add complete

Azure · Sep 22, 2023 · 8f65c66 · 8f65c66
1 parent 89bd15d
commit 8f65c66
Show file tree

Hide file tree

Showing 7 changed files with 220 additions and 11 deletions.
diff --git a/bootstrap/.config/ALZ-Powershell.config.json b/bootstrap/.config/ALZ-Powershell.config.json
@@ -1,5 +1,5 @@
 {
-    "parameters": { },
+    "parameters": {},
     "validators": {
         "starter_module": {
             "Type": "AllowedValues",
@@ -9,11 +9,12 @@
                 "Values": [
                     ".test",
                     "basic",
-                    "hubnetworking"
+                    "hubnetworking",
+                    "complete"
                 ]
             }
         },
-        "auth_scheme" : {
+        "auth_scheme": {
             "Type": "AllowedValues",
             "Description": "A valid authentication scheme e.g. 'WorkloadIdentityFederation'",
             "AllowedValues": {
@@ -24,7 +25,7 @@
                 ]
             }
         },
-        "azure_location" : {
+        "azure_location": {
             "Type": "AllowedValues",
             "Description": "An Azure deployment location e.g. 'uksouth'",
             "AllowedValues": {
@@ -82,27 +83,27 @@
                 ]
             }
         },
-        "azure_subscription_id" : {
+        "azure_subscription_id": {
             "Type": "Valid",
             "Description": "A valid subscription id GUID e.g. '12345678-1234-1234-1234-123456789012'",
             "Valid": "^( {){0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(}){0,1}$"
         },
-        "azure_name" : {
+        "azure_name": {
             "Type": "Valid",
             "Description": "A valid Azure name e.g. 'my-azure-name'",
             "Valid": "^[a-zA-Z0-9]{2,10}(-[a-zA-Z0-9]{2,10}){0,1}(-[a-zA-Z0-9]{2,10})?$"
         },
-        "azure_name_section" : {
+        "azure_name_section": {
             "Type": "Valid",
             "Description": "A valid Azure name with no hyphens and limited length e.g. 'mgmt'",
             "Valid": "^[a-zA-Z0-9]{2,10}$"
         },
-        "guid" : {
+        "guid": {
             "Type": "Valid",
             "Description": "A valid GUID e.g. '12345678-1234-1234-1234-123456789012'",
             "Valid": "^( {){0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(}){0,1}$"
         },
-        "bool" : {
+        "bool": {
             "Type": "AllowedValues",
             "Description": "A boolean value e.g. 'true'",
             "AllowedValues": {
@@ -113,7 +114,7 @@
                 ]
             }
         },
-        "number" : {
+        "number": {
             "Type": "Valid",
             "Description": "A number e.g. '123'",
             "Valid": "^(0|[1-9][0-9]*)$"
@@ -129,7 +130,7 @@
                 ]
             }
         },
-        "cidr_range" : {
+        "cidr_range": {
             "Type": "Valid",
             "Description": "A valid CIDR range e.g '10.0.0.0/16'",
             "Valid": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/(3[0-2]|[1-2][0-9]|[0-9]))$"

diff --git a/templates/complete/config.yaml b/templates/complete/config.yaml
@@ -0,0 +1,44 @@
+archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary.
+  root_name: es
+  root_id: Enterprise-Scale
+  deploy_corp_landing_zones: true
+  deploy_online_landing_zones: true
+  default_location: uksouth
+  deploy_management_resources: true
+  configure_management_resources:
+    location: uksouth
+    settings:
+      security_center:
+        config:
+          email_security_contact: "security_contact@replace_me"
+    advanced:
+      asc_export_resource_group_name: rg-asc-export
+      custom_settings_by_resource_type:
+        azurerm_resource_group:
+          management:
+            name: rg-management
+        azurerm_log_analytics_workspace:
+          management:
+            name: log-management
+        azurerm_automation_account:
+          management:
+            name: aa-management
+connectivity:
+  hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary.
+    hub_virtual_networks:
+      primary:
+        name: vnet-hub
+        resource_group_name: rg-connectivity
+        location: uksouth
+        address_space:
+          - 10.0.0.0/16
+        firewall:
+          name: fw-hub
+          sku_name: AZFW_VNet
+          sku_tier: Standard
+          subnet_address_prefix: 10.0.1.0/24
+        virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary.
