_active_directory_administrator" "aad_admin" { - count = try(var.settings.azuread_administrator, null) == null ? 
0 : 1 - - server_name = azurerm_mysql_server.mysql.name - resource_group_name = local.resource_group_name - login = try(var.settings.azuread_administrator.login_username, var.azuread_groups[var.settings.azuread_administrator.azuread_group_key].name) - tenant_id = try(var.settings.azuread_administrator.tenant_id, var.azuread_groups[var.settings.azuread_administrator.azuread_group_key].tenant_id) - object_id = try(var.settings.azuread_administrator.object_id, var.azuread_groups[var.settings.azuread_administrator.azuread_group_key].id) -} diff --git a/modules/databases/mysql_server/threat_detection.tf b/modules/databases/mysql_server/threat_detection.tf deleted file mode 100644 index 56558a5825..0000000000 --- a/modules/databases/mysql_server/threat_detection.tf +++ /dev/null @@ -1,12 +0,0 @@ - - -# threat detection policy - -data "azurerm_storage_account" "mysql_va" { - count = try(var.settings.threat_detection_policy.storage_account_key, null) == null ? 0 : 1 - - name = var.storage_accounts[var.settings.threat_detection_policy.storage_account_key].name - resource_group_name = var.storage_accounts[var.settings.threat_detection_policy.storage_account_key].resource_group_name -} - - diff --git a/modules/databases/mysql_server/variables.tf b/modules/databases/mysql_server/variables.tf deleted file mode 100644 index efcfe53012..0000000000 --- a/modules/databases/mysql_server/variables.tf +++ /dev/null 
@@ -1,41 +0,0 @@ -variable "global_settings" { - description = "Global settings object (see module README.md)" -} -variable "settings" {} -variable "client_config" { - description = "Client configuration object (see module README.md)." -} -variable "keyvault_id" {} -variable "storage_accounts" {} -variable "azuread_groups" {} -variable "vnets" {} -variable "subnet_id" {} -variable "private_endpoints" {} -variable "resource_groups" {} -variable "diagnostic_profiles" { - default = {} -} -variable "network_security_group_definition" { - default = null -} -variable "diagnostics" { - default = {} -} -variable "private_dns" { - default = {} -} -variable "location" { - description = "location of the resource if different from the resource group." - default = null -} -variable "resource_group_name" { - description = "Resource group object to deploy the virtual machine" - default = null -} -variable "resource_group" { - description = "Resource group object to deploy the virtual machine" -} -variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." - type = bool -} \ No newline at end of file diff --git a/mysql_servers.tf b/mysql_servers.tf deleted file mode 100644 index c993437907..0000000000 --- a/mysql_servers.tf +++ /dev/null 
@@ -1,35 +0,0 @@ - -output "mysql_servers" { - value = module.mysql_servers - -} - -module "mysql_servers" { - source = "./modules/databases/mysql_server" - depends_on = [module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps] - for_each = local.database.mysql_servers - - global_settings = local.global_settings - settings = each.value - client_config = local.client_config - keyvault_id = coalesce( - try(each.value.administrator_login_password, null), - try(module.keyvaults[each.value.keyvault_key].id, null), - try(local.combined_objects_keyvaults[each.value.keyvault.lz_key][each.value.keyvault.key].id, null), - try(local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault.key].id, null) - ) - storage_accounts = module.storage_accounts - azuread_groups = module.azuread_groups - vnets = local.combined_objects_networking - subnet_id = can(each.value.subnet_id) || can(each.value.vnet_key) == false ? try(each.value.subnet_id, null) : local.combined_objects_networking[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id - private_endpoints = try(each.value.private_endpoints, {}) - resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups - private_dns = local.combined_objects_private_dns - diagnostics = local.combined_diagnostics - diagnostic_profiles = try(each.value.diagnostic_profiles, {}) - - base_tags = local.global_settings.inherit_tags - resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] - resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null - location = try(local.global_settings.regions[each.value.region], null) -} \ No newline at end of file 
diff --git a/networking_private_links.tf b/networking_private_links.tf
index 2971f91eb5..0848b65cdb 100644
--- a/networking_private_links.tf
+++ b/networking_private_links.tf
@@ -26,7 +26,7 @@ module "private_endpoints" {
 keyvaults = local.combined_objects_keyvaults
 machine_learning = local.combined_objects_machine_learning
 mssql_servers = local.combined_objects_mssql_servers
- mysql_servers = local.combined_objects_mysql_servers
+ mysql_flexible_servers = local.combined_objects_mysql_flexible_servers
 networking = local.combined_objects_networking
 postgresql_servers = local.combined_objects_postgresql_servers
 recovery_vaults = local.combined_objects_recovery_vaults
diff --git a/roles.tf b/roles.tf
index 987f4b8b54..c3299a3653 100644
--- a/roles.tf
+++ b/roles.tf
@@ -147,8 +147,8 @@ locals {
 mssql_managed_databases = local.combined_objects_mssql_managed_databases
 mssql_managed_instances = local.combined_objects_mssql_managed_instances
 mssql_servers = local.combined_objects_mssql_servers
- maintenance_configuration = local.combined_objects_maintenance_configuration
- mysql_servers = local.combined_objects_mysql_servers
+ maintenance_configuration = local.combined_objects_maintenance_configuration
+ mysql_flexible_servers = local.combined_objects_mysql_flexible_servers
 network_watchers = local.combined_objects_network_watchers
 networking = local.combined_objects_networking
 postgresql_servers = local.combined_objects_postgresql_servers
From 22d5f7e6fe37201a8e1163aa758722e393ba0835 Mon Sep 17 00:00:00 2001
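Review bot: Both new `mysql_flexible_servers` arguments read `local.combined_objects_mysql_flexible_servers`, which no hunk in this patch defines; unless another patch in the series adds that local (and a matching `mysql_flexible_servers` variable on the private_endpoints module), `terraform validate` will fail on networking_private_links.tf and roles.tf. Since the `mysql_servers` key is gone from both maps, a caller whose tfvars still carry a `private_endpoints.mysql_servers` block is silently ignored rather than rejected; a one-line comment at the roles.tf entry such as `# mysql_servers (single server) removed with azurerm 4.x; use mysql_flexible_servers` would give migrating callers a pointer. The `locals` block in roles.tf and the `module "private_endpoints"` block both start and end outside their hunks.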
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:50:47 +0100 Subject: [PATCH 26/60] feat(synapse): refactor AAD admin settings and add storage account type to upgrade hashicorp/azurerm to 4.7.0 This commit includes changes to the Azure Synapse Terraform modules. 1. The Azure Active Directory (AAD) admin settings have been refactored and moved from the workspace module to a new separate module called `workspace_aad_admin`. This change provides better modularity and isolation of concerns. 2. A new attribute `storage_account_type` has been added to the `sql_pool` resource with a default value of "GRS" (Geo-Redundant Storage). This allows users to specify the type of storage account to be used by the SQL pool in Azure Synapse. --- modules/analytics/synapse/sql_pool/sql_pool.tf | 1 + modules/analytics/synapse/workspace.tf | 17 +++++++++-------- .../workspace_aad_admin/workspace_aad_admin.tf | 9 +++++++++ 3 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 modules/analytics/synapse/workspace_aad_admin/workspace_aad_admin.tf
diff --git a/modules/analytics/synapse/sql_pool/sql_pool.tf b/modules/analytics/synapse/sql_pool/sql_pool.tf
index bfa49621b6..e82f752fae 100644
--- a/modules/analytics/synapse/sql_pool/sql_pool.tf
+++ b/modules/analytics/synapse/sql_pool/sql_pool.tf
@@ -13,5 +13,6 @@ resource "azurerm_synapse_sql_pool" "sql_pool" {
 synapse_workspace_id = var.synapse_workspace_id
 sku_name = try(var.settings.sku_name, "DW100c")
 create_mode = try(var.settings.create_mode, "Default")
+ storage_account_type = try(var.settings.storage_account_type, "GRS")
 tags = local.tags
 }
diff --git a/modules/analytics/synapse/workspace.tf b/modules/analytics/synapse/workspace.tf
index 6195bf8997..77b2642b00 100644
--- a/modules/analytics/synapse/workspace.tf
+++ b/modules/analytics/synapse/workspace.tf
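Review bot: `storage_account_type` now defaults to "GRS" for every pool, including pools created before this change without the attribute; if the 4.x provider treats the attribute as force-new, a pool that was provisioned as LRS would be planned for destroy/create, which for a data-bearing resource deserves an explicit guard or at least a warning. Consider a comment on the new line such as `# GRS is the service default; changing it on an existing pool may force replacement — verify against the azurerm 4.x schema` and a sentence in the commit message. The `azurerm_synapse_sql_pool` block starts outside the hunk.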
@@ -28,15 +28,7 @@ resource "azurerm_synapse_workspace" "ws" {
 type = "SystemAssigned"
 }
- dynamic "aad_admin" {
- for_each = try(var.settings.aad_admin, null) != null ? [var.settings.aad_admin] : []
- content {
- login = try(aad_admin.value.login, null)
- object_id = try(aad_admin.value.object_id, null)
- tenant_id = try(aad_admin.value.tenant_id, null)
- }
- }
 dynamic "azure_devops_repo" {
 for_each = try(var.settings.azure_devops_repo, null) != null ? [var.settings.azure_devops_repo] : []
@@ -151,3 +143,12 @@ resource "azurerm_synapse_firewall_rule" "wrkspc_firewalls" {
 end_ip_address = each.value.end_ip
 }
+
+
+resource "azurerm_synapse_workspace_aad_admin" "wrkspc_aad_admin" {
+ for_each = try(var.settings.aad_admin, null) != null ? { for k, v in [var.settings.aad_admin] : k => v } : {}
+ synapse_workspace_id = azurerm_synapse_workspace.ws.id
+ login = try(each.value.login, null)
+ object_id = try(each.value.object_id, null)
+ tenant_id = try(each.value.tenant_id, null)
+}
\ No newline at end of file
diff --git a/modules/analytics/synapse/workspace_aad_admin/workspace_aad_admin.tf b/modules/analytics/synapse/workspace_aad_admin/workspace_aad_admin.tf
new file mode 100644
index 0000000000..c6474e018b
--- /dev/null
+++ b/modules/analytics/synapse/workspace_aad_admin/workspace_aad_admin.tf
@@ -0,0 +1,9 @@
+ dynamic "aad_admin" {
+ for_each = try(var.settings.aad_admin, null) != null ? [var.settings.aad_admin] : []
+
+ content {
+ login = try(aad_admin.value.login, null)
+ object_id = try(aad_admin.value.object_id, null)
+ tenant_id = try(aad_admin.value.tenant_id, null)
+ }
+ }
\ No newline at end of file
From 01169adc60e43383428e93102815956d87914a7c Mon Sep 17 00:00:00 2001
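Review bot: The `for_each` on `azurerm_synapse_workspace_aad_admin.wrkspc_aad_admin` wraps one object in a list and projects it with `for k, v in [...] : k => v`, so the only instance key is the numeric index `0`; the intent reads more clearly and the address stays stable as `for_each = try(var.settings.aad_admin, null) != null ? { aad_admin = var.settings.aad_admin } : {}`. `login`, `object_id` and `tenant_id` each fall back to `null`, which turns a missing setting into a provider error at plan time instead of a validation message naming the key. The first hunk in this file, which drops the inline `aad_admin` block, is the counterpart of this resource, so existing workspaces will plan the admin being removed from the workspace and re-created as a separate resource; worth a line in the commit message.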
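Review bot: workspace_aad_admin.tf holds a bare `dynamic "aad_admin"` block at file top level, which is not valid Terraform outside a resource or module body and will fail `terraform validate` for that directory; it also references `var.settings` with no variable declared. The commit message describes a new `workspace_aad_admin` module, but the file is the old inline block copied verbatim, not a module. Either drop the file — the `azurerm_synapse_workspace_aad_admin` resource added to workspace.tf already covers the case — or make it a real module with `variable "settings"`, `variable "synapse_workspace_id"` and that resource as its body.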
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:52:19 +0100 Subject: [PATCH 27/60] refactor(apim): remove policy block and soap_pass_through attribute to upgrade hashicorp/azurerm to 4.7.0 Removed the dynamic `policy` block from the `azurerm_api_management` resource in the API Management module. This change simplifies the configuration by eliminating unnecessary complexity. Also removed the `soap_pass_through` attribute from the `azurerm_api_management_api` resource. This was redundant as it's not needed for our current use case. BREAKING CHANGE: No --- modules/apim/api_management/module.tf | 9 --------- modules/apim/api_management_api/module.tf | 3 +-- 2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/modules/apim/api_management/module.tf b/modules/apim/api_management/module.tf
index 59e188c6a6..8282cef3b2 100644
--- a/modules/apim/api_management/module.tf
+++ b/modules/apim/api_management/module.tf
@@ -125,15 +125,6 @@ resource "azurerm_api_management" "apim" {
 }
 }
 notification_sender_email = try(var.settings.notification_sender_email, null)
- dynamic "policy" {
- for_each = try(var.settings.policy, null) != null ? [var.settings.policy] : []
-
- content {
-
- xml_content = try(policy.value.xml_content, null)
- xml_link = try(policy.value.xml_link, null)
- }
- }
 dynamic "protocols" {
 for_each = try(var.settings.protocols, null) != null ? [var.settings.protocols] : []
diff --git a/modules/apim/api_management_api/module.tf b/modules/apim/api_management_api/module.tf
index fdbc2f2de3..41200e06bb 100644
--- a/modules/apim/api_management_api/module.tf
+++ b/modules/apim/api_management_api/module.tf
@@ -54,8 +54,7 @@ resource "azurerm_api_management_api" "apim" {
 bearer_token_sending_methods = try(openid_authentication.value.bearer_token_sending_methods, null)
 }
 }
- service_url = try(var.settings.service_url, null)
- soap_pass_through = try(var.settings.soap_pass_through, null)
+ service_url = try(var.settings.service_url, null)
 dynamic "subscription_key_parameter_names" {
 for_each = try(var.settings.subscription_key_parameter_names, null) != null ? [var.settings.subscription_key_parameter_names] : []
From 2e859871f9260b687c1bb5a4dfd1e99e55db636b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:53:47 +0100 Subject: [PATCH 28/60] refactor(consumption_budget): remove dynamic condition block and replace with condition_json to upgrade hashicorp/azurerm to 4.7.0 --- .../resource_group/resource_group_budget.tf | 43 ------------------- .../subscription/subscription_budget.tf | 43 ------------------- 2 files changed, 86 deletions(-)
diff --git a/modules/consumption_budget/resource_group/resource_group_budget.tf b/modules/consumption_budget/resource_group/resource_group_budget.tf
index 69fb0cdaa2..8b39ee3b14 100644
--- a/modules/consumption_budget/resource_group/resource_group_budget.tf
+++ b/modules/consumption_budget/resource_group/resource_group_budget.tf
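Review bot: `soap_pass_through` is dropped with no replacement on the new side, so a caller whose settings enabled SOAP pass-through now silently gets a non-SOAP API; if the 4.x provider expresses this through a different attribute (it looks like `api_type`, verify), wire it through, e.g. `api_type = try(var.settings.api_type, null)`, and state the behavioural change in the commit message rather than "BREAKING CHANGE: No". The `azurerm_api_management_api` block starts and ends outside the hunk.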
@@ -86,50 +86,7 @@ resource "azurerm_consumption_budget_resource_group" "this" {
 }
 }
- dynamic "not" {
- for_each = try(var.settings.filter.not, null) == null ? [] : [1]
- content {
- dynamic "dimension" {
- for_each = {
- for key, value in try(var.settings.filter.not.dimension, {}) : key => value
- if lower(value.name) != "resource_key"
- }
-
- content {
- name = dimension.value.name
- operator = try(dimension.value.operator, "In")
- values = dimension.value.values
- }
- }
-
- dynamic "dimension" {
- for_each = {
- for key, value in try(var.settings.filter.not.dimension, {}) : key => value
- if lower(value.name) == "resource_key"
- }
-
- content {
- name = "ResourceId"
- operator = try(dimension.value.operator, "In")
- values = try(flatten([
- for key, value in var.local_combined_resources[dimension.value.resource_key][try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id
- if contains(dimension.value.values, key)
- ]), [])
- }
- }
-
- dynamic "tag" {
- for_each = try(var.settings.filter.not.tag, null) == null ? [] : [1]
-
- content {
- name = var.settings.filter.not.tag.name
- operator = try(var.settings.filter.not.tag.operator, "In")
- values = var.settings.filter.not.tag.values
- }
- }
- }
- }
 }
 }
 }
diff --git a/modules/consumption_budget/subscription/subscription_budget.tf b/modules/consumption_budget/subscription/subscription_budget.tf
index 142961c7b3..ef445abfec 100644
--- a/modules/consumption_budget/subscription/subscription_budget.tf
+++ b/modules/consumption_budget/subscription/subscription_budget.tf
@@ -87,50 +87,7 @@ resource "azurerm_consumption_budget_subscription" "this" {
 }
 }
- dynamic "not" {
- for_each = try(var.settings.filter.not, null) == null ? [] : [1]
- content {
- dynamic "dimension" {
- for_each = {
- for key, value in try(var.settings.filter.not.dimension, {}) : key => value
- if lower(value.name) != "resource_key"
- }
-
- content {
- name = dimension.value.name
- operator = try(dimension.value.operator, "In")
- values = dimension.value.values
- }
- }
-
- dynamic "dimension" {
- for_each = {
- for key, value in try(var.settings.filter.not.dimension, {}) : key => value
- if lower(value.name) == "resource_key"
- }
-
- content {
- name = "ResourceId"
- operator = try(dimension.value.operator, "In")
- values = try(flatten([
- for key, value in var.local_combined_resources[dimension.value.resource_key][try(dimension.value.lz_key, var.client_config.landingzone_key)] : value.id
- if contains(dimension.value.values, key)
- ]), [])
- }
- }
-
- dynamic "tag" {
- for_each = try(var.settings.filter.not.tag, null) == null ? [] : [1]
-
- content {
- name = var.settings.filter.not.tag.name
- operator = try(var.settings.filter.not.tag.operator, "In")
- values = var.settings.filter.not.tag.values
- }
- }
- }
- }
 }
 }
 }
\ No newline at end of file
From 3d026e000bb8bbec1d23c3c518e3b5b17714b6fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:54:19 +0100 Subject: [PATCH 29/60] refactor(aks): update default node pool settings to upgrade hashicorp/azurerm to 4.7.0 - Renamed and updated variables for default node pool settings in the AKS module. - Replaced deprecated variable names with new ones to align with the latest version of hashicorp/azurerm. --- modules/compute/aks/aks.tf | 37 ++++++++++--------------------------- 1 file changed, 10 insertions(+), 27 deletions(-)
diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf
index 0ace42bb06..038e1a4e96 100644
--- a/modules/compute/aks/aks.tf
+++ b/modules/compute/aks/aks.tf
@@ -45,9 +45,9 @@ resource "azurerm_kubernetes_cluster" "aks" {
 default_node_pool {
 zones = try(var.settings.default_node_pool.zones, var.settings.default_node_pool.availability_zones, null)
- enable_auto_scaling = try(var.settings.default_node_pool.enable_auto_scaling, false)
- enable_host_encryption = try(var.settings.default_node_pool.enable_host_encryption, false)
- enable_node_public_ip = try(var.settings.default_node_pool.enable_node_public_ip, false)
+ auto_scaling_enabled = try(var.settings.default_node_pool.auto_scaling_enabled, false)
+ host_encryption_enabled = try(var.settings.default_node_pool.host_encryption_enabled, false)
+ node_public_ip_enabled = try(var.settings.default_node_pool.node_public_ip_enabled, false)
 fips_enabled = try(var.settings.default_node_pool.fips_enabled, null)
 kubelet_disk_type = try(var.settings.default_node_pool.kubelet_disk_type, null)
 max_count = try(var.settings.default_node_pool.max_count, null)
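Review bot: The three renamed attributes also change the settings key the module reads (`auto_scaling_enabled`, `host_encryption_enabled`, `node_public_ip_enabled`), so a caller whose tfvars still say `enable_auto_scaling`/`enable_host_encryption`/`enable_node_public_ip` silently gets `false` — host encryption would be switched off on the next apply with no error. The `zones` line just above shows the pattern for a compatible rename, e.g. `host_encryption_enabled = try(var.settings.default_node_pool.host_encryption_enabled, var.settings.default_node_pool.enable_host_encryption, false)`, and the same applies to `automatic_upgrade_channel` in the next hunk and `dns_zone_ids` in the last hunk of this file. The `default_node_pool` block starts and ends outside the hunk.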
@@ -68,9 +68,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 ultra_ssd_enabled = try(var.settings.default_node_pool.ultra_ssd_enabled, false)
 vm_size = var.settings.default_node_pool.vm_size
 capacity_reservation_group_id = try(var.settings.capacity_reservation_group_id, null)
- custom_ca_trust_enabled = try(var.settings.custom_ca_trust_enabled, null)
 host_group_id = try(var.settings.host_group_id, null)
- pod_subnet_id = can(var.settings.default_node_pool.pod_subnet_key) == false || can(var.settings.default_node_pool.pod_subnet.key) == false || can(var.settings.default_node_pool.pod_subnet_id) || can(var.settings.default_node_pool.pod_subnet.resource_id) ? try(var.settings.default_node_pool.pod_subnet_id, var.settings.default_node_pool.pod_subnet.resource_id, null) : var.vnets[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.vnet_key].subnets[try(var.settings.default_node_pool.pod_subnet_key, var.settings.default_node_pool.pod_subnet.key)].id
 vnet_subnet_id = can(var.settings.default_node_pool.vnet_subnet_id) || can(var.settings.default_node_pool.subnet.resource_id) ? try(var.settings.default_node_pool.vnet_subnet_id, var.settings.default_node_pool.subnet.resource_id) : var.vnets[try(var.settings.vnet.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.vnet.key, var.settings.vnet_key)].subnets[try(var.settings.default_node_pool.subnet_key, var.settings.default_node_pool.subnet.key)].id
@@ -142,7 +140,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 dns_prefix = try(var.settings.dns_prefix, try(var.settings.dns_prefix_private_cluster, random_string.prefix.result))
 dns_prefix_private_cluster = try(var.settings.dns_prefix_private_cluster, null)
- automatic_channel_upgrade = try(var.settings.automatic_channel_upgrade, null)
+ automatic_upgrade_channel = try(var.settings.automatic_upgrade_channel, null)
 dynamic "key_management_service" {
 for_each = try(var.settings.key_management_service[*], {})
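Review bot: `pod_subnet_id` is removed from `default_node_pool` together with `custom_ca_trust_enabled`, but unlike the latter it does not appear to have been dropped by the 4.x provider (verify against the 4.7 schema); clusters that rely on a dedicated pod subnet would lose that setting and Terraform would plan a node-pool change. If the removal is deliberate the commit message should say so; otherwise restore the line as it was, since the `vnet_subnet_id` expression next to it keeps the same key-or-id resolution style. The `default_node_pool` block starts outside the hunk.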
@@ -209,8 +207,6 @@ resource "azurerm_kubernetes_cluster" "aks" {
 # }
 # }
- api_server_authorized_ip_ranges = try(var.settings.api_server_authorized_ip_ranges, null)
-
 disk_encryption_set_id = try(coalesce(
 try(var.settings.disk_encryption_set_id, ""),
 try(var.settings.disk_encryption_set.id, "")
@@ -221,8 +217,6 @@ resource "azurerm_kubernetes_cluster" "aks" {
 content {
 authorized_ip_ranges = try(api_server_access_profile.value.authorized_ip_ranges, null)
- subnet_id = try(can(api_server_access_profile.value.subnet_id) ? api_server_access_profile.value.subnet_id : var.vnets[try(api_server_access_profile.value.subnet.lz_key, var.settings.vnet.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(api_server_access_profile.value.subnet.vnet_key, var.settings.vnet_key)].subnets[try(api_server_access_profile.value.subnet.key, var.settings.subnet_key)].id, null)
- vnet_integration_enabled = try(api_server_access_profile.value.vnet_integration_enabled, false)
 }
 }
@@ -290,7 +284,6 @@ resource "azurerm_kubernetes_cluster" "aks" {
 content {
 blob_driver_enabled = try(storage_profile.value.blob_driver_enabled, null)
 disk_driver_enabled = try(storage_profile.value.disk_driver_enabled, null)
- disk_driver_version = try(storage_profile.value.disk_driver_version, null)
 file_driver_enabled = try(storage_profile.value.file_driver_enabled, null)
 snapshot_controller_enabled = try(storage_profile.value.snapshot_controller_enabled, null)
 }
@@ -325,13 +318,11 @@ resource "azurerm_kubernetes_cluster" "aks" { network_mode = try(network_profile.value.network_mode, null) network_policy = try(network_profile.value.network_policy, null) dns_service_ip = try(network_profile.value.dns_service_ip, null) - docker_bridge_cidr = try(network_profile.value.docker_bridge_cidr, null) outbound_type = try(network_profile.value.outbound_type, null) pod_cidr = try(network_profile.value.pod_cidr, null) service_cidr = try(network_profile.value.service_cidr, null) service_cidrs = try(network_profile.value.network_cidrs, null) load_balancer_sku = try(network_profile.value.load_balancer_sku, null) - ebpf_data_plane = try(network_profile.value.ebpf_data_plane, null) network_plugin_mode = try(network_profile.value.network_plugin_mode, null) ip_versions = try(network_profile.value.ip_versions, null) @@ -355,6 +346,7 @@ resource "azurerm_kubernetes_cluster" "aks" { mode = try(service_mesh_profile.value.mode, null) internal_ingress_gateway_enabled = try(service_mesh_profile.value.internal_ingress_gateway_enabled, null) external_ingress_gateway_enabled = try(service_mesh_profile.value.external_ingress_gateway_enabled, null) + revisions = try(service_mesh_profile.value.revisions, null) } } 
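Review bot: `ebpf_data_plane` is removed in the first hunk without its 4.x replacement; if I recall correctly the provider renamed it to `network_profile.network_data_plane`, so clusters configured for the Cilium data plane would silently fall back to the default. Adding `network_data_plane = try(network_profile.value.network_data_plane, null)` next to `network_plugin_mode` keeps the option available, and reading the old `ebpf_data_plane` key as a second fallback would cover existing inputs. The new `revisions = try(service_mesh_profile.value.revisions, null)` in the second hunk may also deserve a line in the module docs, since `revisions` appears to be required in 4.x and a null value fails at plan time rather than being ignored. The network_profile block starts outside the first hunk.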
@@ -364,23 +356,16 @@ resource "azurerm_kubernetes_cluster" "aks" { private_cluster_enabled = try(var.settings.private_cluster_enabled, null) private_dns_zone_id = try(var.private_dns_zone_id, null) private_cluster_public_fqdn_enabled = try(var.settings.private_cluster_public_fqdn_enabled, null) - public_network_access_enabled = try(var.settings.public_network_access_enabled, true) + #Enabled RBAC dynamic "azure_active_directory_role_based_access_control" { for_each = try(var.settings.role_based_access_control[*], {}) content { - managed = try(azure_active_directory_role_based_access_control.value.azure_active_directory.managed, true) tenant_id = try(azure_active_directory_role_based_access_control.value.azure_active_directory.tenant_id, null) - azure_rbac_enabled = try(azure_active_directory_role_based_access_control.value.enabled, true) admin_group_object_ids = try(azure_active_directory_role_based_access_control.value.azure_active_directory.admin_group_object_ids, try(var.admin_group_object_ids, null)) - - client_app_id = try(azure_active_directory_role_based_access_control.value.azure_active_directory.client_app_id, null) - server_app_id = try(azure_active_directory_role_based_access_control.value.azure_active_directory.server_app_id, null) - server_app_secret = try(azure_active_directory_role_based_access_control.value.azure_active_directory.server_app_secret, null) - } } @@ -441,7 +426,7 @@ resource "azurerm_kubernetes_cluster" "aks" { for_each = try(var.settings.web_app_routing[*], {}) content { - dns_zone_id = try(web_app_routing.value.dns_zone_id, null) + dns_zone_ids = try(web_app_routing.value.dns_zone_ids, null) } } } 
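Review bot: Removing `azure_rbac_enabled = try(..., true)` from the `azure_active_directory_role_based_access_control` block changes a security default, not just provider syntax: `azure_rbac_enabled` still appears to be an optional argument in 4.x, and omitting it leaves the provider default (Azure RBAC for Kubernetes authorization off), so new clusters lose the enabled-by-default posture and existing clusters may plan a change that disables it. Keeping `azure_rbac_enabled = try(azure_active_directory_role_based_access_control.value.enabled, true)` preserves the prior behaviour. The removals of `managed`, the legacy `client_app_id`/`server_app_id`/`server_app_secret` and the top-level `public_network_access_enabled` do match the 4.x provider. The `dns_zone_ids` rename in the last hunk reads only the new settings key, so a configuration still using `dns_zone_id` silently gets no zone.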
@@ -464,11 +449,10 @@ resource "azurerm_kubernetes_cluster_node_pool" "nodepools" { kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id vm_size = each.value.vm_size capacity_reservation_group_id = try(each.value.capacity_reservation_group_id, null) - custom_ca_trust_enabled = try(each.value.custom_ca_trust_enabled, null) zones = try(each.value.zones, each.value.availability_zones, null) - enable_auto_scaling = try(each.value.enable_auto_scaling, false) - enable_host_encryption = try(each.value.enable_host_encryption, false) - enable_node_public_ip = try(each.value.enable_node_public_ip, false) + auto_scaling_enabled = try(each.value.auto_scaling_enabled, false) + host_encryption_enabled = try(each.value.host_encryption_enabled, false) + node_public_ip_enabled = try(each.value.node_public_ip_enabled, false) eviction_policy = try(each.value.eviction_policy, null) host_group_id = try(each.value.host_group_id, null) @@ -533,7 +517,6 @@ resource "azurerm_kubernetes_cluster_node_pool" "nodepools" { fips_enabled = try(each.value.fips_enabled, false) kubelet_disk_type = try(each.value.kubelet_disk_type, null) max_pods = try(each.value.max_pods, null) - message_of_the_day = try(each.value.message_of_the_day, null) dynamic "node_network_profile" { for_each = try(var.settings.node_network_profile[*], {}) From cce837ad5e56d7add6230689a7afa4c6324ead95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:54:37 +0100 Subject: [PATCH 30/60] refactor(compute): remove dynamic GPU block in container_group.tf to upgrade hashicorp/azurerm to 4.7.0 --- modules/compute/container_group/container_group.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/compute/container_group/container_group.tf b/modules/compute/container_group/container_group.tf index 4253f8e2da..8beae1e65e 100644 --- a/modules/compute/container_group/container_group.tf +++ b/modules/compute/container_group/container_group.tf 
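Review bot: `message_of_the_day` is dropped in the second hunk alongside the genuinely removed `custom_ca_trust_enabled`, but it still appears to be a supported node-pool argument in the 4.x provider, so this looks like an unintended functional loss — worth confirming against the 4.7 schema before merging. If it is kept, the line stays as it was: `message_of_the_day = try(each.value.message_of_the_day, null)`. The azurerm_kubernetes_cluster_node_pool resource starts and ends outside these hunks.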
@@ -65,14 +65,6 @@ resource "azurerm_container_group" "acg" { commands = try(container.value.commands, null) - dynamic "gpu" { - for_each = try(container.value.gpu, null) == null ? [] : [1] - - content { - count = gpu.value.count - sku = gpu.value.sku - } - } dynamic "ports" { for_each = try(container.value.ports, {}) From a9b63aef012f51ad8b691c324e9d14b4db90472c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:55:25 +0100 Subject: [PATCH 31/60] refactor(compute): update network_interface.tf to use new IP forwarding and accelerated networking properties to upgrade hashicorp/azurerm to 4.7.0 --- modules/compute/virtual_machine/network_interface.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/compute/virtual_machine/network_interface.tf b/modules/compute/virtual_machine/network_interface.tf index f6d5f0240c..502273edce 100644 --- a/modules/compute/virtual_machine/network_interface.tf +++ b/modules/compute/virtual_machine/network_interface.tf @@ -48,8 +48,8 @@ resource "azurerm_network_interface" "nic" { resource_group_name = local.resource_group_name dns_servers = lookup(each.value, "dns_servers", null) - enable_ip_forwarding = lookup(each.value, "enable_ip_forwarding", false) - enable_accelerated_networking = lookup(each.value, "enable_accelerated_networking", false) + ip_forwarding_enabled = lookup(each.value, "ip_forwarding_enabled", false) + accelerated_networking_enabled = lookup(each.value, "accelerated_networking_enabled", false) internal_dns_name_label = lookup(each.value, "internal_dns_name_label", null) tags = merge(local.tags, try(each.value.tags, null)) 
@@ -91,7 +91,7 @@ resource "azurerm_network_interface" "nic" { # vnet_key = "hub_rg1" # subnet_key = "jumpbox" # name = "0" -# enable_ip_forwarding = false +# ip_forwarding_enabled = false # internal_dns_name_label = "nic0" # // Prefer network_security_group orver nsg_key. Will be removed in version 6 # nsg_key = "data" // requires a version 1 nsg definition (see compute/vm/210-vm-bastion-winrm example) @@ -107,7 +107,7 @@ resource "azurerm_network_interface" "nic" { # vnet_key = "vnet_region1" # subnet_key = "bastion" # name = "0-bastion_host" -# enable_ip_forwarding = false +# ip_forwarding_enabled = false # internal_dns_name_label = "bastion-host-nic0" # public_ip_address_key = "bastion_host_pip1" # } From 548bd40cfef29d776d384b8e4647266cb8f9790a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:55:38 +0100 Subject: [PATCH 32/60] refactor(compute): update scale_in policy in vmss_linux.tf and vmss_windows.tf to upgrade hashicorp/azurerm to 4.7.0 --- .../virtual_machine_scale_set/vmss_linux.tf | 16 ++++++++++++++-- .../virtual_machine_scale_set/vmss_windows.tf | 8 +++++++- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/modules/compute/virtual_machine_scale_set/vmss_linux.tf b/modules/compute/virtual_machine_scale_set/vmss_linux.tf index 1790b827d3..68c779f1a8 100644 --- a/modules/compute/virtual_machine_scale_set/vmss_linux.tf +++ b/modules/compute/virtual_machine_scale_set/vmss_linux.tf 
@@ -82,7 +82,13 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss" { priority = try(each.value.priority, null) provision_vm_agent = try(each.value.provision_vm_agent, true) proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null) - scale_in_policy = try(each.value.scale_in_policy, null) + dynamic "scale_in" { + for_each = can(each.value.scale_in) ? [1] : [] + content { + rule = each.value.scale_in.rule + force_deletion_enabled = each.value.scale_in.force_deletion_enabled + } + } single_placement_group = try(each.value.single_placement_group, null) upgrade_mode = try(each.value.upgrade_mode, null) zone_balance = try(each.value.zone_balance, null) @@ -273,7 +279,13 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss_autoscaled" { priority = try(each.value.priority, null) provision_vm_agent = try(each.value.provision_vm_agent, true) proximity_placement_group_id = try(var.proximity_placement_groups[var.client_config.landingzone_key][each.value.proximity_placement_group_key].id, var.proximity_placement_groups[each.value.proximity_placement_groups].id, null) - scale_in_policy = try(each.value.scale_in_policy, null) + dynamic "scale_in" { + for_each = can(each.value.scale_in) ? [1] : [] + content { + rule = each.value.scale_in.rule + force_deletion_enabled = each.value.scale_in.force_deletion_enabled + } + } single_placement_group = try(each.value.single_placement_group, null) upgrade_mode = try(each.value.upgrade_mode, null) zone_balance = try(each.value.zone_balance, null) 
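Review bot: Inside the new `scale_in` block both attributes are read without `try`, so a configuration that sets only a rule (e.g. `scale_in = { rule = "OldestVM" }`) without `force_deletion_enabled` fails at plan time with an unsupported-attribute error, even though the provider treats that argument as optional. `rule = try(each.value.scale_in.rule, null)` and `force_deletion_enabled = try(each.value.scale_in.force_deletion_enabled, null)` keep the block lenient and consistent with the surrounding `try(...)` style. The same applies to the `vmss_autoscaled` hunk below and to the Windows scale set in the next file. The legacy `scale_in_policy` setting is now silently ignored rather than mapped to `scale_in.rule`, which deserves a migration note. Both enclosing resources start and end outside the hunks.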
diff --git a/modules/compute/virtual_machine_scale_set/vmss_windows.tf b/modules/compute/virtual_machine_scale_set/vmss_windows.tf index da89d19529..3f70634d27 100644 --- a/modules/compute/virtual_machine_scale_set/vmss_windows.tf +++ b/modules/compute/virtual_machine_scale_set/vmss_windows.tf @@ -76,7 +76,13 @@ resource "azurerm_windows_virtual_machine_scale_set" "vmss" { priority = try(each.value.priority, null) provision_vm_agent = try(each.value.provision_vm_agent, true) proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null) - scale_in_policy = try(each.value.scale_in_policy, null) + dynamic "scale_in" { + for_each = can(each.value.scale_in) ? [1] : [] + content { + rule = each.value.scale_in.rule + force_deletion_enabled = each.value.scale_in.force_deletion_enabled + } + } zone_balance = try(each.value.zone_balance, null) zones = try(each.value.zones, null) single_placement_group = try(each.value.single_placement_group, null) From 9b8ed88041366b7cd08522a96cac0956d465a8ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:55:54 +0100 Subject: [PATCH 33/60] refactor(cosmos_dbs): update partition_key_paths in sql_database.tf to upgrade hashicorp/azurerm to 4.7.0 --- modules/databases/cosmos_dbs/sql_database/sql_database.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/databases/cosmos_dbs/sql_database/sql_database.tf b/modules/databases/cosmos_dbs/sql_database/sql_database.tf index 196f51420a..0b0eb22426 100644 --- a/modules/databases/cosmos_dbs/sql_database/sql_database.tf +++ b/modules/databases/cosmos_dbs/sql_database/sql_database.tf 
@@ -31,7 +31,7 @@ resource "azurerm_cosmosdb_sql_container" "container" {
 resource_group_name = var.resource_group_name
 account_name = var.cosmosdb_account_name
 database_name = azurerm_cosmosdb_sql_database.database.name
- partition_key_path = each.value.partition_key_path
+ partition_key_paths = each.value.partition_key_paths
 # Note : throughput and autoscale_settings conflict and autoscale_settings will take precedence if set
 throughput = try(each.value.autoscale_settings, null) != null ? null : each.value.throughput
 default_ttl = try(each.value.default_ttl, -1)
From be25227fd16cdb61e2408483306717c006c06bb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?=
Date: Wed, 30 Oct 2024 10:57:57 +0100
Subject: [PATCH 34/60] refactor(data_explorer): update language_extensions in kusto_clusters/module.tf to upgrade hashicorp/azurerm to 4.7.0
---
 .../data_explorer/kusto_clusters/module.tf | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/modules/databases/data_explorer/kusto_clusters/module.tf b/modules/databases/data_explorer/kusto_clusters/module.tf
index 4a7ad9ffbf..120e246c54 100644
--- a/modules/databases/data_explorer/kusto_clusters/module.tf
+++ b/modules/databases/data_explorer/kusto_clusters/module.tf
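Review bot: `partition_key_paths = each.value.partition_key_paths` reads only the new key, so a container still defined with the old `partition_key_path` string fails at plan with an unsupported-attribute error; that is at least loud, but a compatibility shim is cheap: `partition_key_paths = try(each.value.partition_key_paths, [each.value.partition_key_path])`. The azurerm_cosmosdb_sql_container resource starts and ends outside the hunk.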
@@ -43,7 +43,18 @@ resource "azurerm_kusto_cluster" "kusto" { data_management_public_ip_id = try(virtual_network_configuration.value.data_management_public_ip.key, null) == null ? null : try(var.combined_resources.pips[try(virtual_network_configuration.value.data_management_public_ip.lz_key, var.client_config.landingzone_key)][virtual_network_configuration.value.data_management_public_ip.key].id, null) } } - language_extensions = try(var.settings.language_extensions, null) + #language_extensions = try(var.settings.language_extensions, null) + #In v4.0.0 and later version of the AzureRM Provider, language_extensions will be changed to a list of language_extension block. In each block, name and image are required. name is the name of the language extension, possible values are PYTHON, R. image is the image of the language extension, possible values are Python3_6_5, Python3_10_8 and R. + dynamic "language_extensions" { + for_each = try(var.settings.language_extensions, null) != null ? [var.settings.language_extensions] : [] + + content { + name = language_extensions.value.name + image = language_extensions.value.image + } + } + + dynamic "optimized_auto_scale" { for_each = try(var.settings.optimized_auto_scale, null) != null ? [var.settings.optimized_auto_scale] : [] @@ -54,7 +65,6 @@ resource "azurerm_kusto_cluster" "kusto" { } trusted_external_tenants = try(var.settings.trusted_external_tenants, null) zones = try(var.settings.zones, null) - engine = try(var.settings.engine, null) auto_stop_enabled = try(var.settings.auto_stop_enabled, null) public_network_access_enabled = try(var.settings.public_network_access_enabled, null) tags = local.tags From 5a02329cfeafd8226d36123ec4a9f026c93059e3 Mon Sep 17 00:00:00 2001 
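Review bot: The `for_each` of the new `language_extensions` block wraps the whole setting in a single-element list, `[var.settings.language_extensions]`, so `language_extensions.value` is the entire setting rather than one extension; with a list of `{ name, image }` objects — which the added comment itself describes as the 4.x shape — `language_extensions.value.name` fails, and only a single extension can ever be expressed. `for_each = try(var.settings.language_extensions, [])` iterates the entries directly and lets the `content` block stay as written. The commented-out `#language_extensions = ...` line and the long explanatory comment would read better as a short entry in the module README or the `settings` variable description. The azurerm_kusto_cluster resource starts and ends outside these hunks.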
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:58:27 +0100 Subject: [PATCH 35/60] refactor(mssql_server): remove unused readonly_endpoint_failover_policy block in failover_group.tf to upgrade hashicorp/azurerm to 4.7.0 --- .../mssql_server/failover_group/failover_group.tf | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/modules/databases/mssql_server/failover_group/failover_group.tf b/modules/databases/mssql_server/failover_group/failover_group.tf index f7590dde91..444c943d4b 100644 --- a/modules/databases/mssql_server/failover_group/failover_group.tf +++ b/modules/databases/mssql_server/failover_group/failover_group.tf @@ -22,11 +22,5 @@ resource "azurerm_mssql_failover_group" "failover_group" { grace_minutes = var.settings.read_write_endpoint_failover_policy.mode == "Automatic" ? var.settings.read_write_endpoint_failover_policy.grace_minutes : null } - dynamic "readonly_endpoint_failover_policy" { - for_each = lookup(var.settings, "readonly_endpoint_failover_policy", {}) == {} ? [] : [1] - - content { - mode = var.settings.readonly_endpoint_failover_policy.mode - } - } + readonly_endpoint_failover_policy_enabled = try(var.settings.readonly_endpoint_failover_policy_enabled,null) } \ No newline at end of file From b449e17cf386dd38398572facdaf54c78b303047 Mon Sep 17 00:00:00 2001 
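Review bot: `readonly_endpoint_failover_policy_enabled = try(var.settings.readonly_endpoint_failover_policy_enabled,null)` reads only the new key, so a configuration that still carries the old `readonly_endpoint_failover_policy { mode = "Enabled" }` shape silently loses read-only endpoint failover rather than failing the plan. Mapping the old shape keeps existing inputs working: `readonly_endpoint_failover_policy_enabled = try(var.settings.readonly_endpoint_failover_policy_enabled, var.settings.readonly_endpoint_failover_policy.mode == "Enabled", null)`. A space after the comma would match the rest of the file, and `terraform fmt` would also restore the trailing newline the hunk removes.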
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:59:21 +0100 Subject: [PATCH 36/60] refactor(servicebus): remove network rule set configuration to upgrade hashicorp/azurerm to 4.7.0 --- .../namespace/network_rule_set/main.tf | 8 -------- .../network_rule_set/network_rule_set.tf | 16 ---------------- .../namespace/network_rule_set/output.tf | 4 ---- .../namespace/network_rule_set/variables.tf | 13 ------------- 4 files changed, 41 deletions(-) delete mode 100644 modules/messaging/servicebus/namespace/network_rule_set/main.tf delete mode 100644 modules/messaging/servicebus/namespace/network_rule_set/network_rule_set.tf delete mode 100644 modules/messaging/servicebus/namespace/network_rule_set/output.tf delete mode 100644 modules/messaging/servicebus/namespace/network_rule_set/variables.tf diff --git a/modules/messaging/servicebus/namespace/network_rule_set/main.tf b/modules/messaging/servicebus/namespace/network_rule_set/main.tf deleted file mode 100644 index 6c3801cbd3..0000000000 --- a/modules/messaging/servicebus/namespace/network_rule_set/main.tf +++ /dev/null @@ -1,8 +0,0 @@ -terraform { - required_providers { - azurecaf = { - source = "aztfmod/azurecaf" - } - } - -} diff --git a/modules/messaging/servicebus/namespace/network_rule_set/network_rule_set.tf b/modules/messaging/servicebus/namespace/network_rule_set/network_rule_set.tf deleted file mode 100644 index 9baeeda211..0000000000 --- a/modules/messaging/servicebus/namespace/network_rule_set/network_rule_set.tf +++ /dev/null 
@@ -1,16 +0,0 @@ -resource "azurerm_servicebus_namespace_network_rule_set" "rule_set" { - namespace_id = var.remote_objects.servicebus_namespace_id - # resource_group_name = var.remote_objects.resource_group_name - default_action = try(var.settings.default_action, null) - public_network_access_enabled = try(var.settings.public_network_access_enabled, null) - trusted_services_allowed = try(var.settings.trusted_services_allowed, null) - ip_rules = try(var.settings.ip_rules, null) - - dynamic "network_rules" { - for_each = try(var.settings.subnets, {}) - content { - subnet_id = can(network_rules.value.id) ? network_rules.value.id : var.remote_objects.vnets[try(network_rules.value.lz_key, var.client_config.landingzone_key)][network_rules.value.vnet_key].subnets[network_rules.value.subnet_key].id - ignore_missing_vnet_service_endpoint = try(network_rules.value.ignore_missing_vnet_service_endpoint, null) - } - } -} diff --git a/modules/messaging/servicebus/namespace/network_rule_set/output.tf b/modules/messaging/servicebus/namespace/network_rule_set/output.tf deleted file mode 100644 index 52dac51c79..0000000000 --- a/modules/messaging/servicebus/namespace/network_rule_set/output.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "The ID of the Namespace network rule set" - value = azurerm_servicebus_namespace_network_rule_set.rule_set.id -} diff --git a/modules/messaging/servicebus/namespace/network_rule_set/variables.tf b/modules/messaging/servicebus/namespace/network_rule_set/variables.tf deleted file mode 100644 index a397e1002c..0000000000 --- a/modules/messaging/servicebus/namespace/network_rule_set/variables.tf +++ /dev/null 
@@ -1,13 +0,0 @@ -variable "global_settings" { - description = "Global settings object (see module README.md)" -} -variable "client_config" { - description = "Client configuration object (see module README.md)." -} -variable "settings" { - description = "(Required) The configuration for each module" -} -variable "remote_objects" { - description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." - default = {} -} From 28d3fe64819f9b4bd39d024f920e923beff7331b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:59:34 +0100 Subject: [PATCH 37/60] refactor(servicebus): remove network rule set configuration to upgrade hashicorp/azurerm to 4.7.0 --- .../messaging/servicebus/namespace/namespace.tf | 16 ++++++++++++++++ .../namespace/namespace_network_rule_sets.tf | 15 --------------- 2 files changed, 16 insertions(+), 15 deletions(-) delete mode 100644 modules/messaging/servicebus/namespace/namespace_network_rule_sets.tf diff --git a/modules/messaging/servicebus/namespace/namespace.tf b/modules/messaging/servicebus/namespace/namespace.tf index d20da06b6f..39829695b3 100644 --- a/modules/messaging/servicebus/namespace/namespace.tf +++ b/modules/messaging/servicebus/namespace/namespace.tf 
@@ -23,4 +23,20 @@ resource "azurerm_servicebus_namespace" "namespace" { premium_messaging_partitions = try(var.settings.premium_messaging_partitions, null) location = local.location resource_group_name = local.resource_group_name + dynamic "network_rule_set" { + for_each = try(var.settings.network_rule_sets, {}) + content { + default_action = try(network_rule_set.value.default_action, null) + public_network_access_enabled = try(network_rule_set.value.public_network_access_enabled, null) + trusted_services_allowed = try(network_rule_set.value.trusted_services_allowed, null) + ip_rules = try(network_rule_set.value.ip_rules, null) + dynamic "network_rules" { + for_each = try(network_rule_set.value.subnets, {}) + content { + subnet_id = can(network_rules.value.id) ? network_rules.value.id : var.remote_objects.vnets[try(network_rules.value.lz_key, var.client_config.landingzone_key)][network_rules.value.vnet_key].subnets[network_rules.value.subnet_key].id + ignore_missing_vnet_service_endpoint = try(network_rules.value.ignore_missing_vnet_service_endpoint, null) + } + } + } } +} \ No newline at end of file diff --git a/modules/messaging/servicebus/namespace/namespace_network_rule_sets.tf b/modules/messaging/servicebus/namespace/namespace_network_rule_sets.tf deleted file mode 100644 index f7eb1756de..0000000000 --- a/modules/messaging/servicebus/namespace/namespace_network_rule_sets.tf +++ /dev/null @@ -1,15 +0,0 @@ -module "network_rule_sets" { - source = "./network_rule_set" - for_each = try(var.settings.network_rule_sets, {}) - - global_settings = var.global_settings - client_config = var.client_config - settings = each.value - - remote_objects = { - servicebus_namespace_id = azurerm_servicebus_namespace.namespace.id - resource_group_name = local.resource_group_name - vnets = var.remote_objects.vnets - } - -} \ No newline at end of file From 82fdfac020ae255194b94c6beebe5aceb77ea971 Mon Sep 17 00:00:00 2001 
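Review bot: `for_each = try(var.settings.network_rule_sets, {})` emits one `network_rule_set` block per map entry, but the azurerm_servicebus_namespace resource appears to accept at most one such block, so the keyed-map shape inherited from the old submodule now fails at plan as soon as a second entry exists; either document that only one entry is allowed or add a `precondition` that `length(try(var.settings.network_rule_sets, {})) <= 1`. Operationally, replacing the standalone `azurerm_servicebus_namespace_network_rule_set` resource (deleted in this patch) with an inline block means the old resource is destroyed and the namespace updated in the same apply with no ordering guarantee; if the destroy runs last it may reset the namespace's network rules to the open default, so this migration deserves a careful plan review and an entry in the upgrade notes. The namespace resource starts outside the hunk.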
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 10:59:50 +0100 Subject: [PATCH 38/60] refactor(servicebus): update queue settings to match new configuration keys to upgrade hashicorp/azurerm to 4.7.0 --- modules/messaging/servicebus/queue/queue.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/messaging/servicebus/queue/queue.tf b/modules/messaging/servicebus/queue/queue.tf index 7000863064..5fa545c605 100644 --- a/modules/messaging/servicebus/queue/queue.tf +++ b/modules/messaging/servicebus/queue/queue.tf @@ -13,9 +13,9 @@ resource "azurerm_servicebus_queue" "queue" { dead_lettering_on_message_expiration = try(var.settings.dead_lettering_on_message_expiration, null) default_message_ttl = try(var.settings.default_message_ttl, null) duplicate_detection_history_time_window = try(var.settings.duplicate_detection_history_time_window, null) - enable_batched_operations = try(var.settings.enable_batched_operations, null) - enable_express = try(var.settings.enable_express, null) - enable_partitioning = try(var.settings.enable_partitioning, null) + batched_operations_enabled = try(var.settings.batched_operations_enabled, null) + express_enabled = try(var.settings.express_enabled, null) + partitioning_enabled = try(var.settings.partitioning_enabled, null) lock_duration = try(var.settings.lock_duration, null) max_delivery_count = try(var.settings.max_delivery_count, null) max_size_in_megabytes = try(var.settings.max_size_in_megabytes, null) From 417f54a6ee9a6b5b6d0d0bfa904e91973e723e5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 11:00:09 +0100 Subject: [PATCH 39/60] refactor(servicebus): update batched operations configuration in subscription and topic modules to upgrade hashicorp/azurerm to 4.7.0 --- .../messaging/servicebus/topic/subscription/subscription.tf | 2 +- modules/messaging/servicebus/topic/topic.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/modules/messaging/servicebus/topic/subscription/subscription.tf b/modules/messaging/servicebus/topic/subscription/subscription.tf index 22bc5dfe04..27a080ceb4 100644 --- a/modules/messaging/servicebus/topic/subscription/subscription.tf +++ b/modules/messaging/servicebus/topic/subscription/subscription.tf @@ -20,7 +20,7 @@ resource "azurerm_servicebus_subscription" "subscription" { lock_duration = try(var.settings.lock_duration, null) dead_lettering_on_message_expiration = try(var.settings.dead_lettering_on_message_expiration, null) dead_lettering_on_filter_evaluation_error = try(var.settings.dead_lettering_on_filter_evaluation_error, null) - enable_batched_operations = try(var.settings.enable_batched_operations, null) + batched_operations_enabled = try(var.settings.batched_operations_enabled, null) requires_session = try(var.settings.requires_session, null) status = try(var.settings.status, null) diff --git a/modules/messaging/servicebus/topic/topic.tf b/modules/messaging/servicebus/topic/topic.tf index f94a2b6fe1..a876515a68 100644 --- a/modules/messaging/servicebus/topic/topic.tf +++ b/modules/messaging/servicebus/topic/topic.tf 
@@ -12,9 +12,9 @@ resource "azurerm_servicebus_topic" "topic" { auto_delete_on_idle = try(var.settings.auto_delete_on_idle, null) default_message_ttl = try(var.settings.default_message_ttl, null) duplicate_detection_history_time_window = try(var.settings.duplicate_detection_history_time_window, null) - enable_batched_operations = try(var.settings.enable_batched_operations, null) - enable_express = try(var.settings.enable_express, null) - enable_partitioning = try(var.settings.enable_partitioning, null) + batched_operations_enabled = try(var.settings.batched_operations_enabled, null) + express_enabled = try(var.settings.express_enabled, null) + partitioning_enabled = try(var.settings.partitioning_enabled, null) max_size_in_megabytes = try(var.settings.max_size_in_megabytes, null) max_message_size_in_kilobytes = try(var.settings.max_message_size_in_kilobytes, null) name = azurecaf_name.topic.result From 0a82f65e0ad002acb1f9cc63e628026c2f8145ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 11:00:19 +0100 Subject: [PATCH 40/60] refactor(monitoring): update location configuration in activity log alert module to upgrade hashicorp/azurerm to 4.7.0 --- modules/monitoring/monitor_activity_log_alert/main.tf | 1 + modules/monitoring/monitor_activity_log_alert/module.tf | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/monitoring/monitor_activity_log_alert/main.tf b/modules/monitoring/monitor_activity_log_alert/main.tf index 836b88d404..0dfc2e215f 100644 --- a/modules/monitoring/monitor_activity_log_alert/main.tf +++ b/modules/monitoring/monitor_activity_log_alert/main.tf @@ -11,4 +11,5 @@ locals { "module" = basename(abspath(path.module)) } tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null)) + location = coalesce(var.settings.location, var.resource_group_name.location) } 
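Review bot: `location = coalesce(var.settings.location, var.resource_group_name.location)` in the monitor_activity_log_alert locals hunk cannot evaluate: module.tf passes `var.resource_group_name` straight to the string argument `resource_group_name`, so `.location` on it is an unsupported attribute, and `coalesce` itself errors when `var.settings.location` is unset because nothing guards it with `try`. Activity log alerts are global resources, so `location = try(var.settings.location, "global")` gives the argument a working default while keeping the settings override; the `location = local.location` line added in the next file then works as intended. The locals block starts outside the hunk.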
diff --git a/modules/monitoring/monitor_activity_log_alert/module.tf b/modules/monitoring/monitor_activity_log_alert/module.tf index a2b2ec515a..c9fca72549 100644 --- a/modules/monitoring/monitor_activity_log_alert/module.tf +++ b/modules/monitoring/monitor_activity_log_alert/module.tf @@ -11,6 +11,7 @@ resource "azurecaf_name" "mala" { resource "azurerm_monitor_activity_log_alert" "mala" { name = azurecaf_name.mala.result resource_group_name = var.resource_group_name + location = local.location scopes = try(flatten([ for key, value in var.settings.scopes : coalesce( try(var.remote_objects[value.resource_type][value.lz_key][value.lz_key][value.key].id, null), From 4a2f91d8c81f4b1405f524603f65dfd0bb73b49e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 11:00:33 +0100 Subject: [PATCH 41/60] refactor(networking): remove resource_group_name from vpn_gateway_nat_rule module to upgrade hashicorp/azurerm to 4.7.0 --- modules/networking/vpn_gateway_nat_rule/module.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/networking/vpn_gateway_nat_rule/module.tf b/modules/networking/vpn_gateway_nat_rule/module.tf index cdd05f3523..558711eabc 100644 --- a/modules/networking/vpn_gateway_nat_rule/module.tf +++ b/modules/networking/vpn_gateway_nat_rule/module.tf @@ -1,6 +1,5 @@ resource "azurerm_vpn_gateway_nat_rule" "vpn_gateway_nat_rule" { name = var.settings.name - resource_group_name = var.resource_group_name vpn_gateway_id = var.vpn_gateway_id ip_configuration_id = try(var.settings.ip_configuration_id, null) From 8bae0e29e65ba39f3a1960b4e6d9a20c0adebed8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 11:01:17 +0100 Subject: [PATCH 42/60] refactor(webapps): update azurerm_app_service_environment to v3 in ase module to upgrade hashicorp/azurerm to 4.7.0 --- modules/webapps/ase/module.tf | 2 +- modules/webapps/ase/output.tf | 6 +++--- modules/webapps/ase/private_dns_records.tf | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/webapps/ase/module.tf b/modules/webapps/ase/module.tf index a1f23731ec..35857d8680 100644 --- a/modules/webapps/ase/module.tf +++ b/modules/webapps/ase/module.tf @@ -46,7 +46,7 @@ resource "null_resource" "destroy_ase" { } -data "azurerm_app_service_environment" "ase" { +data "azurerm_app_service_environment_v3" "ase" { depends_on = [azurerm_resource_group_template_deployment.ase] name = azurecaf_name.ase.result diff --git a/modules/webapps/ase/output.tf b/modules/webapps/ase/output.tf index a956891bf2..f551b29575 100644 --- a/modules/webapps/ase/output.tf +++ b/modules/webapps/ase/output.tf @@ -1,5 +1,5 @@ output "id" { - value = data.azurerm_app_service_environment.ase.id + value = data.azurerm_app_service_environment_v3.ase.id description = "App Service Environment Resource Id" } @@ -8,8 +8,8 @@ output "name" { description = "App Service Environment Name" } -output "ilb_ip" { - value = data.azurerm_app_service_environment.ase.internal_ip_address +output "internal_inbound_ip_addresses" { + value = data.azurerm_app_service_environment_v3.ase.internal_inbound_ip_addresses } output "subnet_id" { diff --git a/modules/webapps/ase/private_dns_records.tf b/modules/webapps/ase/private_dns_records.tf index f445f179ff..8e379f13d7 100644 --- a/modules/webapps/ase/private_dns_records.tf +++ b/modules/webapps/ase/private_dns_records.tf 
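Review bot: Renaming the output `ilb_ip` to `internal_inbound_ip_addresses` in output.tf, and changing it from a single address to a list, is a breaking change for every consumer of `module.ase.ilb_ip`, and the commit message does not call it out. Keeping an `ilb_ip` output whose value is `try(data.azurerm_app_service_environment_v3.ase.internal_inbound_ip_addresses[0], null)` alongside the new output would preserve compatibility until callers migrate. The switch to the `azurerm_app_service_environment_v3` data source in module.tf itself looks right for 4.x.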
@@ -6,7 +6,7 @@ resource "azurerm_private_dns_a_record" "a_records" {
 resource_group_name = lookup(each.value, "lz_key", null) == null ? var.private_dns[each.value.private_dns_key].resource_group_name : var.private_dns[each.value.lz_key][each.value.private_dns_key].resource_group_name
 zone_name = lookup(each.value, "lz_key", null) == null ? var.private_dns[each.value.private_dns_key].name : var.private_dns[each.value.lz_key][each.value.private_dns_key].name
 ttl = each.value.ttl
- records = [data.azurerm_app_service_environment.ase.internal_ip_address]
+ records = [data.azurerm_app_service_environment_v3.ase.internal_inbound_ip_addresses]
 tags = merge(try(each.value.tags, {}), local.tags)
 lifecycle {
From f4b2a634d42f91f3406b3075a6055113aa8adf12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?=
Date: Wed, 30 Oct 2024 11:02:44 +0100
Subject: [PATCH 43/60] refactor(database): consolidate mysql server configurations
The commit consolidates the MySQL flexible server configurations into a single object, `mysql_flexible_servers`, across all Terraform files. This change simplifies the management of MySQL servers and reduces redundancy in configuration.
---
 local.remote_objects.tf | 4 +---
 locals.combined_objects.tf | 3 +--
 locals.tf | 4 ++--
 mysql_flexible_servers.tf | 8 ++++----
 4 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/local.remote_objects.tf b/local.remote_objects.tf
index 337db99627..d18c3399f5 100644
--- a/local.remote_objects.tf
+++ b/local.remote_objects.tf
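Review bot: `records = [data.azurerm_app_service_environment_v3.ase.internal_inbound_ip_addresses]` wraps a list attribute in another list, so `records` — a set of strings — receives a list of lists and the plan fails with a type error. The data source attribute is already the collection the A record needs: `records = data.azurerm_app_service_environment_v3.ase.internal_inbound_ip_addresses`. The a_records resource starts and ends outside the hunk.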
@@ -68,7 +68,6 @@ locals { express_route_circuits = try(local.combined_objects_express_route_circuits, null) front_door = try(local.combined_objects_front_door, null) front_door_waf_policies = try(local.combined_objects_front_door_waf_policies, null) - integration_service_environment = try(local.combined_objects_integration_service_environment, null) iot_security_solution = try(local.combined_objects_iot_security_solution, null) iot_security_device_group = try(local.combined_objects_iot_security_device_group, null) iot_central_application = try(local.combined_objects_iot_central_application, null) @@ -100,8 +99,7 @@ locals { mssql_managed_instances = try(local.combined_objects_mssql_managed_instances, null) mssql_managed_instances_secondary = try(local.combined_objects_mssql_managed_instances_secondary, null) mssql_servers = try(local.combined_objects_mssql_servers, null) - mysql_servers = try(local.combined_objects_mysql_servers, null) - mysql_flexible_server = try(local.combined_objects_mysql_flexible_server, null) + mysql_flexible_servers = try(local.combined_objects_mysql_flexible_servers, null) nat_gateways = try(local.combined_objects_nat_gateways, null) network_security_groups = try(local.combined_objects_network_security_groups, null) network_watchers = try(local.combined_objects_network_watchers, null) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 95383a9360..01bfe161d6 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
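Review bot: The first hunk also drops `integration_service_environment` from the remote objects map, which the commit message (MySQL consolidation) does not mention and which silently breaks any landing zone that still exports that key. If the removal is deliberate because the resource no longer exists in azurerm 4.x, state that in the message or move it to its own commit; otherwise restore the line. Likewise, removing `mysql_servers` means remote state produced by older versions that still publish `mysql_servers` is no longer reachable through `local.remote_objects`, which is worth a line in the message as a migration note.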
@@ -125,8 +125,7 @@ locals { combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, lookup(var.data_sources, "mssql_managed_instances", {})) }), lookup(var.remote_objects, "mssql_managed_instances", {}), lookup(var.data_sources, "mssql_managed_instances", {})) combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, lookup(var.data_sources, "mssql_managed_instances_secondary", {})) }), lookup(var.remote_objects, "mssql_managed_instances_secondary", {}), lookup(var.remote_objects, "mssql_managed_instances_secondary", {})) combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, lookup(var.data_sources, "mssql_servers", {})) }), lookup(var.remote_objects, "mssql_servers", {})) - combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), lookup(var.remote_objects, "mysql_flexible_server", {})) - combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), lookup(var.remote_objects, "mysql_servers", {}), lookup(var.data_sources, "mysql_servers", {})) + combined_objects_mysql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_servers }), lookup(var.remote_objects, "mysql_flexible_servers", {})) combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), lookup(var.remote_objects, "nat_gateways", {}), lookup(var.data_sources, "nat_gateways", {})) combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), lookup(var.remote_objects, "network_profiles", {})) 
combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), lookup(var.remote_objects, "network_security_groups", {}), lookup(var.data_sources, "network_security_groups", {})) diff --git a/locals.tf b/locals.tf index 3545074e64..496694fad5 100644 --- a/locals.tf +++ b/locals.tf @@ -145,11 +145,11 @@ locals { mssql_mi_tdes = try(var.database.mssql_mi_tdes, {}) mssql_servers = try(var.database.mssql_servers, {}) mysql_databases = try(var.database.mysql_databases, {}) - mysql_servers = try(var.database.mysql_servers, {}) + mysql_flexible_servers = try(var.database.mysql_flexible_servers, {}) postgresql_flexible_servers = try(var.database.postgresql_flexible_servers, {}) postgresql_servers = try(var.database.postgresql_servers, {}) synapse_workspaces = try(var.database.synapse_workspaces, {}) - mysql_flexible_server = try(var.database.mysql_flexible_server, {}) + data_explorer = { kusto_clusters = try(var.database.data_explorer.kusto_clusters, {}) diff --git a/mysql_flexible_servers.tf b/mysql_flexible_servers.tf index afdcc69bee..2ea51162a1 100644 --- a/mysql_flexible_servers.tf +++ b/mysql_flexible_servers.tf @@ -1,12 +1,12 @@ -output "mysql_flexible_server" { - value = module.mysql_flexible_server +output "mysql_flexible_servers" { + value = module.mysql_flexible_servers } -module "mysql_flexible_server" { +module "mysql_flexible_servers" { source = "./modules/databases/mysql_flexible_server" depends_on = [module.keyvaults, module.networking] - for_each = local.database.mysql_flexible_server + for_each = local.database.mysql_flexible_servers global_settings = local.global_settings client_config = local.client_config From 885784b7d870620144e8c9ca62f505b2b4e08c35 Mon Sep 17 00:00:00 2001 
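Review bot: `combined_objects_mysql_flexible_servers` merges only `var.remote_objects`, whereas the `mysql_servers` entry it replaces also merged `lookup(var.data_sources, "mysql_servers", {})`, so referencing a pre-existing flexible server through `data_sources` is no longer possible. For consistency with the neighbouring `mssql_servers` and `nat_gateways` entries, add the third argument: `lookup(var.data_sources, "mysql_flexible_servers", {})`.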
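Review bot: In the locals.tf hunk `mysql_databases` remains in `local.database` while `mysql_servers` is removed; if the mysql_databases module resolves its parent server through the old `mysql_servers` objects (its code is not visible here), the plan will now fail on an unknown local or key. Either migrate `mysql_databases` to `mysql_flexible_servers` in this commit or confirm it already targets the flexible-server objects, and say which in the commit message.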
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 14:09:03 +0100 Subject: [PATCH 44/60] feat(cognitive_services): update cognitive services configuration and deployment settings This commit updates the cognitive services configuration and deployment settings. The changes include: 1. Renaming of the `scale` object to `sku` in the cognitive deployment settings. 2. Changing the default model name from "gpt4-listillo" to "gpt4". 3. Updating the default model version from "1106-Preview" to "turbo-2024-04-09". 4. Adding new variables for "cognitive_account_customer_managed_key" and "cognitive_deployment" in the module.tf file. 5. Modifying the custom_subdomain_name attribute in the cognitive_service_account.tf file to use a try function. These changes aim to improve the flexibility and configurability of the cognitive services deployment. --- .../configuration.tfvars | 14 ++++++---- .../configuration.tfvars | 19 ++++++++----- examples/module.tf | 4 ++- examples/variables.tf | 7 +++++ .../cognitive_deployment.tf | 12 ++++---- .../cognitive_deployment/variables.tf | 28 +++++++++---------- .../cognitive_service_account.tf | 2 +- 7 files changed, 52 insertions(+), 34 deletions(-) diff --git a/examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars b/examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars index 3c517b2583..4aa6ebf4ef 100644 --- a/examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars +++ b/examples/cognitive_services/200-cognitive-services-account-OpenAI/configuration.tfvars 
@@ -37,16 +37,20 @@ cognitive_services_account = { cognitive_deployment = { openai_deployment-1 = { - name = "gpt4-listillo" + name = "gpt4" cognitive_account_key = "openai_account-1" - #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + #Check https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions + #Check https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions#global-standard-model-availability model = { format = "OpenAI" name = "gpt-4" - version = "1106-Preview" + version = "turbo-2024-04-09" + } - scale = { - type = "Standard" + sku = { + name = "Standard" + capacity = 1 } } } diff --git a/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars b/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars index 6226ff196b..1e72f7d212 100644 --- a/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars +++ b/examples/cognitive_services/300-cognitive-services-account-OpenAI-private-endpoint/configuration.tfvars 
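Review bot: The `#cognitive_account_id` line is removed and re-added with no visible difference (presumably trailing whitespace), and the two `#Check` comments point at the same document, the second only adding a fragment; drop the whitespace-only churn and collapse the comments to one line such as `# Model/version availability per region: https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models`. Since `version = "turbo-2024-04-09"` is a dated model snapshot, a short note that the version should be checked against Azure's model retirement schedule before copying the example would also help.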
@@ -70,16 +70,20 @@ cognitive_services_account = { cognitive_deployment = { openai_deployment-1 = { - name = "gpt4-listillo" + name = "gpt4" cognitive_account_key = "openai_account-1" #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + #Check https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions + #Check https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions#global-standard-model-availability model = { - format = "OpenAI" - name = "gpt-4" - version = "1106-Preview" + format = "OpenAI" + name = "gpt-4" + version = "turbo-2024-04-09" + } - scale = { - type = "Standard" + sku = { + name = "Standard" + capacity = 1 } } } @@ -110,7 +114,8 @@ virtual_subnets = { private_endpoints = { name = "private-endpoint" cidr = ["172.33.2.0/24"] - enforce_private_link_endpoint_network_policies = true + #private_endpoint_network_policies = "Enabled" + private_endpoint_network_policies = "Enabled" vnet = { # id = "/subscriptions/xxxx-xxxx-xxxx-xxx/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet" # lz_key = "" diff --git a/examples/module.tf b/examples/module.tf index 88211f2e33..8b2daf5e27 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -86,7 +86,9 @@ module "example" { # } cognitive_services = { - cognitive_services_account = var.cognitive_services_account + cognitive_services_account = var.cognitive_services_account + cognitive_account_customer_managed_key = var.cognitive_account_customer_managed_key + cognitive_deployment = var.cognitive_deployment } communication = { communication_services = var.communication_services diff --git a/examples/variables.tf b/examples/variables.tf index df4005a009..b7d79fabee 100644 --- a/examples/variables.tf 
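Review bot: The leftover `#private_endpoint_network_policies = "Enabled"` comment directly above the live line in the virtual_subnets hunk is dead text and should be removed. More importantly, in azurerm 3.x `enforce_private_link_endpoint_network_policies = true` meant network policies were *disabled* on the subnet (the boolean was inverted), so if the vnet module forwards this value unchanged to `azurerm_subnet.private_endpoint_network_policies`, the like-for-like migration is `"Disabled"`, not `"Enabled"`. Enabling policies makes NSG and route-table rules apply to the private endpoint NIC in this subnet, which may be desirable hardening but is a behaviour change that should be stated deliberately in the commit. The module side is outside this diff; please confirm the mapping there.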
+++ b/examples/variables.tf @@ -667,6 +667,13 @@ variable "nat_gateways" { variable "cognitive_services_account" { default = {} } +variable "cognitive_account_customer_managed_key" { + default = {} +} +variable "cognitive_deployment" { + default = {} +} + variable "database_migration_services" { default = {} } diff --git a/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf b/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf index ad80045d09..c6ebfd0965 100644 --- a/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf +++ b/modules/cognitive_services/cognitive_deployment/cognitive_deployment.tf @@ -16,12 +16,12 @@ resource "azurerm_cognitive_deployment" "service" { name = var.settings.model.name version = try(var.settings.model.version, null) } - scale { - type = var.settings.scale.type - tier = try(var.settings.scale.tier, null) - size = try(var.settings.scale.size, null) - family = try(var.settings.scale.family, null) - capacity = try(var.settings.scale.capacity, null) + sku { + name = var.settings.sku.name + tier = try(var.settings.sku.tier, null) + size = try(var.settings.sku.size, null) + family = try(var.settings.sku.family, null) + capacity = try(var.settings.sku.capacity, 1) } rai_policy_name = try(var.settings.rai_policy_name, null) diff --git a/modules/cognitive_services/cognitive_deployment/variables.tf b/modules/cognitive_services/cognitive_deployment/variables.tf index b4ed105694..80ed98c56a 100644 --- a/modules/cognitive_services/cognitive_deployment/variables.tf +++ b/modules/cognitive_services/cognitive_deployment/variables.tf 
@@ -7,12 +7,12 @@ variable "settings" { - format: The format of the model. - name: The name of the model. - version: The version of the model. - - scale: The scale object is used to define the configuration of the scale. - - type: The type of the scale. - - tier: The tier of the scale. - - size: The size of the scale. - - family: The family of the scale. - - capacity: The capacity of the scale. + - sku: The sku object is used to define the configuration of the sku. + - name: The name of the sku. + - tier: The tier of the sku. + - size: The size of the sku. + - family: The family of the sku. + - capacity: The capacity of the sku. - rai_policy_name: The name of the RAI policy. - version_upgrade_option: The version upgrade option. Example Input: @@ -25,12 +25,12 @@ variable "settings" { name = "model-name" version = "model-version" } - scale = { - type = "scale-type" - tier = "scale-tier" - size = "scale-size" - family = "scale-family" - capacity = "scale-capacity" + sku = { + name = "sku-name" + tier = "sku-tier" + size = "sku-size" + family = "sku-family" + capacity = "sku-capacity" } rai_policy_name = "rai-policy-name" version_upgrade_option = "version-upgrade-option" @@ -47,8 +47,8 @@ DESCRIPTION name = string version = optional(string) }) - scale = object({ - type = string + sku = object({ + name = string tier = optional(string) size = optional(string) family = optional(string) diff --git a/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf index db66ce9830..d77ea10ca9 100644 --- a/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf +++ b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf 
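Review bot: The example input in the `settings` description lists `capacity = "sku-capacity"` as a string, while cognitive_deployment.tf passes `var.settings.sku.capacity` to the provider's numeric `capacity` argument and defaults it to `1`; change the example to `capacity = 1` so copying it does not produce a type mismatch. The `capacity` line of the `sku` object type is outside the hunk, so also check that it is declared `optional(number)` rather than `optional(string)`.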
@@ -18,7 +18,7 @@ resource "azurerm_cognitive_account" "service" { sku_name = var.settings.sku_name # all of `custom_subdomain_name,network_acls` must be specified - custom_subdomain_name = var.settings.custom_subdomain_name != null && length(var.settings.network_acls) > 0 ? var.settings.custom_subdomain_name : null + custom_subdomain_name = try(var.settings.custom_subdomain_name, null) dynamic_throttling_enabled = try(var.settings.dynamic_throttling_enabled, null) #checkov:skip=CKV2_AZURE_22:Ensure that Cognitive Services enables customer-managed key for encryption. This is a conditional resource dynamic "customer_managed_key" { From d7da8fa44c65cbdfd3c7b693b42010c019c02f53 Mon Sep 17 00:00:00 2001 
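Review bot: The comment `# all of custom_subdomain_name,network_acls must be specified` is now stale: the new line sets `custom_subdomain_name` independently of `network_acls`, so it describes a coupling the code no longer enforces. The provider still rejects a `network_acls` block without `custom_subdomain_name`, so the comment should say that instead, e.g. `# custom_subdomain_name is required by the provider whenever network_acls is set; it is optional otherwise`. The `network_acls` dynamic block that this depends on is outside the hunk, so confirm it still reads the same `var.settings` keys.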
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 14:09:31 +0100 Subject: [PATCH 45/60] refactor(examples): update private endpoint network policies in configuration.tfvars --- examples/app_config/101-private-link/configuration.tfvars | 2 +- .../103-automation-private-endpoints/configuration.tfvars | 2 +- .../101_basic_private_cluster/vnet.tfvars | 2 +- .../102_basic_public_cluster/vnet.tfvars | 2 +- .../101-single-cluster/networking.tfvars | 2 +- .../102-multi-nodepools/networking.tfvars | 2 +- .../103-multi-clusters/networking.tfvars | 4 ++-- .../104-private-cluster/networking.tfvars | 8 ++++---- .../105-cluster-usermsi/networking.tfvars | 2 +- .../107-agic-brownfield/networking.tfvars | 2 +- .../networking.tfvars | 2 +- .../109-single-cluster-istio/networking.tfvars | 2 +- .../networking.tfvars | 2 +- .../101-private-endpoint-cosmos-db/configuration.tfvars | 2 +- .../107-private-endpoint/configuration.tfvars | 2 +- examples/keyvault/101-keyvault-policies/keyvaults.tfvars | 2 +- .../machine_learning/101-aml-vnet/networking_spoke.tfvars | 2 +- .../configuration.tfvars | 4 ++-- .../102-advanced-mysql-flexible/configuration.tfvars | 4 ++-- .../configuration.tfvars | 2 +- .../endpoints/static_ip/configuration.tfvars | 2 +- .../101-vnet-peering-nsg/virtual_networks.tfvars | 4 ++-- .../103-vnet-peering-v1/configuration.tfvars | 4 ++-- .../200-nsg-flow-logs/configuration.tfvars | 2 +- .../201-nsg-flow-logs-v1/configuration.tfvars | 2 +- .../202-network_watchers/configuration.tfvars | 2 +- .../configurations.tfvars | 4 ++-- .../configurations.tfvars | 4 ++-- .../104-private-endpoint/configuration.tfvars | 2 +- .../101-purview_account_private_link/configuration.tfvars | 2 +- 30 files changed, 40 insertions(+), 40 deletions(-) diff --git a/examples/app_config/101-private-link/configuration.tfvars b/examples/app_config/101-private-link/configuration.tfvars index 877c397bf8..ef5c5fbcf3 100755 --- a/examples/app_config/101-private-link/configuration.tfvars 
+++ b/examples/app_config/101-private-link/configuration.tfvars @@ -55,7 +55,7 @@ vnets = { private_link = { name = "private-links" cidr = ["10.1.100.128/26"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/automation/103-automation-private-endpoints/configuration.tfvars b/examples/automation/103-automation-private-endpoints/configuration.tfvars index 2dc4b16d10..7969b3e8c4 100644 --- a/examples/automation/103-automation-private-endpoints/configuration.tfvars +++ b/examples/automation/103-automation-private-endpoints/configuration.tfvars @@ -74,7 +74,7 @@ vnets = { auto_subnet = { name = "auto-subnet" cidr = ["10.150.102.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars index 65746d4fa8..1271155462 100644 --- a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars +++ b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/vnet.tfvars @@ -11,7 +11,7 @@ vnets = { cidr = ["10.1.1.0/24"] service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"] enforce_private_link_service_network_policies = true - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } subnet2 = { name = "worker" diff --git a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars index 65746d4fa8..1271155462 100644 --- a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars +++ b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/vnet.tfvars 
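Review bot: Across this patch every `enforce_private_link_endpoint_network_policies = true` becomes `private_endpoint_network_policies = "Enabled"`, but in azurerm 3.x that boolean was inverted: `true` disabled private-endpoint network policies on the subnet. If the vnet module forwards the key unchanged to `azurerm_subnet`, the behaviour-preserving value is `"Disabled"`, and `"Enabled"` now subjects every private endpoint in these subnets to NSG and route-table evaluation. That may be the intended hardening, but then the commit message should say so, and the examples that attach an NSG to the private-endpoint subnet (e.g. the nsg-flow-logs ones) need rules that still permit traffic to the endpoint. The module mapping is outside this diff; please confirm it before merging.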
@@ -11,7 +11,7 @@ vnets = { cidr = ["10.1.1.0/24"] service_endpoints = ["Microsoft.ContainerRegistry", "Microsoft.Storage"] enforce_private_link_service_network_policies = true - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } subnet2 = { name = "worker" diff --git a/examples/compute/kubernetes_services/101-single-cluster/networking.tfvars b/examples/compute/kubernetes_services/101-single-cluster/networking.tfvars index b8ed1dda00..63152772c6 100644 --- a/examples/compute/kubernetes_services/101-single-cluster/networking.tfvars +++ b/examples/compute/kubernetes_services/101-single-cluster/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/compute/kubernetes_services/102-multi-nodepools/networking.tfvars b/examples/compute/kubernetes_services/102-multi-nodepools/networking.tfvars index b8ed1dda00..63152772c6 100644 --- a/examples/compute/kubernetes_services/102-multi-nodepools/networking.tfvars +++ b/examples/compute/kubernetes_services/102-multi-nodepools/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars b/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars index f06ecf97f1..172dacd456 100644 --- a/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars +++ b/examples/compute/kubernetes_services/103-multi-clusters/networking.tfvars 
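Review bot: `enforce_private_link_service_network_policies = true` is left beside the migrated `private_endpoint_network_policies` key, but azurerm 4.x only knows the boolean `private_link_service_network_policies_enabled`, and the old `enforce_*` flag had the same inverted meaning as the endpoint one (as far as I recall from the 3.x docs). If the vnet module still reads the old key it is a silent no-op against 4.x, leaving the subnet with policies enabled where the example intended them disabled. Migrate it in the same pass, `private_link_service_network_policies_enabled = false` for a like-for-like result, or drop it; the same stale key appears in the mysql and postgresql examples later in this patch.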
@@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" @@ -74,7 +74,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.65.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars index e5d238431d..59746ffc3f 100644 --- a/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars +++ b/examples/compute/kubernetes_services/104-private-cluster/networking.tfvars @@ -12,13 +12,13 @@ vnets = { name = "aks_nodepool_system" cidr = ["100.64.48.0/24"] nsg_key = "azure_kubernetes_cluster_nsg" - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } aks_nodepool_user1 = { name = "aks_nodepool_user1" cidr = ["100.64.49.0/24"] nsg_key = "azure_kubernetes_cluster_nsg" - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } aks_nodepool_user2 = { name = "aks_nodepool_user2" @@ -33,7 +33,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" @@ -55,7 +55,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["10.0.0.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars b/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars index b8ed1dda00..63152772c6 100644 
--- a/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars +++ b/examples/compute/kubernetes_services/105-cluster-usermsi/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/compute/kubernetes_services/107-agic-brownfield/networking.tfvars b/examples/compute/kubernetes_services/107-agic-brownfield/networking.tfvars index 9d84786bed..32f0c751a0 100644 --- a/examples/compute/kubernetes_services/107-agic-brownfield/networking.tfvars +++ b/examples/compute/kubernetes_services/107-agic-brownfield/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/networking.tfvars b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/networking.tfvars index 4b56cb6bee..7a9351a0ba 100644 --- a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/networking.tfvars +++ b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars index 7707a24d01..2627b3f178 100644 --- a/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars 
+++ b/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars b/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars index b8ed1dda00..63152772c6 100644 --- a/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars +++ b/examples/consumption_budget/105-consumption-budget-subscription-aks/networking.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.51.0/27"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } jumpbox = { name = "jumpbox" diff --git a/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars b/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars index b6bb33be72..ff2879e614 100644 --- a/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars +++ b/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars @@ -100,7 +100,7 @@ vnets = { cosmosdb_subnet = { name = "cosmos-subnet" cidr = ["10.150.102.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/data_explorer/107-private-endpoint/configuration.tfvars b/examples/data_explorer/107-private-endpoint/configuration.tfvars index f831afb6e6..87fc526059 100644 --- a/examples/data_explorer/107-private-endpoint/configuration.tfvars +++ b/examples/data_explorer/107-private-endpoint/configuration.tfvars 
@@ -61,7 +61,7 @@ vnets = { private_endpoints = { name = "private-endpoint" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/keyvault/101-keyvault-policies/keyvaults.tfvars b/examples/keyvault/101-keyvault-policies/keyvaults.tfvars index 70a2b4cad8..f6a6ea70b9 100644 --- a/examples/keyvault/101-keyvault-policies/keyvaults.tfvars +++ b/examples/keyvault/101-keyvault-policies/keyvaults.tfvars @@ -100,7 +100,7 @@ vnets = { private_link = { name = "private-links" cidr = ["10.150.100.128/26"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/machine_learning/101-aml-vnet/networking_spoke.tfvars b/examples/machine_learning/101-aml-vnet/networking_spoke.tfvars index e7d143122c..431010c73a 100644 --- a/examples/machine_learning/101-aml-vnet/networking_spoke.tfvars +++ b/examples/machine_learning/101-aml-vnet/networking_spoke.tfvars @@ -40,7 +40,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.55.0/24"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/mysql_flexible_server/101-delegated-subnet-with-fw-rule/configuration.tfvars b/examples/mysql_flexible_server/101-delegated-subnet-with-fw-rule/configuration.tfvars index c88445af49..5f3d2108a8 100644 --- a/examples/mysql_flexible_server/101-delegated-subnet-with-fw-rule/configuration.tfvars +++ b/examples/mysql_flexible_server/101-delegated-subnet-with-fw-rule/configuration.tfvars 
@@ -112,13 +112,13 @@ vnets = { private_dns = { name = "private-dns" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" enforce_private_link_service_network_policies = false } mysql = { name = "mysql" cidr = ["10.10.0.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" delegation = { name = "mysql" service_delegation = "Microsoft.DBforMySQL/flexibleServers" diff --git a/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars b/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars index 86d2b2bb09..ebb954a2e0 100644 --- a/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars +++ b/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars @@ -121,13 +121,13 @@ vnets = { private_dns = { name = "private-dns" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" enforce_private_link_service_network_policies = false } mysql = { name = "mysql" cidr = ["10.10.0.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" delegation = { name = "mysql" service_delegation = "Microsoft.DBforMySQL/flexibleServers" diff --git a/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars b/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars index f65925a736..bffea7611e 100644 --- a/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars +++ b/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars 
@@ -102,7 +102,7 @@ vnets = { private_dns = { name = "private-dns" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" enforce_private_link_service_network_policies = false } } diff --git a/examples/networking/private_links/endpoints/static_ip/configuration.tfvars b/examples/networking/private_links/endpoints/static_ip/configuration.tfvars index 079c5bd938..68ca7dc861 100644 --- a/examples/networking/private_links/endpoints/static_ip/configuration.tfvars +++ b/examples/networking/private_links/endpoints/static_ip/configuration.tfvars @@ -93,7 +93,7 @@ vnets = { private_link = { name = "private-links" cidr = ["10.150.100.128/26"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/networking/virtual_network/101-vnet-peering-nsg/virtual_networks.tfvars b/examples/networking/virtual_network/101-vnet-peering-nsg/virtual_networks.tfvars index eb6f18d70c..d6808adfd2 100644 --- a/examples/networking/virtual_network/101-vnet-peering-nsg/virtual_networks.tfvars +++ b/examples/networking/virtual_network/101-vnet-peering-nsg/virtual_networks.tfvars @@ -31,7 +31,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.103.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } @@ -58,7 +58,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.65.103.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars b/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars index 4c24cd68dc..358e85a4cf 100644 --- a/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars 
+++ b/examples/networking/virtual_network/103-vnet-peering-v1/configuration.tfvars @@ -381,7 +381,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.103.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } @@ -408,7 +408,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.65.103.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/networking/virtual_network/200-nsg-flow-logs/configuration.tfvars b/examples/networking/virtual_network/200-nsg-flow-logs/configuration.tfvars index 8bc4e980c9..59d967a43c 100644 --- a/examples/networking/virtual_network/200-nsg-flow-logs/configuration.tfvars +++ b/examples/networking/virtual_network/200-nsg-flow-logs/configuration.tfvars @@ -45,7 +45,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.95.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" nsg_key = "empty_nsg" } } diff --git a/examples/networking/virtual_network/201-nsg-flow-logs-v1/configuration.tfvars b/examples/networking/virtual_network/201-nsg-flow-logs-v1/configuration.tfvars index 8bc4e980c9..59d967a43c 100644 --- a/examples/networking/virtual_network/201-nsg-flow-logs-v1/configuration.tfvars +++ b/examples/networking/virtual_network/201-nsg-flow-logs-v1/configuration.tfvars @@ -45,7 +45,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.95.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" nsg_key = "empty_nsg" } } diff --git a/examples/networking/virtual_network/202-network_watchers/configuration.tfvars b/examples/networking/virtual_network/202-network_watchers/configuration.tfvars index 8bab60720e..208aaeca69 100644 
--- a/examples/networking/virtual_network/202-network_watchers/configuration.tfvars +++ b/examples/networking/virtual_network/202-network_watchers/configuration.tfvars @@ -45,7 +45,7 @@ vnets = { private_endpoints = { name = "private_endpoints" cidr = ["100.64.95.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" nsg_key = "empty_nsg" } } diff --git a/examples/postgresql_flexible_server/101-delegated-subnet-with-fw-rule/configurations.tfvars b/examples/postgresql_flexible_server/101-delegated-subnet-with-fw-rule/configurations.tfvars index f5653c0752..34c4825c39 100644 --- a/examples/postgresql_flexible_server/101-delegated-subnet-with-fw-rule/configurations.tfvars +++ b/examples/postgresql_flexible_server/101-delegated-subnet-with-fw-rule/configurations.tfvars @@ -118,13 +118,13 @@ vnets = { private_dns = { name = "private-dns" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" enforce_private_link_service_network_policies = false } postgresql = { name = "postgresql" cidr = ["10.10.0.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" delegation = { name = "postgresql" service_delegation = "Microsoft.DBforPostgreSQL/flexibleServers" diff --git a/examples/postgresql_flexible_server/102-advanced-postgresql-flexible/configurations.tfvars b/examples/postgresql_flexible_server/102-advanced-postgresql-flexible/configurations.tfvars index fc4b97b751..118fa8fba3 100644 --- a/examples/postgresql_flexible_server/102-advanced-postgresql-flexible/configurations.tfvars +++ b/examples/postgresql_flexible_server/102-advanced-postgresql-flexible/configurations.tfvars 
@@ -123,13 +123,13 @@ vnets = { private_dns = { name = "private-dns" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" enforce_private_link_service_network_policies = false } postgresql = { name = "postgresql" cidr = ["10.10.0.128/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" delegation = { name = "postgresql" service_delegation = "Microsoft.DBforPostgreSQL/flexibleServers" diff --git a/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars b/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars index 97c3107668..8f8a68982d 100644 --- a/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars +++ b/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars @@ -129,7 +129,7 @@ vnets = { private_endpoints = { name = "private-endpoint" cidr = ["10.10.0.0/25"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/purview/101-purview_account_private_link/configuration.tfvars b/examples/purview/101-purview_account_private_link/configuration.tfvars index 3df22efc53..e5278e7618 100644 --- a/examples/purview/101-purview_account_private_link/configuration.tfvars +++ b/examples/purview/101-purview_account_private_link/configuration.tfvars @@ -179,7 +179,7 @@ vnets = { cidr = ["10.1.0.0/24"] nsg_key = "nsg" service_endpoints = ["Microsoft.KeyVault"] - enforce_private_link_endpoint_network_policies = true + private_endpoint_network_policies = "Enabled" } } } From b1acc65fd828570636aaea96c0d3b5d6b944e03f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 14:46:06 +0100 Subject: [PATCH 46/60] refactor(cognitive_services): update GPT-4 model version in cognitive services configuration example --- .../configuration.tfvars | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars b/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars index ad540882b0..b7bb9f40e5 100644 --- a/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars +++ b/examples/cognitive_services/300-cognitive-services-account-OpenAI-vnet/configuration.tfvars @@ -49,16 +49,20 @@ cognitive_services_account = { cognitive_deployment = { openai_deployment-1 = { - name = "gpt4-listillo" + name = "gpt4" cognitive_account_key = "openai_account-1" - #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + #cognitive_account_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.CognitiveServices/accounts/accountValue" + #Check https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions + #Check https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions#global-standard-model-availability model = { format = "OpenAI" name = "gpt-4" - version = "1106-Preview" + version = "turbo-2024-04-09" + } - scale = { - type = "Standard" + sku = { + name = "Standard" + capacity = 1 } } } From e65f3673a4c047368dc458c556549f74a44eec7f Mon Sep 17 00:00:00 2001 
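Review bot: The two added `#Check https://learn.microsoft.com/.../concepts/models...` comment lines in the openai_deployment-1 hunk point at the same page (the second only adds a `#global-standard-model-availability` fragment), so one of them is redundant; keep the anchored one. Pinning `version = "turbo-2024-04-09"` is an improvement over the previous preview label since it names an explicit model revision. Whether the module reads the new `sku` block (`name`, `capacity`) in place of the removed `scale` block is not visible here, so a one-line comment on `sku = {` naming the provider block it maps to would help the next reader.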
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 15:29:58 +0100 Subject: [PATCH 47/60] docs(examples): add ARM_SUBSCRIPTION_ID export instruction in README.md --- examples/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/README.md b/examples/README.md index ce666f80a4..0baeab689f 100644 --- a/examples/README.md +++ b/examples/README.md @@ -47,6 +47,7 @@ The current folder contains an example of module with the whole features set of ```bash cd /tf/caf/examples az login +export ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 terraform init terraform plan -var-file terraform apply -var-file From 673696007dc9f895343e95863df5e474aad08165 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 15:53:11 +0100 Subject: [PATCH 48/60] refactor(cosmos_db): update partition_key_path and ip_range_filter types in examples configuration files to be consistent with the latest provider version --- .../100-cosmos-db-sql-role-mapping/configuration.tfvars | 3 ++- .../cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars | 2 +- .../100-simple-cosmos-db-gremlin/gremlin_databases.tfvars | 2 +- .../100-simple-cosmos-db-mongo/mongodb_databases.tfvars | 2 +- examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars b/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars index 5094152f83..fba4d89353 100644 --- a/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars +++ b/examples/cosmos_db/100-cosmos-db-sql-role-mapping/configuration.tfvars @@ -60,7 +60,8 @@ cosmos_dbs = { containers = { container1 = { name = "container-ex101" - partition_key_path = "/partitionKeyPath" + # Ensure partition_key_paths is a list + partition_key_paths = ["/partitionKeyPath"] autoscale_settings = { max_throughput = 4000 
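Review bot: The added comment `# Ensure partition_key_paths is a list` in the container1 hunk restates what the next line already shows; it is more useful if it records why the key changed, e.g. `# azurerm 4.x: partition_key_path was replaced by partition_key_paths (list)`. PATCH 50 makes the same change to 100-simple-cosmos-db-sql without any comment, so the two examples should be kept consistent either way.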
diff --git a/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars b/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars index 310c10ac62..62aed38f95 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-cassandra/cassandra.tfvars @@ -45,7 +45,7 @@ cosmos_dbs = { # optional free_tier_enabled = false - ip_range_filter = "" + ip_range_filter = [] multiple_write_locations_enabled = false tags = { "project" = "EDH" diff --git a/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars index 4fd9e76b9a..2019a708f4 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-gremlin/gremlin_databases.tfvars @@ -46,7 +46,7 @@ cosmos_dbs = { # optional free_tier_enabled = false - ip_range_filter = "" + ip_range_filter = [] multiple_write_locations_enabled = false tags = { "project" = "EDH" diff --git a/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars index fa0ca4ca4d..c7b7f2f598 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-mongo/mongodb_databases.tfvars @@ -45,7 +45,7 @@ cosmos_dbs = { # optional free_tier_enabled = false - ip_range_filter = "" + ip_range_filter = [] multiple_write_locations_enabled = false tags = { "project" = "EDH" diff --git a/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars b/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars index c5eee71f4e..8e819582df 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-table/tables.tfvars 
@@ -45,7 +45,7 @@ cosmos_dbs = { # optional free_tier_enabled = false - ip_range_filter = "" + ip_range_filter = [] multiple_write_locations_enabled = false tags = { "project" = "EDH" From 98e565614957fc9bebf63eded8cefd851f289472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 15:53:28 +0100 Subject: [PATCH 49/60] refactor(cosmos_db): update ip_range_filter and partition_key_path types to arrays in configuration files --- .../cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars | 2 +- .../101-decomposed-cosmosdb-sql/sql_databases.tfvars | 4 ++-- .../101-private-endpoint-cosmos-db/configuration.tfvars | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars index aab832639e..584fefb9f8 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars @@ -43,7 +43,7 @@ cosmos_dbs = { # Optional free_tier_enabled = false - ip_range_filter = "116.88.85.63,116.88.85.64" + ip_range_filter = ["116.88.85.63","116.88.85.64"] #capabilities = ["EnableTable"] multiple_write_locations_enabled = false tags = { diff --git a/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars b/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars index faa440aac3..af83759465 100644 --- a/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars +++ b/examples/cosmos_db/101-decomposed-cosmosdb-sql/sql_databases.tfvars @@ -43,7 +43,7 @@ cosmos_dbs = { # Optional free_tier_enabled = false - ip_range_filter = "116.88.85.63,116.88.85.64" + ip_range_filter = ["116.88.85.63", "116.88.85.64"] #capabilities = ["EnableTable"] multiple_write_locations_enabled = false tags = { 
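Review bot: `ip_range_filter = ["116.88.85.63","116.88.85.64"]` in the 100-simple-cosmos-db-sql hunk has no space after the comma, while the identical list in the 101-decomposed-cosmosdb-sql and 101-private-endpoint-cosmos-db hunks is written `["116.88.85.63", "116.88.85.64"]`; the three should match. The addresses themselves are carried over from the old comma-separated string, so the change is type-only and does not alter which sources are allowed.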
@@ -70,7 +70,7 @@ cosmosdb_sql_databases = { containers = { container_re1 = { name = "container-ex101" - partition_key_path = "/definition/id" + partition_key_paths = ["/definition/id"] throughput = 400 unique_key = { paths = ["/definition/idlong", "/definition/idshort"] diff --git a/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars b/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars index ff2879e614..bbbdfd4606 100644 --- a/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars +++ b/examples/cosmos_db/101-private-endpoint-cosmos-db/configuration.tfvars @@ -51,7 +51,7 @@ cosmos_dbs = { # Optional free_tier_enabled = false - ip_range_filter = "116.88.85.63,116.88.85.64" + ip_range_filter = ["116.88.85.63", "116.88.85.64"] #capabilities = ["EnableTable"] multiple_write_locations_enabled = false tags = { From 7d46c0ff5c7175424d7adfa75f03ed1d1a1db796 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 16:05:41 +0100 Subject: [PATCH 50/60] refactor(cosmos_db): change partition_key_path to partition_key_paths as an array in sql_databases.tfvars --- .../cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars b/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars index 584fefb9f8..27dc55ff8d 100644 --- a/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars +++ b/examples/cosmos_db/100-simple-cosmos-db-sql/sql_databases.tfvars @@ -62,7 +62,7 @@ cosmos_dbs = { containers = { container1 = { name = "container-ex101" - partition_key_path = "/partitionKeyPath" + partition_key_paths = ["/partitionKeyPath"] unique_key = { paths = ["/uniquePath1", "/uniquePath2"] From 95d0221bf20856f66c8e2c19d374edc651d69b6c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 16:12:41 +0100 Subject: [PATCH 51/60] refactor(examples): update 'enforce_private_link_endpoint_network_policies' to 'private_endpoint_network_policies' in configuration example files --- .../200-batch-account-private-endpoint/configuration.tfvars | 2 +- .../200-acr-private-link/configuration.tfvars | 2 +- .../100-backup-vault-blob-storage/configuration.tfvars | 2 +- .../101-backup-vault-disk/configuration.tfvars | 2 +- .../configuration.tfvars | 4 ++-- .../configuration.tfvars | 2 +- .../configuration.tfvars | 2 +- .../200-servicebus-privatelink/configuration.tfvars | 2 +- .../messaging/signalr/100-signalr-simple/configuration.tfvars | 4 ++-- .../111-sqlserver_private_endpoint/configurations.tfvars | 2 +- .../endpoints/centralized/virtual_networks.tfvars | 2 +- .../102-private-endpoint-postgresql/configuration.tfvars | 2 +- .../103-private-endpoint-with-fw-rule/configuration.tfvars | 2 +- .../103-asr-with-private-endpoint/virtual_networks.tfvars | 2 +- .../virtual_networks.tfvars | 2 +- .../105-asr-with-network-mapping/virtual_networks.tfvars | 4 ++-- .../103-redis-private-endpoints/configuration.tfvars | 2 +- 17 files changed, 20 insertions(+), 20 deletions(-) diff --git a/examples/compute/batch/batch_account/200-batch-account-private-endpoint/configuration.tfvars b/examples/compute/batch/batch_account/200-batch-account-private-endpoint/configuration.tfvars index aaf20eea53..caf53d00d8 100644 --- a/examples/compute/batch/batch_account/200-batch-account-private-endpoint/configuration.tfvars +++ b/examples/compute/batch/batch_account/200-batch-account-private-endpoint/configuration.tfvars @@ -54,7 +54,7 @@ vnets = { name = "pep" cidr = ["100.64.103.0/27"] service_endpoints = ["Microsoft.Storage"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } } 
diff --git a/examples/compute/container_registry/200-acr-private-link/configuration.tfvars b/examples/compute/container_registry/200-acr-private-link/configuration.tfvars index b8debd3da6..8ae58a9d98 100644 --- a/examples/compute/container_registry/200-acr-private-link/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-private-link/configuration.tfvars @@ -79,7 +79,7 @@ vnets = { name = "jumphost" cidr = ["100.64.103.0/27"] service_endpoint = ["Microsoft.ContainerRegistry"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/data_protection/100-backup-vault-blob-storage/configuration.tfvars b/examples/data_protection/100-backup-vault-blob-storage/configuration.tfvars index 9d29aeb608..405ba8995f 100644 --- a/examples/data_protection/100-backup-vault-blob-storage/configuration.tfvars +++ b/examples/data_protection/100-backup-vault-blob-storage/configuration.tfvars @@ -52,7 +52,7 @@ backup_vault_policies = { type = "blob_storage" # policy type, blob_storage and disk supported backup_vault_key = "bv0" policy_name = "backup-policy-lvl0" - retention_duration = "P50D" #Specific ISO 8601 format + operational_default_retention_duration = "P50D" #Specific ISO 8601 format } } diff --git a/examples/data_protection/101-backup-vault-disk/configuration.tfvars b/examples/data_protection/101-backup-vault-disk/configuration.tfvars index 22ceb62d04..9068e7ffd7 100644 --- a/examples/data_protection/101-backup-vault-disk/configuration.tfvars +++ b/examples/data_protection/101-backup-vault-disk/configuration.tfvars 
@@ -50,7 +50,7 @@ backup_vault_policies = { type = "disk" backup_vault_key = "bv0" policy_name = "backup-policy-lvl0" - retention_duration = "P7D" #Specific ISO 8601 format + operational_default_retention_duration = = "P7D" #Specific ISO 8601 format backup_repeating_time_intervals = ["R/2022-04-20T00:00:00+00:00/PT4H"] # ISO 8601 repeating time interval retention_rules = { Daily = { diff --git a/examples/databricks/102-premium-databricks-vnet-private-endpoint/configuration.tfvars b/examples/databricks/102-premium-databricks-vnet-private-endpoint/configuration.tfvars index 65e47eaabc..50520707f4 100644 --- a/examples/databricks/102-premium-databricks-vnet-private-endpoint/configuration.tfvars +++ b/examples/databricks/102-premium-databricks-vnet-private-endpoint/configuration.tfvars @@ -33,7 +33,7 @@ databricks_workspaces = { name = "sales_workspace" resource_group_key = "databricks_re1" sku = "premium" - public_network_access_enabled = false + private_endpoint_network_policies = "Enabled" network_security_group_rules_required = "NoAzureDatabricksRules" tags = { ws = "ws" @@ -78,7 +78,7 @@ vnets = { pep = { name = "pep" cidr = ["10.100.100.0/28"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } databricks_public = { nsg_key = "databricks_public" diff --git a/examples/eventhub/101-evh-namespace-with-private-endpoint/configuration.tfvars b/examples/eventhub/101-evh-namespace-with-private-endpoint/configuration.tfvars index dd24500f3c..55739ba4f0 100644 --- a/examples/eventhub/101-evh-namespace-with-private-endpoint/configuration.tfvars +++ b/examples/eventhub/101-evh-namespace-with-private-endpoint/configuration.tfvars @@ -68,7 +68,7 @@ vnets = { evh_subnet = { name = "evh_subnet" cidr = ["10.150.120.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } 
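Review bot: `operational_default_retention_duration = = "P7D" #Specific ISO 8601 format` in the backup-policy-lvl0 hunk of 101-backup-vault-disk has a doubled `=` and will not parse as HCL, so this example fails before any plan runs. It should read `operational_default_retention_duration = "P7D" #Specific ISO 8601 format`. The blob policy in the 100-backup-vault-blob-storage hunk of this patch uses the same key, but the provider's disk backup policy resource names its retention argument differently from the blob one, so confirm that the policy module maps this key for `type = "disk"` as well; the module is not in this chunk.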
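Review bot: In the `databricks_workspaces` hunk of 102-premium-databricks-vnet-private-endpoint, `public_network_access_enabled = false` is replaced by `private_endpoint_network_policies = "Enabled"`, which looks like a find-and-replace that matched the wrong key: the new key is a subnet setting, not a workspace one, and the workspace attribute that closed public access is now gone. With it removed the workspace falls back to the provider default and is reachable from the public internet again, which defeats the purpose of a private-endpoint example. Restore `public_network_access_enabled = false` on the workspace; the subnet-level rename in the same file's `pep` hunk is the only one that belonged here.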
diff --git a/examples/messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint/configuration.tfvars b/examples/messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint/configuration.tfvars index 1cc444494c..c1da27e81e 100644 --- a/examples/messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint/configuration.tfvars +++ b/examples/messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint/configuration.tfvars @@ -24,7 +24,7 @@ vnets = { example = { name = "example-subnet" cidr = ["10.0.1.0/24"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/messaging/servicebus/200-servicebus-privatelink/configuration.tfvars b/examples/messaging/servicebus/200-servicebus-privatelink/configuration.tfvars index cc7639392c..9c8ed5e6a1 100644 --- a/examples/messaging/servicebus/200-servicebus-privatelink/configuration.tfvars +++ b/examples/messaging/servicebus/200-servicebus-privatelink/configuration.tfvars @@ -29,7 +29,7 @@ vnets = { name = "subnet2" cidr = ["172.33.101.0/24"] service_endpoint = ["Microsoft.ServiceBus"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/messaging/signalr/100-signalr-simple/configuration.tfvars b/examples/messaging/signalr/100-signalr-simple/configuration.tfvars index 866107820e..13c4374260 100644 --- a/examples/messaging/signalr/100-signalr-simple/configuration.tfvars +++ b/examples/messaging/signalr/100-signalr-simple/configuration.tfvars @@ -24,7 +24,7 @@ vnets = { subnet1 = { name = "signalr-pr-subnet" cidr = ["10.100.100.0/29"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } @@ -40,7 +40,7 @@ vnets = { subnet1 = { name = "signalr-pr-subnet" cidr = ["10.100.100.8/29"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } 
diff --git a/examples/mssql_server/111-sqlserver_private_endpoint/configurations.tfvars b/examples/mssql_server/111-sqlserver_private_endpoint/configurations.tfvars index 69b08879fc..0f902d1bc3 100644 --- a/examples/mssql_server/111-sqlserver_private_endpoint/configurations.tfvars +++ b/examples/mssql_server/111-sqlserver_private_endpoint/configurations.tfvars @@ -38,7 +38,7 @@ vnets = { web = { name = "web-subnet" cidr = ["10.0.1.0/24"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } } diff --git a/examples/networking/private_links/endpoints/centralized/virtual_networks.tfvars b/examples/networking/private_links/endpoints/centralized/virtual_networks.tfvars index dd85f38feb..a4c47107fb 100644 --- a/examples/networking/private_links/endpoints/centralized/virtual_networks.tfvars +++ b/examples/networking/private_links/endpoints/centralized/virtual_networks.tfvars @@ -13,7 +13,7 @@ vnets = { subnet_01 = { name = "subnet-01" cidr = ["10.100.1.128/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/postgresql_server/102-private-endpoint-postgresql/configuration.tfvars b/examples/postgresql_server/102-private-endpoint-postgresql/configuration.tfvars index a39e064b06..7d517a04ee 100644 --- a/examples/postgresql_server/102-private-endpoint-postgresql/configuration.tfvars +++ b/examples/postgresql_server/102-private-endpoint-postgresql/configuration.tfvars @@ -151,7 +151,7 @@ vnets = { postgresql_subnet = { name = "postgresql_subnet" cidr = ["10.150.102.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/postgresql_server/103-private-endpoint-with-fw-rule/configuration.tfvars b/examples/postgresql_server/103-private-endpoint-with-fw-rule/configuration.tfvars index dc7cbf25f7..51b32e4f08 100644 
--- a/examples/postgresql_server/103-private-endpoint-with-fw-rule/configuration.tfvars +++ b/examples/postgresql_server/103-private-endpoint-with-fw-rule/configuration.tfvars @@ -170,7 +170,7 @@ vnets = { postgresql_subnet = { name = "postgresql_subnet" cidr = ["10.150.102.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/recovery_vault/103-asr-with-private-endpoint/virtual_networks.tfvars b/examples/recovery_vault/103-asr-with-private-endpoint/virtual_networks.tfvars index 00c54f0e8a..27848fa54e 100644 --- a/examples/recovery_vault/103-asr-with-private-endpoint/virtual_networks.tfvars +++ b/examples/recovery_vault/103-asr-with-private-endpoint/virtual_networks.tfvars @@ -13,7 +13,7 @@ vnets = { asr_subnet = { name = "asr_subnet" cidr = ["10.150.105.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/recovery_vault/104-backupvault-with-private-endpoint/virtual_networks.tfvars b/examples/recovery_vault/104-backupvault-with-private-endpoint/virtual_networks.tfvars index 181ba5b862..0c2f5132a5 100644 --- a/examples/recovery_vault/104-backupvault-with-private-endpoint/virtual_networks.tfvars +++ b/examples/recovery_vault/104-backupvault-with-private-endpoint/virtual_networks.tfvars @@ -13,7 +13,7 @@ vnets = { subnet_001 = { name = "privatelink_subnet" cidr = ["10.150.105.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/recovery_vault/105-asr-with-network-mapping/virtual_networks.tfvars b/examples/recovery_vault/105-asr-with-network-mapping/virtual_networks.tfvars index 759d820400..94704aa058 100644 --- a/examples/recovery_vault/105-asr-with-network-mapping/virtual_networks.tfvars +++ b/examples/recovery_vault/105-asr-with-network-mapping/virtual_networks.tfvars 
@@ -13,7 +13,7 @@ vnets = { asr_subnet = { name = "asr_subnet" cidr = ["10.150.105.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } @@ -32,7 +32,7 @@ vnets = { asr_subnet = { name = "asr_subnet" cidr = ["10.150.106.0/25"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } diff --git a/examples/redis_cache/103-redis-private-endpoints/configuration.tfvars b/examples/redis_cache/103-redis-private-endpoints/configuration.tfvars index 5fd028349e..2f64ad099f 100644 --- a/examples/redis_cache/103-redis-private-endpoints/configuration.tfvars +++ b/examples/redis_cache/103-redis-private-endpoints/configuration.tfvars @@ -65,7 +65,7 @@ vnets = { pep = { name = "pep" cidr = ["10.1.0.0/28"] - enforce_private_link_endpoint_network_policies = "true" + private_endpoint_network_policies = "Enabled" } } } From df0e2c086496e3eecbc982c11c87517ff7484375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 16:48:42 +0100 Subject: [PATCH 52/60] refactor(dns_zone): improve regex comment and handle empty soa_record case in output --- modules/networking/dns_zone/output.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/networking/dns_zone/output.tf b/modules/networking/dns_zone/output.tf index 4d65f6c862..63ff7683f2 100644 --- a/modules/networking/dns_zone/output.tf +++ b/modules/networking/dns_zone/output.tf @@ -6,8 +6,8 @@ output "id" { output "name" { description = "The fully qualified domain name of the Record Set." - # This regex remove the last dot as the end - value = regex("(.+).", azurerm_dns_zone.dns_zone.soa_record[0].fqdn)[0] + # This regex removes the last dot at the end + value = length(azurerm_dns_zone.dns_zone.soa_record) > 0 ? regex("(.+).", azurerm_dns_zone.dns_zone.soa_record[0].fqdn)[0] : "" } output "resource_group_name" { 
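Review bot: The regex kept on the new `value` line of `output "name"`, `regex("(.+).", ...)`, does not do what the improved comment says: the final `.` is unescaped and matches any character, so the expression drops whatever the last character of `fqdn` is, dot or not. Since the intent is to strip a trailing dot, `trimsuffix(azurerm_dns_zone.dns_zone.soa_record[0].fqdn, ".")` states that directly and leaves a name without a trailing dot untouched. Consider also returning `null` rather than `""` in the empty-`soa_record` branch, so that consumers building records from this output fail at plan time instead of producing a record for an empty name.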
From 289bd96c1eec0bcd6ba8e861e868f48f819bd1a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 17:23:22 +0100 Subject: [PATCH 53/60] refactor(aks): handle empty kubelet_identity case in output for rbac_id --- modules/compute/aks/output.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/compute/aks/output.tf b/modules/compute/aks/output.tf index 4a0511459c..8604c6d9db 100644 --- a/modules/compute/aks/output.tf +++ b/modules/compute/aks/output.tf @@ -37,9 +37,10 @@ output "kube_config" { } output "rbac_id" { - value = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id + value = length(azurerm_kubernetes_cluster.aks.kubelet_identity) > 0 ? azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id : "" } + output "node_resource_group" { value = azurerm_kubernetes_cluster.aks.node_resource_group } From d537d468e148174acd0cd48c1907b9f1396ecdfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 17:23:44 +0100 Subject: [PATCH 54/60] refactor(virtual_machine): update file paths for linux diagnostic extensions to use other relative paths --- .../216-vm-linux_diagnostic_extensions/configurations.tfvars | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars b/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars index 8e14922276..6d010412c6 100644 --- a/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars +++ b/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars 
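Review bot: The empty-`kubelet_identity` branch of `output "rbac_id"` yields `""`, and an empty string is a poor sentinel for a principal id: anything that feeds this output into a role assignment gets a value that is non-null but meaningless, and `try()` on the consumer side will happily accept it. `null` is the conventional absent value for Terraform outputs and lets callers use `try()`/`coalesce()` as intended; the same applies to the dns_zone `name` output changed in PATCH 52. Suggested: `value = length(azurerm_kubernetes_cluster.aks.kubelet_identity) > 0 ? azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id : null`.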
@@ -56,8 +56,8 @@ virtual_machines = { } virtual_machine_extensions = { linux_diagnostic = { - ladcfg_file_path = "./diagnostics/ladcfg.json" - filelogs_file_path = "./diagnostics/filelogs.json" + ladcfg_file_path = "./compute/virtual_machine/216-vm-linux_diagnostic_extensions/diagnostics/ladcfg.json" + filelogs_file_path = "./compute/virtual_machine/216-vm-linux_diagnostic_extensions/diagnostics/filelogs.json" diagnostic_storage_account_key = "bootdiag_region1" } } From 2fbb9038f2e2da676d52d3f0485a4f6dbcf554af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 21:58:25 +0100 Subject: [PATCH 55/60] refactor(aks): modify role-based access control settings to use `azure_active_directory_role_based_access_control` block. --- .../101-single-cluster/aks.tfvars | 12 ++++++------ .../106-agic-greenfield/aks.tfvars | 12 +++++------- .../107-agic-brownfield/aks.tfvars | 11 +++++------ .../aks.tfvars | 11 +++++------ .../109-single-cluster-istio/aks.tfvars | 13 ++++++------- modules/compute/aks/aks.tf | 6 +++--- 6 files changed, 30 insertions(+), 35 deletions(-) diff --git a/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars b/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars index 87218b10ff..a453bd1a01 100644 --- a/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars +++ b/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars @@ -32,12 +32,12 @@ aks_clusters = { } # enable_rbac = true - role_based_access_control = { - enabled = true - azure_active_directory = { - managed = true - } - } + #azure_active_directory_role_based_access_control = { + # enabled = true + # tenant_id = "00000000-0000-0000-0000-000000000000" + # admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"] + #} + oms_agent = { log_analytics_key = "central_logs_region1" 
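Review bot: Commenting out the whole `azure_active_directory_role_based_access_control` block in the 101-single-cluster hunk (and likewise in the 106-agic-greenfield, 107-agic-brownfield, 108-single-cluster-remote-adgroup-admin and 109-single-cluster-istio hunks) removes the Entra ID integration the old `role_based_access_control { azure_active_directory { managed = true } }` block turned on, so together with the aks.tf change in this patch these example clusters are now created with local Kubernetes accounts only. That is a step back for the examples, and 108 in particular exists to demonstrate admin-group access. Keeping the block active with at least `azure_active_directory_role_based_access_control = { enabled = true }`, plus a real `admin_group_object_ids` list where the example needs one, preserves the previous posture; the placeholder GUIDs can stay in a comment next to it.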
diff --git a/examples/compute/kubernetes_services/106-agic-greenfield/aks.tfvars b/examples/compute/kubernetes_services/106-agic-greenfield/aks.tfvars index 81015e43c4..b0db74522a 100644 --- a/examples/compute/kubernetes_services/106-agic-greenfield/aks.tfvars +++ b/examples/compute/kubernetes_services/106-agic-greenfield/aks.tfvars @@ -38,13 +38,11 @@ aks_clusters = { load_balancer_sku = "standard" } - role_based_access_control = { - enabled = true - azure_active_directory = { - managed = true - azure_rbac_enabled = true - } - } + #azure_active_directory_role_based_access_control = { + # enabled = true + # tenant_id = "00000000-0000-0000-0000-000000000000" + # admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"] + #} addon_profile = { oms_agent = { diff --git a/examples/compute/kubernetes_services/107-agic-brownfield/aks.tfvars b/examples/compute/kubernetes_services/107-agic-brownfield/aks.tfvars index 8327f0ee6f..0890af81df 100644 --- a/examples/compute/kubernetes_services/107-agic-brownfield/aks.tfvars +++ b/examples/compute/kubernetes_services/107-agic-brownfield/aks.tfvars @@ -38,12 +38,11 @@ aks_clusters = { } # enable_rbac = true - role_based_access_control = { - enabled = true - azure_active_directory = { - managed = true - } - } + #azure_active_directory_role_based_access_control = { + # enabled = true + # tenant_id = "00000000-0000-0000-0000-000000000000" + # admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"] + #} addon_profile = { oms_agent = { diff --git a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars index da406c0403..816f322de8 100644 --- a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars +++ b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars 
@@ -30,12 +30,11 @@ aks_clusters = { } # enable_rbac = true - role_based_access_control = { - enabled = true - azure_active_directory = { - managed = true - } - } + #azure_active_directory_role_based_access_control = { + # enabled = true + # tenant_id = "00000000-0000-0000-0000-000000000000" + # admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"] + #} addon_profile = { oms_agent = { diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars index 89661ee997..5bf522232c 100644 --- a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars +++ b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars @@ -30,13 +30,12 @@ aks_clusters = { } # enable_rbac = true - role_based_access_control = { - enabled = true - azure_active_directory = { - managed = true - } - } - + #azure_active_directory_role_based_access_control = { + # enabled = true + # tenant_id = "00000000-0000-0000-0000-000000000000" + # admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"] + #} + oms_agent = { log_analytics_key = "central_logs_region1" } diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index 038e1a4e96..4deaf01719 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf 
@@ -360,12 +360,12 @@ resource "azurerm_kubernetes_cluster" "aks" { #Enabled RBAC dynamic "azure_active_directory_role_based_access_control" { - for_each = try(var.settings.role_based_access_control[*], {}) + for_each = can(var.settings.azure_active_directory_role_based_access_control) ? [var.settings.azure_active_directory_role_based_access_control] : [] content { - tenant_id = try(azure_active_directory_role_based_access_control.value.azure_active_directory.tenant_id, null) + tenant_id = try(azure_active_directory_role_based_access_control.value.tenant_id, null) azure_rbac_enabled = try(azure_active_directory_role_based_access_control.value.enabled, true) - admin_group_object_ids = try(azure_active_directory_role_based_access_control.value.azure_active_directory.admin_group_object_ids, try(var.admin_group_object_ids, null)) + admin_group_object_ids = try(azure_active_directory_role_based_access_control.value.admin_group_object_ids, []) } } From fa6f3bb1349c27250b03dc12331a59259cd0d5d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?= Date: Wed, 30 Oct 2024 22:07:57 +0100 Subject: [PATCH 56/60] refactor(examples): update script source paths to use absolute paths in configuration files --- .../configuration.tfvars | 4 ++-- .../configuration.tfvars | 2 +- .../configuration.tfvars | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/compute/virtual_machine/110-win-linuxvm-custom-script-extension/configuration.tfvars b/examples/compute/virtual_machine/110-win-linuxvm-custom-script-extension/configuration.tfvars index 90a6c5f65f..2aa43535a7 100644 --- a/examples/compute/virtual_machine/110-win-linuxvm-custom-script-extension/configuration.tfvars +++ b/examples/compute/virtual_machine/110-win-linuxvm-custom-script-extension/configuration.tfvars 
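Review bot: `azure_rbac_enabled = try(azure_active_directory_role_based_access_control.value.enabled, true)` reads a key named `enabled` to set Azure RBAC for Kubernetes authorization, so a caller who writes `enabled = false` meaning "don't wire up Entra ID" instead gets Entra ID integration with Kubernetes-native RBAC — the key and the provider argument mean different things. Naming the setting `azure_rbac_enabled` in `var.settings` (keeping `enabled` as a second fallback inside the `try`) would make the example files read as they were written. The new `admin_group_object_ids = try(..., [])` also drops the previous fallback to `var.admin_group_object_ids`; if that variable is still declared, callers relying on it silently lose their admin groups, which deserves a line in the commit message or a deprecation path. PATCH 57 touches this line again, but that hunk starts outside this chunk.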
@@ -50,14 +50,14 @@ storage_account_blobs = {
 name = "helloworld.sh"
 storage_account_key = "sa1"
 storage_container_name = "files"
- source = "scripts/helloworld.sh"
+ source = "example/compute/virtual_machine/110-win-linuxvm-custom-script-extension/scripts/helloworld.sh"
 parallelism = 1
 }
 script2 = {
 name = "helloworld.ps1"
 storage_account_key = "sa1"
 storage_container_name = "files"
- source = "scripts/helloworld.ps1"
+ source = "example/compute/virtual_machine/110-win-linuxvm-custom-script-extension/scripts/helloworld.ps1"
 parallelism = 1
 }
 }
diff --git a/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars b/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars
index 42b9ea57b3..e5094a5282 100644
--- a/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars
+++ b/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars
@@ -63,7 +63,7 @@ virtual_machines = {
 disable_password_authentication = true
 custom_data = {
- templatefile = "compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl"
+ templatefile = "example/compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl"
 my_value = "my_value"
 }
 dynamic_custom_data = {
diff --git a/examples/compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension/configuration.tfvars b/examples/compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension/configuration.tfvars
index 2b3af092ab..d2c1034be0 100644
--- a/examples/compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension/configuration.tfvars
+++ b/examples/compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension/configuration.tfvars
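Review bot: The new `source` values start with `example/compute/...` while every file header in this patch places these examples under `examples/` (plural), so unless the caller resolves them against a directory literally named `example`, the blob upload and the template lookup will fail with a file-not-found error; the same prefix is used in the 113 hunk here and in the 102-linux-win-vmss hunk on the next line. The commit message calls these absolute paths, but they remain relative to whatever working directory the root module runs from, so a one-line comment above each `source` stating the base directory it is resolved against (e.g. `# path is relative to the repository root`, if that is the intent) would make the convention explicit. The 113 hunk's old value `compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl` was evidently resolved relative to the examples directory already, which suggests `source` and `templatefile` follow different base-directory conventions and deserve the same comment.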
@@ -54,14 +54,14 @@ storage_account_blobs = {
 name = "helloworld.sh"
 storage_account_key = "sa1"
 storage_container_name = "files"
- source = "scripts/helloworld.sh"
+ source = "example/compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension/scripts/helloworld.sh"
 parallelism = 1
 }
 script2 = {
 name = "helloworld.ps1"
 storage_account_key = "sa1"
 storage_container_name = "files"
- source = "scripts/helloworld.ps1"
+ source = "example/compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension/scripts/helloworld.ps1"
 parallelism = 1
 }
 }
From f60517dc7f19c42ce882a87cfd5a476054d4c729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?=
Date: Wed, 30 Oct 2024 22:16:48 +0100
Subject: [PATCH 57/60] refactor(aks): add revisions to service mesh profile and update admin group object IDs fallback
---
 .../kubernetes_services/109-single-cluster-istio/aks.tfvars | 3 ++-
 modules/compute/aks/aks.tf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars
index 5bf522232c..93b6d18154 100644
--- a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars
+++ b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars
@@ -35,7 +35,7 @@ aks_clusters = {
 # tenant_id = "00000000-0000-0000-0000-000000000000"
 # admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"]
 #}
-
+
 oms_agent = {
 log_analytics_key = "central_logs_region1"
 }
@@ -43,6 +43,7 @@ aks_clusters = {
 service_mesh_profile = {
 internal_ingress_gateway_enabled = true
 mode = "Istio"
+ revisions = ["asm-1-20"]
 }
 # admin_groups = {
diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf
index 4deaf01719..e04fe17918 100644
--- a/modules/compute/aks/aks.tf
+++ b/modules/compute/aks/aks.tf
@@ -365,7 +365,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 content {
 tenant_id = try(azure_active_directory_role_based_access_control.value.tenant_id, null)
 azure_rbac_enabled = try(azure_active_directory_role_based_access_control.value.enabled, true)
- admin_group_object_ids = try(azure_active_directory_role_based_access_control.value.admin_group_object_ids, [])
+ admin_group_object_ids = try(azure_active_directory_role_based_access_control.value.admin_group_object_ids, var.admin_group_object_ids, [])
 }
 }
From b7bccaea982f0a91b5d57ce2a347608e57ee640b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?=
Date: Wed, 30 Oct 2024 22:23:20 +0100
Subject: [PATCH 58/60] fix(configuration): correct syntax error in operational_default_retention_duration assignment
---
 .../data_protection/101-backup-vault-disk/configuration.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/data_protection/101-backup-vault-disk/configuration.tfvars b/examples/data_protection/101-backup-vault-disk/configuration.tfvars
index 9068e7ffd7..bd6d3d3372 100644
--- a/examples/data_protection/101-backup-vault-disk/configuration.tfvars
+++ b/examples/data_protection/101-backup-vault-disk/configuration.tfvars
@@ -50,7 +50,7 @@ backup_vault_policies = {
 type = "disk"
 backup_vault_key = "bv0"
 policy_name = "backup-policy-lvl0"
- operational_default_retention_duration = = "P7D" #Specific ISO 8601 format
+ operational_default_retention_duration = "P7D" #Specific ISO 8601 format
 backup_repeating_time_intervals = ["R/2022-04-20T00:00:00+00:00/PT4H"] # ISO 8601 repeating time interval
 retention_rules = {
 Daily = {
From 8b1a7247a4d5e6d49167a97b5af2f1b9d8f1f342 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?=
Date: Wed, 30 Oct 2024 23:14:22 +0100
Subject: [PATCH 59/60] refactor(locals): enhance mysql_flexible_servers merge logic to include data sources
---
 locals.combined_objects.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
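Review bot: The new fallback chain `try(..., var.admin_group_object_ids, [])` only reaches `[]` when evaluating `var.admin_group_object_ids` raises an error; `try` does not skip a null value, so if that variable is declared with `default = null` (its declaration is outside this hunk) the block ends up with `admin_group_object_ids = null` rather than the empty list this commit appears to intend. If the null case matters, make it explicit: `admin_group_object_ids = try(azure_active_directory_role_based_access_control.value.admin_group_object_ids, var.admin_group_object_ids == null ? [] : var.admin_group_object_ids)`. With `azure_rbac_enabled` defaulting to true on the line above, an empty or null admin list means no Azure AD group is granted cluster-admin through this block (access then presumably comes only from Azure RBAC role assignments), which is worth stating next to the fallback, e.g. `# no admin group by default: cluster-admin must be granted explicitly`.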
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
index 01bfe161d6..f4ea361f95 100644
--- a/locals.combined_objects.tf
+++ b/locals.combined_objects.tf
@@ -125,7 +125,7 @@ locals {
 combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, lookup(var.data_sources, "mssql_managed_instances", {})) }), lookup(var.remote_objects, "mssql_managed_instances", {}), lookup(var.data_sources, "mssql_managed_instances", {}))
 combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, lookup(var.data_sources, "mssql_managed_instances_secondary", {})) }), lookup(var.remote_objects, "mssql_managed_instances_secondary", {}), lookup(var.remote_objects, "mssql_managed_instances_secondary", {}))
 combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, lookup(var.data_sources, "mssql_servers", {})) }), lookup(var.remote_objects, "mssql_servers", {}))
- combined_objects_mysql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_servers }), lookup(var.remote_objects, "mysql_flexible_servers", {}))
+ combined_objects_mysql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mysql_flexible_servers, lookup(var.data_sources, "mysql_flexible_servers", {})) }), lookup(var.remote_objects, "mysql_flexible_servers", {}))
 combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), lookup(var.remote_objects, "nat_gateways", {}), lookup(var.data_sources, "nat_gateways", {}))
 combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), lookup(var.remote_objects, "network_profiles", {}))
 combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), lookup(var.remote_objects, 
"network_security_groups", {}), lookup(var.data_sources, "network_security_groups", {}))
From f098e9cd08b4fdc0c5cf8548cd81af7a2574ca62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez?=
Date: Wed, 30 Oct 2024 23:14:29 +0100
Subject: [PATCH 60/60] fix(monitoring): resolve scope list issue in mysql-cpu-utilization metric alert configuration
---
 .../configuration.tfvars | 74 +++++++++++--------
 1 file changed, 44 insertions(+), 30 deletions(-)
diff --git a/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars b/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars
index ebb954a2e0..1e4da39626 100644
--- a/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars
+++ b/examples/mysql_flexible_server/102-advanced-mysql-flexible/configuration.tfvars
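Review bot: The added `lookup(var.data_sources, "mysql_flexible_servers", {})` is merged inside the landing-zone map after `module.mysql_flexible_servers`, so a data source that shares a resource key with a module-managed server overrides the managed resource's attributes for every consumer of `local.combined_objects_mysql_flexible_servers`; the `nat_gateways` line two below instead appends `var.data_sources` at the outer level, keyed by landing zone, so the two locals resolve collisions differently. Pick one precedence and document it on the line, e.g. `# data_sources win over module outputs on key collision` if the inner merge is deliberate. Unrelated to this change but visible in the context: `combined_objects_mssql_managed_instances_secondary` passes `lookup(var.remote_objects, "mssql_managed_instances_secondary", {})` twice where the neighbouring lines use `var.data_sources` for the last argument, which reads like a copy-paste slip. The `locals` block starts and ends outside this hunk.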
@@ -174,34 +174,48 @@ monitor_action_groups = {
 }
 }
-monitor_metric_alert = {
- mysql-cpu-utilization = {
- name = "mysql-cpu-utilization"
- resource_group = { key = "mysql_region1" }
- description = "Action will be triggered when cpu utilization is greater than 90% in the last 30 min."
- severity = 2
- frequency = "PT15M"
- window_size = "PT30M"
-
- criteria = {
- metric_namespace = "Microsoft.DBforMySQL/flexibleServers"
- metric_name = "cpu_percent"
- aggregation = "Average"
- operator = "GreaterThan"
- threshold = 90
- }
-
- scopes = {
- scope1 = {
- resource_type = "mysql_flexible_server"
- key = "primary_re1"
- }
- }
- action = {
- action_group = {
- key = "example"
- }
- }
- }
-}
\ No newline at end of file
+# Debug, fail with:
+#│ Error: Not enough list items
+#│
+#│ with module.example.module.monitor_metric_alert["mysql-cpu-utilization"].azurerm_monitor_metric_alert.mma,
+#│ on ../modules/monitoring/monitor_metric_alert/module.tf line 14, in resource "azurerm_monitor_metric_alert" "mma":
+#│ 14: scopes = try(flatten([
+#│ 15: for key, value in var.settings.scopes : coalesce(
+#│ 16: try(var.remote_objects[value.resource_type][value.lz_key][value.lz_key][value.key].id, null),
+#│ 17: try(var.remote_objects[value.resource_type][var.client_config.landingzone_key][value.key].id, null),
+#│ 18: try(value.id, null),
+#│ 19: []
+#│ 20: )
+#│ 21: ]), [])
+#monitor_metric_alert = {
+# mysql-cpu-utilization = {
+# name = "mysql-cpu-utilization"
+# resource_group = { key = "mysql_region1" }
+# description = "Action will be triggered when cpu utilization is greater than 90% in the last 30 min."
+# severity = 2
+# frequency = "PT15M"
+# window_size = "PT30M"
+#
+# criteria = {
+# metric_namespace = "Microsoft.DBforMySQL/flexibleServers"
+# metric_name = "cpu_percent"
+# aggregation = "Average"
+# operator = "GreaterThan"
+# threshold = 90
+# }
+#
+# scopes = {
+# scope1 = {
+# resource_type = "mysql_flexible_servers"
+# key = "primary_re1"
+# }
+# }
+#
+# action = {
+# action_group = {
+# key = "example"
+# }
+# }
+# }
+#}
\ No newline at end of file
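Review bot: The alert is removed rather than fixed: the whole `monitor_metric_alert` block is commented out together with the captured error, so the advanced MySQL example no longer demonstrates or validates CPU alerting, and a pasted Terraform error trace is left behind as a permanent comment. The commented copy already changes `resource_type` to `"mysql_flexible_servers"`, which matches the `combined_objects_mysql_flexible_servers` key touched in the previous patch, so the original failure looks like a key mismatch (`mysql_flexible_server`, singular) that the corrected value may already resolve; re-enabling the block with the corrected key and deleting the trace is the better outcome. If it still fails, the quoted module expression feeds string ids and a bare `[]` fallback into the same `coalesce`, which may be what produces `Not enough list items` and belongs in the module, not in an example comment. The commit subject says the issue is resolved, which the hunk does not support; at minimum replace the trace with `# TODO: metric alert disabled pending scope lookup fix in modules/monitoring/monitor_metric_alert` so the gap stays visible.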