+          name: vgw-hub
+          sku: VpnGw1
+          type: Vpn
+          subnet_address_prefix: 10.0.2.0/24
diff --git a/templates/complete/data.tf b/templates/complete/data.tf
@@ -0,0 +1 @@
+data "azurerm_client_config" "core" {}
diff --git a/templates/complete/locals.tf b/templates/complete/locals.tf
@@ -0,0 +1,27 @@
+locals {
+  config     = yamldecode(file("${path.module}/config.yaml"))
+  archetypes = local.config.archetypes
+  hub_virtual_networks = {
+    for k, v in local.config.connectivity.hubnetworking.hub_virtual_networks : k => {
+      for k2, v2 in v : k2 => v2 if k2 != "virtual_network_gateway"
+    }
+  }
+  vritual_network_gateways = {
+    for k, v in local.config.connectivity.hubnetworking.hub_virtual_networks : k => merge(
+      v.virtual_network_gateway,
+      {
+        location                            = v.location
+        virtual_network_name                = v.name
+        virtual_network_resource_group_name = v.resource_group_name
+      }
+    )
+  }
+  dummy_hub_virtual_network = {
+    hub = {
+      name                = "dummy"
+      address_space       = ["0.0.0.0/0"]
+      location            = "dummy"
+      resource_group_name = "dummy"
+    }
+  }
+}
diff --git a/templates/complete/main.tf b/templates/complete/main.tf
@@ -0,0 +1,99 @@
+module "enterprise-scale" {
+  source  = "Azure/caf-enterprise-scale/azurerm"
+  version = "4.2.0"
+
+  default_location = local.archetypes.default_location
+  root_parent_id   = try(local.archetypes.root_parent_id, data.azurerm_client_config.core.tenant_id)
+
+  archetype_config_overrides                              = try(local.archetypes.archetype_config_overrides, {})
+  configure_connectivity_resources                        = try(local.archetypes.configure_connectivity_resources, {})
+  configure_identity_resources                            = try(local.archetypes.configure_identity_resources, {})
+  configure_management_resources                          = try(local.archetypes.configure_management_resources, {})
+  create_duration_delay                                   = try(local.archetypes.create_duration_delay, {})
+  custom_landing_zones                                    = try(local.archetypes.custom_landing_zones, {})
+  custom_policy_roles                                     = try(local.archetypes.custom_policy_roles, {})
+  default_tags                                            = try(local.archetypes.default_tags, {})
+  deploy_connectivity_resources                           = try(local.archetypes.deploy_connectivity_resources, false)
+  deploy_core_landing_zones                               = try(local.archetypes.deploy_core_landing_zones, true)
+  deploy_corp_landing_zones                               = try(local.archetypes.deploy_corp_landing_zones, false)
+  deploy_demo_landing_zones                               = try(local.archetypes.deploy_demo_landing_zones, false)
+  deploy_diagnostics_for_mg                               = try(local.archetypes.deploy_diagnostics_for_mg, false)
+  deploy_identity_resources                               = try(local.archetypes.deploy_identity_resources, false)
+  deploy_management_resources                             = try(local.archetypes.deploy_management_resources, false)
+  deploy_online_landing_zones                             = try(local.archetypes.deploy_online_landing_zones, false)
+  deploy_sap_landing_zones                                = try(local.archetypes.deploy_sap_landing_zones, false)
+  destroy_duration_delay                                  = try(local.archetypes.destroy_duration_delay, {})
+  disable_base_module_tags                                = try(local.archetypes.disable_base_module_tags, false)
+  disable_telemetry                                       = try(local.archetypes.disable_telemetry, false)
+  library_path                                            = try(local.archetypes.library_path, "")
+  policy_non_compliance_message_default                   = try(local.archetypes.policy_non_compliance_message_default, "This resource {enforcementMode} be compliant with the assigned policy.")
+  policy_non_compliance_message_default_enabled           = try(local.archetypes.policy_non_compliance_message_default_enabled, true)
+  policy_non_compliance_message_enabled                   = try(local.archetypes.policy_non_compliance_message_enabled, true)
+  policy_non_compliance_message_enforced_replacement      = try(local.archetypes.policy_non_compliance_message_enforced_replacement, "must")
+  policy_non_compliance_message_enforcement_placeholder   = try(local.archetypes.policy_non_compliance_message_enforcement_placeholder, "{enforcementMode}")
+  policy_non_compliance_message_not_enforced_replacement  = try(local.archetypes.policy_non_compliance_message_not_enforced_replacement, "should")
+  policy_non_compliance_message_not_supported_definitions = try(local.archetypes.policy_non_compliance_message_not_supported_definitions, ["/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"])
+  resource_custom_timeouts                                = try(local.archetypes.resource_custom_timeouts, {})
+  root_id                                                 = try(local.archetypes.root_id, "es")
+  root_name                                               = try(local.archetypes.root_name, "Enterprise-Scale")
+  strict_subscription_association                         = try(local.archetypes.strict_subscription_association, true)
+  subscription_id_connectivity                            = var.subscription_id_connectivity
+  subscription_id_identity                                = var.subscription_id_identity
+  subscription_id_management                              = var.subscription_id_management
+  subscription_id_overrides                               = try(local.archetypes.subscription_id_overrides, {})
+  template_file_variables                                 = try(local.archetypes.template_file_variables, {})
+
+
+  providers = {
+    azurerm              = azurerm
+    azurerm.connectivity = azurerm.connectivity
+    azurerm.management   = azurerm.management
+  }
+}
+
+module "hubnetworking" {
+  source  = "Azure/hubnetworking/azurerm"
+  version = "1.1.0"
+  count   = length(local.hub_virtual_networks) > 0 ? 1 : 0
+
+  hub_virtual_networks = length(local.hub_virtual_networks) > 0 ? local.hub_virtual_networks : local.dummy_hub_virtual_network
+
+  providers = {
+    azurerm = azurerm.connectivity
+  }
+}
+
+module "vnet-gateway" {
+  source  = "Azure/vnet-gateway/azurerm"
+  version = "0.1.2"
+
+  for_each = local.vritual_network_gateways
+
+  location                            = each.value.location
+  name                                = each.value.name
+  sku                                 = each.value.sku
+  subnet_address_prefix               = each.value.subnet_address_prefix
+  type                                = each.value.type
+  virtual_network_name                = each.value.virtual_network_name
+  virtual_network_resource_group_name = each.value.virtual_network_resource_group_name
+  default_tags                        = try(each.value.default_tags, null)
+  edge_zone                           = try(each.value.edge_zone, null)
+  express_route_circuits              = try(each.value.express_route_circuits, null)
+  ip_configurations                   = try(each.value.ip_configurations, null)
+  local_network_gateways              = try(each.value.local_network_gateways, null)
+  tags                                = try(each.value.tags, null)
+  vpn_active_active_enabled           = try(each.value.vpn_active_active_enabled, null)
+  vpn_bgp_enabled                     = try(each.value.vpn_bgp_enabled, null)
+  vpn_bgp_settings                    = try(each.value.vpn_bgp_settings, null)
+  vpn_generation                      = try(each.value.vpn_generation, null)
+  vpn_point_to_site                   = try(each.value.vpn_point_to_site, null)
+  vpn_type                            = try(each.value.vpn_type, null)
+
+  providers = {
+    azurerm = azurerm.connectivity
+  }
+
+  depends_on = [
+    module.hubnetworking
+  ]
+}
diff --git a/templates/complete/variables.tf b/templates/complete/variables.tf
@@ -0,0 +1,14 @@
+variable "subscription_id_connectivity" {
+  description = "value of the subscription id for the Connectivity subscription"
+  type        = string
+}
+
+variable "subscription_id_identity" {
+  description = "value of the subscription id for the Identity subscription"
+  type        = string
+}
+
+variable "subscription_id_management" {
+  description = "value of the subscription id for the Management subscription"
+  type        = string
+}
diff --git a/templates/complete/versions.tf b/templates/complete/versions.tf
@@ -0,0 +1,23 @@
+terraform {
+  required_version = ">= 0.12"
+  required_providers {
+    azurerm = ">= 3.0.0"
+  }
+  # backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azurerm" {
+  alias           = "management"
+  subscription_id = var.subscription_id_management
+  features {}
+}
+
+provider "azurerm" {
+  alias           = "connectivity"
+  subscription_id = var.subscription_id_connectivity
+  features {}
+}