From 657db79310329a0fe9307fff8518f9c044eb60af Mon Sep 17 00:00:00 2001 From: khaman-pet <118238939+khaman-pet@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:55:16 +0800 Subject: [PATCH 001/244] add keyvault_uri; fix the keyvault request that gets data from keyvault secrets --- keyvault_certificate_requests.tf | 3 ++- modules/security/keyvault_certificate_request/global_sign.tf | 2 +- modules/security/keyvault_certificate_request/output.tf | 3 +++ modules/security/keyvault_certificate_request/variables.tf | 1 + 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/keyvault_certificate_requests.tf b/keyvault_certificate_requests.tf index eef12534d1..0cf9cc3e0a 100644 --- a/keyvault_certificate_requests.tf +++ b/keyvault_certificate_requests.tf @@ -6,8 +6,9 @@ module "keyvault_certificate_requests" { depends_on = [module.keyvault_certificate_issuers, module.domain_name_registrations] source = "./modules/security/keyvault_certificate_request" for_each = local.security.keyvault_certificate_requests - + keyvault_id = can(each.value.keyvault_id) ? each.value.keyvault_id : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].id + keyvault_uri = can(each.value.keyvault_uri) ? each.value.keyvault_uri : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].vault_uri cert_secret_name = can(each.value.cert_secret_name) || can(each.value.cert_password_key) == false ? try(each.value.cert_secret_name, null) : var.security.dynamic_keyvault_secrets[each.value.keyvault_key][each.value.cert_password_key].secret_name certificate_issuers = try(var.security.keyvault_certificate_issuers, {}) settings = each.value diff --git a/modules/security/keyvault_certificate_request/global_sign.tf b/modules/security/keyvault_certificate_request/global_sign.tf index 4d37d173f1..ab89721e1e 100644 --- a/modules/security/keyvault_certificate_request/global_sign.tf 
+++ b/modules/security/keyvault_certificate_request/global_sign.tf @@ -5,7 +5,7 @@ data "external" "password" { "bash", "-c", format( "az keyvault secret show --id '%s'secrets/'%s' --query '{value: value}' -o json", - var.keyvault_id, + var.keyvault_uri, var.cert_secret_name ) ] diff --git a/modules/security/keyvault_certificate_request/output.tf b/modules/security/keyvault_certificate_request/output.tf index be939cec82..306e00551f 100644 --- a/modules/security/keyvault_certificate_request/output.tf +++ b/modules/security/keyvault_certificate_request/output.tf @@ -4,6 +4,9 @@ output "id" { output "keyvault_id" { value = var.keyvault_id } +output "keyvault_uri" { + value = var.keyvault_uri +} output "secret_id" { value = azurerm_key_vault_certificate.csr.secret_id } diff --git a/modules/security/keyvault_certificate_request/variables.tf b/modules/security/keyvault_certificate_request/variables.tf index 5f3a19f4c3..df115d8202 100644 --- a/modules/security/keyvault_certificate_request/variables.tf +++ b/modules/security/keyvault_certificate_request/variables.tf @@ -2,6 +2,7 @@ variable "certificate_issuers" { default = {} } variable "keyvault_id" {} +variable "keyvault_uri" {} variable "settings" {} variable "domain_name_registrations" { default = {} From 48459262860397d3e7827242c0a3630b430ef92f Mon Sep 17 00:00:00 2001 From: Marco Mansi Date: Thu, 12 Oct 2023 15:26:04 +0200 Subject: [PATCH 002/244] add secure_boot_enabled and vtpm_enabled options --- modules/compute/virtual_machine/vm_linux.tf | 7 +++++-- modules/compute/virtual_machine/vm_windows.tf | 3 +++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index cf8ca67bd9..a791462a52 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
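Review bot: The `az keyvault secret show` command is still assembled with `format()` and handed to `bash -c`, so a `keyvault_uri` or `cert_secret_name` containing a single quote or other shell metacharacter breaks the quoting and changes the command that actually runs; the hunk only swaps which variable is interpolated into it. `data "external"` takes `program` as an argument list, so the shell is not needed: `program = ["az", "keyvault", "secret", "show", "--id", "${var.keyvault_uri}secrets/${var.cert_secret_name}", "--query", "{value: value}", "-o", "json"]` keeps each value as exactly one argv entry whatever it contains and yields the same JSON. Since this data source returns the secret value, it also ends up in Terraform state, which is worth a one-line comment above the block. The `data "external" "password"` block starts before the hunk.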
@@ -76,13 +76,16 @@ resource "azurerm_linux_virtual_machine" "vm" { size = each.value.size tags = merge(local.tags, try(each.value.tags, null)) zone = try(each.value.zone, null) + secure_boot_enabled = try(each.value.secure_boot_enabled, null) + vtpm_enabled = try(each.value.vtpm_enabled, null) + custom_data = try( try( try(local_sensitive_file.custom_data[each.key].content_base64, local.dynamic_custom_data[each.value.custom_data][each.value.name]), - try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))), + try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))), null) - + dedicated_host_id = can(each.value.dedicated_host.key) ? var.dedicated_hosts[try(each.value.dedicated_host.lz_key, var.client_config.landingzone_key)][each.value.dedicated_host.key].id : try(each.value.dedicated_host.id, null) diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 979bb89ddc..6d1d37ee14 100644 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf @@ -63,6 +63,9 @@ resource "azurerm_windows_virtual_machine" "vm" { tags = merge(local.tags, try(each.value.tags, null)) timezone = try(each.value.timezone, null) zone = try(each.value.zone, null) + secure_boot_enabled = try(each.value.secure_boot_enabled, null) + vtpm_enabled = try(each.value.vtpm_enabled, null) + custom_data = try( try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)), From ce2346b1c0fa72b5e56bbf43be495c6c106289c9 Mon Sep 17 00:00:00 2001 
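Review bot: `secure_boot_enabled` and `vtpm_enabled` are added to the Linux resource (and, further down this line, to `azurerm_windows_virtual_machine`) without a comment on what setting them implies; as far as I recall the provider treats both as force-new and they need a Trusted Launch capable (Gen2) image, so turning either on for an existing VM recreates it — worth confirming and stating next to the attributes, e.g. `# Trusted Launch: changing these recreates the VM and requires a Gen2/Trusted Launch image`. With `try(..., null)` the provider default applies, so VMs stay without secure boot and vTPM unless each definition opts in; if a hardened baseline is the intent, a module-wide default would be the place to set it rather than per VM. Both resource blocks continue outside the hunks.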
From: Simon Schneider Date: Wed, 25 Oct 2023 15:09:29 +0000 Subject: [PATCH 003/244] feat(virtual_hubs): p2s_config keyvault secret --- .../standalone-scenarios-longrunners.json | 1 + .../virtual_wan.tfvars | 98 +++++++++++++++++++ modules/networking/virtual_wan/variables.tf | 5 +- .../virtual_hub/point_to_site_gateway.tf | 10 +- .../virtual_wan/virtual_hub/variables.tf | 5 +- modules/networking/virtual_wan/virtual_wan.tf | 1 + networking_virtual_hubs.tf | 1 + networking_virtual_wan.tf | 1 + 8 files changed, 119 insertions(+), 3 deletions(-) create mode 100644 examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json index 653d5955ce..dc0d12268f 100644 --- a/.github/workflows/standalone-scenarios-longrunners.json +++ b/.github/workflows/standalone-scenarios-longrunners.json @@ -30,6 +30,7 @@ "networking/virtual_wan/104-vwan-hub-gw-spp", "networking/virtual_wan/105-vwan-hub-route-table", "networking/virtual_wan/109-vwan-vpn-gateway-connection", + "networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert", "redis_cache/100-redis-standard", "redis_cache/101-redis-diagnostics", "redis_cache/102-redis-private", diff --git a/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars b/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars new file mode 100644 index 0000000000..6dea339306 --- /dev/null +++ b/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars 
@@ -0,0 +1,98 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } +} + +provider_azurerm_features_keyvault = { + // set to true to cleanup the CI + purge_soft_delete_on_destroy = true +} + +resource_groups = { + hub_re1 = { + name = "vnet-hub-re1" + region = "region1" + } +} + +keyvaults = { + vwan-kv = { + name = "vwan-kv" + resource_group_key = "hub_re1" + sku_name = "standard" + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + } + secrets = { + ca_cert = { + name = "ca-cert" + value = < Date: Mon, 6 Nov 2023 15:53:37 +0100 Subject: [PATCH 004/244] Added tags to eventgrid resources --- eventgrid.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/eventgrid.tf b/eventgrid.tf index c030458b28..c26e4a05d2 100755 --- a/eventgrid.tf +++ b/eventgrid.tf @@ -5,6 +5,7 @@ module "eventgrid_domain" { global_settings = local.global_settings client_config = local.client_config settings = each.value + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location 
@@ -25,6 +26,7 @@ module "eventgrid_topic" { global_settings = local.global_settings client_config = local.client_config settings = each.value + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location @@ -44,7 +46,6 @@ module "eventgrid_event_subscription" { client_config = local.client_config settings = each.value - remote_objects = { all = local.remote_objects, functions = local.combined_objects_function_apps, @@ -75,4 +76,4 @@ module "eventgrid_domain_topic" { } output "eventgrid_domain_topic" { value = module.eventgrid_domain_topic -} \ No newline at end of file +} From 89b47beba79c662e75a18065b1425a586e5b816b Mon Sep 17 00:00:00 2001 From: shanoor <17402800+shanoor@users.noreply.github.com> Date: Mon, 6 Nov 2023 15:56:25 +0100 Subject: [PATCH 005/244] Added support for different remote LZ for script storage account and managed identity --- modules/compute/virtual_machine_extensions/custom_script.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/compute/virtual_machine_extensions/custom_script.tf b/modules/compute/virtual_machine_extensions/custom_script.tf index 7bd96425c2..e6afbca035 100644 --- a/modules/compute/virtual_machine_extensions/custom_script.tf +++ b/modules/compute/virtual_machine_extensions/custom_script.tf 
@@ -43,7 +43,7 @@ locals { # managed identity identity_type = try(var.extension.identity_type, "") #userassigned, systemassigned or null managed_local_identity = try(var.managed_identities[var.client_config.landingzone_key][var.extension.managed_identity_key].principal_id, "") - managed_remote_identity = try(var.managed_identities[var.extension.lz_key][var.extension.managed_identity_key].principal_id, "") + managed_remote_identity = try(var.managed_identities[var.extension.managed_identity_lz_key][var.extension.managed_identity_key].principal_id, var.managed_identities[var.extension.lz_key][var.extension.managed_identity_key].principal_id, "") provided_identity = try(var.extension.managed_identity_id, "") managed_identity = try(coalesce(local.managed_local_identity, local.managed_remote_identity, local.provided_identity), "") @@ -71,7 +71,7 @@ locals { # fileuris fileuri_sa_key = try(var.extension.fileuri_sa_key, "") fileuri_sa_path = try(var.extension.fileuri_sa_path, "") - fileuri_sa = local.fileuri_sa_key != "" ? try(var.storage_accounts[var.extension.lz_key][var.extension.fileuri_sa_key].primary_blob_endpoint, var.storage_accounts[var.client_config.landingzone_key][var.extension.fileuri_sa_key].primary_blob_endpoint) : "" + fileuri_sa = local.fileuri_sa_key != "" ? try(var.storage_accounts[var.extension.fileuri_sa_lz_key][var.extension.fileuri_sa_key].primary_blob_endpoint, var.storage_accounts[var.extension.lz_key][var.extension.fileuri_sa_key].primary_blob_endpoint, var.storage_accounts[var.client_config.landingzone_key][var.extension.fileuri_sa_key].primary_blob_endpoint) : "" fileuri_sa_full_path = "${local.fileuri_sa}${local.fileuri_sa_path}" fileuri_sa_defined = try(var.extension.fileuris, "") fileuris = local.fileuri_sa_defined == "" ? [local.fileuri_sa_full_path] : var.extension.fileuris From 833c77bb85c6bf1d709116e8a6460b979c21fb70 Mon Sep 17 00:00:00 2001 
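Review bot: The new first element of each `try()` chain extends a silent fallback: a mistyped `fileuri_sa_lz_key` falls through to `var.extension.lz_key` and then to the local landing zone, and the custom script extension then downloads and runs a script from whichever storage account happened to match instead of failing the plan; the `managed_remote_identity` lookup in the first hunk has the same shape. If the fallback is not deliberate, resolve the landing-zone key once and index without `try()` so a wrong key is an error: `fileuri_sa_lz_key = try(var.extension.fileuri_sa_lz_key, var.extension.lz_key, var.client_config.landingzone_key)` and `fileuri_sa = local.fileuri_sa_key != "" ? var.storage_accounts[local.fileuri_sa_lz_key][local.fileuri_sa_key].primary_blob_endpoint : ""`. If the cascade is intended, a comment stating the resolution order (`managed_identity_lz_key` → `lz_key` → local landing zone) would at least make it visible. The `locals` block continues outside both hunks.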
From: =?UTF-8?q?Hein=20Tonny=20K=C3=B8ien?= Date: Wed, 8 Nov 2023 04:12:18 +0100 Subject: [PATCH 006/244] Blinq global settings override custom role (#1845) * remove outcommented block * support global_settings override in custom_roles module * remove outcommented block * remove newline --------- Co-authored-by: Magnus Longva --- modules/roles/custom_roles/module.tf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/roles/custom_roles/module.tf b/modules/roles/custom_roles/module.tf index afcc8b8aa9..81d5bf91c1 100644 --- a/modules/roles/custom_roles/module.tf +++ b/modules/roles/custom_roles/module.tf @@ -1,13 +1,17 @@ +locals { + global_settings = merge(var.global_settings, var.custom_role.global_settings) +} + resource "azurecaf_name" "custom_role" { name = var.custom_role.name resource_type = "azurerm_resource_group" #TODO: need to be changed to appropriate resource (no caf reference for now) - prefixes = var.global_settings.prefixes - random_length = var.global_settings.random_length + prefixes = local.global_settings.prefixes + random_length = local.global_settings.random_length clean_input = true - passthrough = var.global_settings.passthrough - use_slug = var.global_settings.use_slug + passthrough = local.global_settings.passthrough + use_slug = local.global_settings.use_slug } resource "azurerm_role_definition" "custom_role" { From ccf3e803b50fdba71961ab6c79953996c2b838e0 Mon Sep 17 00:00:00 2001 From: Oleksandr Trapeznikov Date: Tue, 14 Nov 2023 16:45:10 +0000 Subject: [PATCH 007/244] add servicebus_topics scope for role assignment --- keyvault_certificate_requests.tf | 2 +- roles.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/keyvault_certificate_requests.tf b/keyvault_certificate_requests.tf index 0cf9cc3e0a..5ef559fa40 100644 --- a/keyvault_certificate_requests.tf +++ b/keyvault_certificate_requests.tf 
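Review bot: `merge(var.global_settings, var.custom_role.global_settings)` in the new `locals` block raises an unsupported-attribute error for every custom role definition that does not carry a `global_settings` key, unless `var.custom_role` is typed with that attribute as optional somewhere outside this diff; the commit message presents the override as optional. `global_settings = merge(var.global_settings, try(var.custom_role.global_settings, {}))` keeps existing definitions working. A one-line comment naming the keys the override affects here (`prefixes`, `random_length`, `passthrough`, `use_slug`, per the lines below) would help readers.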
@@ -6,7 +6,7 @@ module "keyvault_certificate_requests" { depends_on = [module.keyvault_certificate_issuers, module.domain_name_registrations] source = "./modules/security/keyvault_certificate_request" for_each = local.security.keyvault_certificate_requests - + keyvault_id = can(each.value.keyvault_id) ? each.value.keyvault_id : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].id keyvault_uri = can(each.value.keyvault_uri) ? each.value.keyvault_uri : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].vault_uri cert_secret_name = can(each.value.cert_secret_name) || can(each.value.cert_password_key) == false ? try(each.value.cert_secret_name, null) : var.security.dynamic_keyvault_secrets[each.value.keyvault_key][each.value.cert_password_key].secret_name diff --git a/roles.tf b/roles.tf index 168c351c07..68c1c58790 100644 --- a/roles.tf +++ b/roles.tf @@ -156,6 +156,7 @@ locals { resource_groups = local.combined_objects_resource_groups route_tables = local.combined_objects_route_tables servicebus_namespaces = local.combined_objects_servicebus_namespaces + servicebus_topics = local.combined_objects_servicebus_topics storage_accounts = local.combined_objects_storage_accounts subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces From 044027f5d69d552b6340258ffaafeec80f17e7fb Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 15 Nov 2023 04:22:41 +0000 Subject: [PATCH 008/244] Update for virtual_router_auto_scale_min_capacity attribute --- .../106-vwan-hub-routes/virtual_wan.tfvars | 17 +++++++++-------- .../virtual_hub/point_to_site_gateway.tf | 6 +++--- .../virtual_wan/virtual_hub/virtual_hub.tf | 17 +++++++++-------- 3 files changed, 21 insertions(+), 19 deletions(-) 
diff --git a/examples/networking/virtual_wan/106-vwan-hub-routes/virtual_wan.tfvars b/examples/networking/virtual_wan/106-vwan-hub-routes/virtual_wan.tfvars index 2f1b32e29b..cd0789bfcd 100644 --- a/examples/networking/virtual_wan/106-vwan-hub-routes/virtual_wan.tfvars +++ b/examples/networking/virtual_wan/106-vwan-hub-routes/virtual_wan.tfvars @@ -20,14 +20,15 @@ virtual_wans = { hubs = { hub_re1 = { - hub_name = "hub-re1" - region = "region1" - hub_address_prefix = "10.0.3.0/24" - deploy_p2s = false - p2s_config = {} - deploy_s2s = false - s2s_config = {} - deploy_er = false + hub_name = "hub-re1" + region = "region1" + hub_address_prefix = "10.0.3.0/24" + virtual_router_auto_scale_min_capacity = 4 + deploy_p2s = false + p2s_config = {} + deploy_s2s = false + s2s_config = {} + deploy_er = false routes = { route1 = { address_prefixes = ["10.0.5.0/25"] diff --git a/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf index 1412176ebc..01ecfdae01 100644 --- a/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf +++ b/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf @@ -72,9 +72,9 @@ resource "azurerm_vpn_server_configuration" "p2s_configuration" { for_each = can(var.virtual_hub_config.p2s_config.server_config.azure_active_directory_authentication) ? [1] : [] content { audience = var.virtual_hub_config.p2s_config.server_config.azure_active_directory_authentication.audience - tenant = var.virtual_hub_config.p2s_config.server_config.azure_active_directory_authentication.tenant - issuer = var.virtual_hub_config.p2s_config.server_config.azure_active_directory_authentication.issuer - } + tenant = var.virtual_hub_config.p2s_config.server_config.azure_active_directory_authentication.tenant + issuer = var.virtual_hub_config.p2s_config.server_config.azure_active_directory_authentication.issuer + } } } 
diff --git a/modules/networking/virtual_wan/virtual_hub/virtual_hub.tf b/modules/networking/virtual_wan/virtual_hub/virtual_hub.tf index 81ddefb39e..bb9d7eeb9b 100644 --- a/modules/networking/virtual_wan/virtual_hub/virtual_hub.tf +++ b/modules/networking/virtual_wan/virtual_hub/virtual_hub.tf @@ -11,14 +11,15 @@ resource "azurecaf_name" "vwan_hub" { ## creates a virtual hub in the region resource "azurerm_virtual_hub" "vwan_hub" { - name = azurecaf_name.vwan_hub.result - resource_group_name = var.resource_group_name - location = var.location - virtual_wan_id = var.vwan_id - sku = try(var.virtual_hub_config.sku, null) - address_prefix = try(var.virtual_hub_config.hub_address_prefix, null) - hub_routing_preference = try(var.virtual_hub_config.hub_routing_preference, null) - tags = local.tags + name = azurecaf_name.vwan_hub.result + resource_group_name = var.resource_group_name + location = var.location + virtual_wan_id = var.vwan_id + sku = try(var.virtual_hub_config.sku, null) + address_prefix = try(var.virtual_hub_config.hub_address_prefix, null) + hub_routing_preference = try(var.virtual_hub_config.hub_routing_preference, null) + virtual_router_auto_scale_min_capacity = try(var.virtual_hub_config.virtual_router_auto_scale_min_capacity, null) + tags = local.tags dynamic "route" { for_each = try(var.virtual_hub_config.routes, {}) From 82a330491b44ebd8f7a3d4a618a320d63852ffa2 Mon Sep 17 00:00:00 2001 From: Marco Mansi Date: Wed, 15 Nov 2023 08:18:25 +0100 Subject: [PATCH 009/244] - add immutability - add public_network_access_enabled --- modules/recovery_vault/recovery_vault.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/recovery_vault/recovery_vault.tf b/modules/recovery_vault/recovery_vault.tf index 4d73f65dba..bcf380f09e 100644 --- a/modules/recovery_vault/recovery_vault.tf +++ b/modules/recovery_vault/recovery_vault.tf 
@@ -19,6 +19,8 @@ resource "azurerm_recovery_services_vault" "asr" { tags = merge(local.tags, try(var.settings.tags, null)) soft_delete_enabled = try(var.settings.soft_delete_enabled, true) storage_mode_type = try(var.settings.storage_mode_type, "GeoRedundant") + public_network_access_enabled = try(var.settings.public_network_access_enabled, true) + immutability = try(var.settings.immutability, null) identity { type = "SystemAssigned" From c6a82534f77a89d2aa01ead56ba0526513f0b216 Mon Sep 17 00:00:00 2001 From: Marco Mansi Date: Wed, 15 Nov 2023 08:24:47 +0100 Subject: [PATCH 010/244] formatting --- modules/recovery_vault/recovery_vault.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/recovery_vault/recovery_vault.tf b/modules/recovery_vault/recovery_vault.tf index bcf380f09e..80b3924e7c 100644 --- a/modules/recovery_vault/recovery_vault.tf +++ b/modules/recovery_vault/recovery_vault.tf @@ -12,13 +12,13 @@ resource "azurecaf_name" "asr_rg_vault" { } resource "azurerm_recovery_services_vault" "asr" { - name = azurecaf_name.asr_rg_vault.result - location = local.location - resource_group_name = local.resource_group_name - sku = "Standard" - tags = merge(local.tags, try(var.settings.tags, null)) - soft_delete_enabled = try(var.settings.soft_delete_enabled, true) - storage_mode_type = try(var.settings.storage_mode_type, "GeoRedundant") + name = azurecaf_name.asr_rg_vault.result + location = local.location + resource_group_name = local.resource_group_name + sku = "Standard" + tags = merge(local.tags, try(var.settings.tags, null)) + soft_delete_enabled = try(var.settings.soft_delete_enabled, true) + storage_mode_type = try(var.settings.storage_mode_type, "GeoRedundant") public_network_access_enabled = try(var.settings.public_network_access_enabled, true) immutability = try(var.settings.immutability, null) From 0afee43590a9cb92ed0fa755b4598cb71ba735bd Mon Sep 17 00:00:00 2001 
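Review bot: `immutability = try(var.settings.immutability, null)` exposes a vault setting that, per the Azure documentation as I recall, cannot be reverted once set to `Locked`; a later change back is rejected by the service rather than by Terraform, which is worth confirming and stating with a comment such as `# immutability: "Locked" is irreversible on the service side; use "Unlocked" to trial the setting`. The `public_network_access_enabled` default of `true` on this line is changed to `null` by a later patch in this series, so no separate note on it. The resource block continues outside the hunk.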
From: Arnaud Lheureux Date: Wed, 15 Nov 2023 15:59:19 +0800 Subject: [PATCH 011/244] Update modules/recovery_vault/recovery_vault.tf --- modules/recovery_vault/recovery_vault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/recovery_vault/recovery_vault.tf b/modules/recovery_vault/recovery_vault.tf index 80b3924e7c..eecd16a3ac 100644 --- a/modules/recovery_vault/recovery_vault.tf +++ b/modules/recovery_vault/recovery_vault.tf @@ -19,7 +19,7 @@ resource "azurerm_recovery_services_vault" "asr" { tags = merge(local.tags, try(var.settings.tags, null)) soft_delete_enabled = try(var.settings.soft_delete_enabled, true) storage_mode_type = try(var.settings.storage_mode_type, "GeoRedundant") - public_network_access_enabled = try(var.settings.public_network_access_enabled, true) + public_network_access_enabled = try(var.settings.public_network_access_enabled, null) immutability = try(var.settings.immutability, null) identity { From df0a1ae3b544bb3db231b3aa93292ef170db0c64 Mon Sep 17 00:00:00 2001 
From: leethanh2112 <33690376+leethanh2112@users.noreply.github.com> Date: Thu, 16 Nov 2023 17:23:21 +0700 Subject: [PATCH 012/244] Create Backup Policy for SQLDatabase and SAPHanaDatabase (#1843) * init code for backup policy vm workload * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * update code * separate SQLDatabase and SAPHana * init code example * revert code * refactor backup policy code * add example to workflow 106 * refactor backup_policies_vm_workloads implementation * enforce required for backup block * fix policy_type error * fix protection_policy error * add saphana tfvars --------- Co-authored-by: thanhlcao Co-authored-by: khairi --- .github/workflows/standalone-scenarios.json | 1 + .../configuration.tfvars | 13 ++++ .../recovery_vaults.tfvars | 73 +++++++++++++++++ .../backup_policies_vm_workload.tf | 78 +++++++++++++++++++ modules/recovery_vault/outputs.tf | 1 + 5 files changed, 166 insertions(+) create mode 100644 examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/configuration.tfvars create mode 100644 examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars create mode 100644 modules/recovery_vault/backup_policies_vm_workload.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 38c6d74801..8e74ef48c4 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -136,6 +136,7 @@ "recovery_vault/103-asr-with-private-endpoint", "recovery_vault/104-backupvault-with-private-endpoint", "recovery_vault/105-asr-with-network-mapping", + "recovery_vault/106-backupvault-with-sqldatabase-saphana", "redis_cache/103-redis-private-endpoints", "role_mapping/100-simple-role-mapping", "role_mapping/101-function-app-managed-identity", diff --git a/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/configuration.tfvars b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/configuration.tfvars new file mode 100644 index 0000000000..85e59b2476 --- /dev/null +++ b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/configuration.tfvars @@ -0,0 +1,13 @@ +global_settings = { + regions = { + region1 = "australiaeast" + } +} +resource_groups = { + primary = { + name = "backup_policy_sql" + region = "region1" + } +} + + diff --git a/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars new file mode 100644 index 0000000000..b744f026c2 --- /dev/null +++ b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars 
@@ -0,0 +1,73 @@ +recovery_vaults = { + asr1 = { + name = "vault_re1" + resource_group_key = "primary" + region = "region1" + vnet_key = "vnet_region1" + subnet_key = "asr_subnet" + + soft_delete_enabled = false + backup_policies = { + vm_workloads = { + sql = { + name = "SQLTest" + workload_type = "SQLDataBase" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" + compression_enabled = false + protection_policies = { + sqlfull = { + policy_type = "Full" + backup = { + frequency = "Daily" + time = "15:00" + } + retention_daily = { + count = 8 + } + } + sqllog = { + policy_type = "Log" + backup = { + frequency_in_minutes = 15 + } + simple_retention = { + count = 8 + } + } + } + } + saphana = { + name = "SAPHANATest" + workload_type = "SAPHanaDatabase" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" + compression_enabled = false + protection_policies = { + saphanafull = { + policy_type = "Full" + backup = { + frequency = "Daily" + time = "15:00" + } + retention_daily = { + count = 8 + } + } + saphanalog = { + policy_type = "Log" + backup = { + frequency_in_minutes = 15 + } + simple_retention = { + count = 8 + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/modules/recovery_vault/backup_policies_vm_workload.tf b/modules/recovery_vault/backup_policies_vm_workload.tf new file mode 100644 index 0000000000..b40bffdeda --- /dev/null +++ b/modules/recovery_vault/backup_policies_vm_workload.tf 
@@ -0,0 +1,78 @@ +resource "azurerm_backup_policy_vm_workload" "vm_workload" { + for_each = try(var.settings.backup_policies.vm_workloads, {}) + + name = each.value.name + resource_group_name = local.resource_group_name + recovery_vault_name = azurerm_recovery_services_vault.asr.name + workload_type = each.value.workload_type + + settings { + time_zone = each.value.timezone + compression_enabled = each.value.compression_enabled + } + + dynamic "protection_policy" { + for_each = each.value.protection_policies + + content { + policy_type = protection_policy.value.policy_type + + backup { + frequency = try(protection_policy.value.backup.frequency, null) + frequency_in_minutes = try(protection_policy.value.backup.frequency_in_minutes, null) + time = try(protection_policy.value.backup.time, null) + weekdays = try(protection_policy.value.backup.weekdays, null) + } + + dynamic "retention_daily" { + for_each = lookup(protection_policy.value, "retention_daily", null) == null ? [] : [1] + + content { + count = protection_policy.value.retention_daily.count + } + } + + dynamic "retention_weekly" { + for_each = lookup(protection_policy.value, "retention_weekly", null) == null ? [] : [1] + + content { + count = protection_policy.value.retention_weekly.count + weekdays = protection_policy.value.retention_weekly.weekdays + } + } + + dynamic "retention_monthly" { + for_each = lookup(protection_policy.value, "retention_monthly", null) == null ? [] : [1] + + content { + count = protection_policy.value.retention_monthly.count + format_type = protection_policy.value.retention_monthly.format_type + monthdays = try(protection_policy.value.retention_monthly.monthdays, null) + weekdays = try(protection_policy.value.retention_monthly.weekdays, null) + weeks = try(protection_policy.value.retention_monthly.weeks, null) + } + } + + dynamic "retention_yearly" { + for_each = lookup(protection_policy.value, "retention_yearly", null) == null ? 
[] : [1] + + content { + count = protection_policy.value.retention_yearly.count + format_type = protection_policy.value.retention_yearly.format_type + months = protection_policy.value.retention_yearly.months + monthdays = try(protection_policy.value.retention_yearly.monthdays, null) + weekdays = try(protection_policy.value.retention_yearly.weekdays, null) + weeks = try(protection_policy.value.retention_yearly.weeks, null) + } + } + + dynamic "simple_retention" { + for_each = lookup(protection_policy.value, "simple_retention", null) == null ? [] : [1] + + content { + count = protection_policy.value.simple_retention.count + } + } + } + } +} diff --git a/modules/recovery_vault/outputs.tf b/modules/recovery_vault/outputs.tf index 936572ebe9..7ddb9fc6b3 100644 --- a/modules/recovery_vault/outputs.tf +++ b/modules/recovery_vault/outputs.tf @@ -16,6 +16,7 @@ output "backup_policies" { value = { virtual_machines = azurerm_backup_policy_vm.vm file_shares = azurerm_backup_policy_file_share.fs + vm_workloads = azurerm_backup_policy_vm_workload.vm_workload } } From 95ac26342571589573e1e44c21276738c862f7a4 Mon Sep 17 00:00:00 2001 From: Marco Mansi Date: Wed, 22 Nov 2023 16:23:20 +0100 Subject: [PATCH 013/244] Added policy_type --- modules/recovery_vault/backup_policies_vm.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/recovery_vault/backup_policies_vm.tf b/modules/recovery_vault/backup_policies_vm.tf index b8260ca75a..fd2b2847a4 100644 --- a/modules/recovery_vault/backup_policies_vm.tf +++ b/modules/recovery_vault/backup_policies_vm.tf @@ -9,6 +9,7 @@ resource "azurerm_backup_policy_vm" "vm" { recovery_vault_name = azurerm_recovery_services_vault.asr.name instant_restore_retention_days = try(each.value.instant_restore_retention_days, null) timezone = try(each.value.timezone, null) + policy_type = try(each.value.policy_type, null) dynamic "backup" { for_each = lookup(each.value, "backup", null) == null ? [] : [1] 
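Review bot: The new `azurerm_backup_policy_vm_workload` resource reads `each.value.name`, `workload_type`, `timezone` and `compression_enabled` directly, each `retention_*` block reads `.count` (and `format_type`, `weekdays`, `months`) without `try()`, and `for_each = each.value.protection_policies` requires that key, while `backup.*`, `monthdays` and `weeks` are optional — nothing in the file says which is which. The example in recovery_vaults.tfvars additionally carries `vault_key` and `rg_key`, which this resource never reads (it uses `local.resource_group_name` and `azurerm_recovery_services_vault.asr.name`), so the next user will copy dead settings. A short header comment listing the required keys per workload entry and noting that `vault_key`/`rg_key` are ignored, or dropping those two keys from the example, would close the gap.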
From 73938408d2cbee68b17d135236437bfd0cb81755 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20DELMONT?= Date: Thu, 23 Nov 2023 15:08:51 +0100 Subject: [PATCH 014/244] - New maintenance configuration module - Update azurerm_windows_virtual_machine ressource to add bypass_platform_safety_checks_on_user_schedule_enabled --- .github/workflows/standalone-scenarios.json | 3 + .../configuration.tfvars | 26 +++ .../configuration.tfvars | 41 +++++ .../configuration.tfvars | 157 ++++++++++++++++++ examples/module.tf | 5 + examples/variables.tf | 6 + locals.combined_objects.tf | 2 + locals.tf | 7 + maintenance.tf | 44 +++++ modules/compute/virtual_machine/vm_windows.tf | 50 +++--- .../assignment_virtual_machine/main.tf | 15 ++ .../assignment_virtual_machine/module.tf | 7 + .../assignment_virtual_machine/outputs.tf | 4 + .../assignment_virtual_machine/variables.tf | 34 ++++ modules/maintenance/configuration/main.tf | 16 ++ modules/maintenance/configuration/module.tf | 60 +++++++ modules/maintenance/configuration/outputs.tf | 14 ++ .../maintenance/configuration/variables.tf | 67 ++++++++ roles.tf | 1 + variables.tf | 3 + 20 files changed, 537 insertions(+), 25 deletions(-) create mode 100644 examples/maintenance_configuration/100-maintenance-configuration/configuration.tfvars create mode 100644 examples/maintenance_configuration/101-maintenance-configuration-schedule/configuration.tfvars create mode 100644 examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars create mode 100644 maintenance.tf create mode 100644 modules/maintenance/assignment_virtual_machine/main.tf create mode 100644 modules/maintenance/assignment_virtual_machine/module.tf create mode 100644 modules/maintenance/assignment_virtual_machine/outputs.tf create mode 100644 modules/maintenance/assignment_virtual_machine/variables.tf create mode 100644 modules/maintenance/configuration/main.tf create mode 100644 modules/maintenance/configuration/module.tf create mode 100644 modules/maintenance/configuration/outputs.tf create mode 100644 
modules/maintenance/configuration/variables.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 8e74ef48c4..2cffe09bd6 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -85,6 +85,9 @@ "machine_learning/100-aml", "machine_learning/101-aml-vnet", "machine_learning/102-aml-compute_instance", + "maintenance_configuration/100-maintenance-configuration", + "maintenance_configuration/101-maintenance-configuration-schedule", + "maintenance_configuration/200-maintenance-configuration-assignment-vm", "maps/101-azure-maps-account", "managed_service_identity/100-msi-levels", "mariadb_server/100-simple-mariadb", diff --git a/examples/maintenance_configuration/100-maintenance-configuration/configuration.tfvars b/examples/maintenance_configuration/100-maintenance-configuration/configuration.tfvars new file mode 100644 index 0000000000..82e88aa232 --- /dev/null +++ b/examples/maintenance_configuration/100-maintenance-configuration/configuration.tfvars @@ -0,0 +1,26 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "northeurope" + } +} + +resource_groups = { + rg1 = { + name = "rsg_umc" + region = "region1" + } +} + +maintenance_configuration = { + mc_re1 = { + name = "example-mc" + region = "region1" + resource_group_key = "rg1" + scope = "Host" + # tags = {} # optional + } +} + + + diff --git a/examples/maintenance_configuration/101-maintenance-configuration-schedule/configuration.tfvars b/examples/maintenance_configuration/101-maintenance-configuration-schedule/configuration.tfvars new file mode 100644 index 0000000000..1f4383d71c --- /dev/null +++ b/examples/maintenance_configuration/101-maintenance-configuration-schedule/configuration.tfvars 
@@ -0,0 +1,41 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "northeurope" + } +} + +resource_groups = { + rg1 = { + name = "rsg_umc" + region = "region1" + } +} + +maintenance_configuration = { + mc_re1 = { + name = "example-mc" + region = "region1" + resource_group_key = "rg1" + scope = "InGuestPatch" + in_guest_user_patch_mode = "User" + window = { + start_date_time = "2023-06-08 15:04" + duration = "03:55" + time_zone = "Romance Standard Time" + recur_every = "2Day" + } + + install_patches = { + windows = { + classifications_to_include = ["Critical", "Security"] + # kb_numbers_to_exclude = ["KB123456", "KB789012"] + # kb_numbers_to_include = ["KB345678", "KB901234"] + } + reboot = "IfRequired" + } + # tags = {} # optional + } +} + + diff --git a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars new file mode 100644 index 0000000000..db3bea1974 --- /dev/null +++ b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars 
@@ -0,0 +1,157 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "northeurope" + } +} + +resource_groups = { + rg1 = { + name = "rsg_umc" + region = "region1" + } +} + +keyvaults = { + example_vm_rg1 = { + name = "vmsecrets" + resource_group_key = "rg1" + sku_name = "standard" + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + } + } + } +} + +vnets = { + vnet_region1 = { + resource_group_key = "rg1" + vnet = { + name = "virtual_machines" + address_space = ["10.100.100.0/24"] + } + specialsubnets = {} + subnets = { + example = { + name = "examples" + cidr = ["10.100.100.0/29"] + } + } + + } +} + +public_ip_addresses = { + example_vm_pip1_rg1 = { + name = "example_vm_pip1" + resource_group_key = "rg1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + + } +} + +virtual_machines = { + + # Configuration to deploy a bastion host linux virtual machine + example_vm1 = { + resource_group_key = "rg1" + provision_vm_agent = true + # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage + # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts + # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage + boot_diagnostics_storage_account_key = "bootdiag_region1" + + os_type = "windows" + + # the auto-generated ssh key in keyvault secret. 
Secret name being {VM name}-ssh-public and {VM name}-ssh-private + keyvault_key = "example_vm_rg1" + + # Define the number of networking cards to attach the virtual machine + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "vnet_region1" + subnet_key = "example" + name = "0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + public_ip_address_key = "example_vm_pip1_rg1" + } + } + + virtual_machine_settings = { + windows = { + name = "example_vm1" + size = "Standard_F2" + admin_username = "adminuser" + + + # Spot VM to save money + priority = "Spot" + eviction_policy = "Deallocate" + + patch_mode = "AutomaticByPlatform" + bypassPlatformChecksOnUserSchedule = true + # When you want to load the file from the folder in the custom_data always use the relative path from the caf_solution in landing zones + custom_data = "../../examples/compute/virtual_machine/101-single-windows-vm/scripts/custom.ps1" + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic0"] + + os_disk = { + name = "example_vm1-os" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + + source_image_reference = { + publisher = "MicrosoftWindowsServer" + offer = "WindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + } + } + } +} + +maintenance_configuration = { + mc_re1 = { + name = "example-mc" + region = "region1" + resource_group_key = "rg1" + scope = "InGuestPatch" + in_guest_user_patch_mode = "User" + window = { + start_date_time = "2023-06-08 15:04" + duration = "03:55" + time_zone = "Romance Standard Time" + recur_every = "2Day" + } + + install_patches = { + windows = { + classifications_to_include = ["Critical", "Security"] + # kb_numbers_to_exclude = ["KB123456", "KB789012"] + # kb_numbers_to_include = ["KB345678", "KB901234"] + } + reboot = "IfRequired" + } + # tags = {} # optional + } +} + +maintenance_assignment_virtual_machine = { + example = { + region = "region1" + maintenance_configuration_key = "mc_re1" + virtual_machine_key = "example_vm1" + } +} + + diff --git a/examples/module.tf b/examples/module.tf index b7d44ef80a..4defc90776 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -418,4 +418,9 @@ module "example" { powerbi_embedded = var.powerbi_embedded preview_features = var.preview_features + + maintenance = { + maintenance_configuration = var.maintenance_configuration + maintenance_assignment_virtual_machine = var.maintenance_assignment_virtual_machine + } } diff --git a/examples/variables.tf b/examples/variables.tf index 533fe452a4..dccceab7e7 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -1101,4 +1101,10 @@ variable "cosmosdb_role_definitions" { } variable "data_sources" { default = {} +} +variable "maintenance_configuration" { + default = {} +} +variable "maintenance_assignment_virtual_machine" { + default = {} } \ No newline at end of file 
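Review bot: `bypassPlatformChecksOnUserSchedule = true` under `virtual_machine_settings.windows` is not the key the VM module reads; vm_windows.tf in this same commit looks up `each.value.bypass_platform_safety_checks_on_user_schedule_enabled`, so the example silently leaves the flag at its default `false` and presumably never exercises the customer-managed schedule it is meant to demonstrate. Rename the key to `bypass_platform_safety_checks_on_user_schedule_enabled = true`. The comment `# the auto-generated ssh key in keyvault secret ...` reads as copied from a Linux example; for this Windows VM the keyvault receives the generated admin password, so the comment should say so. The keyvault creation policy also grants the logged-in user `Delete` and `Purge`, which is more than this example needs and is easy to copy into real deployments.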
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 54a173be6e..6b801b034f 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -107,6 +107,8 @@ locals { combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), try(var.remote_objects.logic_app_workflow, {}), try(var.data_sources.logic_app_workflow, {})) combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {}), try(var.data_sources.machine_learning_workspaces, {})) + combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), try(var.remote_objects.maintenance_configuration, {})) + combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), try(var.remote_objects.maintenance_assignment_virtual_machine, {})) combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {}), try(var.data_sources.managed_identities, {})) combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), try(var.remote_objects.maps_accounts, {})) combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {}), try(var.data_sources.monitor_action_groups, {})) diff --git a/locals.tf b/locals.tf index abb558dbc0..1d5624ea74 100644 --- a/locals.tf +++ b/locals.tf 
@@ -196,6 +196,7 @@ locals { managed_identities = local.combined_objects_managed_identities mssql_databases = local.combined_objects_mssql_databases mssql_servers = local.combined_objects_mssql_servers + maintenance_configuration = local.combined_objects_maintenance_configuration storage_accounts = local.combined_objects_storage_accounts networking = local.combined_objects_networking } @@ -452,4 +453,10 @@ locals { } powerbi_embedded = try(var.powerbi_embedded, {}) + + maintenance = { + maintenance_configuration = try(var.maintenance.maintenance_configuration, {}) + maintenance_assignment_virtual_machine = try(var.maintenance.maintenance_assignment_virtual_machine, {}) + } + } diff --git a/maintenance.tf b/maintenance.tf new file mode 100644 index 0000000000..896772c45e --- /dev/null +++ b/maintenance.tf 
@@ -0,0 +1,44 @@ +module "maintenance_configuration" { + source = "./modules/maintenance/configuration" + for_each = local.maintenance.maintenance_configuration + + client_config = local.client_config + global_settings = local.global_settings + settings = each.value + name = each.value.name + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + scope = each.value.scope + in_guest_user_patch_mode = each.value.scope == "InGuestPatch" ? each.value.in_guest_user_patch_mode : null + window = try(each.value.window, null) + install_patches = each.value.scope == "InGuestPatch" ? try(each.value.install_patches, null) : null + visibility = try(each.value.visibility, null) + properties = try(each.value.properties, {}) + base_tags = try(local.global_settings.inherit_tags, false) ? 
try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + tags = try(each.value.tags, {}) +} + +output "maintenance_configuration" { + value = module.maintenance_configuration +} + +module "maintenance_assignment_virtual_machine" { + source = "./modules/maintenance/assignment_virtual_machine" + for_each = local.maintenance.maintenance_assignment_virtual_machine + + client_config = local.client_config + global_settings = local.global_settings + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + maintenance_configuration_id = can(each.value.maintenance_configuration_id) ? each.value.maintenance_configuration_id : local.combined_objects_maintenance_configuration[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.maintenance_configuration_key].id + virtual_machine_id = local.combined_objects_virtual_machines[try(each.value.virtual_machine.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_machine.key, each.value.virtual_machine_key)].id +} + +output "maintenance_assignment_virtual_machine" { + value = module.maintenance_assignment_virtual_machine +} + + + + + + diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 6d1d37ee14..33367e91e0 100644 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf 
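Review bot: `virtual_machine_id` in the `maintenance_assignment_virtual_machine` call can only be resolved through `combined_objects_virtual_machines`, whereas `maintenance_configuration_id` on the line above also accepts a literal id via `can(each.value.maintenance_configuration_id)`; a VM that exists outside this landing zone cannot be assigned. For consistency: `virtual_machine_id = can(each.value.virtual_machine_id) ? each.value.virtual_machine_id : local.combined_objects_virtual_machines[try(each.value.virtual_machine.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_machine.key, each.value.virtual_machine_key)].id`. The `base_tags`/`tags` computed for the configuration module are not passed to the assignment module even though its variables.tf declares both; if the assignment resource carries no tags, those variables are dead and should be removed rather than left as a misleading interface.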
@@ -41,31 +41,31 @@ resource "azurerm_windows_virtual_machine" "vm" { depends_on = [azurerm_network_interface.nic, azurerm_network_interface_security_group_association.nic_nsg] for_each = local.os_type == "windows" ? var.settings.virtual_machine_settings : {} - admin_password = try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password - admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username - allow_extension_operations = try(each.value.allow_extension_operations, null) - availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ? var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null) - computer_name = data.azurecaf_name.windows_computer_name[each.key].result - enable_automatic_updates = try(each.value.enable_automatic_updates, null) - encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null) - eviction_policy = try(each.value.eviction_policy, null) - license_type = try(each.value.license_type, null) - location = local.location - max_bid_price = try(each.value.max_bid_price, null) - name = data.azurecaf_name.windows[each.key].result - network_interface_ids = local.nic_ids - priority = try(each.value.priority, null) - patch_mode = try(each.value.patch_mode, "AutomaticByOS") - provision_vm_agent = try(each.value.provision_vm_agent, true) - proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? 
var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null) - resource_group_name = local.resource_group_name - size = each.value.size - tags = merge(local.tags, try(each.value.tags, null)) - timezone = try(each.value.timezone, null) - zone = try(each.value.zone, null) - secure_boot_enabled = try(each.value.secure_boot_enabled, null) - vtpm_enabled = try(each.value.vtpm_enabled, null) - + admin_password = try(each.value.admin_password_key, null) == null ? random_password.admin[local.os_type].result : local.admin_password + admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username + allow_extension_operations = try(each.value.allow_extension_operations, null) + availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ? 
var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null) + bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, false) + computer_name = data.azurecaf_name.windows_computer_name[each.key].result + enable_automatic_updates = try(each.value.enable_automatic_updates, null) + encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null) + eviction_policy = try(each.value.eviction_policy, null) + license_type = try(each.value.license_type, null) + location = local.location + max_bid_price = try(each.value.max_bid_price, null) + name = data.azurecaf_name.windows[each.key].result + network_interface_ids = local.nic_ids + priority = try(each.value.priority, null) + patch_mode = try(each.value.patch_mode, "AutomaticByOS") + provision_vm_agent = try(each.value.provision_vm_agent, true) + proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null) + resource_group_name = local.resource_group_name + size = each.value.size + tags = merge(local.tags, try(each.value.tags, null)) + timezone = try(each.value.timezone, null) + zone = try(each.value.zone, null) + secure_boot_enabled = try(each.value.secure_boot_enabled, null) + vtpm_enabled = try(each.value.vtpm_enabled, null) custom_data = try( try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)), 
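Review bot: The new `bypass_platform_safety_checks_on_user_schedule_enabled = try(..., false)` line is set independently of `patch_mode`, but the provider only accepts this flag as `true` when `patch_mode` is `AutomaticByPlatform` (the default on the next lines is `AutomaticByOS`), so a caller who sets only the bypass flag gets an apply-time rejection instead of a plan-time one. Consider gating it: `bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.patch_mode, "AutomaticByOS") == "AutomaticByPlatform" ? try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, false) : null`, with a comment that enabling it skips the platform's own patch-safety gate and hands patch timing entirely to the attached maintenance window. The hunk re-aligns every attribute, so the single functional change is buried in whitespace churn; judging from the diffstat only vm_windows.tf is touched, so the Linux VM resource presumably does not get the equivalent attribute. The resource block continues past the hunk.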
diff --git a/modules/maintenance/assignment_virtual_machine/main.tf b/modules/maintenance/assignment_virtual_machine/main.tf new file mode 100644 index 0000000000..02833ea709 --- /dev/null +++ b/modules/maintenance/assignment_virtual_machine/main.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } + +} +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = merge(var.base_tags, local.module_tag, try(var.tags, null)) + location = var.location +} \ No newline at end of file diff --git a/modules/maintenance/assignment_virtual_machine/module.tf b/modules/maintenance/assignment_virtual_machine/module.tf new file mode 100644 index 0000000000..2ea9ff6338 --- /dev/null +++ b/modules/maintenance/assignment_virtual_machine/module.tf @@ -0,0 +1,7 @@ +resource "azurerm_maintenance_assignment_virtual_machine" "maintenance_assignment_virtual_machine" { + location = var.location + maintenance_configuration_id = var.maintenance_configuration_id + virtual_machine_id = var.virtual_machine_id +} + + diff --git a/modules/maintenance/assignment_virtual_machine/outputs.tf b/modules/maintenance/assignment_virtual_machine/outputs.tf new file mode 100644 index 0000000000..4e69bbf8ea --- /dev/null +++ b/modules/maintenance/assignment_virtual_machine/outputs.tf @@ -0,0 +1,4 @@ +output "id" { + description = "The ID of the Maintenance Assignment." + value = azurerm_maintenance_assignment_virtual_machine.maintenance_assignment_virtual_machine.id +} diff --git a/modules/maintenance/assignment_virtual_machine/variables.tf b/modules/maintenance/assignment_virtual_machine/variables.tf new file mode 100644 index 0000000000..cc4cc84f9a --- /dev/null +++ b/modules/maintenance/assignment_virtual_machine/variables.tf 
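Review bot: `modules/maintenance/assignment_virtual_machine/main.tf` declares the `azurecaf` provider and computes `local.tags` and `local.location`, but module.tf uses none of them — the assignment resource takes no name and no tags and reads `var.location` directly. Dropping the unused `required_providers` entry and the `module_tag`/`tags` locals keeps the module from requiring a provider it never calls; the `tags` and `base_tags` variables in variables.tf are then dead as well.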
@@ -0,0 +1,34 @@ +variable "global_settings" { + description = "Global settings object (see module README.md)" +} + +variable "client_config" { + description = "Client configuration object (see module README.md)." +} + +variable "tags" { + description = "Tags to be used for this resource deployment." + type = map(any) + default = {} +} + +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = map(any) + default = {} +} + +variable "location" { + description = "(Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "maintenance_configuration_id" { + description = "(Required) Specifies the ID of the Maintenance Configuration Resource. Changing this forces a new resource to be created." + type = string +} + +variable "virtual_machine_id" { + description = "(Required) Specifies the Virtual Machine ID to which the Maintenance Configuration will be assigned. Changing this forces a new resource to be created." + type = string +} \ No newline at end of file diff --git a/modules/maintenance/configuration/main.tf b/modules/maintenance/configuration/main.tf new file mode 100644 index 0000000000..d720f3c838 --- /dev/null +++ b/modules/maintenance/configuration/main.tf @@ -0,0 +1,16 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } + +} +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = merge(var.base_tags, local.module_tag, try(var.tags, null)) + location = var.location + resource_group_name = var.resource_group_name +} \ No newline at end of file diff --git a/modules/maintenance/configuration/module.tf b/modules/maintenance/configuration/module.tf new file mode 100644 index 0000000000..52e304cc72 --- /dev/null +++ b/modules/maintenance/configuration/module.tf 
@@ -0,0 +1,60 @@ +resource "azurecaf_name" "maintenance_configuration" { + name = var.name + resource_type = "azurerm_maintenance_configuration" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} + +resource "azurerm_maintenance_configuration" "maintenance_configuration" { + name = azurecaf_name.maintenance_configuration.result + resource_group_name = var.resource_group_name + location = var.location + scope = var.scope + visibility = try(var.visibility, null) + properties = try(var.properties, {}) + in_guest_user_patch_mode = var.settings.scope == "InGuestPatch" ? var.in_guest_user_patch_mode : try(var.in_guest_user_patch_mode, null) + + + dynamic "window" { + for_each = var.settings.window != null ? [var.settings.window] : [] + content { + start_date_time = window.value.start_date_time + expiration_date_time = try(window.value.expiration_date_time, null) + duration = window.value.duration + time_zone = window.value.time_zone + recur_every = window.value.recur_every + } + } + + dynamic "install_patches" { + # install_patches is required if scope = "InGuestPatch" + for_each = var.settings.scope == "InGuestPatch" ? [1] : [] + content { + dynamic "linux" { + for_each = try(var.install_patches.linux, null) != null ? [1] : [] + content { + classifications_to_include = try(var.install_patches.linux.classifications_to_include, ["Critical", "Security"]) + package_names_mask_to_exclude = try(var.install_patches.linux.package_names_mask_to_exclude, []) + package_names_mask_to_include = try(var.install_patches.linux.package_names_mask_to_include, []) + } + } + + dynamic "windows" { + for_each = try(var.settings.install_patches.windows, null) != null ? 
[1] : [] + content { + classifications_to_include = try(var.settings.install_patches.windows.classifications_to_include, ["Critical", "Security"]) + kb_numbers_to_exclude = try(var.settings.install_patches.windows.kb_numbers_to_exclude, []) + kb_numbers_to_include = try(var.settings.install_patches.windows.kb_numbers_to_include, []) + + } + } + + reboot = try(var.settings.install_patches.reboot, "IfRequired" ) + } + } + + tags = var.tags +} \ No newline at end of file diff --git a/modules/maintenance/configuration/outputs.tf b/modules/maintenance/configuration/outputs.tf new file mode 100644 index 0000000000..701dd0eb94 --- /dev/null +++ b/modules/maintenance/configuration/outputs.tf @@ -0,0 +1,14 @@ +output "id" { + description = "The ID of the Maintenance Configuration." + value = azurerm_maintenance_configuration.maintenance_configuration.id +} + +output "maintenance_configuration_name" { + description = "The name of the maintenance configuration." + value = azurerm_maintenance_configuration.maintenance_configuration.name +} + +output "maintenance_configuration_location" { + description = "The location where the resource exists" + value = azurerm_maintenance_configuration.maintenance_configuration.location +} \ No newline at end of file diff --git a/modules/maintenance/configuration/variables.tf b/modules/maintenance/configuration/variables.tf new file mode 100644 index 0000000000..15a1888329 --- /dev/null +++ b/modules/maintenance/configuration/variables.tf 
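Review bot: `for_each = var.settings.window != null ? [var.settings.window] : []` dereferences `window` directly on the untyped `settings` object, which is an unsupported-attribute error when the caller omits it — the `100-maintenance-configuration` example in this commit (scope `Host`, no window) does exactly that, unless settings always carries the attribute. Use the `window` variable the root module already passes as `try(each.value.window, null)`: `for_each = var.window != null ? [var.window] : []`. The `linux` block reads `var.install_patches.linux` while the sibling `windows` block and `reboot` read `var.settings.install_patches...`; pick one source, preferably `var.install_patches`, since the root already nulls it when scope is not `InGuestPatch`. `in_guest_user_patch_mode = var.settings.scope == "InGuestPatch" ? var.in_guest_user_patch_mode : try(var.in_guest_user_patch_mode, null)` yields the same value on both branches and can be `in_guest_user_patch_mode = var.in_guest_user_patch_mode`.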
@@ -0,0 +1,67 @@ +variable "global_settings" { + description = "Global settings object (see module README.md)" +} + +variable "client_config" { + description = "Client configuration object (see module README.md)." +} + +variable "tags" { + description = "Tags to be used for this resource deployment." + type = map(any) + default = {} +} + +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = map(any) + default = {} +} + +variable "name" { + description = "(Required) The name of the PowerBI Embedded. Changing this forces a new resource to be created." + type = string +} + +variable "location" { + description = "(Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "scope" { + description = "(Required) The scope of the Maintenance Configuration. Possible values are Extension, Host, InGuestPatch, OSImage, SQLDB or SQLManagedInstance." + type = string + validation { + condition = contains(["Extension", "Host", "InGuestPatch", "OSImage", "SQLDB", "SQLManagedInstance"], var.scope) + error_message = "Invalid value for scope. Possible values are Extension, Host, InGuestPatch, OSImage, SQLDB or SQLManagedInstance." + } +} + +variable "visibility" { + description = "The visibility of the Maintenance Configuration." + type = string + default = null +} + +variable "properties" { + description = "A mapping of properties to assign to the resource." + type = map(string) + default = {} +} + +variable "resource_group_name" { + description = "Resource group object" +} + +variable "window" {} + +variable "install_patches" {} + +variable "settings" {} + +variable "in_guest_user_patch_mode" { + description = "The in guest user patch mode." + type = string + default = null +} + diff --git a/roles.tf b/roles.tf index 168c351c07..1d0790acc7 100644 --- a/roles.tf +++ b/roles.tf 
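Review bot: The `name` variable's description reads "The name of the PowerBI Embedded" — copied from another module; it should be `(Required) The name of the Maintenance Configuration. Changing this forces a new resource to be created.` Likewise `resource_group_name` is described as "Resource group object" but receives a string from the root module, and `window`, `install_patches` and `settings` have neither a description nor a type. `visibility` is forwarded to the API unchecked; the same `validation` pattern used for `scope` applies, e.g. `condition = var.visibility == null || contains(["Custom", "Public"], var.visibility)` with a matching `error_message`.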
@@ -144,6 +144,7 @@ locals { mssql_managed_databases = local.combined_objects_mssql_managed_databases mssql_managed_instances = local.combined_objects_mssql_managed_instances mssql_servers = local.combined_objects_mssql_servers + maintenance_configuration = local.combined_objects_maintenance_configuration mysql_servers = local.combined_objects_mysql_servers network_watchers = local.combined_objects_network_watchers networking = local.combined_objects_networking diff --git a/variables.tf b/variables.tf index 5cf61ab5a4..f3e1bf1959 100644 --- a/variables.tf +++ b/variables.tf @@ -438,3 +438,6 @@ variable "preview_features" { variable "powerbi_embedded" { default = {} } +variable "maintenance" { + default = {} +} \ No newline at end of file From 5c8ef25195222119fd64f51d2118ea408014e137 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20DELMONT?= Date: Thu, 23 Nov 2023 15:11:36 +0100 Subject: [PATCH 015/244] Fix example --- .../configuration.tfvars | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars index db3bea1974..7f10a5f674 100644 --- a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars +++ b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars @@ -150,8 +150,8 @@ maintenance_assignment_virtual_machine = { example = { region = "region1" maintenance_configuration_key = "mc_re1" - virtual_machine_key = "example_vm1" + virtual_machine = { + key = "example_vm1" + } } } - - From ea8a5dd92780897b4fc88693420efdb20460a93f Mon Sep 17 00:00:00 2001 
From: Oleksandr Trapeznikov Date: Thu, 23 Nov 2023 20:32:07 -0500 Subject: [PATCH 016/244] Add container app module (#1792) * add container app module * fix local variables names and format * add container_app variables in example module * name container_app resources in a plural form * add scale_rule support to container_app * add attributes to cae module --- .github/workflows/standalone-compute.json | 3 + container_app_dapr_components.tf | 15 + container_app_environment_certificates.tf | 15 + container_app_environment_storages.tf | 18 ++ container_app_environments.tf | 21 ++ container_apps.tf | 27 ++ .../configuration.tfvars | 52 ++++ .../configuration.tfvars | 86 ++++++ .../configuration.tfvars | 280 ++++++++++++++++++ examples/module.tf | 55 ++-- examples/variables.tf | 17 +- locals.combined_objects.tf | 3 + locals.tf | 55 ++-- .../compute/container_app/container_app.tf | 280 ++++++++++++++++++ modules/compute/container_app/locals.tf | 17 ++ modules/compute/container_app/main.tf | 26 ++ modules/compute/container_app/output.tf | 15 + modules/compute/container_app/variables.tf | 20 ++ .../container_app_dapr_component.tf | 28 ++ .../container_app_dapr_component/main.tf | 7 + .../container_app_dapr_component/output.tf | 3 + .../container_app_dapr_component/variables.tf | 8 + .../container_app_environment.tf | 21 ++ .../compute/container_app_environment/main.tf | 26 ++ .../container_app_environment/output.tf | 23 ++ .../container_app_environment/variables.tf | 20 ++ .../container_app_environment_certificate.tf | 7 + .../main.tf | 22 ++ .../output.tf | 15 + .../variables.tf | 8 + .../container_app_environment_storage.tf | 8 + .../container_app_environment_storage/main.tf | 7 + .../output.tf | 3 + .../variables.tf | 16 + 34 files changed, 1176 insertions(+), 51 deletions(-) create mode 100644 container_app_dapr_components.tf create mode 100644 container_app_environment_certificates.tf create mode 100644 container_app_environment_storages.tf create mode 100644 
container_app_environments.tf create mode 100644 container_apps.tf create mode 100644 examples/compute/container_app/101-simple-container-app-env/configuration.tfvars create mode 100644 examples/compute/container_app/102-simple-private-container-app-env/configuration.tfvars create mode 100644 examples/compute/container_app/103-private-container-app-env/configuration.tfvars create mode 100644 modules/compute/container_app/container_app.tf create mode 100644 modules/compute/container_app/locals.tf create mode 100644 modules/compute/container_app/main.tf create mode 100644 modules/compute/container_app/output.tf create mode 100644 modules/compute/container_app/variables.tf create mode 100644 modules/compute/container_app_dapr_component/container_app_dapr_component.tf create mode 100644 modules/compute/container_app_dapr_component/main.tf create mode 100644 modules/compute/container_app_dapr_component/output.tf create mode 100644 modules/compute/container_app_dapr_component/variables.tf create mode 100644 modules/compute/container_app_environment/container_app_environment.tf create mode 100644 modules/compute/container_app_environment/main.tf create mode 100644 modules/compute/container_app_environment/output.tf create mode 100644 modules/compute/container_app_environment/variables.tf create mode 100644 modules/compute/container_app_environment_certificate/container_app_environment_certificate.tf create mode 100644 modules/compute/container_app_environment_certificate/main.tf create mode 100644 modules/compute/container_app_environment_certificate/output.tf create mode 100644 modules/compute/container_app_environment_certificate/variables.tf create mode 100644 modules/compute/container_app_environment_storage/container_app_environment_storage.tf create mode 100644 modules/compute/container_app_environment_storage/main.tf create mode 100644 modules/compute/container_app_environment_storage/output.tf create mode 100644 
modules/compute/container_app_environment_storage/variables.tf diff --git a/.github/workflows/standalone-compute.json b/.github/workflows/standalone-compute.json index 8a3692d4da..2a777d8291 100644 --- a/.github/workflows/standalone-compute.json +++ b/.github/workflows/standalone-compute.json @@ -9,6 +9,9 @@ "compute/batch/batch_account/100-batch-account", "compute/batch/batch_account/200-batch-account-private-endpoint", "compute/batch/batch_application/100-batch-application", + "compute/container_app/101-simple-container-app-env", + "compute/container_app/102-simple-private-container-app-env", + "compute/container_app/103-private-container-app-env", "compute/container_groups/100-aci-rover-github-runner", "compute/container_groups/101-aci-nginx", "compute/container_registry/100-simple-acr", diff --git a/container_app_dapr_components.tf b/container_app_dapr_components.tf new file mode 100644 index 0000000000..0cf0342b17 --- /dev/null +++ b/container_app_dapr_components.tf @@ -0,0 +1,15 @@ +module "container_app_dapr_components" { + source = "./modules/compute/container_app_dapr_component" + for_each = local.compute.container_app_dapr_components + + base_tags = local.global_settings.inherit_tags + container_app_environment_id = can(each.value.container_app_environment_id) ? each.value.container_app_environment_id : local.combined_objects_container_app_environments[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.container_app_environment_key].id + client_config = local.client_config + global_settings = local.global_settings + settings = each.value +} + +output "container_app_dapr_components" { + value = module.container_app_dapr_components +} + diff --git a/container_app_environment_certificates.tf b/container_app_environment_certificates.tf new file mode 100644 index 0000000000..65dc7832a2 --- /dev/null +++ b/container_app_environment_certificates.tf 
@@ -0,0 +1,15 @@ +module "container_app_environment_certificates" { + source = "./modules/compute/container_app_environment_certificate" + for_each = local.compute.container_app_environment_certificates + + base_tags = local.global_settings.inherit_tags + container_app_environment_id = can(each.value.container_app_environment_id) ? each.value.container_app_environment_id : local.combined_objects_container_app_environments[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.container_app_environment_key].id + client_config = local.client_config + global_settings = local.global_settings + settings = each.value +} + +output "container_app_environment_certificates" { + value = module.container_app_environment_certificates +} + diff --git a/container_app_environment_storages.tf b/container_app_environment_storages.tf new file mode 100644 index 0000000000..6bc36024c3 --- /dev/null +++ b/container_app_environment_storages.tf @@ -0,0 +1,18 @@ +module "container_app_environment_storages" { + source = "./modules/compute/container_app_environment_storage" + for_each = local.compute.container_app_environment_storages + + base_tags = local.global_settings.inherit_tags + container_app_environment_id = can(each.value.container_app_environment_id) ? each.value.container_app_environment_id : local.combined_objects_container_app_environments[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.container_app_environment_key].id + client_config = local.client_config + global_settings = local.global_settings + combined_resources = { + storage_accounts = local.combined_objects_storage_accounts + } + settings = each.value +} + +output "container_app_environment_storages" { + value = module.container_app_environment_storages +} + diff --git a/container_app_environments.tf b/container_app_environments.tf new file mode 100644 index 0000000000..15a7066b6a --- /dev/null +++ b/container_app_environments.tf 
@@ -0,0 +1,21 @@ +module "container_app_environments" { + source = "./modules/compute/container_app_environment" + for_each = local.compute.container_app_environments + + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + base_tags = local.global_settings.inherit_tags + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : try(local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.vnet_key].subnets[each.value.vnet.subnet_key].id, null) + client_config = local.client_config + combined_diagnostics = local.combined_diagnostics + diagnostic_profiles = try(each.value.diagnostic_profiles, {}) + diagnostics = local.combined_diagnostics + global_settings = local.global_settings + settings = each.value +} + +output "container_app_environments" { + value = module.container_app_environments +} + diff --git a/container_apps.tf b/container_apps.tf new file mode 100644 index 0000000000..45164e9463 --- /dev/null +++ b/container_apps.tf 
@@ -0,0 +1,27 @@ +module "container_apps" { + source = "./modules/compute/container_app" + for_each = local.compute.container_apps + + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + base_tags = local.global_settings.inherit_tags + container_app_environment_id = can(each.value.container_app_environment_id) ? 
each.value.container_app_environment_id : local.combined_objects_container_app_environments[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.container_app_environment_key].id + client_config = local.client_config + combined_diagnostics = local.combined_diagnostics + diagnostic_profiles = try(each.value.diagnostic_profiles, {}) + diagnostics = local.combined_diagnostics + combined_resources = { + keyvaults = local.combined_objects_keyvaults + managed_identities = local.combined_objects_managed_identities + container_app_environment_certificates = local.combined_objects_container_app_environment_certificates + container_app_environment_storages = local.combined_objects_container_app_environment_storages + } + global_settings = local.global_settings + settings = each.value +} + +output "container_apps" { + value = module.container_apps +} + diff --git a/examples/compute/container_app/101-simple-container-app-env/configuration.tfvars b/examples/compute/container_app/101-simple-container-app-env/configuration.tfvars new file mode 100644 index 0000000000..9cb5029007 --- /dev/null +++ b/examples/compute/container_app/101-simple-container-app-env/configuration.tfvars 
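Review bot: `combined_resources.keyvaults` is wired into the container app module here, but nothing in the new `modules/compute/container_app/container_app.tf` in this patch reads `var.combined_resources.keyvaults`, so it is dead input as far as I can see. Either drop the line or use it for what a reader will assume it is for — resolving container secrets from Key Vault instead of plaintext `secret.value` entries — so the intent is clear. If it is kept for a follow-up, a one-line comment such as `# reserved: keyvault references for secret blocks (not yet consumed by the module)` would stop the next reader from hunting for a consumer.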
@@ -0,0 +1,52 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "canadacentral" + } +} + +resource_groups = { + rg1 = { + name = "container-app-001" + region = "region1" + } +} + +diagnostic_log_analytics = { + central_logs_region1 = { + region = "region1" + name = "logs" + resource_group_key = "rg1" + } +} + +container_app_environments = { + cae1 = { + name = "cont-app-env-001" + region = "region1" + resource_group_key = "rg1" + log_analytics_key = "central_logs_region1" + } +} + +container_apps = { + ca1 = { + name = "nginx-app" + container_app_environment_key = "cae1" + resource_group_key = "rg1" + + revision_mode = "Single" + template = { + container = { + cont1 = { + name = "nginx" + image = "nginx:latest" + cpu = 0.5 + memory = "1Gi" + } + } + min_replicas = 1 + max_replicas = 1 + } + } +} diff --git a/examples/compute/container_app/102-simple-private-container-app-env/configuration.tfvars b/examples/compute/container_app/102-simple-private-container-app-env/configuration.tfvars new file mode 100644 index 0000000000..cbe2d15b8e --- /dev/null +++ b/examples/compute/container_app/102-simple-private-container-app-env/configuration.tfvars 
@@ -0,0 +1,86 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "canadacentral" + } +} + +resource_groups = { + rg1 = { + name = "container-app-001" + region = "region1" + } +} + +diagnostic_log_analytics = { + central_logs_region1 = { + region = "region1" + name = "logs" + resource_group_key = "rg1" + } +} + +vnets = { + cae_re1 = { + resource_group_key = "rg1" + region = "region1" + vnet = { + name = "container-app-network" + address_space = ["100.64.0.0/20"] + } + specialsubnets = {} + subnets = { + cae1 = { + name = "container-app-snet" + cidr = ["100.64.0.0/21"] + nsg_key = "empty_nsg" + } + } + + } +} + +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = {} +} + +container_app_environments = { + cae1 = { + name = "cont-app-env-001" + region = "region1" + resource_group_key = "rg1" + log_analytics_key = "central_logs_region1" + vnet = { + vnet_key = "cae_re1" + subnet_key = "cae1" + } + internal_load_balancer_enabled = true + + tags = { + environment = "testing" + } + } +} + +container_apps = { + ca1 = { + name = "nginx-app" + container_app_environment_key = "cae1" + resource_group_key = "rg1" + + revision_mode = "Single" + template = { + container = { + cont1 = { + name = "nginx" + image = "nginx:latest" + cpu = 0.5 + memory = "1Gi" + } + } + min_replicas = 1 + max_replicas = 1 + } + } +} diff --git a/examples/compute/container_app/103-private-container-app-env/configuration.tfvars b/examples/compute/container_app/103-private-container-app-env/configuration.tfvars new file mode 100644 index 0000000000..8a0f24fc42 --- /dev/null +++ b/examples/compute/container_app/103-private-container-app-env/configuration.tfvars 
@@ -0,0 +1,280 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "canadacentral" + } +} + +resource_groups = { + rg1 = { + name = "container-app-001" + region = "region1" + } +} + +diagnostic_log_analytics = { + central_logs_region1 = { + region = "region1" + name = "logs" + resource_group_key = "rg1" + } +} + +vnets = { + cae_re1 = { + resource_group_key = "rg1" + region = "region1" + vnet = { + name = "container-app-network" + address_space = ["100.64.0.0/20"] + } + specialsubnets = {} + subnets = { + cae1 = { + name = "container-app-snet" + cidr = ["100.64.0.0/21"] + nsg_key = "empty_nsg" + } + } + + } +} + +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = {} +} + +managed_identities = { + msi1 = { + name = "ca-identity-001" + resource_group_key = "rg1" + } +} + +storage_accounts = { + sa1 = { + name = "sa1caes001" + resource_group_key = "rg1" + account_kind = "FileStorage" + account_tier = "Premium" + account_replication_type = "LRS" + min_tls_version = "TLS1_2" + large_file_share_enabled = true + + file_shares = { + fs1 = { + name = "fs1" + quota = "100" + } + } + } +} + +container_app_environments = { + cae1 = { + name = "cont-app-env-001" + region = "region1" + resource_group_key = "rg1" + log_analytics_key = "central_logs_region1" + vnet = { + vnet_key = "cae_re1" + subnet_key = "cae1" + } + internal_load_balancer_enabled = true + zone_redundancy_enabled = true + + tags = { + environment = "testing" + } + } +} + +container_app_dapr_components = { + dapr1 = { + name = "dapr-component-001" + container_app_environment_key = "cae1" + component_type = "state.azure.blobstorage" + version = "v1" + ignore_errors = false + init_timeout = "1m" + secret = [ + { + name = "dapr-secret1" + value = "ccecewEWewce" + } + ] + metadata = [ + { + name = "dapr-meta1" + value = "ccweceww" + }, + { + name = "dapr-meta2" + secret_name = "dapr-secret1" + } + ] + } +} + 
+container_app_environment_certificates = { + caec1 = { + name = "caec-cert-001" + container_app_environment_key = "cae1" + certificate_blob_base64 = "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" + certificate_password = "" + } +} + +container_app_environment_storages = { + caes1 = { + name = "caes-storage-001" + container_app_environment_key = "cae1" + storage_account = { + account_key = "sa1" + } + share_name = "fs1" + access_mode = "ReadWrite" + } +} + +container_apps = { + ca1 = { + name = "nginx-app" + container_app_environment_key = "cae1" + resource_group_key = "rg1" + + revision_mode = "Single" + template = { + container = { + cont1 = { + name = "nginx" + image = "nginx:latest" + cpu = 0.5 + memory = "1Gi" + liveness_probe = { + port = 80 + transport = "HTTP" + } + readiness_probe = { + port = 80 + transport = "HTTP" + } + startup_probe = { + port = 80 + transport = "HTTP" + } + env = [ + { + name = "VAR1" + value = "value1" + }, + { + name = "VAR2" + value = 2 + }, + { + name = "SECRET_VAR" + secret_name = "secret1" + } + ] + volume_mounts = { + vol1 = { + name = "vol1" + path = "/mnt/vol1" + } + } + } + } + + min_replicas = 1 + max_replicas = 3 + + http_scale_rule = { + rule1 = { + name = "azure-http-rule" + concurrent_requests = 50 + } + } + + volume = { + vol1 = { + name = "vol1" + storage_name = "caes-storage-001" + storage_type = "AzureFile" + } + } + } + ingress = { + external_enabled = false + target_port = 80 + transport = "http" + allow_insecure_connections = true + traffic_weight = { + blue = { + label = "blue" + latest_revision = false + revision_suffix = "blue" + percentage = 70 + } + green = { + label = "green" + latest_revision = true + revision_suffix = "green" + percentage = 30 + } + } + custom_domain = { + example = { + certificate_key = "caec1" + name = "example.com" + } + } + } + secret = [ + { + name = "secret1" + value = "djwHJcwjh" + }, + { + name = "secret2" + value = "cdjGHjew" + } + ] + identity = { + type = 
"UserAssigned" // Possible options are 'SystemAssigned, UserAssigned' 'SystemAssigned' or 'UserAssigned' + managed_identity_keys = [ + "msi1" + ] + } + # registry = { + # server = "testacr.azurecr.io" + # identity = { + # key = "msi1" + # } + # } + }, + ca2 = { + name = "dapr-app" + container_app_environment_key = "cae1" + resource_group_key = "rg1" + + revision_mode = "Single" + dapr = { + app_id = "nodeapp" + app_port = 3000 + } + template = { + container = { + cont1 = { + name = "nodeapp" + image = "daprio/daprd:edge" + cpu = 0.5 + memory = "1Gi" + } + } + min_replicas = 1 + max_replicas = 1 + } + } +} diff --git a/examples/module.tf b/examples/module.tf index b7d44ef80a..77405a4e19 100644 --- a/examples/module.tf +++ b/examples/module.tf 
@@ -93,31 +93,36 @@ module "example" { communication_services = var.communication_services } compute = { - aks_clusters = var.aks_clusters - aro_clusters = var.aro_clusters - availability_sets = var.availability_sets - azure_container_registries = var.azure_container_registries - batch_accounts = var.batch_accounts - batch_applications = var.batch_applications - batch_certificates = var.batch_certificates - batch_jobs = var.batch_jobs - batch_pools = var.batch_pools - bastion_hosts = var.bastion_hosts - container_groups = var.container_groups - dedicated_host_groups = var.dedicated_host_groups - dedicated_hosts = var.dedicated_hosts - machine_learning_compute_instance = var.machine_learning_compute_instance - proximity_placement_groups = var.proximity_placement_groups - runbooks = var.runbooks - virtual_machine_scale_sets = var.virtual_machine_scale_sets - virtual_machines = var.virtual_machines - vmware_private_clouds = var.vmware_private_clouds - vmware_clusters = var.vmware_clusters - vmware_express_route_authorizations = var.vmware_express_route_authorizations - wvd_applications = var.wvd_applications - wvd_application_groups = var.wvd_application_groups - wvd_host_pools = var.wvd_host_pools - wvd_workspaces = var.wvd_workspaces + aks_clusters = var.aks_clusters + aro_clusters = var.aro_clusters + availability_sets = var.availability_sets + azure_container_registries = var.azure_container_registries + batch_accounts = var.batch_accounts + batch_applications = var.batch_applications + batch_certificates = var.batch_certificates + batch_jobs = var.batch_jobs + batch_pools = var.batch_pools + bastion_hosts = var.bastion_hosts + container_apps = var.container_apps + container_app_dapr_components = var.container_app_dapr_components + container_app_environments = var.container_app_environments + container_app_environment_certificates = var.container_app_environment_certificates + container_app_environment_storages = var.container_app_environment_storages + 
container_groups = var.container_groups + dedicated_host_groups = var.dedicated_host_groups + dedicated_hosts = var.dedicated_hosts + machine_learning_compute_instance = var.machine_learning_compute_instance + proximity_placement_groups = var.proximity_placement_groups + runbooks = var.runbooks + virtual_machine_scale_sets = var.virtual_machine_scale_sets + virtual_machines = var.virtual_machines + vmware_private_clouds = var.vmware_private_clouds + vmware_clusters = var.vmware_clusters + vmware_express_route_authorizations = var.vmware_express_route_authorizations + wvd_applications = var.wvd_applications + wvd_application_groups = var.wvd_application_groups + wvd_host_pools = var.wvd_host_pools + wvd_workspaces = var.wvd_workspaces } diagnostics = { diagnostic_event_hub_namespaces = var.diagnostic_event_hub_namespaces diff --git a/examples/variables.tf b/examples/variables.tf index 533fe452a4..1e071de10d 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -559,6 +559,21 @@ variable "load_balancers" { variable "ip_groups" { default = {} } +variable "container_app_environments" { + default = {} +} +variable "container_app_environment_certificates" { + default = {} +} +variable "container_app_dapr_components" { + default = {} +} +variable "container_apps" { + default = {} +} +variable "container_app_environment_storages" { + default = {} +} variable "container_groups" { default = {} } @@ -1101,4 +1116,4 @@ variable "cosmosdb_role_definitions" { } variable "data_sources" { default = {} -} \ No newline at end of file +} diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 54a173be6e..984060295f 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -47,6 +47,9 @@ locals {
 combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), try(var.remote_objects.consumption_budgets_resource_groups, {}), try(var.data_sources.consumption_budgets_resource_groups, {}))
 combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), try(var.remote_objects.consumption_budgets_subscriptions, {}), try(var.data_sources.consumption_budgets_subscriptions, {}))
 combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {}), try(var.data_sources.container_registry, {}))
+ combined_objects_container_app_environments = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environments }), try(var.remote_objects.container_app_environments, {}))
+ combined_objects_container_app_environment_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_certificates }), try(var.remote_objects.container_app_environment_certificates, {}))
+ combined_objects_container_app_environment_storages = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_storages }), try(var.remote_objects.container_app_environment_storages, {}))
 combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = module.cosmos_dbs }), try(var.remote_objects.cosmos_dbs, {}), try(var.data_sources.cosmos_dbs, {}))
 combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), try(var.remote_objects.cosmosdb_sql_databases, {}))
 combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = merge(module.data_factory, try(var.data_sources.data_factory, {})) }), try(var.remote_objects.data_factory, {}))
diff --git a/locals.tf b/locals.tf
index abb558dbc0..1346e85242 100644
--- a/locals.tf
+++ b/locals.tf
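Review bot: The three new `combined_objects_container_app_*` entries merge only the local module and `var.remote_objects`, whereas the neighbouring entries (`container_registry`, `cosmos_dbs`, the consumption budgets) also merge `try(var.data_sources.<name>, {})`; if container app objects are meant to be referenceable when declared through `data_sources`, they currently will not be. The consistent form would be, for example, `combined_objects_container_app_environments = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environments }), try(var.remote_objects.container_app_environments, {}), try(var.data_sources.container_app_environments, {}))` and likewise for the certificates and storages entries. If leaving `data_sources` out is deliberate, a short comment saying so would prevent it being "fixed" later.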
@@ -74,31 +74,36 @@ locals { }, var.cloud) compute = { - aks_clusters = try(var.compute.aks_clusters, {}) - aro_clusters = try(var.compute.aro_clusters, {}) - availability_sets = try(var.compute.availability_sets, {}) - azure_container_registries = try(var.compute.azure_container_registries, {}) - bastion_hosts = try(var.compute.bastion_hosts, {}) - batch_accounts = try(var.compute.batch_accounts, {}) - batch_applications = try(var.compute.batch_applications, {}) - batch_certificates = try(var.compute.batch_certificates, {}) - batch_jobs = try(var.compute.batch_jobs, {}) - batch_pools = try(var.compute.batch_pools, {}) - container_groups = try(var.compute.container_groups, {}) - dedicated_hosts = try(var.compute.dedicated_hosts, {}) - dedicated_host_groups = try(var.compute.dedicated_host_groups, {}) - machine_learning_compute_instance = try(var.compute.machine_learning_compute_instance, {}) - proximity_placement_groups = try(var.compute.proximity_placement_groups, {}) - vmware_clusters = try(var.compute.vmware_clusters, {}) - vmware_private_clouds = try(var.compute.vmware_private_clouds, {}) - vmware_express_route_authorizations = try(var.compute.vmware_express_route_authorizations, {}) - wvd_applications = try(var.compute.wvd_applications, {}) - wvd_application_groups = try(var.compute.wvd_application_groups, {}) - wvd_host_pools = try(var.compute.wvd_host_pools, {}) - wvd_workspaces = try(var.compute.wvd_workspaces, {}) - virtual_machines = try(var.compute.virtual_machines, {}) - virtual_machine_scale_sets = try(var.compute.virtual_machine_scale_sets, {}) - runbooks = try(var.compute.runbooks, {}) + aks_clusters = try(var.compute.aks_clusters, {}) + aro_clusters = try(var.compute.aro_clusters, {}) + availability_sets = try(var.compute.availability_sets, {}) + azure_container_registries = try(var.compute.azure_container_registries, {}) + bastion_hosts = try(var.compute.bastion_hosts, {}) + batch_accounts = try(var.compute.batch_accounts, {}) + batch_applications 
= try(var.compute.batch_applications, {}) + batch_certificates = try(var.compute.batch_certificates, {}) + batch_jobs = try(var.compute.batch_jobs, {}) + batch_pools = try(var.compute.batch_pools, {}) + container_apps = try(var.compute.container_apps, {}) + container_app_dapr_components = try(var.compute.container_app_dapr_components, {}) + container_app_environments = try(var.compute.container_app_environments, {}) + container_app_environment_certificates = try(var.compute.container_app_environment_certificates, {}) + container_app_environment_storages = try(var.compute.container_app_environment_storages, {}) + container_groups = try(var.compute.container_groups, {}) + dedicated_hosts = try(var.compute.dedicated_hosts, {}) + dedicated_host_groups = try(var.compute.dedicated_host_groups, {}) + machine_learning_compute_instance = try(var.compute.machine_learning_compute_instance, {}) + proximity_placement_groups = try(var.compute.proximity_placement_groups, {}) + vmware_clusters = try(var.compute.vmware_clusters, {}) + vmware_private_clouds = try(var.compute.vmware_private_clouds, {}) + vmware_express_route_authorizations = try(var.compute.vmware_express_route_authorizations, {}) + wvd_applications = try(var.compute.wvd_applications, {}) + wvd_application_groups = try(var.compute.wvd_application_groups, {}) + wvd_host_pools = try(var.compute.wvd_host_pools, {}) + wvd_workspaces = try(var.compute.wvd_workspaces, {}) + virtual_machines = try(var.compute.virtual_machines, {}) + virtual_machine_scale_sets = try(var.compute.virtual_machine_scale_sets, {}) + runbooks = try(var.compute.runbooks, {}) } communication = { diff --git a/modules/compute/container_app/container_app.tf b/modules/compute/container_app/container_app.tf new file mode 100644 index 0000000000..f94b29fc68 --- /dev/null +++ b/modules/compute/container_app/container_app.tf 
@@ -0,0 +1,280 @@ +resource "azurecaf_name" "ca" { + name = var.settings.name + prefixes = var.global_settings.prefixes + resource_type = "azurerm_container_app" + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} + +resource "azurerm_container_app" "ca" { + name = azurecaf_name.ca.result + resource_group_name = local.resource_group_name + container_app_environment_id = var.container_app_environment_id + revision_mode = var.settings.revision_mode + tags = merge(local.tags, try(var.settings.tags, null)) + + template { + dynamic "container" { + for_each = var.settings.template.container + + content { + name = container.value.name + image = container.value.image + args = try(container.value.args, null) + command = try(container.value.command, null) + cpu = container.value.cpu + memory = container.value.memory + + dynamic "env" { + for_each = try(container.value.env, {}) + + content { + name = env.value.name + secret_name = try(env.value.secret_name, null) + value = try(env.value.value, null) + } + } + + dynamic "liveness_probe" { + for_each = can(container.value.liveness_probe) ? [container.value.liveness_probe] : [] + + content { + failure_count_threshold = try(liveness_probe.value.failure_count_threshold, null) + host = try(liveness_probe.value.host, null) + initial_delay = try(liveness_probe.value.initial_delay, null) + interval_seconds = try(liveness_probe.value.interval_seconds, null) + path = try(liveness_probe.value.path, null) + port = liveness_probe.value.port + termination_grace_period_seconds = try(liveness_probe.value.termination_grace_period_seconds, null) + timeout = try(liveness_probe.value.timeout, null) + transport = liveness_probe.value.transport + + dynamic "header" { + for_each = can(liveness_probe.value.header) ? 
[liveness_probe.value.header] : [] + + content { + name = header.value.name + value = header.value.value + } + } + } + } + + dynamic "readiness_probe" { + for_each = can(container.value.readiness_probe) ? [container.value.readiness_probe] : [] + + content { + failure_count_threshold = try(readiness_probe.value.failure_count_threshold, null) + host = try(readiness_probe.value.host, null) + interval_seconds = try(readiness_probe.value.interval_seconds, null) + path = try(readiness_probe.value.path, null) + port = readiness_probe.value.port + success_count_threshold = try(readiness_probe.value.success_count_threshold, null) + timeout = try(readiness_probe.value.timeout, null) + transport = readiness_probe.value.transport + + dynamic "header" { + for_each = can(readiness_probe.value.header) ? [readiness_probe.value.header] : [] + + content { + name = header.value.name + value = header.value.value + } + } + } + } + + dynamic "startup_probe" { + for_each = can(container.value.startup_probe) ? [container.value.startup_probe] : [] + + content { + failure_count_threshold = try(startup_probe.value.failure_count_threshold, null) + host = try(startup_probe.value.host, null) + interval_seconds = try(startup_probe.value.interval_seconds, null) + path = try(startup_probe.value.path, null) + port = startup_probe.value.port + termination_grace_period_seconds = try(startup_probe.value.termination_grace_period_seconds, null) + timeout = try(startup_probe.value.timeout, null) + transport = startup_probe.value.transport + + dynamic "header" { + for_each = can(startup_probe.value.header) ? 
[startup_probe.value.header] : [] + + content { + name = header.value.name + value = header.value.value + } + } + } + } + + dynamic "volume_mounts" { + for_each = try(container.value.volume_mounts, {}) + + content { + name = volume_mounts.value.name + path = volume_mounts.value.path + } + } + } + } + + dynamic "azure_queue_scale_rule" { + for_each = try(var.settings.template.azure_queue_scale_rule, {}) + content { + name = azure_queue_scale_rule.value.name + queue_name = azure_queue_scale_rule.value.queue_name + queue_length = azure_queue_scale_rule.value.queue_length + + dynamic "authentication" { + for_each = azure_queue_scale_rule.value.authentication + + content { + secret_name = authentication.value.secret_name + trigger_parameter = authentication.value.trigger_parameter + } + } + } + } + + dynamic "custom_scale_rule" { + for_each = try(var.settings.template.custom_scale_rule, {}) + content { + name = custom_scale_rule.value.name + custom_rule_type = custom_scale_rule.value.custom_rule_type + metadata = custom_scale_rule.value.metadata + + dynamic "authentication" { + for_each = try(custom_scale_rule.value.authentication, {}) + + content { + secret_name = authentication.value.secret_name + trigger_parameter = authentication.value.trigger_parameter + } + } + } + } + + dynamic "http_scale_rule" { + for_each = try(var.settings.template.http_scale_rule, {}) + content { + name = http_scale_rule.value.name + concurrent_requests = http_scale_rule.value.concurrent_requests + + dynamic "authentication" { + for_each = try(http_scale_rule.value.authentication, {}) + + content { + secret_name = authentication.value.secret_name + trigger_parameter = authentication.value.trigger_parameter + } + } + } + } + + dynamic "tcp_scale_rule" { + for_each = try(var.settings.template.tcp_scale_rule, {}) + content { + name = tcp_scale_rule.value.name + concurrent_requests = tcp_scale_rule.value.concurrent_requests + + dynamic "authentication" { + for_each = 
try(tcp_scale_rule.value.authentication, {}) + + content { + secret_name = authentication.value.secret_name + trigger_parameter = authentication.value.trigger_parameter + } + } + } + } + + min_replicas = try(var.settings.template.min_replicas, null) + max_replicas = try(var.settings.template.max_replicas, null) + revision_suffix = try(var.settings.template.revision_suffix, null) + + dynamic "volume" { + for_each = try(var.settings.template.volume, {}) + + content { + name = volume.value.name + storage_name = try(volume.value.storage_name, null) + storage_type = try(volume.value.storage_type, null) + } + } + } + + dynamic "ingress" { + for_each = can(var.settings.ingress) ? [var.settings.ingress] : [] + + content { + allow_insecure_connections = try(ingress.value.allow_insecure_connections, null) + external_enabled = try(ingress.value.external_enabled, null) + fqdn = try(ingress.value.fqdn, null) + target_port = ingress.value.target_port + transport = ingress.value.transport + + dynamic "custom_domain" { + for_each = try(ingress.value.custom_domain, {}) + + content { + certificate_binding_type = try(custom_domain.value.certificate_binding_type, null) + certificate_id = can(custom_domain.value.certificate_id) ? custom_domain.value.certificate_id : var.combined_resources.container_app_environment_certificates[try(custom_domain.value.lz_key, var.client_config.landingzone_key)][custom_domain.value.certificate_key].id + name = custom_domain.value.name + } + } + + dynamic "traffic_weight" { + for_each = try(ingress.value.traffic_weight, {}) + + content { + label = traffic_weight.value.label + latest_revision = traffic_weight.value.latest_revision + revision_suffix = traffic_weight.value.revision_suffix + percentage = traffic_weight.value.percentage + } + } + } + } + + dynamic "dapr" { + for_each = can(var.settings.dapr) ? 
[var.settings.dapr] : [] + + content { + app_id = dapr.value.app_id + app_port = try(dapr.value.app_port, null) + app_protocol = try(dapr.value.app_protocol, null) + } + } + + dynamic "secret" { + for_each = try(var.settings.secret, {}) + + content { + name = secret.value.name + value = secret.value.value + } + } + + dynamic "identity" { + for_each = can(var.settings.identity) ? [var.settings.identity] : [] + + content { + type = var.settings.identity.type + identity_ids = local.managed_identities + } + } + + dynamic "registry" { + for_each = can(var.settings.registry) ? [var.settings.registry] : [] + + content { + server = registry.value.server + identity = can(registry.value.identity.key) ? var.combined_resources.managed_identities[try(registry.value.identity.lz_key, var.client_config.landingzone_key)][registry.value.identity.key].id : try(registry.value.identity.id, null) + username = try(registry.value.username, null) + password_secret_name = try(registry.value.password_secret_name, null) + } + } +} diff --git a/modules/compute/container_app/locals.tf b/modules/compute/container_app/locals.tf new file mode 100644 index 0000000000..4daa5a1ebd --- /dev/null +++ b/modules/compute/container_app/locals.tf @@ -0,0 +1,17 @@ +locals { + managed_local_identities = flatten([ + for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ + var.combined_resources.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + ] + ]) + + managed_remote_identities = flatten([ + for lz_key, value in try(var.settings.identity.remote, []) : [ + for managed_identity_key in value.managed_identity_keys : [ + var.combined_resources.managed_identities[lz_key][managed_identity_key].id + ] + ] + ]) + + managed_identities = concat(local.managed_local_identities, local.managed_remote_identities) +} diff --git a/modules/compute/container_app/main.tf b/modules/compute/container_app/main.tf new file mode 100644 index 0000000000..e886ec6c93 
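Review bot: The `secret` dynamic block only accepts inline `value = secret.value.value`, so every container secret must be supplied in clear text in the landing-zone configuration and ends up in plan output and state; there is no way to point at a Key Vault secret even though the root wiring passes `combined_resources.keyvaults` in. If the azurerm version pinned by this repository supports it (I believe the `key_vault_secret_id`/`identity` arguments on the container app `secret` block arrived in the 3.7x series), I would make `value` optional and add the reference path: `value = try(secret.value.value, null)`, `key_vault_secret_id = try(secret.value.key_vault_secret_id, null)` and `identity = try(secret.value.identity, null)`. Separately, the `identity` block reads `var.settings.identity.type` rather than `identity.value.type`, which is inconsistent with every other dynamic block in this resource and worth aligning. The block also always passes `identity_ids = local.managed_identities`, which evaluates to an empty list for `SystemAssigned`; guarding it with `identity_ids = length(local.managed_identities) > 0 ? local.managed_identities : null` avoids relying on the provider tolerating an empty set.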
--- /dev/null +++ b/modules/compute/container_app/main.tf @@ -0,0 +1,26 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} + +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.resource_group.tags, null), + local.module_tag, + try(var.settings.tags, null) + ) : merge( + local.module_tag, + try(var.settings.tags, + null) + ) + + location = coalesce(var.location, var.resource_group.location) + resource_group_name = coalesce(var.resource_group_name, var.resource_group.name) +} diff --git a/modules/compute/container_app/output.tf b/modules/compute/container_app/output.tf new file mode 100644 index 0000000000..fcd3430f8b --- /dev/null +++ b/modules/compute/container_app/output.tf @@ -0,0 +1,15 @@ +output "id" { + value = azurerm_container_app.ca.id +} +output "custom_domain_verification_id" { + value = azurerm_container_app.ca.custom_domain_verification_id +} +output "latest_revision_fqdn" { + value = azurerm_container_app.ca.latest_revision_fqdn +} +output "latest_revision_name" { + value = azurerm_container_app.ca.latest_revision_name +} +output "outbound_ip_addresses" { + value = azurerm_container_app.ca.outbound_ip_addresses +} diff --git a/modules/compute/container_app/variables.tf b/modules/compute/container_app/variables.tf new file mode 100644 index 0000000000..11e4f28fa9 --- /dev/null +++ b/modules/compute/container_app/variables.tf 
@@ -0,0 +1,20 @@ +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} +variable "client_config" {} +variable "diagnostics" {} +variable "diagnostic_profiles" {} +variable "combined_diagnostics" {} +variable "combined_resources" { + description = "Provide a map of combined resources for environment_variables_from_resources" + default = {} +} +variable "global_settings" {} +variable "location" {} +variable "resource_group_name" {} +variable "resource_group" { + description = "Resource group object to deploy the virtual machine" +} +variable "settings" {} +variable "container_app_environment_id" {} diff --git a/modules/compute/container_app_dapr_component/container_app_dapr_component.tf b/modules/compute/container_app_dapr_component/container_app_dapr_component.tf new file mode 100644 index 0000000000..5944658593 --- /dev/null +++ b/modules/compute/container_app_dapr_component/container_app_dapr_component.tf @@ -0,0 +1,28 @@ +resource "azurerm_container_app_environment_dapr_component" "cadc" { + name = var.settings.name + container_app_environment_id = var.container_app_environment_id + component_type = var.settings.component_type + version = var.settings.version + ignore_errors = try(var.settings.ignore_errors, false) + init_timeout = try(var.settings.init_timeout, null) + scopes = try(var.settings.scopes, null) + + dynamic "metadata" { + for_each = try(var.settings.metadata, {}) + + content { + name = metadata.value.name + secret_name = try(metadata.value.secret_name, null) + value = try(metadata.value.value, null) + } + } + + dynamic "secret" { + for_each = try(var.settings.secret, {}) + + content { + name = secret.value.name + value = secret.value.value + } + } +} diff --git a/modules/compute/container_app_dapr_component/main.tf b/modules/compute/container_app_dapr_component/main.tf new file mode 100644 index 0000000000..1fbfa06797 --- /dev/null 
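Review bot: The descriptions on `resource_group` and `combined_resources` were carried over from another module and do not describe this one: `Resource group object to deploy the virtual machine` and `Provide a map of combined resources for environment_variables_from_resources` in a container-app module, while the rest of the variables (`settings`, `container_app_environment_id`, `diagnostics`, ...) carry no description at all. Suggest `description = "Resource group object in which the container app is deployed."` and `description = "Map of combined resources used to resolve managed identity and registry references by key."`, the latter matching what the module's identity and registry blocks actually read from it. The same copied descriptions recur in `modules/compute/container_app_environment/variables.tf` and, for `combined_resources`, in `modules/compute/container_app_environment_storage/variables.tf`.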
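Review bot: The `secret` block takes `value = secret.value.value` straight from `var.settings`, so every Dapr component secret is supplied in clear text through tfvars and is written to the plan output and the state file; `settings` is untyped, so nothing in the module can mark it `sensitive`. A comment above the block should say so, e.g. `# Secret values come from var.settings in clear text and are persisted in Terraform state.`, and if the provider version in use supports a Key Vault reference on this block it would be worth offering that as the preferred source, with the inline value as a `try()` fallback. `metadata.secret_name` presumably has to match one of the `secret` names; nothing here checks that, so a typo surfaces only at deploy time.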
+++ b/modules/compute/container_app_dapr_component/main.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} diff --git a/modules/compute/container_app_dapr_component/output.tf b/modules/compute/container_app_dapr_component/output.tf new file mode 100644 index 0000000000..3669022961 --- /dev/null +++ b/modules/compute/container_app_dapr_component/output.tf @@ -0,0 +1,3 @@ +output "id" { + value = azurerm_container_app_environment_dapr_component.cadc.id +} diff --git a/modules/compute/container_app_dapr_component/variables.tf b/modules/compute/container_app_dapr_component/variables.tf new file mode 100644 index 0000000000..a316af1bdc --- /dev/null +++ b/modules/compute/container_app_dapr_component/variables.tf @@ -0,0 +1,8 @@ +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} +variable "client_config" {} +variable "global_settings" {} +variable "settings" {} +variable "container_app_environment_id" {} diff --git a/modules/compute/container_app_environment/container_app_environment.tf b/modules/compute/container_app_environment/container_app_environment.tf new file mode 100644 index 0000000000..ab6517ba28 --- /dev/null +++ b/modules/compute/container_app_environment/container_app_environment.tf 
@@ -0,0 +1,21 @@ +resource "azurecaf_name" "cae" { + name = var.settings.name + resource_type = "azurerm_container_app_environment" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} + +resource "azurerm_container_app_environment" "cae" { + name = azurecaf_name.cae.result + location = local.location + resource_group_name = local.resource_group_name + log_analytics_workspace_id = can(var.settings.log_analytics_workspace_id) ? var.settings.log_analytics_workspace_id : var.diagnostics.log_analytics[var.settings.log_analytics_key].id + dapr_application_insights_connection_string = try(var.settings.dapr_application_insights_connection_string, null) + infrastructure_subnet_id = try(var.subnet_id, null) + internal_load_balancer_enabled = try(var.settings.internal_load_balancer_enabled, null) + zone_redundancy_enabled = try(var.settings.zone_redundancy_enabled, null) + tags = merge(local.tags, try(var.settings.tags, null)) +} diff --git a/modules/compute/container_app_environment/main.tf b/modules/compute/container_app_environment/main.tf new file mode 100644 index 0000000000..e886ec6c93 --- /dev/null +++ b/modules/compute/container_app_environment/main.tf @@ -0,0 +1,26 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} + +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.resource_group.tags, null), + local.module_tag, + try(var.settings.tags, null) + ) : merge( + local.module_tag, + try(var.settings.tags, + null) + ) + + location = coalesce(var.location, var.resource_group.location) + resource_group_name = coalesce(var.resource_group_name, var.resource_group.name) +} 
diff --git a/modules/compute/container_app_environment/output.tf b/modules/compute/container_app_environment/output.tf
new file mode 100644
index 0000000000..c20e15e443
--- /dev/null
+++ b/modules/compute/container_app_environment/output.tf
@@ -0,0 +1,23 @@
+output "id" {
+ value = azurerm_container_app_environment.cae.id
+}
+
+output "default_domain" {
+ value = azurerm_container_app_environment.cae.default_domain
+}
+
+output "docker_bridge_cidr" {
+ value = try(var.settings.infrastructure_subnet_id, null) != null ? azurerm_container_app_environment.cae.docker_bridge_cidr : null
+}
+
+output "platform_reserved_cidr" {
+ value = try(var.settings.infrastructure_subnet_id, null) != null ? azurerm_container_app_environment.cae.platform_reserved_cidr : null
+}
+
+output "platform_reserved_dns_ip_address" {
+ value = try(var.settings.infrastructure_subnet_id, null) != null ? azurerm_container_app_environment.cae.platform_reserved_dns_ip_address : null
+}
+
+output "static_ip_address" {
+ value = try(var.settings.internal_load_balancer_enabled, false) == true ? azurerm_container_app_environment.cae.static_ip_address : null
+}
diff --git a/modules/compute/container_app_environment/variables.tf b/modules/compute/container_app_environment/variables.tf
new file mode 100644
index 0000000000..5ceb7e3873
--- /dev/null
+++ b/modules/compute/container_app_environment/variables.tf
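Review bot: The `docker_bridge_cidr`, `platform_reserved_cidr` and `platform_reserved_dns_ip_address` outputs are gated on `var.settings.infrastructure_subnet_id`, but the resource in `container_app_environment.tf` sets `infrastructure_subnet_id = try(var.subnet_id, null)` and never reads `settings.infrastructure_subnet_id`, so on the only path that actually attaches a subnet these three outputs are always `null`. Gate them on the value the resource used instead, e.g. `value = azurerm_container_app_environment.cae.infrastructure_subnet_id != null ? azurerm_container_app_environment.cae.docker_bridge_cidr : null`, and likewise for the other two.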
@@ -0,0 +1,20 @@
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
+}
+variable "client_config" {}
+variable "diagnostics" {}
+variable "diagnostic_profiles" {}
+variable "combined_diagnostics" {}
+variable "combined_resources" {
+ description = "Provide a map of combined resources for environment_variables_from_resources"
+ default = {}
+}
+variable "global_settings" {}
+variable "location" {}
+variable "resource_group_name" {}
+variable "resource_group" {
+ description = "Resource group object to deploy the virtual machine"
+}
+variable "settings" {}
+variable "subnet_id" {}
diff --git a/modules/compute/container_app_environment_certificate/container_app_environment_certificate.tf b/modules/compute/container_app_environment_certificate/container_app_environment_certificate.tf
new file mode 100644
index 0000000000..10d5fe0777
--- /dev/null
+++ b/modules/compute/container_app_environment_certificate/container_app_environment_certificate.tf
@@ -0,0 +1,7 @@
+resource "azurerm_container_app_environment_certificate" "caec" {
+ name = var.settings.name
+ container_app_environment_id = var.container_app_environment_id
+ certificate_blob_base64 = var.settings.certificate_blob_base64
+ certificate_password = var.settings.certificate_password
+ tags = merge(local.tags, try(var.settings.tags, null))
+}
diff --git a/modules/compute/container_app_environment_certificate/main.tf b/modules/compute/container_app_environment_certificate/main.tf
new file mode 100644
index 0000000000..40fc6fa25f
--- /dev/null
+++ b/modules/compute/container_app_environment_certificate/main.tf
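Review bot: `certificate_blob_base64` and `certificate_password` are read directly from `var.settings`, so the PFX (private key included) and its password pass through tfvars, plan output and state in clear text, and because `settings` is an untyped variable neither attribute can be declared `sensitive`. Consider accepting a Key Vault secret reference for both as the preferred source, resolved through `combined_resources` the way this module tree resolves other cross-module references, and keeping the inline value only as a `try()` fallback. At minimum a comment above the resource should state the exposure: `# certificate_blob_base64 and certificate_password are persisted in Terraform state; source them from Key Vault rather than committing them in tfvars.`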
@@ -0,0 +1,22 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
+
+locals {
+ module_tag = {
+ "module" = basename(abspath(path.module))
+ }
+ tags = var.base_tags ? merge(
+ var.global_settings.tags,
+ local.module_tag,
+ try(var.settings.tags, null)
+ ) : merge(
+ local.module_tag,
+ try(var.settings.tags,
+ null)
+ )
+}
diff --git a/modules/compute/container_app_environment_certificate/output.tf b/modules/compute/container_app_environment_certificate/output.tf
new file mode 100644
index 0000000000..4820a27b2f
--- /dev/null
+++ b/modules/compute/container_app_environment_certificate/output.tf
@@ -0,0 +1,15 @@
+output "id" {
+ value = azurerm_container_app_environment_certificate.caec.id
+}
+output "expiration_date" {
+ value = azurerm_container_app_environment_certificate.caec.expiration_date
+}
+output "issue_date" {
+ value = azurerm_container_app_environment_certificate.caec.issue_date
+}
+output "issuer" {
+ value = azurerm_container_app_environment_certificate.caec.issuer
+}
+output "subject_name" {
+ value = azurerm_container_app_environment_certificate.caec.subject_name
+}
diff --git a/modules/compute/container_app_environment_certificate/variables.tf b/modules/compute/container_app_environment_certificate/variables.tf
new file mode 100644
index 0000000000..a316af1bdc
--- /dev/null
+++ b/modules/compute/container_app_environment_certificate/variables.tf
@@ -0,0 +1,8 @@
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
+}
+variable "client_config" {}
+variable "global_settings" {}
+variable "settings" {}
+variable "container_app_environment_id" {}
diff --git a/modules/compute/container_app_environment_storage/container_app_environment_storage.tf b/modules/compute/container_app_environment_storage/container_app_environment_storage.tf
new file mode 100644
index 0000000000..b7e0ee7fb6
--- /dev/null
+++ b/modules/compute/container_app_environment_storage/container_app_environment_storage.tf
@@ -0,0 +1,8 @@
+resource "azurerm_container_app_environment_storage" "caes" {
+ name = var.settings.name
+ container_app_environment_id = var.container_app_environment_id
+ account_name = can(var.settings.account_name) ? var.settings.account_name : var.combined_resources.storage_accounts[try(var.settings.storage_account.lz_key, var.client_config.landingzone_key)][var.settings.storage_account.account_key].name
+ share_name = var.settings.share_name
+ access_key = can(var.settings.access_key) ? var.settings.access_key : var.combined_resources.storage_accounts[try(var.settings.storage_account.lz_key, var.client_config.landingzone_key)][var.settings.storage_account.account_key].primary_access_key
+ access_mode = var.settings.access_mode
+}
diff --git a/modules/compute/container_app_environment_storage/main.tf b/modules/compute/container_app_environment_storage/main.tf
new file mode 100644
index 0000000000..1fbfa06797
--- /dev/null
+++ b/modules/compute/container_app_environment_storage/main.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
diff --git a/modules/compute/container_app_environment_storage/output.tf b/modules/compute/container_app_environment_storage/output.tf
new file mode 100644
index 0000000000..874f0c1fad
--- /dev/null
+++ b/modules/compute/container_app_environment_storage/output.tf
@@ -0,0 +1,3 @@
+output "id" {
+ value = azurerm_container_app_environment_storage.caes.id
+}
diff --git a/modules/compute/container_app_environment_storage/variables.tf b/modules/compute/container_app_environment_storage/variables.tf
new file mode 100644
index 0000000000..05b84bd7b7
--- /dev/null
+++ b/modules/compute/container_app_environment_storage/variables.tf
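Review bot: `access_key` copies the storage account's `primary_access_key` — a long-lived, full-control credential — into this module's plan output and state, and the `can(var.settings.access_key)` branch additionally lets callers paste the key in clear text into tfvars. The resource needs a key, so the derived path is the lesser evil; a comment should make the trade-off explicit and steer callers away from the inline form: `# access_key is persisted in state; prefer the storage_account key lookup over an inline settings.access_key, and rotate the key if the state is ever exposed.` The `storage_accounts[...]` lookup is also repeated verbatim for `account_name` and `access_key`; a single `local.storage_account` would keep the two from drifting apart.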
@@ -0,0 +1,16 @@ +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} +variable "client_config" {} +variable "global_settings" {} +variable "combined_resources" { + description = "Provide a map of combined resources for environment_variables_from_resources" + default = {} +} +variable "remote_objects" { + description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." + default = {} +} +variable "settings" {} +variable "container_app_environment_id" {} From cd5176ea387e4eb57b77a14f0f3ed7799c191004 Mon Sep 17 00:00:00 2001 From: kevindelmont <133667252+kevindelmont@users.noreply.github.com> Date: Wed, 29 Nov 2023 08:58:49 +0100 Subject: [PATCH 017/244] Add diagnostic on Azure Recovery Service Vault (#1824) * Add diagnostic on Azure Recovery Service Vault * fix example - missing closing bracket * fix --- .github/workflows/standalone-scenarios.json | 1 + .../107-asr-diagnostics/configuration.tfvars | 151 ++++++++++++++++++ modules/recovery_vault/diagnostics.tf | 1 + modules/recovery_vault/variables.tf | 9 +- recovery_vaults.tf | 1 + 5 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 examples/recovery_vault/107-asr-diagnostics/configuration.tfvars diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 8e74ef48c4..7cf7abe72d 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -137,6 +137,7 @@ "recovery_vault/104-backupvault-with-private-endpoint", "recovery_vault/105-asr-with-network-mapping", "recovery_vault/106-backupvault-with-sqldatabase-saphana", + "recovery_vault/107-asr-diagnostics", "redis_cache/103-redis-private-endpoints", "role_mapping/100-simple-role-mapping", "role_mapping/101-function-app-managed-identity", 
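Review bot: The description on `remote_objects` is copied from a location variable and is wrong on both counts: `(Required) Specifies the supported Azure location where to create the resource...` on a variable with `default = {}`, and the storage resource in this module does not reference `var.remote_objects` at all from what is visible here. Either drop the variable or give it an accurate description, e.g. `description = "(Optional) Map of objects from other landing zones; reserved for remote lookups, currently unused."` `combined_resources` carries the same copied `environment_variables_from_resources` description noted on the container_app module.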
diff --git a/examples/recovery_vault/107-asr-diagnostics/configuration.tfvars b/examples/recovery_vault/107-asr-diagnostics/configuration.tfvars new file mode 100644 index 0000000000..bd90d904f5 --- /dev/null +++ b/examples/recovery_vault/107-asr-diagnostics/configuration.tfvars 
@@ -0,0 +1,151 @@ +global_settings = { + regions = { + region1 = "australiaeast" + region2 = "australiacentral" + } +} +resource_groups = { + primary = { + name = "sharedsvc_re1" + } +} +diagnostics_definition = { + azure_site_recovery = { + name = "operational_logs_and_metrics" + log_analytics_destination_type = "Dedicated" + categories = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureBackupReport", true, true, 0], + ["CoreAzureBackup", true, true, 0], + ["AddonAzureBackupAlerts", true, true, 0], + ["AddonAzureBackupJobs", true, true, 0], + ["AddonAzureBackupPolicy", true, true, 0], + ["AddonAzureBackupProtectedInstance", true, true, 0], + ["AddonAzureBackupStorage", true, true, 0], + ["AzureSiteRecoveryJobs", true, true, 0], + ["AzureSiteRecoveryEvents", true, true, 0], + ["AzureSiteRecoveryReplicatedItems", true, true, 0], + ["AzureSiteRecoveryReplicationStats", true, true, 0], + ["AzureSiteRecoveryRecoveryPoints", true, true, 0], + ["AzureSiteRecoveryReplicationDataUploadRate", true, true, 0], + ["AzureSiteRecoveryProtectedDiskDataChurn", true, true, 0], + ] + metric = [ + ["AllMetrics", true, true, 0], + ] + } + } +} + +diagnostic_event_hub_namespaces = { + event_hub_namespace1 = { + name = "operation_logs" + resource_group_key = "primary" + sku = "Standard" + region = "region1" + } +} + +diagnostics_destinations = { + event_hub_namespaces = { + central_logs_example = { + event_hub_namespace_key = "event_hub_namespace1" + } + } +} + +recovery_vaults = { + asr1 = { + name = "vault_re1" + resource_group_key = "primary" + + diagnostic_profiles = { + azure_site_recovery = { + definition_key = "azure_site_recovery" + destination_type = "event_hub" + destination_key = "central_logs_example" + } + } + region = "region1" + + replication_policies = { + repl1 = { + name = "policy1" + resource_group_key = "primary" + + recovery_point_retention_in_minutes = 24 * 60 + 
application_consistent_snapshot_frequency_in_minutes = 4 * 60 + } + } + + + backup_policies = { + vms = { + policy1 = { + name = "VMBackupPolicy1" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" + instant_restore_retention_days = 5 + backup = { + frequency = "Daily" + time = "23:00" + #if not desired daily, can pick weekdays as below: + #weekdays = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"] + } + retention_daily = { + count = 10 + } + retention_weekly = { + count = 42 + weekdays = ["Sunday", "Wednesday", "Friday", "Saturday"] + } + retention_monthly = { + count = 7 + weekdays = ["Sunday", "Wednesday"] + weeks = ["First", "Last"] + } + retention_yearly = { + count = 7 + weekdays = ["Sunday"] + weeks = ["Last"] + months = ["January"] + } + } + } + + fs = { + policy1 = { + name = "FSBackupPolicy1" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" + backup = { + frequency = "Daily" + time = "23:00" + } + retention_daily = { + count = 1 + } + retention_weekly = { + count = 1 + weekdays = ["Sunday", "Wednesday", "Friday", "Saturday"] + } + retention_monthly = { + count = 1 + weekdays = ["Sunday", "Wednesday"] + weeks = ["First", "Last"] + } + retention_yearly = { + count = 2 + weekdays = ["Sunday"] + weeks = ["Last"] + months = ["January"] + } + } + } + } + } + +} diff --git a/modules/recovery_vault/diagnostics.tf b/modules/recovery_vault/diagnostics.tf index 0caaba4e20..50f56b34e9 100644 --- a/modules/recovery_vault/diagnostics.tf +++ b/modules/recovery_vault/diagnostics.tf @@ -1,6 +1,7 @@ module "diagnostics" { source = "../diagnostics" + count = var.diagnostic_profiles == null ? 0 : 1 resource_id = azurerm_recovery_services_vault.asr.id resource_location = local.location diff --git a/modules/recovery_vault/variables.tf b/modules/recovery_vault/variables.tf index 5f4359b7e4..aeae2a877a 100644 --- a/modules/recovery_vault/variables.tf +++ b/modules/recovery_vault/variables.tf 
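Review bot: `count = var.diagnostic_profiles == null ? 0 : 1` never evaluates to 0 in this patch: `variables.tf` declares `diagnostic_profiles` with `default = {}` and `recovery_vaults.tf` passes `try(each.value.diagnostic_profiles, {})`, so the variable is always a map and the diagnostics module is always instantiated. If the intent is to skip diagnostics when no profile is configured, test for emptiness: `count = length(try(var.diagnostic_profiles, {})) == 0 ? 0 : 1`. Adding `count` also changes the module address from `module.diagnostics` to `module.diagnostics[0]`, so existing deployments will plan a destroy/recreate of their diagnostic settings unless a `moved` block is added alongside. The `module "diagnostics"` block continues past the hunk.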
@@ -4,7 +4,14 @@ variable "global_settings" { description = "Global settings object (see module README.md)" } -variable "diagnostics" {} +variable "diagnostic_profiles" { + default = {} +} + +variable "diagnostics" { + default = null +} + variable "private_endpoints" {} variable "vnets" {} variable "client_config" { diff --git a/recovery_vaults.tf b/recovery_vaults.tf index 2449c3d201..47a45ccb57 100644 --- a/recovery_vaults.tf +++ b/recovery_vaults.tf @@ -6,6 +6,7 @@ module "recovery_vaults" { global_settings = local.global_settings client_config = local.client_config settings = each.value + diagnostic_profiles = try(each.value.diagnostic_profiles, {}) diagnostics = local.combined_diagnostics identity = try(each.value.identity, null) vnets = try(local.combined_objects_networking, {}) From 140a789ce2981f3d0f5a07a57be72ba5cd8289b7 Mon Sep 17 00:00:00 2001 From: Marco Mansi Date: Wed, 29 Nov 2023 15:46:22 +0100 Subject: [PATCH 018/244] fix error with missing global settings in variable --- modules/roles/custom_roles/module.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/roles/custom_roles/module.tf b/modules/roles/custom_roles/module.tf index 81d5bf91c1..44cbc4d118 100644 --- a/modules/roles/custom_roles/module.tf +++ b/modules/roles/custom_roles/module.tf @@ -1,6 +1,6 @@ locals { - global_settings = merge(var.global_settings, var.custom_role.global_settings) + global_settings = merge(var.global_settings, try(var.custom_role.global_settings,{})) } resource "azurecaf_name" "custom_role" { From 9d4b0f22b9e71f4dd413cc0fbea38a9576e0b936 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 1 Dec 2023 12:31:51 +0000 Subject: [PATCH 019/244] fix(azurerm_eventhub_namespace): fixing for_each reference --- modules/event_hubs/namespaces/event_hub_namespaces.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/event_hubs/namespaces/event_hub_namespaces.tf b/modules/event_hubs/namespaces/event_hub_namespaces.tf index e1b92ae4ba..20b6ee3788 100644 --- a/modules/event_hubs/namespaces/event_hub_namespaces.tf +++ b/modules/event_hubs/namespaces/event_hub_namespaces.tf @@ -34,7 +34,7 @@ resource "azurerm_eventhub_namespace" "evh" { trusted_service_access_enabled = try(network_rulesets.value.trusted_service_access_enabled, null) dynamic "virtual_network_rule" { - for_each = try(var.settings.network_rulesets.virtual_network_rule, {}) + for_each = try(network_rulesets.value.virtual_network_rule, {}) content { subnet_id = virtual_network_rule.value.subnet_id ignore_missing_virtual_network_service_endpoint = try(virtual_network_rule.value.ignore_missing_virtual_network_service_endpoint, null) @@ -42,7 +42,7 @@ resource "azurerm_eventhub_namespace" "evh" { } dynamic "ip_rule" { - for_each = try(var.settings.network_rulesets.ip_rule, {}) + for_each = try(network_rulesets.value.ip_rule, {}) content { ip_mask = ip_rule.value.ip_mask action = try(ip_rule.value.action, null) From dc157d5c480c241b303f3731cadd4d7332419ed4 Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Wed, 6 Dec 2023 15:41:59 +0000 Subject: [PATCH 020/244] fix(public_ip_addresses): reverse_fqdn type Use string as variable type for reverse_fqdn --- modules/networking/public_ip_addresses/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/public_ip_addresses/variables.tf b/modules/networking/public_ip_addresses/variables.tf index 260f56de25..24a16437a2 100644 --- a/modules/networking/public_ip_addresses/variables.tf +++ b/modules/networking/public_ip_addresses/variables.tf 
@@ -70,7 +70,7 @@ variable "generate_domain_name_label" { variable "reverse_fqdn" { description = "(Optional) A fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - type = bool + type = string default = null } From 2720bda7fb675bc0300ded05364572824c1cf36c Mon Sep 17 00:00:00 2001 From: khairi Date: Tue, 12 Dec 2023 09:26:44 +0000 Subject: [PATCH 021/244] fix urlpathmap issue when update backendpool --- .../301-agw-v1/agw_application.tfvars | 37 +++++++++++++++---- .../scripts/set_resource.sh | 30 ++++++++++++--- .../url_path_map.tf | 4 ++ 3 files changed, 58 insertions(+), 13 deletions(-) diff --git a/examples/networking/app_gateway/301-agw-v1/agw_application.tfvars b/examples/networking/app_gateway/301-agw-v1/agw_application.tfvars index fbfceda541..538a3d300c 100644 --- a/examples/networking/app_gateway/301-agw-v1/agw_application.tfvars +++ b/examples/networking/app_gateway/301-agw-v1/agw_application.tfvars @@ -16,6 +16,18 @@ application_gateway_applications_v1 = { # key = "" # } } + demo2 = { + name = "demo_pool02" + fqdns = ["babc-app-ptsg-5sspdemoappap2-lo.babc-ase-ase01-pd.appserviceenvironment.net"] + } + demo3 = { + name = "demo_pool03" + fqdns = ["babc-app-ptsg-5sspdemoappap3-lo.babc-ase-ase01-pd.appserviceenvironment.net"] + } + demo4 = { + name = "demo_pool04" + fqdns = ["babc-app-ptsg-5sspdemoappap4-lo.babc-ase-ase01-pd.appserviceenvironment.net"] + } } http_settings = { 
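Review bot: The three new backend pools use what look like real hostnames from a private App Service Environment (`babc-app-ptsg-5sspdemoappap2-lo.babc-ase-ase01-pd.appserviceenvironment.net` and its two siblings) rather than example values, which exposes an environment's naming scheme in a public example and points anyone who runs it at hosts they do not control. Use neutral placeholders in the `fqdns` lists, e.g. `fqdns = ["app2.example.com"]`, consistent with the commented `key = ""` placeholder already used in this block.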
@@ -83,12 +95,14 @@ application_gateway_applications_v1 = { url_path_maps = { demo = { - name = "test_path_map" - paths = "/test/*" - rule_name = "test_path_rule" - backend_pool_key = "demo" - http_settings_key = "demo" - rewrite_rule_set_key = "rrs1" + name = "test_path_map" + paths = "/test/*" + rule_name = "test_path_rule" + default_backend_pool_key = "demo" + backend_pool_key = "demo" + default_http_settings_key = "demo" + http_settings_key = "demo" + rewrite_rule_set_key = "rrs1" } } @@ -97,14 +111,21 @@ application_gateway_applications_v1 = { name = "rule1-demo" url_path_map_key = "demo" paths = "/test/rule1/*" - backend_pool_key = "demo" + backend_pool_key = "demo2" http_settings_key = "demo" } rule2 = { name = "rule2-demo" url_path_map_key = "demo" paths = "/test/rule2/*" - backend_pool_key = "demo" + backend_pool_key = "demo3" + http_settings_key = "demo" + } + rule3 = { + name = "rule3-demo" + url_path_map_key = "demo" + paths = "/test/rule3/*" + backend_pool_key = "demo4" http_settings_key = "demo" } } diff --git a/modules/networking/application_gateway_application/scripts/set_resource.sh b/modules/networking/application_gateway_application/scripts/set_resource.sh index 06d2b425b1..907410a67c 100755 --- a/modules/networking/application_gateway_application/scripts/set_resource.sh +++ b/modules/networking/application_gateway_application/scripts/set_resource.sh 
@@ -160,15 +160,35 @@ case "${RESOURCE}" in --name ${NAME} ${certfile}${keyvaultsecretid} ;; PATHMAP) - addresspool=$([ -z "${ADDRESS_POOL}" ] && echo "" || echo "--address-pool ${ADDRESS_POOL} --default-address-pool ${ADDRESS_POOL} ") - httpsettings=$([ -z "${HTTP_SETTINGS}" ] && echo "" || echo "--http-settings ${HTTP_SETTINGS} --default-http-settings ${HTTP_SETTINGS} ") + defaultaddresspool=$([ -z "${DEFAULT_ADDRESS_POOL}" ] && echo "" || echo "--default-address-pool ${DEFAULT_ADDRESS_POOL} ") + addresspool=$([ -z "${ADDRESS_POOL}" ] && echo "" || echo "--address-pool ${ADDRESS_POOL} ") + defaulthttpsettings=$([ -z "${DEFAULT_HTTP_SETTINGS}" ] && echo "" || echo "--default-http-settings ${DEFAULT_HTTP_SETTINGS} ") + httpsettings=$([ -z "${HTTP_SETTINGS}" ] && echo "" || echo "--http-settings ${HTTP_SETTINGS} ") + defaultredirectconfig=$([ -z "${DEFAULT_REDIRECT_CONFIG}" ] && echo "" || echo "--default-redirect-config ${DEFAULT_REDIRECT_CONFIG} ") redirectconfig=$([ -z "${REDIRECT_CONFIG}" ] && echo "" || echo "--redirect-config ${REDIRECT_CONFIG} ") + defaultrewriteruleset=$([ -z "${DEFAULT_REWRITE_RULE_SET}" ] && echo "" || echo "--default-rewrite-rule-set ${DEFAULT_REWRITE_RULE_SET} ") rewriteruleset=$([ -z "${REWRITE_RULE_SET}" ] && echo "" || echo "--rewrite-rule-set ${REWRITE_RULE_SET} ") rulename=$([ -z "${RULE_NAME}" ] && echo "" || echo "--rule-name ${RULE_NAME} ") wafpolicy=$([ -z "${WAF_POLICY}" ] && echo "" || echo "--waf-policy ${WAF_POLICY} ") - execute_with_backoff az network application-gateway url-path-map create -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} \ - -n ${NAME} --paths ${PATHS} ${addresspool}${httpsettings}${redirectconfig}${rewriteruleset}${rulename}${wafpolicy} + # Check if pathmap already created + output=$(az network application-gateway url-path-map show -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} -n ${NAME} 2> error.txt) + + # Check if the error file contains the ResourceNotFoundError message + if grep -q 
"ResourceNotFoundError" error.txt; then + execute_with_backoff az network application-gateway url-path-map create -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} \ + -n ${NAME} --paths ${PATHS} ${defaultaddresspool}${addresspool}${defaulthttpsettings}${httpsettings} \ + ${defaultredirectconfig}${redirectconfig}${defaultrewriteruleset}${rewriteruleset}${rulename}${wafpolicy} + else + execute_with_backoff az network application-gateway url-path-map update -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} \ + -n ${NAME} ${defaultaddresspool}${defaulthttpsettings}${defaultredirectconfig}${defaultrewriteruleset} + execute_with_backoff az network application-gateway url-path-map rule create -g ${RG_NAME} --gateway-name ${APPLICATION_GATEWAY_NAME} \ + -n ${RULE_NAME} --path-map-name ${NAME} --paths ${PATHS} ${addresspool}${httpsettings}${redirectconfig}${rewriteruleset}${wafpolicy} + fi + + # Remove the error file + rm error.txt + ;; PATHRULE) addresspool=$([ -z "${ADDRESS_POOL}" ] && echo "" || echo "--address-pool ${ADDRESS_POOL} ") @@ -215,7 +235,7 @@ case "${RESOURCE}" in ignorecase=$([ -z "${IGNORE_CASE}" ] && echo "" || echo "--ignore-case ${IGNORE_CASE} ") negate=$([ -z "${NEGATE}" ] && echo "" || echo "--negate ${NEGATE} ") pattern=$([ -z "${PATTERN}" ] && echo "" || echo "--pattern ${PATTERN} ") - +2 execute_with_backoff az network application-gateway rewrite-rule condition create -g ${RG_NAME} \ --gateway-name ${APPLICATION_GATEWAY_NAME} --variable ${VARIABLE} --rule-set-name ${RULE_SET_NAME} --rule-name ${RULE_NAME}\ ${ignorecase} ${negate} ${pattern} diff --git a/modules/networking/application_gateway_application/url_path_map.tf b/modules/networking/application_gateway_application/url_path_map.tf index 6a10a51b2d..c3b0a94626 100644 --- a/modules/networking/application_gateway_application/url_path_map.tf +++ b/modules/networking/application_gateway_application/url_path_map.tf 
@@ -20,9 +20,13 @@ resource "null_resource" "set_url_path_map" { APPLICATION_GATEWAY_ID = var.application_gateway.id NAME = each.value.name PATHS = each.value.paths + DEFAULT_ADDRESS_POOL = try(var.settings.backend_pools[each.value.default_backend_pool_key].name, var.settings.backend_pools[each.value.backend_pool_key].name) ADDRESS_POOL = var.settings.backend_pools[each.value.backend_pool_key].name + DEFAULT_HTTP_SETTINGS = try(var.settings.http_settings[each.value.default_http_settings_key].name, var.settings.http_settings[each.value.http_settings_key].name) HTTP_SETTINGS = var.settings.http_settings[each.value.http_settings_key].name + DEFAULT_REDIRECT_CONFIG = try(each.value.default_redirect_config, each.value.redirect_config, null) REDIRECT_CONFIG = try(each.value.redirect_config, null) + DEFAULT_REWRITE_RULE_SET = try(var.settings.rewrite_rule_sets[each.value.default_rewrite_rule_set_key].name, var.settings.rewrite_rule_sets[each.value.rewrite_rule_set_key].name, null) REWRITE_RULE_SET = try(var.settings.rewrite_rule_sets[each.value.rewrite_rule_set_key].name, null) RULE_NAME = try(each.value.rule_name, null) WAF_POLICY = try(each.value.waf_policy, null) From b83c028d44559191e56f0fc8fc6b96d340e3f225 Mon Sep 17 00:00:00 2001 From: William Payen Date: Fri, 15 Dec 2023 13:48:00 +0100 Subject: [PATCH 022/244] Add Support of domain_configuration_type parameter --- .../configuration.tfvars | 9 +++++---- .../active_directory_domain_service/module.tf | 15 ++++++++------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/examples/identity/active_directory_domain_service/100-active_directory_domain_service-replica/configuration.tfvars b/examples/identity/active_directory_domain_service/100-active_directory_domain_service-replica/configuration.tfvars index 72b9319c3e..e0adc702d1 100644 --- a/examples/identity/active_directory_domain_service/100-active_directory_domain_service-replica/configuration.tfvars 
+++ b/examples/identity/active_directory_domain_service/100-active_directory_domain_service-replica/configuration.tfvars @@ -37,9 +37,10 @@ active_directory_domain_service = { resource_group = { key = "rg" } - domain_name = "widgetslogin.net" - sku = "Enterprise" - filtered_sync_enabled = false + domain_name = "widgetslogin.net" + sku = "Enterprise" + filtered_sync_enabled = false + domain_configuration_type = "FullySynced" initial_replica_set = { region = "region1" @@ -79,4 +80,4 @@ active_directory_domain_service_replica_set = { key = "aadds" } } -} \ No newline at end of file +} diff --git a/modules/identity/active_directory_domain_service/module.tf b/modules/identity/active_directory_domain_service/module.tf index eb96be8310..d3af67beb6 100644 --- a/modules/identity/active_directory_domain_service/module.tf +++ b/modules/identity/active_directory_domain_service/module.tf @@ -19,13 +19,14 @@ resource "azurecaf_name" "aadds" { # use_slug = var.global_settings.use_slug # } resource "azurerm_active_directory_domain_service" "aadds" { - name = azurecaf_name.aadds.result - resource_group_name = local.resource_group_name - location = local.location - domain_name = var.settings.domain_name - filtered_sync_enabled = try(var.settings.filtered_sync_enabled, null) - sku = var.settings.sku - tags = merge(local.tags, try(var.settings.tags, {})) + name = azurecaf_name.aadds.result + resource_group_name = local.resource_group_name + location = local.location + domain_name = var.settings.domain_name + filtered_sync_enabled = try(var.settings.filtered_sync_enabled, null) + domain_configuration_type = try(var.settings.domain_configuration_type, null) + sku = var.settings.sku + tags = merge(local.tags, try(var.settings.tags, {})) dynamic "secure_ldap" { for_each = can(var.settings.secure_ldap) ? [var.settings.secure_ldap] : [] From 9aa27dbbe5c841bcef00ac2df0032a20c46d20ef Mon Sep 17 00:00:00 2001 
From: Leela Satyavathi Pentakota Date: Thu, 28 Dec 2023 17:22:50 +0530 Subject: [PATCH 023/244] added wait time/delay after private endpoint creation --- modules/networking/private_endpoint/private_endpoint.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf index 199478464b..dd5a6ca7be 100644 --- a/modules/networking/private_endpoint/private_endpoint.tf +++ b/modules/networking/private_endpoint/private_endpoint.tf @@ -54,3 +54,12 @@ resource "azurerm_private_endpoint" "pep" { } } + +resource "time_sleep" "delay" { + count = can(lookup(var.settings,var.settings.delay_time_after_creation,false)) ? 1: 0 + depends_on = [azurerm_private_endpoint.pep] + create_duration = var.settings.delay_time_after_creation + lifecycle { + replace_triggered_by = [ azurerm_private_endpoint.pep ] + } +} \ No newline at end of file From 887162b3d496e01f2113e0ec5f9c383baf3c65cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20DELMONT?= Date: Mon, 8 Jan 2024 09:41:55 +0100 Subject: [PATCH 024/244] - fix maintenance configuration module - add example for linux vm --- .github/workflows/standalone-scenarios.json | 3 +- .../configuration.tfvars | 3 +- .../configuration.tfvars | 213 ++++++++++++++++++ modules/compute/virtual_machine/vm_linux.tf | 1 + modules/compute/virtual_machine/vm_windows.tf | 2 +- modules/maintenance/configuration/module.tf | 10 +- 6 files changed, 223 insertions(+), 9 deletions(-) rename examples/maintenance_configuration/{200-maintenance-configuration-assignment-vm => 200-maintenance-configuration-assignment-vm-windows}/configuration.tfvars (97%) create mode 100644 examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 2cffe09bd6..79dd0dbe38 100644 
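Review bot: `can(lookup(var.settings, var.settings.delay_time_after_creation, false))` passes the delay value as the lookup key, so it is only true when `var.settings.delay_time_after_creation` can be evaluated at all — which is what `can(var.settings.delay_time_after_creation)` says directly; write `count = can(var.settings.delay_time_after_creation) ? 1 : 0`. `time_sleep` needs the `hashicorp/time` provider declared in this module's `required_providers`, which is not visible in the patch — confirm it is present, otherwise the module fails at init. The file also loses its trailing newline in this change.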
--- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -87,7 +87,8 @@ "machine_learning/102-aml-compute_instance", "maintenance_configuration/100-maintenance-configuration", "maintenance_configuration/101-maintenance-configuration-schedule", - "maintenance_configuration/200-maintenance-configuration-assignment-vm", + "maintenance_configuration/200-maintenance-configuration-assignment-vm-windows", + "maintenance_configuration/201-maintenance-configuration-assignment-vm-linux", "maps/101-azure-maps-account", "managed_service_identity/100-msi-levels", "mariadb_server/100-simple-mariadb", diff --git a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars similarity index 97% rename from examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars rename to examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars index 7f10a5f674..dae867700e 100644 --- a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm/configuration.tfvars +++ b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars @@ -64,7 +64,6 @@ virtual_machines = { # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage - boot_diagnostics_storage_account_key = "bootdiag_region1" os_type = "windows" 
@@ -96,7 +95,7 @@ virtual_machines = { eviction_policy = "Deallocate" patch_mode = "AutomaticByPlatform" - bypassPlatformChecksOnUserSchedule = true + bypass_platform_safety_checks_on_user_schedule_enabled = true # When you want to load the file from the folder in the custom_data always use the relative path from the caf_solution in landing zones custom_data = "../../examples/compute/virtual_machine/101-single-windows-vm/scripts/custom.ps1" # Value of the nic keys to attach the VM. The first one in the list is the default nic diff --git a/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars b/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars new file mode 100644 index 0000000000..fa7f0951d4 --- /dev/null +++ b/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars 
@@ -0,0 +1,213 @@ + +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } + + inherit_tags = true + + resource_defaults = { + virtual_machines = { + # set the below to enable az managed boot diagostics for vms + # this will be override if a user managed storage account is defined for the vm + # use_azmanaged_storage_for_boot_diagnostics = true + } + } +} + +resource_groups = { + vm_region1 = { + name = "example-virtual-machine-rg1" + } +} + +# Virtual machines +virtual_machines = { + + # Configuration to deploy a bastion host linux virtual machine + example_vm1 = { + resource_group_key = "vm_region1" + provision_vm_agent = true + # when boot_diagnostics_storage_account_key is empty string "", boot diagnostics will be put on azure managed storage + # when boot_diagnostics_storage_account_key is a non-empty string, it needs to point to the key of a user managed storage defined in diagnostic_storage_accounts + # if boot_diagnostics_storage_account_key is not defined, but global_settings.resource_defaults.virtual_machines.use_azmanaged_storage_for_boot_diagnostics is true, boot diagnostics will be put on azure managed storage + + os_type = "linux" + + # the auto-generated ssh key in keyvault secret. 
Secret name being {VM name}-ssh-public and {VM name}-ssh-private + keyvault_key = "example_vm_rg1" + + # Define the number of networking cards to attach the virtual machine + # Option to use when BYOI (Bring your Own Interface) + # networking_interface_ids = ["/subscriptions//resourceGroups//providers/Microsoft.Network/networkInterfaces/"] + + networking_interfaces = { + nic0 = { + # Value of the keys from networking.tfvars + vnet_key = "vnet_region1" + subnet_key = "example" + primary = true + name = "0" + enable_ip_forwarding = false + internal_dns_name_label = "nic0" + public_ip_address_key = "example_vm_pip1_rg1" + # example with external network objects + # subnet_id = "/subscriptions/sub-id/resourceGroups/test-manual/providers/Microsoft.Network/virtualNetworks/vnet/subnets/default" + # public_address_id = "/subscriptions/sub-id/resourceGroups/test-manual/providers/Microsoft.Network/publicIPAddresses/arnaudip" + # nsg_id = "/subscriptions/sub-id/resourceGroups/test-manual/providers/Microsoft.Network/networkSecurityGroups/nsgtest" + + } + } + + virtual_machine_settings = { + linux = { + name = "example_vm1" + size = "Standard_F2" + admin_username = "adminuser" + disable_password_authentication = true + + # Spot VM to save money + priority = "Spot" + eviction_policy = "Deallocate" + + patch_mode = "AutomaticByPlatform" + bypass_platform_safety_checks_on_user_schedule_enabled = true + + # Value of the nic keys to attach the VM. 
The first one in the list is the default nic + network_interface_keys = ["nic0"] + + os_disk = { + name = "example_vm1-os" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + identity = { + type = "SystemAssigned" #SystemAssigned OR UserAssigned OR SystemAssigned, UserAssigned + # remote = { + # remote_kz_key = { # remote lz key + # managed_identity_keys = [""] # remote msi resource key + # } + # } + # managed_identity_keys = [""] //local msi resource key + } + source_image_reference = { + publisher = "Canonical" + offer = "UbuntuServer" + sku = "18.04-LTS" + version = "latest" + } + + } + } + data_disks = { + data1 = { + name = "server1-data1" + storage_account_type = "Standard_LRS" + # Only Empty is supported. More community contributions required to cover other scenarios + create_option = "Empty" + disk_size_gb = "10" + lun = 1 + zones = ["1"] + } + } + } +} + + +keyvaults = { + example_vm_rg1 = { + name = "vmlinuxakv" + resource_group_key = "vm_region1" + sku_name = "standard" + soft_delete_enabled = true + purge_protection_enabled = true + enabled_for_disk_encryption = true + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"] + } + } + } +} + +keyvault_keys = { + key1 = { + keyvault_key = "example_vm_rg1" + resource_group_key = "vm_region1" + name = "disk-key" + key_type = "RSA" + key_size = "2048" + key_opts = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"] + tags = { + encryption = "rsa-204" + new_tag = "yes" } + } +} + +vnets = { + vnet_region1 = { + resource_group_key = "vm_region1" + vnet = { + name = "virtual_machines" + address_space = ["10.100.100.0/24"] + } + specialsubnets = {} + subnets = { + example = { + name = "examples" + cidr = ["10.100.100.0/29"] + } + } + + } +} + 
+public_ip_addresses = { + example_vm_pip1_rg1 = { + name = "example_vm_pip1" + resource_group_key = "vm_region1" + sku = "Standard" + allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + + } +} + +maintenance_configuration = { + mc_re1 = { + name = "example-mc" + region = "region1" + resource_group_key = "vm_region1" + scope = "InGuestPatch" + in_guest_user_patch_mode = "User" + window = { + start_date_time = "2023-06-08 15:04" + duration = "03:55" + time_zone = "Romance Standard Time" + recur_every = "2Day" + } + + install_patches = { + linux = { + classifications_to_include = ["Critical", "Security"] + # package_names_mask_to_exclude = ["ppt"] + # package_names_mask_to_include = ["apt"] + } + reboot = "IfRequired" + } + # tags = {} # optional + } +} + +maintenance_assignment_virtual_machine = { + example = { + region = "region1" + maintenance_configuration_key = "mc_re1" + virtual_machine = { + key = "example_vm1" + } + } +} diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index a791462a52..dc0acc4cc5 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -67,6 +67,7 @@ resource "azurerm_linux_virtual_machine" "vm" { max_bid_price = try(each.value.max_bid_price, null) name = data.azurecaf_name.linux[each.key].result network_interface_ids = local.nic_ids + bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, null) # (Optional) Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault. For more information on patch modes please see the product documentation. patch_mode = try(each.value.patch_mode, "ImageDefault") priority = try(each.value.priority, null) 
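Review bot: The new `bypass_platform_safety_checks_on_user_schedule_enabled` line in vm_linux.tf is not aligned with the `=` column of its neighbours, so `terraform fmt` would rewrite the block; run it before merging. As far as I recall the azurerm provider only accepts this flag as true when `patch_mode` is `AutomaticByPlatform`, and `patch_mode` defaults to `ImageDefault` two lines below, so a comment on the new line such as `# only meaningful with patch_mode = "AutomaticByPlatform"` would save the next reader a plan failure. The resource block starts before this hunk.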
diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 33367e91e0..19f98f932b 100644 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf @@ -45,7 +45,7 @@ resource "azurerm_windows_virtual_machine" "vm" { admin_username = try(each.value.admin_username_key, null) == null ? each.value.admin_username : local.admin_username allow_extension_operations = try(each.value.allow_extension_operations, null) availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ? var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null) - bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, false) + bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, null) computer_name = data.azurecaf_name.windows_computer_name[each.key].result enable_automatic_updates = try(each.value.enable_automatic_updates, null) encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null) diff --git a/modules/maintenance/configuration/module.tf b/modules/maintenance/configuration/module.tf index 52e304cc72..f28e7033c5 100644 --- a/modules/maintenance/configuration/module.tf +++ b/modules/maintenance/configuration/module.tf @@ -19,7 +19,7 @@ resource "azurerm_maintenance_configuration" "maintenance_configuration" { dynamic "window" { - for_each = var.settings.window != null ? [var.settings.window] : [] + for_each = try(var.settings.window, null) != null ? [var.settings.window] : [] content { start_date_time = window.value.start_date_time expiration_date_time = try(window.value.expiration_date_time, null) 
@@ -34,11 +34,11 @@ resource "azurerm_maintenance_configuration" "maintenance_configuration" { for_each = var.settings.scope == "InGuestPatch" ? [1] : [] content { dynamic "linux" { - for_each = try(var.install_patches.linux, null) != null ? [1] : [] + for_each = try(var.settings.install_patches.linux, null) != null ? [1] : [] content { - classifications_to_include = try(var.install_patches.linux.classifications_to_include, ["Critical", "Security"]) - package_names_mask_to_exclude = try(var.install_patches.linux.package_names_mask_to_exclude, []) - package_names_mask_to_include = try(var.install_patches.linux.package_names_mask_to_include, []) + classifications_to_include = try(var.settings.install_patches.linux.classifications_to_include, ["Critical", "Security"]) + package_names_mask_to_exclude = try(var.settings.install_patches.linux.package_names_mask_to_exclude, []) + package_names_mask_to_include = try(var.settings.install_patches.linux.package_names_mask_to_include, []) } } From a8c9751e62d057afc833b769af5a1fe67c926357 Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Mon, 15 Jan 2024 10:05:49 +0000 Subject: [PATCH 025/244] feat(aks): add temporary_name_for_rotation --- .../101-single-cluster/aks.tfvars | 13 +++++++------ modules/compute/aks/aks.tf | 1 + 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars b/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars index dbbf22f00e..a55d375ee9 100644 --- a/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars +++ b/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars 
@@ -61,11 +61,12 @@ aks_clusters = { key = "aks_nodepool_system" #resource_id = "/subscriptions/97958dac-xxxx-xxxx-xxxx-9f436fa73bd4/resourceGroups/qxgc-rg-aks-re1/providers/Microsoft.Network/virtualNetworks/qxgc-vnet-aks/subnets/qxgc-snet-aks_nodepool_system" } - enabled_auto_scaling = false - enable_node_public_ip = false - max_pods = 30 - node_count = 1 - os_disk_size_gb = 512 + enabled_auto_scaling = false + enable_node_public_ip = false + max_pods = 30 + node_count = 1 + os_disk_size_gb = 512 + temporary_name_for_rotation = "temp" tags = { "project" = "system services" } @@ -80,4 +81,4 @@ aks_clusters = { } } } -} \ No newline at end of file +} diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index 4e0eb98d9b..14a76b7407 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf @@ -63,6 +63,7 @@ resource "azurerm_kubernetes_cluster" "aks" { os_disk_type = try(var.settings.default_node_pool.os_disk_type, null) os_sku = try(var.settings.default_node_pool.os_sku, null) tags = merge(try(var.settings.default_node_pool.tags, {}), local.tags) + temporary_name_for_rotation = try(var.settings.default_node_pool.temporary_name_for_rotation, null) type = try(var.settings.default_node_pool.type, "VirtualMachineScaleSets") ultra_ssd_enabled = try(var.settings.default_node_pool.ultra_ssd_enabled, false) vm_size = var.settings.default_node_pool.vm_size From b7b71db56c3698402577817c195aa8f42093d0a5 Mon Sep 17 00:00:00 2001 From: chian <91816369+chianw@users.noreply.github.com> Date: Thu, 18 Jan 2024 14:13:21 +0800 Subject: [PATCH 026/244] Fixed typo on set_resource.sh Fixed typo on set_resource.sh - line 238 --- .../application_gateway_application/scripts/set_resource.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/networking/application_gateway_application/scripts/set_resource.sh b/modules/networking/application_gateway_application/scripts/set_resource.sh index 907410a67c..a817762cd7 100755 
--- a/modules/networking/application_gateway_application/scripts/set_resource.sh +++ b/modules/networking/application_gateway_application/scripts/set_resource.sh @@ -235,9 +235,9 @@ case "${RESOURCE}" in ignorecase=$([ -z "${IGNORE_CASE}" ] && echo "" || echo "--ignore-case ${IGNORE_CASE} ") negate=$([ -z "${NEGATE}" ] && echo "" || echo "--negate ${NEGATE} ") pattern=$([ -z "${PATTERN}" ] && echo "" || echo "--pattern ${PATTERN} ") -2 + execute_with_backoff az network application-gateway rewrite-rule condition create -g ${RG_NAME} \ --gateway-name ${APPLICATION_GATEWAY_NAME} --variable ${VARIABLE} --rule-set-name ${RULE_SET_NAME} --rule-name ${RULE_NAME}\ ${ignorecase} ${negate} ${pattern} ;; -esac \ No newline at end of file +esac From 5b85b6e8bd7283788f3c3bb37e7e0b7cff40e7fd Mon Sep 17 00:00:00 2001 
From: Leela Satyavathi Pentakota <106110313+leelasatyavathip@users.noreply.github.com> Date: Mon, 22 Jan 2024 14:19:16 +0530 Subject: [PATCH 027/244] Add Search service module (#1907) * azure search service module * Added outputs for search service module * updated standalone-scenarios for search service * updated module with feedback provided * updated examples folder --- .github/workflows/standalone-scenarios.json | 3 + examples/module.tf | 3 + .../configuration.tfvars | 61 +++++++++++++++++++ .../configuration.tfvars | 25 ++++++++ .../configuration.tfvars | 29 +++++++++ examples/variables.tf | 3 + local.remote_objects.tf | 1 + locals.combined_objects.tf | 1 + locals.tf | 4 +- modules/search_service/main.tf | 19 ++++++ modules/search_service/output.tf | 16 +++++ modules/search_service/private_endpoint.tf | 18 ++++++ modules/search_service/searchservice.tf | 32 ++++++++++ modules/search_service/variables.tf | 44 +++++++++++++ search_service.tf | 21 +++++++ variables.tf | 6 +- 16 files changed, 284 insertions(+), 2 deletions(-) create mode 100644 examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars create mode 100644 examples/search_service/101-search-service-only-api-keys/configuration.tfvars create mode 100644 examples/search_service/102-search-service-only-azuread/configuration.tfvars create mode 100644 modules/search_service/main.tf create mode 100644 modules/search_service/output.tf create mode 100644 modules/search_service/private_endpoint.tf create mode 100644 modules/search_service/searchservice.tf create mode 100644 modules/search_service/variables.tf create mode 100644 search_service.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 85b744ce38..3a4a611179 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -145,6 +145,9 @@ "redis_cache/103-redis-private-endpoints", "role_mapping/100-simple-role-mapping", "role_mapping/101-function-app-managed-identity", + "search_service/100-search-service-both-apikeys-and-azuread", + "search_service/101-search-service-only-api-keys", + "search_service/102-search-service-only-azuread", "sentinel/101-automation_rule", "sentinel/104-ar_fusion", "sentinel/105-ar_ml_behavior_analytics", diff --git a/examples/module.tf b/examples/module.tf index 6dcb493193..084a916ceb 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -428,4 +428,7 @@ module "example" { maintenance_configuration = var.maintenance_configuration maintenance_assignment_virtual_machine = var.maintenance_assignment_virtual_machine } + search_services = { + search_services = var.search_services + } } diff --git a/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars b/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars new file mode 100644 index 0000000000..2d302c73f8 --- /dev/null +++ b/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars 
@@ -0,0 +1,61 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + } + inherit_tags = true + # prefixes = ["iac-shared"] + # random_length = 0 +} + + +resource_groups = { + new_rg = { + name = "RG1" + location = "region1" + } +} + +vnets = { + vnet1 = { + resource_group_key = "new_rg" + vnet = { + name = "vnet-001" + address_space = ["10.5.0.0/16"] + } + subnets = { + default = { + name = "default" + cidr = ["10.5.1.0/24"] + } + } + } +} + +search_services = { + ss1 = { + name = "ss001" + resource_group_key = "new_rg" + region = "region1" + identity = { + type = "SystemAssigned" + } + sku = "basic" + local_authentication_enabled = true + authentication_failure_mode = "http403" + partition_count = 1 + replica_count = 2 + private_endpoints = { + pe1 = { + name = "pe-searchservice" + subnet_key = "default" + vnet_key = "vnet1" + private_service_connection = { + name = "pe-ssconnection" + is_manual_connection = false + subresource_names = ["searchService"] + } + } + } + } +} \ No newline at end of file diff --git a/examples/search_service/101-search-service-only-api-keys/configuration.tfvars b/examples/search_service/101-search-service-only-api-keys/configuration.tfvars new file mode 100644 index 0000000000..ee2f77b526 --- /dev/null +++ b/examples/search_service/101-search-service-only-api-keys/configuration.tfvars @@ -0,0 +1,25 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + } + inherit_tags = true + # prefixes = ["iac-shared"] + # random_length = 0 +} + +resource_groups = { + new_rg = { + name = "RG1" + location = "region1" + } +} + +search_services = { + ss1 = { + name = "ss002" + resource_group_key = "new_rg" + region = "region1" + sku = "basic" + } +} \ No newline at end of file 
diff --git a/examples/search_service/102-search-service-only-azuread/configuration.tfvars b/examples/search_service/102-search-service-only-azuread/configuration.tfvars new file mode 100644 index 0000000000..fa4190a82c --- /dev/null +++ b/examples/search_service/102-search-service-only-azuread/configuration.tfvars @@ -0,0 +1,29 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + } + inherit_tags = true +} + +resource_groups = { + new_rg = { + name = "RG1" + location = "region1" + } +} + +search_services = { + ss1 = { + name = "ss003" + resource_group_key = "new_rg" + region = "region1" + sku = "standard" + identity = { + type = "SystemAssigned" + } + local_authentication_enabled = false + # public_network_access_enabled = true + # allowed_ips = ["13.478.57.73"] + } +} \ No newline at end of file diff --git a/examples/variables.tf b/examples/variables.tf index d170000952..84c67d15fb 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -1123,3 +1123,6 @@ variable "maintenance_configuration" { variable "maintenance_assignment_virtual_machine" { default = {} } +variable "search_services" { + default = {} +} \ No newline at end of file diff --git a/local.remote_objects.tf b/local.remote_objects.tf index 27b150be1f..ecc530c543 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf @@ -113,6 +113,7 @@ locals { recovery_vaults = try(local.combined_objects_recovery_vaults, null) redis_caches = try(local.combined_objects_redis_caches, null) resource_groups = try(local.combined_objects_resource_groups, null) + search_services = try(local.combined_objects_search_services, null) servicebus_namespaces = try(local.combined_objects_servicebus_namespaces, null) servicebus_topics = try(local.combined_objects_servicebus_topics, null) servicebus_queues = try(local.combined_objects_servicebus_queues, null) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 9b4bab4fd5..306a030fed 100644 
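Review bot: The commented-out `allowed_ips = ["13.478.57.73"]` in the 102 example is not a valid IPv4 address (an octet of 478), so anyone uncommenting it as a template hits a validation error; use a documentation range such as `# allowed_ips = ["203.0.113.0/24"]`. With `local_authentication_enabled = false`, the module's default of `public_network_access_enabled = false`, and no `private_endpoints` defined, this example produces a service that is not reachable on the data plane until a private endpoint or public access is added — a one-line comment stating that this is intentional would help readers copying it.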
--- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -146,6 +146,7 @@ locals { combined_objects_relay_namespace = merge(tomap({ (local.client_config.landingzone_key) = module.relay_namespace }), try(var.remote_objects.relay_namespace, {})) combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(local.resource_groups, try(var.data_sources.resource_groups, {})) }), try(var.remote_objects.resource_groups, {})) combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) + combined_objects_search_services = merge(tomap({ (local.client_config.landingzone_key) = module.search_service }), try(var.remote_objects.search_services, {}), try(var.data_sources.search_services, {})) combined_objects_sentinel_watchlists = merge(tomap({ (local.client_config.landingzone_key) = module.sentinel_watchlists }), try(var.remote_objects.sentinel_watchlists, {})) combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_namespaces }), try(var.remote_objects.servicebus_namespaces, {}), try(var.data_sources.servicebus_namespaces, {})) combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), try(var.remote_objects.servicebus_queues, {}), try(var.data_sources.servicebus_queues, {})) diff --git a/locals.tf b/locals.tf index 6546b46edd..60ae975b75 100644 --- a/locals.tf +++ b/locals.tf @@ -247,7 +247,9 @@ locals { cognitive_services = { cognitive_services_account = try(var.cognitive_services.cognitive_services_account, {}) } - + search_services = { + search_services = try(var.search_services.search_services, {}) + } maps = { maps_accounts = try(var.maps.maps_accounts, {}) } diff --git a/modules/search_service/main.tf b/modules/search_service/main.tf new file mode 100644 index 0000000000..50f65e1e7d --- /dev/null 
+++ b/modules/search_service/main.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+
+}
+
+locals {
+ tags = var.base_tags ? merge(
+ var.global_settings.tags,
+ try(var.resource_group.tags, null),
+ try(var.settings.tags, null)
+ ) : try(var.settings.tags, null)
+
+ location = coalesce(var.location, var.resource_group.location)
+ resource_group_name = coalesce(var.resource_group_name, var.resource_group.name)
+}
\ No newline at end of file
diff --git a/modules/search_service/output.tf b/modules/search_service/output.tf
new file mode 100644
index 0000000000..9b89f354c0
--- /dev/null
+++ b/modules/search_service/output.tf
@@ -0,0 +1,16 @@
+output "name" {
+ value = azurerm_search_service.search_service.name
+}
+
+output "location" {
+ value = azurerm_search_service.search_service.location
+}
+
+output "tags" {
+ value = azurerm_search_service.search_service.tags
+
+}
+
+output "id" {
+ value = azurerm_search_service.search_service.id
+}
\ No newline at end of file
diff --git a/modules/search_service/private_endpoint.tf b/modules/search_service/private_endpoint.tf
new file mode 100644
index 0000000000..66838a9993
--- /dev/null
+++ b/modules/search_service/private_endpoint.tf
@@ -0,0 +1,18 @@
+module "private_endpoint" {
+ source = "../networking/private_endpoint"
+ for_each = var.private_endpoints
+
+ resource_id = azurerm_search_service.search_service.id
+ name = each.value.name
+ location = local.location
+ resource_group_name = local.resource_group_name
+ subnet_id = can(each.value.subnet_id) || can(each.value.virtual_subnet_key) ? try(each.value.subnet_id, var.virtual_subnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.virtual_subnet_key].id) : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+ settings = each.value
+ global_settings = var.global_settings
+ tags = local.tags
+ base_tags = var.base_tags
+ private_dns = var.private_dns
+ client_config = var.client_config
+}
+
+
diff --git a/modules/search_service/searchservice.tf b/modules/search_service/searchservice.tf
new file mode 100644
index 0000000000..0a9efbb00a
--- /dev/null
+++ b/modules/search_service/searchservice.tf
@@ -0,0 +1,32 @@
+
+resource "azurecaf_name" "service" {
+ name = var.settings.name
+ prefixes = var.global_settings.prefixes
+ resource_type = "azurerm_search_service"
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurerm_search_service" "search_service" {
+ name = azurecaf_name.service.result
+ location = local.location
+ resource_group_name = local.resource_group_name
+ sku = lower(var.settings.sku)
+ local_authentication_enabled = try(var.settings.local_authentication_enabled, null)
+ authentication_failure_mode = try(var.settings.authentication_failure_mode, null)
+ public_network_access_enabled = try(var.settings.public_network_access_enabled, false)
+ allowed_ips = try(var.settings.public_network_access_enabled, false) ? try(var.settings.allowed_ips, []) : []
+ customer_managed_key_enforcement_enabled = try(var.settings.customer_managed_key_enforcement_enabled, null)
+ hosting_mode = (lower(var.settings.sku) == "standard3") ? try(var.settings.hosting_mode, "default") : null
+ dynamic "identity" {
+ for_each = try(var.identity, null) == null ? [] : [1]
+
+ content {
+ type = var.identity.type
+ }
+ }
+ partition_count = ((lower(var.settings.sku) != "free") && (lower(var.settings.sku) != "basic")) ? try(var.settings.partition_count, null) : null
+ replica_count = (lower(var.settings.sku) != "free") ? try(var.settings.replica_count, null) : null
+}
\ No newline at end of file
diff --git a/modules/search_service/variables.tf b/modules/search_service/variables.tf
new file mode 100644
index 0000000000..f430c40d38
--- /dev/null
+++ b/modules/search_service/variables.tf
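Review bot: `local_authentication_enabled` and `authentication_failure_mode` in `azurerm_search_service` fall back to `null`, so the provider default applies and API-key authentication stays enabled for every caller who does not explicitly set `local_authentication_enabled = false`; nothing in the module says so. Add a comment above those two lines, e.g. `# null = provider default: API keys remain accepted; set local_authentication_enabled = false in settings for identity-only access`. The `dynamic "identity"` block forwards only `type`; if a caller passes a user-assigned type there is no `identity_ids` to carry the identity, so either state in a comment that only `SystemAssigned` is wired here or resolve identity ids the way the load_test module later in this series does. `try(var.identity, null)` in the `for_each` is redundant because `var.identity` already defaults to `null` in the variables hunk; `var.identity == null ? [] : [1]` is the direct form.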
@@ -0,0 +1,44 @@
+variable "global_settings" {
+ description = "Global settings object (see module README.md)"
+}
+variable "client_config" {
+ description = "Client configuration object (see module README.md)."
+}
+variable "location" {
+ description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Name of the existing resource group to deploy the virtual machine"
+ type = string
+}
+variable "resource_group" {
+ description = "Resource group object to deploy the virtual machine"
+}
+variable "identity" {
+ default = null
+}
+
+variable "settings" {}
+
+variable "private_endpoints" {
+ default = {}
+}
+
+variable "private_dns" {
+ default = {}
+}
+
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
+}
+variable "vnets" {
+ default = {}
+}
+variable "virtual_subnets" {
+ description = "Map of virtual_subnets objects"
+ default = {}
+ nullable = false
+}
\ No newline at end of file
diff --git a/search_service.tf b/search_service.tf
new file mode 100644
index 0000000000..da079ee11b
--- /dev/null
+++ b/search_service.tf
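Review bot: The `description` of `resource_group_name` and `resource_group` reads "virtual machine", a leftover from the module this file was copied from, although this module creates a search service; the generated docs will mislead. Change them to `description = "Name of the existing resource group to deploy the search service"` and `description = "Resource group object to deploy the search service"`. `settings`, `identity`, `private_endpoints`, `private_dns` and `vnets` carry no description at all; one line each, for `identity` something like "Managed identity block; only type is forwarded to azurerm_search_service", would document the contract callers see. The `modules/load_test/variables.tf` hunk later in this series has the same copy-paste problem ("IoT Hub").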
@@ -0,0 +1,21 @@ +module "search_service" { + source = "./modules/search_service" + for_each = local.search_services.search_services + + client_config = local.client_config + global_settings = local.global_settings + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null + location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] + settings = each.value + base_tags = local.global_settings.inherit_tags + identity = try(each.value.identity, null) + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + vnets = local.combined_objects_networking + virtual_subnets = local.combined_objects_virtual_subnets +} + +output "search_service" { + value = module.search_service +} diff --git a/variables.tf b/variables.tf index f3e1bf1959..a1d3ddb6c8 100644 --- a/variables.tf +++ b/variables.tf @@ -440,4 +440,8 @@ variable "powerbi_embedded" { } variable "maintenance" { default = {} -} \ No newline at end of file +} +variable "search_services" { + description = "Configuration object - Search service Resource " + default = {} +} From ae7fb3cc05071d67f797adb00584544c03270805 Mon Sep 17 00:00:00 2001 From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Fri, 26 Jan 2024 08:19:45 +0000 Subject: [PATCH 028/244] docs: add notice and remove MSFT refs --- README.md | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) 
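Review bot: The `resource_group` and `location` arguments resolve the resource group key in opposite order: `resource_group` uses `try(each.value.resource_group_key, each.value.resource_group.key)` while `location` uses `try(each.value.resource_group.key, each.value.resource_group_key)`. If a caller sets both keys and they differ, the module receives a resource group object and a location taken from two different groups, and `coalesce(var.location, var.resource_group.location)` in the module then hides the mismatch. Use one order in both lookups, e.g. `try(each.value.resource_group.key, each.value.resource_group_key)`. The same inversion is present in the root `load_test.tf` hunk of the following commit, where `location` differs from `resource_group` and `resource_group_name`.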
diff --git a/README.md b/README.md index ff399e16ee..1ee782818d 100644 --- a/README.md +++ b/README.md 
@@ -1,18 +1,17 @@ # Cloud Adoption Framework for Azure - Terraform module -Microsoft [Cloud Adoption Framework for Azure](https://aka.ms/caf) provides you with guidance and best practices to adopt Azure. +> :warning: This solution, offered by the Open-Source community, will no longer receive contributions from Microsoft. Customers are encouraged to transition to [Microsoft Azure Verified Modules](https://aka.ms/avm) for Microsoft support and updates. -This module allows you to create resources on Microsoft Azure, is used by the Cloud Adoption Framework for Azure (CAF) landing zones to provision resources in an Azure subscription and can deploy resources being directly invoked from the Terraform registry. +This module allows you to create resources on Microsoft Azure, is used by the Azure Terraform SRE to provision resources in an Azure subscription and can deploy resources being directly invoked from the Terraform registry. ## Prerequisites -- Setup your **environment** using the following guide [Getting Started](https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/getting_started/getting_started.md) or you use it online with [GitHub Codespaces](https://github.com/features/codespaces). +- Setup your **environment** using the following guide [Getting Started](https://github.com/aztfmod/caf-terraform-landingzones/blob/master/documentation/getting_started/getting_started.md) or you use it online with [GitHub Codespaces](https://github.com/features/codespaces). - Access to an **Azure subscription**. 
- ## Getting started -This module can be used inside [:books: Azure Terraform Landing zones](https://aka.ms/caf/terraform), or can be used as standalone, directly from the [Terraform registry](https://registry.terraform.io/modules/aztfmod/caf/azurerm/) +This module can be used inside [:books: Azure Terraform Landing zones](https://aztfmod.github.io/documentation/), or can be used as standalone, directly from the [Terraform registry](https://registry.terraform.io/modules/aztfmod/caf/azurerm/) ```terraform module "caf" { @@ -28,28 +27,18 @@ For a complete set of examples you can review the [full library here](https://gi

- - ## Community Feel free to open an issue for feature or bug, or to submit a PR, [Please check out the WIKI for coding standards, common patterns and PR checklist.](https://github.com/aztfmod/terraform-azurerm-caf/wiki) -In case you have any question, you can reach out to tf-landingzones at microsoft dot com. - You can also reach us on [Gitter](https://gitter.im/aztfmod/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) ## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us -the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. +the rights to use your contribution. For details, visit . When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. - -## Code of conduct - -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). -For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or -contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. From b48c2c9c197a85b8db65cdc88efdcd1e0bf2ea0e Mon Sep 17 00:00:00 2001 
From: Simon Schneider Date: Wed, 14 Feb 2024 08:22:38 +0000 Subject: [PATCH 029/244] feat(load_test): Adding azurerm_load_test resource --- .github/workflows/standalone-scenarios.json | 1 + .../100-load-test/configuration.tfvars | 33 +++++++++++++++++++ examples/module.tf | 2 ++ examples/variables.tf | 5 ++- load_test.tf | 22 +++++++++++++ locals.combined_objects.tf | 1 + locals.tf | 2 ++ modules/load_test/load_test.tf | 28 ++++++++++++++++ modules/load_test/main.tf | 25 ++++++++++++++ modules/load_test/managed_identities.tf | 23 +++++++++++++ modules/load_test/output.tf | 11 +++++++ modules/load_test/variables.tf | 31 +++++++++++++++++ variables.tf | 5 +++ 13 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 examples/load_test/100-load-test/configuration.tfvars create mode 100644 load_test.tf create mode 100644 modules/load_test/load_test.tf create mode 100644 modules/load_test/main.tf create mode 100644 modules/load_test/managed_identities.tf create mode 100644 modules/load_test/output.tf create mode 100644 modules/load_test/variables.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 3a4a611179..0685eb8779 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -74,6 +74,7 @@ "iot/103-iot-hub-with-dps", "iot/110-iot-central-application", "iot/111-iot-security-solution", + "load_test/100-load-test", "logic_app/100-logic_app_workflow", "logic_app/102-logic_app_integration_account", "logic_app/103-logic_app_action_http", diff --git a/examples/load_test/100-load-test/configuration.tfvars b/examples/load_test/100-load-test/configuration.tfvars new file mode 100644 index 0000000000..ecce19bdee --- /dev/null +++ b/examples/load_test/100-load-test/configuration.tfvars 
@@ -0,0 +1,33 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "uksouth" + } +} + +resource_groups = { + load-test-region1 = { + name = "load-test-rg" + region = "region1" + } +} + +load_test = { + example_load_test = { + name = "example-load-test" + resource_group_key = "load-test-region1" + identity = { + type = "UserAssigned" + managed_identity_keys = ["load_test"] + } + } +} + +managed_identities = { + load_test = { + name = "load-test" + resource_group = { + key = "load-test-region1" + } + } +} diff --git a/examples/module.tf b/examples/module.tf index 084a916ceb..714be5e54c 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -422,6 +422,8 @@ module "example" { } powerbi_embedded = var.powerbi_embedded + load_test = var.load_test + preview_features = var.preview_features maintenance = { diff --git a/examples/variables.tf b/examples/variables.tf index 84c67d15fb..1be70cbbcb 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -1125,4 +1125,7 @@ variable "maintenance_assignment_virtual_machine" { } variable "search_services" { default = {} -} \ No newline at end of file +} +variable "load_test" { + default = {} +} diff --git a/load_test.tf b/load_test.tf new file mode 100644 index 0000000000..d1b0c18b03 --- /dev/null +++ b/load_test.tf 
@@ -0,0 +1,22 @@ +module "load_test" { + source = "./modules/load_test" + for_each = local.load_test + + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + + remote_objects = { + managed_identities = local.combined_objects_managed_identities + } + + base_tags = local.global_settings.inherit_tags +} + +output "load_test" { + value = module.load_test +} \ No newline at end of file diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 306a030fed..7efaaf7fd0 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -105,6 +105,7 @@ locals { combined_objects_lb_backend_address_pool = merge(tomap({ (local.client_config.landingzone_key) = module.lb_backend_address_pool }), try(var.remote_objects.lb_backend_address_pool, {})) combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {}), try(var.data_sources.load_balancers, {})) + combined_objects_load_test = merge(tomap({ (local.client_config.landingzone_key) = module.load_test }), try(var.remote_objects.load_test, {}), try(var.data_sources.load_test, {})) combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {}), try(var.data_sources.log_analytics, {})) combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {}), try(var.data_sources.logic_app_integration_account, {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) diff --git a/locals.tf b/locals.tf index 60ae975b75..e8e74de925 100644 --- a/locals.tf +++ b/locals.tf @@ -466,4 +466,6 @@ locals { maintenance_assignment_virtual_machine = try(var.maintenance.maintenance_assignment_virtual_machine, {}) } + + load_test = try(var.load_test, {}) } diff --git a/modules/load_test/load_test.tf b/modules/load_test/load_test.tf new file mode 100644 index 0000000000..1191116aa2 --- /dev/null +++ b/modules/load_test/load_test.tf 
@@ -0,0 +1,28 @@
+# Terraform azurerm resource: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/load_test
+
+data "azurecaf_name" "this" {
+ name = var.settings.name
+ resource_type = "azurerm_load_test"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurerm_load_test" "this" {
+ name = data.azurecaf_name.this.result
+ resource_group_name = local.resource_group_name
+ location = local.location
+ description = try(var.settings.description, null)
+
+ dynamic "identity" {
+ for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
+ content {
+ type = var.settings.identity.type
+ identity_ids = local.managed_identities
+ }
+ }
+
+ tags = merge(local.tags, lookup(var.settings, "tags", {}))
+}
diff --git a/modules/load_test/main.tf b/modules/load_test/main.tf
new file mode 100644
index 0000000000..3a3afd4ff8
--- /dev/null
+++ b/modules/load_test/main.tf
@@ -0,0 +1,25 @@
+locals {
+ module_tag = {
+ "module" = basename(abspath(path.module))
+ }
+ tags = var.base_tags ? merge(
+ var.global_settings.tags,
+ try(var.resource_group.tags, null),
+ local.module_tag,
+ try(var.settings.tags, null)
+ ) : merge(
+ local.module_tag,
+ try(var.settings.tags,
+ null)
+ )
+ location = coalesce(var.location, var.resource_group.location)
+ resource_group_name = coalesce(var.resource_group_name, var.resource_group.name)
+}
+
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+}
diff --git a/modules/load_test/managed_identities.tf b/modules/load_test/managed_identities.tf
new file mode 100644
index 0000000000..a425758162
--- /dev/null
+++ b/modules/load_test/managed_identities.tf
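Review bot: `identity_ids = local.managed_identities` is set unconditionally inside the `dynamic "identity"` block, so a `SystemAssigned` identity is sent together with an `identity_ids` list (empty, when no keys are given) and a `UserAssigned` identity with no resolvable keys silently becomes `[]`; whether the provider tolerates the first case is version-dependent, the second is a misconfiguration that should fail. Guard it with `identity_ids = var.settings.identity.type == "SystemAssigned" ? null : local.managed_identities`, which omits the attribute for system-assigned identities. The `for_each` condition `lookup(var.settings, "identity", {}) == {}` relies on object-type equality; the searchservice module earlier in this series uses `try(..., null) == null ? [] : [1]`, and `try(var.settings.identity, null) == null ? [] : [1]` here would keep the two modules consistent.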
@@ -0,0 +1,23 @@ +# +# Managed identities from remote state +# + +locals { + managed_local_identities = flatten([ + for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ + var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + ] + ]) + + managed_remote_identities = flatten([ + for lz_key, value in try(var.settings.identity.remote, []) : [ + for managed_identity_key in value.managed_identity_keys : [ + var.remote_objects.managed_identities[lz_key][managed_identity_key].id + ] + ] + ]) + + provided_identities = try(var.settings.identity.managed_identity_ids, []) + + managed_identities = concat(local.provided_identities, local.managed_local_identities, local.managed_remote_identities) +} diff --git a/modules/load_test/output.tf b/modules/load_test/output.tf new file mode 100644 index 0000000000..41618c004d --- /dev/null +++ b/modules/load_test/output.tf @@ -0,0 +1,11 @@ +output "id" { + value = azurerm_load_test.this.id +} + +output "data_plane_uri" { + value = azurerm_load_test.this.data_plane_uri +} + +output "identity" { + value = try(azurerm_load_test.this.identity, null) +} diff --git a/modules/load_test/variables.tf b/modules/load_test/variables.tf new file mode 100644 index 0000000000..b31af17fcf --- /dev/null +++ b/modules/load_test/variables.tf 
@@ -0,0 +1,31 @@
+variable "settings" {}
+
+variable "global_settings" {
+ description = "Global settings object (see module README.md)"
+}
+
+variable "client_config" {
+ description = "Client configuration object (see module README.md)."
+}
+
+variable "resource_group_name" {
+ description = "(Required) Resource group of the IoT Hub"
+}
+
+variable "resource_group" {
+ description = "Resource group object to deploy the IoT Hub"
+}
+
+variable "location" {
+ description = "(Required) Region in which the resource will be deployed"
+}
+
+variable "remote_objects" {
+ description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
+ default = {}
+}
+
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
+}
diff --git a/variables.tf b/variables.tf
index a1d3ddb6c8..4c4d69c4a1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -445,3 +445,8 @@ variable "search_services" {
 description = "Configuration object - Search service Resource "
 default = {}
 }
+variable "load_test" {
+ description = "Configuration object - Load Test resources"
+ default = {}
+}
+
From 633288664d6f8f6d15e802da3707e72f75397a91 Mon Sep 17 00:00:00 2001
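Review bot: The `remote_objects` description ("Specifies the supported Azure location where to create the resource...") is the text of a `location` variable and says nothing about what this variable holds; `managed_identities.tf` in the same commit reads `var.remote_objects.managed_identities[...]`, and the root `load_test.tf` passes exactly that key. Replace it with `description = "Map of objects from other landing zones; only remote_objects.managed_identities is read, to resolve identity.managed_identity_keys and identity.remote"`. `settings` has no description either, and `resource_group_name`/`resource_group` still say "IoT Hub" for a load test resource.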
From: Oleksandr Trapeznikov Date: Thu, 29 Feb 2024 22:49:20 -0500 Subject: [PATCH 030/244] Add VPN Gateway NAT Rules module (#1923) * add bgp_route_translation_for_nat_enabled parameter * Add VPN Gateway NAT rules * move example to longrun * Fix nat rule description --- .../standalone-scenarios-longrunners.json | 1 + examples/module.tf | 1 + .../virtual_wan.tfvars | 247 ++++++++++++++++++ examples/variables.tf | 3 + local.remote_objects.tf | 1 + locals.combined_objects.tf | 1 + locals.tf | 1 + .../virtual_hub/site_to_site_gateway.tf | 7 +- .../vpn_gateway_connection/module.tf | 12 + .../vpn_gateway_connection/variables.tf | 1 + .../networking/vpn_gateway_nat_rule/main.tf | 7 + .../networking/vpn_gateway_nat_rule/module.tf | 27 ++ .../networking/vpn_gateway_nat_rule/output.tf | 4 + .../vpn_gateway_nat_rule/variables.tf | 10 + networking_vpn_gateway_connection.tf | 1 + networking_vpn_gateway_nat_rule.tf | 23 ++ 16 files changed, 344 insertions(+), 3 deletions(-) create mode 100644 examples/networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat/virtual_wan.tfvars create mode 100644 modules/networking/vpn_gateway_nat_rule/main.tf create mode 100644 modules/networking/vpn_gateway_nat_rule/module.tf create mode 100644 modules/networking/vpn_gateway_nat_rule/output.tf create mode 100644 modules/networking/vpn_gateway_nat_rule/variables.tf create mode 100644 networking_vpn_gateway_nat_rule.tf diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json index dc0d12268f..06cf1ee6fc 100644 --- a/.github/workflows/standalone-scenarios-longrunners.json +++ b/.github/workflows/standalone-scenarios-longrunners.json 
@@ -31,6 +31,7 @@ "networking/virtual_wan/105-vwan-hub-route-table", "networking/virtual_wan/109-vwan-vpn-gateway-connection", "networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert", + "networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat", "redis_cache/100-redis-standard", "redis_cache/101-redis-diagnostics", "redis_cache/102-redis-private", diff --git a/examples/module.tf b/examples/module.tf index 084a916ceb..df9556eecd 100644 --- a/examples/module.tf +++ b/examples/module.tf @@ -265,6 +265,7 @@ module "example" { vnets = var.vnets virtual_subnets = var.virtual_subnets vpn_gateway_connections = var.vpn_gateway_connections + vpn_gateway_nat_rules = var.vpn_gateway_nat_rules vpn_sites = var.vpn_sites } diff --git a/examples/networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat/virtual_wan.tfvars b/examples/networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat/virtual_wan.tfvars new file mode 100644 index 0000000000..17443638b1 --- /dev/null +++ b/examples/networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat/virtual_wan.tfvars 
@@ -0,0 +1,247 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } +} + +resource_groups = { + hub_re1 = { + name = "vnet-hub-re1" + region = "region1" + } +} + +virtual_wans = { + vwan_re1 = { + resource_group_key = "hub_re1" + name = "contosovWAN-re1" + region = "region1" + + hubs = { + hub_re1 = { + hub_name = "hub-re1" + region = "region1" + hub_address_prefix = "10.0.3.0/24" + deploy_p2s = false + p2s_config = {} + deploy_s2s = true + s2s_config = { + name = "caf-sea-vpn-s2s" + scale_unit = 1 + bgp_route_translation_for_nat_enabled = true + } + deploy_er = false + } + } + } +} + +virtual_hub_route_tables = { + routetable1 = { + name = "example-vhubroutetable1" + + virtual_wan_key = "vwan_re1" + virtual_hub_key = "hub_re1" + + labels = ["label1"] + } + routetable2 = { + name = "example-vhubroutetable2" + + virtual_wan_key = "vwan_re1" + virtual_hub_key = "hub_re1" + + labels = ["label2"] + } +} + +vpn_sites = { + vpn-site-1 = { + name = "vpn-site-1" + address_cidrs = ["1.2.3.0/24", "4.5.6.0/24"] + device_vendor = "Cisco" + device_model = "800" + + resource_group = { + key = "hub_re1" + } + + virtual_wan = { + key = "vwan_re1" + } + + links = { + primary = { + name = "primary" + ip_address = "1.2.3.4" + provider_name = "Microsoft" + speed_in_mbps = "150" + } + secondary = { + name = "secondary" + fqdn = "secondary.link.com" + provider_name = "Microsoft" + speed_in_mbps = "50" + # bgp = { + # asn = "65534" + # peering_address = "169.254.1.2" + # } + } + } + } +} + +vpn_gateway_connections = { + connection-1 = { + name = "connection-1" + internet_security_enabled = false + + # vpn_site_id = "" # Set the Resource ID of an existing VPN Site + vpn_site = { + # lz_key = "vpns" # Set the 'lz_key' of a VPN Site created in a remote deployment + key = "vpn-site-1" # Set the 'key' of the VPN Site created in this (or a remote) deployment + } + virtual_wan = { + key = "vwan_re1" + } + # virtual_hub_gateway_id = "" # Set the 
Resource ID of an existing Virtual Hub's VPN Gateway + virtual_hub = { + # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment + key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment + } + + vpn_links = { + link-1 = { + link_index = 0 # Index order of VPN Site's Link + name = "link-1" + bandwidth_mbps = "100" # Optional + bgp_enabled = false # Optional + protocol = "IKEv2" # Optional + ratelimit_enabled = true # Optional + route_weight = "100" # Optional + shared_key = "abc123456" # Optional + local_azure_ip_address_enabled = false # Optional + policy_based_traffic_selectors_enabled = false # Optional + + egress_nat_rules = { # Optional + rule-1 = { + key = "rule-1" + } + } + ingress_nat_rules = { # Optional + rule-2 = { + key = "rule-2" + } + } + ipsec_policies = { # Optional + policy1 = { + dh_group = "DHGroup14" + ike_encryption_algorithm = "AES256" + ike_integrity_algorithm = "SHA256" + encryption_algorithm = "AES256" + integrity_algorithm = "SHA256" + pfs_group = "PFS14" + sa_data_size_kb = "102400000" + sa_lifetime_sec = "27000" + } + } + } + # link-2 = { + # link_index = 1 + # name = "link-2" + # } + } + + } +} + +vpn_gateway_nat_rules = { + rule-1 = { + resource_group_key = "hub_re1" + name = "rule-1" + + virtual_wan = { + key = "vwan_re1" + } + # virtual_hub_gateway_id = "" # Set the Resource ID of an existing Virtual Hub's VPN Gateway + virtual_hub = { + # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment + key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment + } + + internal_mapping = { + imap-1 = { + address_space = "192.168.41.0/26" + } + } + + external_mapping = { + emap-1 = { + address_space = "192.168.45.0/26" + } + } + mode = "EgressSnat" + type = "Static" + } + rule-2 = { + resource_group_key = "hub_re1" + name = "rule-2" + + virtual_wan = { + key = "vwan_re1" + } + # virtual_hub_gateway_id = "" # Set the Resource ID 
of an existing Virtual Hub's VPN Gateway + virtual_hub = { + # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment + key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment + } + + internal_mapping = { + imap-1 = { + address_space = "192.168.21.0/26" + } + } + + external_mapping = { + emap-1 = { + address_space = "192.168.25.0/26" + } + } + mode = "IngressSnat" + type = "Static" + } + rule-3 = { + resource_group_key = "hub_re1" + name = "rule-3" + + virtual_wan = { + key = "vwan_re1" + } + # virtual_hub_gateway_id = "" # Set the Resource ID of an existing Virtual Hub's VPN Gateway + virtual_hub = { + # lz_key = "" # Set the 'lz_key' of a Virtual Hub created in a remote deployment + key = "hub_re1" # Set the 'key' of the Virtual Hub created in this (or a remote) deployment + } + ip_configuration_id = "Instance0" + internal_mapping = { + imap-1 = { + address_space = "192.168.26.0/26" + } + imap-2 = { + address_space = "192.168.31.0/26" + } + } + + external_mapping = { + emap-1 = { + address_space = "192.168.27.0/26" + } + emap-2 = { + address_space = "192.168.35.0/26" + } + } + mode = "IngressSnat" + type = "Dynamic" + } +} diff --git a/examples/variables.tf b/examples/variables.tf index 84c67d15fb..f1f2ccc1c9 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -640,6 +640,9 @@ variable "vpn_sites" { variable "vpn_gateway_connections" { default = {} } +variable "vpn_gateway_nat_rules" { + default = {} +} variable "servicebus_namespaces" { default = {} } diff --git a/local.remote_objects.tf b/local.remote_objects.tf index ecc530c543..f1c406efcc 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf 
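Review bot: `policy_based_traffic_selectors_enabled = false` in `vpn_links.link-1` does not match the attribute the connection module reads, `vpn_link.value.policy_based_traffic_selector_enabled` (singular, visible as context in the `vpn_gateway_connection/module.tf` hunk), so the example's value is swallowed by the module's `try()` and the example documents a key that has no effect; rename it to `policy_based_traffic_selector_enabled = false # Optional`. `shared_key = "abc123456"` places an IPsec pre-shared key in a committed tfvars that users copy as a starting point; mark it so it is not carried into real deployments, e.g. `shared_key = "abc123456" # placeholder only - inject the PSK from Key Vault or a sensitive variable, do not commit it`. The `vpn_gateway_nat_rules` hunk references `rule-1`/`rule-2` from the link's `egress_nat_rules`/`ingress_nat_rules`; a one-line comment on those blocks saying the keys must exist in `vpn_gateway_nat_rules` would spare readers the cross-reference.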
@@ -136,6 +136,7 @@ locals { vmware_express_route_authorizations = try(local.combined_objects_vmware_express_route_authorizations, null) vmware_private_clouds = try(local.combined_objects_vmware_private_clouds, null) vpn_gateway_connections = try(local.combined_objects_vpn_gateway_connections, null) + vpn_gateway_nat_rules = try(local.combined_objects_vpn_gateway_nat_rules, null) vpn_sites = try(local.combined_objects_vpn_sites, null) web_pubsubs = try(local.combined_objects_web_pubsubs, null) web_pubsub_hubs = try(local.combined_objects_web_pubsub_hubs, null) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 306a030fed..6f34f10246 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -172,6 +172,7 @@ locals { combined_objects_vmware_express_route_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_express_route_authorizations }), try(var.remote_objects.vmware_express_route_authorizations, {})) combined_objects_vmware_private_clouds = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_private_clouds }), try(var.remote_objects.vmware_private_clouds, {}), try(var.data_sources.vmware_private_clouds, {})) combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {})) + combined_objects_vpn_gateway_nat_rules = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_nat_rules }), try(var.remote_objects.vpn_gateway_nat_rules, {})) combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {})) combined_objects_web_pubsub_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsub_hubs }), try(var.remote_objects.web_pubsub_hubs, {})) combined_objects_web_pubsubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsubs }), try(var.remote_objects.web_pubsubs, {})) diff --git a/locals.tf b/locals.tf index 60ae975b75..33ec1ffafb 100644 --- a/locals.tf +++ b/locals.tf @@ -342,6 +342,7 @@ locals { vnet_peerings_v1 = try(var.networking.vnet_peerings_v1, {}) vnets = try(var.networking.vnets, {}) vpn_gateway_connections = try(var.networking.vpn_gateway_connections, {}) + vpn_gateway_nat_rules = try(var.networking.vpn_gateway_nat_rules, {}) vpn_sites = try(var.networking.vpn_sites, {}) } diff --git a/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf index 0014169dea..f4d6655594 100644 --- a/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf 
+++ b/modules/networking/virtual_wan/virtual_hub/site_to_site_gateway.tf @@ -22,8 +22,9 @@ resource "azurerm_vpn_gateway" "s2s_gateway" { tags = local.tags virtual_hub_id = azurerm_virtual_hub.vwan_hub.id - scale_unit = var.virtual_hub_config.s2s_config.scale_unit - routing_preference = try(var.virtual_hub_config.s2s_config.routing_preference, "Microsoft Network") + scale_unit = var.virtual_hub_config.s2s_config.scale_unit + routing_preference = try(var.virtual_hub_config.s2s_config.routing_preference, "Microsoft Network") + bgp_route_translation_for_nat_enabled = try(var.virtual_hub_config.s2s_config.bgp_route_translation_for_nat_enabled, false) dynamic "bgp_settings" { for_each = try(var.virtual_hub_config.s2s_config.bgp_settings, null) == null ? [] : [1] @@ -55,4 +56,4 @@ resource "azurerm_vpn_gateway" "s2s_gateway" { create = "120m" delete = "120m" } -} \ No newline at end of file +} diff --git a/modules/networking/vpn_gateway_connection/module.tf b/modules/networking/vpn_gateway_connection/module.tf index 09a70a0a6e..5e8b2b8247 100644 --- a/modules/networking/vpn_gateway_connection/module.tf +++ b/modules/networking/vpn_gateway_connection/module.tf 
@@ -30,6 +30,18 @@ resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection" { shared_key = try(vpn_link.value.shared_key, null) local_azure_ip_address_enabled = try(vpn_link.value.local_azure_ip_address_enabled, null) policy_based_traffic_selector_enabled = try(vpn_link.value.policy_based_traffic_selector_enabled, null) + egress_nat_rule_ids = try(compact( + [ + for key, value in vpn_link.value.egress_nat_rules : + can(value.id) ? value.id : var.nat_rules[try(value.lz_key, var.client_config.landingzone_key)][value.key].id + ] + ), []) + ingress_nat_rule_ids = try(compact( + [ + for key, value in vpn_link.value.ingress_nat_rules : + can(value.id) ? value.id : var.nat_rules[try(value.lz_key, var.client_config.landingzone_key)][value.key].id + ] + ), []) vpn_site_link_id = coalesce( try(var.vpn_sites[try(var.settings.vpn_site.lz_key, var.client_config.landingzone_key)][var.settings.vpn_site.key].vpn_site.link[vpn_link.value.link_index].id, null), diff --git a/modules/networking/vpn_gateway_connection/variables.tf b/modules/networking/vpn_gateway_connection/variables.tf index abb3037c16..193e40e488 100644 --- a/modules/networking/vpn_gateway_connection/variables.tf +++ b/modules/networking/vpn_gateway_connection/variables.tf @@ -6,3 +6,4 @@ variable "vpn_gateway_id" {} variable "vpn_sites" {} variable "client_config" {} variable "route_tables" {} +variable "nat_rules" {} diff --git a/modules/networking/vpn_gateway_nat_rule/main.tf b/modules/networking/vpn_gateway_nat_rule/main.tf new file mode 100644 index 0000000000..1fbfa06797 --- /dev/null +++ b/modules/networking/vpn_gateway_nat_rule/main.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} diff --git a/modules/networking/vpn_gateway_nat_rule/module.tf b/modules/networking/vpn_gateway_nat_rule/module.tf new file mode 100644 index 0000000000..cdd05f3523 --- /dev/null +++ b/modules/networking/vpn_gateway_nat_rule/module.tf 
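Review bot: The outer `try(compact([...]), [])` on `egress_nat_rule_ids` and `ingress_nat_rule_ids` hides lookup failures, not just a missing `egress_nat_rules` attribute: a wrong `key`, a wrong `lz_key`, or a rule that is not present in `var.nat_rules` makes the whole list evaluate to `[]`, so the connection is created with no NAT rule attached and the plan shows nothing wrong. Move the default onto the attribute and keep the index strict so a misreference fails at plan: `for value in try(vpn_link.value.egress_nat_rules, {}) :` (same change for ingress) and drop the outer `try(...)`. `key` is unused in both comprehensions. The enclosing `vpn_link` dynamic block and the resource start and end outside this hunk.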
@@ -0,0 +1,27 @@ +resource "azurerm_vpn_gateway_nat_rule" "vpn_gateway_nat_rule" { + name = var.settings.name + resource_group_name = var.resource_group_name + vpn_gateway_id = var.vpn_gateway_id + ip_configuration_id = try(var.settings.ip_configuration_id, null) + + mode = var.settings.mode + type = var.settings.type + + dynamic "external_mapping" { + for_each = try(var.settings.external_mapping, {}) + + content { + address_space = external_mapping.value.address_space + port_range = try(external_mapping.value.port_range, null) + } + } + + dynamic "internal_mapping" { + for_each = try(var.settings.internal_mapping, {}) + + content { + address_space = internal_mapping.value.address_space + port_range = try(internal_mapping.value.port_range, null) + } + } +} diff --git a/modules/networking/vpn_gateway_nat_rule/output.tf b/modules/networking/vpn_gateway_nat_rule/output.tf new file mode 100644 index 0000000000..ded382e112 --- /dev/null +++ b/modules/networking/vpn_gateway_nat_rule/output.tf @@ -0,0 +1,4 @@ +output "id" { + value = azurerm_vpn_gateway_nat_rule.vpn_gateway_nat_rule.id + description = "Resource ID of the VPN Gateway NAT rule" +} diff --git a/modules/networking/vpn_gateway_nat_rule/variables.tf b/modules/networking/vpn_gateway_nat_rule/variables.tf new file mode 100644 index 0000000000..0a5a9df7e3 --- /dev/null +++ b/modules/networking/vpn_gateway_nat_rule/variables.tf @@ -0,0 +1,10 @@ +variable "settings" {} +variable "global_settings" { + description = "Global settings object (see module README.md)" +} +variable "vpn_gateway_id" {} +variable "resource_group_name" { + description = "(Required) The name of the resource group where to create the resource." + type = string +} +variable "client_config" {} diff --git a/networking_vpn_gateway_connection.tf b/networking_vpn_gateway_connection.tf index 49bee6d68d..49456c2728 100644 --- a/networking_vpn_gateway_connection.tf +++ b/networking_vpn_gateway_connection.tf 
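Review bot: `main.tf` declares `azurecaf` as a required provider, but nothing in this module uses it; `name = var.settings.name` bypasses the `azurecaf_name` convention (prefixes, random_length, passthrough, slug) that the rest of the repository applies, and `var.global_settings` and `var.client_config` are declared without being read. Either add an `azurecaf_name` resource for the rule name driven by `var.global_settings`, as `networking.tf` does for route tables, or drop the unused provider requirement and variables. In the `variables.tf` hunk only `global_settings` and `resource_group_name` carry a description; `settings`, which must supply `name`, `mode`, `type` and the `external_mapping`/`internal_mapping` collections, is where a description would help most.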
@@ -19,6 +19,7 @@ module "vpn_gateway_connections" { client_config = local.client_config vpn_sites = local.combined_objects_vpn_sites route_tables = local.combined_objects_virtual_hub_route_tables + nat_rules = local.combined_objects_vpn_gateway_nat_rules vpn_gateway_id = can(each.value.virtual_hub_gateway_id) || can(each.value.virtual_wan) ? try(each.value.virtual_hub_gateway_id, local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, each.value.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_wan.key, each.value.virtual_wan_key)].virtual_hubs[try(each.value.virtual_hub.key, each.value.virtual_hub_key)].s2s_gateway.id) : local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].s2s_gateway.id } diff --git a/networking_vpn_gateway_nat_rule.tf b/networking_vpn_gateway_nat_rule.tf new file mode 100644 index 0000000000..6bab061a19 --- /dev/null +++ b/networking_vpn_gateway_nat_rule.tf 
@@ -0,0 +1,23 @@ + +# +# +# VPN Gateway NAT Rule used for VPN Gatway Connection +# +# + +output "vpn_gateway_nat_rules" { + value = module.vpn_gateway_nat_rules +} + +module "vpn_gateway_nat_rules" { + depends_on = [module.virtual_wans, module.vpn_sites, module.virtual_hubs] + source = "./modules/networking/vpn_gateway_nat_rule" + for_each = local.networking.vpn_gateway_nat_rules + + settings = each.value + global_settings = local.global_settings + client_config = local.client_config + + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + vpn_gateway_id = can(each.value.virtual_hub_gateway_id) || can(each.value.virtual_wan) ? try(each.value.virtual_hub_gateway_id, local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, each.value.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_wan.key, each.value.virtual_wan_key)].virtual_hubs[try(each.value.virtual_hub.key, each.value.virtual_hub_key)].s2s_gateway.id) : local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].s2s_gateway.id +} From 3bb3e2032d93ca31a9b5a3a6c15ea36f546638ab Mon Sep 17 00:00:00 2001 
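Review bot: The `vpn_gateway_id` expression is a verbatim copy of the one in `networking_vpn_gateway_connection.tf` in this same commit; a root-level local computed once from the setting object would keep the two from drifting, which matters because a NAT rule must belong to the same gateway as the connection that references it. The header comment has a typo, `Gatway` → `Gateway`. `module.vpn_sites` in `depends_on` is not referenced by any input of this module and looks carried over from the connection module.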
From: Nick Metz Date: Fri, 1 Mar 2024 05:05:27 +0100 Subject: [PATCH 031/244] feat: Add scm_ip_restriction for webapps (#1896) * feat(DEVOPS-1591): Add scm_ip_restriction for webapps * Update modules/webapps/appservice/module.tf Improve condition for scm_ip_restriction virtual_network_subnet_id Co-authored-by: Simon Schneider * Update modules/webapps/appservice/module.tf Improve condition for scm_ip_restriction virtual_network_subnet_id Co-authored-by: Simon Schneider * Update modules/webapps/appservice/slot.tf --------- Co-authored-by: Simon Schneider Co-authored-by: Arnaud Lheureux --- .../configuration.tfvars | 17 ++++++++++++++ modules/webapps/appservice/module.tf | 22 +++++++++++++++++++ modules/webapps/appservice/slot.tf | 22 +++++++++++++++++++ 3 files changed, 61 insertions(+) diff --git a/examples/webapps/appservice/103-appservice-extend/configuration.tfvars b/examples/webapps/appservice/103-appservice-extend/configuration.tfvars index 83fcb322e9..f4cd1fcc04 100644 --- a/examples/webapps/appservice/103-appservice-extend/configuration.tfvars +++ b/examples/webapps/appservice/103-appservice-extend/configuration.tfvars @@ -50,6 +50,23 @@ app_services = { ftps_state = "AllAllowed" //AllAllowed, FtpsOnly and Disabled http2_enabled = false + ip_restriction = [ + { + name = "deny-all-traffic" + action = "Deny" + ip_address = "0.0.0.0/0" + priority = 65000 + } + ] + + scm_ip_restriction = [ + { + name = "allow-all-traffic" + action = "Allow" + ip_address = "0.0.0.0/0" + priority = 65000 + } + ] } app_settings = { diff --git a/modules/webapps/appservice/module.tf b/modules/webapps/appservice/module.tf index 105d5d56f5..7ad8c896ec 100644 --- a/modules/webapps/appservice/module.tf +++ b/modules/webapps/appservice/module.tf 
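Review bot: The example pairs a deny-all `ip_restriction` on the app with an allow-all `scm_ip_restriction` (`0.0.0.0/0`, `Allow`) on the SCM/Kudu site, which is the deployment and console endpoint of the same app; as written it shows how to lock the front door while leaving the management endpoint open. Examples get copied verbatim, so narrow the SCM rule to a specific range, service tag or header, or at least put a comment above the block such as `# Demonstration only: restrict SCM access to your deployment network in real deployments`.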
@@ -84,6 +84,28 @@ resource "azurerm_app_service" "app_service" { dynamic "headers" { for_each = try(ip_restriction.headers, {}) + content { + x_azure_fdid = lookup(headers.value, "x_azure_fdid", null) + x_fd_health_probe = lookup(headers.value, "x_fd_health_probe", null) + x_forwarded_for = lookup(headers.value, "x_forwarded_for", null) + x_forwarded_host = lookup(headers.value, "x_forwarded_host", null) + } + } + } + } + dynamic "scm_ip_restriction" { + for_each = try(var.settings.site_config.scm_ip_restriction, {}) + + content { + ip_address = lookup(scm_ip_restriction.value, "ip_address", null) + service_tag = lookup(scm_ip_restriction.value, "service_tag", null) + virtual_network_subnet_id = can(scm_ip_restriction.value.virtual_network_subnet_id) ? scm_ip_restriction.value.virtual_network_subnet_id : can(scm_ip_restriction.value.virtual_network_subnet.id) ? scm_ip_restriction.value.virtual_network_subnet.id : can(scm_ip_restriction.value.virtual_network_subnet.subnet_key) ? var.combined_objects.networking[try(scm_ip_restriction.value.virtual_network_subnet.lz_key, var.client_config.landingzone_key)][scm_ip_restriction.value.virtual_network_subnet.vnet_key].subnets[scm_ip_restriction.value.virtual_network_subnet.subnet_key].id : null + name = lookup(scm_ip_restriction.value, "name", null) + priority = lookup(scm_ip_restriction.value, "priority", null) + action = lookup(scm_ip_restriction.value, "action", null) + dynamic "headers" { + for_each = try(scm_ip_restriction.headers, {}) + content { x_azure_fdid = lookup(headers.value, "x_azure_fdid", null) x_fd_health_probe = lookup(headers.value, "x_fd_health_probe", null) diff --git a/modules/webapps/appservice/slot.tf b/modules/webapps/appservice/slot.tf index aa4926c28b..c737549e3b 100644 --- a/modules/webapps/appservice/slot.tf +++ b/modules/webapps/appservice/slot.tf 
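Review bot: The nested `headers` block in the new `scm_ip_restriction` block iterates `try(scm_ip_restriction.headers, {})`, but a dynamic-block iterator only exposes `.key` and `.value`, so `scm_ip_restriction.headers` never resolves, `try` always falls back to `{}`, and any `x_azure_fdid`/`x_forwarded_for`/`x_forwarded_host` match in the configuration is silently dropped. A rule meant to admit only traffic from a specific Front Door then degrades to an address/service-tag-only rule. The fix is `for_each = try(scm_ip_restriction.value.headers, {})`; the same defect is in the `scm_ip_restriction` block added to `slot.tf` in this commit, and the context lines show the pre-existing `ip_restriction` block has it too (`try(ip_restriction.headers, {})`). The `azurerm_app_service` resource starts and ends outside this hunk.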
@@ -68,6 +68,28 @@ resource "azurerm_app_service_slot" "slots" { virtual_network_subnet_id = lookup(var.settings.site_config.ip_restriction, "virtual_network_subnet_id", null) } } + dynamic "scm_ip_restriction" { + for_each = try(var.settings.site_config.scm_ip_restriction, {}) + + content { + ip_address = lookup(scm_ip_restriction.value, "ip_address", null) + service_tag = lookup(scm_ip_restriction.value, "service_tag", null) + virtual_network_subnet_id = can(scm_ip_restriction.value.virtual_network_subnet_id) ? scm_ip_restriction.value.virtual_network_subnet_id : can(scm_ip_restriction.value.virtual_network_subnet.id) ? scm_ip_restriction.value.virtual_network_subnet.id : can(scm_ip_restriction.value.virtual_network_subnet.subnet_key) ? var.combined_objects.networking[try(scm_ip_restriction.value.virtual_network_subnet.lz_key, var.client_config.landingzone_key)][scm_ip_restriction.value.virtual_network_subnet.vnet_key].subnets[scm_ip_restriction.value.virtual_network_subnet.subnet_key].id : null + name = lookup(scm_ip_restriction.value, "name", null) + priority = lookup(scm_ip_restriction.value, "priority", null) + action = lookup(scm_ip_restriction.value, "action", null) + dynamic "headers" { + for_each = try(scm_ip_restriction.headers, {}) + + content { + x_azure_fdid = lookup(headers.value, "x_azure_fdid", null) + x_fd_health_probe = lookup(headers.value, "x_fd_health_probe", null) + x_forwarded_for = lookup(headers.value, "x_forwarded_for", null) + x_forwarded_host = lookup(headers.value, "x_forwarded_host", null) + } + } + } + } } } From ac5968fff9c1d1c051aaf0c69264c659911f5bfa Mon Sep 17 00:00:00 2001 From: Tjomme Vergauwen <42241062+TjommeVergauwen@users.noreply.github.com> Date: Fri, 8 Mar 2024 13:30:11 +0100 Subject: [PATCH 032/244] #990: Update module.tf global_parameter should be processed as list of objects --- modules/data_factory/data_factory/module.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/data_factory/data_factory/module.tf b/modules/data_factory/data_factory/module.tf index 4479a85741..9e6f7387c2 100644 --- a/modules/data_factory/data_factory/module.tf +++ b/modules/data_factory/data_factory/module.tf @@ -25,7 +25,7 @@ resource "azurerm_data_factory" "df" { } } dynamic "global_parameter" { - for_each = try(var.settings.global_parameter, null) != null ? [var.settings.global_parameter] : [] + for_each = try(var.settings.global_parameter, null) != null ? var.settings.global_parameter : {} content { name = global_parameter.value.name From e8519d841e2a07d38415069b4899e5fe0dfda43b Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Tue, 12 Mar 2024 16:34:46 +0100 Subject: [PATCH 033/244] Feature/route table import (#47) * gallery app * feature: route table import --- networking.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/networking.tf b/networking.tf index f906002385..a3cd729c74 100644 --- a/networking.tf +++ b/networking.tf @@ -259,7 +259,7 @@ resource "azurecaf_name" "route_tables" { prefixes = local.global_settings.prefixes random_length = local.global_settings.random_length clean_input = true - passthrough = local.global_settings.passthrough + passthrough = can( each.value.passthrough ) ? true : local.global_settings.passthrough use_slug = local.global_settings.use_slug } From 518917ba6e4bb8dfba3fad620517c3671c85fa1b Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Tue, 12 Mar 2024 09:58:03 +0000 Subject: [PATCH 034/244] feat(kusto_cluster): add private endpoint --- data_explorer.tf | 2 ++ .../data_explorer/kusto_clusters/module.tf | 13 +++++++------ .../kusto_clusters/private_endpoint.tf | 16 ++++++++++++++++ .../data_explorer/kusto_clusters/variables.tf | 2 +- 4 files changed, 26 insertions(+), 7 deletions(-) create mode 100644 modules/databases/data_explorer/kusto_clusters/private_endpoint.tf 
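Review bot: `try(var.settings.global_parameter, null) != null ? var.settings.global_parameter : {}` requires both branches of the conditional to unify to one type; that holds when `global_parameter` is a map of objects, but with a list of objects (the shape the commit subject describes) Terraform rejects the expression because a tuple and an empty object have no common type. `for_each = try(var.settings.global_parameter, {})` expresses the same default without the conditional and works for either shape in a dynamic block. The `content` of the `dynamic` block continues outside this hunk.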
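Review bot: `can( each.value.passthrough ) ? true : local.global_settings.passthrough` turns any per-route-table `passthrough` value into `true`, including an explicit `passthrough = false`, because `can()` only reports that the attribute exists. `passthrough = try(each.value.passthrough, local.global_settings.passthrough)` honours the configured value and falls back to the global default. Passthrough disables the naming convention applied by `azurecaf_name`, so an unintended `true` lets a name bypass the prefix/slug policy; the `azurecaf_name` resource starts outside this hunk.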
diff --git a/data_explorer.tf b/data_explorer.tf index ee06f70ee5..7d4b408304 100644 --- a/data_explorer.tf +++ b/data_explorer.tf @@ -7,9 +7,11 @@ module "kusto_clusters" { settings = each.value location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name + private_endpoints = try(each.value.private_endpoints, {}) base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} combined_resources = { + private_dns = local.combined_objects_private_dns vnets = local.combined_objects_networking pips = local.combined_objects_public_ip_addresses managed_identities = local.combined_objects_managed_identities diff --git a/modules/databases/data_explorer/kusto_clusters/module.tf b/modules/databases/data_explorer/kusto_clusters/module.tf index 82bea499fe..4a7ad9ffbf 100644 --- a/modules/databases/data_explorer/kusto_clusters/module.tf +++ b/modules/databases/data_explorer/kusto_clusters/module.tf 
@@ -52,9 +52,10 @@ resource "azurerm_kusto_cluster" "kusto" { maximum_instances = optimized_auto_scale.value.maximum_instances } } - trusted_external_tenants = try(var.settings.trusted_external_tenants, null) - zones = try(var.settings.zones, null) - engine = try(var.settings.engine, null) - auto_stop_enabled = try(var.settings.auto_stop_enabled, null) - tags = local.tags -} \ No newline at end of file + trusted_external_tenants = try(var.settings.trusted_external_tenants, null) + zones = try(var.settings.zones, null) + engine = try(var.settings.engine, null) + auto_stop_enabled = try(var.settings.auto_stop_enabled, null) + public_network_access_enabled = try(var.settings.public_network_access_enabled, null) + tags = local.tags +} diff --git a/modules/databases/data_explorer/kusto_clusters/private_endpoint.tf b/modules/databases/data_explorer/kusto_clusters/private_endpoint.tf new file mode 100644 index 0000000000..8c1d1b88c5 --- /dev/null +++ b/modules/databases/data_explorer/kusto_clusters/private_endpoint.tf @@ -0,0 +1,16 @@ +module "private_endpoint" { + source = "../../../networking/private_endpoint" + for_each = try(var.private_endpoints, {}) + + resource_id = azurerm_kusto_cluster.kusto.id + name = each.value.name + location = var.location + resource_group_name = var.resource_group_name + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.combined_resources.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + settings = each.value + global_settings = var.global_settings + base_tags = var.global_settings.inherit_tags + tags = local.tags + private_dns = var.combined_resources.private_dns + client_config = var.client_config +} diff --git a/modules/databases/data_explorer/kusto_clusters/variables.tf b/modules/databases/data_explorer/kusto_clusters/variables.tf index b0934606a9..a6b677d72a 100644 --- a/modules/databases/data_explorer/kusto_clusters/variables.tf 
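Review bot: `public_network_access_enabled = try(var.settings.public_network_access_enabled, null)` leaves public access at the provider default when a cluster is configured only with `private_endpoints`, so the private endpoint added by this commit does not by itself close the public endpoint. A comment next to the attribute, `# A private endpoint does not disable public access; set public_network_access_enabled = false for a private-only cluster`, plus an explicit value in the new example would make the posture visible. The `azurerm_kusto_cluster` resource starts outside this hunk.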
+++ b/modules/databases/data_explorer/kusto_clusters/variables.tf
@@ -25,8 +25,8 @@ variable "vnets" {
 variable "pips" {
 default = null
 }
+variable "private_endpoints" {}
 variable "combined_resources" {
 description = "Provide a map of combined resources for environment_variables_from_resources"
 default = {}
 }
-
From 03e9641333c37cd830ec209a6655b4bc3a3f23c2 Mon Sep 17 00:00:00 2001
From: Simon Schneider
Date: Wed, 13 Mar 2024 15:04:41 +0000
Subject: [PATCH 035/244] feat(azurerm_kusto_cluster): example for private endpoint
---
 .github/workflows/standalone-scenarios.json | 1 +
 .../107-private-endpoint/configuration.tfvars | 75 +++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 examples/data_explorer/107-private-endpoint/configuration.tfvars
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index 3a4a611179..08037a46f3 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -26,6 +26,7 @@
 "data_explorer/104-kusto_cluster_database",
 "data_explorer/105-kusto_attached_database_configuration",
 "data_explorer/106-database_principal_assignment",
+ "data_explorer/107-private-endpoint",
 "data_factory/101-data_factory",
 "data_factory/102-data_factory_pipeline",
 "data_factory/103-data_factory_trigger_schedule",
diff --git a/examples/data_explorer/107-private-endpoint/configuration.tfvars b/examples/data_explorer/107-private-endpoint/configuration.tfvars
new file mode 100644
index 0000000000..f831afb6e6
--- /dev/null
+++ b/examples/data_explorer/107-private-endpoint/configuration.tfvars
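Review bot: `variable "private_endpoints" {}` has no default, so the module now requires the input even though `private_endpoint.tf` guards it with `try(var.private_endpoints, {})`; give it `default = {}` and a description so the guard is meaningful and callers that declare no private endpoints keep working. The same applies to `variable "vnets" {}` and `variable "private_endpoints" {}` in the postgresql_flexible_server `variables.tf` hunk later in this series, where the neighbouring `private_dns` already has `default = {}`.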
@@ -0,0 +1,75 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "eastus" + } +} + +resource_groups = { + rg1 = { + name = "dedicated-test" + region = "region1" + } +} +kusto_clusters = { + kc1 = { + name = "kustocluster" + auto_stop_enabled = false + resource_group = { + key = "rg1" + #lz_key = "" + #name = "" + } + region = "region1" + + sku = { + name = "Dev(No SLA)_Standard_E2a_v4" + capacity = 1 + } + + private_endpoints = { + pe1 = { + name = "kusto-shared" + resource_group_key = "rg1" + vnet_key = "vnet_region1" + subnet_key = "private_endpoints" + private_service_connection = { + name = "kusto-shared" + is_manual_connection = false + subresource_names = ["cluster"] + } + private_dns = { + keys = ["kusto"] + } + } + } + } +} + +## Networking configuration +vnets = { + vnet_region1 = { + resource_group_key = "rg1" + region = "region1" + + vnet = { + name = "kusto" + address_space = ["10.10.0.0/24"] + } + + subnets = { + private_endpoints = { + name = "private-endpoint" + cidr = ["10.10.0.0/25"] + enforce_private_link_endpoint_network_policies = true + } + } + } +} + +private_dns = { + kusto = { + name = "privatelink.westeurope.kusto.windows.net" + resource_group_key = "rg1" + } +} From 818ec56700101081ce449b5229ce5965e201dd10 Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Tue, 12 Mar 2024 10:43:03 +0000 Subject: [PATCH 036/244] feat(private_endpoint): fix sanity checks for resource_group_name --- modules/networking/private_endpoint/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/private_endpoint/main.tf b/modules/networking/private_endpoint/main.tf index c9a409e81e..b8af5addcc 100644 --- a/modules/networking/private_endpoint/main.tf +++ b/modules/networking/private_endpoint/main.tf 
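Review bot: The private DNS zone in the example is `privatelink.westeurope.kusto.windows.net` while the cluster and VNet are deployed to `eastus` (`region1 = "eastus"`); Kusto private-link zones are region-specific, so this zone will not carry the cluster's private-link record and clients on the VNet will keep resolving the public endpoint. Use the zone that matches the deployment region, `privatelink.eastus.kusto.windows.net`, or derive it from the region. The example also leaves `public_network_access_enabled` unset, so the cluster stays publicly reachable alongside the private endpoint; a private-endpoint example should set it to `false` or say why it does not.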
@@ -16,6 +16,6 @@ locals { location = can(var.location) || can(var.settings.region) ? try(var.location, var.global_settings.regions[var.settings.region]) : var.resource_groups[try(var.settings.resource_group.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)].location - resource_group_name = can(var.resource_group_name) ? var.resource_group_name : var.resource_groups[try(var.settings.resource_group.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)].name + resource_group_name = can(var.resource_group_name) && var.resource_group_name != null ? var.resource_group_name : var.resource_groups[try(var.settings.resource_group.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)].name } From 58395fb1cbe143ebd4f5ede7a2b316908f374874 Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Thu, 14 Mar 2024 08:54:44 +0100 Subject: [PATCH 037/244] Postgresql flexible server private endpoint (#1938) * feat(postgresql_flexible_servers): add private endpoint * feat(postgresql_flexible_server): add example for private endpoint --------- Co-authored-by: Simon Schneider --- .github/workflows/standalone-scenarios.json | 1 + .../104-private-endpoint/configuration.tfvars | 143 ++++++++++++++++++ .../private_endpoint.tf | 16 ++ .../postgresql_flexible_server/variables.tf | 10 +- postgresql_flexible_servers.tf | 13 +- 5 files changed, 177 insertions(+), 6 deletions(-) create mode 100644 examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars create mode 100644 modules/databases/postgresql_flexible_server/private_endpoint.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 75d861947b..a7f95055b5 100644 --- a/.github/workflows/standalone-scenarios.json 
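Review bot: `can(var.resource_group_name)` is always true for a declared input variable, so the added guard reduces to `var.resource_group_name != null`; writing it that way, `resource_group_name = var.resource_group_name != null ? var.resource_group_name : var.resource_groups[...]...name`, states the actual check instead of suggesting that `can()` does any work. The `locals` block starts outside this hunk.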
+++ b/.github/workflows/standalone-scenarios.json
@@ -130,6 +130,7 @@
 "postgresql_flexible_server/100-simple-postgresql-flexible",
 "postgresql_flexible_server/101-delegated-subnet-with-fw-rule",
 "postgresql_flexible_server/102-advanced-postgresql-flexible",
+ "postgresql_flexible_server/104-private-endpoint",
 "postgresql_server/100-simple-postgresql",
 "postgresql_server/101-vnet-rule-postgresql",
 "postgresql_server/102-private-endpoint-postgresql",
diff --git a/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars b/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars
new file mode 100644
index 0000000000..97c3107668
--- /dev/null
+++ b/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars
@@ -0,0 +1,143 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "uksouth" + } +} + +resource_groups = { + postgresql_region1 = { + name = "postgresql-region1" + region = "region1" + } +} + +postgresql_flexible_servers = { + primary_region1 = { + name = "primary-region1" + region = "region1" + version = "12" + sku_name = "MO_Standard_E4s_v3" + zone = 1 + storage_mb = 131072 + + resource_group = { + key = "postgresql_region1" + # lz_key = "" # Set the lz_key if the resource group is remote. + } + + # Auto-generated administrator credentials stored in azure keyvault when not set (recommended). + # administrator_username = "postgresqladmin" + # administrator_password = "ComplxP@ssw0rd!" + keyvault = { + key = "postgresql_region1" # (Required) when auto-generated administrator credentials needed. + # lz_key = "" # Set the lz_key if the keyvault is remote. + } + + # [Optional] Firewall Rules + postgresql_firewall_rules = { + postgresql-firewall-rule1 = { + name = "postgresql-firewall-rule1" + start_ip_address = "10.0.1.10" + end_ip_address = "10.0.1.11" + } + postgresql-firewall-rule2 = { + name = "postgresql-firewall-rule2" + start_ip_address = "10.0.2.10" + end_ip_address = "10.0.2.11" + } + } + + # [Optional] Server Configurations + postgresql_configurations = { + backslash_quote = { + name = "backslash_quote" + value = "on" + } + bgwriter_delay = { + name = "bgwriter_delay" + value = "25" + } + } + + + postgresql_databases = { + sampledb1 = { + name = "sampledb1" + } + sampledb2 = { + name = "sampledb2" + passthrough = true + } + } + + private_endpoints = { + pe1 = { + name = "pe1" + vnet_key = "vnet_region1" + subnet_key = "private_endpoints" + resource_group_key = "postgresql_region1" + + private_service_connection = { + name = "pe1" + is_manual_connection = false + subresource_names = ["postgresqlServer"] + } + + private_dns = { + zone_group_name = "postgres" + keys = ["postgres"] + } + } + } + + tags = { + segment = "sales" + } + + } 
+ +} + +# Store the postgresql_flexible_server administrator credentials into keyvault if the attribute keyvault{} block is defined. +keyvaults = { + postgresql_region1 = { + name = "akv" + resource_group_key = "postgresql_region1" + sku_name = "standard" + soft_delete_enabled = true + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + } + } +} + +## Networking configuration +vnets = { + vnet_region1 = { + resource_group_key = "postgresql_region1" + region = "region1" + + vnet = { + name = "postgresql" + address_space = ["10.10.0.0/24"] + } + + subnets = { + private_endpoints = { + name = "private-endpoint" + cidr = ["10.10.0.0/25"] + enforce_private_link_endpoint_network_policies = true + } + } + } +} + +private_dns = { + postgres = { + name = "privatelink.postgres.database.azure.com" + resource_group_key = "postgresql_region1" + } +} diff --git a/modules/databases/postgresql_flexible_server/private_endpoint.tf b/modules/databases/postgresql_flexible_server/private_endpoint.tf new file mode 100644 index 0000000000..ae7aeda65f --- /dev/null +++ b/modules/databases/postgresql_flexible_server/private_endpoint.tf @@ -0,0 +1,16 @@ +module "private_endpoint" { + source = "../../networking/private_endpoint" + for_each = try(var.private_endpoints, {}) + + resource_id = azurerm_postgresql_flexible_server.postgresql.id + name = each.value.name + location = local.location + resource_group_name = local.resource_group_name + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + tags = local.tags + private_dns = var.private_dns + client_config = var.client_config +} 
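Review bot: The example adds a private endpoint while keeping public `postgresql_firewall_rules` (the 10.0.1.x and 10.0.2.x ranges), so the server is reachable over both paths and the tfvars does not say which is intended. For a private-endpoint example either drop the firewall rules or add a comment such as `# Firewall rules apply to the public endpoint only; remove them for a private-only server` so readers do not copy a mixed posture. The `keyvaults` creation policy grants `Purge` to the logged-in user, which is broader than storing the generated administrator password needs and is worth a comment if deliberate.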
diff --git a/modules/databases/postgresql_flexible_server/variables.tf b/modules/databases/postgresql_flexible_server/variables.tf
index 50b5db9df1..1c25a4f06d 100755
--- a/modules/databases/postgresql_flexible_server/variables.tf
+++ b/modules/databases/postgresql_flexible_server/variables.tf
@@ -25,4 +25,12 @@ variable "resource_group" {
 variable "base_tags" {
 description = "Base tags for the resource to be inherited from the resource group."
 type = bool
-}
\ No newline at end of file
+}
+
+variable "vnets" {}
+
+variable "private_endpoints" {}
+
+variable "private_dns" {
+ default = {}
+}
diff --git a/postgresql_flexible_servers.tf b/postgresql_flexible_servers.tf
index 4f44c6316c..2755f33f16 100755
--- a/postgresql_flexible_servers.tf
+++ b/postgresql_flexible_servers.tf
@@ -7,11 +7,14 @@ module "postgresql_flexible_servers" { depends_on = [module.keyvaults, module.networking] for_each = local.database.postgresql_flexible_servers - global_settings = local.global_settings - client_config = local.client_config - settings = each.value - resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)] - base_tags = local.global_settings.inherit_tags + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)] + base_tags = local.global_settings.inherit_tags + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns remote_objects = { subnet_id = can(each.value.vnet.subnet_key) ? local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.key].subnets[each.value.vnet.subnet_key].id : null From e542183289db8cd8f89a706bb4933e98b448a1e1 Mon Sep 17 00:00:00 2001 
From: Simon Schneider Date: Thu, 14 Mar 2024 09:32:43 +0100 Subject: [PATCH 038/244] feat(azurerm_postgresql_flexible_server): add Entra ID administrator (#1903) * feat(azurerm_postgresql_flexible_server): aad adminstrator * feat(azurerm_postgresql_flexible_server): aad admin fixes - remove duplicated authentication block - set administrator login and password to null when password_auth_enabled is false - add managed identity as aad admin --------- Co-authored-by: Simon Schneider --- .../configuration.tfvars | 24 ++++++++++++++++++- .../postgresql_flexible_server/server.tf | 21 +++++++++++++--- postgresql_flexible_servers.tf | 6 ++++- 3 files changed, 46 insertions(+), 5 deletions(-) diff --git a/examples/postgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars b/examples/postgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars index 7006aae94d..8d9509c2ec 100644 --- a/examples/postgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars +++ b/examples/postgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars @@ -38,8 +38,15 @@ postgresql_flexible_servers = { # (Optional) The Tenant ID of the Azure Active Directory which is used by the Active Directory authentication. active_directory_auth_enabled must be set to true. #tenant_id = "00000-ee35-4265-95f6-46e9a9b4ec96" - } + active_directory_administrators = { + test_client = { + object_key = "sp1" + principal_name = "testclient" + principal_type = "ServicePrincipal" + } + } + } # Auto-generated administrator credentials stored in azure keyvault when not set (recommended). # administrator_username = "postgresqladmin" 
@@ -108,3 +115,18 @@ keyvaults = { } } } + +azuread_applications = { + test_client = { + useprefix = true + application_name = "test-client" + } +} + +azuread_service_principals = { + sp1 = { + azuread_application = { + key = "test_client" + } + } +} \ No newline at end of file diff --git a/modules/databases/postgresql_flexible_server/server.tf b/modules/databases/postgresql_flexible_server/server.tf index 13ef261ef8..5a97256436 100644 --- a/modules/databases/postgresql_flexible_server/server.tf +++ b/modules/databases/postgresql_flexible_server/server.tf @@ -24,8 +24,8 @@ resource "azurerm_postgresql_flexible_server" "postgresql" { point_in_time_restore_time_in_utc = try(var.settings.create_mode, "PointInTimeRestore") == "PointInTimeRestore" ? try(var.settings.point_in_time_restore_time_in_utc, null) : null source_server_id = try(var.settings.create_mode, "PointInTimeRestore") == "PointInTimeRestore" ? try(var.settings.source_server_id, null) : null - administrator_login = try(var.settings.create_mode, "Default") == "Default" ? try(var.settings.administrator_username, "pgadmin") : null - administrator_password = try(var.settings.create_mode, "Default") == "Default" ? try(var.settings.administrator_password, azurerm_key_vault_secret.postgresql_administrator_password.0.value) : null + administrator_login = try(var.settings.create_mode, "Default") == "Default" && try(var.settings.authentication.password_auth_enabled, true) ? try(var.settings.administrator_username, "pgadmin") : null + administrator_password = try(var.settings.create_mode, "Default") == "Default" && try(var.settings.authentication.password_auth_enabled, true) ? try(var.settings.administrator_password, azurerm_key_vault_secret.postgresql_administrator_password.0.value) : null dynamic "authentication" { for_each = try(var.settings.authentication, null) == null ? [] : [var.settings.authentication] 
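Review bot: The condition `try(var.settings.create_mode, "Default") == "Default" && try(var.settings.authentication.password_auth_enabled, true)` is now duplicated on `administrator_login` and `administrator_password`; a single `local.password_auth_enabled` would keep the two from diverging when the next authentication option is added. The `authentication` dynamic block below builds from the same `var.settings.authentication`, so the `true` default here should stay aligned with what that block yields when the object is absent. The `azurerm_postgresql_flexible_server` resource starts and ends outside this hunk.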
@@ -115,4 +115,19 @@ resource "azurerm_key_vault_secret" "postgresql_fqdn" { name = format("%s-fqdn", azurecaf_name.postgresql_flexible_server.result) value = azurerm_postgresql_flexible_server.postgresql.fqdn key_vault_id = var.remote_objects.keyvault_id -} \ No newline at end of file +} + +resource "azurerm_postgresql_flexible_server_active_directory_administrator" "administrator" { + for_each = try(var.settings.authentication.active_directory_administrators, {}) + server_name = azurerm_postgresql_flexible_server.postgresql.name + resource_group_name = local.resource_group_name + tenant_id = try(var.settings.authentication.tenant_id, var.client_config.tenant_id) + object_id = can(each.value.object_id) ? each.value.object_id : ( + each.value.principal_type == "ServicePrincipal" ? var.remote_objects.service_principals[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].object_id : + each.value.principal_type == "Group" ? var.remote_objects.azuread_groups[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].object_id : + each.value.principal_type == "User" ? var.remote_objects.azuread_users[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].object_id : + each.value.principal_type == "ManagedIdentity" ? var.remote_objects.managed_identities[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].principal_id : null + ) + principal_name = each.value.principal_name + principal_type = each.value.principal_type == "ManagedIdentity" ? "ServicePrincipal" : each.value.principal_type +} diff --git a/postgresql_flexible_servers.tf b/postgresql_flexible_servers.tf index 2755f33f16..68dbd2865f 100755 --- a/postgresql_flexible_servers.tf +++ b/postgresql_flexible_servers.tf 
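Review bot: `object_id` silently resolves to `null` when `principal_type` is anything other than the four handled values, which only surfaces as an opaque provider error at apply; a `lifecycle { precondition { condition = contains(["ServicePrincipal", "Group", "User", "ManagedIdentity"], each.value.principal_type) ... } }` (or at least a comment naming the accepted values) would fail fast with a readable message. The `ManagedIdentity` branch reads `principal_id` and is relabelled `ServicePrincipal` on the last line, which is correct but non-obvious and deserves `# Postgres sees a managed identity through its service principal, hence principal_id + ServicePrincipal`. Azure also appears to reject this resource while the server's `active_directory_auth_enabled` is false, and nothing here checks that the `authentication` block enables it, so an `active_directory_administrators` map on a server without it will fail late.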
@@ -21,5 +21,9 @@ module "postgresql_flexible_servers" { private_dns_zone_id = can(each.value.private_dns_zone.key) ? local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id : null keyvault_id = can(each.value.keyvault.key) ? local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][each.value.keyvault.key].id : null diagnostics = local.combined_diagnostics + azuread_groups = local.combined_objects_azuread_groups + azuread_users = local.combined_objects_azuread_users + service_principals = local.combined_objects_azuread_service_principals + managed_identities = local.combined_objects_managed_identities } -} \ No newline at end of file +} From 61f82e16aaba8fd1e741bf202c13cbd9297512b4 Mon Sep 17 00:00:00 2001 
From: Viacheslav Kuzmenko <60648640+onlyillusion@users.noreply.github.com> Date: Fri, 15 Mar 2024 05:14:38 +0200 Subject: [PATCH 039/244] Module databricks access connector (#1933) * adding dac module * Update databricks_access_connectors.tf * Update main.tf * Update configuration.tfvars --- databricks_access_connectors.tf | 18 ++++++++++ .../configuration.tfvars | 34 +++++++++++++++++++ examples/module.tf | 1 + examples/variables.tf | 3 ++ local.remote_objects.tf | 1 + locals.combined_objects.tf | 1 + locals.tf | 1 + .../databricks_access_connector/main.tf | 18 ++++++++++ .../managed_identities.tf | 17 ++++++++++ .../databricks_access_connector/module.tf | 15 ++++++++ .../databricks_access_connector/output.tf | 4 +++ .../databricks_access_connector/variables.tf | 21 ++++++++++++ 12 files changed, 134 insertions(+) create mode 100644 databricks_access_connectors.tf create mode 100644 examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars create mode 100644 modules/analytics/databricks_access_connector/main.tf create mode 100644 modules/analytics/databricks_access_connector/managed_identities.tf create mode 100644 modules/analytics/databricks_access_connector/module.tf create mode 100644 modules/analytics/databricks_access_connector/output.tf create mode 100644 modules/analytics/databricks_access_connector/variables.tf diff --git a/databricks_access_connectors.tf b/databricks_access_connectors.tf new file mode 100644 index 0000000000..108aaf3e99 --- /dev/null +++ b/databricks_access_connectors.tf 
@@ -0,0 +1,18 @@ +module "databricks_access_connectors" { + source = "./modules/analytics/databricks_access_connector" + for_each = local.database.databricks_access_connectors + + client_config = local.client_config + global_settings = local.global_settings + name = each.value.name + settings = each.value + resource_groups = local.combined_objects_resource_groups + base_tags = local.global_settings.inherit_tags + remote_objects = { + managed_identities = local.combined_objects_managed_identities + } +} + +output "databricks_access_connectors" { + value = module.databricks_access_connectors +} diff --git a/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars b/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars new file mode 100644 index 0000000000..b3dd3e7fb8 --- /dev/null +++ b/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars @@ -0,0 +1,34 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } +} + +resource_groups = { + dac_test = { + name = "rg-databricks-access-connectors" + } +} + +databricks_access_connectors = { + dac_1 = { + name = "example-name" + resource_group_key = "dac_test" + identity = { + type = "UserAssigned" #SystemAssigned + managed_identity_keys = ["dac_test"] + } + tags = { + test = "test" + test1 = "test1" + } + } +} + +managed_identities = { + dac_test = { + name = "mi-dac-test" + resource_group_key = "dac_test" + } +} diff --git a/examples/module.tf b/examples/module.tf index 255003eab1..f2fbbc1c6c 100644 --- a/examples/module.tf +++ b/examples/module.tf 
@@ -141,6 +141,7 @@ module "example" { databricks_workspaces = var.databricks_workspaces database_migration_services = var.database_migration_services databricks_workspaces = var.databricks_workspaces + databricks_access_connectors = var.databricks_access_connectors machine_learning_workspaces = var.machine_learning_workspaces mariadb_servers = var.mariadb_servers mariadb_databases = var.mariadb_databases diff --git a/examples/variables.tf b/examples/variables.tf index e1879395af..0e46b8498f 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -355,6 +355,9 @@ variable "batch_pools" { variable "databricks_workspaces" { default = {} } +variable "databricks_access_connectors" { + default = {} +} variable "machine_learning_workspaces" { default = {} } diff --git a/local.remote_objects.tf b/local.remote_objects.tf index f1c406efcc..76de44f2cd 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf @@ -41,6 +41,7 @@ locals { container_registry = try(local.combined_objects_container_registry, null) cosmos_dbs = try(local.combined_objects_cosmos_dbs, null) databricks_workspaces = try(local.combined_objects_databricks_workspaces, null) + databricks_access_connectors = try(local.combined_objects_databricks_access_connectors, null) data_factory = try(local.combined_objects_data_factory, null) data_factory_integration_runtime_azure_ssis = try(local.combined_objects_data_factory_integration_runtime_azure_ssis, null) data_factory_linked_service_azure_blob_storage = try(local.combined_objects_data_factory_linked_service_azure_blob_storage, null) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 91d8a107f5..8505d87082 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -64,6 +64,7 @@ locals { combined_objects_data_factory_pipeline = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_pipeline }), try(var.remote_objects.data_factory_pipeline, {})) combined_objects_database_migration_services = merge(tomap({ (local.client_config.landingzone_key) = module.database_migration_services }), try(var.remote_objects.database_migration_services, {})) combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), try(var.remote_objects.databricks_workspaces, {}), try(var.data_sources.databricks_workspaces, {})) + combined_objects_databricks_access_connectors = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_access_connectors }), try(var.remote_objects.databricks_access_connectors, {}), try(var.data_sources.databricks_access_connectors, {})) combined_objects_ddos_services = merge(tomap({ (local.client_config.landingzone_key) = azurerm_network_ddos_protection_plan.ddos_protection_plan }), try(var.remote_objects.ddos_services, {}), try(var.remote_objects.ddos_services, {})) combined_objects_dedicated_host_groups = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_host_groups }), try(var.remote_objects.dedicated_host_groups, {}), try(var.data_sources.dedicated_host_groups, {})) combined_objects_dedicated_hosts = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_hosts }), try(var.remote_objects.dedicated_hosts, {}), try(var.data_sources.dedicated_hosts, {})) diff --git a/locals.tf b/locals.tf index f1e20aa26d..f869fa3412 100644 --- a/locals.tf +++ b/locals.tf 
@@ -122,6 +122,7 @@ locals { database_migration_services = try(var.database.database_migration_services, {}) database_migration_projects = try(var.database.database_migration_projects, {}) databricks_workspaces = try(var.database.databricks_workspaces, {}) + databricks_access_connectors = try(var.database.databricks_access_connectors, {}) machine_learning_workspaces = try(var.database.machine_learning_workspaces, {}) mariadb_databases = try(var.database.mariadb_databases, {}) mariadb_servers = try(var.database.mariadb_servers, {}) diff --git a/modules/analytics/databricks_access_connector/main.tf b/modules/analytics/databricks_access_connector/main.tf new file mode 100644 index 0000000000..00369bb2be --- /dev/null +++ b/modules/analytics/databricks_access_connector/main.tf @@ -0,0 +1,18 @@ +locals { + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.resource_groups.tags, null), + try(var.settings.tags, null) + ) : try(var.settings.tags, null) + + + resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)] +} + +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} diff --git a/modules/analytics/databricks_access_connector/managed_identities.tf b/modules/analytics/databricks_access_connector/managed_identities.tf new file mode 100644 index 0000000000..4257d2d09d --- /dev/null +++ b/modules/analytics/databricks_access_connector/managed_identities.tf 
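Review bot: In the new `main.tf`, `try(var.resource_groups.tags, null)` can never resolve: the next line shows `var.resource_groups` is indexed as `[lz_key][rg_key]`, so `.tags` would only exist if a landing zone were named `tags`, and resource-group tag inheritance silently yields null. It should read the resolved group, `try(local.resource_group.tags, null)`, which is what the `base_tags` variable description in this commit promises. The double blank line between `tags` and `resource_group` is a `terraform fmt` nit.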
@@ -0,0 +1,17 @@ +locals { + managed_local_identities = flatten([ + for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ + var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + ] + ]) + + managed_remote_identities = flatten([ + for lz_key, value in try(var.settings.identity.remote, []) : [ + for managed_identity_key in value.managed_identity_keys : [ + var.remote_objects.managed_identities[lz_key][managed_identity_key].id + ] + ] + ]) + + managed_identities = concat(local.managed_local_identities, local.managed_remote_identities) +} \ No newline at end of file diff --git a/modules/analytics/databricks_access_connector/module.tf b/modules/analytics/databricks_access_connector/module.tf new file mode 100644 index 0000000000..9da6636dfb --- /dev/null +++ b/modules/analytics/databricks_access_connector/module.tf @@ -0,0 +1,15 @@ +resource "azurerm_databricks_access_connector" "databricks_access_connector" { + name = var.name + resource_group_name = local.resource_group.name + location = lookup(var.settings, "region", null) == null ? local.resource_group.location : var.global_settings.regions[var.settings.region] + tags = local.tags + + dynamic "identity" { + for_each = can(var.settings.identity) ? [var.settings.identity] : [] + content { + type = identity.value.type + identity_ids = concat(local.managed_identities, try(identity.value.identity_ids, [])) + } + } + +} diff --git a/modules/analytics/databricks_access_connector/output.tf b/modules/analytics/databricks_access_connector/output.tf new file mode 100644 index 0000000000..1b1301a120 --- /dev/null +++ b/modules/analytics/databricks_access_connector/output.tf @@ -0,0 +1,4 @@ +output "id" { + description = "The ID of the Manages a Databricks Access Connector." + value = azurerm_databricks_access_connector.databricks_access_connector.id +} \ No newline at end of file 
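Review bot: In `module.tf`, `identity_ids = concat(local.managed_identities, try(identity.value.identity_ids, []))` is emitted for every identity type, including `SystemAssigned`, which the example in this commit advertises as an alternative; unless the provider tolerates an empty list there, that plan will be rejected. Guard it on the type, e.g. `identity_ids = identity.value.type == "SystemAssigned" ? null : concat(local.managed_identities, try(identity.value.identity_ids, []))`.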
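Review bot: The output description `The ID of the Manages a Databricks Access Connector.` reads like a pasted provider heading; `The resource ID of the Databricks Access Connector.` says the same thing correctly. The whole point of an access connector is to grant its identity access to storage, so consumers will also need the connector's identity; if the provider exports it (I believe it does), an `identity` output exposing `azurerm_databricks_access_connector.databricks_access_connector.identity` alongside `id` saves every caller from reaching into the module's resource.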
diff --git a/modules/analytics/databricks_access_connector/variables.tf b/modules/analytics/databricks_access_connector/variables.tf new file mode 100644 index 0000000000..b58645c073 --- /dev/null +++ b/modules/analytics/databricks_access_connector/variables.tf @@ -0,0 +1,21 @@ +variable "name" { + default = null +} +variable "settings" {} + +variable "global_settings" { + description = "Global settings object (see module README.md)" +} + +variable "client_config" { + description = "Client configuration object (see module README.md)." +} + +variable "resource_groups" { + default = {} +} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} +variable "remote_objects" {} From fd10ebc48f60d39f7f23cf3004207d0508e964cc Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 15 Mar 2024 08:49:17 +0000 Subject: [PATCH 040/244] fix(rbac): Adding diagnostic_storage_accounts to rbac scopes --- roles.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles.tf b/roles.tf index 69c6332151..8b7610af36 100644 --- a/roles.tf +++ b/roles.tf @@ -126,6 +126,7 @@ locals { batch_accounts = local.combined_objects_batch_accounts data_factory = local.combined_objects_data_factory databricks_workspaces = local.combined_objects_databricks_workspaces + diagnostic_storage_accounts = local.current_objects_diagnostic_storage_accounts dns_zones = local.combined_objects_dns_zones event_hub_namespaces = local.combined_objects_event_hub_namespaces function_apps = local.combined_objects_function_apps @@ -173,6 +174,11 @@ locals { (var.current_landingzone_key) = merge(local.combined_objects_log_analytics, local.combined_diagnostics.log_analytics) } ) + current_objects_diagnostic_storage_accounts = tomap( + { + (var.current_landingzone_key) = merge(local.combined_objects_diagnostic_storage_accounts, local.combined_diagnostics.storage_accounts) + } + ) logged_in = tomap( { 
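Review bot: `variable "settings" {}` and `variable "remote_objects" {}` carry no description while their neighbours do, so a reader has to open `main.tf` and `managed_identities.tf` to learn what is consumed. Document what is actually read: `description = "Connector settings: resource_group/resource_group_key, optional lz_key, region, tags and identity (type, managed_identity_keys, remote, identity_ids)."` and `description = "Remote objects; only managed_identities is read by this module."`. `variable "name"` defaults to `null` but `module.tf` uses it directly as the resource name, so a default that cannot work should either be removed or be backed by a fallback on `var.settings.name`.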
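Review bot: This change — the `diagnostic_storage_accounts` scope entry and the `current_objects_diagnostic_storage_accounts` local — is applied a second time by PATCH 041 in the same series, with identical author, date and subject but different line offsets, so one of the two should be dropped before the series lands or `roles.tf` ends up with duplicate keys. The new local mirrors the `log_analytics` entry above it, but nothing explains why this scope is wrapped under `var.current_landingzone_key` while its neighbours pass `combined_objects_*` maps straight through; a one-line comment on the local stating that reason would help the next person who adds a scope here.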
From b81238eda6571cdb113063d9b690cecd253466d0 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 15 Mar 2024 08:49:17 +0000 Subject: [PATCH 041/244] fix(rbac): Adding diagnostic_storage_accounts to rbac scopes --- roles.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles.tf b/roles.tf index 5874167bd5..7c8a186d4f 100644 --- a/roles.tf +++ b/roles.tf @@ -132,6 +132,7 @@ locals { batch_accounts = local.combined_objects_batch_accounts data_factory = local.combined_objects_data_factory databricks_workspaces = local.combined_objects_databricks_workspaces + diagnostic_storage_accounts = local.current_objects_diagnostic_storage_accounts dns_zones = local.combined_objects_dns_zones event_hub_namespaces = local.combined_objects_event_hub_namespaces function_apps = local.combined_objects_function_apps @@ -183,6 +184,11 @@ locals { (var.current_landingzone_key) = merge(local.combined_objects_log_analytics, local.combined_diagnostics.log_analytics) } ) + current_objects_diagnostic_storage_accounts = tomap( + { + (var.current_landingzone_key) = merge(local.combined_objects_diagnostic_storage_accounts, local.combined_diagnostics.storage_accounts) + } + ) logged_in = tomap( { From 695a8c0c2ed7539a4d67ea85c553cb1b07225f7a Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Mon, 25 Mar 2024 17:25:35 +0100 Subject: [PATCH 042/244] - replaced deprecated option disabled_rules (#49) in azurerm_web_application_firewall_policy Co-authored-by: Najeeb Vayal Valappil --- .../application_gateway_waf_policies/waf_policy.tf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/networking/application_gateway_waf_policies/waf_policy.tf b/modules/networking/application_gateway_waf_policies/waf_policy.tf index ab0da3fa8a..ffad0c8823 100644 --- a/modules/networking/application_gateway_waf_policies/waf_policy.tf +++ b/modules/networking/application_gateway_waf_policies/waf_policy.tf 
@@ -83,7 +83,16 @@ resource "azurerm_web_application_firewall_policy" "wafpolicy" { for_each = try(managed_rule_set.value.rule_group_override, {}) content { rule_group_name = rule_group_override.value.rule_group_name - disabled_rules = try(rule_group_override.value.disabled_rules, null) + dynamic "rule" { + for_each = { + for key, value in try(rule_group_override.value.rules, {}) : key => value + } + content { + id = rule.value.id + enabled = try(rule.value.enabled, null) + action = try(rule.value.action, null) + } + } } } } From 801c361f649b2b60f75237cbc2d810c787f03ae1 Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Tue, 26 Mar 2024 13:16:28 +0100 Subject: [PATCH 043/244] feature: (#50) added - list support for status and levels Co-authored-by: Najeeb Vayal Valappil --- modules/monitoring/monitor_activity_log_alert/module.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/monitoring/monitor_activity_log_alert/module.tf b/modules/monitoring/monitor_activity_log_alert/module.tf index a2b2ec515a..c5b5b8344d 100644 --- a/modules/monitoring/monitor_activity_log_alert/module.tf +++ b/modules/monitoring/monitor_activity_log_alert/module.tf @@ -35,7 +35,9 @@ resource "azurerm_monitor_activity_log_alert" "mala" { ) caller = try(criteria.value.caller, null) level = try(criteria.value.level, null) + levels = try(criteria.value.levels, null) status = try(criteria.value.status, null) + statuses = try(criteria.value.statuses, null) sub_status = try(criteria.value.sub_status, null) recommendation_type = try(criteria.value.recommendation_type, null) recommendation_category = try(criteria.value.recommendation_category, null) From 58aa877c645fd25071a573f07d194902b4b761cb Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Wed, 27 Mar 2024 11:50:12 +0000 Subject: [PATCH 044/244] fix(connection-monitors): Adding connection-monitors to rbac scopes --- roles.tf | 1 + 1 file changed, 1 insertion(+) 
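Review bot: Replacing `disabled_rules` with a `rule` block changes the input contract without a migration path: any existing configuration that still lists ids under `disabled_rules` now has those overrides silently ignored, and a rule listed under `rules` without an explicit `enabled = false` is not disabled (what `enabled = null` means depends on the provider default, which I have not verified). Deriving legacy `disabled_rules` into `enabled = false` entries keeps those WAF overrides intact during the switch. The `for key, value in ... : key => value` comprehension is an identity map and can simply be `try(rule_group_override.value.rules, {})`.
```terraform
dynamic "rule" {
  # legacy input: ids listed under disabled_rules become explicit enabled = false overrides
  for_each = merge(
    { for id in try(rule_group_override.value.disabled_rules, []) : id => { id = id, enabled = false } },
    try(rule_group_override.value.rules, {})
  )
  content {
    id      = rule.value.id
    enabled = try(rule.value.enabled, null)
    action  = try(rule.value.action, null)
  }
}
```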
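Review bot: `level`/`levels` and `status`/`statuses` are, as far as I recall, mutually exclusive on this resource, and the new lines let `settings` supply both, which only fails at plan time with a provider message. A comment on the new lines, `# levels/statuses are list forms; supply either the singular or the plural, not both`, documents the constraint where the caller will look for it. The `criteria` block continues outside the hunk.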
diff --git a/roles.tf b/roles.tf index 7c8a186d4f..447328cb69 100644 --- a/roles.tf +++ b/roles.tf @@ -146,6 +146,7 @@ locals { machine_learning_workspaces = local.combined_objects_machine_learning managed_identities = local.combined_objects_managed_identities management_group = local.management_groups + monitor_action_groups = local.combined_objects_monitor_action_groups mssql_databases = local.combined_objects_mssql_databases mssql_elastic_pools = local.combined_objects_mssql_elastic_pools mssql_managed_databases = local.combined_objects_mssql_managed_databases From 1c179b2360449558a353edd34780500c6dd3993a Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Wed, 27 Mar 2024 11:51:28 +0000 Subject: [PATCH 045/244] feat:(connection-monitor): adding capability to reference diagnostic log anayltics --- modules/networking/network_connection_monitor/module.tf | 6 +++++- modules/networking/network_connection_monitor/variables.tf | 4 +++- networking_connection_monitor.tf | 1 + 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/modules/networking/network_connection_monitor/module.tf b/modules/networking/network_connection_monitor/module.tf index ad7ad397fd..f627b2e89f 100644 --- a/modules/networking/network_connection_monitor/module.tf +++ b/modules/networking/network_connection_monitor/module.tf 
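Review bot: The subject says connection monitors are added to the RBAC scopes, but the only new line is `monitor_action_groups = local.combined_objects_monitor_action_groups`, so either the commit message or the scope key is wrong and should be reconciled before merge. The same hunk is re-applied verbatim as PATCH 046 later in the series against a different base (`index 69c6332151..ca85bf9762`), so one of the two should be dropped. Because this map feeds role assignments, a misnamed scope would mean the intended resources simply cannot be targeted by `role_mapping`, without any error.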
@@ -126,11 +126,15 @@ locals { key => var.combined_objects_log_analytics[try(value.lz_key, var.client_config.landingzone_key)][value.key].id if try(value.key, null) != null } + workspace_id_from_diagnostics = {for key, value in var.diagnostics.log_analytics : + key => value.id + if try(value.diagnostic_log_destination_key, null) != null + } workspace_from_ids = { for key, value in var.settings.output_workspaces : key => value.id if try(value.id, null) != null } - workspace_ids = concat(values(local.workspace_ids_from_keys), values(local.workspace_from_ids)) + workspace_ids = concat(values(local.workspace_ids_from_keys), values(local.workspace_from_ids), values(local.workspace_id_from_diagnostics)) name = var.network_watcher_name != null ? var.network_watcher_name : format("NetworkWatcher_%s", var.location) resource_group_name = var.network_watcher_resource_group_name != null ? var.network_watcher_resource_group_name : "NetworkWatcherRG" diff --git a/modules/networking/network_connection_monitor/variables.tf b/modules/networking/network_connection_monitor/variables.tf index 872b685bac..c072e2c9e7 100644 --- a/modules/networking/network_connection_monitor/variables.tf +++ b/modules/networking/network_connection_monitor/variables.tf @@ -32,7 +32,9 @@ variable "network_watcher_id" { default = null } variable "combined_objects_log_analytics" {} - +variable "diagnostics" { + default = {} +} variable "endpoint_objects" { description = "map of possible endpoint objects from caf" diff --git a/networking_connection_monitor.tf b/networking_connection_monitor.tf index 1104635bb9..8c4b908caa 100644 --- a/networking_connection_monitor.tf +++ b/networking_connection_monitor.tf 
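Review bot: `workspace_id_from_diagnostics` does not consult `var.settings` at all — it iterates every workspace in `var.diagnostics.log_analytics` and keeps each one that carries a `diagnostic_log_destination_key`, so if that attribute is present on the shared diagnostics objects, every connection monitor in the deployment fans its output into all of those workspaces. The sibling `workspace_ids_from_keys` in the context selects by the monitor's own `output_workspaces`; mirroring that shape keeps the selection per monitor. Separately, `var.diagnostics` defaults to `{}` in the new variable, so `var.diagnostics.log_analytics` errors for any caller relying on the default; `try(var.diagnostics.log_analytics, {})` avoids that, and the `{for` needs `terraform fmt`.
```terraform
workspace_id_from_diagnostics = {
  for key, value in var.settings.output_workspaces :
  key => try(var.diagnostics.log_analytics, {})[value.diagnostic_log_destination_key].id
  if try(value.diagnostic_log_destination_key, null) != null
}
# … unchanged: workspace_from_ids, workspace_ids concat …
```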
@@ -15,6 +15,7 @@ module "network_connection_monitors" { network_watcher_name = try(each.value.network_watcher_name, null) combined_objects_log_analytics = local.combined_objects_log_analytics + diagnostics = local.combined_diagnostics endpoint_objects = { virtual_subnets = local.combined_objects_virtual_subnets From dfee863c918ce9dd1720131389eb2784602864e0 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Wed, 27 Mar 2024 11:50:12 +0000 Subject: [PATCH 046/244] fix(connection-monitors): Adding connection-monitors to rbac scopes --- roles.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/roles.tf b/roles.tf index 69c6332151..ca85bf9762 100644 --- a/roles.tf +++ b/roles.tf @@ -139,6 +139,7 @@ locals { machine_learning_workspaces = local.combined_objects_machine_learning managed_identities = local.combined_objects_managed_identities management_group = local.management_groups + monitor_action_groups = local.combined_objects_monitor_action_groups mssql_databases = local.combined_objects_mssql_databases mssql_elastic_pools = local.combined_objects_mssql_elastic_pools mssql_managed_databases = local.combined_objects_mssql_managed_databases From 7d44a22b1821d53ffe63b952c1d8a518a00ee329 Mon Sep 17 00:00:00 2001 From: Oleksandr Trapeznikov Date: Thu, 28 Mar 2024 20:43:34 +0000 Subject: [PATCH 047/244] Fix VPN Gateway Connection Routing --- .../virtual_wan.tfvars | 34 +++++++++++-------- .../virtual_wan/virtual_hub/output.tf | 7 +++- .../vpn_gateway_connection/module.tf | 20 +++++++---- .../vpn_gateway_connection/variables.tf | 1 + networking_vpn_gateway_connection.tf | 3 +- 5 files changed, 42 insertions(+), 23 deletions(-) diff --git a/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars index f10f32afe2..0464a1b3f1 100644 --- a/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars 
+++ b/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars @@ -43,7 +43,7 @@ virtual_hub_route_tables = { virtual_wan_key = "vwan_re1" virtual_hub_key = "hub_re1" - labels = ["label1"] + labels = ["label1", "default"] } routetable2 = { name = "example-vhubroutetable2" 
@@ -143,22 +143,26 @@ vpn_gateway_connections = { } routing = { # Optional - associated_route_table = { - # id = "" # Set the Resource ID of an existing Virtual WAN Route Table - # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment - key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment - } + # associated_route_table = { # Can only be Default Route Table https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing#considerations + # id = "" # Set the Resource ID of an existing Virtual WAN Route Table + # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment + # key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment + # } propagated_route_table = { - routetable1 = { - # id = "" # Set the Resource ID of an existing Virtual WAN Route Table - # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment - key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment - } - routetable2 = { - # id = "" # Set the Resource ID of an existing Virtual WAN Route Table - # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment - key = "routetable2" # Set the 'key' of the Route Table created in this (or a remote) deployment + route_tables = { + routetable1 = { + # id = "" # Set the Resource ID of an existing Virtual WAN Route Table + # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment + key = "routetable1" # Set the 'key' of the Route Table created in this (or a remote) deployment + labels = ["label1"] # Optional + } + routetable2 = { + # id = "" # Set the Resource ID of an existing Virtual WAN Route Table + # lz_key = "" # Set the 'lz_key' of a Route Table created in a remote deployment + key = "routetable2" # Set the 'key' of the Route Table created in this (or a remote) deployment + labels = ["label2", "default"] # 
Optional + } } } } diff --git a/modules/networking/virtual_wan/virtual_hub/output.tf b/modules/networking/virtual_wan/virtual_hub/output.tf index e80d4cfd39..df4496377a 100644 --- a/modules/networking/virtual_wan/virtual_hub/output.tf +++ b/modules/networking/virtual_wan/virtual_hub/output.tf @@ -37,4 +37,9 @@ output "p2s_gateway" { output "resource_group_name" { description = "Name of the resource group where the resources are deployed." value = var.resource_group_name -} \ No newline at end of file +} + +output "default_route_table_id" { + description = "Resource ID of the Virtual Hub Default Route Table" + value = azurerm_virtual_hub.vwan_hub.default_route_table_id +} diff --git a/modules/networking/vpn_gateway_connection/module.tf b/modules/networking/vpn_gateway_connection/module.tf index 5e8b2b8247..93396a2354 100644 --- a/modules/networking/vpn_gateway_connection/module.tf +++ b/modules/networking/vpn_gateway_connection/module.tf 
@@ -67,19 +67,27 @@ resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection" { dynamic "routing" { for_each = can(var.settings.routing) ? [var.settings.routing] : [] content { - associated_route_table = can(routing.value.associated_route_table.key) ? var.route_tables[try(routing.value.associated_route_table.lz_key, var.client_config.landingzone_key)][routing.value.associated_route_table.key].id : try(routing.value.associated_route_table.id, null) + associated_route_table = can(routing.value.associated_route_table.key) ? var.route_tables[try(routing.value.associated_route_table.lz_key, var.client_config.landingzone_key)][routing.value.associated_route_table.key].id : try(routing.value.associated_route_table.id, try(var.default_route_table_id, null)) dynamic "propagated_route_table" { # propagated_route_tables kept to smooth the migration to azurerm 3.0 - for_each = can(routing.value.propagated_route_table) ? routing.value.propagated_route_table : routing.value.propagated_route_tables - + for_each = can(routing.value.propagated_route_table) ? [routing.value.propagated_route_table] : [] content { - route_table_ids = can(propagated_route_table.value.id) ? propagated_route_table.value.id : var.route_tables[try(propagated_route_table.value.lz_key, var.client_config.landingzone_key)][propagated_route_table.value.key].id + route_table_ids = compact( + [ + for key, value in propagated_route_table.value.route_tables : + can(value.id) ? value.id : var.route_tables[try(value.lz_key, var.client_config.landingzone_key)][value.key].id + ] + ) - labels = try(propagated_route_table.value.labels, null) + labels = flatten( + [ + for key, value in propagated_route_table.value.route_tables : + can(value.labels) ? value.labels : [] + ] + ) } } - } } } diff --git a/modules/networking/vpn_gateway_connection/variables.tf b/modules/networking/vpn_gateway_connection/variables.tf index 193e40e488..a462584483 100644 --- a/modules/networking/vpn_gateway_connection/variables.tf 
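Review bot: The comment `# propagated_route_tables kept to smooth the migration to azurerm 3.0` is now false: the new `for_each` reads only `routing.value.propagated_route_table` and the plural fallback is gone, and on top of that the block now requires a nested `route_tables` map, so every existing configuration that declared route tables directly under `propagated_route_table` (the shape the removed lines supported) fails with an attribute error. Either update the comment to say the legacy forms are no longer accepted, or keep a fallback such as `route_tables = try(propagated_route_table.value.route_tables, propagated_route_table.value)`. `try(var.default_route_table_id, null)` on a declared variable is a no-op; `var.default_route_table_id` reads the same. If the same table is listed twice with `"default"`, `labels` is flattened with duplicates, which is fine only if the provider treats it as a set.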
+++ b/modules/networking/vpn_gateway_connection/variables.tf @@ -7,3 +7,4 @@ variable "vpn_sites" {} variable "client_config" {} variable "route_tables" {} variable "nat_rules" {} +variable "default_route_table_id" {} diff --git a/networking_vpn_gateway_connection.tf b/networking_vpn_gateway_connection.tf index 49456c2728..aa19169ef6 100644 --- a/networking_vpn_gateway_connection.tf +++ b/networking_vpn_gateway_connection.tf 
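Review bot: `variable "default_route_table_id" {}` is a new required input, so any caller of this module that this commit does not update fails validation; `variable "default_route_table_id" { default = null }` keeps older callers working, and the fallback in `module.tf` already tolerates a null there.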
@@ -21,5 +21,6 @@ module "vpn_gateway_connections" { route_tables = local.combined_objects_virtual_hub_route_tables nat_rules = local.combined_objects_vpn_gateway_nat_rules - vpn_gateway_id = can(each.value.virtual_hub_gateway_id) || can(each.value.virtual_wan) ? try(each.value.virtual_hub_gateway_id, local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, each.value.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_wan.key, each.value.virtual_wan_key)].virtual_hubs[try(each.value.virtual_hub.key, each.value.virtual_hub_key)].s2s_gateway.id) : local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].s2s_gateway.id + default_route_table_id = can(each.value.virtual_wan) ? local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, each.value.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_wan.key, each.value.virtual_wan_key)].virtual_hubs[try(each.value.virtual_hub.key, each.value.virtual_hub_key)].default_route_table_id : local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].default_route_table_id + vpn_gateway_id = can(each.value.virtual_hub_gateway_id) || can(each.value.virtual_wan) ? try(each.value.virtual_hub_gateway_id, local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, each.value.lz_key, local.client_config.landingzone_key)][try(each.value.virtual_wan.key, each.value.virtual_wan_key)].virtual_hubs[try(each.value.virtual_hub.key, each.value.virtual_hub_key)].s2s_gateway.id) : local.combined_objects_virtual_hubs[try(each.value.virtual_hub.lz_key, local.client_config.landingzone_key)][each.value.virtual_hub.key].s2s_gateway.id } From 7caa78c47dcfecaaa4c4e19f40c9c06a0625e77d Mon Sep 17 00:00:00 2001 
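Review bot: `default_route_table_id` only tests `can(each.value.virtual_wan)`, whereas the `vpn_gateway_id` line beside it also accepts `virtual_hub_gateway_id`; a connection that sets `virtual_hub_gateway_id` without a `virtual_wan` block now falls into the `combined_objects_virtual_hubs[...]` branch and fails on `each.value.virtual_hub.key`, which it did not need before. Wrapping the whole conditional in `try(..., null)` keeps such configurations planning and lets the module treat null as "no default table". The `.default_route_table_id` attribute on the `virtual_hubs[...]` objects also assumes the virtual_wan module re-exports whole hub module objects; the output added in this commit is on the hub module only, so confirm the wan module does not enumerate hub outputs explicitly.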
From: shanoor <17402800+shanoor@users.noreply.github.com> Date: Fri, 12 Apr 2024 16:32:38 +0200 Subject: [PATCH 048/244] Add diagnostic profiles on function apps --- function_app.tf | 4 +++- modules/webapps/function_app/diagnostic.tf | 9 +++++++++ modules/webapps/function_app/variables.tf | 8 +++++++- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 modules/webapps/function_app/diagnostic.tf diff --git a/function_app.tf b/function_app.tf index ff61c6fe57..991270f463 100644 --- a/function_app.tf +++ b/function_app.tf @@ -11,6 +11,8 @@ module "function_apps" { app_service_plan_id = can(each.value.app_service_plan_id) || can(each.value.app_service_plan_key) == false ? try(each.value.app_service_plan_id, null) : local.combined_objects_app_service_plans[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.app_service_plan_key].id settings = each.value.settings application_insight = try(each.value.application_insight_key, null) == null ? null : module.azurerm_application_insights[each.value.application_insight_key] + diagnostic_profiles = try(each.value.diagnostic_profiles, null) + diagnostics = local.combined_diagnostics identity = try(each.value.identity, null) connection_strings = try(each.value.connection_strings, {}) storage_account_name = try(data.azurerm_storage_account.function_apps[each.key].name, null) @@ -48,4 +50,4 @@ data "azurerm_storage_account" "function_apps" { name = local.combined_objects_storage_accounts[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.storage_account_key].name resource_group_name = local.combined_objects_storage_accounts[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.storage_account_key].resource_group_name -} \ No newline at end of file +} diff --git a/modules/webapps/function_app/diagnostic.tf b/modules/webapps/function_app/diagnostic.tf new file mode 100644 index 0000000000..981bd0dd3a --- /dev/null 
+++ b/modules/webapps/function_app/diagnostic.tf @@ -0,0 +1,9 @@ +module "diagnostics" { + source = "../../diagnostics" + count = var.diagnostic_profiles == null ? 0 : 1 + + resource_id = azurerm_function_app.function_app.id + resource_location = local.location + diagnostics = var.diagnostics + profiles = var.diagnostic_profiles +} diff --git a/modules/webapps/function_app/variables.tf b/modules/webapps/function_app/variables.tf index 713ad444b1..b3fb6425cc 100644 --- a/modules/webapps/function_app/variables.tf +++ b/modules/webapps/function_app/variables.tf @@ -86,4 +86,10 @@ variable "virtual_subnets" { } variable "vnets" { default = {} -} \ No newline at end of file +} +variable "diagnostic_profiles" { + default = {} +} +variable "diagnostics" { + default = null +} From 0e4bfccabcaeaf07e22f570d6e9c8bd53f28c251 Mon Sep 17 00:00:00 2001 From: Milan Jugovic Date: Fri, 19 Apr 2024 23:37:46 +0200 Subject: [PATCH 049/244] Added capability for MSI to be assigned a role so it can access azure open ai service. --- .../configuration.tfvars | 45 +++++++++++++++++++ roles.tf | 1 + 2 files changed, 46 insertions(+) create mode 100644 examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars diff --git a/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars new file mode 100644 index 0000000000..875f053a47 --- /dev/null +++ b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars 
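Review bot: The defaults in `variables.tf` invert what `diagnostic.tf` checks: `diagnostic_profiles` defaults to `{}` but `module.diagnostics` is skipped only when it is `null`, so a caller that omits the variable still instantiates the diagnostics module with no profiles, while `diagnostics` defaults to `null` and is passed straight through to it. Swap them — `variable "diagnostic_profiles" { default = null }` and `variable "diagnostics" { default = {} }` — so the module is created only when profiles are supplied, matching how `function_app.tf` passes `try(each.value.diagnostic_profiles, null)`. `module.diagnostics` keys off `azurerm_function_app.function_app.id`, which is declared outside the hunk.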
@@ -0,0 +1,45 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "uksouth" + } +} + +resource_groups = { + rg1 = { + name = "example-msi-openai-rg1" + } +} + +cognitive_services_account = { + primer = { + resource_group = { + key = "rg1" + } + name = "pinecone-llm-demoopenai" + kind = "OpenAI" + sku_name = "S0" + custom_subdomain_name = "cs-alz-caf-llm-demoopenai" + } +} + +managed_identities = { + workload-msi = { + name = "example-msi-openai-rolemap-msi" + resource_group_key = "rg1" + } +} + +role_mapping = { + built_in_role_mapping = { + cognitive_services_account = { + primer = { + "Cognitive Services User" = { + managed_identities = { + keys = ["workload-msi"] + } + } + } + } + } +} \ No newline at end of file diff --git a/roles.tf b/roles.tf index 69c6332151..6505ff5ad6 100644 --- a/roles.tf +++ b/roles.tf @@ -124,6 +124,7 @@ locals { azurerm_firewalls = local.combined_objects_azurerm_firewalls backup_vaults = local.combined_objects_backup_vaults batch_accounts = local.combined_objects_batch_accounts + cognitive_services_account = local.combined_objects_cognitive_services_accounts data_factory = local.combined_objects_data_factory databricks_workspaces = local.combined_objects_databricks_workspaces dns_zones = local.combined_objects_dns_zones From 6880c81df9fab87d481ebc04a4d8bf7f0a5e4e63 Mon Sep 17 00:00:00 2001 From: Milan Jugovic Date: Mon, 22 Apr 2024 23:26:24 +0200 Subject: [PATCH 050/244] added private endpoint for cognitive services account with an example --- .../configuration.tfvars | 76 +++++++++++++++++++ .../subnet/cognitive_services_account.tf | 36 +++++++++ networking_private_links.tf | 1 + 3 files changed, 113 insertions(+) create mode 100644 examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars create mode 100644 modules/networking/private_links/endpoints/subnet/cognitive_services_account.tf 
diff --git a/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars b/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars new file mode 100644 index 0000000000..73220fa1ca --- /dev/null +++ b/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars @@ -0,0 +1,76 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "uksouth" + } +} + +resource_groups = { + rg1 = { + name = "example-rg1" + } +} + +cognitive_services_account = { + my_account = { + resource_group = { + key = "rg1" + } + name = "pineconellmdemoopenai1" + kind = "OpenAI" + sku_name = "S0" + custom_subdomain_name = "cs-alz-caf-test-b" + #log_analytics_key = "la1" + } +} + +vnets = { + vnet1 = { + resource_group_key = "rg1" + vnet = { + name = "VNet" + address_space = ["10.0.0.0/16"] + } + specialsubnets = {} + subnets = { + private_endpoints_subnet = { + name = "PrivateEndpoints" + cidr = ["10.0.16.0/24"] + enforce_private_endpoint_network_policies = true + enforce_private_link_endpoint_network_policies = false + } + } + } +} + +private_dns = { + dns1 = { + name = "privatelink.openai.azure.com" + resource_group_key = "rg1" + vnet_links = { + vnet_link_01 = { + name = "vnet_link_01" + vnet_key = "vnet1" + } + } + } +} + +private_endpoints = { + vnet1 = { + vnet_key = "vnet1" + subnet_keys = ["private_endpoints_subnet"] + resource_group_key = "rg1" + cognitive_services_account = { + my_account = { + private_service_connection = { + name = "CognitiveServicesPrivateEndpoint" + } + private_dns = { + zone_group_name = "privatelink.openai.azure.com" + keys = ["dns1"] + } + } + } + } +} \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/subnet/cognitive_services_account.tf b/modules/networking/private_links/endpoints/subnet/cognitive_services_account.tf new file mode 100644 index 0000000000..517c4a80b2 --- /dev/null 
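Review bot: The `private_endpoints_subnet` in this example sets `enforce_private_endpoint_network_policies = true` directly next to `enforce_private_link_endpoint_network_policies = false`, and only the second name is used anywhere else on this page (the Istio networking example sets it to `true` on its private endpoint subnet). If the subnet module reads only `enforce_private_link_endpoint_network_policies`, the first key is silently ignored and this example ends up with the opposite policy setting from the other example; if both are honoured, two look-alike keys with opposite values is confusing at best. Keep the single key the module honours, `enforce_private_link_endpoint_network_policies = true`, with a one-line comment stating the intended policy state for the subnet, or drop both if the default already serves the private endpoint below.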
+++ b/modules/networking/private_links/endpoints/subnet/cognitive_services_account.tf 
@@ -0,0 +1,36 @@
+module "cognitive_services_account" {
+ source = "../private_endpoint"
+ for_each = {
+ for key, value in try(var.private_endpoints.cognitive_services_account, {}) : key => value
+ if can(value.lz_key) == false
+ }
+ global_settings = var.global_settings
+ client_config = var.client_config
+ settings = each.value
+ resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.cognitive_services_accounts[var.client_config.landingzone_key][try(each.value.key, each.key)].id
+ subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["account"]))
+ subnet_id = var.subnet_id
+ private_dns = var.private_dns
+ name = try(each.value.name, each.key)
+ resource_group_name = can(each.value.resource_group_key) ? var.resource_groups[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.resource_group_key].name : var.vnet_resource_group_name
+ location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network.
+ base_tags = var.base_tags
+}
+module "cognitive_services_account_remote" {
+ source = "../private_endpoint"
+ for_each = {
+ for key, value in try(var.private_endpoints.cognitive_services_account, {}) : key => value
+ if can(value.lz_key)
+ }
+ global_settings = var.global_settings
+ client_config = var.client_config
+ settings = each.value
+ resource_id = can(each.value.key) ? var.remote_objects.cognitive_services_accounts[each.value.lz_key][each.value.key].id : var.remote_objects.cognitive_services_accounts[each.value.lz_key][each.key].id
+ subresource_names = toset(try(each.value.private_service_connection.subresource_names, ["account"]))
+ subnet_id = var.subnet_id
+ private_dns = var.private_dns
+ name = try(each.value.name, each.key)
+ resource_group_name = can(each.value.resource_group_key) ? 
var.resource_groups[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.resource_group_key].name : var.vnet_resource_group_name
+ location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network.
+ base_tags = var.base_tags
+}
\ No newline at end of file
diff --git a/networking_private_links.tf b/networking_private_links.tf
index db8ea88cb2..a3fc27d0de 100644
--- a/networking_private_links.tf
+++ b/networking_private_links.tf
@@ -19,6 +19,7 @@ module "private_endpoints" {
 app_config = local.combined_objects_app_config
 batch_accounts = local.combined_objects_batch_accounts
 azure_container_registries = local.combined_objects_azure_container_registries
+ cognitive_services_accounts = local.combined_objects_cognitive_services_accounts
 cosmos_dbs = local.combined_objects_cosmos_dbs
 data_factory = local.combined_objects_data_factory
 event_hub_namespaces = local.combined_objects_event_hub_namespaces
From 3dc54873a4d51476b2f5c4bece2d3bac49446744 Mon Sep 17 00:00:00 2001
From: Oleksandr Trapeznikov
Date: Mon, 22 Apr 2024 23:17:30 -0400
Subject: [PATCH 051/244] Add AKS Istio and Open service mesh support (#1878)
* add osm attribute
* add aks service_mesh_profile
* Add AKS with Istio example
---
 .github/workflows/standalone-compute.json | 1 +
 .../109-single-cluster-istio/aks.tfvars | 94 +++++++
 .../diagnostics.tfvars | 7 +
 .../networking.tfvars | 190 ++++++++++++++++++
 modules/compute/aks/aks.tf | 12 +-
 5 files changed, 303 insertions(+), 1 deletion(-)
 create mode 100644 examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars
 create mode 100644 examples/compute/kubernetes_services/109-single-cluster-istio/diagnostics.tfvars
 create mode 100644 examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars
diff --git a/.github/workflows/standalone-compute.json b/.github/workflows/standalone-compute.json
index 2a777d8291..0ef269d56b 100644
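Review bot: `module "cognitive_services_account_remote"` does not honour a caller-supplied `resource_id` the way `module "cognitive_services_account"` above it does (`can(each.value.resource_id) ? each.value.resource_id : …`): an entry that carries both `lz_key` and `resource_id` is routed to the remote module by the `for_each` filter and then silently resolved through `var.remote_objects` instead. The lookup can be aligned with the local variant in one line, `resource_id = can(each.value.resource_id) ? each.value.resource_id : var.remote_objects.cognitive_services_accounts[each.value.lz_key][try(each.value.key, each.key)].id`, which also removes the duplicated index expression. Minor: in the local module the `try(each.value.lz_key, var.client_config.landingzone_key)` inside `resource_group_name` can never take the first branch because the filter excludes entries with `lz_key`, and the new file is committed without a trailing newline.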
--- a/.github/workflows/standalone-compute.json +++ b/.github/workflows/standalone-compute.json @@ -26,6 +26,7 @@ "compute/kubernetes_services/105-cluster-usermsi", "compute/kubernetes_services/107-agic-brownfield", "compute/kubernetes_services/108-single-cluster-remote-adgroup-admin", + "compute/kubernetes_services/109-single-cluster-istio", "compute/proximity_placement_group", "compute/virtual_machine_scale_set/100-linux-win-vmss-lb", "compute/virtual_machine_scale_set/101-linux-win-vmss-agw", diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars new file mode 100644 index 0000000000..c20a45e8b7 --- /dev/null +++ b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars 
@@ -0,0 +1,94 @@ +preview_features = { + "Microsoft.ContainerService" = [ + "AzureServiceMeshPreview" + ] +} + +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } +} + +resource_groups = { + aks_re1 = { + name = "aks-re1" + region = "region1" + } +} + +aks_clusters = { + cluster_re1 = { + name = "akscluster-re1-001" + resource_group_key = "aks_re1" + os_type = "Linux" + + identity = { + type = "SystemAssigned" + } + + vnet_key = "spoke_aks_re1" + + network_profile = { + network_plugin = "azure" + load_balancer_sku = "standard" + } + + # enable_rbac = true + role_based_access_control = { + enabled = true + azure_active_directory = { + managed = true + } + } + + oms_agent = { + log_analytics_key = "central_logs_region1" + } + + service_mesh_profile = { + internal_ingress_gateway_enabled = true + mode = "Istio" + } + + # admin_groups = { + # # ids = [] + # # azuread_groups = { + # # keys = [] + # # } + # } + + load_balancer_profile = { + # Only one option can be set + managed_outbound_ip_count = 1 + } + + default_node_pool = { + name = "sharedsvc" + vm_size = "Standard_F4s_v2" + #subnet_key = "aks_nodepool_system" + subnet = { + key = "aks_nodepool_system" + #resource_id = "/subscriptions/97958dac-xxxx-xxxx-xxxx-9f436fa73bd4/resourceGroups/qxgc-rg-aks-re1/providers/Microsoft.Network/virtualNetworks/qxgc-vnet-aks/subnets/qxgc-snet-aks_nodepool_system" + } + enabled_auto_scaling = false + enable_node_public_ip = false + max_pods = 30 + node_count = 1 + os_disk_size_gb = 512 + tags = { + "project" = "system services" + } + } + + node_resource_group_name = "aks-nodes-re1" + + addon_profile = { + azure_keyvault_secrets_provider = { + secret_rotation_enabled = true + secret_rotation_interval = "2m" + } + } + } +} 
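Review bot: The commented-out `resource_id` under `default_node_pool.subnet` carries a partially redacted subscription id (`97958dac-xxxx-xxxx-xxxx-9f436fa73bd4`) and environment-specific names (`qxgc-rg-aks-re1`, `qxgc-vnet-aks`) that do not belong in a public example; the example already uses `key = "aks_nodepool_system"`, so the line should either go or become a fully placeholder path such as `#resource_id = "/subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>"`. Also, `azure_keyvault_secrets_provider` is placed under `addon_profile` while `oms_agent` is top-level; aks.tf (last hunk of this commit) accepts `oms_agent` in both places, so picking one placement in the example would make it a clearer reference.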
diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/diagnostics.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/diagnostics.tfvars new file mode 100644 index 0000000000..ab1f3ee038 --- /dev/null +++ b/examples/compute/kubernetes_services/109-single-cluster-istio/diagnostics.tfvars @@ -0,0 +1,7 @@ +diagnostic_log_analytics = { + central_logs_region1 = { + region = "region1" + name = "logs" + resource_group_key = "aks_re1" + } +} diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars new file mode 100644 index 0000000000..7707a24d01 --- /dev/null +++ b/examples/compute/kubernetes_services/109-single-cluster-istio/networking.tfvars 
@@ -0,0 +1,190 @@ +vnets = { + spoke_aks_re1 = { + resource_group_key = "aks_re1" + region = "region1" + vnet = { + name = "aks" + address_space = ["100.64.48.0/22"] + } + specialsubnets = {} + subnets = { + aks_nodepool_system = { + name = "aks_nodepool_system" + cidr = ["100.64.48.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + aks_nodepool_user1 = { + name = "aks_nodepool_user1" + cidr = ["100.64.49.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + aks_nodepool_user2 = { + name = "aks_nodepool_user2" + cidr = ["100.64.50.0/24"] + nsg_key = "azure_kubernetes_cluster_nsg" + } + AzureBastionSubnet = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = ["100.64.51.64/27"] + nsg_key = "azure_bastion_nsg" + } + private_endpoints = { + name = "private_endpoints" + cidr = ["100.64.51.0/27"] + enforce_private_link_endpoint_network_policies = true + } + jumpbox = { + name = "jumpbox" + cidr = ["100.64.51.128/27"] + nsg_key = "azure_bastion_nsg" + } + } + + } +} + +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg = {} + azure_kubernetes_cluster_nsg = { + nsg = [ + { + name = "aks-http-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-https-in-allow", + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-api-out-allow-1194", + priority = "100" + direction = "Outbound" + access = "Allow" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "1194" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + }, + { + name = "aks-api-out-allow-9000", + priority = "110" + direction = 
"Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9000" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + }, + { + name = "aks-ntp-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "123" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "aks-https-out-allow-443", + priority = "130" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + ] + } + azure_bastion_nsg = { + + nsg = [ + { + name = "bastion-in-allow", + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "bastion-control-in-allow-443", + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "135" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "Kerberos-password-change", + priority = "121" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "4443" + source_address_prefix = "GatewayManager" + destination_address_prefix = "*" + }, + { + name = "bastion-vnet-out-allow-22", + priority = "103" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-vnet-out-allow-3389", + priority = "101" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "*" + 
destination_address_prefix = "VirtualNetwork" + }, + { + name = "bastion-azure-out-allow", + priority = "120" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "AzureCloud" + } + ] + } +} diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index 14a76b7407..3ac8887a23 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf @@ -169,7 +169,7 @@ resource "azurerm_kubernetes_cluster" "aks" { for_each = try(var.settings.addon_profile.oms_agent[*], var.settings.oms_agent[*], {}) content { - log_analytics_workspace_id = can(oms_agent.value.log_analytics_workspace_id) ? oms_agent.value.log_analytics_workspace_id : var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id + log_analytics_workspace_id = can(oms_agent.value.log_analytics_workspace_id) ? oms_agent.value.log_analytics_workspace_id : var.diagnostics.log_analytics[oms_agent.value.log_analytics_key].id msi_auth_for_monitoring_enabled = try(oms_agent.value.msi_auth_for_monitoring_enabled, null) } } 
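Review bot: `azure_kubernetes_cluster_nsg` opens inbound TCP 80 and 443 from `*` to `*` on every AKS node pool subnet (`aks-http-in-allow`, `aks-https-in-allow`), although the cluster in aks.tfvars only sets `internal_ingress_gateway_enabled = true` and no external gateway, so nothing on those subnets is meant to receive Internet traffic; the two rules widen the node subnets' exposure without serving the example and should be dropped or scoped to the load balancer frontend. In `azure_bastion_nsg`, `bastion-control-in-allow-443` actually permits `destination_port_range = "135"`, which contradicts its name; as far as I know the Bastion control-plane rule is 443 from `GatewayManager`, so either the port or the name needs fixing. The `jumpbox` subnet also reuses `azure_bastion_nsg` and therefore inherits the 443-from-anywhere inbound allow; a comment on why the jumpbox shares Bastion's rules, or a dedicated NSG, would help.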
@@ -349,8 +349,18 @@ resource "azurerm_kubernetes_cluster" "aks" {
 }
 }
 
+ dynamic "service_mesh_profile" {
+ for_each = try(var.settings.service_mesh_profile[*], {})
+ content {
+ mode = try(service_mesh_profile.value.mode, null)
+ internal_ingress_gateway_enabled = try(service_mesh_profile.value.internal_ingress_gateway_enabled, null)
+ external_ingress_gateway_enabled = try(service_mesh_profile.value.external_ingress_gateway_enabled, null)
+ }
+ }
+
 node_resource_group = azurecaf_name.rg_node.result
 oidc_issuer_enabled = try(var.settings.oidc_issuer_enabled, null)
+ open_service_mesh_enabled = try(var.settings.open_service_mesh_enabled, null)
 private_cluster_enabled = try(var.settings.private_cluster_enabled, null)
 private_dns_zone_id = try(var.private_dns_zone_id, null)
 private_cluster_public_fqdn_enabled = try(var.settings.private_cluster_public_fqdn_enabled, null)
From d335431fb66729869500219157ff33bb3c4cc32b Mon Sep 17 00:00:00 2001
From: Viacheslav Kuzmenko <60648640+onlyillusion@users.noreply.github.com>
Date: Tue, 23 Apr 2024 06:39:36 +0300
Subject: [PATCH 052/244] Add disk_encryption_set_id support to VM module (#1952)
* add support for disk_encryption_set_id to vm module
* Update configurations.tfvars
* Update configurations.tfvars
* Update vm_disk.tf
* Update vm_linux.tf
* Update vm_windows.tf
---
 .../212-vm-disk-encryption-set/configurations.tfvars | 1 +
 modules/compute/virtual_machine/vm_disk.tf | 5 ++---
 modules/compute/virtual_machine/vm_linux.tf | 3 +--
 modules/compute/virtual_machine/vm_windows.tf | 3 +--
 4 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/examples/compute/virtual_machine/212-vm-disk-encryption-set/configurations.tfvars b/examples/compute/virtual_machine/212-vm-disk-encryption-set/configurations.tfvars
index 56bdeaed0f..615d94cd16 100644
--- a/examples/compute/virtual_machine/212-vm-disk-encryption-set/configurations.tfvars
+++ b/examples/compute/virtual_machine/212-vm-disk-encryption-set/configurations.tfvars
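Review bot: `mode = try(service_mesh_profile.value.mode, null)` turns a missing `mode` into `null`, but as far as I know `mode` is a required argument of the provider's `service_mesh_profile` block, so a settings object without it still fails at plan time with a provider error that does not name the configuration key; `mode = service_mesh_profile.value.mode` fails earlier and points at the right place. Separately, nothing stops a caller from setting `open_service_mesh_enabled = true` alongside an Istio `service_mesh_profile`; I believe AKS treats the OSM add-on and the Istio add-on as alternatives, so a short comment on the new `open_service_mesh_enabled` line, e.g. `# OSM add-on; not meant to be combined with service_mesh_profile (Istio)`, would save a failed apply. The `for_each = try(var.settings.service_mesh_profile[*], {})` splat pattern matches the `oms_agent` block in the previous hunk, which keeps the file consistent.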
@@ -152,6 +152,7 @@ virtual_machines = { disk_encryption_set_key = "set1" # lz_key = "" # for remote disk_encryption_set + # disk_encryption_set_id = "/subscription/xxx/id" # for disk_encryption_set_id } source_image_reference = { diff --git a/modules/compute/virtual_machine/vm_disk.tf b/modules/compute/virtual_machine/vm_disk.tf index 2f1b9aea7c..3195a8945a 100644 --- a/modules/compute/virtual_machine/vm_disk.tf +++ b/modules/compute/virtual_machine/vm_disk.tf @@ -10,7 +10,7 @@ data "azurecaf_name" "disk" { use_slug = var.global_settings.use_slug } -resource "azurerm_managed_disk" "disk" { +resource "azurerm_managed_disk" "disk" { for_each = lookup(var.settings, "data_disks", {}) name = data.azurecaf_name.disk[each.key].result @@ -23,8 +23,7 @@ resource "azurerm_managed_disk" "disk" { disk_iops_read_write = try(each.value.disk_iops_read_write, null) disk_mbps_read_write = try(each.value.disk.disk_mbps_read_write, null) tags = merge(local.tags, try(each.value.tags, {})) - disk_encryption_set_id = try(each.value.disk_encryption_set_key, null) == null ? null : var.disk_encryption_sets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.disk_encryption_set_key].id - + disk_encryption_set_id = can(each.value.disk_encryption_set_id) ? each.value.disk_encryption_set_id : can(each.value.disk_encryption_set_key) ? var.disk_encryption_sets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.disk_encryption_set_key].id : null lifecycle { ignore_changes = [ name, #for ASR disk restores diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index dc0acc4cc5..5bd8b073e9 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
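Review bot: The new `disk_encryption_set_id` expression in vm_disk.tf, and the identical ones in vm_linux.tf and vm_windows.tf on the next two lines, no longer wrap the `var.disk_encryption_sets[...]` lookup in `try(..., null)` as the old os_disk expressions in vm_linux.tf and vm_windows.tf did, so a mistyped `disk_encryption_set_key` or a wrong `lz_key` now fails the plan instead of silently producing a disk with platform-managed keys. For an encryption setting that is the right failure mode, and worth a comment so it is not "fixed" back later: `# a bad disk_encryption_set_key/lz_key is a hard error on purpose: never fall back to an unencrypted disk`. The same ~250-character nested ternary is now repeated three times; a `locals` entry per disk type would keep the three in step the next time the precedence rules change.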
@@ -148,8 +148,7 @@ resource "azurerm_linux_virtual_machine" "vm" { name = try(data.azurecaf_name.os_disk_linux[each.key].result, null) storage_account_type = try(each.value.os_disk.storage_account_type, null) write_accelerator_enabled = try(each.value.os_disk.write_accelerator_enabled, false) - disk_encryption_set_id = try(each.value.os_disk.disk_encryption_set_key, null) == null ? null : try(var.disk_encryption_sets[var.client_config.landingzone_key][each.value.os_disk.disk_encryption_set_key].id, var.disk_encryption_sets[each.value.os_disk.lz_key][each.value.os_disk.disk_encryption_set_key].id, null) - + disk_encryption_set_id = can(each.value.os_disk.disk_encryption_set_id) ? each.value.os_disk.disk_encryption_set_id : can(each.value.os_disk.disk_encryption_set_key) ? var.disk_encryption_sets[try(each.value.os_disk.lz_key, var.client_config.landingzone_key)][each.value.os_disk.disk_encryption_set_key].id : null dynamic "diff_disk_settings" { for_each = try(each.value.diff_disk_settings, false) == false ? [] : [1] diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf index 19f98f932b..cd15555e34 100644 --- a/modules/compute/virtual_machine/vm_windows.tf +++ b/modules/compute/virtual_machine/vm_windows.tf 
@@ -81,8 +81,7 @@ resource "azurerm_windows_virtual_machine" "vm" { name = data.azurecaf_name.os_disk_windows[each.key].result storage_account_type = each.value.os_disk.storage_account_type write_accelerator_enabled = try(each.value.os_disk.write_accelerator_enabled, false) - disk_encryption_set_id = try(each.value.os_disk.disk_encryption_set_key, null) == null ? null : try(var.disk_encryption_sets[var.client_config.landingzone_key][each.value.os_disk.disk_encryption_set_key].id, var.disk_encryption_sets[each.value.os_disk.lz_key][each.value.os_disk.disk_encryption_set_key].id, null) - + disk_encryption_set_id = can(each.value.os_disk.disk_encryption_set_id) ? each.value.os_disk.disk_encryption_set_id : can(each.value.os_disk.disk_encryption_set_key) ? var.disk_encryption_sets[try(each.value.os_disk.lz_key, var.client_config.landingzone_key)][each.value.os_disk.disk_encryption_set_key].id : null dynamic "diff_disk_settings" { for_each = try(each.value.diff_disk_settings, false) == false ? [] : [1] From 303ec73bc65e134b1268f6efcfe1efc78f94c35d Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 26 Apr 2024 13:13:39 +0800 Subject: [PATCH 053/244] Terraform 1.8.1 and housekeeping (#1969) * Rover update * ARO version update * Pipelines housekeeping * Update example --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/landingzone-scenarios.yaml | 4 ++-- .github/workflows/rover.yaml | 4 ++-- .github/workflows/standalone-compute.yaml | 8 ++++---- .github/workflows/standalone-networking.yaml | 8 ++++---- .github/workflows/standalone-regressor-tf100.yaml | 10 +++++----- .github/workflows/standalone-tf100.yaml | 8 ++++---- .../101_basic_private_cluster/aro.tfvars | 2 +- .../102_basic_public_cluster/aro.tfvars | 2 +- .../109-single-cluster-istio/aks.tfvars | 6 ------ rover_on_ssh_host.yml | 2 +- 11 files changed, 25 insertions(+), 31 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 5bb99e8792..f4266941e2 100644 
--- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.5.6-2309.0507 + image: aztfmod/rover:1.8.1-2404.2314 user: vscode labels: diff --git a/.github/workflows/landingzone-scenarios.yaml b/.github/workflows/landingzone-scenarios.yaml index 29e43f4e44..cc789c8e24 100644 --- a/.github/workflows/landingzone-scenarios.yaml +++ b/.github/workflows/landingzone-scenarios.yaml @@ -46,7 +46,7 @@ jobs: outputs: jobs: ${{ steps.load_scenarios.outputs.jobs }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: load_scenarios run: | jobs=$( cat ./.github/workflows/${{ github.event.inputs.scenario }} | jq -c .) @@ -86,7 +86,7 @@ jobs: needs: [job] container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: diff --git a/.github/workflows/rover.yaml b/.github/workflows/rover.yaml index 0b37069de5..a4b59e9e0c 100644 --- a/.github/workflows/rover.yaml +++ b/.github/workflows/rover.yaml @@ -46,7 +46,7 @@ jobs: needs: rover_setup container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 env: @@ -58,7 +58,7 @@ jobs: ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set Environment Variables run: | diff --git a/.github/workflows/standalone-compute.yaml b/.github/workflows/standalone-compute.yaml index addc4b4ad5..5fe7004f58 100644 --- a/.github/workflows/standalone-compute.yaml +++ b/.github/workflows/standalone-compute.yaml @@ -30,7 +30,7 @@ jobs: outputs: matrix: ${{ steps.load_scenarios.outputs.matrix }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: load_scenarios run: | cases=$(cat ./.github/workflows/standalone-compute.json | jq -c .) 
@@ -46,12 +46,12 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Create environment variables run: | @@ -131,7 +131,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: diff --git a/.github/workflows/standalone-networking.yaml b/.github/workflows/standalone-networking.yaml index 1993780eca..b8733455ca 100644 --- a/.github/workflows/standalone-networking.yaml +++ b/.github/workflows/standalone-networking.yaml @@ -30,7 +30,7 @@ jobs: outputs: matrix: ${{ steps.load_scenarios.outputs.matrix }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: load_scenarios run: | cases=$(cat ./.github/workflows/standalone-networking.json | jq -c .) @@ -46,12 +46,12 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Create environment variables run: | @@ -131,7 +131,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: diff --git a/.github/workflows/standalone-regressor-tf100.yaml b/.github/workflows/standalone-regressor-tf100.yaml index c5efcfd152..e8cdc30a5d 100644 --- a/.github/workflows/standalone-regressor-tf100.yaml +++ b/.github/workflows/standalone-regressor-tf100.yaml @@ -41,7 +41,7 @@ jobs: outputs: matrix: ${{ steps.load_scenarios.outputs.matrix }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: load_scenarios run: | cases=$(( 
@@ -58,12 +58,12 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: - name: Checkout with tag ${{ github.event.inputs.base_version }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.base_version }} @@ -107,7 +107,7 @@ jobs: ${{ env.PLAN_FILE }} - name: Checkout from selected branch - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Terraform Init example with selected branch run: | @@ -178,7 +178,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: diff --git a/.github/workflows/standalone-tf100.yaml b/.github/workflows/standalone-tf100.yaml index 1ef75d3a8f..230ab8df49 100644 --- a/.github/workflows/standalone-tf100.yaml +++ b/.github/workflows/standalone-tf100.yaml @@ -37,7 +37,7 @@ jobs: outputs: matrix: ${{ steps.load_scenarios.outputs.matrix }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: load_scenarios run: | cases=$(( @@ -55,12 +55,12 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Create environment variables run: | @@ -140,7 +140,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.5.7-2310.0211 + image: aztfmod/rover:1.8.1-2404.2314 options: --user 0 steps: diff --git a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars index 9f9ecf1fde..71c634ecc4 100644 --- a/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars +++ b/examples/compute/azure_redhat_openshift/101_basic_private_cluster/aro.tfvars 
@@ -49,7 +49,7 @@ aro_clusters = { # secret = "your_secret" # secret_id = "resource_id_of_the_secret" #} - version = "4.10.40" + version = "4.13.23" resource_group = { # cant be an existing RG, you can specify the name of the RG to create with id="" or just a name="" # id = "resource_group_id" diff --git a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars index e7601597a7..b62efbb214 100644 --- a/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars +++ b/examples/compute/azure_redhat_openshift/102_basic_public_cluster/aro.tfvars @@ -48,7 +48,7 @@ aro_clusters = { # secret = "your_secret" # secret_id = "resource_id_of_the_secret" #} - version = "4.10.40" + version = "4.13.23" resource_group = { # cant be an existing RG, you can specify the name of the RG to create with id="" or just a name="" # id = "resource_group_id" diff --git a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars index c20a45e8b7..89661ee997 100644 --- a/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars +++ b/examples/compute/kubernetes_services/109-single-cluster-istio/aks.tfvars @@ -1,9 +1,3 @@ -preview_features = { - "Microsoft.ContainerService" = [ - "AzureServiceMeshPreview" - ] -} - global_settings = { default_region = "region1" regions = { diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index 74132a91f2..492809e131 100644 --- a/rover_on_ssh_host.yml +++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.5.7-2310.0211 +R image: aztfmod/rover:1.8.1-2404.2314 user: vscode From a0d4ba1a89eb545ad3c145a28dc4a07429be5b8d Mon Sep 17 00:00:00 2001 
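Review bot: The new line in rover_on_ssh_host.yml reads `+R image: aztfmod/rover:1.8.1-2404.2314` — a stray `R` was committed in front of `image:`, so the `rover` service no longer has an `image` key and, depending on where the `R` sits relative to the indentation, the file may not parse as YAML at all. The line should be `image: aztfmod/rover:1.8.1-2404.2314`, matching .devcontainer/docker-compose.yml in the same commit. The next patch (054, further down this page) bumps the tag again and keeps the `R`, so the typo survives both revisions.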
From: Arnaud Lheureux Date: Thu, 2 May 2024 11:44:35 +0700 Subject: [PATCH 054/244] Rover with Terraform 1.7.5 (#1970) * Terraform 1.7.5 --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/landingzone-scenarios.yaml | 2 +- .github/workflows/rover.yaml | 2 +- .github/workflows/standalone-compute.yaml | 4 ++-- .github/workflows/standalone-networking.yaml | 4 ++-- .github/workflows/standalone-regressor-tf100.yaml | 4 ++-- .github/workflows/standalone-tf100.yaml | 4 ++-- rover_on_ssh_host.yml | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index f4266941e2..abb8fc8456 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 user: vscode labels: diff --git a/.github/workflows/landingzone-scenarios.yaml b/.github/workflows/landingzone-scenarios.yaml index cc789c8e24..e3d52f4533 100644 --- a/.github/workflows/landingzone-scenarios.yaml +++ b/.github/workflows/landingzone-scenarios.yaml @@ -86,7 +86,7 @@ jobs: needs: [job] container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: diff --git a/.github/workflows/rover.yaml b/.github/workflows/rover.yaml index a4b59e9e0c..d03b3be271 100644 --- a/.github/workflows/rover.yaml +++ b/.github/workflows/rover.yaml @@ -46,7 +46,7 @@ jobs: needs: rover_setup container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 env: diff --git a/.github/workflows/standalone-compute.yaml b/.github/workflows/standalone-compute.yaml index 5fe7004f58..5b80628294 100644 --- a/.github/workflows/standalone-compute.yaml +++ b/.github/workflows/standalone-compute.yaml 
@@ -46,7 +46,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: @@ -131,7 +131,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: diff --git a/.github/workflows/standalone-networking.yaml b/.github/workflows/standalone-networking.yaml index b8733455ca..26010aab56 100644 --- a/.github/workflows/standalone-networking.yaml +++ b/.github/workflows/standalone-networking.yaml @@ -46,7 +46,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: @@ -131,7 +131,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.8.0-2405.0203 options: --user 0 steps: diff --git a/.github/workflows/standalone-regressor-tf100.yaml b/.github/workflows/standalone-regressor-tf100.yaml index e8cdc30a5d..428a4cf791 100644 --- a/.github/workflows/standalone-regressor-tf100.yaml +++ b/.github/workflows/standalone-regressor-tf100.yaml @@ -58,7 +58,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: @@ -178,7 +178,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: diff --git a/.github/workflows/standalone-tf100.yaml b/.github/workflows/standalone-tf100.yaml index 230ab8df49..c9d2aeba9e 100644 --- a/.github/workflows/standalone-tf100.yaml +++ b/.github/workflows/standalone-tf100.yaml @@ -55,7 +55,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: 
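Review bot: The second hunk of standalone-networking.yaml pins the job that depends on `testcases` to `aztfmod/rover:1.8.0-2405.0203`, while the commit subject says Terraform 1.7.5 and every other hunk in this commit pins `1.7.5-2405.0203`; the same `1.8.0` tag is written into rover_on_ssh_host.yml in the following hunk. Two jobs of one workflow running different Terraform versions can disagree on plan output in ways the other job cannot reproduce. Unless the 1.8.0 build is intended there, the line should be `image: aztfmod/rover:1.7.5-2405.0203`. The rover_on_ssh_host.yml hunk also carries the stray `R` before `image:` forward unchanged.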
@@ -140,7 +140,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.8.1-2404.2314 + image: aztfmod/rover:1.7.5-2405.0203 options: --user 0 steps: diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index 492809e131..3ca008f2df 100644 --- a/rover_on_ssh_host.yml +++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: -R image: aztfmod/rover:1.8.1-2404.2314 +R image: aztfmod/rover:1.8.0-2405.0203 user: vscode From 51be0750e4cb69567b1fa1d34520c71a4c5d713c Mon Sep 17 00:00:00 2001 From: Leela Satyavathi Pentakota <106110313+leelasatyavathip@users.noreply.github.com> Date: Thu, 2 May 2024 11:39:41 +0530 Subject: [PATCH 055/244] Add Private Endpoint feature for SQL MI module (#1963) * Added block for sqlmi private endpoint deployment and updated examples * added sqlmi example in longrunners file --- .../standalone-scenarios-longrunners.json | 1 + examples/mssql_mi/200-mi/configuration.tfvars | 21 ++++++++++++++++- examples/mssql_mi/200-mi/nsg.tfvars | 3 +++ .../private_endpoints.tf | 23 +++++++++++++++++++ .../mssql_managed_instance/variables.tf | 10 ++++++++ .../private_endpoints.tf | 23 +++++++++++++++++++ .../mssql_managed_instance_v1/variables.tf | 12 +++++++++- msssql_managed_instances.tf | 11 ++++++++- msssql_managed_instances_v1.tf | 10 ++++++++ 9 files changed, 111 insertions(+), 3 deletions(-) create mode 100644 modules/databases/mssql_managed_instance/private_endpoints.tf create mode 100644 modules/databases/mssql_managed_instance_v1/private_endpoints.tf diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json index 06cf1ee6fc..89371a1435 100644 --- a/.github/workflows/standalone-scenarios-longrunners.json +++ b/.github/workflows/standalone-scenarios-longrunners.json 
@@ -19,6 +19,7 @@ "apim/117-api_management_product", "app_gateway/301-agw-v1", "compute/vmware_cluster/101-vmware_cluster", + "mssql_mi/200-mi", "networking/virtual_network_gateway/100-expressroute-gateway", "networking/virtual_network_gateway/101-vpn-site-to-site", "networking/virtual_network_gateway/102-vpn-site-to-site-active-active", diff --git a/examples/mssql_mi/200-mi/configuration.tfvars b/examples/mssql_mi/200-mi/configuration.tfvars index 72c3278848..962c048b99 100644 --- a/examples/mssql_mi/200-mi/configuration.tfvars +++ b/examples/mssql_mi/200-mi/configuration.tfvars @@ -21,7 +21,7 @@ vnets = { resource_group_key = "networking_region1" vnet = { name = "sqlmi-rg1" - address_space = ["172.25.88.0/21"] + address_space = ["172.25.88.0/21","10.2.0.0/24"] } subnets = { sqlmi1 = { @@ -39,6 +39,12 @@ vnets = { ] } } + subnet02 = { + name = "subnet02" + cidr = ["10.2.0.0/24"] + nsg_key = "subnet02" + route_table_key = "sqlmi1" + } } } } @@ -71,6 +77,19 @@ mssql_managed_instances = { storageSizeInGB = 32 vCores = 8 + private_endpoints = { + privatelink-sqlmi = { + name = "pe-sqlmi1" + vnet_key = "sqlmi_region1" + subnet_key = "subnet02" + resource_group_key = "sqlmi_region1" + private_service_connection = { + name = "conn-sqlmi1" + is_manual_connection = false + subresource_names = ["managedInstance"] + } + } + } } } diff --git a/examples/mssql_mi/200-mi/nsg.tfvars b/examples/mssql_mi/200-mi/nsg.tfvars index a01fed2440..d07e9224d5 100644 --- a/examples/mssql_mi/200-mi/nsg.tfvars +++ b/examples/mssql_mi/200-mi/nsg.tfvars @@ -83,4 +83,7 @@ network_security_group_definition = { } ] } + subnet02 = { + nsg= [] + } } diff --git a/modules/databases/mssql_managed_instance/private_endpoints.tf b/modules/databases/mssql_managed_instance/private_endpoints.tf new file mode 100644 index 0000000000..81e3668e46 --- /dev/null +++ b/modules/databases/mssql_managed_instance/private_endpoints.tf 
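Review bot: The added example values are not `terraform fmt` clean: `address_space = ["172.25.88.0/21","10.2.0.0/24"]` lacks the space after the comma and `nsg= []` in nsg.tfvars lacks the space before `=`, which a formatting check in CI would flag. The example would also benefit from stating what `subnet02` is for, since it is the subnet the new `private_endpoints` block targets, e.g. `# subnet02 hosts the SQL MI private endpoint; no NSG rules are applied to it` above the `subnet02` block.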
@@ -0,0 +1,23 @@ + + +# +# Private endpoint +# + +module "private_endpoint" { + source = "../../networking/private_endpoint" + for_each = var.private_endpoints + + resource_id = local.output.id + name = each.value.name + location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + + settings = each.value + global_settings = var.global_settings + base_tags = var.inherit_tags + tags = local.tags + private_dns = var.private_dns + client_config = var.client_config +} diff --git a/modules/databases/mssql_managed_instance/variables.tf b/modules/databases/mssql_managed_instance/variables.tf index 2aafbc3456..7b6ba43c80 100644 --- a/modules/databases/mssql_managed_instance/variables.tf +++ b/modules/databases/mssql_managed_instance/variables.tf @@ -7,6 +7,10 @@ variable "base_tags" { description = "Base tags for the resource to be inherited from the resource group." type = map(any) } +variable "inherit_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} variable "subnet_id" {} variable "resource_group_name" { description = "(Required) The name of the resource group where to create the resource." @@ -20,3 +24,9 @@ variable "primary_server_id" { default = "" } variable "keyvault" {} +variable "vnets" {} +variable "resource_groups" {} +variable "private_endpoints" {} +variable "private_dns" { + default = {} +} 
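Review bot: The new `inherit_tags` variable in modules/databases/mssql_managed_instance/variables.tf reuses the `base_tags` description, "Base tags for the resource to be inherited from the resource group.", although it is declared `type = bool`, so a reader of the module interface cannot tell it is a switch. Suggest `description = "When true, the resource group's tags (base_tags) are inherited by the resources of this module."`. The new `vnets`, `resource_groups` and `private_endpoints` variables carry neither description nor default, so the module no longer plans unless every caller passes them even when no private endpoint is wanted; `variable "private_endpoints" { default = {} }` matches how `private_dns` is declared here and how the root passes `try(each.value.private_endpoints, {})`. The same applies to the v1 module's variables.tf hunk that follows.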
diff --git a/modules/databases/mssql_managed_instance_v1/private_endpoints.tf b/modules/databases/mssql_managed_instance_v1/private_endpoints.tf new file mode 100644 index 0000000000..7b1d83fe7b --- /dev/null +++ b/modules/databases/mssql_managed_instance_v1/private_endpoints.tf @@ -0,0 +1,23 @@ + + +# +# Private endpoint +# + +module "private_endpoint" { + source = "../../networking/private_endpoint" + for_each = var.private_endpoints + + resource_id = azurerm_mssql_managed_instance.mssqlmi.id + name = each.value.name + location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + + settings = each.value + global_settings = var.global_settings + base_tags = var.inherit_tags + tags = local.tags + private_dns = var.private_dns + client_config = var.client_config +} diff --git a/modules/databases/mssql_managed_instance_v1/variables.tf b/modules/databases/mssql_managed_instance_v1/variables.tf index 8504b3733b..2ee8d621a8 100644 --- a/modules/databases/mssql_managed_instance_v1/variables.tf +++ b/modules/databases/mssql_managed_instance_v1/variables.tf @@ -30,7 +30,16 @@ variable "group_id" { } variable "keyvault" {} - +variable "resource_groups" {} +variable "vnets" {} +variable "private_endpoints" {} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = map(any) +} +variable "private_dns" { + default = {} +} variable "primary_server_id" {} variable "settings" { 
@@ -54,6 +63,7 @@ variable "settings" { "minimal_tls_version", "name", "networking", + "private_endpoints", "primary_server", "proxy_override", "public_data_endpoint_enabled", diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf index 5bf6b33d61..e4e0b84ad3 100644 --- a/msssql_managed_instances.tf +++ b/msssql_managed_instances.tf @@ -16,8 +16,12 @@ module "mssql_managed_instances" { location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + inherit_tags = try(local.global_settings.inherit_tags, false) keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] - + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups } module "mssql_managed_instances_secondary" { 
@@ -34,9 +38,14 @@ module "mssql_managed_instances_secondary" { location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + inherit_tags = try(local.global_settings.inherit_tags, false) subnet_id = can(each.value.networking.subnet_id) ? each.value.networking.subnet_id : local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups } module "mssql_mi_failover_groups" { 
diff --git a/msssql_managed_instances_v1.tf b/msssql_managed_instances_v1.tf index f1ac78b3f0..9de5953861 100644 --- a/msssql_managed_instances_v1.tf +++ b/msssql_managed_instances_v1.tf @@ -34,7 +34,12 @@ module "mssql_managed_instances_v1" { keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] primary_server_id = null group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) resource_group = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? null : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null 
@@ -57,7 +62,12 @@ module "mssql_managed_instances_secondary_v1" { primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.administrators.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) resource_group = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? null : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null From e200534e3fd682e04781f835a05a63c373c6ee64 Mon Sep 17 00:00:00 2001 
From: "janik.muenk" Date: Tue, 14 May 2024 08:01:26 +0000 Subject: [PATCH 056/244] fix(logic-apps): #1973 - adding version, fixing identity assignment --- logic_app.tf | 32 +++++++++---------- .../logic_app/standard/managed_identities.tf | 17 ---------- modules/logic_app/standard/module.tf | 17 +++++++--- modules/logic_app/standard/variables.tf | 8 ++--- 4 files changed, 33 insertions(+), 41 deletions(-) delete mode 100644 modules/logic_app/standard/managed_identities.tf diff --git a/logic_app.tf b/logic_app.tf index 47d15f8b1e..a592845324 100644 --- a/logic_app.tf +++ b/logic_app.tf 
@@ -140,23 +140,23 @@ module "logic_app_standard" { for_each = local.logic_app.logic_app_standard - global_settings = local.global_settings - client_config = local.client_config - settings = each.value - resource_groups = local.combined_objects_resource_groups - storage_accounts = local.combined_objects_storage_accounts - app_service_plans = local.combined_objects_app_service_plans - app_settings = try(each.value.app_settings, null) - subnets = local.combined_objects_networking - identity = try(each.value.identity, null) - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - vnets = local.combined_objects_networking - virtual_subnets = local.combined_objects_virtual_subnets - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} - vnet_integration = try(each.value.vnet_integration, {}) + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + resource_groups = local.combined_objects_resource_groups + storage_accounts = local.combined_objects_storage_accounts + app_service_plans = local.combined_objects_app_service_plans + app_settings = try(each.value.app_settings, null) + subnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + vnets = local.combined_objects_networking + virtual_subnets = local.combined_objects_virtual_subnets + base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + vnet_integration = try(each.value.vnet_integration, {}) + managed_identities = local.combined_objects_managed_identities } output "logic_app_standard" { value = module.logic_app_standard -} \ No newline at end of file +} 
diff --git a/modules/logic_app/standard/managed_identities.tf b/modules/logic_app/standard/managed_identities.tf deleted file mode 100644 index cb18c82023..0000000000 --- a/modules/logic_app/standard/managed_identities.tf +++ /dev/null @@ -1,17 +0,0 @@ -locals { - managed_local_identities = flatten([ - for managed_identity_key in try(var.identity.managed_identity_keys, []) : [ - var.combined_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id - ] - ]) - - managed_remote_identities = flatten([ - for keyvault_key, value in try(var.identity.remote, []) : [ - for managed_identity_key in value.managed_identity_keys : [ - var.combined_objects.managed_identities[keyvault_key][managed_identity_key].id - ] - ] - ]) - - managed_identities = concat(local.managed_local_identities, local.managed_remote_identities) -} \ No newline at end of file diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index a2606ec3b4..6c5e53c9e2 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -15,6 +15,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { app_service_plan_id = local.app_service_plan.id storage_account_name = local.storage_account.name storage_account_access_key = local.storage_account.primary_access_key + version = lookup(var.settings, "version", null) app_settings = local.app_settings 
@@ -42,14 +43,22 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } } } + dynamic "identity" { + for_each = lookup(var.settings, "identity", {}) != {} ? [1] : [] + content { + type = lookup(var.settings.identity, "type", null) + identity_ids = try(try(lookup(var.settings.identity, "identity_ids"), [try(var.managed_identities[var.client_config.landingzone_key][var.settings.identity.key].id, var.managed_identities[var.settings.identity.lz_key][var.settings.identity.key].id)]), null) + } + } + } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) } \ No newline at end of file diff --git a/modules/logic_app/standard/variables.tf b/modules/logic_app/standard/variables.tf index 8cce8a818e..7521d7fb84 100644 --- a/modules/logic_app/standard/variables.tf 
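Review bot: The `identity_ids` expression in the new `dynamic "identity"` block wraps every lookup in `try(try(...), null)`, so a mistyped `identity.key` or `identity.lz_key` silently yields `identity_ids = null` instead of a plan-time error naming the bad key; with `type = "UserAssigned"` the failure then surfaces later from the provider. The shape of the `identity` setting is also documented nowhere in the module; a comment above the block such as `# identity = { type = "SystemAssigned" | "UserAssigned", key = <managed_identities key>, lz_key = <optional landing zone>, identity_ids = <explicit resource ids> }` would make the contract visible. The enclosing `azurerm_logic_app_standard.logic_app_standard` resource starts before this hunk.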
+++ b/modules/logic_app/standard/variables.tf @@ -34,9 +34,6 @@ variable "vnets" { variable "base_tags" { default = {} } -variable "identity" { - default = null -} variable "combined_objects" { default = {} } @@ -45,4 +42,7 @@ variable "virtual_subnets" { } variable "vnet_integration" { default = {} -} \ No newline at end of file +} +variable "managed_identities" { + default = {} +} From bbcd4e9b49b7a1d4feaeb33d80d0a838f5d99622 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 17 May 2024 09:36:00 +0000 Subject: [PATCH 057/244] fix: bool is expected --- logic_app.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logic_app.tf b/logic_app.tf index a592845324..c2837dd247 100644 --- a/logic_app.tf +++ b/logic_app.tf @@ -152,7 +152,7 @@ module "logic_app_standard" { private_dns = local.combined_objects_private_dns vnets = local.combined_objects_networking virtual_subnets = local.combined_objects_virtual_subnets - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + base_tags = try(local.global_settings.inherit_tags, false) vnet_integration = try(each.value.vnet_integration, {}) managed_identities = local.combined_objects_managed_identities } From 44dda4af891e2a6c9922acc4197abc3945121beb Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Wed, 15 May 2024 13:12:29 +0000 Subject: [PATCH 058/244] fix: azurerm_logic_app_standard virtual_network_subnet_id is always reset --- modules/logic_app/standard/module.tf | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 6c5e53c9e2..9492b72576 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf 
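Review bot: After this one-line change `base_tags` in logic_app.tf carries the boolean `try(local.global_settings.inherit_tags, false)`, but the module input it feeds, `variable "base_tags" { default = {} }` in modules/logic_app/standard/variables.tf (visible as context in the previous hunk), still defaults to an empty map, so the declared default and the value actually passed disagree in type. Suggest `variable "base_tags" { description = "Whether to inherit the resource group tags." default = false }`, or rename the input to `inherit_tags` as the mssql modules in this series do.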
@@ -16,7 +16,8 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 storage_account_name = local.storage_account.name
 storage_account_access_key = local.storage_account.primary_access_key
 version = lookup(var.settings, "version", null)
-
+ virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id,
+ try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.vnet_integration.subnet_key].id, var.virtual_subnets[var.settings.vnet_integration.lz_key][var.settings.vnet_integration.subnet_key].id)) : null
 app_settings = local.app_settings
 dynamic "site_config" {
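Review bot: The new `virtual_network_subnet_id` value nests one conditional inside the true branch of another without parentheses (`... != null ? can(...) ? a : try(...) : null`), which is hard to read and easy to mis-edit; parenthesising the inner conditional or moving the whole expression into a `local` (say `local.vnet_integration_subnet_id`) would keep the intent obvious. It also reads the integration settings from `var.settings.vnet_integration`, whereas the swift-connection resource removed in the next hunk read `var.vnet_integration`; if nothing else in the module reads `var.vnet_integration`, that variable and the `vnet_integration = try(each.value.vnet_integration, {})` wiring in logic_app.tf become dead and should go. The resource block starts before this hunk.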
@@ -53,12 +54,12 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } -resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 - - app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) - -} \ No newline at end of file +#resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { +# depends_on = [azurerm_logic_app_standard.logic_app_standard] +# count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 +# +# app_service_id = azurerm_logic_app_standard.logic_app_standard.id +# subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, +# try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) +# +#} \ No newline at end of file From 2dfc5e50747ff1cab1ad06e05f5842534c4e0e24 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 17 May 2024 11:00:19 +0000 Subject: [PATCH 059/244] feat: adding example --- .../configuration.tfvars | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars 
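Review bot: The `azurerm_app_service_virtual_network_swift_connection` resource is kept as a commented-out block instead of being deleted; git history already preserves it, and a commented-out resource in a module misleads readers about what is deployed. Delete the nine `#` lines and add the missing newline at end of file that the diff flags. Removing the resource block also makes Terraform plan the destruction of the existing swift connection on deployments that have one, which the commit message could state explicitly.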
diff --git a/examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars b/examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars new file mode 100644 index 0000000000..da855810fa --- /dev/null +++ b/examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars 
@@ -0,0 +1,97 @@ +resource_groups = { + la_test = { + name = "rg-logic-app" + } +} + +vnets = { + vnet = { + resource_group_key = "la_test" + vnet = { + name = "la-vnet" + address_space = ["10.0.0.0/24"] + } + subnets = { + private_endpoints_sn = { + name = "private-endpoints" + cidr = ["10.0.0.32/27"] + enforce_private_link_endpoint_network_policies = false + enforce_private_link_service_network_policies = false + } + la_test_subnet = { + name = "logic_apps" + cidr = ["10.0.0.64/27"] + delegation = { + name = "functions" + service_delegation = "Microsoft.Web/serverFarms" + actions = ["Microsoft.Network/virtualNetworks/subnets/action"] + } + } + } + } +} + +storage_accounts = { + sa1 = { + name = "la_sa" + resource_group_key = "la_test" + account_tier = "Standard" + account_replication_type = "LRS" + } +} + +managed_identities = { + logicapp_msi = { + name = "logicapp1-msi" + resource_group_key = "la_test" + } +} + + +app_service_plans = { + asp1 = { + name = "appserviceplan1" + resource_group_key = "la_test" + kind = "elastic" + + sku = { + tier = "WorkflowStandard" + size = "WS1" + } + } +} + +logic_app_standard = { + las1 = { + name = "logicapp1" + resource_group_key = "la_test" + app_service_plan_key = "asp1" + storage_account_key = "sa1" + version = "~4" + # Required for virtual network integration + vnet_integration = { + vnet_key = "vnet" + subnet_key = "la_test_subnet" + # lz_key = "" + # subnet_id = "" + } + identity = { + type = "UserAssigned" #SystemAssigned + key = "logicapp_msi" + #lz_key = "" + #identity_ids = ["/subscriptions/sub-id/resourceGroups/rg-id/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-id"] + } + private_endpoints = { + pe_la = { + private_service_connection = { + name = "pe_la_sc" + subresource_names = ["sites"] + } + name = "pe_la" + vnet_key = "vnet" + subnet_key = "private_endpoints_sn" + #lz_key = "" + } + } + } +} \ No newline at end of file From a1f622fb915501a30f708973cf9f3d27cef73503 Mon Sep 17 00:00:00 2001 
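Review bot: `storage_accounts.sa1.name = "la_sa"` contains an underscore, and Azure storage account names accept only lowercase letters and digits (3–24 characters); unless the module's naming provider strips invalid characters, the example fails at apply, so a value such as `name = "lasa"` is safer. The file also ends without a trailing newline, as the diff flags. The commented `#identity_ids = [...]` hint is the only documentation of the explicit-id form of `identity`, so it has to stay in sync with the attribute name the module actually reads.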
From: "janik.muenk"
Date: Fri, 17 May 2024 11:02:22 +0000
Subject: [PATCH 060/244] feat: adding logic app example to tests
---
 .github/workflows/standalone-scenarios.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index 4b15d939ea..9d060fb515 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -132,6 +132,7 @@
 "logic_app/106-logic_app_trigger_recurrence",
 "logic_app/107-logic_app_trigger_custom",
 "logic_app/109-logic_app_standard_vnet_integration",
+ "logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity",
 "machine_learning/100-aml",
 "machine_learning/101-aml-vnet",
 "machine_learning/102-aml-compute_instance",
From d20ffb72cfbca860aa5137f62e2e5a0a49f0d9a5 Mon Sep 17 00:00:00 2001
From: arne21a <42212708+arne21a@users.noreply.github.com>
Date: Fri, 17 May 2024 09:26:03 +0200
Subject: [PATCH 061/244] Update modules/logic_app/standard/module.tf
Co-authored-by: Arnaud Lheureux
---
 modules/logic_app/standard/module.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index 9492b72576..b97953ba7a 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
@@ -48,7 +48,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 for_each = lookup(var.settings, "identity", {}) != {} ? [1] : []
 content {
 type = lookup(var.settings.identity, "type", null)
- identity_ids = try(try(lookup(var.settings.identity, "identity_ids"), [try(var.managed_identities[var.client_config.landingzone_key][var.settings.identity.key].id, var.managed_identities[var.settings.identity.lz_key][var.settings.identity.key].id)]), null)
+ identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null
 }
 }
From 17638b6946d1f49be8f127aa9b9082d6d893980b Mon Sep 17 00:00:00 2001
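Review bot: The new expression reads `var.settings.identity.ids`, whereas the removed line read `identity_ids`; because `can()` swallows the missing attribute, a configuration that still passes `identity_ids` is silently routed to the `key` branch or to `null` instead of failing, which for a `UserAssigned` identity means the assignment quietly disappears. If the rename is intended, either accept both spellings for a release, `can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.identity_ids) ? var.settings.identity.identity_ids : …`, or at least update the commented `#identity_ids = [...]` placeholder in the new example so it shows the attribute the module actually reads. The enclosing `resource` block starts before this hunk.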
From: Arnaud Lheureux Date: Thu, 23 May 2024 11:17:58 +0800 Subject: [PATCH 062/244] APIM - use existing pip - #1960 (#1971) * apm - use existing pip * add to long runner integration test * Refactor API Management module and example Refactor API Management module and update example configuration for better clarity and functionality. - Modify the `public_ip_address_id` assignment in `modules/apim/api_management/module.tf` to use `can` statements for conditional checks, enhancing clarity and reducing potential confusion during plan-time evaluation. - Update the example configuration in `examples/apim/118-api_management_platform_stv2/configuration.tfvars` to correct resource group keys, vnet and subnet address spaces, ensuring they align with task requirements. - Remove NSG flow logs configurations from the example file to simplify the setup and adhere to the task's request for removal. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/aztfmod/terraform-azurerm-caf/pull/1960?shareId=73fef528-9148-4db9-8557-478779a850ce). * Update module.tf * Update to use public_ip_address --------- Co-authored-by: mark.gronow@shapingcloud.com --- .../standalone-scenarios-longrunners.json | 1 + api_management.tf | 1 + .../configuration.tfvars | 181 ++++++++++++++++++ modules/apim/api_management/module.tf | 5 +- modules/apim/api_management/variables.tf | 3 + 5 files changed, 190 insertions(+), 1 deletion(-) create mode 100644 examples/apim/118-api_management_platform_stv2/configuration.tfvars diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json index 89371a1435..6bb91b665d 100644 --- a/.github/workflows/standalone-scenarios-longrunners.json +++ b/.github/workflows/standalone-scenarios-longrunners.json 
@@ -17,6 +17,7 @@
 "apim/115-api_management_private_virtual_network",
 "apim/116-api_management_subscription",
 "apim/117-api_management_product",
+ "apim/118-api_management_platform_stv2",
 "app_gateway/301-agw-v1",
 "compute/vmware_cluster/101-vmware_cluster",
 "mssql_mi/200-mi",
diff --git a/api_management.tf b/api_management.tf
index acb5eb095e..9bb39eeb67 100644
--- a/api_management.tf
+++ b/api_management.tf
@@ -7,6 +7,7 @@ module "api_management" {
 settings = each.value
 vnets = local.combined_objects_networking
+ public_ip_addresses = local.combined_objects_public_ip_addresses
 base_tags = local.global_settings.inherit_tags
 resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
diff --git a/examples/apim/118-api_management_platform_stv2/configuration.tfvars b/examples/apim/118-api_management_platform_stv2/configuration.tfvars
new file mode 100644
index 0000000000..605fed4e7d
--- /dev/null
+++ b/examples/apim/118-api_management_platform_stv2/configuration.tfvars
@@ -0,0 +1,181 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "uksouth" + } + inherit_tags = true + tags = { + example = "apim/118-stv2.*" + } +} + +resource_groups = { + rg_example_apim_uks = { + name = "example-apim-uks" # prefix-rg-example-apim-uks + region = "region1" + tags = { + level = "level3" + } + } +} + +vnets = { + # Example vNet + vnet_example_uks = { + resource_group_key = "rg_example_apim_uks" + region = "region1" + vnet = { + name = "example-uks" # prefix-vnet-example-uks + address_space = ["10.0.0.0/16"] + } + subnets = { + + # Example subnet for APIM private endpoint + + snet_example_apim_uks = { + name = "example-apim-uks" #prefix-snet-example-apim-uks + cidr = ["10.0.1.0/24"] + nsg_key = "nsg_example_apim_uks" + # route_table_key = "" + service_endpoints = ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.Sql", "Microsoft.EventHub", "Microsoft.ServiceBus"] # service endpoints required for APIM + } + } + } +} + +network_security_group_definition = { + # This entry is applied to all subnets with no NSG defined + empty_nsg_no_log = {} + + # Example NSG for APIM + nsg_example_apim_uks = { + name = "example-apim-uks" # prefix-nsg-example-apim-uks + version = 1 + resource_group_key = "rg_example_apim_uks" + nsg = [ + { + name = "Inbound-ApiManagement", + priority = "1000" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3443" + source_address_prefix = "ApiManagement" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Inbound-AzureLoadBalancer", + priority = "1010" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "6390" + source_address_prefix = "AzureLoadBalancer" + destination_address_prefix = "VirtualNetwork" + }, + { + name = "Outbound-Storage", + priority = "1000" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + 
destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + }, + { + name = "Outbound-SQL", + priority = "1010" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "1443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "SQL" + }, + { + name = "Outbound-AzureKeyVault", + priority = "1020" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureKeyVault" + }, + { + name = "Outbound-AzureMonitor", + priority = "1030" + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_ranges = ["443", "1886"] + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureMonitor" + }, + ] + } +} + +public_ip_addresses = { + + # Public IP for the example APIM Instance + pip_apim_uks = { + name = "example-apim-uks" # prefix-pip-example-apim-uks + region = "region1" + resource_group_key = "rg_example_apim_uks" + sku = "Standard" # must be 'Standard' SKU + + # Standard SKU Public IP Addresses that do not specify a zone are zone redundant by default. 
+ allocation_method = "Static" + ip_version = "IPv4" + idle_timeout_in_minutes = "4" + domain_name_label = "example-apim-uks" + } +} + +api_management = { + apim_uks = { + name = "example-uks" # prefix-apim-example-uks + resource_group_key = "rg_example_apim_uks" + publisher_name = "apim.example.sre.com" + publisher_email = "example.apim@sre.com" + sku_name = "Developer_1" # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management#sku_name + region = "region1" + + # Required to deploy APIM on platform verions stv2.* + public_ip_address = { + key = "pip_apim_uks" + # lz_key = "" + } + + virtual_network_type = "Internal" # The type of virtual network you want to use, valid values include: None, External, Internal. Defaults to None. + virtual_network_configuration = { + vnet_key = "vnet_example_uks" + subnet_key = "snet_example_apim_uks" + # lz_key = "" + } + + identity = { + type = "UserAssigned" + managed_identity_keys = ["msi_apim_uks"] + } + + portal = { + host_name = "example.apim.com" + } + } +} + +managed_identities = { + msi_apim_uks = { + name = "example-apim-uks" # prefix-msi-example-apim-uks + resource_group_key = "rg_example_apim_uks" + } +} diff --git a/modules/apim/api_management/module.tf b/modules/apim/api_management/module.tf index d2b1ff61ba..65c1a777f1 100644 --- a/modules/apim/api_management/module.tf +++ b/modules/apim/api_management/module.tf 
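Review bot: In the `Outbound-SQL` rule of `nsg_example_apim_uks`, `destination_port_range = "1443"` looks like a transposition of 1433, the port Azure SQL listens on and the one the APIM networking requirements name; as written the rule permits traffic that never occurs, and the real SQL dependency is only reachable through whatever default outbound rules remain. Change it to `destination_port_range = "1433"` so the example NSG documents the actual dependency and keeps working if the default rules are later overridden. The other rules appear consistent with the documented APIM service-tag requirements, so this seems to be a typo rather than an intentional choice.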
@@ -16,6 +16,9 @@ resource "azurerm_api_management" "apim" {
 publisher_name = var.settings.publisher_name
 publisher_email = var.settings.publisher_email
 sku_name = var.settings.sku_name
+
+ public_ip_address_id = can(var.settings.public_ip_address_id) ? var.settings.public_ip_address_id : can(var.settings.public_ip_address.key) ? var.public_ip_addresses[try(var.settings.public_ip_address.lz_key, var.client_config.landingzone_key)][var.settings.public_ip_address.key].id : null
+
 dynamic "additional_location" {
 for_each = try(var.settings.additional_location, null) != null ? [var.settings.additional_location] : []
@@ -214,4 +217,4 @@ resource "azurerm_api_management" "apim" {
 }
 tags = merge(local.tags, try(var.settings.tags, {}))
-}
\ No newline at end of file
+}
diff --git a/modules/apim/api_management/variables.tf b/modules/apim/api_management/variables.tf
index 2307fc2caa..1ef70086ea 100644
--- a/modules/apim/api_management/variables.tf
+++ b/modules/apim/api_management/variables.tf
@@ -29,3 +29,6 @@ variable "base_tags" {
 description = "Base tags for the resource to be inherited from the resource group."
 type = bool
 }
+variable "public_ip_addresses" {
+ default = {}
+}
From 6d031d70b35e81e7d48fe4bdc68aa326cf2b047c Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 23 May 2024 08:23:03 +0000 Subject: [PATCH 063/244] Upgrade to TF 1.8.4 --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/landingzone-scenarios.yaml | 2 +- .github/workflows/rover.yaml | 2 +- .github/workflows/standalone-compute.yaml | 4 ++-- .github/workflows/standalone-networking.yaml | 2 +- .github/workflows/standalone-regressor-tf100.yaml | 4 ++-- .github/workflows/standalone-tf100.yaml | 4 ++-- 7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index abb8fc8456..403f4a8750 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
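Review bot: The new `variable "public_ip_addresses"` in `variables.tf` carries only `default = {}`, while the `base_tags` variable right above it has both a `description` and a `type`; the lookup in `module.tf` indexes it two levels deep by landing-zone key and then by `public_ip_address.key`, and nothing documents that shape for callers. Add `description = "Public IP address objects, keyed by landing zone key and then by the key referenced in settings.public_ip_address.key; used to resolve public_ip_address_id."` and, if the rest of the module's inputs are typed, a matching `type`. The `.tflint.hcl` added later in this series disables `terraform_typed_variables`, so a missing type will not be flagged automatically.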
@@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 user: vscode labels: diff --git a/.github/workflows/landingzone-scenarios.yaml b/.github/workflows/landingzone-scenarios.yaml index e3d52f4533..d09ef13ac1 100644 --- a/.github/workflows/landingzone-scenarios.yaml +++ b/.github/workflows/landingzone-scenarios.yaml @@ -86,7 +86,7 @@ jobs: needs: [job] container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: diff --git a/.github/workflows/rover.yaml b/.github/workflows/rover.yaml index d03b3be271..3a60486cf1 100644 --- a/.github/workflows/rover.yaml +++ b/.github/workflows/rover.yaml @@ -46,7 +46,7 @@ jobs: needs: rover_setup container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 env: diff --git a/.github/workflows/standalone-compute.yaml b/.github/workflows/standalone-compute.yaml index 5b80628294..17696aa0e1 100644 --- a/.github/workflows/standalone-compute.yaml +++ b/.github/workflows/standalone-compute.yaml @@ -46,7 +46,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: @@ -131,7 +131,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: diff --git a/.github/workflows/standalone-networking.yaml b/.github/workflows/standalone-networking.yaml index 26010aab56..3ae0243874 100644 --- a/.github/workflows/standalone-networking.yaml +++ b/.github/workflows/standalone-networking.yaml @@ -46,7 +46,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: 
diff --git a/.github/workflows/standalone-regressor-tf100.yaml b/.github/workflows/standalone-regressor-tf100.yaml index 428a4cf791..22a66c6458 100644 --- a/.github/workflows/standalone-regressor-tf100.yaml +++ b/.github/workflows/standalone-regressor-tf100.yaml @@ -58,7 +58,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: @@ -178,7 +178,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: diff --git a/.github/workflows/standalone-tf100.yaml b/.github/workflows/standalone-tf100.yaml index c9d2aeba9e..3ba94fd09e 100644 --- a/.github/workflows/standalone-tf100.yaml +++ b/.github/workflows/standalone-tf100.yaml @@ -55,7 +55,7 @@ jobs: matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: @@ -140,7 +140,7 @@ jobs: needs: [testcases] container: - image: aztfmod/rover:1.7.5-2405.0203 + image: aztfmod/rover:1.8.4-2405.2306 options: --user 0 steps: From 8dd2e2d25c1ff695415996cb37a516cbaf7f0652 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 23 May 2024 17:31:44 +0800 Subject: [PATCH 064/244] Adding FMT on push (#1979) * fmt on push * Update workflows versions --- .github/workflows/on_push_fmt.yaml | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/on_push_fmt.yaml diff --git a/.github/workflows/on_push_fmt.yaml b/.github/workflows/on_push_fmt.yaml new file mode 100644 index 0000000000..ab5af599a4 --- /dev/null +++ b/.github/workflows/on_push_fmt.yaml 
@@ -0,0 +1,34 @@
+name: Terraform Format
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ terraform:
+ name: 'Terraform Format'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Important: This is needed to push changes back to the repository
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+
+ - name: Terraform Format
+ run: terraform fmt -recursive
+
+ - name: Commit changes
+ run: |
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+ git diff --quiet && git diff --staged --quiet || (git add -A && git commit -m "Apply terraform fmt")
+
+ - name: Push changes
+ uses: ad-m/github-push-action@v0.8.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
From 67ffa01a1550c7f2f6d619e60cad3129814b51c0 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Thu, 23 May 2024 11:01:47 +0000 Subject: [PATCH 065/244] fix: adding https_only flag --- modules/logic_app/standard/module.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index b97953ba7a..b05e033585 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
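Review bot: This workflow commits and pushes to `main` with `secrets.GITHUB_TOKEN` but declares no `permissions:` block, so the token's scope is whatever the repository default happens to be; add a top-level `permissions:` with `contents: write` so the write grant is explicit and nothing broader rides along. `ad-m/github-push-action@v0.8.0`, `hashicorp/setup-terraform@v3` and `actions/checkout@v4` are pinned to mutable tags, and the push action in particular receives that write token, so pin third-party actions to a full commit SHA. Letting a bot commit land directly on `main` also sidesteps whatever review gate the branch has; if that is acceptable, consider giving the commit a distinct author identity that branch-protection rules can recognise.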
@@ -16,10 +16,10 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 storage_account_name = local.storage_account.name
 storage_account_access_key = local.storage_account.primary_access_key
 version = lookup(var.settings, "version", null)
- virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id,
+ virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id,
 try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.vnet_integration.subnet_key].id, var.virtual_subnets[var.settings.vnet_integration.lz_key][var.settings.vnet_integration.subnet_key].id)) : null
 app_settings = local.app_settings
-
+ https_only = lookup(var.settings, "https_only", null)
 dynamic "site_config" {
 for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : []
@@ -47,7 +47,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 dynamic "identity" {
 for_each = lookup(var.settings, "identity", {}) != {} ? [1] : []
 content {
- type = lookup(var.settings.identity, "type", null)
+ type = lookup(var.settings.identity, "type", null)
 identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null
 }
 }
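Review bot: `https_only = lookup(var.settings, "https_only", null)` hands the decision to the provider default whenever the setting is omitted, and that default does not enforce HTTPS, so every existing Logic App configuration keeps serving plain HTTP after this "fix". Since the attribute was not set before, there is no established module behaviour to preserve, and a secure-by-default `https_only = lookup(var.settings, "https_only", true)` would be the safer choice; if forcing TLS on existing deployments is a concern, at least document in the module README that the default is off. The same line, with the same `null` default, is relocated by the `@@ -15,8 +15,8 @@` hunk of the following commit, which inherits this point. The enclosing `resource` block starts before this hunk.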
@@ -62,4 +62,4 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 # subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id,
 # try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id))
 #
-#}
\ No newline at end of file
+#}
From 029ca551148395808d2bc458e946ce8678f7a8c5 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Thu, 23 May 2024 11:16:57 +0000 Subject: [PATCH 066/244] fix: adding https_only --- modules/logic_app/standard/module.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index cb592bbc63..5f0b47d1bc 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
@@ -15,8 +15,8 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 app_service_plan_id = local.app_service_plan.id
 storage_account_name = local.storage_account.name
 storage_account_access_key = local.storage_account.primary_access_key
-
- app_settings = local.app_settings
+ https_only = lookup(var.settings, "https_only", null)
+ app_settings = local.app_settings
 dynamic "site_config" {
 for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : []
From e051ada517a5c895c2ef7ad848699218d6f52ddb Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux Date: Fri, 24 May 2024 18:45:13 +0800 Subject: [PATCH 067/244] Add initial mock tests examples and pipelines (#1983) * Mock tests examples and pipelines * Update workflows * Adding tflint config --- .github/workflows/developer.md | 11 +- .github/workflows/pr_dispatch.yaml | 64 ++++++ .github/workflows/pr_workflow.yaml | 250 +++++++++++++++++++++++ .tflint.hcl | 18 ++ examples/tests/README.md | 138 +++++++++++++ examples/tests/general.tftest.hcl | 13 ++ examples/tests/mock/e2e_plan.tftest.hcl | 17 ++ examples/tests/mock_data/data.tfmock.hcl | 17 ++ locals.tf | 2 +- 9 files changed, 524 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/pr_dispatch.yaml create mode 100644 .github/workflows/pr_workflow.yaml create mode 100644 .tflint.hcl create mode 100644 examples/tests/README.md create mode 100644 examples/tests/general.tftest.hcl create mode 100644 examples/tests/mock/e2e_plan.tftest.hcl create mode 100644 examples/tests/mock_data/data.tfmock.hcl diff --git a/.github/workflows/developer.md b/.github/workflows/developer.md index 3f7ce7c58c..11baf95468 100644 --- a/.github/workflows/developer.md +++ b/.github/workflows/developer.md @@ -3,16 +3,17 @@ You can test the workflows on your local machine ## MacOS -Install act to run Github workflows on your local machine -``` +Install [Act](https://github.com/nektos/act) to run Github workflows on your local machine + +```bash brew install act ``` -from the root of the module +From the root of the module: -``` +```bash # Make sure you have a GH_TOKEN with repo and workflow privileges -export GH_TOKEN=xxx +export GH_TOKEN="$(gh auth token)" act --container-architecture linux/arm64 \ -s GITHUB_TOKEN=$GITHUB_TOKEN \ diff --git a/.github/workflows/pr_dispatch.yaml b/.github/workflows/pr_dispatch.yaml new file mode 100644 index 0000000000..f478bd51ff --- /dev/null +++ b/.github/workflows/pr_dispatch.yaml 
@@ -0,0 +1,64 @@
+#
+# Copyright (c) Microsoft Corporation
+# Licensed under the MIT License.
+#
+
+name: PR Dispatch Workflow
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+env:
+ TF_VERSION: "1.8.4"
+ TF_LINT_VERSION: "v0.50.3"
+jobs:
+ linting:
+ name: Format and Lint Checks
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20.x'
+
+ - name: Install Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+
+ - name: Install Terraform Linter
+ uses: terraform-linters/setup-tflint@v4
+ with:
+ tflint_version: ${{ env.TF_LINT_VERSION }}
+
+
+ - name: Run TFLint with reviewdog
+ uses: reviewdog/action-tflint@v1
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ reporter: github-pr-check
+ level: info
+ tflint_init: true
+
+ dispatch:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ scenario:
+ - standalone-scenarios-azuread.json
+ - standalone-scenarios.json
+ - standalone-compute.json
+ - standalone-networking.json
+ - standalone-scenarios-longrunners.json
+
+ steps:
+ - name: Repository Dispatch
+ uses: peter-evans/repository-dispatch@v3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ event-type: pr-${{ matrix.scenario }}
+ client-payload: '{"scenario": "${{ (matrix.scenario) }}", "sha": "${{ github.event.pull_request.head.sha }}"}'
diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/pr_workflow.yaml
new file mode 100644
index 0000000000..b5b6710518
--- /dev/null
+++ b/.github/workflows/pr_workflow.yaml
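Review bot: The `dispatch` job fires on every `pull_request` `opened`/`synchronize` and forwards `github.event.pull_request.head.sha` to `pr_workflow.yaml` (added in this same commit), whose `terraform_integration_tests` job checks out exactly that SHA, logs in to Azure with the `integration` environment's OIDC identity and runs `terraform apply`; so any branch that can open a PR gets unreviewed Terraform executed against the integration subscription. Fork PRs probably fail earlier because their `GITHUB_TOKEN` is read-only and cannot create a dispatch, but same-repository branches go straight through. Make the boundary explicit: require reviewers on the `integration` environment (the environment is already referenced, so protection rules apply), and gate the dispatch on a maintainer-applied label, e.g. `if: contains(github.event.pull_request.labels.*.name, 'run-integration')`. The reusable `token: ${{ secrets.GITHUB_TOKEN }}` is fine for the dispatch itself; the exposure is in what the dispatched workflow does with the SHA.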
@@ -0,0 +1,250 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: PR tests + +on: + repository_dispatch: + types: [pr-*] + workflow_dispatch: + inputs: + scenario: + description: "Select the scenario you want to run:" + required: false + type: choice + default: "standalone-networking.json" + options: + - standalone-scenarios-azuread.json + - standalone-scenarios.json + - standalone-compute.json + - standalone-networking.json + - standalone-scenarios-longrunners.json + +permissions: + id-token: write + contents: read + +env: + DEFAULT_SCENARIO: "standalone-networking.json" + TF_VERSION: "1.8.4" + TF_LINT_VERSION: "v0.50.3" + +jobs: + load_scenarios: + name: Load Test Scenarios Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_scenarios.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.client_payload.sha }} + + - id: load_scenarios + run: | + echo "Scenario: ${{ github.event.client_payload.scenario }}" + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + cases=$(cat ./.github/workflows/${{ github.event.inputs.scenario }} | jq -c .) + else + cases=$(cat ./.github/workflows/${{ github.event.client_payload.scenario }} | jq -c .) 
+ fi + echo "matrix=${cases}" >> $GITHUB_OUTPUT + + mock_plan_scenarios: + name: Test-${{ matrix.config_files }} + runs-on: ubuntu-latest + needs: load_scenarios + + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.client_payload.sha }} + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: actions/cache@v4 + with: + path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=examples \ + init + + - name: Terraform Test example + id: tf_test + run: | + terraform -chdir=examples \ + test \ + -test-directory=./tests/mock \ + ${{ env.PARAMETER_FILES }} \ + -verbose + + terraform_integration_tests: + name: Integration-${{ matrix.config_files }} + runs-on: ubuntu-latest + if: always() + needs: [load_scenarios, mock_plan_scenarios] + + strategy: + 
fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + environment: + name: 'integration' + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.client_payload.sha }} + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: actions/cache@v4 + with: + path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Azure Login + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=${GITHUB_WORKSPACE}/examples \ + init | grep -P '^- (?=Downloading|Using|Finding|Installing)|^[^-]' + + - name: Terraform Plan example + id: tf_plan + run: | + terraform -chdir=${GITHUB_WORKSPACE}/examples \ + plan \ + ${{ env.PARAMETER_FILES }} \ + -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ + -var var_folder_path=${{ env.CURRENT_FOLDER }} \ + -refresh=true \ + -input=false \ + -state=${{ 
env.STATE_FILE }} \ + -out=${{ env.PLAN_FILE }} + + - name: Terraform Apply example + id: tf_apply + run: | + terraform -chdir=${GITHUB_WORKSPACE}/examples \ + apply \ + -state=${{ env.STATE_FILE }} \ + ${{ env.PLAN_FILE }} + + - name: Terraform Destroy Plan + id: tf_destroy_plan + run: | + terraform -chdir=${GITHUB_WORKSPACE}/examples \ + plan \ + ${{ env.PARAMETER_FILES }} \ + -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ + -var var_folder_path=${{ env.CURRENT_FOLDER }} \ + -refresh=true \ + -input=false \ + -destroy \ + -state=${{ env.STATE_FILE }} \ + -out=${{ env.PLAN_FILE }}-destroy + + - name: Terraform Destroy Apply + id: tf_destroy_apply + run: | + terraform -chdir=${GITHUB_WORKSPACE}/examples \ + apply \ + -refresh=false \ + -auto-approve \ + -state=${{ env.STATE_FILE }} \ + ${{ env.PLAN_FILE }}-destroy + + purge: + name: Purge Integration Environment + runs-on: ubuntu-latest + if: ${{ failure() || cancelled() }} + + needs: [load_scenarios, terraform_integration_tests] + + environment: + name: 'integration' + + steps: + - name: Azure Login + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Purge based on run_id + run: | + for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done + for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done + for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].id" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done + for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure 
AD app: $i" && $(az ad app delete --verbose --id $i || true); done + for i in `az keyvault list-deleted --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done + for i in `az group list --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done + for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done + for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done \ No newline at end of file diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000000..fd7865f524 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,18 @@ +#Tflint config file +config { + call_module_type = "all" + force = false + disabled_by_default = false +} + +# Adds azurerm plugin +plugin "azurerm" { + enabled = true + version = "0.25.1" + source = "github.com/terraform-linters/tflint-ruleset-azurerm" +} + +# Will be enabled progressively as we add more types +rule "terraform_typed_variables" { + enabled = false +} \ No newline at end of file diff --git a/examples/tests/README.md b/examples/tests/README.md new file mode 100644 index 0000000000..7fe2167d0c --- /dev/null +++ b/examples/tests/README.md 
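Review bot: `${{ github.event.client_payload.scenario }}` and `${{ matrix.config_files }}` are expanded verbatim into `run:` shell in `load_scenarios` and in both `Create environment variables` steps; the payload is whatever the dispatcher sent, and the matrix values are read from JSON inside the checked-out `client_payload.sha`, so either can carry shell metacharacters straight into the runner. Route them through `env:` and quote them, e.g. an `env: SCENARIO: ${{ github.event.client_payload.scenario }}` on the step and `cases=$(jq -c . "./.github/workflows/${SCENARIO}")` in the script, and likewise `CONFIG_FILES` for the matrix value. Separately, `if: always()` on `terraform_integration_tests` runs the real `apply` even when `mock_plan_scenarios` failed, which contradicts the `needs:` ordering; `if: ${{ !cancelled() && needs.mock_plan_scenarios.result == 'success' }}` preserves the intended gate. In the purge step the `$(az … delete …)` wrappers execute the command's stdout as a further command; dropping the `$( )` makes the loop bodies plain calls.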
@@ -0,0 +1,138 @@ +# Terraform Test Commands + +This README provides an example on how to use locally Terraform test commands. + +## Running Tests + +To run tests in Terraform, you can use the following command: + +```bash +terraform -chdir=./examples test \ +-test-directory=./tests/mock \ +-var-file=../examples/communication/communication_services/101-communication_service/configuration.tfvars \ +-verbose +``` + +It will output the following: +```bash +tests/mock/e2e_plan.tftest.hcl... in progress + run "test_plan"... pass + +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # module.example.random_string.prefix[0] will be created + + resource "random_string" "prefix" { + + id = (known after apply) + + length = 4 + + lower = true + + min_lower = 0 + + min_numeric = 0 + + min_special = 0 + + min_upper = 0 + + number = false + + numeric = false + + result = (known after apply) + + special = false + + upper = false + } + + # module.example.module.communication_services["cs1"].azurecaf_name.acs will be created + + resource "azurecaf_name" "acs" { + + clean_input = true + + id = (known after apply) + + name = "test-acs1-re1" + + passthrough = false + + prefixes = (known after apply) + + random_length = 0 + + resource_type = "azurerm_communication_service" + + result = (known after apply) + + results = (known after apply) + + separator = "-" + + use_slug = true + } + + # module.example.module.communication_services["cs1"].azurerm_communication_service.acs will be created + + resource "azurerm_communication_service" "acs" { + + data_location = "United States" + + id = (known after apply) + + name = (known after apply) + + primary_connection_string = (known after apply) + + primary_key = (known after apply) + + resource_group_name = (known after apply) + + secondary_connection_string = (known after apply) + + 
secondary_key = (known after apply) + + tags = { + + "module" = "communication_services" + } + } + + # module.example.module.communication_services["cs2"].azurecaf_name.acs will be created + + resource "azurecaf_name" "acs" { + + clean_input = true + + id = (known after apply) + + name = "test-acs2-re2" + + passthrough = false + + prefixes = (known after apply) + + random_length = 0 + + resource_type = "azurerm_communication_service" + + result = (known after apply) + + results = (known after apply) + + separator = "-" + + use_slug = true + } + + # module.example.module.communication_services["cs2"].azurerm_communication_service.acs will be created + + resource "azurerm_communication_service" "acs" { + + data_location = "United States" + + id = (known after apply) + + name = (known after apply) + + primary_connection_string = (known after apply) + + primary_key = (known after apply) + + resource_group_name = (known after apply) + + secondary_connection_string = (known after apply) + + secondary_key = (known after apply) + + tags = { + + "module" = "communication_services" + } + } + + # module.example.module.resource_groups["rg1"].azurecaf_name.rg will be created + + resource "azurecaf_name" "rg" { + + clean_input = true + + id = (known after apply) + + name = "rg1" + + passthrough = false + + prefixes = (known after apply) + + random_length = 0 + + resource_type = "azurerm_resource_group" + + result = (known after apply) + + results = (known after apply) + + separator = "-" + + use_slug = true + } + + # module.example.module.resource_groups["rg1"].azurerm_resource_group.rg will be created + + resource "azurerm_resource_group" "rg" { + + id = (known after apply) + + location = "australiacentral" + + name = (known after apply) + + tags = { + + "landingzone" = "examples" + + "rover_version" = null + } + } + +Plan: 7 to add, 0 to change, 0 to destroy. + +Changes to Outputs: + + objects = (sensitive value) + +tests/mock/e2e_plan.tftest.hcl... 
tearing down +tests/mock/e2e_plan.tftest.hcl... pass + +Success! 1 passed, 0 failed. + +``` diff --git a/examples/tests/general.tftest.hcl b/examples/tests/general.tftest.hcl new file mode 100644 index 0000000000..e408f27923 --- /dev/null +++ b/examples/tests/general.tftest.hcl @@ -0,0 +1,13 @@ +mock_provider "azurerm" { +} + +mock_provider "azurerm" { + alias = "vhub" +} + +mock_provider "azuread" { +} + +run "test" { + +} \ No newline at end of file diff --git a/examples/tests/mock/e2e_plan.tftest.hcl b/examples/tests/mock/e2e_plan.tftest.hcl new file mode 100644 index 0000000000..a9d1cb2780 --- /dev/null +++ b/examples/tests/mock/e2e_plan.tftest.hcl @@ -0,0 +1,17 @@ +mock_provider "azurerm" { + source = "./tests/mock_data" +} + +mock_provider "azurerm" { + alias = "vhub" + source = "./tests/mock_data" +} + +mock_provider "azuread" { + source = "./tests/mock_data" +} + +run "test_plan" { + // E2E plan test the examples + command = plan +} \ No newline at end of file diff --git a/examples/tests/mock_data/data.tfmock.hcl b/examples/tests/mock_data/data.tfmock.hcl new file mode 100644 index 0000000000..b29c7c3f4d --- /dev/null +++ b/examples/tests/mock_data/data.tfmock.hcl @@ -0,0 +1,17 @@ +mock_data "azurerm_client_config" { + defaults = { + client_id = "00000000-0000-0000-0000-000000000000" + object_id = "00000000-0000-0000-0000-000000000000" + subscription_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } +} + +mock_data "azuread_client_config" { + defaults = { + client_id = "00000000-0000-0000-0000-000000000000" + object_id = "00000000-0000-0000-0000-000000000000" + subscription_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } +} \ No newline at end of file diff --git a/locals.tf b/locals.tf index f869fa3412..9d0d3f8179 100644 --- a/locals.tf +++ b/locals.tf 
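Review bot: `run "test" {}` in examples/tests/general.tftest.hcl declares neither a `command` nor any `assert` block, so the run defaults to `command = apply` against the mock providers and passes whenever that apply succeeds, asserting nothing. If it is meant as the same plan-only smoke test that examples/tests/mock/e2e_plan.tftest.hcl in this commit spells out, say so and pin the command: `run "test" {`, `  // smoke test: plan only, no assertions yet`, `  command = plan`. Without that, the two test files look parallel but exercise different commands.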
@@ -35,7 +35,7 @@ locals {
 object_id = local.object_id
 subscription_id = data.azurerm_client_config.current.subscription_id
 tenant_id = data.azurerm_client_config.current.tenant_id
- } : map(var.client_config)
+ } : tomap(var.client_config)
 
 cloud = merge({
 acrLoginServerEndpoint = try(var.cloud.acrLoginServerEndpoint, {})
From 17d46d6a81a57da7f725c67e482b015ddced6003 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 27 May 2024 07:17:37 +0000
Subject: [PATCH 068/244] Upgrade to 3.105
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index e411427323..605b96986c 100644
--- a/main.tf
+++ b/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.75.0"
+ version = "~> 3.105.0"
 configuration_aliases = [
 azurerm.vhub
 ]
From f1641efc742a16147b9c83a129cc1311f0cabaa6 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 27 May 2024 07:22:45 +0000
Subject: [PATCH 069/244] Remove update
---
 modules/apim/api_management_gateway_api/module.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/apim/api_management_gateway_api/module.tf b/modules/apim/api_management_gateway_api/module.tf
index a955868d9e..6c4dd19ff7 100644
--- a/modules/apim/api_management_gateway_api/module.tf
+++ b/modules/apim/api_management_gateway_api/module.tf
@@ -19,7 +19,6 @@ resource "azurerm_api_management_gateway_api" "apim" {
 content {
 create = try(timeouts.value.create, null)
 read = try(timeouts.value.read, null)
- update = try(timeouts.value.update, null)
 delete = try(timeouts.value.delete, null)
 }
 }
From 0f63520ae368d57e8251ac23397a026bcebc62ee Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 27 May 2024 07:31:30 +0000
Subject: [PATCH 070/244] Adding explicit azuread configuration for mock provider tests
---
 main.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/main.tf b/main.tf
index 605b96986c..f56d26b496 100644
--- a/main.tf
+++ b/main.tf
@@ -35,6 +35,9 @@ provider "azapi" {
 skip_provider_registration = true
 }
 
+provider "azuread" {
+}
+
 data "azurerm_subscription" "primary" {}
 data "azurerm_client_config" "current" {}
 data "azuread_client_config" "current" {}
From acea3c3c0111a548fd9e2423dbef2ead7245a51b Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 27 May 2024 08:22:57 +0000
Subject: [PATCH 071/244] Adding azuread provider stub
---
 examples/main.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/examples/main.tf b/examples/main.tf
index 64a74b9c1d..1834c20c66 100644
--- a/examples/main.tf
+++ b/examples/main.tf
@@ -57,6 +57,9 @@ provider "azurerm" {
 features {}
 }
 
+
+provider "azuread" {}
+
 data "azurerm_client_config" "default" {}
 
 locals {
From c2b900ae0f641a982b71b1716c0d6538e05c8386 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 27 May 2024 08:28:03 +0000
Subject: [PATCH 072/244] Azuread provider
---
 main.tf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/main.tf b/main.tf
index f56d26b496..605b96986c 100644
--- a/main.tf
+++ b/main.tf
@@ -35,9 +35,6 @@ provider "azapi" {
 skip_provider_registration = true
 }
 
-provider "azuread" {
-}
-
 data "azurerm_subscription" "primary" {}
 data "azurerm_client_config" "current" {}
 data "azuread_client_config" "current" {}
From e2de92d2e14067b7b82e89dfc1371385aff42723 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 27 May 2024 08:45:11 +0000
Subject: [PATCH 073/244] Update long runner scenarios
---
 .github/workflows/standalone-scenarios-longrunners.json | 1 -
 .../103-vpn-site-to-site-connection/configuration.tfvars | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json
index 6bb91b665d..5712cd8f61 100644
--- a/.github/workflows/standalone-scenarios-longrunners.json
+++ b/.github/workflows/standalone-scenarios-longrunners.json
@@ -18,7 +18,6 @@ "apim/116-api_management_subscription", "apim/117-api_management_product", "apim/118-api_management_platform_stv2", - "app_gateway/301-agw-v1", "compute/vmware_cluster/101-vmware_cluster", "mssql_mi/200-mi", "networking/virtual_network_gateway/100-expressroute-gateway", diff --git a/examples/networking/virtual_network_gateway/103-vpn-site-to-site-connection/configuration.tfvars b/examples/networking/virtual_network_gateway/103-vpn-site-to-site-connection/configuration.tfvars index a0932a6965..72638fb57a 100644 --- a/examples/networking/virtual_network_gateway/103-vpn-site-to-site-connection/configuration.tfvars +++ b/examples/networking/virtual_network_gateway/103-vpn-site-to-site-connection/configuration.tfvars @@ -78,7 +78,7 @@ virtual_network_gateway_connections = { connection1 = { name = "connection" resource_group_key = "vpngw" - type = "IPSec" + type = "IPsec" region = "region1" virtual_network_gateway_key = "gateway1" local_network_gateway_key = "local1" From 4040c99e1396375fcb03b05f45825b59e20e50c8 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Mon, 27 May 2024 09:50:30 +0000 Subject: [PATCH 074/244] Deprecated attribute --- modules/databases/cosmos_dbs/output.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/databases/cosmos_dbs/output.tf b/modules/databases/cosmos_dbs/output.tf index 00995cc84d..379cff6d14 100644 --- a/modules/databases/cosmos_dbs/output.tf +++ b/modules/databases/cosmos_dbs/output.tf @@ -2,10 +2,6 @@ output "cosmos_account" { value = azurerm_cosmosdb_account.cosmos_account.id } -output "connection_string" { - value = azurerm_cosmosdb_account.cosmos_account.connection_strings[0] -} - output "primary_key" { value = azurerm_cosmosdb_account.cosmos_account.primary_key } From ce3d5f0571a1ec40d429eb31a60663ab7d9c49c4 Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux Date: Tue, 28 May 2024 06:26:01 +0000 Subject: [PATCH 075/244] Update spark version number --- .../synapse_analytics/101-synapse-sparkpool/configuration.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars b/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars index 9ecadd8905..93f3b9a033 100644 --- a/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars +++ b/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars @@ -54,6 +54,7 @@ synapse_workspaces = { synapse_workspace_key = "synapse_wrkspc_re1" node_size_family = "MemoryOptimized" node_size = "Small" + spark_version = "3.4" auto_scale = { max_node_count = 50 min_node_count = 3 From cb4936260194d8e21bb7a970d1d043f678a615e9 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 28 May 2024 06:38:28 +0000 Subject: [PATCH 076/244] Iot config files update --- examples/iot/100-iot-hub/configuration.tfvars | 2 +- examples/iot/103-iot-hub-with-dps/configuration.tfvars | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/iot/100-iot-hub/configuration.tfvars b/examples/iot/100-iot-hub/configuration.tfvars index 28769ed613..835b5ddaf8 100644 --- a/examples/iot/100-iot-hub/configuration.tfvars +++ b/examples/iot/100-iot-hub/configuration.tfvars @@ -43,7 +43,7 @@ iot_hub_certificate = { key = "iothub1" } is_verified = true - certificate_content = "iot/100-iot-hub/cert.pem" + certificate_content = "examples/iot/100-iot-hub/cert.pem" } } diff --git a/examples/iot/103-iot-hub-with-dps/configuration.tfvars b/examples/iot/103-iot-hub-with-dps/configuration.tfvars index 11b85e838c..5a89365040 100644 --- a/examples/iot/103-iot-hub-with-dps/configuration.tfvars +++ b/examples/iot/103-iot-hub-with-dps/configuration.tfvars 
@@ -67,7 +67,7 @@ iot_dps_certificate = { key = "dps1" } resource_group_key = "ioth_region1" - certificate_content = "iot/103-iot-hub-with-dps/cert.pem" + certificate_content = "examples/iot/103-iot-hub-with-dps/cert.pem" } } From 2243907ebf5b181b78f2f3464b2e0e76f67faaca Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 28 May 2024 07:07:14 +0000 Subject: [PATCH 077/244] Update azurerm_servicebus_namespace --- .../101-adt-servicebus/configuration.tfvars | 3 ++- .../messaging/servicebus/namespace/namespace.tf | 15 ++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/examples/digital_twins/101-adt-servicebus/configuration.tfvars b/examples/digital_twins/101-adt-servicebus/configuration.tfvars index 94209583e9..de91dda74c 100644 --- a/examples/digital_twins/101-adt-servicebus/configuration.tfvars +++ b/examples/digital_twins/101-adt-servicebus/configuration.tfvars @@ -1,7 +1,7 @@ global_settings = { default_region = "region1" regions = { - region1 = "southeastasia" + region1 = "australiaeast" } } @@ -106,6 +106,7 @@ servicebus_namespaces = { sku = "Premium" # Basic | standard | Premium capacity = 1 # capacity only for Premium: 1,2,4,8,16 otherwise 0 # zone_redundant = false # only true for Premium + premium_messaging_partitions = 1 # tags = {} # optional namespace_auth_rules = { rule1 = { diff --git a/modules/messaging/servicebus/namespace/namespace.tf b/modules/messaging/servicebus/namespace/namespace.tf index 7a6094806e..6161f55de5 100644 --- a/modules/messaging/servicebus/namespace/namespace.tf +++ b/modules/messaging/servicebus/namespace/namespace.tf 
@@ -11,11 +11,12 @@ resource "azurecaf_name" "namespace" { } resource "azurerm_servicebus_namespace" "namespace" { - name = azurecaf_name.namespace.result - sku = var.settings.sku - capacity = try(var.settings.capacity, null) - zone_redundant = try(var.settings.zone_redundant, null) - tags = merge(local.base_tags, try(var.settings.tags, {})) - location = local.location - resource_group_name = local.resource_group_name + name = azurecaf_name.namespace.result + sku = var.settings.sku + capacity = try(var.settings.capacity, null) + zone_redundant = try(var.settings.zone_redundant, null) + tags = merge(local.base_tags, try(var.settings.tags, {})) + premium_messaging_partitions = try(var.settings.premium_messaging_partitions, null) + location = local.location + resource_group_name = local.resource_group_name } From 8bbcc42b0aee44e05920a4d8c671bc006485a440 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 28 May 2024 08:22:00 +0000 Subject: [PATCH 078/244] Tflint warning (List items should be accessed using square brackets) --- azuread_users.tf | 2 +- compute_virtual_machines.tf | 3 ++- compute_virtual_machines_scale_sets.tf | 3 ++- locals.tf | 6 +++--- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/azuread_users.tf b/azuread_users.tf index f75e57cc13..ac8d3d4860 100644 --- a/azuread_users.tf +++ b/azuread_users.tf @@ -4,7 +4,7 @@ module "azuread_users" { source = "./modules/azuread/users" - depends_on = [module.keyvault_access_policies, time_sleep.azurerm_role_assignment_for.0] + depends_on = [module.keyvault_access_policies, time_sleep.azurerm_role_assignment_for[0]] for_each = local.azuread.azuread_users client_config = local.client_config diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf index 9e4f1bd07d..87f8344c28 100644 --- a/compute_virtual_machines.tf +++ b/compute_virtual_machines.tf 
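Review bot: The new `premium_messaging_partitions` pass-through in namespace.tf carries no comment, and the matching example line in the configuration.tfvars hunk of this commit lacks the inline annotation its neighbours have (`# capacity only for Premium ...`, `# only true for Premium`). As far as I know the attribute is only meaningful for the Premium sku and changing it forces the namespace to be recreated, which is worth stating where operators set the value. Suggest `premium_messaging_partitions = 1 # Premium only; changing this recreates the namespace` in the example and `# Premium sku only; null leaves the provider default` on the module line. The resource block continues outside the hunk.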
@@ -12,7 +12,8 @@ module "virtual_machines" { module.packer_service_principal, module.proximity_placement_groups, module.storage_account_blobs, - time_sleep.azurerm_role_assignment_for.0 + time_sleep.azurerm_role_assignment_for[0] + ] ] for_each = local.compute.virtual_machines diff --git a/compute_virtual_machines_scale_sets.tf b/compute_virtual_machines_scale_sets.tf index 574860dc77..187282bf51 100644 --- a/compute_virtual_machines_scale_sets.tf +++ b/compute_virtual_machines_scale_sets.tf @@ -13,7 +13,8 @@ module "virtual_machine_scale_sets" { module.packer_build, module.packer_service_principal, module.proximity_placement_groups, - time_sleep.azurerm_role_assignment_for.0 + time_sleep.azurerm_role_assignment_for[0] + ] ] for_each = local.compute.virtual_machine_scale_sets diff --git a/locals.tf b/locals.tf index 9d0d3f8179..f6038e943f 100644 --- a/locals.tf +++ b/locals.tf @@ -225,8 +225,8 @@ locals { inherit_tags = try(var.global_settings.inherit_tags, false) passthrough = try(var.global_settings.passthrough, false) prefix = try(var.global_settings.prefix, null) - prefix_with_hyphen = try(var.global_settings.prefix_with_hyphen, format("%s-", try(var.global_settings.prefix, try(var.global_settings.prefixes[0], random_string.prefix.0.result)))) - prefixes = try(var.global_settings.prefix, null) == "" ? null : try([var.global_settings.prefix], try(var.global_settings.prefixes, [random_string.prefix.0.result])) + prefix_with_hyphen = try(var.global_settings.prefix_with_hyphen, format("%s-", try(var.global_settings.prefix, try(var.global_settings.prefixes[0], random_string.prefix[0].result)))) + prefixes = try(var.global_settings.prefix, null) == "" ? null : try([var.global_settings.prefix], try(var.global_settings.prefixes, [random_string.prefix[0].result])) random_length = try(var.global_settings.random_length, 0) regions = try(var.global_settings.regions, null) tags = try(var.global_settings.tags, null) 
@@ -347,7 +347,7 @@ locals { vpn_sites = try(var.networking.vpn_sites, {}) } - object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azuread_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app.0.object_id, null)) + object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azuread_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app[0].object_id, null)) security = { disk_encryption_sets = try(var.security.disk_encryption_sets, {}) From 90b76bcef9e1dc8a8a903be2659e32448da2fa92 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Tue, 28 May 2024 08:25:13 +0000 Subject: [PATCH 079/244] Extra char --- compute_virtual_machines.tf | 2 +- compute_virtual_machines_scale_sets.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf index 87f8344c28..4152a9ecb0 100644 --- a/compute_virtual_machines.tf +++ b/compute_virtual_machines.tf @@ -14,7 +14,7 @@ module "virtual_machines" { module.storage_account_blobs, time_sleep.azurerm_role_assignment_for[0] ] - ] + for_each = local.compute.virtual_machines application_security_groups = local.combined_objects_application_security_groups diff --git a/compute_virtual_machines_scale_sets.tf b/compute_virtual_machines_scale_sets.tf index 187282bf51..175e213d33 100644 --- a/compute_virtual_machines_scale_sets.tf +++ b/compute_virtual_machines_scale_sets.tf @@ -15,7 +15,7 @@ module "virtual_machine_scale_sets" { module.proximity_placement_groups, time_sleep.azurerm_role_assignment_for[0] ] - ] + for_each = local.compute.virtual_machine_scale_sets availability_sets = local.combined_objects_availability_sets From e5810dbe3dd2c2ac2643261f24187ffb832ec900 Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux Date: Tue, 28 May 2024 08:36:09 +0000 Subject: [PATCH 080/244] Tflint (Lookup with 2 arguments is deprecated (terraform_deprecated_lookup) --- machine_learning.tf | 6 +++--- shared_image_gallery.tf | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/machine_learning.tf b/machine_learning.tf index 18011d51ee..60ab47e2e4 100644 --- a/machine_learning.tf +++ b/machine_learning.tf 
@@ -7,9 +7,9 @@ module "machine_learning_workspaces" { global_settings = local.global_settings settings = each.value vnets = local.combined_objects_networking - storage_account_id = lookup(each.value, "storage_account_key") == null ? null : module.storage_accounts[each.value.storage_account_key].id - keyvault_id = lookup(each.value, "keyvault_key") == null ? null : module.keyvaults[each.value.keyvault_key].id - application_insights_id = lookup(each.value, "application_insights_key") == null ? null : module.azurerm_application_insights[each.value.application_insights_key].id + storage_account_id = lookup(each.value, "storage_account_key", null) == null ? null : module.storage_accounts[lookup(each.value, "storage_account_key")].id + keyvault_id = lookup(each.value, "keyvault_key", null) == null ? null : module.keyvaults[lookup(each.value, "keyvault_key")].id + application_insights_id = lookup(each.value, "application_insights_key", null) == null ? null : module.azurerm_application_insights[lookup(each.value, "application_insights_key")].id container_registry_id = can(each.value.container_registry_id) || can(each.value.container_registry_key) == false ? try(each.value.container_registry_id, null) : local.combined_objects_container_registry[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.container_registry_key].id base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} diff --git a/shared_image_gallery.tf b/shared_image_gallery.tf index fe702a858f..9c8afaa8a8 100644 --- a/shared_image_gallery.tf +++ b/shared_image_gallery.tf 
@@ -44,7 +44,7 @@ module "packer_service_principal" { tenant_id = data.azurerm_client_config.current.tenant_id gallery_name = module.shared_image_galleries[each.value.shared_image_gallery_destination.gallery_key].name image_name = module.image_definitions[each.value.shared_image_gallery_destination.image_key].name - key_vault_id = lookup(each.value, "keyvault_key") == null ? null : module.keyvaults[each.value.keyvault_key].id + key_vault_id = lookup(each.value, "keyvault_key", null) == null ? null : module.keyvaults[each.value.keyvault_key].id settings = each.value depends_on = [ @@ -67,7 +67,7 @@ module "packer_build" { tenant_id = data.azurerm_client_config.current.tenant_id gallery_name = module.shared_image_galleries[each.value.shared_image_gallery_destination.gallery_key].name image_name = module.image_definitions[each.value.shared_image_gallery_destination.image_key].name - key_vault_id = lookup(each.value, "keyvault_key") == null ? null : module.keyvaults[each.value.keyvault_key].id + key_vault_id = each.value.keyvault_key == null ? null : module.keyvaults[each.value.keyvault_key].id managed_identities = local.combined_objects_managed_identities vnet_name = try(try(local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].name, local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].name), "") subnet_name = try(lookup(each.value, "lz_key", null) == null ? local.combined_objects_networking[local.client_config.landingzone_key][each.value.vnet_key].subnets[each.value.subnet_key].name : local.combined_objects_networking[each.value.lz_key][each.value.vnet_key].subnets[each.value.subnet_key].name, "") From 13a0b2f9491e78381b81b708340df2a38c08a754 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 29 May 2024 00:53:17 +0000 Subject: [PATCH 081/244] Simplify expression --- machine_learning.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
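Review bot: The second hunk (module "packer_build") replaces `lookup(each.value, "keyvault_key") == null` with `each.value.keyvault_key == null`, which is not equivalent: if `each.value` is an object with no `keyvault_key` attribute, the direct access is an unsupported-attribute error where the lookup with a default returned null, so scenarios that omit the key would now fail at plan time. The first hunk (module "packer_service_principal") keeps the tolerant form `lookup(each.value, "keyvault_key", null) == null`, so the two modules in the same file now disagree on optional handling. Suggest the same expression in both: `key_vault_id = try(each.value.keyvault_key, null) == null ? null : module.keyvaults[each.value.keyvault_key].id`. Both module blocks continue outside their hunks.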
diff --git a/machine_learning.tf b/machine_learning.tf index 60ab47e2e4..589e4bfe64 100644 --- a/machine_learning.tf +++ b/machine_learning.tf @@ -7,9 +7,9 @@ module "machine_learning_workspaces" { global_settings = local.global_settings settings = each.value vnets = local.combined_objects_networking - storage_account_id = lookup(each.value, "storage_account_key", null) == null ? null : module.storage_accounts[lookup(each.value, "storage_account_key")].id - keyvault_id = lookup(each.value, "keyvault_key", null) == null ? null : module.keyvaults[lookup(each.value, "keyvault_key")].id - application_insights_id = lookup(each.value, "application_insights_key", null) == null ? null : module.azurerm_application_insights[lookup(each.value, "application_insights_key")].id + storage_account_id = can(each.value.storage_account_key) ? try(module.storage_accounts[each.value.storage_account_key].id, null) : null + keyvault_id = can(each.value.keyvault_key) ? try(module.keyvaults[each.value.keyvault_key].id, null) : null + application_insights_id = can(each.value.application_insights_key) ? try(module.azurerm_application_insights[each.value.application_insights_key].id, null) : null container_registry_id = can(each.value.container_registry_id) || can(each.value.container_registry_key) == false ? try(each.value.container_registry_id, null) : local.combined_objects_container_registry[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.container_registry_key].id base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} From 370d3dad91ef951136ee3d961cdb8a30957db7ed Mon Sep 17 00:00:00 2001 
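Review bot: Wrapping the module index in `try(..., null)` on the three rewritten lines turns a misspelled or unknown `storage_account_key`, `keyvault_key` or `application_insights_key` into a silent null id instead of a plan-time "invalid index" error, so a typo in configuration now produces a workspace wired to nothing (or a less specific provider error later) rather than a clear failure. `can(each.value.storage_account_key)` already covers the absent-attribute case, so the `try` only adds the swallowing. Suggest `storage_account_id = can(each.value.storage_account_key) ? module.storage_accounts[each.value.storage_account_key].id : null` and the same shape for the other two. Note that `can()` is also true when the attribute is present but set to null, so `try(each.value.storage_account_key, null) != null ? ... : null` is the stricter guard if null is a valid way to opt out. The module block continues outside the hunk.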
From: Arnaud Lheureux Date: Wed, 29 May 2024 01:49:18 +0000 Subject: [PATCH 082/244] Additional mock data sources --- examples/tests/mock_data/data.tfmock.hcl | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/examples/tests/mock_data/data.tfmock.hcl b/examples/tests/mock_data/data.tfmock.hcl index b29c7c3f4d..09746fff75 100644 --- a/examples/tests/mock_data/data.tfmock.hcl +++ b/examples/tests/mock_data/data.tfmock.hcl @@ -14,4 +14,22 @@ mock_data "azuread_client_config" { subscription_id = "00000000-0000-0000-0000-000000000000" tenant_id = "00000000-0000-0000-0000-000000000000" } +} + +mock_data "azurerm_subscription" { + defaults = { + id = "/subscriptions/00000000-0000-0000-0000-000000000001" + subscription_id = "00000000-0000-0000-0000-000000000001" + display_name = "mock_subscription" + tenant_id = "00000000-0000-0000-0000-000000000000" + } +} + +mock_data "azuread_service_principal" { + defaults = { + client_id = "00000000-0000-0000-0000-000000000000" + application_id = "00000000-0000-0000-0000-000000000000" + display_name = "mock_service_principal" + object_id = "00000000-0000-0000-0000-000000000000" + } } \ No newline at end of file From 536d3d5186f7a4dba9dd2ed278580b7d079235f2 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 29 May 2024 10:01:26 +0000 Subject: [PATCH 083/244] Update workflow --- .github/workflows/pr_dispatch.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr_dispatch.yaml b/.github/workflows/pr_dispatch.yaml index f478bd51ff..b5353fb82d 100644 --- a/.github/workflows/pr_dispatch.yaml +++ b/.github/workflows/pr_dispatch.yaml @@ -59,6 +59,5 @@ jobs: - name: Repository Dispatch uses: peter-evans/repository-dispatch@v3 with: - token: ${{ secrets.GITHUB_TOKEN }} event-type: pr-${{ matrix.scenario }} client-payload: '{"scenario": "${{ (matrix.scenario) }}", "sha": "${{ github.event.pull_request.head.sha }}"}' From 702a7780b71a93a1f0ec316fd37ef4c512b4a4d0 Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux Date: Wed, 29 May 2024 10:17:38 +0000 Subject: [PATCH 084/244] Remove token access --- .github/workflows/pr_workflow.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/pr_workflow.yaml index b5b6710518..67dd50f950 100644 --- a/.github/workflows/pr_workflow.yaml +++ b/.github/workflows/pr_workflow.yaml @@ -23,7 +23,6 @@ on: - standalone-scenarios-longrunners.json permissions: - id-token: write contents: read env: From 96fdce179fe6b31d29716a68f08d28cea8fc9226 Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Thu, 30 May 2024 12:40:10 +0000 Subject: [PATCH 085/244] Apply terraform fmt --- databricks_access_connectors.tf | 12 ++--- .../configuration.tfvars | 40 +++++++-------- .../aks.tfvars | 2 +- .../configuration.tfvars | 12 ++--- .../configuration.tfvars | 18 +++---- .../configuration.tfvars | 2 +- .../configuration.tfvars | 20 ++++---- examples/mssql_mi/200-mi/configuration.tfvars | 2 +- examples/mssql_mi/200-mi/nsg.tfvars | 2 +- .../recovery_vaults.tfvars | 30 +++++------ .../configuration.tfvars | 8 +-- .../configuration.tfvars | 4 +- .../configuration.tfvars | 2 +- examples/tests/mock/e2e_plan.tftest.hcl | 2 +- examples/variables.tf | 2 +- .../configuration.tfvars | 16 +++--- .../databricks_access_connector/main.tf | 4 +- .../databricks_access_connector/module.tf | 2 +- modules/apim/api_management/module.tf | 2 +- .../container_app_dapr_component.tf | 12 ++--- .../virtual_machine/dynamic_custom_data.tf | 28 +++++------ modules/compute/virtual_machine/vm_disk.tf | 2 +- modules/compute/virtual_machine/vm_linux.tf | 50 +++++++++---------- .../assignment_virtual_machine/main.tf | 4 +- .../assignment_virtual_machine/module.tf | 2 +- modules/maintenance/configuration/module.tf | 6 +-- modules/maintenance/configuration/outputs.tf | 4 +- .../private_endpoint/private_endpoint.tf | 6 +-- modules/networking/virtual_wan/virtual_wan.tf | 2 +- .../backup_policies_vm_workload.tf | 2 +- modules/recovery_vault/outputs.tf | 2 +- modules/roles/custom_roles/module.tf | 2 +- msssql_managed_instances.tf | 16 +++--- msssql_managed_instances_v1.tf | 16 +++--- 34 files changed, 168 insertions(+), 168 deletions(-) diff --git a/databricks_access_connectors.tf b/databricks_access_connectors.tf index 108aaf3e99..87975da0bb 100644 --- a/databricks_access_connectors.tf +++ b/databricks_access_connectors.tf 
@@ -2,12 +2,12 @@ module "databricks_access_connectors" { source = "./modules/analytics/databricks_access_connector" for_each = local.database.databricks_access_connectors - client_config = local.client_config - global_settings = local.global_settings - name = each.value.name - settings = each.value - resource_groups = local.combined_objects_resource_groups - base_tags = local.global_settings.inherit_tags + client_config = local.client_config + global_settings = local.global_settings + name = each.value.name + settings = each.value + resource_groups = local.combined_objects_resource_groups + base_tags = local.global_settings.inherit_tags remote_objects = { managed_identities = local.combined_objects_managed_identities } diff --git a/examples/apim/118-api_management_platform_stv2/configuration.tfvars b/examples/apim/118-api_management_platform_stv2/configuration.tfvars index 605fed4e7d..59892b21df 100644 --- a/examples/apim/118-api_management_platform_stv2/configuration.tfvars +++ b/examples/apim/118-api_management_platform_stv2/configuration.tfvars @@ -26,20 +26,20 @@ vnets = { region = "region1" vnet = { name = "example-uks" # prefix-vnet-example-uks - address_space = ["10.0.0.0/16"] + address_space = ["10.0.0.0/16"] } subnets = { - + # Example subnet for APIM private endpoint - + snet_example_apim_uks = { - name = "example-apim-uks" #prefix-snet-example-apim-uks - cidr = ["10.0.1.0/24"] - nsg_key = "nsg_example_apim_uks" - # route_table_key = "" + name = "example-apim-uks" #prefix-snet-example-apim-uks + cidr = ["10.0.1.0/24"] + nsg_key = "nsg_example_apim_uks" + # route_table_key = "" service_endpoints = ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.Sql", "Microsoft.EventHub", "Microsoft.ServiceBus"] # service endpoints required for APIM } - } + } } } 
@@ -142,31 +142,31 @@ public_ip_addresses = {
 api_management = {
 apim_uks = {
- name = "example-uks" # prefix-apim-example-uks
- resource_group_key = "rg_example_apim_uks"
- publisher_name = "apim.example.sre.com"
- publisher_email = "example.apim@sre.com"
- sku_name = "Developer_1" # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management#sku_name
- region = "region1"
+ name = "example-uks" # prefix-apim-example-uks
+ resource_group_key = "rg_example_apim_uks"
+ publisher_name = "apim.example.sre.com"
+ publisher_email = "example.apim@sre.com"
+ sku_name = "Developer_1" # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management#sku_name
+ region = "region1"
 # Required to deploy APIM on platform verions stv2.*
- public_ip_address = {
- key = "pip_apim_uks"
- # lz_key = ""
- }
+ public_ip_address = {
+ key = "pip_apim_uks"
+ # lz_key = ""
+ }
 virtual_network_type = "Internal" # The type of virtual network you want to use, valid values include: None, External, Internal. Defaults to None.
 virtual_network_configuration = {
 vnet_key = "vnet_example_uks"
 subnet_key = "snet_example_apim_uks"
- # lz_key = ""
+ # lz_key = ""
 }
 identity = {
 type = "UserAssigned"
 managed_identity_keys = ["msi_apim_uks"]
 }
-
+
 portal = {
 host_name = "example.apim.com"
 }
diff --git a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars
index f147de340c..da406c0403 100644
--- a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars
+++ b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars
@@ -39,7 +39,7 @@ aks_clusters = {
 addon_profile = {
 oms_agent = {
- log_analytics_key = "central_logs_region1"
+ log_analytics_key = "central_logs_region1"
 msi_auth_for_monitoring_enabled = true
 }
 }
diff --git a/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars b/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars
index 35822f8398..42b9ea57b3 100644
--- a/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars
+++ b/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars
@@ -63,23 +63,23 @@ virtual_machines = {
 disable_password_authentication = true
 custom_data = {
- templatefile = "compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl"
- my_value = "my_value"
+ templatefile = "compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl"
+ my_value = "my_value"
 }
 dynamic_custom_data = {
 vnets = {
- vnet_region1 ={}
+ vnet_region1 = {}
 }
 storage_accounts = {
 sa1 = {
- file_share = "share1"
- file_share_directory = "dir1"
+ file_share = "share1"
+ file_share_directory = "dir1"
 }
 }
 keyvault_keys = {
 key1 = {
 keyvault_key = "example_vm_rg1"
- name = "disk-key"
+ name = "disk-key"
 }
 }
 }
diff --git a/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars b/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars
index b3dd3e7fb8..e7ece91817 100644
--- a/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars
+++ b/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars
@@ -13,16 +13,16 @@ resource_groups = {
 databricks_access_connectors = {
 dac_1 = {
- name = "example-name"
- resource_group_key = "dac_test"
- identity = {
- type = "UserAssigned" #SystemAssigned
- managed_identity_keys = ["dac_test"]
+ name = "example-name"
+ resource_group_key = "dac_test"
+ identity = {
+ type = "UserAssigned" #SystemAssigned
+ managed_identity_keys = ["dac_test"]
+ }
+ tags = {
+ test = "test"
+ test1 = "test1"
 }
- tags = {
- test = "test"
- test1 = "test1"
- }
 }
 }
diff --git a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars
index dae867700e..dc7b8369b2 100644
--- a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars
+++ b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars
@@ -94,7 +94,7 @@ virtual_machines = {
 priority = "Spot"
 eviction_policy = "Deallocate"
- patch_mode = "AutomaticByPlatform"
+ patch_mode = "AutomaticByPlatform"
 bypass_platform_safety_checks_on_user_schedule_enabled = true
 # When you want to load the file from the folder in the custom_data always use the relative path from the caf_solution in landing zones
 custom_data = "../../examples/compute/virtual_machine/101-single-windows-vm/scripts/custom.ps1"
diff --git a/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars b/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars
index fa7f0951d4..2da8bdcddc 100644
--- a/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars
+++ b/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars
@@ -6,7 +6,7 @@ global_settings = {
 }
 inherit_tags = true
-
+
 resource_defaults = {
 virtual_machines = {
 # set the below to enable az managed boot diagostics for vms
@@ -70,17 +70,17 @@ virtual_machines = {
 # Spot VM to save money
 priority = "Spot"
 eviction_policy = "Deallocate"
-
- patch_mode = "AutomaticByPlatform"
+
+ patch_mode = "AutomaticByPlatform"
 bypass_platform_safety_checks_on_user_schedule_enabled = true
 # Value of the nic keys to attach the VM. The first one in the list is the default nic
 network_interface_keys = ["nic0"]
 os_disk = {
- name = "example_vm1-os"
- caching = "ReadWrite"
- storage_account_type = "Standard_LRS"
+ name = "example_vm1-os"
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
 }
 identity = {
 type = "SystemAssigned" #SystemAssigned OR UserAssigned OR SystemAssigned, UserAssigned
@@ -105,10 +105,10 @@ virtual_machines = {
 name = "server1-data1"
 storage_account_type = "Standard_LRS"
 # Only Empty is supported. More community contributions required to cover other scenarios
- create_option = "Empty"
- disk_size_gb = "10"
- lun = 1
- zones = ["1"]
+ create_option = "Empty"
+ disk_size_gb = "10"
+ lun = 1
+ zones = ["1"]
 }
 }
 }
diff --git a/examples/mssql_mi/200-mi/configuration.tfvars b/examples/mssql_mi/200-mi/configuration.tfvars
index 962c048b99..8eea3a3122 100644
--- a/examples/mssql_mi/200-mi/configuration.tfvars
+++ b/examples/mssql_mi/200-mi/configuration.tfvars
@@ -21,7 +21,7 @@ vnets = {
 resource_group_key = "networking_region1"
 vnet = {
 name = "sqlmi-rg1"
- address_space = ["172.25.88.0/21","10.2.0.0/24"]
+ address_space = ["172.25.88.0/21", "10.2.0.0/24"]
 }
 subnets = {
 sqlmi1 = {
diff --git a/examples/mssql_mi/200-mi/nsg.tfvars b/examples/mssql_mi/200-mi/nsg.tfvars
index d07e9224d5..d5bb2718bb 100644
--- a/examples/mssql_mi/200-mi/nsg.tfvars
+++ b/examples/mssql_mi/200-mi/nsg.tfvars
@@ -84,6 +84,6 @@ network_security_group_definition = {
 ]
 }
 subnet02 = {
- nsg= []
+ nsg = []
 }
 }
diff --git a/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars
index b744f026c2..b740c02701 100644
--- a/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars
+++ b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars
@@ -10,11 +10,11 @@ recovery_vaults = {
 backup_policies = {
 vm_workloads = {
 sql = {
- name = "SQLTest"
- workload_type = "SQLDataBase"
- vault_key = "asr1"
- rg_key = "primary"
- timezone = "UTC"
+ name = "SQLTest"
+ workload_type = "SQLDataBase"
+ vault_key = "asr1"
+ rg_key = "primary"
+ timezone = "UTC"
 compression_enabled = false
 protection_policies = {
 sqlfull = {
@@ -23,8 +23,8 @@ recovery_vaults = {
 frequency = "Daily"
 time = "15:00"
 }
- retention_daily = {
- count = 8
+ retention_daily = {
+ count = 8
 }
 }
 sqllog = {
@@ -39,11 +39,11 @@ recovery_vaults = {
 }
 }
 saphana = {
- name = "SAPHANATest"
- workload_type = "SAPHanaDatabase"
- vault_key = "asr1"
- rg_key = "primary"
- timezone = "UTC"
+ name = "SAPHANATest"
+ workload_type = "SAPHanaDatabase"
+ vault_key = "asr1"
+ rg_key = "primary"
+ timezone = "UTC"
 compression_enabled = false
 protection_policies = {
 saphanafull = {
@@ -52,8 +52,8 @@ recovery_vaults = {
 frequency = "Daily"
 time = "15:00"
 }
- retention_daily = {
- count = 8
+ retention_daily = {
+ count = 8
 }
 }
 saphanalog = {
@@ -65,7 +65,7 @@ recovery_vaults = {
 count = 8
 }
 }
- }
+ }
 }
 }
 }
diff --git a/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars
index 875f053a47..873eb25a94 100644
--- a/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars
+++ b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars
@@ -16,16 +16,16 @@ cognitive_services_account = {
 resource_group = {
 key = "rg1"
 }
- name = "pinecone-llm-demoopenai"
- kind = "OpenAI"
- sku_name = "S0"
+ name = "pinecone-llm-demoopenai"
+ kind = "OpenAI"
+ sku_name = "S0"
 custom_subdomain_name = "cs-alz-caf-llm-demoopenai"
 }
 }
 managed_identities = {
 workload-msi = {
- name = "example-msi-openai-rolemap-msi"
+ name = "example-msi-openai-rolemap-msi"
 resource_group_key = "rg1"
 }
 }
diff --git a/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars b/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars
index 2d302c73f8..a849c3cfca 100644
--- a/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars
+++ b/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars
@@ -25,8 +25,8 @@ vnets = {
 }
 subnets = {
 default = {
- name = "default"
- cidr = ["10.5.1.0/24"]
+ name = "default"
+ cidr = ["10.5.1.0/24"]
 }
 }
 }
diff --git a/examples/search_service/102-search-service-only-azuread/configuration.tfvars b/examples/search_service/102-search-service-only-azuread/configuration.tfvars
index fa4190a82c..fd91a13b81 100644
--- a/examples/search_service/102-search-service-only-azuread/configuration.tfvars
+++ b/examples/search_service/102-search-service-only-azuread/configuration.tfvars
@@ -22,7 +22,7 @@ search_services = {
 identity = {
 type = "SystemAssigned"
 }
- local_authentication_enabled = false
+ local_authentication_enabled = false
 # public_network_access_enabled = true
 # allowed_ips = ["13.478.57.73"]
 }
diff --git a/examples/tests/mock/e2e_plan.tftest.hcl b/examples/tests/mock/e2e_plan.tftest.hcl
index a9d1cb2780..213502c713 100644
--- a/examples/tests/mock/e2e_plan.tftest.hcl
+++ b/examples/tests/mock/e2e_plan.tftest.hcl
@@ -3,7 +3,7 @@ mock_provider "azurerm" {
 }
 mock_provider "azurerm" {
- alias = "vhub"
+ alias = "vhub"
 source = "./tests/mock_data"
 }
diff --git a/examples/variables.tf b/examples/variables.tf
index 0e46b8498f..53625d0dd2 100644
--- a/examples/variables.tf
+++ b/examples/variables.tf
@@ -1130,7 +1130,7 @@ variable "maintenance_assignment_virtual_machine" {
 default = {}
 }
 variable "search_services" {
- default = {}
+ default = {}
 }
 variable "load_test" {
 default = {}
diff --git a/examples/webapps/appservice/103-appservice-extend/configuration.tfvars b/examples/webapps/appservice/103-appservice-extend/configuration.tfvars
index f4cd1fcc04..b01dcbc5a3 100644
--- a/examples/webapps/appservice/103-appservice-extend/configuration.tfvars
+++ b/examples/webapps/appservice/103-appservice-extend/configuration.tfvars
@@ -52,19 +52,19 @@ app_services = {
 ip_restriction = [
 {
- name = "deny-all-traffic"
- action = "Deny"
- ip_address = "0.0.0.0/0"
- priority = 65000
+ name = "deny-all-traffic"
+ action = "Deny"
+ ip_address = "0.0.0.0/0"
+ priority = 65000
 }
 ]
 scm_ip_restriction = [
 {
- name = "allow-all-traffic"
- action = "Allow"
- ip_address = "0.0.0.0/0"
- priority = 65000
+ name = "allow-all-traffic"
+ action = "Allow"
+ ip_address = "0.0.0.0/0"
+ priority = 65000
 }
 ]
 }
diff --git a/modules/analytics/databricks_access_connector/main.tf b/modules/analytics/databricks_access_connector/main.tf
index 00369bb2be..f6a34ca013 100644
--- a/modules/analytics/databricks_access_connector/main.tf
+++ b/modules/analytics/databricks_access_connector/main.tf
@@ -5,8 +5,8 @@ locals {
 try(var.settings.tags, null)
 ) : try(var.settings.tags, null)
-
- resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)]
+
+ resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)]
 }
 terraform {
diff --git a/modules/analytics/databricks_access_connector/module.tf b/modules/analytics/databricks_access_connector/module.tf
index 9da6636dfb..4b577f596f 100644
--- a/modules/analytics/databricks_access_connector/module.tf
+++ b/modules/analytics/databricks_access_connector/module.tf
@@ -11,5 +11,5 @@ resource "azurerm_databricks_access_connector" "databricks_access_connector" {
 identity_ids = concat(local.managed_identities, try(identity.value.identity_ids, []))
 }
 }
-
+
 }
diff --git a/modules/apim/api_management/module.tf b/modules/apim/api_management/module.tf
index 65c1a777f1..59e188c6a6 100644
--- a/modules/apim/api_management/module.tf
+++ b/modules/apim/api_management/module.tf
@@ -17,7 +17,7 @@ resource "azurerm_api_management" "apim" {
 publisher_email = var.settings.publisher_email
 sku_name = var.settings.sku_name
- public_ip_address_id = can(var.settings.public_ip_address_id) ? var.settings.public_ip_address_id : can(var.settings.public_ip_address.key) ? var.public_ip_addresses[try(var.settings.public_ip_address.lz_key, var.client_config.landingzone_key)][var.settings.public_ip_address.key].id : null
+ public_ip_address_id = can(var.settings.public_ip_address_id) ? var.settings.public_ip_address_id : can(var.settings.public_ip_address.key) ? var.public_ip_addresses[try(var.settings.public_ip_address.lz_key, var.client_config.landingzone_key)][var.settings.public_ip_address.key].id : null
 dynamic "additional_location" {
 for_each = try(var.settings.additional_location, null) != null ? [var.settings.additional_location] : []
diff --git a/modules/compute/container_app_dapr_component/container_app_dapr_component.tf b/modules/compute/container_app_dapr_component/container_app_dapr_component.tf
index 5944658593..c3f47aef36 100644
--- a/modules/compute/container_app_dapr_component/container_app_dapr_component.tf
+++ b/modules/compute/container_app_dapr_component/container_app_dapr_component.tf
@@ -9,11 +9,11 @@ resource "azurerm_container_app_environment_dapr_component" "cadc" {
 dynamic "metadata" {
 for_each = try(var.settings.metadata, {})
-
+
 content {
- name = metadata.value.name
- secret_name = try(metadata.value.secret_name, null)
- value = try(metadata.value.value, null)
+ name = metadata.value.name
+ secret_name = try(metadata.value.secret_name, null)
+ value = try(metadata.value.value, null)
 }
 }
@@ -21,8 +21,8 @@ resource "azurerm_container_app_environment_dapr_component" "cadc" {
 for_each = try(var.settings.secret, {})
 content {
- name = secret.value.name
- value = secret.value.value
+ name = secret.value.name
+ value = secret.value.value
 }
 }
 }
diff --git a/modules/compute/virtual_machine/dynamic_custom_data.tf b/modules/compute/virtual_machine/dynamic_custom_data.tf
index c47299c4ee..2b2623b53e 100644
--- a/modules/compute/virtual_machine/dynamic_custom_data.tf
+++ b/modules/compute/virtual_machine/dynamic_custom_data.tf
@@ -1,6 +1,6 @@
 data "azurerm_key_vault_secret" "custom_data" {
- for_each = local.os_type == "linux" ? try({for k,v in local.dynamic_custom_data_to_process["keyvaults"]: k => v }, {}) : {}
+ for_each = local.os_type == "linux" ? try({ for k, v in local.dynamic_custom_data_to_process["keyvaults"] : k => v }, {}) : {}
 key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id
 name = each.value.name
@@ -8,7 +8,7 @@ data "azurerm_key_vault_secret" "custom_data" {
 }
 data "azurerm_key_vault_key" "custom_data" {
- for_each = local.os_type == "linux" ? try({for k,v in local.dynamic_custom_data_to_process["keyvault_keys"]: k =>v }, {}) : {}
+ for_each = local.os_type == "linux" ? try({ for k, v in local.dynamic_custom_data_to_process["keyvault_keys"] : k => v }, {}) : {}
 key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id
 name = each.value.name
@@ -17,7 +17,7 @@ data "azurerm_key_vault_key" "custom_data" {
 }
 data "azurerm_key_vault_certificate" "custom_data" {
- for_each = local.os_type == "linux" ? try({for k,v in local.dynamic_custom_data_to_process["keyvault_certificates"]: k => v }, {}) : {}
+ for_each = local.os_type == "linux" ? try({ for k, v in local.dynamic_custom_data_to_process["keyvault_certificates"] : k => v }, {}) : {}
 key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id
 name = each.value.name
@@ -25,7 +25,7 @@ data "azurerm_key_vault_certificate" "custom_data" {
 }
 locals {
-
+
 palo_alto_connection_string = { for item in var.settings.virtual_machine_settings : item.name => base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}")
@@ -33,14 +33,14 @@ locals {
 }
 combined_objects = {
- storage_accounts = var.storage_accounts
- keyvaults = var.keyvaults
- keyvault_keys = try(data.azurerm_key_vault_key.custom_data,{})
- keyvault_secrets = try(data.azurerm_key_vault_secret.custom_data,{})
- keyvault_certificates = try(data.azurerm_key_vault_certificate.custom_data,{})
- vnets = var.vnets
+ storage_accounts = var.storage_accounts
+ keyvaults = var.keyvaults
+ keyvault_keys = try(data.azurerm_key_vault_key.custom_data, {})
+ keyvault_secrets = try(data.azurerm_key_vault_secret.custom_data, {})
+ keyvault_certificates = try(data.azurerm_key_vault_certificate.custom_data, {})
+ vnets = var.vnets
 }
-
+
 dynamic_custom_data_to_process = {
 for setting in flatten([
@@ -55,10 +55,10 @@ locals {
 ]) : setting.key => setting.value
 }
- dynamic_custom_data_combined_objects ={
- for key, value in local.dynamic_custom_data_to_process: key =>
+ dynamic_custom_data_combined_objects = {
+ for key, value in local.dynamic_custom_data_to_process : key =>
 {
- for k,v in value: k => try(local.combined_objects[key][try(v.lz_key, var.client_config.landingzone_key)][k], local.combined_objects[key][k])
+ for k, v in value : k => try(local.combined_objects[key][try(v.lz_key, var.client_config.landingzone_key)][k], local.combined_objects[key][k])
 }
 }
diff --git a/modules/compute/virtual_machine/vm_disk.tf b/modules/compute/virtual_machine/vm_disk.tf
index 3195a8945a..506ad2e2a2 100644
--- a/modules/compute/virtual_machine/vm_disk.tf
+++ b/modules/compute/virtual_machine/vm_disk.tf
@@ -10,7 +10,7 @@ data "azurecaf_name" "disk" {
 use_slug = var.global_settings.use_slug
 }
-resource "azurerm_managed_disk" "disk" {
+resource "azurerm_managed_disk" "disk" {
 for_each = lookup(var.settings, "data_disks", {})
 name = data.azurecaf_name.disk[each.key].result
diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf
index 5bd8b073e9..6703623b32 100644
--- a/modules/compute/virtual_machine/vm_linux.tf
+++ b/modules/compute/virtual_machine/vm_linux.tf
@@ -46,7 +46,7 @@ data "azurecaf_name" "os_disk_linux" {
 use_slug = var.global_settings.use_slug
 }
 resource "local_sensitive_file" "custom_data" {
- for_each = local.os_type == "linux" ? try({for k,v in var.settings.virtual_machine_settings : k => v if can(v.custom_data.templatefile)} , {}) : {}
+ for_each = local.os_type == "linux" ? try({ for k, v in var.settings.virtual_machine_settings : k => v if can(v.custom_data.templatefile) }, {}) : {}
 content = templatefile(try(format("%s/%s", path.cwd, each.value.custom_data.templatefile), each.value.custom_data.templatefile), merge(each.value.custom_data, local.dynamic_custom_data))
 filename = try(format("%s/%s.out", path.cwd, each.value.custom_data.templatefile), each.value.custom_data.templatefile)
 }
@@ -54,37 +54,37 @@ resource "local_sensitive_file" "custom_data" {
 resource "azurerm_linux_virtual_machine" "vm" {
 for_each = local.os_type == "linux" ? var.settings.virtual_machine_settings : {}
- admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null
- admin_username = each.value.admin_username
- allow_extension_operations = try(each.value.allow_extension_operations, null)
- availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ? var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null)
- computer_name = data.azurecaf_name.linux_computer_name[each.key].result
- disable_password_authentication = try(each.value.disable_password_authentication, true)
- encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null)
- eviction_policy = try(each.value.eviction_policy, null)
- license_type = try(each.value.license_type, null)
- location = local.location
- max_bid_price = try(each.value.max_bid_price, null)
- name = data.azurecaf_name.linux[each.key].result
- network_interface_ids = local.nic_ids
+ admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null
+ admin_username = each.value.admin_username
+ allow_extension_operations = try(each.value.allow_extension_operations, null)
+ availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ?
var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null)
+ computer_name = data.azurecaf_name.linux_computer_name[each.key].result
+ disable_password_authentication = try(each.value.disable_password_authentication, true)
+ encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null)
+ eviction_policy = try(each.value.eviction_policy, null)
+ license_type = try(each.value.license_type, null)
+ location = local.location
+ max_bid_price = try(each.value.max_bid_price, null)
+ name = data.azurecaf_name.linux[each.key].result
+ network_interface_ids = local.nic_ids
 bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, null)
 # (Optional) Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault. For more information on patch modes please see the product documentation.
- patch_mode = try(each.value.patch_mode, "ImageDefault")
- priority = try(each.value.priority, null)
- provision_vm_agent = try(each.value.provision_vm_agent, true)
- proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ?
var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null)
- resource_group_name = local.resource_group_name
- size = each.value.size
- tags = merge(local.tags, try(each.value.tags, null))
- zone = try(each.value.zone, null)
- secure_boot_enabled = try(each.value.secure_boot_enabled, null)
- vtpm_enabled = try(each.value.vtpm_enabled, null)
+ patch_mode = try(each.value.patch_mode, "ImageDefault")
+ priority = try(each.value.priority, null)
+ provision_vm_agent = try(each.value.provision_vm_agent, true)
+ proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null)
+ resource_group_name = local.resource_group_name
+ size = each.value.size
+ tags = merge(local.tags, try(each.value.tags, null))
+ zone = try(each.value.zone, null)
+ secure_boot_enabled = try(each.value.secure_boot_enabled, null)
+ vtpm_enabled = try(each.value.vtpm_enabled, null)
 custom_data = try(
 try(
 try(local_sensitive_file.custom_data[each.key].content_base64, local.dynamic_custom_data[each.value.custom_data][each.value.name]),
- try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))),
+ try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))),
 null)
diff --git a/modules/maintenance/assignment_virtual_machine/main.tf b/modules/maintenance/assignment_virtual_machine/main.tf
index 02833ea709..7c28cbbdb3 100644
--- a/modules/maintenance/assignment_virtual_machine/main.tf
+++ b/modules/maintenance/assignment_virtual_machine/main.tf
@@ -10,6 +10,6 @@ locals {
 module_tag = {
 "module" = basename(abspath(path.module))
 }
- tags = merge(var.base_tags, local.module_tag, try(var.tags, null))
- location = var.location
+ tags = merge(var.base_tags, local.module_tag, try(var.tags, null))
+ location = var.location
 }
\ No newline at end of file
diff --git a/modules/maintenance/assignment_virtual_machine/module.tf b/modules/maintenance/assignment_virtual_machine/module.tf
index 2ea9ff6338..8db2502a19 100644
--- a/modules/maintenance/assignment_virtual_machine/module.tf
+++ b/modules/maintenance/assignment_virtual_machine/module.tf
@@ -1,4 +1,4 @@
-resource "azurerm_maintenance_assignment_virtual_machine" "maintenance_assignment_virtual_machine" {
+resource "azurerm_maintenance_assignment_virtual_machine" "maintenance_assignment_virtual_machine" {
 location = var.location
 maintenance_configuration_id = var.maintenance_configuration_id
 virtual_machine_id = var.virtual_machine_id
diff --git a/modules/maintenance/configuration/module.tf b/modules/maintenance/configuration/module.tf
index f28e7033c5..aa5e777aa1 100644
--- a/modules/maintenance/configuration/module.tf
+++ b/modules/maintenance/configuration/module.tf
@@ -14,10 +14,10 @@ resource "azurerm_maintenance_configuration" "maintenance_configuration" {
 location = var.location
 scope = var.scope
 visibility = try(var.visibility, null)
- properties = try(var.properties, {})
+ properties = try(var.properties, {})
 in_guest_user_patch_mode = var.settings.scope == "InGuestPatch" ? var.in_guest_user_patch_mode : try(var.in_guest_user_patch_mode, null)
-
+
 dynamic "window" {
 for_each = try(var.settings.window, null) != null ? [var.settings.window] : []
 content {
@@ -52,7 +52,7 @@ resource "azurerm_maintenance_configuration" "maintenance_configuration" {
 }
 }
- reboot = try(var.settings.install_patches.reboot, "IfRequired" )
+ reboot = try(var.settings.install_patches.reboot, "IfRequired")
 }
 }
diff --git a/modules/maintenance/configuration/outputs.tf b/modules/maintenance/configuration/outputs.tf
index 701dd0eb94..3163ab4fa2 100644
--- a/modules/maintenance/configuration/outputs.tf
+++ b/modules/maintenance/configuration/outputs.tf
@@ -5,10 +5,10 @@ output "id" {
 output "maintenance_configuration_name" {
 description = "The name of the maintenance configuration."
- value = azurerm_maintenance_configuration.maintenance_configuration.name
+ value = azurerm_maintenance_configuration.maintenance_configuration.name
 }
 output "maintenance_configuration_location" {
 description = "The location where the resource exists"
- value = azurerm_maintenance_configuration.maintenance_configuration.location
+ value = azurerm_maintenance_configuration.maintenance_configuration.location
 }
\ No newline at end of file
diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf
index dd5a6ca7be..d74f19c6bd 100644
--- a/modules/networking/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_endpoint/private_endpoint.tf
@@ -56,10 +56,10 @@ resource "azurerm_private_endpoint" "pep" {
 }
 resource "time_sleep" "delay" {
- count = can(lookup(var.settings,var.settings.delay_time_after_creation,false)) ? 1: 0
- depends_on = [azurerm_private_endpoint.pep]
+ count = can(lookup(var.settings, var.settings.delay_time_after_creation, false)) ? 1 : 0
+ depends_on = [azurerm_private_endpoint.pep]
 create_duration = var.settings.delay_time_after_creation
 lifecycle {
- replace_triggered_by = [ azurerm_private_endpoint.pep ]
+ replace_triggered_by = [azurerm_private_endpoint.pep]
 }
 }
\ No newline at end of file
diff --git a/modules/networking/virtual_wan/virtual_wan.tf b/modules/networking/virtual_wan/virtual_wan.tf
index b0bb2b03e8..11cb9a2bbd 100644
--- a/modules/networking/virtual_wan/virtual_wan.tf
+++ b/modules/networking/virtual_wan/virtual_wan.tf
@@ -34,6 +34,6 @@ module "hubs" {
 tags = merge(try(each.value.tags, null), local.tags)
 virtual_hub_config = each.value
 virtual_networks = var.virtual_networks
- keyvaults = var.keyvaults
+ keyvaults = var.keyvaults
 vwan_id = azurerm_virtual_wan.vwan.id
 }
diff --git a/modules/recovery_vault/backup_policies_vm_workload.tf b/modules/recovery_vault/backup_policies_vm_workload.tf
index b40bffdeda..83520e77c0 100644
--- a/modules/recovery_vault/backup_policies_vm_workload.tf
+++ b/modules/recovery_vault/backup_policies_vm_workload.tf
@@ -15,7 +15,7 @@ resource "azurerm_backup_policy_vm_workload" "vm_workload" {
 for_each = each.value.protection_policies
 content {
- policy_type = protection_policy.value.policy_type
+ policy_type = protection_policy.value.policy_type
 backup {
 frequency = try(protection_policy.value.backup.frequency, null)
diff --git a/modules/recovery_vault/outputs.tf b/modules/recovery_vault/outputs.tf
index 7ddb9fc6b3..4213ffee07 100644
--- a/modules/recovery_vault/outputs.tf
+++ b/modules/recovery_vault/outputs.tf
@@ -16,7 +16,7 @@ output "backup_policies" {
 value = {
 virtual_machines = azurerm_backup_policy_vm.vm
 file_shares = azurerm_backup_policy_file_share.fs
- vm_workloads = azurerm_backup_policy_vm_workload.vm_workload
+ vm_workloads = azurerm_backup_policy_vm_workload.vm_workload
 }
 }
diff --git a/modules/roles/custom_roles/module.tf b/modules/roles/custom_roles/module.tf
index 44cbc4d118..94a0a1747f 100644
--- a/modules/roles/custom_roles/module.tf
+++ b/modules/roles/custom_roles/module.tf
@@ -1,6 +1,6 @@
 locals {
- global_settings = merge(var.global_settings, try(var.custom_role.global_settings,{}))
+ global_settings = merge(var.global_settings, try(var.custom_role.global_settings, {}))
 }
 resource "azurecaf_name" "custom_role" {
diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf
index e4e0b84ad3..373d445ec9 100644
--- a/msssql_managed_instances.tf
+++ b/msssql_managed_instances.tf
@@ -18,10 +18,10 @@ module "mssql_managed_instances" {
 base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
 inherit_tags = try(local.global_settings.inherit_tags, false)
 keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)]
- vnets = local.combined_objects_networking
- private_endpoints = try(each.value.private_endpoints, {})
- private_dns = local.combined_objects_private_dns
- resource_groups = local.combined_objects_resource_groups
+ vnets = local.combined_objects_networking
+ private_endpoints = try(each.value.private_endpoints, {})
+ private_dns = local.combined_objects_private_dns
+ resource_groups = local.combined_objects_resource_groups
 }
 module "mssql_managed_instances_secondary" {
@@ -42,10 +42,10 @@ module "mssql_managed_instances_secondary" { subnet_id = can(each.value.networking.subnet_id) ? each.value.networking.subnet_id : local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups } module "mssql_mi_failover_groups" { diff --git a/msssql_managed_instances_v1.tf b/msssql_managed_instances_v1.tf index 9de5953861..93c0235fb4 100644 --- a/msssql_managed_instances_v1.tf +++ b/msssql_managed_instances_v1.tf 
@@ -34,10 +34,10 @@ module "mssql_managed_instances_v1" { keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] primary_server_id = null group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) 
@@ -62,10 +62,10 @@ module "mssql_managed_instances_secondary_v1" { primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.administrators.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) From b7284798f261f178fb9b111c7e24245db2f06842 Mon Sep 17 00:00:00 2001 From: shanoor <17402800+shanoor@users.noreply.github.com> Date: Thu, 30 May 2024 14:47:56 +0200 Subject: [PATCH 086/244] Allows to use custom appinsights agent version --- modules/webapps/appservice/main.tf | 8 +++++--- modules/webapps/function_app/main.tf | 10 ++++++---- 2 files changed, 11 insertions(+), 7 deletions(-) 
diff --git a/modules/webapps/appservice/main.tf b/modules/webapps/appservice/main.tf index cdd9aaa111..682442ae8c 100644 --- a/modules/webapps/appservice/main.tf +++ b/modules/webapps/appservice/main.tf @@ -27,12 +27,14 @@ locals { arm_filename = "${path.module}/arm_site_config.json" - app_settings = merge(try(var.app_settings, {}), try(local.dynamic_settings_to_process, {}), var.application_insight == null ? {} : - { + app_settings = merge( + var.application_insight == null ? {} : { "APPINSIGHTS_INSTRUMENTATIONKEY" = var.application_insight.instrumentation_key, "APPLICATIONINSIGHTS_CONNECTION_STRING" = var.application_insight.connection_string, "ApplicationInsightsAgent_EXTENSION_VERSION" = "~2" - } + }, + try(var.app_settings, {}), + try(local.dynamic_settings_to_process, {}) ) backup_storage_account = can(var.settings.backup) ? var.storage_accounts[try(var.settings.backup.lz_key, var.client_config.landingzone_key)][var.settings.backup.storage_account_key] : null diff --git a/modules/webapps/function_app/main.tf b/modules/webapps/function_app/main.tf index 1cc33b7edc..a401486a5e 100644 --- a/modules/webapps/function_app/main.tf +++ b/modules/webapps/function_app/main.tf @@ -27,12 +27,14 @@ locals { arm_filename = "${path.module}/arm_site_config.json" - app_settings = merge(try(var.app_settings, {}), try(local.dynamic_settings_to_process, {}), var.application_insight == null ? {} : - { + app_settings = merge( + var.application_insight == null ? {} : { "APPINSIGHTS_INSTRUMENTATIONKEY" = var.application_insight.instrumentation_key, "APPLICATIONINSIGHTS_CONNECTION_STRING" = var.application_insight.connection_string, "ApplicationInsightsAgent_EXTENSION_VERSION" = "~2" - } + }, + try(var.app_settings, {}), + try(local.dynamic_settings_to_process, {}) ) -} \ No newline at end of file +} From 5707eec10701285f386ffc96a74e2a23cdffdd98 Mon Sep 17 00:00:00 2001 
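Review bot: The reordered `merge()` now lets `var.app_settings` and `local.dynamic_settings_to_process` override not only `ApplicationInsightsAgent_EXTENSION_VERSION` but also `APPINSIGHTS_INSTRUMENTATIONKEY` and `APPLICATIONINSIGHTS_CONNECTION_STRING`, so a caller's settings can silently redirect telemetry away from the `var.application_insight` resource; the same reorder is made in modules/webapps/function_app/main.tf in this commit. If that widening is intended, state the precedence above the assignment, e.g. `# Precedence, lowest to highest: Application Insights defaults, var.app_settings, dynamic settings; callers may override the agent version and the telemetry target.`; if only the agent version should be overridable, keep the key and connection string as the last argument of `merge()` and override only the version key. The enclosing `locals` block continues outside the hunk.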
From: Arnaud Lheureux Date: Sun, 2 Jun 2024 18:49:48 -0700 Subject: [PATCH 087/244] Simplify workflows --- .../{pr_dispatch.yaml => pr_lint.yaml} | 25 +-- .github/workflows/pr_tests-azuread.yaml | 95 +++++++++++ .github/workflows/pr_tests-compute.yaml | 95 +++++++++++ .github/workflows/pr_tests-dataplat.yaml | 101 +++++++++++ .github/workflows/pr_tests-networking.yaml | 95 +++++++++++ .github/workflows/pr_tests-scenarios.yaml | 91 ++++++++++ ...s-azuread.json => standalone-azuread.json} | 0 .github/workflows/standalone-compute.json | 5 +- .github/workflows/standalone-compute.yaml | 152 ----------------- .github/workflows/standalone-dataplat.json | 76 +++++++++ .github/workflows/standalone-networking.json | 15 +- .github/workflows/standalone-networking.yaml | 152 ----------------- .../workflows/standalone-regressor-tf100.yaml | 3 +- .../standalone-scenarios-additional.json | 5 - .../standalone-scenarios-longrunners.json | 41 ----- .github/workflows/standalone-scenarios.json | 109 ++++-------- .github/workflows/standalone-tf100.yaml | 161 ------------------ .github/workflows/weekly_dispatch.yaml | 34 ++++ ...{pr_workflow.yaml => weekly_workflow.yaml} | 23 ++- 19 files changed, 648 insertions(+), 630 deletions(-) rename .github/workflows/{pr_dispatch.yaml => pr_lint.yaml} (58%) create mode 100644 .github/workflows/pr_tests-azuread.yaml create mode 100644 .github/workflows/pr_tests-compute.yaml create mode 100644 .github/workflows/pr_tests-dataplat.yaml create mode 100644 .github/workflows/pr_tests-networking.yaml create mode 100644 .github/workflows/pr_tests-scenarios.yaml rename .github/workflows/{standalone-scenarios-azuread.json => standalone-azuread.json} (100%) delete mode 100644 .github/workflows/standalone-compute.yaml create mode 100644 .github/workflows/standalone-dataplat.json delete mode 100644 .github/workflows/standalone-networking.yaml delete mode 100644 .github/workflows/standalone-scenarios-longrunners.json delete mode 100644 
.github/workflows/standalone-tf100.yaml create mode 100644 .github/workflows/weekly_dispatch.yaml rename .github/workflows/{pr_workflow.yaml => weekly_workflow.yaml} (97%) diff --git a/.github/workflows/pr_dispatch.yaml b/.github/workflows/pr_lint.yaml similarity index 58% rename from .github/workflows/pr_dispatch.yaml rename to .github/workflows/pr_lint.yaml index f478bd51ff..8e0d16a3d4 100644 --- a/.github/workflows/pr_dispatch.yaml +++ b/.github/workflows/pr_lint.yaml @@ -3,7 +3,7 @@ # Licensed under the MIT License. # -name: PR Dispatch Workflow +name: PR Tflint on: pull_request: @@ -12,6 +12,7 @@ on: env: TF_VERSION: "1.8.4" TF_LINT_VERSION: "v0.50.3" + jobs: linting: name: Format and Lint Checks @@ -35,30 +36,10 @@ jobs: with: tflint_version: ${{ env.TF_LINT_VERSION }} - - name: Run TFLint with reviewdog uses: reviewdog/action-tflint@v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} reporter: github-pr-check level: info - tflint_init: true - - dispatch: - runs-on: ubuntu-latest - strategy: - matrix: - scenario: - - standalone-scenarios-azuread.json - - standalone-scenarios.json - - standalone-compute.json - - standalone-networking.json - - standalone-scenarios-longrunners.json - - steps: - - name: Repository Dispatch - uses: peter-evans/repository-dispatch@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: pr-${{ matrix.scenario }} - client-payload: '{"scenario": "${{ (matrix.scenario) }}", "sha": "${{ github.event.pull_request.head.sha }}"}' + tflint_init: true \ No newline at end of file diff --git a/.github/workflows/pr_tests-azuread.yaml b/.github/workflows/pr_tests-azuread.yaml new file mode 100644 index 0000000000..60640e52ae --- /dev/null +++ b/.github/workflows/pr_tests-azuread.yaml 
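Review bot: The new last line `tflint_init: true` is written without a trailing newline (`\ No newline at end of file`), whereas the removed `dispatch` job that previously ended the file had one; restore the newline so the file matches the repository's other workflow files and the line does not churn in the next diff. The same missing trailing newline appears at the end of each of the five new `pr_tests-*.yaml` files in this commit.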
@@ -0,0 +1,95 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: PR azuread-tests + +on: + pull_request: + types: [opened, synchronize, reopened] + paths: + - 'azuread*' + - 'modules/azuread/**' + - 'examples/azuread/**' + - '.github/workflows/*azuread.*' + +env: + scenario: standalone-azuread.json + TF_VERSION: "1.8.4" + TF_LINT_VERSION: "v0.50.3" + +jobs: + load_scenarios: + name: Load Test Scenarios Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_scenarios.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + + - id: load_scenarios + run: | + cases=$(cat ./.github/workflows/${{ env.SCENARIO }} | jq -c .) + echo "matrix=${cases}" >> $GITHUB_OUTPUT + + mock_plan_scenarios: + name: ${{ matrix.config_files }} + runs-on: ubuntu-latest + needs: load_scenarios + + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: actions/cache@v4 + with: + 
path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=examples \ + init + + - name: Terraform Test example + id: tf_test + run: | + terraform -chdir=examples \ + test \ + -test-directory=./tests/mock \ + ${{ env.PARAMETER_FILES }} \ + -verbose \ No newline at end of file diff --git a/.github/workflows/pr_tests-compute.yaml b/.github/workflows/pr_tests-compute.yaml new file mode 100644 index 0000000000..993d2269a0 --- /dev/null +++ b/.github/workflows/pr_tests-compute.yaml 
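Review bot: The `env:` block declares `scenario: standalone-azuread.json` but the `load_scenarios` step reads `${{ env.SCENARIO }}`; GitHub's expression context lookup is, as far as I know, case-insensitive so this probably resolves, but a shell reference such as `$scenario` would not be, and the mismatch reads like a typo. Declare it as `SCENARIO: standalone-azuread.json` to match the other upper-case entries. In the `mock_plan_scenarios` job, `${{ matrix.config_files }}` is interpolated directly into `run:` scripts; passing it through a step `env:` (`CONFIG_FILES: ${{ matrix.config_files }}` and then `"$CONFIG_FILES"` in the script) keeps the value out of the shell parser even though the matrix is loaded from a repository JSON file. The `STATE_FILE` and `PLAN_FILE` variables exported by 'Create environment variables' are not consumed by `tf_init` or `tf_test` and can be dropped. The same applies to pr_tests-compute.yaml, pr_tests-dataplat.yaml, pr_tests-networking.yaml and pr_tests-scenarios.yaml in this commit.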
@@ -0,0 +1,95 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: PR compute-tests + +on: + pull_request: + types: [opened, synchronize, reopened] + paths: + - 'compute_*' + - 'modules/compute/**' + - 'examples/compute/**' + - '.github/workflows/*compute.*' + +env: + scenario: standalone-compute.json + TF_VERSION: "1.8.4" + TF_LINT_VERSION: "v0.50.3" + +jobs: + load_scenarios: + name: Load Test Scenarios Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_scenarios.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + + - id: load_scenarios + run: | + cases=$(cat ./.github/workflows/${{ env.SCENARIO }} | jq -c .) + echo "matrix=${cases}" >> $GITHUB_OUTPUT + + mock_plan_scenarios: + name: ${{ matrix.config_files }} + runs-on: ubuntu-latest + needs: load_scenarios + + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: actions/cache@v4 + with: + 
path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=examples \ + init + + - name: Terraform Test example + id: tf_test + run: | + terraform -chdir=examples \ + test \ + -test-directory=./tests/mock \ + ${{ env.PARAMETER_FILES }} \ + -verbose \ No newline at end of file diff --git a/.github/workflows/pr_tests-dataplat.yaml b/.github/workflows/pr_tests-dataplat.yaml new file mode 100644 index 0000000000..5aaabd1a60 --- /dev/null +++ b/.github/workflows/pr_tests-dataplat.yaml 
@@ -0,0 +1,101 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: PR dataplat-tests + +on: + pull_request: + types: [opened, synchronize, reopened] + paths: + - 'mssql*' + - 'modules/analytics/**' + - 'modules/databases/**' + - 'modules/data_factory/**' + - 'modules/purview/**' + - 'examples/analytics/**' + - 'examples/databases/**' + - 'examples/data_factory/**' + - 'examples/purview/**' + - '.github/workflows/*dataplat.*' + +env: + scenario: standalone-dataplat.json + TF_VERSION: "1.8.4" + TF_LINT_VERSION: "v0.50.3" + +jobs: + load_scenarios: + name: Load Test Scenarios Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_scenarios.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + + - id: load_scenarios + run: | + cases=$(cat ./.github/workflows/${{ env.SCENARIO }} | jq -c .) + echo "matrix=${cases}" >> $GITHUB_OUTPUT + + mock_plan_scenarios: + name: ${{ matrix.config_files }} + runs-on: ubuntu-latest + needs: load_scenarios + + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo 
"TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: actions/cache@v4 + with: + path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=examples \ + init + + - name: Terraform Test example + id: tf_test + run: | + terraform -chdir=examples \ + test \ + -test-directory=./tests/mock \ + ${{ env.PARAMETER_FILES }} \ + -verbose \ No newline at end of file diff --git a/.github/workflows/pr_tests-networking.yaml b/.github/workflows/pr_tests-networking.yaml new file mode 100644 index 0000000000..24a07e0855 --- /dev/null +++ b/.github/workflows/pr_tests-networking.yaml 
@@ -0,0 +1,95 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: PR networking-tests + +on: + pull_request: + types: [opened, synchronize, reopened] + paths: + - 'network*' + - 'modules/networking/**' + - 'examples/networking/**' + - '.github/workflows/*networking.*' + +env: + scenario: standalone-networking.json + TF_VERSION: "1.8.4" + TF_LINT_VERSION: "v0.50.3" + +jobs: + load_scenarios: + name: Load Test Scenarios Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_scenarios.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + + - id: load_scenarios + run: | + cases=$(cat ./.github/workflows/${{ env.SCENARIO }} | jq -c .) + echo "matrix=${cases}" >> $GITHUB_OUTPUT + + mock_plan_scenarios: + name: ${{ matrix.config_files }} + runs-on: ubuntu-latest + needs: load_scenarios + + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: 
actions/cache@v4 + with: + path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=examples \ + init + + - name: Terraform Test example + id: tf_test + run: | + terraform -chdir=examples \ + test \ + -test-directory=./tests/mock \ + ${{ env.PARAMETER_FILES }} \ + -verbose \ No newline at end of file diff --git a/.github/workflows/pr_tests-scenarios.yaml b/.github/workflows/pr_tests-scenarios.yaml new file mode 100644 index 0000000000..8bd8c90965 --- /dev/null +++ b/.github/workflows/pr_tests-scenarios.yaml 
@@ -0,0 +1,91 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: PR all-tests + +on: + pull_request: + types: [opened, synchronize, reopened] + +env: + scenario: standalone-scenarios.json + TF_VERSION: "1.8.4" + TF_LINT_VERSION: "v0.50.3" + +jobs: + load_scenarios: + name: Load Test Scenarios Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_scenarios.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + + + - id: load_scenarios + run: | + cases=$(cat ./.github/workflows/${{ env.SCENARIO }} | jq -c .) + echo "matrix=${cases}" >> $GITHUB_OUTPUT + + mock_plan_scenarios: + name: ${{ matrix.config_files }} + runs-on: ubuntu-latest + needs: load_scenarios + + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Create environment variables + run: | + cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} + FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) + echo STATE_FILE=${HOME}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV + echo PLAN_FILE=${HOME}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV + echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV + echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: Configure Terraform plugin cache + run: | + echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >>"$GITHUB_ENV" + mkdir --parents "$HOME/.terraform.d/plugin-cache" + + - name: Cache Terraform + uses: actions/cache@v4 + with: + path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') 
}} + restore-keys: | + ${{ runner.os }}-terraform- + + - name: Terraform Init example + id: tf_init + run: | + terraform -chdir=examples \ + init + + - name: Terraform Test example + id: tf_test + run: | + terraform -chdir=examples \ + test \ + -test-directory=./tests/mock \ + ${{ env.PARAMETER_FILES }} \ + -verbose \ No newline at end of file diff --git a/.github/workflows/standalone-scenarios-azuread.json b/.github/workflows/standalone-azuread.json similarity index 100% rename from .github/workflows/standalone-scenarios-azuread.json rename to .github/workflows/standalone-azuread.json diff --git a/.github/workflows/standalone-compute.json b/.github/workflows/standalone-compute.json index 0ef269d56b..a1effb7e50 100644 --- a/.github/workflows/standalone-compute.json +++ b/.github/workflows/standalone-compute.json @@ -2,9 +2,9 @@ "config_files": [ "compute/availability_set/100-simple-availabilityset", "compute/availability_set/101-availabilityset-with-proximity-placement-group", - "compute/azure_virtual_desktop/wvd_resources", "compute/azure_redhat_openshift/101_basic_private_cluster", "compute/azure_redhat_openshift/102_basic_public_cluster", + "compute/azure_virtual_desktop/wvd_resources", "compute/batch/batch_account/100-batch-account-storage", "compute/batch/batch_account/100-batch-account", "compute/batch/batch_account/200-batch-account-private-endpoint", @@ -49,6 +49,7 @@ "compute/virtual_machine/214-vm-generic_extensions_complex", "compute/virtual_machine/215-vm-keyvault-for-windows-extension", "compute/virtual_machine/216-vm-linux_diagnostic_extensions", - "compute/virtual_machine/217-vm-disk-encryption-set-msi" + "compute/virtual_machine/217-vm-disk-encryption-set-msi", + "compute/vmware_cluster/101-vmware_cluster" ] } diff --git a/.github/workflows/standalone-compute.yaml b/.github/workflows/standalone-compute.yaml deleted file mode 100644 index 17696aa0e1..0000000000 --- a/.github/workflows/standalone-compute.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -# -# Copyright (c) Microsoft Corporation -# Licensed under the MIT License. -# - -name: standalone-compute - -on: - push: - paths: - - 'compute_*' - - 'modules/compute/**' - - 'examples/compute/**' - - '.github/workflows/*compute.*' - -env: - TF_CLI_ARGS: "-no-color" - TF_CLI_ARGS_destroy: "-auto-approve -refresh=false" - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} - TF_REGISTRY_DISCOVERY_RETRY: 5 - TF_REGISTRY_CLIENT_TIMEOUT: 15 - ROVER_RUNNER: true - -jobs: - load_scenarios: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.load_scenarios.outputs.matrix }} - steps: - - uses: actions/checkout@v4 - - id: load_scenarios - run: | - cases=$(cat ./.github/workflows/standalone-compute.json | jq -c .) - echo "matrix=${cases}" >> $GITHUB_OUTPUT - - testcases: - name: test - runs-on: ubuntu-latest - needs: load_scenarios - - strategy: - fail-fast: false - matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} - - container: - image: aztfmod/rover:1.8.4-2405.2306 - options: --user 0 - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Create environment variables - run: | - cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} - FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) - echo STATE_FILE=${TF_DATA_DIR}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV - echo PLAN_FILE=${TF_DATA_DIR}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV - echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV - echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV - - - name: Login azure - run: | - az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' - az account set -s ${{ 
env.ARM_SUBSCRIPTION_ID }} - - - name: Terraform Init example - id: tf_init - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - init -upgrade=true | grep -P '^- (?=Downloading|Using|Finding|Installing)|^[^-]' - - - name: Terraform Plan example - id: tf_plan - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - plan \ - ${{ env.PARAMETER_FILES }} \ - -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ - -var var_folder_path=${{ env.CURRENT_FOLDER }} \ - -refresh=true \ - -input=false \ - -state=${{ env.STATE_FILE }} \ - -out=${{ env.PLAN_FILE }} - - - name: Terraform Apply example - id: tf_apply - if: steps.tf_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - apply \ - -parallelism=30 \ - -state=${{ env.STATE_FILE }} \ - ${{ env.PLAN_FILE }} - - - name: Terraform Destroy planning example - id: tf_destroy_plan - if: steps.tf_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - plan \ - ${{ env.PARAMETER_FILES }} \ - -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ - -var var_folder_path=${{ env.CURRENT_FOLDER }} \ - -refresh=true \ - -input=false \ - -destroy \ - -state=${{ env.STATE_FILE }} \ - -out=${{ env.PLAN_FILE }}-destroy - - - name: Terraform Destroy apply example - id: tf_destroy_apply - if: steps.tf_destroy_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - apply \ - -refresh=false \ - -parallelism=30 \ - -auto-approve \ - -state=${{ env.STATE_FILE }} \ - ${{ env.PLAN_FILE }}-destroy - - purge: - name: purge - runs-on: ubuntu-latest - if: ${{ failure() || cancelled() }} - - needs: [testcases] - - container: - image: aztfmod/rover:1.8.4-2405.2306 - options: --user 0 - - steps: - - name: Login azure - run: | - az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' - az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} - - - name: Complete purge - run: | - for 
i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done - for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done - for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].id" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done - for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done - for i in `az keyvault list-deleted --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done - for i in `az group list --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done - for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done - for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done diff --git a/.github/workflows/standalone-dataplat.json b/.github/workflows/standalone-dataplat.json new file mode 100644 index 0000000000..1a1a565a55 --- /dev/null +++ b/.github/workflows/standalone-dataplat.json 
@@ -0,0 +1,76 @@
+{
+ "config_files": [
+ "cosmos_db/100-cosmos-db-sql-role-mapping",
+ "cosmos_db/100-simple-cosmos-db-cassandra",
+ "cosmos_db/100-simple-cosmos-db-gremlin",
+ "cosmos_db/100-simple-cosmos-db-mongo",
+ "cosmos_db/100-simple-cosmos-db-sql",
+ "cosmos_db/100-simple-cosmos-db-table",
+ "cosmos_db/101-decomposed-cosmosdb-sql",
+ "cosmos_db/101-private-endpoint-cosmos-db",
+ "data_explorer/101-kusto_clusters_basic",
+ "data_explorer/102-kusto_clusters_vnet",
+ "data_explorer/103-kusto_clusters_identity",
+ "data_explorer/104-kusto_cluster_database",
+ "data_explorer/105-kusto_attached_database_configuration",
+ "data_explorer/106-database_principal_assignment",
+ "data_explorer/107-private-endpoint",
+ "data_factory/101-data_factory",
+ "data_factory/102-data_factory_pipeline",
+ "data_factory/103-data_factory_trigger_schedule",
+ "data_factory/104-data_factory_dataset_azure_blob",
+ "data_factory/105-data_factory_dataset_cosmosdb_sqlapi",
+ "data_factory/106-data_factory_dataset_delimited_text",
+ "data_factory/107-data_factory_dataset_http",
+ "data_factory/108-data_factory_dataset_json",
+ "data_factory/109-data_factory_dataset_mysql",
+ "data_factory/110-data_factory_dataset_postgresql",
+ "data_factory/111-data_factory_dataset_sql_server_table",
+ "data_factory/112-data_factory_integration_runtime_azure_ssis",
+ "data_factory/113-data_factory_integration_runtime_azure_ssis_mssql_server",
+ "data_factory/114-data_factory_integration_runtime_self_hosted",
+ "data_factory/115-data_factory_runtime_self_hoste_databricks",
+ "data_factory/116-data_factory_linked_service_azure_databricks",
+ "data_protection/100-backup-vault-blob-storage",
+ "data_protection/101-backup-vault-disk",
+ "database_migration_services/100-dms",
+ "databricks/100-standard-databricks-no-vnet",
+ "databricks/101-standard-databricks-vnet",
+ "databricks/102-premium-aml",
+ "databricks/102-premium-databricks-vnet-private-endpoint",
+ "datalake/101-datalake-storage",
+ "machine_learning/100-aml",
+ "machine_learning/101-aml-vnet",
+ "machine_learning/102-aml-compute_instance",
+ "mariadb_server/100-simple-mariadb",
+ "mariadb_server/101-vnet-rule-mariadb",
+ "mariadb_server/102-private-endpoint-mariadb",
+ "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
+ "mssql_mi/200-mi",
+ "mssql_server/101-sqlserver-simple",
+ "mssql_server/102-sqlserver-extend",
+ "mssql_server/104-sqlserver-elastic_pools",
+ "mssql_server/105-sqlserver-failover_groups",
+ "mssql_server/107-sqlserver-db-retention-policy",
+ "mssql_server/108-sqlserver-db-diagnostics",
+ "mssql_server/109-sqlserver-network-firewall-rule",
+ "mysql_flexible_server/100-simple-mysql-flexible",
+ "mysql_flexible_server/101-delegated-subnet-with-fw-rule",
+ "mysql_flexible_server/102-advanced-mysql-flexible",
+ "mysql_server/100-simple-mysql",
+ "mysql_server/101-vnet-rule-mysql",
+ "mysql_server/102-private-endpoint-mysql",
+ "mysql_server/103-private-endpoint-with-fw-rule-mysql",
+ "postgresql_flexible_server/100-simple-postgresql-flexible",
+ "postgresql_flexible_server/101-delegated-subnet-with-fw-rule",
+ "postgresql_flexible_server/102-advanced-postgresql-flexible",
+ "postgresql_flexible_server/104-private-endpoint",
+ "postgresql_server/100-simple-postgresql",
+ "postgresql_server/101-vnet-rule-postgresql",
+ "postgresql_server/102-private-endpoint-postgresql",
+ "postgresql_server/103-private-endpoint-with-fw-rule",
+ "powerbi_embedded/100-simple-powerbi",
+ "purview/100-purview_account",
+ "purview/101-purview_account_private_link"
+ ]
+}
diff --git a/.github/workflows/standalone-networking.json b/.github/workflows/standalone-networking.json
index c1a3a787c9..0697afeee1 100644
--- a/.github/workflows/standalone-networking.json
+++ b/.github/workflows/standalone-networking.json
@@ -36,6 +36,10 @@
 "networking/private_dns/100-private-dns-vnet-links",
 "networking/private_links/endpoints/centralized",
 "networking/private_links/endpoints/static_ip",
+ "networking/virtual_network_gateway/100-expressroute-gateway",
+ "networking/virtual_network_gateway/101-vpn-site-to-site",
+ "networking/virtual_network_gateway/102-vpn-site-to-site-active-active",
+ "networking/virtual_network_gateway/103-vpn-site-to-site-connection",
 "networking/virtual_network/100-import-rg",
 "networking/virtual_network/100-simple-vnet-subnets-nsgs",
 "networking/virtual_network/100-subnet-delegation",
@@ -44,7 +48,16 @@
 "networking/virtual_network/201-nsg-flow-logs-v1",
 "networking/virtual_subnets/100-simple-subnet-rbac",
 "networking/virtual_wan/100-vwan-multi-hubs",
+ "networking/virtual_wan/101-vwan-hub-firewall-legacy",
+ "networking/virtual_wan/102-vwan-hub-firewall-secured-vhub",
+ "networking/virtual_wan/102a-vwan-hub-firewall-secured-vhub-fw-mgr",
+ "networking/virtual_wan/103-vwan-hub-gw-legacy",
+ "networking/virtual_wan/104-vwan-hub-gw-spp",
+ "networking/virtual_wan/105-vwan-hub-route-table",
 "networking/virtual_wan/106-vwan-hub-routes",
- "networking/virtual_wan/108-vwan-vpn-site"
+ "networking/virtual_wan/108-vwan-vpn-site",
+ "networking/virtual_wan/109-vwan-vpn-gateway-connection",
+ "networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert",
+ "networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat"
 ]
 }
diff --git a/.github/workflows/standalone-networking.yaml b/.github/workflows/standalone-networking.yaml
deleted file mode 100644
index 3ae0243874..0000000000
--- a/.github/workflows/standalone-networking.yaml
+++ /dev/null
@@ -1,152 +0,0 @@ -# -# Copyright (c) Microsoft Corporation -# Licensed under the MIT License. -# - -name: standalone-networking - -on: - push: - paths: - - 'network*' - - 'modules/networking/**' - - 'examples/networking/**' - - '.github/workflows/*networking.*' - -env: - TF_CLI_ARGS: "-no-color" - TF_CLI_ARGS_destroy: "-auto-approve -refresh=false" - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} - TF_REGISTRY_DISCOVERY_RETRY: 5 - TF_REGISTRY_CLIENT_TIMEOUT: 15 - ROVER_RUNNER: true - -jobs: - load_scenarios: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.load_scenarios.outputs.matrix }} - steps: - - uses: actions/checkout@v4 - - id: load_scenarios - run: | - cases=$(cat ./.github/workflows/standalone-networking.json | jq -c .) - echo "matrix=${cases}" >> $GITHUB_OUTPUT - - testcases: - name: test - runs-on: ubuntu-latest - needs: load_scenarios - - strategy: - fail-fast: false - matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} - - container: - image: aztfmod/rover:1.8.4-2405.2306 - options: --user 0 - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Create environment variables - run: | - cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} - FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) - echo STATE_FILE=${TF_DATA_DIR}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV - echo PLAN_FILE=${TF_DATA_DIR}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV - echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV - echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV - - - name: Login azure - run: | - az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' - az 
account set -s ${{ env.ARM_SUBSCRIPTION_ID }} - - - name: Terraform Init example - id: tf_init - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - init -upgrade=true | grep -P '^- (?=Downloading|Using|Finding|Installing)|^[^-]' - - - name: Terraform Plan example - id: tf_plan - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - plan \ - ${{ env.PARAMETER_FILES }} \ - -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ - -var var_folder_path=${{ env.CURRENT_FOLDER }} \ - -refresh=true \ - -input=false \ - -state=${{ env.STATE_FILE }} \ - -out=${{ env.PLAN_FILE }} - - - name: Terraform Apply example - id: tf_apply - if: steps.tf_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - apply \ - -parallelism=30 \ - -state=${{ env.STATE_FILE }} \ - ${{ env.PLAN_FILE }} - - - name: Terraform Destroy planning example - id: tf_destroy_plan - if: steps.tf_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - plan \ - ${{ env.PARAMETER_FILES }} \ - -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ - -var var_folder_path=${{ env.CURRENT_FOLDER }} \ - -refresh=true \ - -input=false \ - -destroy \ - -state=${{ env.STATE_FILE }} \ - -out=${{ env.PLAN_FILE }}-destroy - - - name: Terraform Destroy apply example - id: tf_destroy_apply - if: steps.tf_destroy_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - apply \ - -refresh=false \ - -parallelism=30 \ - -auto-approve \ - -state=${{ env.STATE_FILE }} \ - ${{ env.PLAN_FILE }}-destroy - - purge: - name: purge - runs-on: ubuntu-latest - if: ${{ failure() || cancelled() }} - - needs: [testcases] - - container: - image: aztfmod/rover:1.8.0-2405.0203 - options: --user 0 - - steps: - - name: Login azure - run: | - az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' - az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} - - - name: Complete 
purge - run: | - for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done - for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done - for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].id" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done - for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done - for i in `az keyvault list-deleted --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done - for i in `az group list --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done - for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done - for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done diff --git a/.github/workflows/standalone-regressor-tf100.yaml b/.github/workflows/standalone-regressor-tf100.yaml index 22a66c6458..60bf4d639b 100644 --- a/.github/workflows/standalone-regressor-tf100.yaml +++ b/.github/workflows/standalone-regressor-tf100.yaml 
@@ -18,11 +18,10 @@ on:
 type: choice
 default: 'standalone-scenarios.json'
 options:
- - standalone-scenarios-azuread.json
+ - standalone-azuread.json
 - standalone-scenarios.json
 - standalone-compute.json
 - standalone-networking.json
- - standalone-scenarios-longrunners.json
 
 env:
 TF_CLI_ARGS: '-no-color'
diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json
index 2e0450829d..5c141c24bd 100644
--- a/.github/workflows/standalone-scenarios-additional.json
+++ b/.github/workflows/standalone-scenarios-additional.json
@@ -14,11 +14,6 @@
 "consumption_budget/105-consumption-budget-subscription-aks",
 "messaging/signalr/100-signalr-simple",
 "mssql_mi/200-mi-two-regions",
- "networking/virtual_network_gateway/100-expressroute-gateway",
- "networking/virtual_network_gateway/101-vpn-site-to-site",
- "networking/virtual_network_gateway/102-vpn-site-to-site-active-active",
- "networking/virtual_network_gateway/103-vpn-site-to-site-connection",
- "networking/virtual_wan/100-vwan-multi-hubs",
 "networking/virtual_wan/101-vwan-hub-firewall-legacy",
 "networking/virtual_wan/102-vwan-hub-firewall-new",
 "networking/virtual_wan/103-vwan-hub-gw",
diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json
deleted file mode 100644
index 5712cd8f61..0000000000
--- a/.github/workflows/standalone-scenarios-longrunners.json
+++ /dev/null
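Review bot: The `scenario` choice list still cannot select the data-platform set: this patch creates `.github/workflows/standalone-dataplat.json` and lists it in the weekly dispatch matrix, yet the options here are only azuread, scenarios, compute and networking, so a manual regressor run can no longer reach the scenarios that were moved out of standalone-scenarios.json. Adding `- standalone-dataplat.json` after `- standalone-networking.json` keeps this list aligned with the JSON files that actually exist after the patch. The enclosing `on:` / `inputs:` block starts outside the hunk.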
@@ -1,41 +0,0 @@
-{
- "config_files": [
- "apim/100-basic",
- "apim/101-api",
- "apim/102-diagnostics",
- "apim/103-api_operations",
- "apim/104-backend",
- "apim/105-api_policy",
- "apim/106-api_operation_tag",
- "apim/107-api_operation_policy",
- "apim/108-api_management_user",
- "apim/110-api_management_diagnostic",
- "apim/111-api_management_certificate",
- "apim/112-api_management_gateway",
- "apim/113-api_management_gateway_api",
- "apim/114-api-management-group",
- "apim/115-api_management_private_virtual_network",
- "apim/116-api_management_subscription",
- "apim/117-api_management_product",
- "apim/118-api_management_platform_stv2",
- "compute/vmware_cluster/101-vmware_cluster",
- "mssql_mi/200-mi",
- "networking/virtual_network_gateway/100-expressroute-gateway",
- "networking/virtual_network_gateway/101-vpn-site-to-site",
- "networking/virtual_network_gateway/102-vpn-site-to-site-active-active",
- "networking/virtual_network_gateway/103-vpn-site-to-site-connection",
- "networking/virtual_wan/101-vwan-hub-firewall-legacy",
- "networking/virtual_wan/102-vwan-hub-firewall-secured-vhub",
- "networking/virtual_wan/102a-vwan-hub-firewall-secured-vhub-fw-mgr",
- "networking/virtual_wan/103-vwan-hub-gw-legacy",
- "networking/virtual_wan/104-vwan-hub-gw-spp",
- "networking/virtual_wan/105-vwan-hub-route-table",
- "networking/virtual_wan/109-vwan-vpn-gateway-connection",
- "networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert",
- "networking/virtual_wan/111-vwan-vpn-gateway-connection-with-nat",
- "redis_cache/100-redis-standard",
- "redis_cache/101-redis-diagnostics",
- "redis_cache/102-redis-private",
- "webapps/appservice-environment/102-simple_asev3"
- ]
-}
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index a7f95055b5..c0e560b63d 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -1,5 +1,23 @@
 {
 "config_files": [
+ "apim/100-basic",
+ "apim/101-api",
+ "apim/102-diagnostics",
+ "apim/103-api_operations",
+ "apim/104-backend",
+ "apim/105-api_policy",
+ "apim/106-api_operation_tag",
+ "apim/107-api_operation_policy",
+ "apim/108-api_management_user",
+ "apim/110-api_management_diagnostic",
+ "apim/111-api_management_certificate",
+ "apim/112-api_management_gateway",
+ "apim/113-api_management_gateway_api",
+ "apim/114-api-management-group",
+ "apim/115-api_management_private_virtual_network",
+ "apim/116-api_management_subscription",
+ "apim/117-api_management_product",
+ "apim/118-api_management_platform_stv2",
 "app_config/100-simple",
 "app_config/101-private-link",
 "app_insights/100-all-attributes",
@@ -12,69 +30,30 @@
 "automation/103-automation-private-endpoints",
 "automation/104-automation-schedule-runbook",
 "communication/communication_services/101-communication_service",
- "cosmos_db/100-simple-cosmos-db-cassandra",
- "cosmos_db/100-simple-cosmos-db-gremlin",
- "cosmos_db/100-simple-cosmos-db-mongo",
- "cosmos_db/100-simple-cosmos-db-sql",
- "cosmos_db/100-simple-cosmos-db-table",
- "cosmos_db/100-cosmos-db-sql-role-mapping",
- "cosmos_db/101-decomposed-cosmosdb-sql",
- "cosmos_db/101-private-endpoint-cosmos-db",
- "data_explorer/101-kusto_clusters_basic",
- "data_explorer/102-kusto_clusters_vnet",
- "data_explorer/103-kusto_clusters_identity",
- "data_explorer/104-kusto_cluster_database",
- "data_explorer/105-kusto_attached_database_configuration",
- "data_explorer/106-database_principal_assignment",
- "data_explorer/107-private-endpoint",
- "data_factory/101-data_factory",
- "data_factory/102-data_factory_pipeline",
- "data_factory/103-data_factory_trigger_schedule",
- "data_factory/104-data_factory_dataset_azure_blob",
- "data_factory/105-data_factory_dataset_cosmosdb_sqlapi",
- "data_factory/106-data_factory_dataset_delimited_text",
- "data_factory/107-data_factory_dataset_http",
- "data_factory/108-data_factory_dataset_json",
- "data_factory/109-data_factory_dataset_mysql",
- "data_factory/110-data_factory_dataset_postgresql",
- "data_factory/111-data_factory_dataset_sql_server_table",
- "data_factory/112-data_factory_integration_runtime_azure_ssis",
- "data_factory/113-data_factory_integration_runtime_azure_ssis_mssql_server",
- "data_factory/114-data_factory_integration_runtime_self_hosted",
- "data_factory/115-data_factory_runtime_self_hoste_databricks",
- "data_factory/116-data_factory_linked_service_azure_databricks",
- "data_protection/100-backup-vault-blob-storage",
- "data_protection/101-backup-vault-disk",
- "database_migration_services/100-dms",
- "databricks/100-standard-databricks-no-vnet",
- "databricks/101-standard-databricks-vnet",
- "databricks/102-premium-aml",
- "databricks/102-premium-databricks-vnet-private-endpoint",
- "datalake/101-datalake-storage",
+ "diagnostics_profiles/100-multiple-destinations",
 "diagnostics_profiles/100-multiple-destinations",
 "diagnostics_profiles/101-log-analytics-destination-type-profile",
 "diagnostics_profiles/200-diagnostics-eventhub-namespaces",
+ "diagnostics_profiles/200-diagnostics-eventhub-namespaces",
+ "diagnostics_profiles/201-multi-eventhub-diagnostics",
 "diagnostics_profiles/201-multi-eventhub-diagnostics",
 "digital_twins/100-basic",
 "digital_twins/101-adt-servicebus",
 "digital_twins/102-digital_twins_instance_eventhub",
- "diagnostics_profiles/100-multiple-destinations",
- "diagnostics_profiles/200-diagnostics-eventhub-namespaces",
- "diagnostics_profiles/201-multi-eventhub-diagnostics",
 "eventhub/100-simple-eventhub-namespace",
 "eventhub/101-evh-namespace-with-private-endpoint",
 "eventhub/102-namespace-and-evh-with-auth-rules",
 "eventhub/103-eventhub-consumer-groups",
 "eventhub/104-namespace-and-evh-with-storage",
- "keyvault/101-keyvault-policies",
- "keyvault/102-keyvault-cert-issuer",
- "keyvault/104-keyvault-dynamic-secret",
- "keyvault/105-keyvault-dynamic-certificate",
 "iot/100-iot-hub",
 "iot/101-iot-hub-endpoints-and-file-upload",
 "iot/103-iot-hub-with-dps",
 "iot/110-iot-central-application",
 "iot/111-iot-security-solution",
+ "keyvault/101-keyvault-policies",
+ "keyvault/102-keyvault-cert-issuer",
+ "keyvault/104-keyvault-dynamic-secret",
+ "keyvault/105-keyvault-dynamic-certificate",
 "load_test/100-load-test",
 "logic_app/100-logic_app_workflow",
 "logic_app/102-logic_app_integration_account",
@@ -84,19 +63,12 @@
 "logic_app/106-logic_app_trigger_recurrence",
 "logic_app/107-logic_app_trigger_custom",
 "logic_app/109-logic_app_standard_vnet_integration",
- "machine_learning/100-aml",
- "machine_learning/101-aml-vnet",
- "machine_learning/102-aml-compute_instance",
 "maintenance_configuration/100-maintenance-configuration",
 "maintenance_configuration/101-maintenance-configuration-schedule",
 "maintenance_configuration/200-maintenance-configuration-assignment-vm-windows",
 "maintenance_configuration/201-maintenance-configuration-assignment-vm-linux",
- "maps/101-azure-maps-account",
 "managed_service_identity/100-msi-levels",
- "mariadb_server/100-simple-mariadb",
- "mariadb_server/101-vnet-rule-mariadb",
- "mariadb_server/102-private-endpoint-mariadb",
- "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
+ "maps/101-azure-maps-account",
 "messaging/eventgrid/100-simple-eventgrid-topic",
 "messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint",
 "messaging/eventgrid/102-eventgrid_subscription",
@@ -111,33 +83,8 @@
 "monitoring/102-monitor_activity_log_alert",
 "monitoring/103-monitor_metric_alert",
 "monitoring/104-log_analytics_storage_insights",
- "mssql_server/101-sqlserver-simple",
- "mssql_server/102-sqlserver-extend",
- "mssql_server/104-sqlserver-elastic_pools",
- "mssql_server/105-sqlserver-failover_groups",
- "mssql_server/107-sqlserver-db-retention-policy",
- "mssql_server/108-sqlserver-db-diagnostics",
- "mssql_server/109-sqlserver-network-firewall-rule",
- "mysql_flexible_server/100-simple-mysql-flexible",
- "mysql_flexible_server/101-delegated-subnet-with-fw-rule",
- "mysql_flexible_server/102-advanced-mysql-flexible",
- "mysql_server/100-simple-mysql",
- "mysql_server/101-vnet-rule-mysql",
- "mysql_server/102-private-endpoint-mysql",
- "mysql_server/103-private-endpoint-with-fw-rule-mysql",
 "netapp/101-nfs",
 "netapp/102-nfs-export-policy",
- "postgresql_flexible_server/100-simple-postgresql-flexible",
- "postgresql_flexible_server/101-delegated-subnet-with-fw-rule",
- "postgresql_flexible_server/102-advanced-postgresql-flexible",
- "postgresql_flexible_server/104-private-endpoint",
- "postgresql_server/100-simple-postgresql",
- "postgresql_server/101-vnet-rule-postgresql",
- "postgresql_server/102-private-endpoint-postgresql",
- "postgresql_server/103-private-endpoint-with-fw-rule",
- "powerbi_embedded/100-simple-powerbi",
- "purview/100-purview_account",
- "purview/101-purview_account_private_link",
 "recovery_vault/101-simple-asrv",
 "recovery_vault/102-asr-protection",
 "recovery_vault/103-asr-with-private-endpoint",
@@ -145,6 +92,9 @@
 "recovery_vault/105-asr-with-network-mapping",
 "recovery_vault/106-backupvault-with-sqldatabase-saphana",
 "recovery_vault/107-asr-diagnostics",
+ "redis_cache/100-redis-standard",
+ "redis_cache/101-redis-diagnostics",
+ "redis_cache/102-redis-private",
 "redis_cache/103-redis-private-endpoints",
 "role_mapping/100-simple-role-mapping",
 "role_mapping/101-function-app-managed-identity",
@@ -171,6 +121,7 @@
 "storage_container/101-storage_container",
 "synapse_analytics/100-synapse",
 "synapse_analytics/101-synapse-sparkpool",
+ "webapps/appservice-environment/102-simple_asev3",
 "webapps/appservice/101-appservice-simple",
 "webapps/appservice/102-appservice-slots",
 "webapps/appservice/103-appservice-extend",
diff --git a/.github/workflows/standalone-tf100.yaml b/.github/workflows/standalone-tf100.yaml
deleted file mode 100644
index 3ba94fd09e..0000000000
--- a/.github/workflows/standalone-tf100.yaml
+++ /dev/null
@@ -1,161 +0,0 @@ -# -# Copyright (c) Microsoft Corporation -# Licensed under the MIT License. -# - -name: standalone-tf100 - -on: - workflow_dispatch: - inputs: - scenario: - description: "Select the scenario you want to run:" - required: false - type: choice - default: "standalone-scenarios.json" - options: - - standalone-scenarios-azuread.json - - standalone-scenarios.json - - standalone-compute.json - - standalone-networking.json - - standalone-scenarios-longrunners.json - -env: - TF_CLI_ARGS: "-no-color" - TF_CLI_ARGS_destroy: "-auto-approve -refresh=false" - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} - TF_REGISTRY_DISCOVERY_RETRY: 5 - TF_REGISTRY_CLIENT_TIMEOUT: 15 - ROVER_RUNNER: true - -jobs: - load_scenarios: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.load_scenarios.outputs.matrix }} - steps: - - uses: actions/checkout@v4 - - id: load_scenarios - run: | - cases=$(( - cat ./.github/workflows/${{ github.event.inputs.scenario }}) | jq -c .) 
- echo "matrix=${cases}" >> $GITHUB_OUTPUT - - testcases: - name: test - runs-on: ubuntu-latest - needs: load_scenarios - - strategy: - max-parallel: 20 - fail-fast: false - matrix: ${{fromJSON(needs.load_scenarios.outputs.matrix)}} - - container: - image: aztfmod/rover:1.8.4-2405.2306 - options: --user 0 - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Create environment variables - run: | - cd ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} - FILE_NAME=$(echo ${{ matrix.config_files }} | sed 's./..g' | xargs) - echo STATE_FILE=${TF_DATA_DIR}/tfstates/${FILE_NAME}.tfstate >> $GITHUB_ENV - echo PLAN_FILE=${TF_DATA_DIR}/tfstates/${FILE_NAME}.plan >> $GITHUB_ENV - echo CURRENT_FOLDER=${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} >> $GITHUB_ENV - echo PARAMETER_FILES=$(find ${GITHUB_WORKSPACE}/examples/${{ matrix.config_files }} | grep .tfvars | sed 's/.*/-var-file=&/' | xargs) >> $GITHUB_ENV - - - name: Login azure - run: | - az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' - az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} - - - name: Terraform Init example - id: tf_init - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - init -upgrade=true | grep -P '^- (?=Downloading|Using|Finding|Installing)|^[^-]' - - - name: Terraform Plan example - id: tf_plan - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - plan \ - ${{ env.PARAMETER_FILES }} \ - -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ - -var var_folder_path=${{ env.CURRENT_FOLDER }} \ - -refresh=true \ - -input=false \ - -state=${{ env.STATE_FILE }} \ - -out=${{ env.PLAN_FILE }} - - - name: Terraform Apply example - id: tf_apply - if: steps.tf_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - apply \ - -parallelism=30 \ - -state=${{ env.STATE_FILE }} \ - ${{ env.PLAN_FILE }} - - - name: Terraform Destroy planning example - id: 
tf_destroy_plan - if: steps.tf_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - plan \ - ${{ env.PARAMETER_FILES }} \ - -var tags='{testing_job_id='"${{ github.run_id }}"'}' \ - -var var_folder_path=${{ env.CURRENT_FOLDER }} \ - -refresh=true \ - -input=false \ - -destroy \ - -state=${{ env.STATE_FILE }} \ - -out=${{ env.PLAN_FILE }}-destroy - - - name: Terraform Destroy apply example - id: tf_destroy_apply - if: steps.tf_destroy_plan.outcome == 'success' - run: | - terraform -chdir=${GITHUB_WORKSPACE}/examples \ - apply \ - -refresh=false \ - -parallelism=30 \ - -auto-approve \ - -state=${{ env.STATE_FILE }} \ - ${{ env.PLAN_FILE }}-destroy - - purge: - name: purge - runs-on: ubuntu-latest - if: ${{ failure() || cancelled() }} - - needs: [testcases] - - container: - image: aztfmod/rover:1.8.4-2405.2306 - options: --user 0 - - steps: - - name: Login azure - run: | - az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' - az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} - - - name: Complete purge - run: | - for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done - for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done - for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].id" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done - for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done - for i in `az keyvault list-deleted --query "[?tags.testing_job_id=='${{ github.run_id 
}}'].name" -o tsv`; do az keyvault purge --name $i; done
- for i in `az group list --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
- for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done
- for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done
diff --git a/.github/workflows/weekly_dispatch.yaml b/.github/workflows/weekly_dispatch.yaml
new file mode 100644
index 0000000000..fc601ff4d7
--- /dev/null
+++ b/.github/workflows/weekly_dispatch.yaml
@@ -0,0 +1,34 @@
+#
+# Copyright (c) Microsoft Corporation
+# Licensed under the MIT License.
+#
+
+name: PR Dispatch Workflow
+
+on:
+ schedule:
+ - cron: '0 5 * * 5'
+
+env:
+ TF_VERSION: "1.8.4"
+ TF_LINT_VERSION: "v0.50.3"
+
+jobs:
+ dispatch:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ scenario:
+ - standalone-scenarios-azuread.json
+ - standalone-scenarios.json
+ - standalone-compute.json
+ - standalone-networking.json
+ - standalone-dataplat.json
+
+ steps:
+ - name: Repository Dispatch
+ uses: peter-evans/repository-dispatch@v3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ event-type: int-${{ matrix.scenario }}
+ client-payload: '{"scenario": "${{ (matrix.scenario) }}", "sha": "${{ github.event.pull_request.head.sha }}"}'
diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/weekly_workflow.yaml
similarity index 97%
rename from .github/workflows/pr_workflow.yaml
rename to .github/workflows/weekly_workflow.yaml
index b5b6710518..ff2d792d7e 100644
--- a/.github/workflows/pr_workflow.yaml
+++ b/.github/workflows/weekly_workflow.yaml
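Review bot: `github.event.pull_request.head.sha` is never populated in weekly_dispatch.yaml: the workflow's only trigger is `schedule`, so the `sha` field in `client-payload` is always an empty string and the receiving workflow has nothing to pin its checkout to; either drop the field or send `"sha": "${{ github.sha }}"`, the commit the scheduled run itself checked out. The matrix also dispatches `standalone-scenarios-azuread.json` while the regressor choice list in this same patch and pr_tests-azuread.yaml below use `standalone-azuread.json`, so if the file was renamed, `int-standalone-scenarios-azuread.json` asks the consumer to load a file that no longer exists. No `permissions:` block is declared, so the job runs with the repository's default `GITHUB_TOKEN` scope; `repository-dispatch` needs `contents: write`, and declaring `permissions: { contents: write }` on the `dispatch` job both documents that requirement and keeps every other permission off the token. The `name: PR Dispatch Workflow` no longer describes a cron-driven job.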
@@ -7,7 +7,7 @@ name: PR tests on: repository_dispatch: - types: [pr-*] + types: [int-*] workflow_dispatch: inputs: scenario: @@ -22,10 +22,6 @@ on: - standalone-networking.json - standalone-scenarios-longrunners.json -permissions: - id-token: write - contents: read - env: DEFAULT_SCENARIO: "standalone-networking.json" TF_VERSION: "1.8.4" @@ -39,9 +35,6 @@ jobs: matrix: ${{ steps.load_scenarios.outputs.matrix }} steps: - uses: actions/checkout@v4 - with: - ref: ${{ github.event.client_payload.sha }} - - id: load_scenarios run: | echo "Scenario: ${{ github.event.client_payload.scenario }}" @@ -64,8 +57,6 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - with: - ref: ${{ github.event.client_payload.sha }} - name: Create environment variables run: | @@ -116,6 +107,10 @@ jobs: -verbose terraform_integration_tests: + permissions: + id-token: write + contents: read + name: Integration-${{ matrix.config_files }} runs-on: ubuntu-latest if: always() @@ -131,8 +126,6 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - with: - ref: ${{ github.event.client_payload.sha }} - name: Create environment variables run: | @@ -161,7 +154,7 @@ jobs: key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} restore-keys: | ${{ runner.os }}-terraform- - + - name: Azure Login uses: azure/login@v2 with: @@ -221,6 +214,10 @@ jobs: ${{ env.PLAN_FILE }}-destroy purge: + permissions: + id-token: write + contents: read + name: Purge Integration Environment runs-on: ubuntu-latest if: ${{ failure() || cancelled() }} From d6a1b21d67f35f211ff2098697a8af185de3be52 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Sun, 2 Jun 2024 19:16:27 -0700 Subject: [PATCH 088/244] Case --- .github/workflows/pr_tests-azuread.yaml | 2 +- .github/workflows/pr_tests-compute.yaml | 2 +- .github/workflows/pr_tests-dataplat.yaml | 2 +- .github/workflows/pr_tests-networking.yaml | 2 +- .github/workflows/pr_tests-scenarios.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
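Review bot: The `scenario` choice list in the second hunk still offers `standalone-scenarios-longrunners.json` (the context line just above the removed `permissions:` block) although this patch deletes that file, so a manual run with that option fails in `load_scenarios` when it reads a missing file; the option should go, and `standalone-dataplat.json` should be added so the list matches the matrix in weekly_dispatch.yaml. Scoping `id-token: write` to `terraform_integration_tests` and `purge` instead of the whole workflow is the right least-privilege direction, but jobs without their own `permissions:` block — `load_scenarios` and the checkout-only job at `@@ -64` — now fall back to the repository's default token scope instead of the previous explicit `contents: read`, so giving each of them `permissions: { contents: read }` keeps them explicitly read-only. With the `ref: ${{ github.event.client_payload.sha }}` lines removed, every job now checks out the default branch, which makes the `sha` sent by weekly_dispatch.yaml unused; if that is intended, the payload field should be dropped on the sending side so the contract is honest. The enclosing `on:` and `jobs:` blocks start outside these hunks.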
diff --git a/.github/workflows/pr_tests-azuread.yaml b/.github/workflows/pr_tests-azuread.yaml index 60640e52ae..29c6f826ec 100644 --- a/.github/workflows/pr_tests-azuread.yaml +++ b/.github/workflows/pr_tests-azuread.yaml @@ -15,7 +15,7 @@ on: - '.github/workflows/*azuread.*' env: - scenario: standalone-azuread.json + SCENARIO: standalone-azuread.json TF_VERSION: "1.8.4" TF_LINT_VERSION: "v0.50.3" diff --git a/.github/workflows/pr_tests-compute.yaml b/.github/workflows/pr_tests-compute.yaml index 993d2269a0..aed5733f49 100644 --- a/.github/workflows/pr_tests-compute.yaml +++ b/.github/workflows/pr_tests-compute.yaml @@ -15,7 +15,7 @@ on: - '.github/workflows/*compute.*' env: - scenario: standalone-compute.json + SCENARIO: standalone-compute.json TF_VERSION: "1.8.4" TF_LINT_VERSION: "v0.50.3" diff --git a/.github/workflows/pr_tests-dataplat.yaml b/.github/workflows/pr_tests-dataplat.yaml index 5aaabd1a60..1724b6a6a6 100644 --- a/.github/workflows/pr_tests-dataplat.yaml +++ b/.github/workflows/pr_tests-dataplat.yaml @@ -21,7 +21,7 @@ on: - '.github/workflows/*dataplat.*' env: - scenario: standalone-dataplat.json + SCENARIO: standalone-dataplat.json TF_VERSION: "1.8.4" TF_LINT_VERSION: "v0.50.3" diff --git a/.github/workflows/pr_tests-networking.yaml b/.github/workflows/pr_tests-networking.yaml index 24a07e0855..94fc434ece 100644 --- a/.github/workflows/pr_tests-networking.yaml +++ b/.github/workflows/pr_tests-networking.yaml @@ -15,7 +15,7 @@ on: - '.github/workflows/*networking.*' env: - scenario: standalone-networking.json + SCENARIO: standalone-networking.json TF_VERSION: "1.8.4" TF_LINT_VERSION: "v0.50.3" diff --git a/.github/workflows/pr_tests-scenarios.yaml b/.github/workflows/pr_tests-scenarios.yaml index 8bd8c90965..16b6ed9843 100644 --- a/.github/workflows/pr_tests-scenarios.yaml +++ b/.github/workflows/pr_tests-scenarios.yaml 
@@ -10,7 +10,7 @@ on: types: [opened, synchronize, reopened] env: - scenario: standalone-scenarios.json + SCENARIO: standalone-scenarios.json TF_VERSION: "1.8.4" TF_LINT_VERSION: "v0.50.3" From 6e0e579e5b66783688388601ca60177236a93377 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Sun, 2 Jun 2024 19:27:52 -0700 Subject: [PATCH 089/244] Add workflow_dispatch --- .github/workflows/pr_lint.yaml | 1 + .github/workflows/pr_tests-azuread.yaml | 1 + .github/workflows/pr_tests-compute.yaml | 1 + .github/workflows/pr_tests-dataplat.yaml | 1 + .github/workflows/pr_tests-networking.yaml | 1 + .github/workflows/pr_tests-scenarios.yaml | 1 + 6 files changed, 6 insertions(+) diff --git a/.github/workflows/pr_lint.yaml b/.github/workflows/pr_lint.yaml index 8e0d16a3d4..55fd1a3a91 100644 --- a/.github/workflows/pr_lint.yaml +++ b/.github/workflows/pr_lint.yaml @@ -6,6 +6,7 @@ name: PR Tflint on: + workflow_dispatch: pull_request: types: [opened, synchronize, reopened] diff --git a/.github/workflows/pr_tests-azuread.yaml b/.github/workflows/pr_tests-azuread.yaml index 29c6f826ec..4b82311ca0 100644 --- a/.github/workflows/pr_tests-azuread.yaml +++ b/.github/workflows/pr_tests-azuread.yaml @@ -6,6 +6,7 @@ name: PR azuread-tests on: + workflow_dispatch: pull_request: types: [opened, synchronize, reopened] paths: diff --git a/.github/workflows/pr_tests-compute.yaml b/.github/workflows/pr_tests-compute.yaml index aed5733f49..7b4678b323 100644 --- a/.github/workflows/pr_tests-compute.yaml +++ b/.github/workflows/pr_tests-compute.yaml @@ -6,6 +6,7 @@ name: PR compute-tests on: + workflow_dispatch: pull_request: types: [opened, synchronize, reopened] paths: diff --git a/.github/workflows/pr_tests-dataplat.yaml b/.github/workflows/pr_tests-dataplat.yaml index 1724b6a6a6..6c1ed84706 100644 --- a/.github/workflows/pr_tests-dataplat.yaml +++ b/.github/workflows/pr_tests-dataplat.yaml 
@@ -6,6 +6,7 @@ name: PR dataplat-tests on: + workflow_dispatch: pull_request: types: [opened, synchronize, reopened] paths: diff --git a/.github/workflows/pr_tests-networking.yaml b/.github/workflows/pr_tests-networking.yaml index 94fc434ece..0f8579c651 100644 --- a/.github/workflows/pr_tests-networking.yaml +++ b/.github/workflows/pr_tests-networking.yaml @@ -6,6 +6,7 @@ name: PR networking-tests on: + workflow_dispatch: pull_request: types: [opened, synchronize, reopened] paths: diff --git a/.github/workflows/pr_tests-scenarios.yaml b/.github/workflows/pr_tests-scenarios.yaml index 16b6ed9843..5c1f2c2f55 100644 --- a/.github/workflows/pr_tests-scenarios.yaml +++ b/.github/workflows/pr_tests-scenarios.yaml @@ -6,6 +6,7 @@ name: PR all-tests on: + workflow_dispatch: pull_request: types: [opened, synchronize, reopened] From a58c5dde1395483c8c99f0fdafa28e07e5333d6c Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Sun, 2 Jun 2024 21:38:31 -0700 Subject: [PATCH 090/244] Updating servicebus testcases --- .github/workflows/standalone-scenarios.json | 1 + .../configuration.tfvars | 0 .../configuration.tfvars | 243 ------------------ 3 files changed, 1 insertion(+), 243 deletions(-) rename examples/{ => messaging}/servicebus/200-servicebus-privatelink/configuration.tfvars (100%) delete mode 100644 examples/servicebus/100-servicebus-simple/configuration.tfvars diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index c0e560b63d..36d5c48490 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -74,6 +74,7 @@ "messaging/eventgrid/102-eventgrid_subscription", "messaging/eventgrid/200-simple-eventgrid-domain-topic", "messaging/servicebus/100-servicebus-services", + "messaging/servicebus/200-servicebus-privatelink", "messaging/web_pubsub/100-simple-web-pubsub", "messaging/web_pubsub/101-web-pubsub-hub", "messaging/web_pubsub/102-web-pubsub-usermsi", 
diff --git a/examples/servicebus/200-servicebus-privatelink/configuration.tfvars b/examples/messaging/servicebus/200-servicebus-privatelink/configuration.tfvars similarity index 100% rename from examples/servicebus/200-servicebus-privatelink/configuration.tfvars rename to examples/messaging/servicebus/200-servicebus-privatelink/configuration.tfvars diff --git a/examples/servicebus/100-servicebus-simple/configuration.tfvars b/examples/servicebus/100-servicebus-simple/configuration.tfvars deleted file mode 100644 index ac6557c032..0000000000 --- a/examples/servicebus/100-servicebus-simple/configuration.tfvars +++ /dev/null 
@@ -1,243 +0,0 @@ -global_settings = { - default_region = "region1" - regions = { - region1 = "australiaeast" - } -} - - -resource_groups = { - rg1 = { - name = "servicebus-rg" - } -} - -vnets = { - vnet1 = { - resource_group_key = "rg1" - vnet = { - name = "servicebus-vnet" - address_space = ["172.33.0.0/16"] - } - subnets = { - subnet1 = { - name = "subnet1" - cidr = ["172.33.100.0/24"] - service_endpoints = ["Microsoft.ServiceBus"] - } - } - } -} - -servicebus_namespaces = { - namespace1 = { - resource_group = { - # lz_key = "" - key = "rg1" - } - name = "jstestbusaztfmod" - sku = "Premium" # Basic | standard | Premium - capacity = 1 # capacity only for Premium: 1,2,4,8,16 otherwise 0 - # zone_redundant = false # only true for Premium - # tags = {} # optional - namespace_auth_rules = { - rule1 = { - name = "rule1" - listen = true - send = true - manage = false - } - } - - network_rule_sets = { # created in terraform but not reflected in azure? - ruleset1 = { - default_action = "Allow" - ip_rules = ["1.1.1.1"] - network_rules = { - subnet1 = { - # lz_key = "" - vnet_key = "vnet1" - subnet_key = "subnet1" - ignore_missing_vnet_service_endpoint = false - } - } - } - } - - } -} - -servicebus_topics = { - topic1 = { - # resource_group = { # Default to follow the namespace resource group when not specified - # # lz_key = "" - # key = "rg1" - # } - servicebus_namespace = { - # lz_key = "" - key = "namespace1" - } - name = "topic1" - - # auto_delete_on_idle = "P0Y0M0DT0H5M0S" - # default_message_ttl = "P0Y0M0DT0H5M0S" - # duplicate_detection_history_time_window = "P0Y0M0DT0H5M0S" - enable_batched_operations = false - enable_express = false - enable_partitioning = false - max_size_in_megabytes = 1024 - requires_duplicate_detection = false - support_ordering = false - - topic_auth_rules = { - rule1 = { - name = "authrule1" - listen = true - send = false - manage = false # requires both listen and send - } - } - - subscriptions = { - sub1 = { - name = "subtest1" - 
max_delivery_count = 1 - - auto_delete_on_idle = "P14DT5M" - default_message_ttl = "P14D" - lock_duration = "PT30S" - dead_lettering_on_message_expiration = false - dead_lettering_on_filter_evaluation_error = true - enable_batched_operations = false - requires_session = false - status = "Active" # ReceiveDisabled, Disabled, Active (default) - - # forward_to = { - # # queue_name = "" # full name of the queue - # # topic_name = "" # full name of the topic - # queue = { # key reference only works for remote landingzone - # # name = "" - # # lz_key = "" - # # key = "" - # } - # # topic = { - # # # name = "" - # # lz_key = "" - # # key = "" - # # } - # } - - # forward_dead_lettered_messages_to = { - # # queue_name = "" # full name of the queue - # # topic_name = "" # full name of the topic - # queue = { # key reference only works for remote landingzone - # # name = "" - # # lz_key = "" - # # key = "" - # } - # # topic = { - # # # name = "" - # # lz_key = "" - # # key = "" - # # } - # } - - subscription_rules = { - - correlation_filter_rules = { - rule1 = { - name = "testrule1" - # action = "" # in sql syntax against BrokeredMessage - correlation_filter = { - correlation_id = "high" - label = "red" - properties = { - custom1 = "value" - } - } - } - } - - sql_filter_rules = { - rule1 = { - name = "testrule2" - # action = "" - filter_type = "SqlFilter" - sql_filter = "x=1" - } - } - - } - - } - } - } -} - -servicebus_queues = { - queue1 = { - name = "testqueue1" - servicebus_namespace = { - # lz_key = "" - key = "namespace1" - } - # resource_group = { # default to namespace rg - # lz_key = "" - # key = "" - # } - - # lock_duration = "PT30S" - # max_size_in_megabytes = 1024 - # requires_duplicate_detection = false - # requires_session = false - # default_message_ttl = "P14D" - # dead_lettering_on_message_expiration = false - # duplicate_detection_history_time_window = "PT10M" - # max_delivery_count = 1 - # status = "Active" # Active, Creating, Deleting, Disabled, 
ReceiveDisabled, Renaming, SendDisabled, Unknown - # enable_batched_operations = true - # auto_delete_on_idle = "PT5M" - # enable_partitioning = false - # enable_express = false - - # forward_to = { - # # queue_name = "" # full name of the queue - # # topic_name = "" # full name of the topic - # queue = { # key reference only works for remote landingzone - # # name = "" - # # lz_key = "" - # # key = "" - # } - # # topic = { - # # # name = "" - # # lz_key = "" - # # key = "" - # # } - # } - - # forward_dead_lettered_messages_to = { - # # queue_name = "" # full name of the queue - # # topic_name = "" # full name of the topic - # queue = { # key reference only works for remote landingzone - # # name = "" - # # lz_key = "" - # # key = "" - # } - # # topic = { - # # # name = "" - # # lz_key = "" - # # key = "" - # # } - # } - - queue_auth_rules = { - rule1 = { - name = "qauthrule1" - listen = true - send = false - manage = false - - } - } - } -} From 078b1010773ad37c9052403ad93acd63ff4f83a8 Mon Sep 17 00:00:00 2001 From: Joseph Hangali <134838289+JoDexsph@users.noreply.github.com> Date: Mon, 3 Jun 2024 07:39:53 +0300 Subject: [PATCH 091/244] Update sb namespace to support pep (#1891) --- messaging_servicebus_namespaces.tf | 3 ++- .../messaging/servicebus/namespace/main.tf | 2 +- .../servicebus/namespace/namespace.tf | 9 +++++-- .../servicebus/namespace/private_endpoints.tf | 24 ++++++++++--------- .../servicebus/namespace/variables.tf | 4 ++++ 5 files changed, 27 insertions(+), 15 deletions(-) diff --git a/messaging_servicebus_namespaces.tf b/messaging_servicebus_namespaces.tf index 9bbf40c3d9..9dfcbfa09c 100644 --- a/messaging_servicebus_namespaces.tf +++ b/messaging_servicebus_namespaces.tf 
@@ -3,11 +3,12 @@ module "servicebus_namespaces" { source = "./modules/messaging/servicebus/namespace" for_each = local.messaging.servicebus_namespaces + base_tags = local.global_settings.inherit_tags global_settings = local.global_settings client_config = local.client_config settings = each.value - resource_groups = local.combined_objects_resource_groups + resource_groups = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] remote_objects = { resource_groups = local.combined_objects_resource_groups diff --git a/modules/messaging/servicebus/namespace/main.tf b/modules/messaging/servicebus/namespace/main.tf index 2ae16770c0..048a981951 100644 --- a/modules/messaging/servicebus/namespace/main.tf +++ b/modules/messaging/servicebus/namespace/main.tf @@ -10,5 +10,5 @@ terraform { locals { location = can(var.settings.location) ? var.settings.location : var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].location resource_group_name = can(var.settings.resource_group_name) || can(var.settings.resource_group.name) ? try(var.settings.resource_group_name, var.settings.resource_group.name) : var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name - base_tags = try(var.global_settings.inherit_tags, false) ? var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].tags : {} + tags = var.base_tags ? merge(var.global_settings.tags, try(var.resource_groups.tags, null), try(var.settings.tags, null)) : try(var.settings.tags, null) } \ No newline at end of file 
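Review bot: `base_tags = local.global_settings.inherit_tags` feeds a module variable declared `type = bool` with no default, while the line it replaces in main.tf read the same setting as `try(var.global_settings.inherit_tags, false)`; unless `local.global_settings` is guaranteed to define `inherit_tags`, a configuration that omits it now fails at plan time instead of defaulting to no inheritance. `base_tags = try(local.global_settings.inherit_tags, false)` keeps the old behaviour. The new `resource_groups` lookup also accepts `each.value.resource_group_key` as a fallback key, but the unchanged locals in main.tf still index `var.remote_objects.resource_groups[...]` with `var.settings.resource_group.key` only, so a settings object that relies on `resource_group_key` would appear to pass the root lookup and then fail inside the module. The root `module "servicebus_namespaces"` block starts outside the hunk.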
diff --git a/modules/messaging/servicebus/namespace/namespace.tf b/modules/messaging/servicebus/namespace/namespace.tf index 7a6094806e..fbd10178f6 100644 --- a/modules/messaging/servicebus/namespace/namespace.tf +++ b/modules/messaging/servicebus/namespace/namespace.tf @@ -1,5 +1,10 @@ -# azure_caf +locals { + # Need to update the tags if the environment tag is updated with the rover command line + caf_tags = can(var.settings.tags.caf_environment) || can(var.settings.tags.environment) ? merge(lookup(var.settings, "tags", {}), { "caf_environment" : var.global_settings.environment }) : {} +} + +# naming convention azure_caf resource "azurecaf_name" "namespace" { name = var.settings.name resource_type = "azurerm_servicebus_namespace" @@ -15,7 +20,7 @@ resource "azurerm_servicebus_namespace" "namespace" { sku = var.settings.sku capacity = try(var.settings.capacity, null) zone_redundant = try(var.settings.zone_redundant, null) - tags = merge(local.base_tags, try(var.settings.tags, {})) + tags = merge(local.tags, try(var.settings.tags, null), local.caf_tags) location = local.location resource_group_name = local.resource_group_name } diff --git a/modules/messaging/servicebus/namespace/private_endpoints.tf b/modules/messaging/servicebus/namespace/private_endpoints.tf index 1d3d4b1c8b..7d6b7d7ac6 100644 --- a/modules/messaging/servicebus/namespace/private_endpoints.tf +++ b/modules/messaging/servicebus/namespace/private_endpoints.tf 
@@ -1,15 +1,17 @@ module "private_endpoint" { source = "../../../networking/private_endpoint" - for_each = try(var.settings.private_endpoints, {}) + #for_each = try(var.settings.private_endpoints, {}) + for_each = lookup(var.settings, "private_endpoints", {}) - base_tags = local.base_tags - client_config = var.client_config - global_settings = var.global_settings - location = local.location - name = each.value.name - private_dns = can(each.value.private_dns) ? var.remote_objects.private_dns : {} - resource_groups = var.resource_groups - resource_id = azurerm_servicebus_namespace.namespace.id - settings = each.value - subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.remote_objects.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + base_tags = var.base_tags + tags = local.tags + client_config = var.client_config + global_settings = var.global_settings + location = local.location + name = each.value.name + private_dns = can(each.value.private_dns) ? var.remote_objects.private_dns : {} + resource_group_name = local.resource_group_name + resource_id = azurerm_servicebus_namespace.namespace.id + settings = each.value + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.remote_objects.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id } diff --git a/modules/messaging/servicebus/namespace/variables.tf b/modules/messaging/servicebus/namespace/variables.tf index b2e6c4bc4f..bb45a8b066 100644 --- a/modules/messaging/servicebus/namespace/variables.tf +++ b/modules/messaging/servicebus/namespace/variables.tf @@ -15,3 +15,7 @@ variable "resource_groups" { description = "Combined resource groups object." default = {} } +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} \ No newline at end of file 
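Review bot: The commented-out `#for_each = try(var.settings.private_endpoints, {})` left directly above the new `for_each = lookup(var.settings, "private_endpoints", {})` is dead text and should be dropped; the history already records the old form. In the variables.tf hunk, `variable "base_tags"` is declared `type = bool` with no default, so any caller that does not pass it now fails validation — `default = false` keeps the module backward compatible and matches the `try(..., false)` fallback the module used before. That file also still ends without a trailing newline.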
From 26d05545b144c661333409286fde51be42c572ba Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Mon, 3 Jun 2024 05:47:07 +0000 Subject: [PATCH 092/244] FMT --- .../configuration.tfvars | 40 +++++++++---------- .../aks.tfvars | 2 +- .../configuration.tfvars | 12 +++--- .../configuration.tfvars | 18 ++++----- .../configuration.tfvars | 2 +- .../configuration.tfvars | 20 +++++----- examples/mssql_mi/200-mi/configuration.tfvars | 2 +- examples/mssql_mi/200-mi/nsg.tfvars | 2 +- .../configuration.tfvars | 22 +++++----- .../recovery_vaults.tfvars | 30 +++++++------- .../configuration.tfvars | 8 ++-- .../configuration.tfvars | 4 +- .../configuration.tfvars | 2 +- examples/tests/mock/e2e_plan.tftest.hcl | 2 +- examples/variables.tf | 2 +- .../configuration.tfvars | 16 ++++---- 16 files changed, 92 insertions(+), 92 deletions(-) diff --git a/examples/apim/118-api_management_platform_stv2/configuration.tfvars b/examples/apim/118-api_management_platform_stv2/configuration.tfvars index 605fed4e7d..59892b21df 100644 --- a/examples/apim/118-api_management_platform_stv2/configuration.tfvars +++ b/examples/apim/118-api_management_platform_stv2/configuration.tfvars @@ -26,20 +26,20 @@ vnets = { region = "region1" vnet = { name = "example-uks" # prefix-vnet-example-uks - address_space = ["10.0.0.0/16"] + address_space = ["10.0.0.0/16"] } subnets = { - + # Example subnet for APIM private endpoint - + snet_example_apim_uks = { - name = "example-apim-uks" #prefix-snet-example-apim-uks - cidr = ["10.0.1.0/24"] - nsg_key = "nsg_example_apim_uks" - # route_table_key = "" + name = "example-apim-uks" #prefix-snet-example-apim-uks + cidr = ["10.0.1.0/24"] + nsg_key = "nsg_example_apim_uks" + # route_table_key = "" service_endpoints = ["Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.Sql", "Microsoft.EventHub", "Microsoft.ServiceBus"] # service endpoints required for APIM } - } + } } } 
@@ -142,31 +142,31 @@ public_ip_addresses = { api_management = { apim_uks = { - name = "example-uks" # prefix-apim-example-uks - resource_group_key = "rg_example_apim_uks" - publisher_name = "apim.example.sre.com" - publisher_email = "example.apim@sre.com" - sku_name = "Developer_1" # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management#sku_name - region = "region1" + name = "example-uks" # prefix-apim-example-uks + resource_group_key = "rg_example_apim_uks" + publisher_name = "apim.example.sre.com" + publisher_email = "example.apim@sre.com" + sku_name = "Developer_1" # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management#sku_name + region = "region1" # Required to deploy APIM on platform verions stv2.* - public_ip_address = { - key = "pip_apim_uks" - # lz_key = "" - } + public_ip_address = { + key = "pip_apim_uks" + # lz_key = "" + } virtual_network_type = "Internal" # The type of virtual network you want to use, valid values include: None, External, Internal. Defaults to None. virtual_network_configuration = { vnet_key = "vnet_example_uks" subnet_key = "snet_example_apim_uks" - # lz_key = "" + # lz_key = "" } identity = { type = "UserAssigned" managed_identity_keys = ["msi_apim_uks"] } - + portal = { host_name = "example.apim.com" } diff --git a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars index f147de340c..da406c0403 100644 --- a/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars +++ b/examples/compute/kubernetes_services/108-single-cluster-remote-adgroup-admin/aks.tfvars @@ -39,7 +39,7 @@ aks_clusters = { addon_profile = { oms_agent = { - log_analytics_key = "central_logs_region1" + log_analytics_key = "central_logs_region1" msi_auth_for_monitoring_enabled = true } } 
diff --git a/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars b/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars index 35822f8398..42b9ea57b3 100644 --- a/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars +++ b/examples/compute/virtual_machine/113-single-linux-custom-data-template/configuration.tfvars @@ -63,23 +63,23 @@ virtual_machines = { disable_password_authentication = true custom_data = { - templatefile = "compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl" - my_value = "my_value" + templatefile = "compute/virtual_machine/113-single-linux-custom-data-template/custom_data.tpl" + my_value = "my_value" } dynamic_custom_data = { vnets = { - vnet_region1 ={} + vnet_region1 = {} } storage_accounts = { sa1 = { - file_share = "share1" - file_share_directory = "dir1" + file_share = "share1" + file_share_directory = "dir1" } } keyvault_keys = { key1 = { keyvault_key = "example_vm_rg1" - name = "disk-key" + name = "disk-key" } } } diff --git a/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars b/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars index b3dd3e7fb8..e7ece91817 100644 --- a/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars +++ b/examples/databricks_access_connectors/100-databricks_access_connectors/configuration.tfvars 
@@ -13,16 +13,16 @@ resource_groups = { databricks_access_connectors = { dac_1 = { - name = "example-name" - resource_group_key = "dac_test" - identity = { - type = "UserAssigned" #SystemAssigned - managed_identity_keys = ["dac_test"] + name = "example-name" + resource_group_key = "dac_test" + identity = { + type = "UserAssigned" #SystemAssigned + managed_identity_keys = ["dac_test"] + } + tags = { + test = "test" + test1 = "test1" } - tags = { - test = "test" - test1 = "test1" - } } } diff --git a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars index dae867700e..dc7b8369b2 100644 --- a/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars +++ b/examples/maintenance_configuration/200-maintenance-configuration-assignment-vm-windows/configuration.tfvars @@ -94,7 +94,7 @@ virtual_machines = { priority = "Spot" eviction_policy = "Deallocate" - patch_mode = "AutomaticByPlatform" + patch_mode = "AutomaticByPlatform" bypass_platform_safety_checks_on_user_schedule_enabled = true # When you want to load the file from the folder in the custom_data always use the relative path from the caf_solution in landing zones custom_data = "../../examples/compute/virtual_machine/101-single-windows-vm/scripts/custom.ps1" diff --git a/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars b/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars index fa7f0951d4..2da8bdcddc 100644 --- a/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars +++ b/examples/maintenance_configuration/201-maintenance-configuration-assignment-vm-linux/configuration.tfvars 
@@ -6,7 +6,7 @@ global_settings = { } inherit_tags = true - + resource_defaults = { virtual_machines = { # set the below to enable az managed boot diagostics for vms @@ -70,17 +70,17 @@ virtual_machines = { # Spot VM to save money priority = "Spot" eviction_policy = "Deallocate" - - patch_mode = "AutomaticByPlatform" + + patch_mode = "AutomaticByPlatform" bypass_platform_safety_checks_on_user_schedule_enabled = true # Value of the nic keys to attach the VM. The first one in the list is the default nic network_interface_keys = ["nic0"] os_disk = { - name = "example_vm1-os" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" + name = "example_vm1-os" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" } identity = { type = "SystemAssigned" #SystemAssigned OR UserAssigned OR SystemAssigned, UserAssigned @@ -105,10 +105,10 @@ virtual_machines = { name = "server1-data1" storage_account_type = "Standard_LRS" # Only Empty is supported. More community contributions required to cover other scenarios - create_option = "Empty" - disk_size_gb = "10" - lun = 1 - zones = ["1"] + create_option = "Empty" + disk_size_gb = "10" + lun = 1 + zones = ["1"] } } } diff --git a/examples/mssql_mi/200-mi/configuration.tfvars b/examples/mssql_mi/200-mi/configuration.tfvars index 962c048b99..8eea3a3122 100644 --- a/examples/mssql_mi/200-mi/configuration.tfvars +++ b/examples/mssql_mi/200-mi/configuration.tfvars @@ -21,7 +21,7 @@ vnets = { resource_group_key = "networking_region1" vnet = { name = "sqlmi-rg1" - address_space = ["172.25.88.0/21","10.2.0.0/24"] + address_space = ["172.25.88.0/21", "10.2.0.0/24"] } subnets = { sqlmi1 = { diff --git a/examples/mssql_mi/200-mi/nsg.tfvars b/examples/mssql_mi/200-mi/nsg.tfvars index d07e9224d5..d5bb2718bb 100644 --- a/examples/mssql_mi/200-mi/nsg.tfvars +++ b/examples/mssql_mi/200-mi/nsg.tfvars @@ -84,6 +84,6 @@ network_security_group_definition = { ] } subnet02 = { - nsg= [] + nsg = [] } } 
diff --git a/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars b/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars index 73220fa1ca..e694349351 100644 --- a/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars +++ b/examples/networking/private_links/endpoints/100-azure-open-ai-private-endpoint/configuration.tfvars @@ -16,9 +16,9 @@ cognitive_services_account = { resource_group = { key = "rg1" } - name = "pineconellmdemoopenai1" - kind = "OpenAI" - sku_name = "S0" + name = "pineconellmdemoopenai1" + kind = "OpenAI" + sku_name = "S0" custom_subdomain_name = "cs-alz-caf-test-b" #log_analytics_key = "la1" } @@ -34,9 +34,9 @@ vnets = { specialsubnets = {} subnets = { private_endpoints_subnet = { - name = "PrivateEndpoints" - cidr = ["10.0.16.0/24"] - enforce_private_endpoint_network_policies = true + name = "PrivateEndpoints" + cidr = ["10.0.16.0/24"] + enforce_private_endpoint_network_policies = true enforce_private_link_endpoint_network_policies = false } } @@ -58,12 +58,12 @@ private_dns = { private_endpoints = { vnet1 = { - vnet_key = "vnet1" - subnet_keys = ["private_endpoints_subnet"] + vnet_key = "vnet1" + subnet_keys = ["private_endpoints_subnet"] resource_group_key = "rg1" - cognitive_services_account = { - my_account = { - private_service_connection = { + cognitive_services_account = { + my_account = { + private_service_connection = { name = "CognitiveServicesPrivateEndpoint" } private_dns = { diff --git a/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars index b744f026c2..b740c02701 100644 --- a/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars +++ b/examples/recovery_vault/106-backupvault-with-sqldatabase-saphana/recovery_vaults.tfvars 
@@ -10,11 +10,11 @@ recovery_vaults = { backup_policies = { vm_workloads = { sql = { - name = "SQLTest" - workload_type = "SQLDataBase" - vault_key = "asr1" - rg_key = "primary" - timezone = "UTC" + name = "SQLTest" + workload_type = "SQLDataBase" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" compression_enabled = false protection_policies = { sqlfull = { @@ -23,8 +23,8 @@ recovery_vaults = { frequency = "Daily" time = "15:00" } - retention_daily = { - count = 8 + retention_daily = { + count = 8 } } sqllog = { @@ -39,11 +39,11 @@ recovery_vaults = { } } saphana = { - name = "SAPHANATest" - workload_type = "SAPHanaDatabase" - vault_key = "asr1" - rg_key = "primary" - timezone = "UTC" + name = "SAPHANATest" + workload_type = "SAPHanaDatabase" + vault_key = "asr1" + rg_key = "primary" + timezone = "UTC" compression_enabled = false protection_policies = { saphanafull = { @@ -52,8 +52,8 @@ recovery_vaults = { frequency = "Daily" time = "15:00" } - retention_daily = { - count = 8 + retention_daily = { + count = 8 } } saphanalog = { @@ -65,7 +65,7 @@ recovery_vaults = { count = 8 } } - } + } } } } diff --git a/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars index 875f053a47..873eb25a94 100644 --- a/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars +++ b/examples/role_mapping/102-azure-openai-managed-identity/configuration.tfvars @@ -16,16 +16,16 @@ cognitive_services_account = { resource_group = { key = "rg1" } - name = "pinecone-llm-demoopenai" - kind = "OpenAI" - sku_name = "S0" + name = "pinecone-llm-demoopenai" + kind = "OpenAI" + sku_name = "S0" custom_subdomain_name = "cs-alz-caf-llm-demoopenai" } } managed_identities = { workload-msi = { - name = "example-msi-openai-rolemap-msi" + name = "example-msi-openai-rolemap-msi" resource_group_key = "rg1" } } 
diff --git a/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars b/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars index 2d302c73f8..a849c3cfca 100644 --- a/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars +++ b/examples/search_service/100-search-service-both-apikeys-and-azuread/configuration.tfvars @@ -25,8 +25,8 @@ vnets = { } subnets = { default = { - name = "default" - cidr = ["10.5.1.0/24"] + name = "default" + cidr = ["10.5.1.0/24"] } } } diff --git a/examples/search_service/102-search-service-only-azuread/configuration.tfvars b/examples/search_service/102-search-service-only-azuread/configuration.tfvars index fa4190a82c..fd91a13b81 100644 --- a/examples/search_service/102-search-service-only-azuread/configuration.tfvars +++ b/examples/search_service/102-search-service-only-azuread/configuration.tfvars @@ -22,7 +22,7 @@ search_services = { identity = { type = "SystemAssigned" } - local_authentication_enabled = false + local_authentication_enabled = false # public_network_access_enabled = true # allowed_ips = ["13.478.57.73"] } diff --git a/examples/tests/mock/e2e_plan.tftest.hcl b/examples/tests/mock/e2e_plan.tftest.hcl index a9d1cb2780..213502c713 100644 --- a/examples/tests/mock/e2e_plan.tftest.hcl +++ b/examples/tests/mock/e2e_plan.tftest.hcl @@ -3,7 +3,7 @@ mock_provider "azurerm" { } mock_provider "azurerm" { - alias = "vhub" + alias = "vhub" source = "./tests/mock_data" } diff --git a/examples/variables.tf b/examples/variables.tf index 0e46b8498f..53625d0dd2 100644 --- a/examples/variables.tf +++ b/examples/variables.tf @@ -1130,7 +1130,7 @@ variable "maintenance_assignment_virtual_machine" { default = {} } variable "search_services" { - default = {} + default = {} } variable "load_test" { default = {} 
diff --git a/examples/webapps/appservice/103-appservice-extend/configuration.tfvars b/examples/webapps/appservice/103-appservice-extend/configuration.tfvars index f4cd1fcc04..b01dcbc5a3 100644 --- a/examples/webapps/appservice/103-appservice-extend/configuration.tfvars +++ b/examples/webapps/appservice/103-appservice-extend/configuration.tfvars @@ -52,19 +52,19 @@ app_services = { ip_restriction = [ { - name = "deny-all-traffic" - action = "Deny" - ip_address = "0.0.0.0/0" - priority = 65000 + name = "deny-all-traffic" + action = "Deny" + ip_address = "0.0.0.0/0" + priority = 65000 } ] scm_ip_restriction = [ { - name = "allow-all-traffic" - action = "Allow" - ip_address = "0.0.0.0/0" - priority = 65000 + name = "allow-all-traffic" + action = "Allow" + ip_address = "0.0.0.0/0" + priority = 65000 } ] } From 3e6950897573dd2d61392a1f408516afb3823af1 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Mon, 3 Jun 2024 15:54:22 +0000 Subject: [PATCH 093/244] Fix mock tests for 100-service-health-alerts --- examples/tests/mock_data/data.tfmock.hcl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/examples/tests/mock_data/data.tfmock.hcl b/examples/tests/mock_data/data.tfmock.hcl index 09746fff75..2f54d771f3 100644 --- a/examples/tests/mock_data/data.tfmock.hcl +++ b/examples/tests/mock_data/data.tfmock.hcl @@ -32,4 +32,13 @@ mock_data "azuread_service_principal" { display_name = "mock_service_principal" object_id = "00000000-0000-0000-0000-000000000000" } -} \ No newline at end of file +} + +mock_data "azurerm_role_definition" { + defaults = { + id = "b24988ac-6180-42a0-ab88-20f7382dd24c" + description = "Contributor" + type = "BuiltInRole" + } + +} From 3faf7d7fa93dfc941fe121676221efb4a745ebd9 Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux Date: Mon, 3 Jun 2024 09:42:52 -0700 Subject: [PATCH 094/244] Adding dependabot config
---
 .github/dependabot.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000000..09d6da5cd2
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,19 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions" # See documentation for possible values
+ directory: "/.github/workflows" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "devcontainers" # See documentation for possible values
+ directory: "/.devcontainer" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "terraform" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
\ No newline at end of file
From 4efbccc2094187f2958e04648f2d35a5a790be82 Mon Sep 17 00:00:00 2001
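Review bot: The `terraform` entry only watches `directory: "/"`, and as far as I know Dependabot's `directory` is not recursive for this ecosystem, so provider constraints declared in the `terraform {}` blocks under `modules/**` and `examples/**` would stay unmonitored; if those should be kept current too, add entries for those paths (or the `directories` list with globs, where supported) and confirm on the first run that update PRs are opened for them. The template comments `# See documentation for possible values` repeated on every entry add nothing once the ecosystems are chosen and can go. The file is also written without a trailing newline.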
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 19:39:48 +0000 Subject: [PATCH 095/244] Bump release-drafter/release-drafter from 5 to 6 in /.github/workflows Bumps [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) from 5 to 6. - [Release notes](https://github.com/release-drafter/release-drafter/releases) - [Commits](https://github.com/release-drafter/release-drafter/compare/v5...v6) --- updated-dependencies: - dependency-name: release-drafter/release-drafter dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release-drafter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 2fa5da4d75..322c5883d0 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: # Drafts your next Release notes as Pull Requests are merged into "master" - - uses: release-drafter/release-drafter@v5 + - uses: release-drafter/release-drafter@v6 #with: # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml # config-name: my-config.yml From c96c7b462f5ac4f3cad9d948d973604098adbe21 Mon Sep 17 00:00:00 2001 From: Viacheslav Kuzmenko <60648640+onlyillusion@users.noreply.github.com> Date: Wed, 12 Jun 2024 14:05:24 +0300 Subject: [PATCH 096/244] Update application_gateway.tf --- modules/networking/application_gateway/application_gateway.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/networking/application_gateway/application_gateway.tf b/modules/networking/application_gateway/application_gateway.tf index a0cbfb6feb..100b2c6c52 100644 --- a/modules/networking/application_gateway/application_gateway.tf +++ b/modules/networking/application_gateway/application_gateway.tf 
@@ -193,6 +193,7 @@ resource "azurerm_application_gateway" "agw" {
 affinity_cookie_name = try(backend_http_settings.value.affinity_cookie_name, null)
 port = backend_http_settings.value.port
 protocol = backend_http_settings.value.protocol
+ path = try(backend_http_settings.value.path, null)
 request_timeout = try(backend_http_settings.value.request_timeout, 30)
 pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false)
 trusted_root_certificate_names = try(backend_http_settings.value.trusted_root_certificate_names, null)
From f343780e62f9b77ea667cf4981a010aaaaf68247 Mon Sep 17 00:00:00 2001
From: Vasil Nikolov <43233694+vnikolov4@users.noreply.github.com> Date: Fri, 14 Jun 2024 09:47:55 +0300 Subject: [PATCH 097/244] Fixed a Bug with Hourly VM Backup policy. (#2010) * Fixed a bug with hourly VM Backups. Included additional attributes. * Apply terraform fmt --------- Co-authored-by: GitHub Action --- compute_virtual_machines.tf | 2 +- compute_virtual_machines_scale_sets.tf | 2 +- databricks_access_connectors.tf | 12 ++--- .../databricks_access_connector/main.tf | 4 +- .../databricks_access_connector/module.tf | 2 +- modules/apim/api_management/module.tf | 2 +- .../container_app_dapr_component.tf | 12 ++--- .../virtual_machine/dynamic_custom_data.tf | 28 +++++------ modules/compute/virtual_machine/vm_disk.tf | 2 +- modules/compute/virtual_machine/vm_linux.tf | 50 +++++++++---------- .../assignment_virtual_machine/main.tf | 4 +- .../assignment_virtual_machine/module.tf | 2 +- modules/maintenance/configuration/module.tf | 6 +-- modules/maintenance/configuration/outputs.tf | 4 +- .../servicebus/namespace/private_endpoints.tf | 2 +- .../private_endpoint/private_endpoint.tf | 6 +-- modules/networking/virtual_wan/virtual_wan.tf | 2 +- modules/recovery_vault/backup_policies_vm.tf | 8 +-- .../backup_policies_vm_workload.tf | 2 +- modules/recovery_vault/outputs.tf | 2 +- modules/roles/custom_roles/module.tf | 2 +- msssql_managed_instances.tf | 16 +++--- msssql_managed_instances_v1.tf | 16 +++--- networking_private_links.tf | 36 ++++++------- 24 files changed, 113 insertions(+), 111 deletions(-) diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf index 4152a9ecb0..267e87986a 100644 --- a/compute_virtual_machines.tf +++ b/compute_virtual_machines.tf @@ -14,7 +14,7 @@ module "virtual_machines" { module.storage_account_blobs, time_sleep.azurerm_role_assignment_for[0] ] - + for_each = local.compute.virtual_machines application_security_groups = local.combined_objects_application_security_groups 
diff --git a/compute_virtual_machines_scale_sets.tf b/compute_virtual_machines_scale_sets.tf index 175e213d33..da06e21d0a 100644 --- a/compute_virtual_machines_scale_sets.tf +++ b/compute_virtual_machines_scale_sets.tf @@ -15,7 +15,7 @@ module "virtual_machine_scale_sets" { module.proximity_placement_groups, time_sleep.azurerm_role_assignment_for[0] ] - + for_each = local.compute.virtual_machine_scale_sets availability_sets = local.combined_objects_availability_sets diff --git a/databricks_access_connectors.tf b/databricks_access_connectors.tf index 108aaf3e99..87975da0bb 100644 --- a/databricks_access_connectors.tf +++ b/databricks_access_connectors.tf @@ -2,12 +2,12 @@ module "databricks_access_connectors" { source = "./modules/analytics/databricks_access_connector" for_each = local.database.databricks_access_connectors - client_config = local.client_config - global_settings = local.global_settings - name = each.value.name - settings = each.value - resource_groups = local.combined_objects_resource_groups - base_tags = local.global_settings.inherit_tags + client_config = local.client_config + global_settings = local.global_settings + name = each.value.name + settings = each.value + resource_groups = local.combined_objects_resource_groups + base_tags = local.global_settings.inherit_tags remote_objects = { managed_identities = local.combined_objects_managed_identities } diff --git a/modules/analytics/databricks_access_connector/main.tf b/modules/analytics/databricks_access_connector/main.tf index 00369bb2be..f6a34ca013 100644 --- a/modules/analytics/databricks_access_connector/main.tf +++ b/modules/analytics/databricks_access_connector/main.tf 
@@ -5,8 +5,8 @@ locals { try(var.settings.tags, null) ) : try(var.settings.tags, null) - - resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)] + + resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)] } terraform { diff --git a/modules/analytics/databricks_access_connector/module.tf b/modules/analytics/databricks_access_connector/module.tf index 9da6636dfb..4b577f596f 100644 --- a/modules/analytics/databricks_access_connector/module.tf +++ b/modules/analytics/databricks_access_connector/module.tf @@ -11,5 +11,5 @@ resource "azurerm_databricks_access_connector" "databricks_access_connector" { identity_ids = concat(local.managed_identities, try(identity.value.identity_ids, [])) } } - + } diff --git a/modules/apim/api_management/module.tf b/modules/apim/api_management/module.tf index 65c1a777f1..59e188c6a6 100644 --- a/modules/apim/api_management/module.tf +++ b/modules/apim/api_management/module.tf 
@@ -17,7 +17,7 @@ resource "azurerm_api_management" "apim" { publisher_email = var.settings.publisher_email sku_name = var.settings.sku_name - public_ip_address_id = can(var.settings.public_ip_address_id) ? var.settings.public_ip_address_id : can(var.settings.public_ip_address.key) ? var.public_ip_addresses[try(var.settings.public_ip_address.lz_key, var.client_config.landingzone_key)][var.settings.public_ip_address.key].id : null + public_ip_address_id = can(var.settings.public_ip_address_id) ? var.settings.public_ip_address_id : can(var.settings.public_ip_address.key) ? var.public_ip_addresses[try(var.settings.public_ip_address.lz_key, var.client_config.landingzone_key)][var.settings.public_ip_address.key].id : null dynamic "additional_location" { for_each = try(var.settings.additional_location, null) != null ? [var.settings.additional_location] : [] diff --git a/modules/compute/container_app_dapr_component/container_app_dapr_component.tf b/modules/compute/container_app_dapr_component/container_app_dapr_component.tf index 5944658593..c3f47aef36 100644 --- a/modules/compute/container_app_dapr_component/container_app_dapr_component.tf +++ b/modules/compute/container_app_dapr_component/container_app_dapr_component.tf @@ -9,11 +9,11 @@ resource "azurerm_container_app_environment_dapr_component" "cadc" { dynamic "metadata" { for_each = try(var.settings.metadata, {}) - + content { - name = metadata.value.name - secret_name = try(metadata.value.secret_name, null) - value = try(metadata.value.value, null) + name = metadata.value.name + secret_name = try(metadata.value.secret_name, null) + value = try(metadata.value.value, null) } } @@ -21,8 +21,8 @@ resource "azurerm_container_app_environment_dapr_component" "cadc" { for_each = try(var.settings.secret, {}) content { - name = secret.value.name - value = secret.value.value + name = secret.value.name + value = secret.value.value } } } 
diff --git a/modules/compute/virtual_machine/dynamic_custom_data.tf b/modules/compute/virtual_machine/dynamic_custom_data.tf index c47299c4ee..2b2623b53e 100644 --- a/modules/compute/virtual_machine/dynamic_custom_data.tf +++ b/modules/compute/virtual_machine/dynamic_custom_data.tf @@ -1,6 +1,6 @@ data "azurerm_key_vault_secret" "custom_data" { - for_each = local.os_type == "linux" ? try({for k,v in local.dynamic_custom_data_to_process["keyvaults"]: k => v }, {}) : {} + for_each = local.os_type == "linux" ? try({ for k, v in local.dynamic_custom_data_to_process["keyvaults"] : k => v }, {}) : {} key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id name = each.value.name @@ -8,7 +8,7 @@ data "azurerm_key_vault_secret" "custom_data" { } data "azurerm_key_vault_key" "custom_data" { - for_each = local.os_type == "linux" ? try({for k,v in local.dynamic_custom_data_to_process["keyvault_keys"]: k =>v }, {}) : {} + for_each = local.os_type == "linux" ? try({ for k, v in local.dynamic_custom_data_to_process["keyvault_keys"] : k => v }, {}) : {} key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id name = each.value.name @@ -17,7 +17,7 @@ data "azurerm_key_vault_key" "custom_data" { } data "azurerm_key_vault_certificate" "custom_data" { - for_each = local.os_type == "linux" ? try({for k,v in local.dynamic_custom_data_to_process["keyvault_certificates"]: k => v }, {}) : {} + for_each = local.os_type == "linux" ? try({ for k, v in local.dynamic_custom_data_to_process["keyvault_certificates"] : k => v }, {}) : {} key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id name = each.value.name 
@@ -25,7 +25,7 @@ data "azurerm_key_vault_certificate" "custom_data" { } locals { - + palo_alto_connection_string = { for item in var.settings.virtual_machine_settings : item.name => base64encode("storage-account=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].name}, access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}, file-share=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].name}, share-directory=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].file_share[item.palo_alto_connection_string.file_share].file_share_directories[item.palo_alto_connection_string.file_share_directory].name}") @@ -33,14 +33,14 @@ locals { } combined_objects = { - storage_accounts = var.storage_accounts - keyvaults = var.keyvaults - keyvault_keys = try(data.azurerm_key_vault_key.custom_data,{}) - keyvault_secrets = try(data.azurerm_key_vault_secret.custom_data,{}) - keyvault_certificates = try(data.azurerm_key_vault_certificate.custom_data,{}) - vnets = var.vnets + storage_accounts = var.storage_accounts + keyvaults = var.keyvaults + keyvault_keys = try(data.azurerm_key_vault_key.custom_data, {}) + keyvault_secrets = try(data.azurerm_key_vault_secret.custom_data, {}) + keyvault_certificates = try(data.azurerm_key_vault_certificate.custom_data, {}) + vnets = var.vnets } - + dynamic_custom_data_to_process = { for setting in flatten([ 
@@ -55,10 +55,10 @@ locals { ]) : setting.key => setting.value } - dynamic_custom_data_combined_objects ={ - for key, value in local.dynamic_custom_data_to_process: key => + dynamic_custom_data_combined_objects = { + for key, value in local.dynamic_custom_data_to_process : key => { - for k,v in value: k => try(local.combined_objects[key][try(v.lz_key, var.client_config.landingzone_key)][k], local.combined_objects[key][k]) + for k, v in value : k => try(local.combined_objects[key][try(v.lz_key, var.client_config.landingzone_key)][k], local.combined_objects[key][k]) } } diff --git a/modules/compute/virtual_machine/vm_disk.tf b/modules/compute/virtual_machine/vm_disk.tf index 3195a8945a..506ad2e2a2 100644 --- a/modules/compute/virtual_machine/vm_disk.tf +++ b/modules/compute/virtual_machine/vm_disk.tf @@ -10,7 +10,7 @@ data "azurecaf_name" "disk" { use_slug = var.global_settings.use_slug } -resource "azurerm_managed_disk" "disk" { +resource "azurerm_managed_disk" "disk" { for_each = lookup(var.settings, "data_disks", {}) name = data.azurecaf_name.disk[each.key].result diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 5bd8b073e9..6703623b32 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
@@ -46,7 +46,7 @@ data "azurecaf_name" "os_disk_linux" { use_slug = var.global_settings.use_slug } resource "local_sensitive_file" "custom_data" { - for_each = local.os_type == "linux" ? try({for k,v in var.settings.virtual_machine_settings : k => v if can(v.custom_data.templatefile)} , {}) : {} + for_each = local.os_type == "linux" ? try({ for k, v in var.settings.virtual_machine_settings : k => v if can(v.custom_data.templatefile) }, {}) : {} content = templatefile(try(format("%s/%s", path.cwd, each.value.custom_data.templatefile), each.value.custom_data.templatefile), merge(each.value.custom_data, local.dynamic_custom_data)) filename = try(format("%s/%s.out", path.cwd, each.value.custom_data.templatefile), each.value.custom_data.templatefile) } 
@@ -54,37 +54,37 @@ resource "local_sensitive_file" "custom_data" { resource "azurerm_linux_virtual_machine" "vm" { for_each = local.os_type == "linux" ? var.settings.virtual_machine_settings : {} - admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null - admin_username = each.value.admin_username - allow_extension_operations = try(each.value.allow_extension_operations, null) - availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ? var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null) - computer_name = data.azurecaf_name.linux_computer_name[each.key].result - disable_password_authentication = try(each.value.disable_password_authentication, true) - encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null) - eviction_policy = try(each.value.eviction_policy, null) - license_type = try(each.value.license_type, null) - location = local.location - max_bid_price = try(each.value.max_bid_price, null) - name = data.azurecaf_name.linux[each.key].result - network_interface_ids = local.nic_ids + admin_password = each.value.disable_password_authentication == false ? each.value.admin_password : null + admin_username = each.value.admin_username + allow_extension_operations = try(each.value.allow_extension_operations, null) + availability_set_id = can(each.value.availability_set_key) || can(each.value.availability_set.key) ? 
var.availability_sets[try(var.client_config.landingzone_key, each.value.availability_set.lz_key)][try(each.value.availability_set_key, each.value.availability_set.key)].id : try(each.value.availability_set.id, each.value.availability_set_id, null) + computer_name = data.azurecaf_name.linux_computer_name[each.key].result + disable_password_authentication = try(each.value.disable_password_authentication, true) + encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null) + eviction_policy = try(each.value.eviction_policy, null) + license_type = try(each.value.license_type, null) + location = local.location + max_bid_price = try(each.value.max_bid_price, null) + name = data.azurecaf_name.linux[each.key].result + network_interface_ids = local.nic_ids bypass_platform_safety_checks_on_user_schedule_enabled = try(each.value.bypass_platform_safety_checks_on_user_schedule_enabled, null) # (Optional) Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault. For more information on patch modes please see the product documentation. - patch_mode = try(each.value.patch_mode, "ImageDefault") - priority = try(each.value.priority, null) - provision_vm_agent = try(each.value.provision_vm_agent, true) - proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? 
var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null) - resource_group_name = local.resource_group_name - size = each.value.size - tags = merge(local.tags, try(each.value.tags, null)) - zone = try(each.value.zone, null) - secure_boot_enabled = try(each.value.secure_boot_enabled, null) - vtpm_enabled = try(each.value.vtpm_enabled, null) + patch_mode = try(each.value.patch_mode, "ImageDefault") + priority = try(each.value.priority, null) + provision_vm_agent = try(each.value.provision_vm_agent, true) + proximity_placement_group_id = can(each.value.proximity_placement_group_key) || can(each.value.proximity_placement_group.key) ? var.proximity_placement_groups[try(var.client_config.landingzone_key, var.client_config.landingzone_key)][try(each.value.proximity_placement_group_key, each.value.proximity_placement_group.key)].id : try(each.value.proximity_placement_group_id, each.value.proximity_placement_group.id, null) + resource_group_name = local.resource_group_name + size = each.value.size + tags = merge(local.tags, try(each.value.tags, null)) + zone = try(each.value.zone, null) + secure_boot_enabled = try(each.value.secure_boot_enabled, null) + vtpm_enabled = try(each.value.vtpm_enabled, null) custom_data = try( try( try(local_sensitive_file.custom_data[each.key].content_base64, local.dynamic_custom_data[each.value.custom_data][each.value.name]), - try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))), + try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))), null) diff --git a/modules/maintenance/assignment_virtual_machine/main.tf b/modules/maintenance/assignment_virtual_machine/main.tf index 02833ea709..7c28cbbdb3 100644 
--- a/modules/maintenance/assignment_virtual_machine/main.tf +++ b/modules/maintenance/assignment_virtual_machine/main.tf @@ -10,6 +10,6 @@ locals { module_tag = { "module" = basename(abspath(path.module)) } - tags = merge(var.base_tags, local.module_tag, try(var.tags, null)) - location = var.location + tags = merge(var.base_tags, local.module_tag, try(var.tags, null)) + location = var.location } \ No newline at end of file diff --git a/modules/maintenance/assignment_virtual_machine/module.tf b/modules/maintenance/assignment_virtual_machine/module.tf index 2ea9ff6338..8db2502a19 100644 --- a/modules/maintenance/assignment_virtual_machine/module.tf +++ b/modules/maintenance/assignment_virtual_machine/module.tf @@ -1,4 +1,4 @@ -resource "azurerm_maintenance_assignment_virtual_machine" "maintenance_assignment_virtual_machine" { +resource "azurerm_maintenance_assignment_virtual_machine" "maintenance_assignment_virtual_machine" { location = var.location maintenance_configuration_id = var.maintenance_configuration_id virtual_machine_id = var.virtual_machine_id diff --git a/modules/maintenance/configuration/module.tf b/modules/maintenance/configuration/module.tf index f28e7033c5..aa5e777aa1 100644 --- a/modules/maintenance/configuration/module.tf +++ b/modules/maintenance/configuration/module.tf @@ -14,10 +14,10 @@ resource "azurerm_maintenance_configuration" "maintenance_configuration" { location = var.location scope = var.scope visibility = try(var.visibility, null) - properties = try(var.properties, {}) + properties = try(var.properties, {}) in_guest_user_patch_mode = var.settings.scope == "InGuestPatch" ? var.in_guest_user_patch_mode : try(var.in_guest_user_patch_mode, null) - + dynamic "window" { for_each = try(var.settings.window, null) != null ? [var.settings.window] : [] content { 
@@ -52,7 +52,7 @@ resource "azurerm_maintenance_configuration" "maintenance_configuration" { } } - reboot = try(var.settings.install_patches.reboot, "IfRequired" ) + reboot = try(var.settings.install_patches.reboot, "IfRequired") } } diff --git a/modules/maintenance/configuration/outputs.tf b/modules/maintenance/configuration/outputs.tf index 701dd0eb94..3163ab4fa2 100644 --- a/modules/maintenance/configuration/outputs.tf +++ b/modules/maintenance/configuration/outputs.tf @@ -5,10 +5,10 @@ output "id" { output "maintenance_configuration_name" { description = "The name of the maintenance configuration." - value = azurerm_maintenance_configuration.maintenance_configuration.name + value = azurerm_maintenance_configuration.maintenance_configuration.name } output "maintenance_configuration_location" { description = "The location where the resource exists" - value = azurerm_maintenance_configuration.maintenance_configuration.location + value = azurerm_maintenance_configuration.maintenance_configuration.location } \ No newline at end of file diff --git a/modules/messaging/servicebus/namespace/private_endpoints.tf b/modules/messaging/servicebus/namespace/private_endpoints.tf index 7d6b7d7ac6..9cbab5ee22 100644 --- a/modules/messaging/servicebus/namespace/private_endpoints.tf +++ b/modules/messaging/servicebus/namespace/private_endpoints.tf @@ -1,5 +1,5 @@ module "private_endpoint" { - source = "../../../networking/private_endpoint" + source = "../../../networking/private_endpoint" #for_each = try(var.settings.private_endpoints, {}) for_each = lookup(var.settings, "private_endpoints", {}) diff --git a/modules/networking/private_endpoint/private_endpoint.tf b/modules/networking/private_endpoint/private_endpoint.tf index dd5a6ca7be..d74f19c6bd 100644 --- a/modules/networking/private_endpoint/private_endpoint.tf +++ b/modules/networking/private_endpoint/private_endpoint.tf 
@@ -56,10 +56,10 @@ resource "azurerm_private_endpoint" "pep" { } resource "time_sleep" "delay" { - count = can(lookup(var.settings,var.settings.delay_time_after_creation,false)) ? 1: 0 - depends_on = [azurerm_private_endpoint.pep] + count = can(lookup(var.settings, var.settings.delay_time_after_creation, false)) ? 1 : 0 + depends_on = [azurerm_private_endpoint.pep] create_duration = var.settings.delay_time_after_creation lifecycle { - replace_triggered_by = [ azurerm_private_endpoint.pep ] + replace_triggered_by = [azurerm_private_endpoint.pep] } } \ No newline at end of file diff --git a/modules/networking/virtual_wan/virtual_wan.tf b/modules/networking/virtual_wan/virtual_wan.tf index b0bb2b03e8..11cb9a2bbd 100644 --- a/modules/networking/virtual_wan/virtual_wan.tf +++ b/modules/networking/virtual_wan/virtual_wan.tf @@ -34,6 +34,6 @@ module "hubs" { tags = merge(try(each.value.tags, null), local.tags) virtual_hub_config = each.value virtual_networks = var.virtual_networks - keyvaults = var.keyvaults + keyvaults = var.keyvaults vwan_id = azurerm_virtual_wan.vwan.id } diff --git a/modules/recovery_vault/backup_policies_vm.tf b/modules/recovery_vault/backup_policies_vm.tf index fd2b2847a4..da18ae313a 100644 --- a/modules/recovery_vault/backup_policies_vm.tf +++ b/modules/recovery_vault/backup_policies_vm.tf @@ -15,9 +15,11 @@ resource "azurerm_backup_policy_vm" "vm" { for_each = lookup(each.value, "backup", null) == null ? [] : [1] content { - frequency = lookup(each.value.backup, "frequency", null) - time = each.value.backup.time - weekdays = lookup(each.value.backup, "weekdays", null) + frequency = lookup(each.value.backup, "frequency", null) + hour_interval = lookup(each.value.backup, "hour_interval", null) + hour_duration = lookup(each.value.backup, "hour_duration", null) + time = each.value.backup.time + weekdays = lookup(each.value.backup, "weekdays", null) } } 
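Review bot: In the backup_policies_vm.tf hunk, the new `hour_interval` and `hour_duration` arguments are passed straight through with no check that they are present when `frequency` is `Hourly` (or absent otherwise), so a mis-specified policy only fails at apply time instead of at plan. A `lifecycle { precondition { ... } }` on the `azurerm_backup_policy_vm` resource, e.g. `condition = lookup(each.value.backup, "frequency", null) != "Hourly" || (can(each.value.backup.hour_interval) && can(each.value.backup.hour_duration))`, would surface the mistake earlier. Whatever further constraints Azure places on the interval and duration values I have not verified here, so the precondition's `error_message` should stay generic. The `azurerm_backup_policy_vm` resource block and the enclosing `dynamic "backup"` braces start and end outside this hunk.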
diff --git a/modules/recovery_vault/backup_policies_vm_workload.tf b/modules/recovery_vault/backup_policies_vm_workload.tf index b40bffdeda..83520e77c0 100644 --- a/modules/recovery_vault/backup_policies_vm_workload.tf +++ b/modules/recovery_vault/backup_policies_vm_workload.tf @@ -15,7 +15,7 @@ resource "azurerm_backup_policy_vm_workload" "vm_workload" { for_each = each.value.protection_policies content { - policy_type = protection_policy.value.policy_type + policy_type = protection_policy.value.policy_type backup { frequency = try(protection_policy.value.backup.frequency, null) diff --git a/modules/recovery_vault/outputs.tf b/modules/recovery_vault/outputs.tf index 7ddb9fc6b3..4213ffee07 100644 --- a/modules/recovery_vault/outputs.tf +++ b/modules/recovery_vault/outputs.tf @@ -16,7 +16,7 @@ output "backup_policies" { value = { virtual_machines = azurerm_backup_policy_vm.vm file_shares = azurerm_backup_policy_file_share.fs - vm_workloads = azurerm_backup_policy_vm_workload.vm_workload + vm_workloads = azurerm_backup_policy_vm_workload.vm_workload } } diff --git a/modules/roles/custom_roles/module.tf b/modules/roles/custom_roles/module.tf index 44cbc4d118..94a0a1747f 100644 --- a/modules/roles/custom_roles/module.tf +++ b/modules/roles/custom_roles/module.tf @@ -1,6 +1,6 @@ locals { - global_settings = merge(var.global_settings, try(var.custom_role.global_settings,{})) + global_settings = merge(var.global_settings, try(var.custom_role.global_settings, {})) } resource "azurecaf_name" "custom_role" { diff --git a/msssql_managed_instances.tf b/msssql_managed_instances.tf index e4e0b84ad3..373d445ec9 100644 --- a/msssql_managed_instances.tf +++ b/msssql_managed_instances.tf 
@@ -18,10 +18,10 @@ module "mssql_managed_instances" { base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups } module "mssql_managed_instances_secondary" { 
@@ -42,10 +42,10 @@ module "mssql_managed_instances_secondary" { subnet_id = can(each.value.networking.subnet_id) ? each.value.networking.subnet_id : local.combined_objects_networking[try(each.value.networking.lz_key, local.client_config.landingzone_key)][each.value.networking.vnet_key].subnets[each.value.networking.subnet_key].id primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups } module "mssql_mi_failover_groups" { diff --git a/msssql_managed_instances_v1.tf b/msssql_managed_instances_v1.tf index 9de5953861..93c0235fb4 100644 --- a/msssql_managed_instances_v1.tf +++ b/msssql_managed_instances_v1.tf 
@@ -34,10 +34,10 @@ module "mssql_managed_instances_v1" { keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] primary_server_id = null group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) 
@@ -62,10 +62,10 @@ module "mssql_managed_instances_secondary_v1" { primary_server_id = local.combined_objects_mssql_managed_instances[try(each.value.primary_server.lz_key, local.client_config.landingzone_key)][each.value.primary_server.mi_server_key].id keyvault = can(each.value.administrator_login_password) ? null : local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][try(each.value.keyvault.key, each.value.keyvault_key)] group_id = can(each.value.administrators.azuread_group_id) || can(each.value.administrators.azuread_group_key) ? try(each.value.administrators.azuread_group_id, local.combined_objects_azuread_groups[try(each.value.administrators.lz_key, local.client_config.landingzone_key)][each.value.administrators.azuread_group_key].id) : null - vnets = local.combined_objects_networking - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + resource_groups = local.combined_objects_resource_groups base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} inherit_tags = try(local.global_settings.inherit_tags, false) diff --git a/networking_private_links.tf b/networking_private_links.tf index a3fc27d0de..2971f91eb5 100644 --- a/networking_private_links.tf +++ b/networking_private_links.tf 
@@ -15,25 +15,25 @@ module "private_endpoints" { diagnostic_storage_accounts = local.combined_diagnostics.storage_accounts diagnostic_event_hub_namespaces = local.combined_diagnostics.event_hub_namespaces - aks_clusters = local.combined_objects_aks_clusters - app_config = local.combined_objects_app_config - batch_accounts = local.combined_objects_batch_accounts - azure_container_registries = local.combined_objects_azure_container_registries + aks_clusters = local.combined_objects_aks_clusters + app_config = local.combined_objects_app_config + batch_accounts = local.combined_objects_batch_accounts + azure_container_registries = local.combined_objects_azure_container_registries cognitive_services_accounts = local.combined_objects_cognitive_services_accounts - cosmos_dbs = local.combined_objects_cosmos_dbs - data_factory = local.combined_objects_data_factory - event_hub_namespaces = local.combined_objects_event_hub_namespaces - keyvaults = local.combined_objects_keyvaults - machine_learning = local.combined_objects_machine_learning - mssql_servers = local.combined_objects_mssql_servers - mysql_servers = local.combined_objects_mysql_servers - networking = local.combined_objects_networking - postgresql_servers = local.combined_objects_postgresql_servers - recovery_vaults = local.combined_objects_recovery_vaults - redis_caches = local.combined_objects_redis_caches - storage_accounts = local.combined_objects_storage_accounts - synapse_workspaces = local.combined_objects_synapse_workspaces - signalr_services = local.combined_objects_signalr_services + cosmos_dbs = local.combined_objects_cosmos_dbs + data_factory = local.combined_objects_data_factory + event_hub_namespaces = local.combined_objects_event_hub_namespaces + keyvaults = local.combined_objects_keyvaults + machine_learning = local.combined_objects_machine_learning + mssql_servers = local.combined_objects_mssql_servers + mysql_servers = local.combined_objects_mysql_servers + networking = 
local.combined_objects_networking + postgresql_servers = local.combined_objects_postgresql_servers + recovery_vaults = local.combined_objects_recovery_vaults + redis_caches = local.combined_objects_redis_caches + storage_accounts = local.combined_objects_storage_accounts + synapse_workspaces = local.combined_objects_synapse_workspaces + signalr_services = local.combined_objects_signalr_services } } From d2ba77db8d010d106449fb29628ba9f88f30aa20 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Thu, 20 Jun 2024 13:26:19 +0000 Subject: [PATCH 098/244] feat(invoice-sections): adding invoice section creation and updating subscription creation to be able to reference them --- billing_invoice_section.tf | 13 ++++++++ .../configuration.tfvars | 31 +++++++++++++++++++ locals.combined_objects.tf | 1 + modules/billing/invoice_sections/main.tf | 18 +++++++++++ modules/billing/invoice_sections/module.tf | 29 +++++++++++++++++ modules/billing/invoice_sections/variables.tf | 13 ++++++++ modules/subscriptions/subscriptions.tf | 14 ++++++--- modules/subscriptions/variables.tf | 4 ++- subscriptions.tf | 4 +++ variables.tf | 5 ++- 10 files changed, 126 insertions(+), 6 deletions(-) create mode 100644 billing_invoice_section.tf create mode 100644 examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars create mode 100644 modules/billing/invoice_sections/main.tf create mode 100644 modules/billing/invoice_sections/module.tf create mode 100644 modules/billing/invoice_sections/variables.tf diff --git a/billing_invoice_section.tf b/billing_invoice_section.tf new file mode 100644 index 0000000000..59eaf7f725 --- /dev/null +++ b/billing_invoice_section.tf 
@@ -0,0 +1,13 @@
+module "invoice_section" {
+ source = "./modules/billing/invoice_sections"
+ for_each = var.invoice_sections
+
+ global_settings = local.global_settings
+ client_config = local.client_config
+ settings = each.value
+ base_tags = local.global_settings.inherit_tags
+}
+
+output "invoice_sections" {
+ value = module.invoice_section
+}
\ No newline at end of file
diff --git a/examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars b/examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars
new file mode 100644
index 0000000000..539224c2b1
--- /dev/null
+++ b/examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars
@@ -0,0 +1,31 @@
+subscriptions = {
+
+ sandbox = {
+ name = "my-sandbox"
+ create_alias = true
+ billing_account_name = "0000000-0000-0000-0000-0000000:000000-0000-0000-0000-00000000_2019-05-31"
+ billing_profile_name = "XXXX-XXXX-XXX-XXX"
+ #invoice_section_name = "XXXX-XXXX-XXX-XXX"
+ invoice_section_key = "section_1"
+ #invoice_section_lz_key = ""
+ management_group_id = "caf-sandbox-landingzones"
+ workload = "DevTest"
+ tags = {
+ owner = "Cloud Platform Team"
+ }
+ }
+}
+
+invoice_sections = {
+ section_1 = {
+ name = "sandbox-automation-invoice-section"
+ billing_account_id = "0000000-0000-0000-0000-0000000:000000-0000-0000-0000-00000000_2019-05-31"
+ billing_profile_id = "XXXX-XXXX-XXX-XXX"
+ labels = {
+ "foo" = "baz"
+ }
+ tags = {
+ "tagA" = "valueA"
+ }
+ }
+}
\ No newline at end of file
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
index 7cdda987c7..696f6e568b 100644
--- a/locals.combined_objects.tf
+++ b/locals.combined_objects.tf
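Review bot: `base_tags = local.global_settings.inherit_tags` is passed unguarded into a module variable declared as `type = bool` with no default, so a `global_settings` that does not define `inherit_tags` fails the plan instead of defaulting to false. The sibling module calls in this root (for example `mssql_managed_instances_v1` above) use `try(local.global_settings.inherit_tags, false)`, and this call should do the same: `base_tags = try(local.global_settings.inherit_tags, false)`. Whether the landing zone always populates `inherit_tags` is not visible here, so this is at least a consistency point.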
@@ -179,6 +179,7 @@ locals { combined_objects_cost_anomaly_alert = merge(tomap({ (local.client_config.landingzone_key) = module.cost_anomaly_alert }), try(var.remote_objects.cost_anomaly_alert, {})) combined_objects_gallery_application = merge(tomap({ (local.client_config.landingzone_key) = module.gallery_application }), try(var.remote_objects.gallery_application, {})) combined_objects_gallery_application_version = merge(tomap({ (local.client_config.landingzone_key) = module.gallery_application_version }), try(var.remote_objects.gallery_application_version, {})) + combined_objects_invoice_sections = merge(tomap({ (local.client_config.landingzone_key) = module.invoice_section }), try(var.remote_objects.invoice_sections, {})) combined_objects_subscriptions = merge( tomap( diff --git a/modules/billing/invoice_sections/main.tf b/modules/billing/invoice_sections/main.tf new file mode 100644 index 0000000000..4b5407c44a --- /dev/null +++ b/modules/billing/invoice_sections/main.tf @@ -0,0 +1,18 @@ +locals { + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.settings.tags, null) + ) : try(var.settings.tags, null) +} + +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + azapi = { + source = "azure/azapi" + version = "~> 1.6.0" + } + } +} diff --git a/modules/billing/invoice_sections/module.tf b/modules/billing/invoice_sections/module.tf new file mode 100644 index 0000000000..0a49d498df --- /dev/null +++ b/modules/billing/invoice_sections/module.tf 
@@ -0,0 +1,29 @@
+resource "azapi_resource" "invoice_section" {
+ type = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections@2020-05-01"
+ name = var.settings.name
+ parent_id = format("/providers/Microsoft.Billing/billingAccounts/%s/billingProfiles/%s", var.settings.billing_account_id, var.settings.billing_profile_id)
+ response_export_values = ["properties.displayName"]
+ body = jsonencode({
+ properties = {
+ displayName = var.settings.name
+ labels = try(var.settings.labels, null)
+ tags = local.tags
+ }
+ })
+}
+
+output "id" {
+ value = azapi_resource.invoice_section.id
+}
+output "name" {
+ value = var.settings.name
+}
+output "display_name" {
+ value = jsondecode(azapi_resource.invoice_section.output).properties.displayName
+}
+output "billing_account_id" {
+ value = var.settings.billing_account_id
+}
+output "billing_profile_id" {
+ value = var.settings.billing_profile_id
+}
diff --git a/modules/billing/invoice_sections/variables.tf b/modules/billing/invoice_sections/variables.tf
new file mode 100644
index 0000000000..e3f1e1db50
--- /dev/null
+++ b/modules/billing/invoice_sections/variables.tf
@@ -0,0 +1,13 @@
+variable "global_settings" {
+ description = "Global settings object (see module README.md)"
+}
+variable "client_config" {
+ description = "Client configuration object (see module README.md)."
+}
+
+variable "settings" {}
+
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
+}
\ No newline at end of file
diff --git a/modules/subscriptions/subscriptions.tf b/modules/subscriptions/subscriptions.tf
index 433fc473e8..7c4d6b1592 100644
--- a/modules/subscriptions/subscriptions.tf
+++ b/modules/subscriptions/subscriptions.tf
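Review bot: The module's `main.tf` declares `azurecaf` as a required provider, but nothing in `module.tf` uses `azurecaf_name`; the resource is named straight from `var.settings.name`, so either the provider entry should be dropped or the name should go through the naming convention like the other modules. `labels` and `tags` fall back to `null`, which `jsonencode` serialises as explicit JSON nulls in the request body; whether the Billing API accepts that is not visible here, so omitting absent keys instead of sending nulls would be safer — worth confirming. `parent_id` is assembled with `format()` from `billing_account_id` and `billing_profile_id` with no validation and no `description` on `var.settings`, so a malformed value silently changes the target path rather than failing early; a short description of the expected shape, or a `validation` block, would help operators.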
@@ -6,7 +6,7 @@ data "azurerm_billing_enrollment_account_scope" "sub" { } data "azurerm_billing_mca_account_scope" "sub" { - count = try(var.settings.subscription_id, null) == null && var.subscription_key != "logged_in_subscription" && try(var.settings.billing_profile_name, null) != null ? 1 : 0 + count = !can(var.settings.subscription_id) && var.subscription_key != "logged_in_subscription" && can(var.settings.billing_profile_name) && !can(var.settings.invoice_section_key) ? 1 : 0 billing_account_name = var.settings.billing_account_name billing_profile_name = var.settings.billing_profile_name @@ -19,9 +19,10 @@ resource "azurerm_subscription" "sub" { alias = try(var.settings.alias, null) == null ? var.subscription_key : var.settings.alias subscription_name = var.settings.name subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null - billing_scope_id = try(var.settings.billing_scope_id, null) == null ? try(data.azurerm_billing_enrollment_account_scope.sub.0.id, data.azurerm_billing_mca_account_scope.sub.0.id, null) : var.settings.billing_scope_id - workload = try(var.settings.workload, null) - tags = try(var.tags, null) + billing_scope_id = can(local.billing_scope_id) ? local.billing_scope_id : try(data.azurerm_billing_enrollment_account_scope.sub.0.id, data.azurerm_billing_mca_account_scope.sub.0.id, null) + + workload = try(var.settings.workload, null) + tags = try(var.tags, null) lifecycle { ignore_changes = [ 
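Review bot: `!can(var.settings.subscription_id)` is not equivalent to the old `try(var.settings.subscription_id, null) == null` — `can()` is true for an attribute that is present but set to `null`, so an entry with `subscription_id = null` now skips the MCA scope lookup while the `azurerm_subscription` resource below still treats it as a new subscription and ends up without a billing scope. The same applies to `can(var.settings.billing_profile_name)`. Keeping the null-aware form, `try(var.settings.subscription_id, null) == null`, preserves the previous behaviour.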
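Review bot: `can(local.billing_scope_id) ? local.billing_scope_id : try(...)` has a dead fallback — `local.billing_scope_id` is defined with an outer `try(..., null)` in the next hunk, so `can()` on it is always true and the `try(data...)` branch is never evaluated (it also duplicates `local.billing_scope_by_name`). `billing_scope_id = local.billing_scope_id` says the same thing without the misleading conditional. The resource block continues past the hunk.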
@@ -29,6 +30,11 @@ resource "azurerm_subscription" "sub" { ] } } +locals { + billing_scope_by_name = try(data.azurerm_billing_enrollment_account_scope.sub.0.id, data.azurerm_billing_mca_account_scope.sub.0.id, null) + billing_scope_by_key = try((can(var.billing_scope_id) ? var.billing_scope_id : null), (can(var.settings.billing_scope_id) ? var.settings.billing_scope_id : null), null) + billing_scope_id = try(coalesce(local.billing_scope_by_name, local.billing_scope_by_key), null) +} resource "null_resource" "refresh_access_token" { diff --git a/modules/subscriptions/variables.tf b/modules/subscriptions/variables.tf index c8b3fb97fe..1cfadf5e64 100644 --- a/modules/subscriptions/variables.tf +++ b/modules/subscriptions/variables.tf @@ -10,7 +10,9 @@ variable "client_config" {} variable "global_settings" { description = "Global settings object (see module README.md)" } - +variable "billing_scope_id" { + default = {} +} # For diagnostics settings variable "diagnostics" { default = {} diff --git a/subscriptions.tf b/subscriptions.tf index fd8bc0abbc..4d9dda29bf 100644 --- a/subscriptions.tf +++ b/subscriptions.tf @@ -7,11 +7,14 @@ module "subscriptions" { global_settings = local.global_settings subscription_key = each.key settings = each.value + # billing_scope_id can also be set by tfvars (var.settings). This is only the way to inject billing_scope_id by key + billing_scope_id = can(each.value.invoice_section_key) ? local.combined_objects_invoice_sections[try(each.value.invoice_section_lz_key, local.client_config.landingzone_key)][each.value.invoice_section_key].id : null client_config = local.client_config diagnostics = local.combined_diagnostics tags = merge(var.tags, lookup(each.value, "tags", {})) } + module "subscription_billing_role_assignments" { source = "./modules/subscription_billing_role_assignment" for_each = var.subscription_billing_role_assignments 
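Review bot: `coalesce(local.billing_scope_by_name, local.billing_scope_by_key)` gives the data-source-derived scope precedence over an explicitly configured `billing_scope_id`, which inverts the previous behaviour (the removed line used `var.settings.billing_scope_id` whenever it was set). If both a name-based lookup and an explicit id are present, the subscription is now placed under the looked-up scope instead of the configured one; if the explicit value is meant to win, swap the arguments to `coalesce(local.billing_scope_by_key, local.billing_scope_by_name)`. The `can(var.billing_scope_id)` and `can(var.settings.billing_scope_id)` guards also do not detect explicit nulls, and the first is always true for a declared variable, so `billing_scope_by_key` can be reduced to `try(var.billing_scope_id, var.settings.billing_scope_id, null)`. The enrollment-account data source's condition is outside this hunk, so the both-present case is inferred.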
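Review bot: `variable "billing_scope_id" { default = {} }` declares an object default for a value that is consumed as a string (the root passes a resource id or `null`), so a caller relying on the default feeds `{}` into `coalesce()` and only the surrounding `try()` keeps that from erroring. Declaring it as `type = string` with `default = null` and a one-line `description` makes the contract explicit and lets Terraform reject wrong types at plan time.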
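Review bot: The comment above the new `billing_scope_id` argument reads awkwardly ("This is only the way to inject billing_scope_id by key"); suggested wording: `# billing_scope_id may also come from tfvars (var.settings.billing_scope_id); passing it here is the only way to resolve it from an invoice_section_key`. The module block starts before this hunk.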
@@ -31,3 +34,4 @@ module "subscription_billing_role_assignments" { output "subscriptions" { value = module.subscriptions } + diff --git a/variables.tf b/variables.tf index 8bc92383b8..f6206c5d81 100644 --- a/variables.tf +++ b/variables.tf @@ -440,4 +440,7 @@ variable "powerbi_embedded" { } variable "cost_anomaly_alert" { default = {} -} \ No newline at end of file +} +variable "invoice_sections" { + default = {} +} From 92cf52c35a3714ee6f7ccc121605c5974628f194 Mon Sep 17 00:00:00 2001 From: Nick Metz Date: Wed, 26 Jun 2024 10:31:53 +0200 Subject: [PATCH 099/244] feat(private-dns-outputs): Add outputs for all type of private zone records --- modules/networking/private-dns/output.tf | 31 +++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/modules/networking/private-dns/output.tf b/modules/networking/private-dns/output.tf index f77ac5d4b3..46bcce2667 100644 --- a/modules/networking/private-dns/output.tf +++ b/modules/networking/private-dns/output.tf @@ -1,18 +1,43 @@ output "id" { value = azurerm_private_dns_zone.private_dns.id - } output "name" { value = azurerm_private_dns_zone.private_dns.name - } output "resource_group_name" { value = local.resource_group_name - } output "base_tags" { value = local.tags +} + +output "a" { + value = azurerm_private_dns_a_record.a_records +} + +output "aaaa" { + value = azurerm_private_dns_aaaa_record.aaaa_records +} + +output "cname" { + value = azurerm_private_dns_cname_record.cname_records +} + +output "mx" { + value = azurerm_private_dns_mx_record.mx_records +} + +output "ptr" { + value = azurerm_private_dns_ptr_record.ptr_records +} + +output "srv" { + value = azurerm_private_dns_srv_record.srv_records +} + +output "txt" { + value = azurerm_private_dns_txt_record.txt_records } \ No newline at end of file From ab3b6c7650e4511185bae5f6eda918d6f0c36d36 Mon Sep 17 00:00:00 2001 
From: Joseph Hangali <134838289+JoDexsph@users.noreply.github.com> Date: Mon, 1 Jul 2024 04:43:29 +0300 Subject: [PATCH 100/244] Feat: Enhancement cognitive services (#2019) * Add Identity block * Add Identity block * FMT + Outputs * Add Public Network access * Fix Identity Output * Add tags * Revert "Add tags" This reverts commit 8af5155130574465c84e43311944ac2c325344d0. * Revert "Revert "Add tags"" This reverts commit 6a0f3fb356665c36ff31b7629550b86e07841652. modified: cognitive_service.tf modified: modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf modified: modules/cognitive_services/cognitive_services_account/main.tf modified: modules/cognitive_services/cognitive_services_account/variables.tf * Add Resource Group ref --- .../standalone-scenarios-additional.json | 1 + cognitive_service.tf | 4 ++ .../configuration.tfvars | 71 +++++++++++++++++++ .../cognitive_service_account.tf | 28 +++++--- .../cognitive_services_account/main.tf | 8 +++ .../cognitive_services_account/output.tf | 9 +++ .../cognitive_services_account/variables.tf | 14 +++- 7 files changed, 123 insertions(+), 12 deletions(-) create mode 100644 examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json index 5c141c24bd..61d601e344 100644 --- a/.github/workflows/standalone-scenarios-additional.json +++ b/.github/workflows/standalone-scenarios-additional.json @@ -1,6 +1,7 @@ { "config_files": [ "cognitive_services/100-cognitive-services-account", + "cognitive_services/101-cognitive-services-account-managed-identity", "compute/batch/batch_certificate/100-batch-certificate - path", "compute/batch/batch_job/100-batch-job - quotas", "compute/batch/batch_pool/100-batch-pool - quotas", diff --git a/cognitive_service.tf b/cognitive_service.tf index 04659f9f28..1eebac5c8c 100644 --- a/cognitive_service.tf 
+++ b/cognitive_service.tf @@ -4,9 +4,13 @@ module "cognitive_services_account" { client_config = local.client_config global_settings = local.global_settings + base_tags = local.global_settings.inherit_tags + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] settings = each.value + + managed_identities = local.combined_objects_managed_identities } output "cognitive_services_account" { diff --git a/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars new file mode 100644 index 0000000000..79f8ab921a --- /dev/null +++ b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars 
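Review bot: The new `resource_group` line resolves the key as `try(each.value.resource_group_key, each.value.resource_group.key)` while the `resource_group_name` and `location` lines immediately below use the opposite precedence, `try(each.value.resource_group.key, each.value.resource_group_key)`; an entry that sets both would inherit tags from one group and deploy into another. Use the same order on all three lines. `base_tags = local.global_settings.inherit_tags` is also unguarded against a `global_settings` without `inherit_tags` while feeding a `type = bool` variable with no default; `base_tags = try(local.global_settings.inherit_tags, false)` matches how the rest of the root handles it. The module block starts before this hunk.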
@@ -0,0 +1,71 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "westus" + } + random_length = 5 +} + +resource_groups = { + test-rg = { + name = "rg-cognitive-test" + } +} + +managed_identities = { + cognitive_msi = { + name = "cognitive-msi" + resource_group_key = "test-rg" + } +} + +cognitive_services_account = { + test_account-1 = { + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + name = "cs-test-1" + kind = "OpenAI" + sku_name = "S0" + public_network_access_enabled = true + + identity = { + type = "SystemAssigned, UserAssigned" // Can be "SystemAssigned, UserAssigned" or "SystemAssigned" or "UserAssigned" + key = "cognitive_msi" // A must with "SystemAssigned, UserAssigned" and "UserAssigned" + } + + tags = { + env = "test" + } + # custom_subdomain_name = "cs-test-1" + # network_acls = { + # default_action = "Allow" + # ip_rules = ["10.10.10.0/16"] + # } + } + test_account-2 = { + resource_group = { + # accepts either id or key to get resource group id + # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1" + # lz_key = "examples" + key = "test-rg" + } + name = "cs-test-2" + kind = "QnAMaker" + sku_name = "F0" + + identity = { + type = "SystemAssigned" + } + + tags = { + env = "test" + } + qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net" + + } +} + diff --git a/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf index c61ddf1707..2f3a24ff40 100644 --- a/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf +++ b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf 
@@ -9,13 +9,23 @@ resource "azurecaf_name" "service" { } resource "azurerm_cognitive_account" "service" { - name = azurecaf_name.service.result - location = var.location - resource_group_name = var.resource_group_name - kind = var.settings.kind - sku_name = var.settings.sku_name - - qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) + name = azurecaf_name.service.result + location = var.location + resource_group_name = var.resource_group_name + kind = var.settings.kind + sku_name = var.settings.sku_name + public_network_access_enabled = try(var.settings.public_network_access_enabled, true) + custom_subdomain_name = try(var.settings.custom_subdomain_name, null) + tags = merge(local.tags, try(var.settings.tags, null)) + qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) + + dynamic "identity" { + for_each = lookup(var.settings, "identity", {}) != {} ? [1] : [] + content { + type = lookup(var.settings.identity, "type", null) + identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null + } + } dynamic "network_acls" { for_each = can(var.settings.network_acls) ? [var.settings.network_acls] : [] @@ -42,8 +52,4 @@ resource "azurerm_cognitive_account" "service" { } } } - - custom_subdomain_name = try(var.settings.custom_subdomain_name, null) - - tags = try(var.settings.tags, {}) } \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/main.tf b/modules/cognitive_services/cognitive_services_account/main.tf index b34ed51903..b58d11de39 100644 --- a/modules/cognitive_services/cognitive_services_account/main.tf +++ b/modules/cognitive_services/cognitive_services_account/main.tf 
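Review bot: `tags = merge(local.tags, try(var.settings.tags, null))` re-merges `var.settings.tags` even though `local.tags` introduced in this commit's `main.tf` already includes it, so the line can simply be `tags = local.tags`. The `identity` block is gated with `lookup(var.settings, "identity", {}) != {}` whereas `network_acls` in the same resource uses `can(var.settings.network_acls)`; the `can()` form is the established pattern here and avoids comparing object values of differing types. `public_network_access_enabled = try(var.settings.public_network_access_enabled, true)` appears to mirror the provider default, but it deserves a comment so operators know the account stays reachable from any network unless `network_acls` restricts it: `# defaults to public; set false or restrict via network_acls for private-endpoint-only accounts`. The resource block continues past the hunk.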
@@ -4,4 +4,12 @@ terraform { source = "aztfmod/azurecaf" } } +} + +locals { + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.resource_group.tags, null), + try(var.settings.tags, null) + ) : try(var.settings.tags, null) } \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/output.tf b/modules/cognitive_services/cognitive_services_account/output.tf index fd2a6239a4..4e37bd9072 100644 --- a/modules/cognitive_services/cognitive_services_account/output.tf +++ b/modules/cognitive_services/cognitive_services_account/output.tf @@ -6,4 +6,13 @@ output "id" { output "endpoint" { description = "The endpoint used to connect to the Cognitive Service Account." value = azurerm_cognitive_account.service.endpoint +} + +output "rbac_id" { + description = "The Principal ID of the Cognetive Services for Role Mapping" + value = try(azurerm_cognitive_account.service.identity[0].principal_id, null) +} + +output "identity" { + value = try(azurerm_cognitive_account.service.identity, null) } \ No newline at end of file diff --git a/modules/cognitive_services/cognitive_services_account/variables.tf b/modules/cognitive_services/cognitive_services_account/variables.tf index 6a1d64e03b..5c70771326 100644 --- a/modules/cognitive_services/cognitive_services_account/variables.tf +++ b/modules/cognitive_services/cognitive_services_account/variables.tf @@ -9,10 +9,22 @@ variable "location" { type = string } +variable "resource_group" { + description = "Resource group object to deploy the resource" +} + variable "resource_group_name" { - description = "Name of the existing resource group to deploy the virtual machine" + description = "Name of the existing resource group to deploy the resource" type = string } variable "settings" {} +variable "managed_identities" { + default = {} +} + +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} \ No newline at end of file 
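Review bot: The `rbac_id` description in `output.tf` misspells the service ("Cognetive") and the new `identity` output has no description while its siblings do. Suggested text: `description = "The Principal ID of the Cognitive Services account identity, for role assignments."` for `rbac_id` and `description = "The identity block of the Cognitive Services account (system and/or user assigned)."` for `identity`.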
From f26b3ff2deea3206d7ba823d59f0827cf034c5c9 Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Mon, 1 Jul 2024 04:10:34 +0200 Subject: [PATCH 101/244] Upstream/fix storage account access tier (#1999) * fix(examples): fix permissions and key_opts * fix(storage_account): access_tier only for specific kinds --------- Co-authored-by: Simon Schneider --- .../configuration.tfvars | 30 ++++++++++++++++++- .../keyvaults.tfvars | 12 ++++---- modules/storage_account/storage_account.tf | 2 +- 3 files changed, 36 insertions(+), 8 deletions(-) diff --git a/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars b/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars index 385a92463c..031178e512 100644 --- a/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars +++ b/examples/storage_accounts/100-simple-storage-account-blob-container/configuration.tfvars @@ -45,6 +45,34 @@ storage_accounts = { } } + enable_system_msi = true + customer_managed_key = { + keyvault_key = "stg_byok" + + # Reference to the var.keyvault_keys + keyvault_key_key = "byok" + } + } + sa2 = { + name = "sa2dev" + resource_group_key = "test" + # Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2 + account_kind = "BlockBlobStorage" + # Account Tier options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. + account_tier = "Premium" + # Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS + account_replication_type = "ZRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy + tags = { + environment = "dev" + team = "IT" + ## + } + containers = { + dev = { + name = "random" + } + } + enable_system_msi = true customer_managed_key = { keyvault_key = "stg_byok" @@ -79,4 +107,4 @@ diagnostic_storage_accounts = { keyvault_key_key = "diabyok" } } -} \ No newline at end of file +} 
diff --git a/examples/storage_accounts/100-simple-storage-account-blob-container/keyvaults.tfvars b/examples/storage_accounts/100-simple-storage-account-blob-container/keyvaults.tfvars index 6840a0a559..0b81d66e32 100644 --- a/examples/storage_accounts/100-simple-storage-account-blob-container/keyvaults.tfvars +++ b/examples/storage_accounts/100-simple-storage-account-blob-container/keyvaults.tfvars @@ -13,16 +13,16 @@ keyvault_access_policies = { stg_byok = { stg = { storage_account_key = "sa1" - key_permissions = ["get", "create", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "Encrypt", "Decrypt", "Sign", "Verify"] + key_permissions = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"] secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } diastg = { diagnostic_storage_account_key = "dsa1" - key_permissions = ["get", "create", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "Encrypt", "Decrypt", "Sign", "Verify"] + key_permissions = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"] secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } logged_in_user = { - key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "Encrypt", "Decrypt", "Sign", "Verify"] + key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"] secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } } 
@@ -34,13 +34,13 @@ keyvault_keys = { keyvault_key = "stg_byok" key_type = "RSA" key_size = 2048 - key_opts = ["Decrypt", "Encrypt", "Sign", "UnwrapKey", "Verify", "WrapKey"] + key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"] } diabyok = { name = "diagnosticstorage" keyvault_key = "stg_byok" key_type = "RSA" key_size = 2048 - key_opts = ["Decrypt", "Encrypt", "Sign", "UnwrapKey", "Verify", "WrapKey"] + key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"] } -} \ No newline at end of file +} diff --git a/modules/storage_account/storage_account.tf b/modules/storage_account/storage_account.tf index c8e73baa30..17701d7039 100644 --- a/modules/storage_account/storage_account.tf +++ b/modules/storage_account/storage_account.tf @@ -22,7 +22,7 @@ resource "azurerm_storage_account" "stg" { account_tier = try(var.storage_account.account_tier, "Standard") account_replication_type = try(var.storage_account.account_replication_type, "LRS") account_kind = try(var.storage_account.account_kind, "StorageV2") - access_tier = try(var.storage_account.access_tier, "Hot") + access_tier = contains(["BlobStorage", "FileStorage", "StorageV2"], try(var.storage_account.account_kind, "StorageV2")) ? try(var.storage_account.access_tier, "Hot") : null allow_nested_items_to_be_public = try(var.storage_account.allow_nested_items_to_be_public, var.storage_account.allow_blob_public_access, false) cross_tenant_replication_enabled = try(var.storage_account.cross_tenant_replication_enabled, null) edge_zone = try(var.storage_account.edge_zone, null) From 36863f03604f46ce933e058d936b370b31db4166 Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Mon, 1 Jul 2024 09:49:43 +0000 Subject: [PATCH 102/244] feat(azuread_application): random id for oauth2_permission_scope --- .../configuration.tfvars | 7 +++++++ modules/azuread/applications_v1/azuread_application.tf | 9 ++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) 
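Review bot: `try(var.storage_account.account_kind, "StorageV2")` now appears twice in the resource — on the `account_kind` line above and inside the new `contains()` — so the default kind is maintained in two places. Hoisting it into a local, `account_kind = try(var.storage_account.account_kind, "StorageV2")`, and referencing `local.account_kind` on both lines keeps them in sync. The resource block continues past the hunk.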
diff --git a/examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars b/examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars index 60ddaeb879..be32857be7 100644 --- a/examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars +++ b/examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars @@ -51,6 +51,13 @@ azuread_applications = { id = "d4c3605a-b327-35c5-f04d-77f7fcdd4995" type = "Admin" value = "app" + }, + { + admin_consent_description = "Allow to administer app2." + admin_consent_display_name = "Administer app2" + enabled = true + type = "Admin" + value = "app2" } ] } diff --git a/modules/azuread/applications_v1/azuread_application.tf b/modules/azuread/applications_v1/azuread_application.tf index 900ea16d26..db440f8153 100644 --- a/modules/azuread/applications_v1/azuread_application.tf +++ b/modules/azuread/applications_v1/azuread_application.tf @@ -36,7 +36,7 @@ resource "azuread_application" "app" { content { admin_consent_description = oauth2_permission_scope.value.admin_consent_description admin_consent_display_name = oauth2_permission_scope.value.admin_consent_display_name - id = oauth2_permission_scope.value.id + id = try(oauth2_permission_scope.value.id, random_uuid.oauth2_permission_scopes[oauth2_permission_scope.key].id) enabled = try(oauth2_permission_scope.value.enabled, null) type = try(oauth2_permission_scope.value.type, null) user_consent_description = try(oauth2_permission_scope.value.user_consent_description, null) @@ -131,3 +131,10 @@ resource "random_uuid" "app_role_id" { if try(value.id, null) == null } } + +resource "random_uuid" "oauth2_permission_scopes" { + for_each = { + for key, value in try(var.settings.api.oauth2_permission_scopes, {}) : key => value + if try(value.id, null) == null + } +} From 8d9b8d338508387affbbc3e2170c2fe115eb1135 Mon Sep 17 00:00:00 2001 
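Review bot: The new `random_uuid.oauth2_permission_scopes` resource mirrors the existing `random_uuid.app_role_id` but with a different naming shape (plural noun versus singular `_id`); `random_uuid.oauth2_permission_scope_id` keeps the two generators readable side by side. In the first hunk, `try(oauth2_permission_scope.value.id, random_uuid...)` and the generator filter `try(value.id, null) == null` disagree for a scope that sets `id = null` explicitly: the filter creates a UUID but `try()` returns the null and the scope gets no id. Using `try(oauth2_permission_scope.value.id, null) != null ? oauth2_permission_scope.value.id : random_uuid.oauth2_permission_scopes[oauth2_permission_scope.key].id` closes that gap. Note the generated id is kept in state, so it is stable across applies but a new one is issued if the scope's map key is renamed, which changes the scope identifier consumers reference.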
From: Simon Schneider Date: Fri, 5 Jul 2024 07:25:42 +0000 Subject: [PATCH 103/244] fix(combined_objects): replace try() with lookup() try() tends to introduce inconsistencies when building the resource graph, leading to replacements of resources due to changes in reference maps ( e.g. https://github.com/aztfmod/terraform-azurerm-caf/issues/965 ). This is covering a edge case, when referencing remote_objects from within the same terraform run --- locals.combined_objects.tf | 364 ++++++++++++++++++------------------- 1 file changed, 182 insertions(+), 182 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 8505d87082..49e3609a5b 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -1,187 +1,187 @@
 locals {
   # CAF landing zones can retrieve remote objects from a different landing zone and the
   # combined_objects will merge it with the local objects
-  combined_objects_aadb2c_directory = merge(tomap({ (local.client_config.landingzone_key) = module.aadb2c_directory }), try(var.remote_objects.aadb2c_directory, {}))
-  combined_objects_aks_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.aks_clusters }), try(var.remote_objects.aks_clusters, {}), try(var.data_sources.aks_clusters, {}))
-  combined_objects_api_management = merge(tomap({ (local.client_config.landingzone_key) = module.api_management }), try(var.remote_objects.api_management, {}), try(var.data_sources.api_management, {}))
-  combined_objects_api_management_api = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_api }), try(var.remote_objects.api_management_api, {}), try(var.data_sources.api_management_api, {}))
-  combined_objects_api_management_api_operation = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_api_operation }), try(var.remote_objects.api_management_api_operation, {}))
-  combined_objects_api_management_gateway = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_gateway }), try(var.remote_objects.api_management_gateway, {}), try(var.data_sources.api_management_gateway, {}))
-  combined_objects_api_management_logger = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_logger }), try(var.remote_objects.api_management_logger, {}))
-  combined_objects_api_management_product = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_product }), try(var.remote_objects.api_management_product, {}))
-  combined_objects_app_config = merge(tomap({ (local.client_config.landingzone_key) = module.app_config }), try(var.remote_objects.app_config, {}), try(var.data_sources.app_config, {}))
-  combined_objects_app_service_environments = merge(tomap({ (local.client_config.landingzone_key) = module.app_service_environments }), try(var.remote_objects.app_service_environments, {}), try(var.data_sources.app_service_environments, {}))
+  combined_objects_aadb2c_directory = merge(tomap({ (local.client_config.landingzone_key) = module.aadb2c_directory }), lookup(var.remote_objects, "aadb2c_directory", {}))
+  combined_objects_aks_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.aks_clusters }), lookup(var.remote_objects, "aks_clusters", {}), lookup(var.data_sources, "aks_clusters", {}))
+  combined_objects_api_management = merge(tomap({ (local.client_config.landingzone_key) = module.api_management }), lookup(var.remote_objects, "api_management", {}), lookup(var.data_sources, "api_management", {}))
+  combined_objects_api_management_api = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_api }), lookup(var.remote_objects, "api_management_api", {}), lookup(var.data_sources, "api_management_api", {}))
+  combined_objects_api_management_api_operation = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_api_operation }), lookup(var.remote_objects, "api_management_api_operation", {}))
+  combined_objects_api_management_gateway = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_gateway }), lookup(var.remote_objects, "api_management_gateway", {}), lookup(var.data_sources, "api_management_gateway", {}))
+  combined_objects_api_management_logger = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_logger }), lookup(var.remote_objects, "api_management_logger", {}))
+  combined_objects_api_management_product = merge(tomap({ (local.client_config.landingzone_key) = module.api_management_product }), lookup(var.remote_objects, "api_management_product", {}))
+  combined_objects_app_config = merge(tomap({ (local.client_config.landingzone_key) = module.app_config }), lookup(var.remote_objects, "app_config", {}), lookup(var.data_sources, "app_config", {}))
+  combined_objects_app_service_environments = merge(tomap({ (local.client_config.landingzone_key) = module.app_service_environments }), lookup(var.remote_objects, "app_service_environments", {}), lookup(var.data_sources, "app_service_environments", {}))
   combined_objects_app_service_environments_all = merge(local.combined_objects_app_service_environments, local.combined_objects_app_service_environments_v3)
-  combined_objects_app_service_environments_v3 = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_environments_v3, try(var.data_sources.app_service_environments_v3, {})) }), try(var.remote_objects.app_service_environments_v3, {}))
-  combined_objects_app_service_plans = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_plans, try(var.data_sources.app_service_plans, {})) }), try(var.remote_objects.app_service_plans, {}))
-  combined_objects_app_services = merge(tomap({ (local.client_config.landingzone_key) = module.app_services }), try(var.remote_objects.app_services, {}), try(var.data_sources.app_services, {}))
-  combined_objects_application_gateway_platforms = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_platforms }), try(var.remote_objects.application_gateway_platforms, {}))
-  combined_objects_application_gateway_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_waf_policies }), try(var.remote_objects.application_gateway_waf_policies, {}))
-  combined_objects_application_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateways }), try(var.remote_objects.application_gateways, {}), try(var.data_sources.application_gateways, {}))
-  combined_objects_application_insights = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights }), try(var.remote_objects.azurerm_application_insights, {}), try(var.data_sources.azurerm_application_insights, {}))
-  combined_objects_application_insights_standard_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_standard_web_test }), try(var.remote_objects.azurerm_application_insights_standard_web_test, {}))
-  combined_objects_application_insights_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_web_test }), try(var.remote_objects.azurerm_application_insights_web_test, {}))
-  combined_objects_application_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.application_security_groups }), try(var.remote_objects.application_security_groups, {}))
-  combined_objects_automations = merge(tomap({ (local.client_config.landingzone_key) = module.automations }), try(var.remote_objects.automations, {}))
-  combined_objects_availability_sets = merge(tomap({ (local.client_config.landingzone_key) = module.availability_sets }), try(var.remote_objects.availability_sets, {}))
-  combined_objects_azure_container_registries = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {}))
-  combined_objects_azuread_administrative_units = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_administrative_unit }), try(var.remote_objects.administrative_units, {}))
-  combined_objects_azuread_applications = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications_v1 }), try(var.remote_objects.azuread_applications, {}))
-  combined_objects_azuread_apps = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications }), try(var.remote_objects.azuread_apps, {}))
-  combined_objects_azuread_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(module.azuread_groups, try(var.data_sources.azuread_groups, {})) }), try(var.remote_objects.azuread_groups, {}))
-  combined_objects_azuread_service_principal_passwords = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principal_passwords }), try(var.remote_objects.azuread_service_principal_passwords, {}))
-  combined_objects_azuread_service_principals = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principals }), try(var.remote_objects.azuread_service_principals, {}), try(var.data_sources.azuread_service_principals, {}))
-  combined_objects_azuread_users = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_users }), try(var.remote_objects.azuread_users, {}), try(var.data_sources.azuread_users, {}))
-  combined_objects_azurerm_firewall_policies = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewall_policies }), try(var.remote_objects.azurerm_firewall_policies, {}), try(var.data_sources.azurerm_firewall_policies, {}))
-  combined_objects_azurerm_firewalls = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewalls }), try(var.remote_objects.azurerm_firewalls, {}), try(var.data_sources.azurerm_firewalls, {}))
-  combined_objects_backup_vault_instances = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_instances }), try(var.remote_objects.backup_vault_instances, {}))
-  combined_objects_backup_vault_policies = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_policies }), try(var.remote_objects.backup_vault_policies, {}))
-  combined_objects_backup_vaults = merge(tomap({ (local.client_config.landingzone_key) = module.backup_vaults }), try(var.remote_objects.backup_vaults, {}))
-  combined_objects_batch_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.batch_accounts }), try(var.remote_objects.batch_accounts, {}))
-  combined_objects_batch_applications = merge(tomap({ (local.client_config.landingzone_key) = module.batch_applications }), try(var.remote_objects.batch_applications, {}))
-  combined_objects_batch_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.batch_certificates }), try(var.remote_objects.batch_certificates, {}))
-  combined_objects_batch_jobs = merge(tomap({ (local.client_config.landingzone_key) = module.batch_jobs }), try(var.remote_objects.batch_jobs, {}))
-  combined_objects_batch_pools = merge(tomap({ (local.client_config.landingzone_key) = module.batch_pools }), try(var.remote_objects.batch_pools, {}))
-  combined_objects_cdn_profile = merge(tomap({ (local.client_config.landingzone_key) = module.cdn_profile }), try(var.remote_objects.cdn_profile, {}), try(var.data_sources.cdn_profile, {}))
-  combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), try(var.remote_objects.cognitive_services_account, {}), try(var.data_sources.cognitive_services_account, {}))
-  combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), try(var.remote_objects.consumption_budgets_resource_groups, {}), try(var.data_sources.consumption_budgets_resource_groups, {}))
-  combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), try(var.remote_objects.consumption_budgets_subscriptions, {}), try(var.data_sources.consumption_budgets_subscriptions, {}))
-  combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {}), try(var.data_sources.container_registry, {}))
-  combined_objects_container_app_environments = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environments }), try(var.remote_objects.container_app_environments, {}))
-  combined_objects_container_app_environment_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_certificates }), try(var.remote_objects.container_app_environment_certificates, {}))
-  combined_objects_container_app_environment_storages = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_storages }), try(var.remote_objects.container_app_environment_storages, {}))
-  combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = module.cosmos_dbs }), try(var.remote_objects.cosmos_dbs, {}), try(var.data_sources.cosmos_dbs, {}))
-  combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), try(var.remote_objects.cosmosdb_sql_databases, {}))
-  combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = merge(module.data_factory, try(var.data_sources.data_factory, {})) }), try(var.remote_objects.data_factory, {}))
-  combined_objects_data_factory_integration_runtime_azure_ssis = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_azure_ssis }), try(var.remote_objects.combined_objects_data_factory_integration_runtime_azure_ssis, {}))
-  combined_objects_data_factory_integration_runtime_self_hosted = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_self_hosted }), try(var.remote_objects.data_factory_integration_runtime_self_hosted, {}))
-  combined_objects_data_factory_linked_service_azure_blob_storage = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_azure_blob_storage }), try(var.remote_objects.data_factory_linked_service_azure_blob_storage, {}))
-  combined_objects_data_factory_linked_service_cosmosdb = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_cosmosdb }), try(var.remote_objects.data_factory_linked_service_cosmosdb, {}))
-  combined_objects_data_factory_linked_service_mysql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_mysql }), try(var.remote_objects.data_factory_linked_service_mysql, {}))
-  combined_objects_data_factory_linked_service_postgresql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_postgresql }), try(var.remote_objects.data_factory_linked_service_postgresql, {}))
-  combined_objects_data_factory_linked_service_sql_server = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_sql_server }), try(var.remote_objects.data_factory_linked_service_sql_server, {}))
-  combined_objects_data_factory_linked_service_web = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_web }), try(var.remote_objects.data_factory_linked_service_web, {}))
-  combined_objects_data_factory_pipeline = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_pipeline }), try(var.remote_objects.data_factory_pipeline, {}))
-  combined_objects_database_migration_services = merge(tomap({ (local.client_config.landingzone_key) = module.database_migration_services }), try(var.remote_objects.database_migration_services, {}))
-  combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), try(var.remote_objects.databricks_workspaces, {}), try(var.data_sources.databricks_workspaces, {}))
-  combined_objects_databricks_access_connectors = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_access_connectors }), try(var.remote_objects.databricks_access_connectors, {}), try(var.data_sources.databricks_access_connectors, {}))
-  combined_objects_ddos_services = merge(tomap({ (local.client_config.landingzone_key) = azurerm_network_ddos_protection_plan.ddos_protection_plan }), try(var.remote_objects.ddos_services, {}), try(var.remote_objects.ddos_services, {}))
-  combined_objects_dedicated_host_groups = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_host_groups }), try(var.remote_objects.dedicated_host_groups, {}), try(var.data_sources.dedicated_host_groups, {}))
-  combined_objects_dedicated_hosts = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_hosts }), try(var.remote_objects.dedicated_hosts, {}), try(var.data_sources.dedicated_hosts, {}))
-  combined_objects_diagnostic_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.diagnostic_storage_accounts }), try(var.remote_objects.diagnostic_storage_accounts, {}))
-  combined_objects_digital_twins_instances = merge(tomap({ (local.client_config.landingzone_key) = module.digital_twins_instances }), try(var.remote_objects.digital_twins_instances, {}))
-  combined_objects_disk_encryption_sets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.disk_encryption_sets, module.disk_encryption_sets_external) }), try(var.remote_objects.disk_encryption_sets, {}), try(var.remote_objects.disk_encryption_sets_external, {}), try(var.data_sources.disk_encryption_sets, {}))
-  combined_objects_dns_zones = merge(tomap({ (local.client_config.landingzone_key) = module.dns_zones }), try(var.remote_objects.dns_zones, {}), try(var.data_sources.dns_zones, {}))
-  combined_objects_domain_name_registrations = merge(tomap({ (local.client_config.landingzone_key) = module.domain_name_registrations }), try(var.remote_objects.domain_name_registrations, {}))
-  combined_objects_event_hub_auth_rules = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_auth_rules }), try(var.remote_objects.event_hub_auth_rules, {}))
-  combined_objects_event_hub_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_namespaces }), try(var.remote_objects.event_hub_namespaces, {}), try(var.data_sources.event_hub_namespaces, {}))
-  combined_objects_event_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.event_hubs }), try(var.remote_objects.event_hubs, {}))
-  combined_objects_eventgrid_domains = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_domain }), try(var.remote_objects.eventgrid_domain, {}))
-  combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_topic }), try(var.remote_objects.eventgrid_topic, {}))
-  combined_objects_express_route_circuit_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_authorizations }), try(var.remote_objects.express_route_circuit_authorizations, {}))
-  combined_objects_express_route_circuit_peerings = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_peerings }), try(var.remote_objects.express_route_circuit_peerings, {}))
-  combined_objects_express_route_circuits = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuits }), try(var.remote_objects.express_route_circuits, {}), try(var.data_sources.express_route_circuits, {}))
-  combined_objects_front_door = merge(tomap({ (local.client_config.landingzone_key) = module.front_doors }), try(var.remote_objects.front_doors, {}))
-  combined_objects_front_door_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), try(var.remote_objects.front_door_waf_policies, {}))
-  combined_objects_function_apps = merge(tomap({ (local.client_config.landingzone_key) = module.function_apps }), try(var.remote_objects.function_apps, {}))
-  combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), try(var.remote_objects.image_definitions, {}))
-  combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), try(var.remote_objects.integration_service_environment, {}))
-  combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), try(var.remote_objects.iot_central_application, {}))
-  combined_objects_iot_dps_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_certificate }), try(var.remote_objects.iot_dps_certificate, {}))
-  combined_objects_iot_dps_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_shared_access_policy }), try(var.remote_objects.iot_dps_shared_access_policy, {}))
-  combined_objects_iot_hub = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub }), try(var.remote_objects.iot_hub, {}))
-  combined_objects_iot_hub_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_certificate }), try(var.remote_objects.iot_hub_certificate, {}))
-  combined_objects_iot_hub_consumer_groups = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_consumer_groups }), try(var.remote_objects.iot_hub_consumer_groups, {}))
-  combined_objects_iot_hub_dps = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_dps }), try(var.remote_objects.iot_hub_dps, {}))
-  combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), try(var.remote_objects.iot_hub_shared_access_policy, {}))
-  combined_objects_iot_security_device_group = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_device_group }), try(var.remote_objects.iot_security_device_group, {}))
-  combined_objects_iot_security_solution = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_solution }), try(var.remote_objects.iot_security_solution, {}))
-  combined_objects_keyvault_certificate_requests = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificate_requests }), try(var.remote_objects.keyvault_certificate_requests, {}))
-  combined_objects_keyvault_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificates }), try(var.remote_objects.keyvault_certificates, {}), try(var.data_sources.keyvault_certificates, {}))
-  combined_objects_keyvault_keys = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvault_keys, try(var.data_sources.keyvault_keys, {})) }), try(var.remote_objects.keyvault_keys, {}), try(var.data_sources.keyvault_keys, {}))
-  combined_objects_keyvaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvaults, try(var.data_sources.keyvaults, {})) }), try(var.remote_objects.keyvaults, {}))
-  combined_objects_kusto_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_clusters }), try(var.remote_objects.kusto_clusters, {}), try(var.data_sources.kusto_clusters, {}))
-  combined_objects_kusto_databases = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_databases }), try(var.remote_objects.kusto_databases, {}))
-  combined_objects_lb = merge(tomap({ (local.client_config.landingzone_key) = module.lb }), try(var.remote_objects.lb, {}), try(var.data_sources.load_balancers, {}))
-  combined_objects_lb_backend_address_pool = merge(tomap({ (local.client_config.landingzone_key) = module.lb_backend_address_pool }), try(var.remote_objects.lb_backend_address_pool, {}))
-  combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {}))
-  combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {}), try(var.data_sources.load_balancers, {}))
-  combined_objects_load_test = merge(tomap({ (local.client_config.landingzone_key) = module.load_test }), try(var.remote_objects.load_test, {}), try(var.data_sources.load_test, {}))
-  combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {}), try(var.data_sources.log_analytics, {}))
-  combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {}), try(var.data_sources.logic_app_integration_account, {}))
-  combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {}))
-  combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), try(var.remote_objects.logic_app_workflow, {}), try(var.data_sources.logic_app_workflow, {}))
-  combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {}), try(var.data_sources.machine_learning_workspaces, {}))
-  combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), try(var.remote_objects.maintenance_configuration, {}))
-  combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), try(var.remote_objects.maintenance_assignment_virtual_machine, {}))
-  combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {}), try(var.data_sources.managed_identities, {}))
-  combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), try(var.remote_objects.maps_accounts, {}))
-  combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {}), try(var.data_sources.monitor_action_groups, {}))
-  combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {}), try(var.data_sources.mssql_databases, {}))
-  combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_elastic_pools, try(var.data_sources.mssql_elastic_pools, {})) }), try(var.remote_objects.mssql_elastic_pools, {}))
-  combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_databases, module.mssql_managed_databases_v1) }), try(var.remote_objects.mssql_managed_databases, {}), try(var.data_sources.mssql_managed_databases, {}))
-  combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, try(var.data_sources.mssql_managed_instances, {})) }), try(var.remote_objects.mssql_managed_instances, {}), try(var.data_sources.mssql_managed_instances, {}))
-  combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, try(var.data_sources.mssql_managed_instances_secondary, {})) }), try(var.remote_objects.mssql_managed_instances_secondary, {}), try(var.remote_objects.mssql_managed_instances_secondary, {}))
-  combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, try(var.data_sources.mssql_servers, {})) }), try(var.remote_objects.mssql_servers, {}))
-  combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), try(var.remote_objects.mysql_flexible_server, {}))
-  combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {}), try(var.data_sources.mysql_servers, {}))
-  combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), try(var.remote_objects.nat_gateways, {}), try(var.data_sources.nat_gateways, {}))
-  combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), try(var.remote_objects.network_profiles, {}))
-  combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), try(var.remote_objects.network_security_groups, {}), try(var.data_sources.network_security_groups, {}))
-  combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), try(var.remote_objects.network_watchers, {}), try(var.data_sources.network_watchers, {}))
-  combined_objects_networking = merge(tomap({ (local.client_config.landingzone_key) = merge(module.networking, try(var.data_sources.vnets, {})) }), try(var.remote_objects.vnets, {}))
-  combined_objects_postgresql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_flexible_servers }), try(var.remote_objects.postgresql_flexible_servers, {}))
-  combined_objects_postgresql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_servers }), try(var.remote_objects.postgresql_servers, {}), try(var.data_sources.postgresql_servers, {}))
-  combined_objects_private_dns = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns }), try(var.remote_objects.private_dns, {}), try(var.data_sources.private_dns, {}))
-  combined_objects_private_dns_resolver_dns_forwarding_rulesets = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_dns_forwarding_rulesets }), try(var.remote_objects.private_dns_resolver_dns_forwarding_rulesets, {}))
-  combined_objects_private_dns_resolver_inbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_inbound_endpoints }), try(var.remote_objects.private_dns_resolver_inbound_endpoints, {}))
-  combined_objects_private_dns_resolver_outbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_outbound_endpoints }), try(var.remote_objects.private_dns_resolver_outbound_endpoints, {}))
-  combined_objects_private_dns_resolvers = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolvers }), try(var.remote_objects.private_dns_resolvers, {}))
-  combined_objects_private_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_endpoints }), try(var.remote_objects.private_endpoints, {}))
-  combined_objects_proximity_placement_groups = merge(tomap({ (local.client_config.landingzone_key) = module.proximity_placement_groups }), try(var.remote_objects.proximity_placement_groups, {}), try(var.data_sources.proximity_placement_groups, {}))
-  combined_objects_public_ip_addresses = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_addresses }), try(var.remote_objects.public_ip_addresses, {}), try(var.data_sources.public_ip_addresses, {}))
-  combined_objects_public_ip_prefixes = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_prefixes }), try(var.remote_objects.public_ip_prefixes, {}))
-  combined_objects_purview_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.purview_accounts }), try(var.remote_objects.purview_accounts, {}))
-  combined_objects_recovery_vaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.recovery_vaults, try(var.data_sources.recovery_vaults, {})) }), try(var.remote_objects.recovery_vaults, {}))
-  combined_objects_redis_caches = merge(tomap({ (local.client_config.landingzone_key) = module.redis_caches }), try(var.remote_objects.redis_caches, {}), try(var.data_sources.redis_caches, {}))
-  combined_objects_relay_hybrid_connection = merge(tomap({ (local.client_config.landingzone_key) = module.relay_hybrid_connection }), try(var.remote_objects.relay_hybrid_connection, {}))
-  combined_objects_relay_namespace = merge(tomap({ (local.client_config.landingzone_key) = module.relay_namespace }), try(var.remote_objects.relay_namespace, {}))
-  combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(local.resource_groups, try(var.data_sources.resource_groups, {})) }), try(var.remote_objects.resource_groups, {}))
-  combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {}))
-  combined_objects_search_services = merge(tomap({ (local.client_config.landingzone_key) = module.search_service }), try(var.remote_objects.search_services, {}), try(var.data_sources.search_services, {}))
-  combined_objects_sentinel_watchlists = merge(tomap({ (local.client_config.landingzone_key) = module.sentinel_watchlists }), try(var.remote_objects.sentinel_watchlists, {}))
-  combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_namespaces }), try(var.remote_objects.servicebus_namespaces, {}), try(var.data_sources.servicebus_namespaces, {}))
-  combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), try(var.remote_objects.servicebus_queues, {}), try(var.data_sources.servicebus_queues, {}))
-  combined_objects_servicebus_topics = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_topics }), try(var.remote_objects.servicebus_topics, {}), try(var.data_sources.servicebus_topics, {}))
-  combined_objects_signalr_services = merge(tomap({ (local.client_config.landingzone_key) = module.signalr_services }), try(var.remote_objects.signalr_services, {}), try(var.data_sources.signalr_services, {}))
-  combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), try(var.remote_objects.storage_account_file_shares, {}))
-  combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), try(var.remote_objects.storage_account_queues, {}))
-  combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = merge(module.storage_accounts, try(var.data_sources.storage_accounts, {})) }), try(var.remote_objects.storage_accounts, {}))
-  combined_objects_storage_containers = merge(tomap({ (local.client_config.landingzone_key) = module.storage_containers }), try(var.remote_objects.storage_containers, {}), try(var.data_sources.storage_containers, {}))
-  combined_objects_synapse_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.synapse_workspaces }), try(var.remote_objects.synapse_workspaces, {}), try(var.data_sources.synapse_workspaces, {}))
-  combined_objects_traffic_manager_azure_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_azure_endpoint }), try(var.remote_objects.traffic_manager_azure_endpoint, {}))
-  combined_objects_traffic_manager_external_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_external_endpoint }), try(var.remote_objects.traffic_manager_external_endpoint, {}))
-  combined_objects_traffic_manager_nested_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_nested_endpoint }), try(var.remote_objects.traffic_manager_nested_endpoint, {}))
-  combined_objects_traffic_manager_profile = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_profile }), try(var.remote_objects.traffic_manager_profile, {}))
-  combined_objects_virtual_hub_connections = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_connection.vhub_connection }), try(var.remote_objects.vhub_peerings, {}), try(var.remote_objects.virtual_hub_connections, {}))
-  combined_objects_virtual_hub_route_tables = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), try(var.remote_objects.virtual_hub_route_tables, {}))
-  combined_objects_virtual_wans = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_wans, try(var.data_sources.virtual_wans, {})) }), try(var.remote_objects.virtual_wans, {}), try(var.data_sources.virtual_wans, {}))
-  combined_objects_virtual_hubs = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_hubs, try(var.data_sources.virtual_hubs, {})) }), try(var.remote_objects.virtual_hubs, {}), try(var.data_sources.virtual_hubs, {}))
-  combined_objects_virtual_machine_scale_sets = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machine_scale_sets }), try(var.remote_objects.virtual_machine_scale_sets, {}), try(var.data_sources.virtual_machine_scale_sets, {}))
-  combined_objects_virtual_machines = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machines }), try(var.remote_objects.virtual_machines, {}), try(var.data_sources.virtual_machines, {}))
-  combined_objects_virtual_subnets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_subnets, try(var.data_sources.virtual_subnets, {})) }), try(var.remote_objects.virtual_subnets, {}))
-  combined_objects_vmware_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_clusters }), try(var.remote_objects.vmware_clusters, {}))
-  combined_objects_vmware_express_route_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_express_route_authorizations }), try(var.remote_objects.vmware_express_route_authorizations, {}))
-  combined_objects_vmware_private_clouds = merge(tomap({ (local.client_config.landingzone_key) = 
module.vmware_private_clouds }), try(var.remote_objects.vmware_private_clouds, {}), try(var.data_sources.vmware_private_clouds, {})) - combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {})) - combined_objects_vpn_gateway_nat_rules = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_nat_rules }), try(var.remote_objects.vpn_gateway_nat_rules, {})) - combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {})) - combined_objects_web_pubsub_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsub_hubs }), try(var.remote_objects.web_pubsub_hubs, {})) - combined_objects_web_pubsubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsubs }), try(var.remote_objects.web_pubsubs, {})) - combined_objects_wvd_application_groups = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), try(var.remote_objects.wvd_application_groups, {})) - combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), try(var.remote_objects.wvd_applications, {})) - combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {})) - combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {})) + combined_objects_app_service_environments_v3 = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_environments_v3, lookup(var.data_sources, "app_service_environments_v3", {})) }), lookup(var.remote_objects, "app_service_environments_v3", {})) + combined_objects_app_service_plans = merge(tomap({ (local.client_config.landingzone_key) = 
merge(module.app_service_plans, lookup(var.data_sources, "app_service_plans", {})) }), lookup(var.remote_objects, "app_service_plans", {})) + combined_objects_app_services = merge(tomap({ (local.client_config.landingzone_key) = module.app_services }), lookup(var.remote_objects, "app_services", {}), lookup(var.data_sources, "app_services", {})) + combined_objects_application_gateway_platforms = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_platforms }), lookup(var.remote_objects, "application_gateway_platforms", {})) + combined_objects_application_gateway_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_waf_policies }), lookup(var.remote_objects, "application_gateway_waf_policies", {})) + combined_objects_application_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateways }), lookup(var.remote_objects, "application_gateways", {}), lookup(var.data_sources, "application_gateways", {})) + combined_objects_application_insights = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights }), lookup(var.remote_objects, "azurerm_application_insights", {}), lookup(var.data_sources, "azurerm_application_insights", {})) + combined_objects_application_insights_standard_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_standard_web_test }), lookup(var.remote_objects, "azurerm_application_insights_standard_web_test", {})) + combined_objects_application_insights_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_web_test }), lookup(var.remote_objects, "azurerm_application_insights_web_test", {})) + combined_objects_application_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.application_security_groups }), lookup(var.remote_objects, "application_security_groups", {})) + combined_objects_automations = 
merge(tomap({ (local.client_config.landingzone_key) = module.automations }), lookup(var.remote_objects, "automations", {})) + combined_objects_availability_sets = merge(tomap({ (local.client_config.landingzone_key) = module.availability_sets }), lookup(var.remote_objects, "availability_sets", {})) + combined_objects_azure_container_registries = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), lookup(var.remote_objects, "container_registry", {})) + combined_objects_azuread_administrative_units = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_administrative_unit }), lookup(var.remote_objects, "administrative_units", {})) + combined_objects_azuread_applications = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications_v1 }), lookup(var.remote_objects, "azuread_applications", {})) + combined_objects_azuread_apps = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications }), lookup(var.remote_objects, "azuread_apps", {})) + combined_objects_azuread_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(module.azuread_groups, lookup(var.data_sources, "azuread_groups", {})) }), lookup(var.remote_objects, "azuread_groups", {})) + combined_objects_azuread_service_principal_passwords = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principal_passwords }), lookup(var.remote_objects, "azuread_service_principal_passwords", {})) + combined_objects_azuread_service_principals = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principals }), lookup(var.remote_objects, "azuread_service_principals", {}), lookup(var.data_sources, "azuread_service_principals", {})) + combined_objects_azuread_users = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_users }), lookup(var.remote_objects, "azuread_users", {}), lookup(var.data_sources, "azuread_users", {})) + 
combined_objects_azurerm_firewall_policies = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewall_policies }), lookup(var.remote_objects, "azurerm_firewall_policies", {}), lookup(var.data_sources, "azurerm_firewall_policies", {})) + combined_objects_azurerm_firewalls = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewalls }), lookup(var.remote_objects, "azurerm_firewalls", {}), lookup(var.data_sources, "azurerm_firewalls", {})) + combined_objects_backup_vault_instances = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_instances }), lookup(var.remote_objects, "backup_vault_instances", {})) + combined_objects_backup_vault_policies = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_policies }), lookup(var.remote_objects, "backup_vault_policies", {})) + combined_objects_backup_vaults = merge(tomap({ (local.client_config.landingzone_key) = module.backup_vaults }), lookup(var.remote_objects, "backup_vaults", {})) + combined_objects_batch_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.batch_accounts }), lookup(var.remote_objects, "batch_accounts", {})) + combined_objects_batch_applications = merge(tomap({ (local.client_config.landingzone_key) = module.batch_applications }), lookup(var.remote_objects, "batch_applications", {})) + combined_objects_batch_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.batch_certificates }), lookup(var.remote_objects, "batch_certificates", {})) + combined_objects_batch_jobs = merge(tomap({ (local.client_config.landingzone_key) = module.batch_jobs }), lookup(var.remote_objects, "batch_jobs", {})) + combined_objects_batch_pools = merge(tomap({ (local.client_config.landingzone_key) = module.batch_pools }), lookup(var.remote_objects, "batch_pools", {})) + combined_objects_cdn_profile = merge(tomap({ (local.client_config.landingzone_key) = module.cdn_profile }), lookup(var.remote_objects, 
"cdn_profile", {}), lookup(var.data_sources, "cdn_profile", {})) + combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), lookup(var.remote_objects, "cognitive_services_account", {}), lookup(var.data_sources, "cognitive_services_account", {})) + combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), lookup(var.remote_objects, "consumption_budgets_resource_groups", {}), lookup(var.data_sources, "consumption_budgets_resource_groups", {})) + combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), lookup(var.remote_objects, "consumption_budgets_subscriptions", {}), lookup(var.data_sources, "consumption_budgets_subscriptions", {})) + combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), lookup(var.remote_objects, "container_registry", {}), lookup(var.data_sources, "container_registry", {})) + combined_objects_container_app_environments = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environments }), lookup(var.remote_objects, "container_app_environments", {})) + combined_objects_container_app_environment_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_certificates }), lookup(var.remote_objects, "container_app_environment_certificates", {})) + combined_objects_container_app_environment_storages = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_storages }), lookup(var.remote_objects, "container_app_environment_storages", {})) + combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = module.cosmos_dbs }), lookup(var.remote_objects, "cosmos_dbs", {}), lookup(var.data_sources, 
"cosmos_dbs", {})) + combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), lookup(var.remote_objects, "cosmosdb_sql_databases", {})) + combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = merge(module.data_factory, lookup(var.data_sources, "data_factory", {})) }), lookup(var.remote_objects, "data_factory", {})) + combined_objects_data_factory_integration_runtime_azure_ssis = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_azure_ssis }), lookup(var.remote_objects, "combined_objects_data_factory_integration_runtime_azure_ssis", {})) + combined_objects_data_factory_integration_runtime_self_hosted = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_self_hosted }), lookup(var.remote_objects, "data_factory_integration_runtime_self_hosted", {})) + combined_objects_data_factory_linked_service_azure_blob_storage = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_azure_blob_storage }), lookup(var.remote_objects, "data_factory_linked_service_azure_blob_storage", {})) + combined_objects_data_factory_linked_service_cosmosdb = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_cosmosdb }), lookup(var.remote_objects, "data_factory_linked_service_cosmosdb", {})) + combined_objects_data_factory_linked_service_mysql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_mysql }), lookup(var.remote_objects, "data_factory_linked_service_mysql", {})) + combined_objects_data_factory_linked_service_postgresql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_postgresql }), lookup(var.remote_objects, "data_factory_linked_service_postgresql", {})) + combined_objects_data_factory_linked_service_sql_server = merge(tomap({ 
(local.client_config.landingzone_key) = module.data_factory_linked_service_sql_server }), lookup(var.remote_objects, "data_factory_linked_service_sql_server", {})) + combined_objects_data_factory_linked_service_web = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_web }), lookup(var.remote_objects, "data_factory_linked_service_web", {})) + combined_objects_data_factory_pipeline = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_pipeline }), lookup(var.remote_objects, "data_factory_pipeline", {})) + combined_objects_database_migration_services = merge(tomap({ (local.client_config.landingzone_key) = module.database_migration_services }), lookup(var.remote_objects, "database_migration_services", {})) + combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), lookup(var.remote_objects, "databricks_workspaces", {}), lookup(var.data_sources, "databricks_workspaces", {})) + combined_objects_databricks_access_connectors = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_access_connectors }), lookup(var.remote_objects, "databricks_access_connectors", {}), lookup(var.data_sources, "databricks_access_connectors", {})) + combined_objects_ddos_services = merge(tomap({ (local.client_config.landingzone_key) = azurerm_network_ddos_protection_plan.ddos_protection_plan }), lookup(var.remote_objects, "ddos_services", {}), lookup(var.remote_objects, "ddos_services", {})) + combined_objects_dedicated_host_groups = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_host_groups }), lookup(var.remote_objects, "dedicated_host_groups", {}), lookup(var.data_sources, "dedicated_host_groups", {})) + combined_objects_dedicated_hosts = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_hosts }), lookup(var.remote_objects, "dedicated_hosts", {}), lookup(var.data_sources, "dedicated_hosts", {})) + 
combined_objects_diagnostic_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.diagnostic_storage_accounts }), lookup(var.remote_objects, "diagnostic_storage_accounts", {})) + combined_objects_digital_twins_instances = merge(tomap({ (local.client_config.landingzone_key) = module.digital_twins_instances }), lookup(var.remote_objects, "digital_twins_instances", {})) + combined_objects_disk_encryption_sets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.disk_encryption_sets, module.disk_encryption_sets_external) }), lookup(var.remote_objects, "disk_encryption_sets", {}), lookup(var.remote_objects, "disk_encryption_sets_external", {}), lookup(var.data_sources, "disk_encryption_sets", {})) + combined_objects_dns_zones = merge(tomap({ (local.client_config.landingzone_key) = module.dns_zones }), lookup(var.remote_objects, "dns_zones", {}), lookup(var.data_sources, "dns_zones", {})) + combined_objects_domain_name_registrations = merge(tomap({ (local.client_config.landingzone_key) = module.domain_name_registrations }), lookup(var.remote_objects, "domain_name_registrations", {})) + combined_objects_event_hub_auth_rules = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_auth_rules }), lookup(var.remote_objects, "event_hub_auth_rules", {})) + combined_objects_event_hub_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_namespaces }), lookup(var.remote_objects, "event_hub_namespaces", {}), lookup(var.data_sources, "event_hub_namespaces", {})) + combined_objects_event_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.event_hubs }), lookup(var.remote_objects, "event_hubs", {})) + combined_objects_eventgrid_domains = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_domain }), lookup(var.remote_objects, "eventgrid_domain", {})) + combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = 
module.eventgrid_topic }), lookup(var.remote_objects, "eventgrid_topic", {})) + combined_objects_express_route_circuit_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_authorizations }), lookup(var.remote_objects, "express_route_circuit_authorizations", {})) + combined_objects_express_route_circuit_peerings = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_peerings }), lookup(var.remote_objects, "express_route_circuit_peerings", {})) + combined_objects_express_route_circuits = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuits }), lookup(var.remote_objects, "express_route_circuits", {}), lookup(var.data_sources, "express_route_circuits", {})) + combined_objects_front_door = merge(tomap({ (local.client_config.landingzone_key) = module.front_doors }), lookup(var.remote_objects, "front_doors", {})) + combined_objects_front_door_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), lookup(var.remote_objects, "front_door_waf_policies", {})) + combined_objects_function_apps = merge(tomap({ (local.client_config.landingzone_key) = module.function_apps }), lookup(var.remote_objects, "function_apps", {})) + combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), lookup(var.remote_objects, "image_definitions", {})) + combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), lookup(var.remote_objects, "integration_service_environment", {})) + combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), lookup(var.remote_objects, "iot_central_application", {})) + combined_objects_iot_dps_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_certificate }), 
lookup(var.remote_objects, "iot_dps_certificate", {})) + combined_objects_iot_dps_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_shared_access_policy }), lookup(var.remote_objects, "iot_dps_shared_access_policy", {})) + combined_objects_iot_hub = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub }), lookup(var.remote_objects, "iot_hub", {})) + combined_objects_iot_hub_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_certificate }), lookup(var.remote_objects, "iot_hub_certificate", {})) + combined_objects_iot_hub_consumer_groups = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_consumer_groups }), lookup(var.remote_objects, "iot_hub_consumer_groups", {})) + combined_objects_iot_hub_dps = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_dps }), lookup(var.remote_objects, "iot_hub_dps", {})) + combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), lookup(var.remote_objects, "iot_hub_shared_access_policy", {})) + combined_objects_iot_security_device_group = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_device_group }), lookup(var.remote_objects, "iot_security_device_group", {})) + combined_objects_iot_security_solution = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_solution }), lookup(var.remote_objects, "iot_security_solution", {})) + combined_objects_keyvault_certificate_requests = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificate_requests }), lookup(var.remote_objects, "keyvault_certificate_requests", {})) + combined_objects_keyvault_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificates }), lookup(var.remote_objects, "keyvault_certificates", {}), lookup(var.data_sources, "keyvault_certificates", {})) + 
combined_objects_keyvault_keys = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvault_keys, lookup(var.data_sources, "keyvault_keys", {})) }), lookup(var.remote_objects, "keyvault_keys", {}), lookup(var.data_sources, "keyvault_keys", {})) + combined_objects_keyvaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvaults, lookup(var.data_sources, "keyvaults", {})) }), lookup(var.remote_objects, "keyvaults", {})) + combined_objects_kusto_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_clusters }), lookup(var.remote_objects, "kusto_clusters", {}), lookup(var.data_sources, "kusto_clusters", {})) + combined_objects_kusto_databases = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_databases }), lookup(var.remote_objects, "kusto_databases", {})) + combined_objects_lb = merge(tomap({ (local.client_config.landingzone_key) = module.lb }), lookup(var.remote_objects, "lb", {}), lookup(var.data_sources, "load_balancers", {})) + combined_objects_lb_backend_address_pool = merge(tomap({ (local.client_config.landingzone_key) = module.lb_backend_address_pool }), lookup(var.remote_objects, "lb_backend_address_pool", {})) + combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), lookup(var.remote_objects, "lb_probe", {})) + combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), lookup(var.remote_objects, "load_balancers", {}), lookup(var.data_sources, "load_balancers", {})) + combined_objects_load_test = merge(tomap({ (local.client_config.landingzone_key) = module.load_test }), lookup(var.remote_objects, "load_test", {}), lookup(var.data_sources, "load_test", {})) + combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), lookup(var.remote_objects, "log_analytics", {}), lookup(var.data_sources, "log_analytics", {})) + 
combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), lookup(var.remote_objects, "logic_app_integration_account", {}), lookup(var.data_sources, "logic_app_integration_account", {})) + combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), lookup(var.remote_objects, "logic_app_standard", {})) + combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), lookup(var.remote_objects, "logic_app_workflow", {}), lookup(var.data_sources, "logic_app_workflow", {})) + combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), lookup(var.remote_objects, "machine_learning_workspaces", {}), lookup(var.data_sources, "machine_learning_workspaces", {})) + combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), lookup(var.remote_objects, "maintenance_configuration", {})) + combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), lookup(var.remote_objects, "maintenance_assignment_virtual_machine", {})) + combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), lookup(var.remote_objects, "managed_identities", {}), lookup(var.data_sources, "managed_identities", {})) + combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), lookup(var.remote_objects, "maps_accounts", {})) + combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), lookup(var.remote_objects, "monitor_action_groups", {}), lookup(var.data_sources, 
"monitor_action_groups", {})) + combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), lookup(var.remote_objects, "mssql_databases", {}), lookup(var.data_sources, "mssql_databases", {})) + combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_elastic_pools, lookup(var.data_sources, "mssql_elastic_pools", {})) }), lookup(var.remote_objects, "mssql_elastic_pools", {})) + combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_databases, module.mssql_managed_databases_v1) }), lookup(var.remote_objects, "mssql_managed_databases", {}), lookup(var.data_sources, "mssql_managed_databases", {})) + combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, lookup(var.data_sources, "mssql_managed_instances", {})) }), lookup(var.remote_objects, "mssql_managed_instances", {}), lookup(var.data_sources, "mssql_managed_instances", {})) + combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, lookup(var.data_sources, "mssql_managed_instances_secondary", {})) }), lookup(var.remote_objects, "mssql_managed_instances_secondary", {}), lookup(var.remote_objects, "mssql_managed_instances_secondary", {})) + combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, lookup(var.data_sources, "mssql_servers", {})) }), lookup(var.remote_objects, "mssql_servers", {})) + combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), lookup(var.remote_objects, "mysql_flexible_server", {})) + combined_objects_mysql_servers = merge(tomap({ 
(local.client_config.landingzone_key) = module.mysql_servers }), lookup(var.remote_objects, "mysql_servers", {}), lookup(var.data_sources, "mysql_servers", {})) + combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), lookup(var.remote_objects, "nat_gateways", {}), lookup(var.data_sources, "nat_gateways", {})) + combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), lookup(var.remote_objects, "network_profiles", {})) + combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), lookup(var.remote_objects, "network_security_groups", {}), lookup(var.data_sources, "network_security_groups", {})) + combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), lookup(var.remote_objects, "network_watchers", {}), lookup(var.data_sources, "network_watchers", {})) + combined_objects_networking = merge(tomap({ (local.client_config.landingzone_key) = merge(module.networking, lookup(var.data_sources, "vnets", {})) }), lookup(var.remote_objects, "vnets", {})) + combined_objects_postgresql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_flexible_servers }), lookup(var.remote_objects, "postgresql_flexible_servers", {})) + combined_objects_postgresql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_servers }), lookup(var.remote_objects, "postgresql_servers", {}), lookup(var.data_sources, "postgresql_servers", {})) + combined_objects_private_dns = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns }), lookup(var.remote_objects, "private_dns", {}), lookup(var.data_sources, "private_dns", {})) + combined_objects_private_dns_resolver_dns_forwarding_rulesets = merge(tomap({ (local.client_config.landingzone_key) = 
module.private_dns_resolver_dns_forwarding_rulesets }), lookup(var.remote_objects, "private_dns_resolver_dns_forwarding_rulesets", {})) + combined_objects_private_dns_resolver_inbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_inbound_endpoints }), lookup(var.remote_objects, "private_dns_resolver_inbound_endpoints", {})) + combined_objects_private_dns_resolver_outbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_outbound_endpoints }), lookup(var.remote_objects, "private_dns_resolver_outbound_endpoints", {})) + combined_objects_private_dns_resolvers = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolvers }), lookup(var.remote_objects, "private_dns_resolvers", {})) + combined_objects_private_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_endpoints }), lookup(var.remote_objects, "private_endpoints", {})) + combined_objects_proximity_placement_groups = merge(tomap({ (local.client_config.landingzone_key) = module.proximity_placement_groups }), lookup(var.remote_objects, "proximity_placement_groups", {}), lookup(var.data_sources, "proximity_placement_groups", {})) + combined_objects_public_ip_addresses = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_addresses }), lookup(var.remote_objects, "public_ip_addresses", {}), lookup(var.data_sources, "public_ip_addresses", {})) + combined_objects_public_ip_prefixes = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_prefixes }), lookup(var.remote_objects, "public_ip_prefixes", {})) + combined_objects_purview_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.purview_accounts }), lookup(var.remote_objects, "purview_accounts", {})) + combined_objects_recovery_vaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.recovery_vaults, lookup(var.data_sources, "recovery_vaults", {})) }), 
lookup(var.remote_objects, "recovery_vaults", {})) + combined_objects_redis_caches = merge(tomap({ (local.client_config.landingzone_key) = module.redis_caches }), lookup(var.remote_objects, "redis_caches", {}), lookup(var.data_sources, "redis_caches", {})) + combined_objects_relay_hybrid_connection = merge(tomap({ (local.client_config.landingzone_key) = module.relay_hybrid_connection }), lookup(var.remote_objects, "relay_hybrid_connection", {})) + combined_objects_relay_namespace = merge(tomap({ (local.client_config.landingzone_key) = module.relay_namespace }), lookup(var.remote_objects, "relay_namespace", {})) + combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(local.resource_groups, lookup(var.data_sources, "resource_groups", {})) }), lookup(var.remote_objects, "resource_groups", {})) + combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), lookup(var.remote_objects, "route_tables", {})) + combined_objects_search_services = merge(tomap({ (local.client_config.landingzone_key) = module.search_service }), lookup(var.remote_objects, "search_services", {}), lookup(var.data_sources, "search_services", {})) + combined_objects_sentinel_watchlists = merge(tomap({ (local.client_config.landingzone_key) = module.sentinel_watchlists }), lookup(var.remote_objects, "sentinel_watchlists", {})) + combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_namespaces }), lookup(var.remote_objects, "servicebus_namespaces", {}), lookup(var.data_sources, "servicebus_namespaces", {})) + combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), lookup(var.remote_objects, "servicebus_queues", {}), lookup(var.data_sources, "servicebus_queues", {})) + combined_objects_servicebus_topics = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_topics }), 
lookup(var.remote_objects, "servicebus_topics", {}), lookup(var.data_sources, "servicebus_topics", {})) + combined_objects_signalr_services = merge(tomap({ (local.client_config.landingzone_key) = module.signalr_services }), lookup(var.remote_objects, "signalr_services", {}), lookup(var.data_sources, "signalr_services", {})) + combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), lookup(var.remote_objects, "storage_account_file_shares", {})) + combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), lookup(var.remote_objects, "storage_account_queues", {})) + combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = merge(module.storage_accounts, lookup(var.data_sources, "storage_accounts", {})) }), lookup(var.remote_objects, "storage_accounts", {})) + combined_objects_storage_containers = merge(tomap({ (local.client_config.landingzone_key) = module.storage_containers }), lookup(var.remote_objects, "storage_containers", {}), lookup(var.data_sources, "storage_containers", {})) + combined_objects_synapse_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.synapse_workspaces }), lookup(var.remote_objects, "synapse_workspaces", {}), lookup(var.data_sources, "synapse_workspaces", {})) + combined_objects_traffic_manager_azure_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_azure_endpoint }), lookup(var.remote_objects, "traffic_manager_azure_endpoint", {})) + combined_objects_traffic_manager_external_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_external_endpoint }), lookup(var.remote_objects, "traffic_manager_external_endpoint", {})) + combined_objects_traffic_manager_nested_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_nested_endpoint }), 
lookup(var.remote_objects, "traffic_manager_nested_endpoint", {})) + combined_objects_traffic_manager_profile = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_profile }), lookup(var.remote_objects, "traffic_manager_profile", {})) + combined_objects_virtual_hub_connections = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_connection.vhub_connection }), lookup(var.remote_objects, "vhub_peerings", {}), lookup(var.remote_objects, "virtual_hub_connections", {})) + combined_objects_virtual_hub_route_tables = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), lookup(var.remote_objects, "virtual_hub_route_tables", {})) + combined_objects_virtual_wans = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_wans, lookup(var.data_sources, "virtual_wans", {})) }), lookup(var.remote_objects, "virtual_wans", {}), lookup(var.data_sources, "virtual_wans", {})) + combined_objects_virtual_hubs = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_hubs, lookup(var.data_sources, "virtual_hubs", {})) }), lookup(var.remote_objects, "virtual_hubs", {}), lookup(var.data_sources, "virtual_hubs", {})) + combined_objects_virtual_machine_scale_sets = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machine_scale_sets }), lookup(var.remote_objects, "virtual_machine_scale_sets", {}), lookup(var.data_sources, "virtual_machine_scale_sets", {})) + combined_objects_virtual_machines = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machines }), lookup(var.remote_objects, "virtual_machines", {}), lookup(var.data_sources, "virtual_machines", {})) + combined_objects_virtual_subnets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_subnets, lookup(var.data_sources, "virtual_subnets", {})) }), lookup(var.remote_objects, "virtual_subnets", {})) + combined_objects_vmware_clusters = 
merge(tomap({ (local.client_config.landingzone_key) = module.vmware_clusters }), lookup(var.remote_objects, "vmware_clusters", {})) + combined_objects_vmware_express_route_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_express_route_authorizations }), lookup(var.remote_objects, "vmware_express_route_authorizations", {})) + combined_objects_vmware_private_clouds = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_private_clouds }), lookup(var.remote_objects, "vmware_private_clouds", {}), lookup(var.data_sources, "vmware_private_clouds", {})) + combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), lookup(var.remote_objects, "vpn_gateway_connections", {})) + combined_objects_vpn_gateway_nat_rules = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_nat_rules }), lookup(var.remote_objects, "vpn_gateway_nat_rules", {})) + combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), lookup(var.remote_objects, "vpn_sites", {})) + combined_objects_web_pubsub_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsub_hubs }), lookup(var.remote_objects, "web_pubsub_hubs", {})) + combined_objects_web_pubsubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsubs }), lookup(var.remote_objects, "web_pubsubs", {})) + combined_objects_wvd_application_groups = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), lookup(var.remote_objects, "wvd_application_groups", {})) + combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), lookup(var.remote_objects, "wvd_applications", {})) + combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), lookup(var.remote_objects, "wvd_host_pools", {})) + 
combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), lookup(var.remote_objects, "wvd_workspaces", {})) combined_objects_subscriptions = merge( tomap( @@ -189,11 +189,11 @@ locals { (local.client_config.landingzone_key) = merge( module.subscriptions, { ("logged_in_subscription") = { id = data.azurerm_subscription.primary.id } }, - try(var.data_sources.subscriptions, {}) + lookup(var.data_sources, "subscriptions", {}) ) } ), - try(var.remote_objects.subscriptions, {}) + lookup(var.remote_objects, "subscriptions", {}) ) } From 6e1ca3f7074fc0cf7d54f24bedee490e35cb449a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 15:30:37 +0000 Subject: [PATCH 104/244] Update hashicorp/azurerm requirement from ~> 3.105.0 to ~> 3.113.0 Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version. - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases) - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/terraform-provider-azurerm/compare/v3.105.0...v3.113.0) --- updated-dependencies: - dependency-name: hashicorp/azurerm dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 605b96986c..e1a11128fc 100644 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.105.0" + version = "~> 3.113.0" configuration_aliases = [ azurerm.vhub ] From edf2616537e736a64b947495d76ee5fd5ce6db30 Mon Sep 17 00:00:00 2001 
From: shanoor <17402800+shanoor@users.noreply.github.com> Date: Tue, 23 Jul 2024 08:00:01 +0200 Subject: [PATCH 105/244] Add storage defender support (#2030) * Add storage defender support * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux * Added example --------- Co-authored-by: Arnaud Lheureux --- .github/workflows/standalone-scenarios.json | 1 + .../configuration.tfvars | 49 +++++++++++++++++++ modules/storage_account/storage_defender.tf | 9 ++++ 3 files changed, 59 insertions(+) create mode 100644 examples/storage_accounts/112-storage-account-with-defender/configuration.tfvars create mode 100644 modules/storage_account/storage_defender.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 36d5c48490..f8812951b1 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json @@ -119,6 +119,7 @@ "storage_accounts/107-storage-account-management-policy", "storage_accounts/109-storage-account-advanced-options-cmk", "storage_accounts/110-file-share-with-acl", + "storage_accounts/112-storage-account-with-defender", "storage_container/101-storage_container", "synapse_analytics/100-synapse", "synapse_analytics/101-synapse-sparkpool", diff --git a/examples/storage_accounts/112-storage-account-with-defender/configuration.tfvars b/examples/storage_accounts/112-storage-account-with-defender/configuration.tfvars new file mode 100644 index 0000000000..9aa028164b --- /dev/null +++ b/examples/storage_accounts/112-storage-account-with-defender/configuration.tfvars 
@@ -0,0 +1,49 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } +} + +resource_groups = { + test = { + name = "storage-account-defender" + } +} + +# https://docs.microsoft.com/en-us/azure/storage/ +storage_accounts = { + sa1 = { + name = "sa1dev" + # This option is to enable remote RG reference + # resource_group = { + # lz_key = "" + # key = "" + # } + + resource_group_key = "test" + # Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2 + account_kind = "BlobStorage" + # Account Tier options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. + account_tier = "Standard" + # Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS + account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy + tags = { + environment = "dev" + team = "IT" + ## + } + containers = { + dev = { + name = "random" + } + } + + defender = { + override_subscription_settings = true + malware_scanning_on_upload = true + malware_scanning_on_upload_cap_gb_per_month = 10 + sensitive_data_discovery_enabled = false + } + } +} diff --git a/modules/storage_account/storage_defender.tf b/modules/storage_account/storage_defender.tf new file mode 100644 index 0000000000..8857e914e1 --- /dev/null +++ b/modules/storage_account/storage_defender.tf 
@@ -0,0 +1,9 @@
+resource "azurerm_security_center_storage_defender" "defender" {
+ count = can(var.storage_account.defender) ? 1 : 0
+
+ storage_account_id = azurerm_storage_account.stg.id
+ override_subscription_settings_enabled = try(var.storage_account.defender.override_subscription_settings, null)
+ malware_scanning_on_upload_enabled = try(var.storage_account.defender.malware_scanning_on_upload, null)
+ malware_scanning_on_upload_cap_gb_per_month = try(var.storage_account.defender.malware_scanning_on_upload_cap_gb_per_month, null)
+ sensitive_data_discovery_enabled = try(var.storage_account.defender.sensitive_data_discovery_enabled, null)
+}
From 33184225d0c52772a692ebeaed3f70c1153b6bf8 Mon Sep 17 00:00:00 2001 From: kevindelmont <133667252+kevindelmont@users.noreply.github.com> Date: Tue, 23 Jul 2024 08:05:48 +0200 Subject: [PATCH 106/244] New combined objects and new output signalr (#2034) * Apply terraform fmt * add new combined objects and new output signalR * fix --------- Co-authored-by: GitHub Action
---
 locals.tf | 2 ++ modules/messaging/signalr_service/output.tf | 10 ++++++++++ 2 files changed, 12 insertions(+)
diff --git a/locals.tf b/locals.tf
index f6038e943f..13df3d21a2 100644
--- a/locals.tf
+++ b/locals.tf
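Review bot: `count = can(var.storage_account.defender) ? 1 : 0` enables the resource whenever the `defender` attribute exists, including `defender = null` or `defender = {}`, because `can()` only tests that the expression evaluates without error; every `try(..., null)` below then yields null and the resource is created carrying nothing but provider defaults. `count = try(var.storage_account.defender, null) == null ? 0 : 1` treats an absent and a null block alike, which is closer to the intent. A short header comment listing the accepted keys would also help, since the tfvars keys (`override_subscription_settings`, `malware_scanning_on_upload`) differ from the resource attribute names (`override_subscription_settings_enabled`, `malware_scanning_on_upload_enabled`) and the example added in this patch is the only place that shows the mapping.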
@@ -197,12 +197,14 @@ locals {
 app_config = local.combined_objects_app_config
 azure_container_registries = local.combined_objects_azure_container_registries
 client_config = tomap({ (local.client_config.landingzone_key) = { config = local.client_config } })
+ cosmos_dbs = local.combined_objects_cosmos_dbs
 keyvaults = local.combined_objects_keyvaults
 machine_learning_workspaces = local.combined_objects_machine_learning
 managed_identities = local.combined_objects_managed_identities
 mssql_databases = local.combined_objects_mssql_databases
 mssql_servers = local.combined_objects_mssql_servers
 maintenance_configuration = local.combined_objects_maintenance_configuration
+ signalr_services = local.combined_objects_signalr_services
 storage_accounts = local.combined_objects_storage_accounts
 networking = local.combined_objects_networking
 }
diff --git a/modules/messaging/signalr_service/output.tf b/modules/messaging/signalr_service/output.tf
index 336e66e8d7..55f7108a04 100644
--- a/modules/messaging/signalr_service/output.tf
+++ b/modules/messaging/signalr_service/output.tf
@@ -8,6 +8,16 @@ output "name" {
 value = azurerm_signalr_service.signalr_service.name
 }
+output "primary_connection_string" {
+ description = "The primary connection string of the SignalR Service"
+ value = azurerm_signalr_service.signalr_service.primary_connection_string
+}
+
+output "secondary_connection_string" {
+ description = "The secondary connection string of the SignalR Service"
+ value = azurerm_signalr_service.signalr_service.secondary_connection_string
+}
+
 output "resource_group_name" {
 description = "The resource group name of the SignalR Service"
 value = local.resource_group_name
From 909377ea52e09a4c0b9d9abfb279a2b67ef2a576 Mon Sep 17 00:00:00 2001
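Review bot: The new `primary_connection_string` and `secondary_connection_string` outputs expose credentials but are not marked `sensitive = true`, so their values are printed by `terraform plan`/`apply` and end up in CI logs and in any parent that echoes module outputs; add `sensitive = true` to both `output` blocks. The same omission applies to the `primary_access_key` and `secondary_access_key` outputs added to modules/cognitive_services/cognitive_services_account/output.tf in patch 112/244 further down. Marking an output sensitive does not stop other modules from consuming it; it only redacts the value from console output, and the state file still holds it as it does any output.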
From: kevindelmont <133667252+kevindelmont@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:02:10 +0200 Subject: [PATCH 107/244] Support for the cost_analysis_enabled property on Aks (#2042) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Apply terraform fmt * add public_network_access_enabled for azurerm_postgresql_flexible_server (#21) add new argument public_network_access_enabled = try(var.settings.public_network_access_enabled, null) * Revert "add public_network_access_enabled for azurerm_postgresql_flexible_ser…" (#25) This reverts commit 79b2fdb48e53fb20a16a3349b52ecdad13f21216. * add cost_analysis_enabled * Updated example * fixed indentation * fix --------- Co-authored-by: GitHub Action --- .../compute/kubernetes_services/101-single-cluster/aks.tfvars | 2 ++ modules/compute/aks/aks.tf | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars b/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars index a55d375ee9..87218b10ff 100644 --- a/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars +++ b/examples/compute/kubernetes_services/101-single-cluster/aks.tfvars @@ -18,6 +18,8 @@ aks_clusters = { resource_group_key = "aks_re1" os_type = "Linux" + cost_analysis_enabled = true + identity = { type = "SystemAssigned" } diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index 3ac8887a23..0ace42bb06 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf 
@@ -161,7 +161,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 subnet_name = aci_connector_linux.value.subnet_name
 }
 }
-
+ cost_analysis_enabled = try(var.settings.cost_analysis_enabled, null)
 azure_policy_enabled = can(var.settings.addon_profile.azure_policy) || can(var.settings.azure_policy_enabled) == false ? try(var.settings.addon_profile.azure_policy.0.enabled, null) : var.settings.azure_policy_enabled
 http_application_routing_enabled = can(var.settings.addon_profile.http_application_routing) || can(var.settings.http_application_routing_enabled) == false ? try(var.settings.addon_profile.http_application_routing.0.enabled, null) : var.settings.http_application_routing_enabled
From f0f5d470289f467d0d92ed3f63bed56d17dfe193 Mon Sep 17 00:00:00 2001
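Review bot: The new `cost_analysis_enabled` line takes the place of the removed blank line, so the closing braces of the dynamic block that references `aci_connector_linux.value` now run straight into the flat attribute list; keep an empty line between them and align the `=` with its neighbours as `terraform fmt` would, which the "Apply terraform fmt" step in this commit evidently did not cover. If I recall the provider docs correctly, this attribute is only accepted when the cluster's `sku_tier` is Standard or Premium (worth confirming against the `~> 3.113.0` azurerm pin in effect at this point in the series), and the aks.tfvars example that sets it to `true` does not show the tier; a comment such as `# requires sku_tier = "Standard" or "Premium"` would save the next user an apply-time error. The enclosing `azurerm_kubernetes_cluster` resource starts and ends outside the hunk.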
From: Simon Schneider Date: Mon, 29 Jul 2024 08:56:53 +0000 Subject: [PATCH 108/244] fix: inconsistent types in conditional MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 2024/07/29 06:57:53 Error: Inconsistent conditional result types 2024/07/29 06:57:53 2024/07/29 06:57:53 on /home/AzDevOps_azpcontainer/.terraform/modules/stage2/modules/messaging/web_pubsub/private_endpoint.tf line 11, in module "private_endpoint": 2024/07/29 06:57:53 11: private_dns = can(each.value.private_dns) ? var.remote_objects.private_dns : {} 2024/07/29 06:57:53 ├──────────────── 2024/07/29 06:57:53 │ each.value.private_dns is object with 2 attributes 2024/07/29 06:57:53 │ var.remote_objects.private_dns is object with 5 attributes 2024/07/29 06:57:53 2024/07/29 06:57:53 The true and false result expressions must have consistent types. The 'true' 2024/07/29 06:57:53 value includes object attribute "devops", which is absent in the 'false' We don't need the condition here, as the private_dns variable will only act as a resource reference and the decision making will be done by the var.settings.private_dns parameter --- modules/messaging/web_pubsub/private_endpoint.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/messaging/web_pubsub/private_endpoint.tf b/modules/messaging/web_pubsub/private_endpoint.tf index ae1d455277..9d95616fa1 100644 --- a/modules/messaging/web_pubsub/private_endpoint.tf +++ b/modules/messaging/web_pubsub/private_endpoint.tf @@ -8,7 +8,7 @@ module "private_endpoint" { global_settings = var.global_settings location = local.location name = each.value.name - private_dns = can(each.value.private_dns) ? var.remote_objects.private_dns : {} + private_dns = var.remote_objects.private_dns resource_groups = var.remote_objects.resource_groups resource_id = azurerm_web_pubsub.wps.id settings = each.value From 384114bc2fecf4e9944af2952d40ec0e968d5a6c Mon Sep 17 00:00:00 2001 
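Review bot: `private_dns = var.remote_objects.private_dns` now fails at plan time for any caller whose `remote_objects` map carries no `private_dns` key, a case the old `can()` guard sidestepped when no private DNS was configured for the endpoint; `private_dns = lookup(var.remote_objects, "private_dns", {})` keeps the type-consistent fix while tolerating such a caller, and matches the `lookup(...)` style used in locals.tf earlier in this series. The commit message's reasoning that the decision belongs to `settings.private_dns` inside the private_endpoint module is consistent with this, but the fallback is still needed at the call site. The `module "private_endpoint"` block starts before and ends after the hunk.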
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 15:52:02 +0000 Subject: [PATCH 109/244] Update hashicorp/azurerm requirement from ~> 3.113.0 to ~> 3.114.0 Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version. - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases) - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/terraform-provider-azurerm/compare/v3.113.0...v3.114.0) --- updated-dependencies: - dependency-name: hashicorp/azurerm dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index e1a11128fc..62592bce80 100644 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.113.0" + version = "~> 3.114.0" configuration_aliases = [ azurerm.vhub ] From 47cd1cd0174c2264ed14146b45fb45bebec2527f Mon Sep 17 00:00:00 2001 
From: chian <91816369+chianw@users.noreply.github.com> Date: Fri, 6 Sep 2024 08:25:09 +0800 Subject: [PATCH 110/244] Add private endpoint support for mysql flexible server (#2052) * Apply terraform fmt * add private endpoint for mysql flexible server try 1 * removed base_tags from mysqlflexibleserver variables * update mysql_flexible_servers.tf * change base_tag variable to boolean * changed base_tags to bool * add inherit_base_tags bool * change location and resourcegroupname for private endpoint * test change location and resource_group_name for private_endpoint * add location and resource_group_name to main.tf for mysql flexible server * revert changes to location and resource_group_name for private endpoiint and main.tf * add example for mysql-flexible-server-private-endpoint --------- Co-authored-by: GitHub Action --- .../configuration.tfvars | 8 +- .../configuration.tfvars | 110 ++++++++++++++++++ .../databases/mysql_flexible_server/main.tf | 1 - .../private_endpoints.tf | 20 ++++ .../mysql_flexible_server/variables.tf | 17 +++ mysql_flexible_servers.tf | 6 +- 6 files changed, 156 insertions(+), 6 deletions(-) create mode 100644 examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars create mode 100644 modules/databases/mysql_flexible_server/private_endpoints.tf diff --git a/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars index 79f8ab921a..62c98ec3e1 100644 --- a/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars +++ b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars 
@@ -27,14 +27,14 @@ cognitive_services_account = { # lz_key = "examples" key = "test-rg" } - name = "cs-test-1" - kind = "OpenAI" - sku_name = "S0" + name = "cs-test-1" + kind = "OpenAI" + sku_name = "S0" public_network_access_enabled = true identity = { type = "SystemAssigned, UserAssigned" // Can be "SystemAssigned, UserAssigned" or "SystemAssigned" or "UserAssigned" - key = "cognitive_msi" // A must with "SystemAssigned, UserAssigned" and "UserAssigned" + key = "cognitive_msi" // A must with "SystemAssigned, UserAssigned" and "UserAssigned" } tags = { diff --git a/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars b/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars new file mode 100644 index 0000000000..f65925a736 --- /dev/null +++ b/examples/mysql_flexible_server/103-mysql-flexible-private-endpoint/configuration.tfvars 
@@ -0,0 +1,110 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "australiaeast" + } +} + +resource_groups = { + mysql_region1 = { + name = "mysql-region1" + region = "region1" + } + security_region1 = { + name = "security-region1" + } +} + +mysql_flexible_server = { + primary_region1 = { + name = "vks-flexible-testservers" + version = "8.0.21" #Possible values are 5.7, and 8.0.21 + sku_name = "GP_Standard_D2ds_v4" + zone = 1 + resource_group = { + key = "mysql_region1" + # lz_key = "" # Set the lz_key if the resource group is remote. + } + + private_dns_zone_id = "dns_zone1" + + # Auto-generated administrator credentials stored in azure keyvault when not set (recommended). + #administrator_username = "psqladmin" + #administrator_password = "ComplxP@ssw0rd!" + keyvault = { + key = "mysql_region1" # (Required) when auto-generated administrator credentials needed. + # lz_key = "" # Set the lz_key if the keyvault is remote. + } + + # [Optional] Server Configurations + mysql_configurations = { + mysql_configurations = { + name = "interactive_timeout" + value = "600" + } + + } + # [Optional] Database Configurations + mysql_databases = { + flex_mysql_database = { + name = "exampledb" + collation = "utf8mb3_unicode_ci" + charset = "utf8mb3" + } + } + + tags = { + server = "MysqlFlexible" + } + + private_endpoints = { + private-link-level4 = { + name = "sales-sql-rg1" + vnet_key = "vnet_region1" + subnet_key = "private_dns" + resource_group_key = "sql_region1" + + private_service_connection = { + name = "sales-sql-rg1" + is_manual_connection = false + subresource_names = ["mysqlServer"] + } + } + } + + } + +} + +keyvaults = { + mysql_region1 = { + name = "mysql-region123" + resource_group_key = "security_region1" + sku_name = "standard" + soft_delete_enabled = true + creation_policies = { + logged_in_user = { + secret_permissions = ["Set", "Get", "List", "Delete", "Purge"] + } + } + } +} + +vnets = { + vnet_region1 = { + resource_group_key = 
"mysql_region1" + region = "region1" + vnet = { + name = "mysql" + address_space = ["10.10.0.0/24"] + } + subnets = { + private_dns = { + name = "private-dns" + cidr = ["10.10.0.0/25"] + enforce_private_link_endpoint_network_policies = true + enforce_private_link_service_network_policies = false + } + } + } +} \ No newline at end of file diff --git a/modules/databases/mysql_flexible_server/main.tf b/modules/databases/mysql_flexible_server/main.tf index 2e1918847f..e8019f6ebf 100644 --- a/modules/databases/mysql_flexible_server/main.tf +++ b/modules/databases/mysql_flexible_server/main.tf @@ -12,4 +12,3 @@ locals { } tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null)) } - diff --git a/modules/databases/mysql_flexible_server/private_endpoints.tf b/modules/databases/mysql_flexible_server/private_endpoints.tf new file mode 100644 index 0000000000..c77476562c --- /dev/null +++ b/modules/databases/mysql_flexible_server/private_endpoints.tf 
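Review bot: `resource_group_key = "sql_region1"` inside `private_endpoints.private-link-level4` names a resource group this file never declares (only `mysql_region1` and `security_region1` exist); the module added in this patch places the endpoint via `var.resource_group_name` rather than this key, so the value is ignored, but it will mislead anyone copying the example. Unlike patch 105/244, this commit does not add the new `mysql_flexible_server/103-mysql-flexible-private-endpoint` scenario to .github/workflows/standalone-scenarios.json, so the example is not exercised by CI. The file also ends without a trailing newline.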
@@ -0,0 +1,20 @@
+module "private_endpoint" {
+ source = "../../networking/private_endpoint"
+ for_each = var.private_endpoints
+
+ resource_id = azurerm_mysql_flexible_server.mysql.id
+ name = each.value.name
+ # location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+ # resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+
+ settings = each.value
+ global_settings = var.global_settings
+ base_tags = var.inherit_base_tags
+ tags = local.tags
+ private_dns = var.private_dns
+ client_config = var.client_config
+}
diff --git a/modules/databases/mysql_flexible_server/variables.tf b/modules/databases/mysql_flexible_server/variables.tf
index 790831d1d0..c5717d2735 100644
--- a/modules/databases/mysql_flexible_server/variables.tf
+++ b/modules/databases/mysql_flexible_server/variables.tf
@@ -31,4 +31,21 @@ variable "settings" {
 variable "location" {
 description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
 type = string
+}
+
+variable "private_dns" {
+ default = {}
+}
+
+variable "private_endpoints" {}
+
+variable "resource_groups" {}
+
+variable "resource_group" {}
+
+variable "vnets" {}
+
+variable "inherit_base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = bool
 }
\ No newline at end of file
diff --git a/mysql_flexible_servers.tf b/mysql_flexible_servers.tf
index 3e396f8e63..afdcc69bee 100644
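Review bot: The two commented-out `location`/`resource_group_name` lines are dead code left over from the iterations listed in the commit message; either delete them or replace them with one line that records the decision, e.g. `# endpoint is created in the server's resource group; per-endpoint resource_group keys are not used`. `var.resource_groups` and `var.resource_group`, declared in the same patch, are not referenced anywhere in this file, so unless another file in the module reads them they can be dropped together with the matching arguments in mysql_flexible_servers.tf.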
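Review bot: `variable "private_endpoints" {}`, `variable "resource_groups" {}`, `variable "resource_group" {}` and `variable "vnets" {}` are declared with no `description`, no `type` and no `default`, which makes all four mandatory for every caller of the module and leaves their expected shape undocumented; give `private_endpoints` and `vnets` `default = {}` and a one-line description each, in the style of the `private_dns` block just above them. `inherit_base_tags` is documented but also has no default, so a caller that omits it fails at plan time. The file still ends without a newline after this change.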
--- a/mysql_flexible_servers.tf
+++ b/mysql_flexible_servers.tf
@@ -15,7 +15,11 @@ module "mysql_flexible_server" {
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
 location = can(local.global_settings.regions[each.value.region]) || can(each.value.region) ? try(local.global_settings.regions[each.value.region], each.value.region) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
-
+ private_endpoints = try(each.value.private_endpoints, {})
+ resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups
+ resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
+ vnets = local.combined_objects_networking
+ inherit_base_tags = local.global_settings.inherit_tags
 remote_objects = {
 subnet_id = can(each.value.vnet.subnet_key) ? local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.key].subnets[each.value.vnet.subnet_key].id : null
 private_dns_zone_id = can(each.value.private_dns_zone.key) ? local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id : null
From aae1ce2a5fe880b4f3bdfa4ba17bd8619183a533 Mon Sep 17 00:00:00 2001
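Review bot: The module call never sets `private_dns`, so modules/databases/mysql_flexible_server/private_endpoints.tf forwards the variable's `default = {}` to the private_endpoint module and any private DNS zone-group settings a user puts under `private_endpoints` will have nothing to resolve against; add `private_dns = local.combined_objects_private_dns` next to `vnets`, as cognitive_service.tf does in patch 112/244. The diffstat for this file shows no other change, and `private_dns` is a new module variable in this patch, so it cannot be passed elsewhere in the block. `resource_groups = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups` is also at odds with the other module calls on this page, which pass `local.combined_objects_resource_groups`; the local-only map cannot satisfy a remote `lz_key` lookup if the module ever uses it. The `module "mysql_flexible_server"` block starts before the hunk and ends after it.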
From: caiovbraga Date: Fri, 6 Sep 2024 02:08:39 +0100 Subject: [PATCH 111/244] Add io_scaling_enabled option to MySQL Flexible (#2039) * Add io_scaling_enabled option to MySQL Flexible * do not set iops, size when io_scaling_enable is true --------- Co-authored-by: Caio Venturini Braga
---
 modules/databases/mysql_flexible_server/server.tf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/databases/mysql_flexible_server/server.tf b/modules/databases/mysql_flexible_server/server.tf
index d2b82d4ef9..50b1dc36fc 100644
--- a/modules/databases/mysql_flexible_server/server.tf
+++ b/modules/databases/mysql_flexible_server/server.tf
@@ -52,9 +52,10 @@ resource "azurerm_mysql_flexible_server" "mysql" {
 for_each = try(var.settings.storage, null) == null ? [] : [var.settings.storage]
 content {
- auto_grow_enabled = try(var.settings.storage.auto_grow_enabled, "True")
- iops = try(var.settings.storage.iops, "360")
- size_gb = try(var.settings.storage.size_gb, "20")
+ auto_grow_enabled = try(var.settings.storage.auto_grow_enabled, "True")
+ io_scaling_enabled = try(var.settings.storage.io_scaling_enabled, "False")
+ iops = var.settings.storage.io_scaling_enabled ? null : try(var.settings.storage.iops, "360")
+ size_gb = var.settings.storage.io_scaling_enabled ? null : try(var.settings.storage.size_gb, "20")
 }
 }
@@ -116,4 +117,4 @@ resource "azurerm_key_vault_secret" "mysql_fqdn" {
 name = format("%s-mysql-fqdn", azurecaf_name.mysql_flexible_server.result)
 value = azurerm_mysql_flexible_server.mysql.fqdn
 key_vault_id = var.remote_objects.keyvault_id
-}
\ No newline at end of file
+}
From bc03cb66ca89eb4e63633fc65a2028648f594203 Mon Sep 17 00:00:00 2001
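Review bot: `iops = var.settings.storage.io_scaling_enabled ? null : try(var.settings.storage.iops, "360")` and the `size_gb` line below it read `io_scaling_enabled` without a `try()`, so every existing configuration whose `storage` block lacks that key now fails at plan time with an unsupported-attribute error, even though the line above defaults it to `"False"`. Apply the same fallback on both lines: `iops = try(var.settings.storage.io_scaling_enabled, false) ? null : try(var.settings.storage.iops, "360")` and `size_gb = try(var.settings.storage.io_scaling_enabled, false) ? null : try(var.settings.storage.size_gb, "20")`. The enclosing dynamic storage block and the `azurerm_mysql_flexible_server` resource continue outside the hunk.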
From: shanoor <17402800+shanoor@users.noreply.github.com> Date: Fri, 6 Sep 2024 03:15:07 +0200 Subject: [PATCH 112/244] Enhanced cognitive services: private endpoint support, diagnostic settings, more outputs (#2047) * Apply terraform fmt * Enhanced cognitive services: private endpoint support, diagnostic settings, more outputs --------- Co-authored-by: GitHub Action --- cognitive_service.tf | 6 ++++++ .../cognitive_services_account/diagnostics.tf | 9 +++++++++ .../cognitive_services_account/main.tf | 3 ++- .../cognitive_services_account/output.tf | 12 ++++++++++- .../private_endpoints.tf | 20 +++++++++++++++++++ .../cognitive_services_account/variables.tf | 19 +++++++++++++++++- 6 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 modules/cognitive_services/cognitive_services_account/diagnostics.tf create mode 100644 modules/cognitive_services/cognitive_services_account/private_endpoints.tf diff --git a/cognitive_service.tf b/cognitive_service.tf index 1eebac5c8c..b920b21464 100644 --- a/cognitive_service.tf +++ b/cognitive_service.tf 
@@ -9,6 +9,12 @@ module "cognitive_services_account" { resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] settings = each.value + resource_groups = local.combined_objects_resource_groups + vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + diagnostics = local.combined_diagnostics + diagnostic_profiles = try(each.value.diagnostic_profiles, {}) managed_identities = local.combined_objects_managed_identities } diff --git a/modules/cognitive_services/cognitive_services_account/diagnostics.tf b/modules/cognitive_services/cognitive_services_account/diagnostics.tf new file mode 100644 index 0000000000..3d7118951f --- /dev/null +++ b/modules/cognitive_services/cognitive_services_account/diagnostics.tf @@ -0,0 +1,9 @@ +module "diagnostics" { + source = "../../diagnostics" + count = var.diagnostic_profiles == null ? 0 : 1 + + resource_id = azurerm_cognitive_account.service.id + resource_location = local.location + diagnostics = var.diagnostics + profiles = var.diagnostic_profiles +} diff --git a/modules/cognitive_services/cognitive_services_account/main.tf b/modules/cognitive_services/cognitive_services_account/main.tf index b58d11de39..e2fd2ccc7f 100644 --- a/modules/cognitive_services/cognitive_services_account/main.tf +++ b/modules/cognitive_services/cognitive_services_account/main.tf 
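Review bot: In diagnostics.tf the guard `count = var.diagnostic_profiles == null ? 0 : 1` never reaches 0 in practice: the variable defaults to `{}` and cognitive_service.tf passes `try(each.value.diagnostic_profiles, {})`, so the diagnostics module is instantiated for every account, including those with no profiles. If the intent is to skip it when nothing is configured, `count = length(var.diagnostic_profiles) == 0 ? 0 : 1` matches the value that actually arrives. Whether the shared diagnostics module tolerates an empty profile map is not visible here, so confirm that before changing the guard.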
@@ -7,9 +7,10 @@ terraform { } locals { + location = coalesce(var.location, var.resource_group.location) tags = var.base_tags ? merge( var.global_settings.tags, try(var.resource_group.tags, null), try(var.settings.tags, null) ) : try(var.settings.tags, null) -} \ No newline at end of file +} diff --git a/modules/cognitive_services/cognitive_services_account/output.tf b/modules/cognitive_services/cognitive_services_account/output.tf index 4e37bd9072..c548874b0b 100644 --- a/modules/cognitive_services/cognitive_services_account/output.tf +++ b/modules/cognitive_services/cognitive_services_account/output.tf @@ -8,6 +8,16 @@ output "endpoint" { value = azurerm_cognitive_account.service.endpoint } +output "primary_access_key" { + description = "The primary_access_key used to connect to the Cognitive Service Account." + value = azurerm_cognitive_account.service.primary_access_key +} + +output "secondary_access_key" { + description = "The secondary_access_key used to connect to the Cognitive Service Account." + value = azurerm_cognitive_account.service.secondary_access_key +} + output "rbac_id" { description = "The Principal ID of the Cognetive Services for Role Mapping" value = try(azurerm_cognitive_account.service.identity[0].principal_id, null) @@ -15,4 +25,4 @@ output "rbac_id" { output "identity" { value = try(azurerm_cognitive_account.service.identity, null) -} \ No newline at end of file +} diff --git a/modules/cognitive_services/cognitive_services_account/private_endpoints.tf b/modules/cognitive_services/cognitive_services_account/private_endpoints.tf new file mode 100644 index 0000000000..9c34adb305 --- /dev/null +++ b/modules/cognitive_services/cognitive_services_account/private_endpoints.tf 
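Review bot: The new `primary_access_key` and `secondary_access_key` outputs are not marked `sensitive = true`, although the azurerm provider flags these attributes as sensitive; Terraform rejects a non-sensitive output that carries a sensitive value, and if the root module re-exports the whole module object (as eventgrid.tf does for its modules) the keys would also land in root outputs and state. Add `sensitive = true` to both output blocks, and consider whether the keys need exporting at all now that `rbac_id` supports identity-based access. Separately, the new `location = coalesce(var.location, var.resource_group.location)` in main.tf errors when both are null; a short comment stating that a resource group location is always expected would make the intent clear.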
@@ -0,0 +1,20 @@ +# +# Private endpoint +# + +module "private_endpoint" { + source = "../../networking/private_endpoint" + for_each = var.private_endpoints + + resource_id = azurerm_cognitive_account.service.id + name = each.value.name + location = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group_name = var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name + subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + tags = local.tags + private_dns = var.private_dns + client_config = var.client_config +} diff --git a/modules/cognitive_services/cognitive_services_account/variables.tf b/modules/cognitive_services/cognitive_services_account/variables.tf index 5c70771326..87b5679e0d 100644 --- a/modules/cognitive_services/cognitive_services_account/variables.tf +++ b/modules/cognitive_services/cognitive_services_account/variables.tf @@ -18,13 +18,30 @@ variable "resource_group_name" { type = string } +variable "diagnostic_profiles" { + default = {} +} +variable "diagnostics" { + default = {} +} + variable "settings" {} variable "managed_identities" { default = {} } +variable "vnets" {} + +variable "resource_groups" {} + +variable "private_endpoints" {} + +variable "private_dns" { + default = {} +} + variable "base_tags" { description = "Base tags for the resource to be inherited from the resource group." type = bool -} \ No newline at end of file +} From 5c9c51fc17ecd7fe75393ef57d4dc83c67d29511 Mon Sep 17 00:00:00 2001 
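Review bot: private_endpoints.tf references `var.client_config` and `var.global_settings`, but neither is added in the variables.tf hunk of this commit nor passed as a new argument from cognitive_service.tf; if they are not already declared above line 18 of variables.tf, the new file fails validation on undeclared variables. It also passes `tags = local.tags`, which main.tf leaves as `null` when neither base tags nor `settings.tags` are set, so this only works if the private_endpoint module accepts a null `tags`; `tags = try(local.tags, {})` would avoid depending on that. A one-line header comment stating which `each.value` keys are expected (`name`, `resource_group`/`resource_group_key`, `subnet_id` or `vnet_key` + `subnet_key`) would help users of the new input.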
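Review bot: `variable "private_endpoints" {}` has no default, unlike the sibling `diagnostic_profiles`, `diagnostics` and `private_dns` variables that default to `{}`, so any caller other than cognitive_service.tf that does not set it fails with a missing-variable error even though private endpoints are optional. Give it `default = {}` and a description such as `description = "Map of private endpoints to create for the account; see private_endpoints.tf for the expected keys."`, and consider the same default for `vnets` and `resource_groups`, which are only needed when the map is non-empty. None of the new variables carries a `description`, which is inconsistent with `base_tags` directly below.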
From: shanoor <17402800+shanoor@users.noreply.github.com> Date: Fri, 6 Sep 2024 03:25:33 +0200 Subject: [PATCH 113/244] Add eventgrid system topics support (#2053) * Apply terraform fmt * Feat/add eventgrid system topic (#28) --------- Co-authored-by: GitHub Action --- .github/workflows/standalone-scenarios.json | 1 + eventgrid.tf | 39 +++ .../configuration.tfvars | 64 +++++ locals.combined_objects.tf | 1 + locals.tf | 22 +- .../main.tf | 7 + .../module.tf | 235 ++++++++++++++++++ .../output.tf | 4 + .../variables.tf | 18 ++ .../eventgrid/eventgrid_system_topic/main.tf | 14 ++ .../eventgrid_system_topic/module.tf | 52 ++++ .../eventgrid_system_topic/output.tf | 12 + .../eventgrid_system_topic/variables.tf | 22 ++ 13 files changed, 481 insertions(+), 10 deletions(-) create mode 100644 examples/messaging/eventgrid/300-simple-eventgrid-system-topic/configuration.tfvars create mode 100644 modules/messaging/eventgrid/eventgrid_system_event_subscription/main.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_event_subscription/module.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_event_subscription/output.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_event_subscription/variables.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic/main.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic/module.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic/output.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic/variables.tf diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index f8812951b1..2bd6a3da02 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -73,6 +73,7 @@ "messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint", "messaging/eventgrid/102-eventgrid_subscription", "messaging/eventgrid/200-simple-eventgrid-domain-topic", + "messaging/eventgrid/300-simple-eventgrid-system-topic", "messaging/servicebus/100-servicebus-services", "messaging/servicebus/200-servicebus-privatelink", "messaging/web_pubsub/100-simple-web-pubsub", diff --git a/eventgrid.tf b/eventgrid.tf index c26e4a05d2..82e50f1178 100755 --- a/eventgrid.tf +++ b/eventgrid.tf 
@@ -77,3 +77,42 @@ module "eventgrid_domain_topic" { output "eventgrid_domain_topic" { value = module.eventgrid_domain_topic } + +module "eventgrid_system_topic" { + source = "./modules/messaging/eventgrid/eventgrid_system_topic" + for_each = local.messaging.eventgrid_system_topic + + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + + remote_objects = local.remote_objects +} +output "eventgrid_system_topic" { + value = module.eventgrid_system_topic +} +module "eventgrid_system_event_subscription" { + source = "./modules/messaging/eventgrid/eventgrid_system_event_subscription" + for_each = local.messaging.eventgrid_system_event_subscription + + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + + remote_objects = merge( + local.remote_objects, + { + functions = local.combined_objects_function_apps, + eventhubs = local.combined_objects_event_hubs, + eventgrid_system_topics = local.combined_objects_eventgrid_system_topics, + hybrid_connections = local.combined_objects_relay_hybrid_connection, + storage_account_queues = local.combined_objects_storage_account_queues + } + ) +} +output "eventgrid_system_event_subscription" { + value = module.eventgrid_system_event_subscription +} 
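Review bot: `module "eventgrid_system_topic"` receives only `local.remote_objects`, yet its `source_arm_resource_id` lookup (module.tf in this commit) indexes `var.remote_objects[var.settings.source_resource.type]`, which for the shipped example is `storage_accounts`; if `local.remote_objects` does not already carry that map the `try()` falls to `null` and the provider rejects the topic at apply time. Likewise the `eventgrid_system_event_subscription` merge adds `storage_account_queues` but not `storage_accounts`, `servicebus_queues` or `servicebus_topic`, all of which the subscription module dereferences; unless `local.remote_objects` (not visible here) already provides them, merge them alongside, e.g. `storage_accounts = local.combined_objects_storage_accounts,`. A short comment above each new module block naming the `settings` keys it consumes (`source_resource`, `topic_type`; `eventgrid_system_topic` plus the endpoint blocks) would make the new configuration surface discoverable from the root file.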
diff --git a/examples/messaging/eventgrid/300-simple-eventgrid-system-topic/configuration.tfvars b/examples/messaging/eventgrid/300-simple-eventgrid-system-topic/configuration.tfvars new file mode 100644 index 0000000000..02a3923f16 --- /dev/null +++ b/examples/messaging/eventgrid/300-simple-eventgrid-system-topic/configuration.tfvars @@ -0,0 +1,64 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + evg_examples = { + name = "eventgrid" + region = "region1" + } +} + +storage_accounts = { + sa1 = { + name = "0665ba08d3ae" + resource_group_key = "evg_examples" + account_kind = "BlobStorage" + account_tier = "Standard" + # account_replication_type = "LRS" + containers = { + dev = { + name = "random" + } + } + } +} + +eventgrid_system_topic = { + egt1 = { + name = "egt1" + resource_group = { + key = "evg_examples" + } + region = "region1" + + # topic_type can be one of these, more resource types can be supported + # Microsoft.AppConfiguration.ConfigurationStores + # Microsoft.Communication.CommunicationServices + # Microsoft.ContainerRegistry.Registries + # Microsoft.Devices.IoTHubs + # Microsoft.EventGrid.Domains + # Microsoft.EventGrid.Topics + # Microsoft.Eventhub.Namespaces + # Microsoft.KeyVault.vaults + # Microsoft.MachineLearningServices.Workspaces + # Microsoft.Maps.Accounts + # Microsoft.Media.MediaServices + # Microsoft.Resources.ResourceGroups + # Microsoft.Resources.Subscriptions + # Microsoft.ServiceBus.Namespaces + # Microsoft.SignalRService.SignalR + # Microsoft.Storage.StorageAccounts + # Microsoft.Web.ServerFarms + # Microsoft.Web.Sites + topic_type = "Microsoft.Storage.StorageAccounts" + + source_resource = { + type = "storage_accounts" + key = "sa1" + } + } +} diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 49e3609a5b..8c2f27186a 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -78,6 +78,7 @@ locals { combined_objects_event_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.event_hubs }), lookup(var.remote_objects, "event_hubs", {})) combined_objects_eventgrid_domains = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_domain }), lookup(var.remote_objects, "eventgrid_domain", {})) combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_topic }), lookup(var.remote_objects, "eventgrid_topic", {})) + combined_objects_eventgrid_system_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_system_topic }), lookup(var.remote_objects, "eventgrid_system_topic", {})) combined_objects_express_route_circuit_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_authorizations }), lookup(var.remote_objects, "express_route_circuit_authorizations", {})) combined_objects_express_route_circuit_peerings = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_peerings }), lookup(var.remote_objects, "express_route_circuit_peerings", {})) combined_objects_express_route_circuits = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuits }), lookup(var.remote_objects, "express_route_circuits", {}), lookup(var.data_sources, "express_route_circuits", {})) diff --git a/locals.tf b/locals.tf index 13df3d21a2..e81350b46f 100644 --- a/locals.tf +++ b/locals.tf 
@@ -257,16 +257,18 @@ locals { maps_accounts = try(var.maps.maps_accounts, {}) } messaging = { - signalr_services = try(var.messaging.signalr_services, {}) - servicebus_namespaces = try(var.messaging.servicebus_namespaces, {}) - servicebus_queues = try(var.messaging.servicebus_queues, {}) - servicebus_topics = try(var.messaging.servicebus_topics, {}) - eventgrid_domain = try(var.messaging.eventgrid_domain, {}) - eventgrid_topic = try(var.messaging.eventgrid_topic, {}) - eventgrid_event_subscription = try(var.messaging.eventgrid_event_subscription, {}) - eventgrid_domain_topic = try(var.messaging.eventgrid_domain_topic, {}) - web_pubsubs = try(var.messaging.web_pubsubs, {}) - web_pubsub_hubs = try(var.messaging.web_pubsub_hubs, {}) + signalr_services = try(var.messaging.signalr_services, {}) + servicebus_namespaces = try(var.messaging.servicebus_namespaces, {}) + servicebus_queues = try(var.messaging.servicebus_queues, {}) + servicebus_topics = try(var.messaging.servicebus_topics, {}) + eventgrid_domain = try(var.messaging.eventgrid_domain, {}) + eventgrid_topic = try(var.messaging.eventgrid_topic, {}) + eventgrid_event_subscription = try(var.messaging.eventgrid_event_subscription, {}) + eventgrid_domain_topic = try(var.messaging.eventgrid_domain_topic, {}) + eventgrid_system_topic = try(var.messaging.eventgrid_system_topic, {}) + eventgrid_system_event_subscription = try(var.messaging.eventgrid_system_event_subscription, {}) + web_pubsubs = try(var.messaging.web_pubsubs, {}) + web_pubsub_hubs = try(var.messaging.web_pubsub_hubs, {}) } networking = { diff --git a/modules/messaging/eventgrid/eventgrid_system_event_subscription/main.tf b/modules/messaging/eventgrid/eventgrid_system_event_subscription/main.tf new file mode 100644 index 0000000000..1fbfa06797 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_event_subscription/main.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} 
diff --git a/modules/messaging/eventgrid/eventgrid_system_event_subscription/module.tf b/modules/messaging/eventgrid/eventgrid_system_event_subscription/module.tf new file mode 100644 index 0000000000..7e41458075 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_event_subscription/module.tf 
@@ -0,0 +1,235 @@ + +resource "azurecaf_name" "eges" { + name = var.settings.name + resource_type = "azurerm_eventgrid_event_subscription" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} +resource "azurerm_eventgrid_system_topic_event_subscription" "eges" { + name = azurecaf_name.eges.result + resource_group_name = can(var.settings.resource_group.name) ? var.settings.resource_group.name : var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name + system_topic = var.remote_objects.eventgrid_system_topics[try(var.settings.eventgrid_system_topic.lz_key, var.client_config.landingzone_key)][var.settings.eventgrid_system_topic.key].name + eventhub_endpoint_id = can(var.settings.eventhub.id) ? var.settings.eventhub.id : can(var.remote_objects.eventhubs[try(var.settings.eventhub.lz_key, var.client_config.landingzone_key)][var.settings.eventhub.key].id) ? var.remote_objects.eventhubs[try(var.settings.eventhub.lz_key, var.client_config.landingzone_key)][var.settings.eventhub.key].id : null + hybrid_connection_endpoint_id = can(var.settings.hybrid_connection.id) ? var.settings.hybrid_connection.id : can(var.remote_objects.hybrid_connections[try(var.settings.hybrid_connection.lz_key, var.client_config.landingzone_key)][var.settings.hybrid_connection.key].id) ? var.remote_objects.hybrid_connections[try(var.settings.hybrid_connection.lz_key, var.client_config.landingzone_key)][var.settings.hybrid_connection.key].id : null + service_bus_queue_endpoint_id = can(var.settings.servicebus_queues.id) ? var.settings.servicebus_queues.id : can(var.remote_objects.servicebus_queues[try(var.settings.servicebus_queues.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_queues.key].id) ? 
var.remote_objects.servicebus_queues[try(var.settings.servicebus_queues.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_queues.key].id : null + service_bus_topic_endpoint_id = can(var.settings.servicebus_topic.id) ? var.settings.servicebus_topic.id : can(var.remote_objects.servicebus_topic[try(var.settings.servicebus_topic.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_topic.key].id) ? var.remote_objects.servicebus_topic[try(var.settings.servicebus_topic.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_topic.key].id : null + expiration_time_utc = try(var.settings.expiration_time_utc, null) + event_delivery_schema = try(var.settings.event_delivery_schema, null) + + dynamic "azure_function_endpoint" { + for_each = try(var.settings.azure_function_endpoint, null) != null ? [var.settings.azure_function_endpoint] : [] + content { + function_id = can(azure_function_endpoint.value.function_app.id) ? azure_function_endpoint.value.function_app.id : can(var.remote_objects.functions[try(azure_function_endpoint.value.function_app.lz_key, var.client_config.landingzone_key)][azure_function_endpoint.value.function_app.key].id) ? "${var.remote_objects.functions[try(azure_function_endpoint.value.function_app.lz_key, var.client_config.landingzone_key)][azure_function_endpoint.value.function_app.key].id}/functions/${azure_function_endpoint.value.function_name}" : null + max_events_per_batch = try(azure_function_endpoint.value.max_events_per_batch, null) + preferred_batch_size_in_kilobytes = try(azure_function_endpoint.value.preferred_batch_size_in_kilobytes, null) + } + } + dynamic "storage_queue_endpoint" { + for_each = try(var.settings.storage_queue_endpoint, null) != null ? [var.settings.storage_queue_endpoint] : [] + content { + storage_account_id = can(storage_queue_endpoint.value.queue_endpoint.storage_account.id) ? 
storage_queue_endpoint.value.queue_endpoint.storage_account.id : var.remote_objects.storage_accounts[try(storage_queue_endpoint.value.storage_account.lz_key, var.client_config.landingzone_key)][storage_queue_endpoint.value.storage_account.key].id + queue_name = can(storage_queue_endpoint.value.queue.name) ? storage_queue_endpoint.value.queue.name : var.remote_objects.storage_account_queues[try(storage_queue_endpoint.value.queue.lz_key, var.client_config.landingzone_key)][storage_queue_endpoint.value.queue.key].name + queue_message_time_to_live_in_seconds = try(storage_queue_endpoint.value.queue_message_time_to_live_in_seconds, null) + } + } + dynamic "webhook_endpoint" { + for_each = try(var.settings.webhook_endpoint, null) != null ? [var.settings.webhook_endpoint] : [] + content { + url = try(webhook_endpoint.value.url, null) + base_url = try(webhook_endpoint.value.base_url, null) + max_events_per_batch = try(webhook_endpoint.value.max_events_per_batch, null) + preferred_batch_size_in_kilobytes = try(webhook_endpoint.value.preferred_batch_size_in_kilobytes, null) + active_directory_tenant_id = try(webhook_endpoint.value.active_directory_tenant_id, null) + active_directory_app_id_or_uri = try(webhook_endpoint.value.active_directory_app_id_or_uri, null) + } + } + included_event_types = try(var.settings.included_event_types, null) + + dynamic "advanced_filter" { + for_each = try(var.settings.advanced_filter, null) != null ? [var.settings.advanced_filter] : [] + content { + dynamic "bool_equals" { + for_each = try(var.settings.bool_equals, null) != null ? [var.settings.bool_equals] : [] + content { + key = try(bool_equals.value.subject_begins_with, null) + value = try(bool_equals.value.subject_ends_with, null) + } + } + dynamic "number_greater_than" { + for_each = try(var.settings.number_greater_than, null) != null ? 
[var.settings.number_greater_than] : [] + content { + key = try(number_greater_than.value.subject_begins_with, null) + value = try(number_greater_than.value.subject_ends_with, null) + + } + } + dynamic "number_greater_than_or_equals" { + for_each = try(var.settings.number_greater_than_or_equals, null) != null ? [var.settings.number_greater_than_or_equals] : [] + content { + key = try(number_greater_than_or_equals.value.subject_begins_with, null) + value = try(number_greater_than_or_equals.value.subject_ends_with, null) + } + } + dynamic "number_less_than" { + for_each = try(var.settings.number_less_than, null) != null ? [var.settings.number_less_than] : [] + content { + key = try(number_less_than.value.subject_begins_with, null) + value = try(number_less_than.value.subject_ends_with, null) + } + } + dynamic "number_less_than_or_equals" { + for_each = try(var.settings.number_less_than_or_equals, null) != null ? [var.settings.number_less_than_or_equals] : [] + content { + key = try(number_less_than.value.number_less_than_or_equals, null) + value = try(number_less_than.value.number_less_than_or_equals, null) + } + } + dynamic "number_in" { + for_each = try(var.settings.number_in, null) != null ? [var.settings.number_in] : [] + content { + key = try(number_less_than.value.number_in, null) + values = try(number_less_than.value.number_in, null) + } + } + dynamic "number_not_in" { + for_each = try(var.settings.number_not_in, null) != null ? [var.settings.number_not_in] : [] + content { + key = try(number_less_than.value.number_not_in, null) + values = try(number_less_than.value.number_not_in, null) + } + } + dynamic "number_in_range" { + for_each = try(var.settings.number_in_range, null) != null ? [var.settings.number_in_range] : [] + content { + key = try(number_less_than.value.number_in_range, null) + values = try(number_less_than.value.number_in_range, null) + } + } + dynamic "number_not_in_range" { + for_each = try(var.settings.number_not_in_range, null) != null ? 
[var.settings.number_not_in_range] : [] + content { + key = try(number_less_than.value.number_not_in_range, null) + values = try(number_less_than.value.number_not_in_range, null) + } + } + dynamic "string_begins_with" { + for_each = try(var.settings.string_begins_with, null) != null ? [var.settings.string_begins_with] : [] + content { + key = try(number_less_than.value.string_begins_with, null) + values = try(number_less_than.value.string_begins_with, null) + } + } + dynamic "string_not_begins_with" { + for_each = try(var.settings.string_not_begins_with, null) != null ? [var.settings.string_not_begins_with] : [] + content { + key = try(number_less_than.value.string_not_begins_with, null) + values = try(number_less_than.value.string_not_begins_with, null) + } + } + dynamic "string_ends_with" { + for_each = try(var.settings.string_ends_with, null) != null ? [var.settings.string_ends_with] : [] + content { + key = try(number_less_than.value.string_ends_with, null) + values = try(number_less_than.value.string_ends_with, null) + } + } + dynamic "string_not_ends_with" { + for_each = try(var.settings.string_not_ends_with, null) != null ? [var.settings.string_not_ends_with] : [] + content { + key = try(number_less_than.value.string_not_ends_with, null) + values = try(number_less_than.value.string_not_ends_with, null) + } + } + dynamic "string_contains" { + for_each = try(var.settings.string_contains, null) != null ? [var.settings.string_contains] : [] + content { + key = try(number_less_than.value.string_contains, null) + values = try(number_less_than.value.string_contains, null) + } + } + dynamic "string_not_contains" { + for_each = try(var.settings.string_not_contains, null) != null ? [var.settings.string_not_contains] : [] + content { + key = try(number_less_than.value.string_not_contains, null) + values = try(number_less_than.value.string_not_contains, null) + } + } + dynamic "string_in" { + for_each = try(var.settings.string_in, null) != null ? 
[var.settings.string_in] : [] + content { + key = try(number_less_than.value.string_in, null) + values = try(number_less_than.value.string_in, null) + } + } + dynamic "string_not_in" { + for_each = try(var.settings.string_not_in, null) != null ? [var.settings.string_not_in] : [] + content { + key = try(number_less_than.value.string_not_in, null) + values = try(number_less_than.value.string_not_in, null) + } + } + dynamic "is_not_null" { + for_each = try(var.settings.is_not_null, null) != null ? [var.settings.is_not_null] : [] + content { + key = try(number_less_than.value.is_not_null, null) + } + } + dynamic "is_null_or_undefined" { + for_each = try(var.settings.is_null_or_undefined, null) != null ? [var.settings.is_null_or_undefined] : [] + content { + key = try(number_less_than.value.is_null_or_undefined, null) + } + } + } + } + dynamic "delivery_identity" { + for_each = try(var.settings.delivery_identity, null) != null ? [var.settings.delivery_identity] : [] + content { + type = try(delivery_identity.value.type, null) + user_assigned_identity = try(delivery_identity.value.user_assigned_identity, null) + } + } + dynamic "delivery_property" { + for_each = try(var.settings.delivery_property, null) != null ? [var.settings.delivery_property] : [] + content { + header_name = try(delivery_property.value.header_name, null) + type = try(delivery_property.value.type, null) + value = try(delivery_property.value.value, null) + source_field = try(delivery_property.value.source_field, null) + secret = try(delivery_property.value.secret, null) + } + } + dynamic "dead_letter_identity" { + for_each = try(var.settings.dead_letter_identity, null) != null ? 
[var.settings.dead_letter_identity] : [] + content { + type = try(dead_letter_identity.value.type, null) + user_assigned_identity = try(dead_letter_identity.value.user_assigned_identity, null) + } + } + dynamic "storage_blob_dead_letter_destination" { + for_each = try(var.settings.storage_blob_dead_letter_destination, null) != null ? [var.settings.storage_blob_dead_letter_destination] : [] + content { + storage_account_id = try(storage_blob_dead_letter_destination.value.storage_account_id, null) + storage_blob_container_name = try(storage_blob_dead_letter_destination.value.storage_blob_container_name, null) + } + } + dynamic "storage_blob_dead_letter_destination" { + for_each = try(var.settings.storage_blob_dead_letter_destination, null) != null ? [var.settings.storage_blob_dead_letter_destination] : [] + content { + storage_account_id = try(storage_blob_dead_letter_destination.value.storage_account_id, null) + storage_blob_container_name = try(storage_blob_dead_letter_destination.value.storage_blob_container_name, null) + } + } + dynamic "retry_policy" { + for_each = try(var.settings.retry_policy, null) != null ? [var.settings.retry_policy] : [] + content { + max_delivery_attempts = try(retry_policy.value.max_delivery_attempts, null) + event_time_to_live = try(retry_policy.value.event_time_to_live, null) + } + } + labels = try(var.settings.labels, null) + advanced_filtering_on_arrays_enabled = try(var.settings.advanced_filtering_on_arrays_enabled, null) +} diff --git a/modules/messaging/eventgrid/eventgrid_system_event_subscription/output.tf b/modules/messaging/eventgrid/eventgrid_system_event_subscription/output.tf new file mode 100644 index 0000000000..979f441b76 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_event_subscription/output.tf @@ -0,0 +1,4 @@ +output "id" { + value = azurerm_eventgrid_system_topic_event_subscription.eges.id + description = "The ID of the EventGrid System Event Subscription." +} 
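Review bot: The `advanced_filter` block in module.tf is not wired to the data it is meant to read: every inner `dynamic` takes its `for_each` from `var.settings.<filter>` instead of `advanced_filter.value.<filter>`, `bool_equals` maps `key`/`value` to `subject_begins_with`/`subject_ends_with`, and from `number_less_than_or_equals` onward the `content` blocks dereference `number_less_than.value`, an iterator that is not in scope there, while assigning the same attribute to both `key` and `values`. Any configuration that sets one of those filters therefore fails to evaluate, and the ones that do evaluate produce the wrong filter. `dynamic "storage_blob_dead_letter_destination"` is also declared twice with identical content, so a configured dead-letter destination generates two blocks where the provider schema allows one; drop the second copy. In `storage_queue_endpoint`, the account id is read from `storage_queue_endpoint.value.queue_endpoint.storage_account.id` but the fallback from `storage_queue_endpoint.value.storage_account.key`, so one of the two paths is wrong and should be aligned. The corrected shape below is shown for the header and one filter type and needs to be applied to every filter block; each accepts a list in the provider schema, so iterating over `try(advanced_filter.value.<filter>, [])` also lets users define several.
```hcl
  dynamic "advanced_filter" {
    for_each = try(var.settings.advanced_filter, null) != null ? [var.settings.advanced_filter] : []
    content {
      # … unchanged: remaining filter types, each corrected the same way …
      dynamic "number_in" {
        for_each = try(advanced_filter.value.number_in, [])
        content {
          key    = number_in.value.key
          values = number_in.value.values
        }
      }
    }
  }
  # … unchanged: delivery_identity, delivery_property, dead_letter_identity …
  # (second, duplicate storage_blob_dead_letter_destination block removed)
```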
diff --git a/modules/messaging/eventgrid/eventgrid_system_event_subscription/variables.tf b/modules/messaging/eventgrid/eventgrid_system_event_subscription/variables.tf new file mode 100644 index 0000000000..b9514b9172 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_event_subscription/variables.tf @@ -0,0 +1,18 @@ +variable "global_settings" { + description = "Global settings object" +} +variable "client_config" { + description = "Client configuration object." +} +variable "settings" { + description = "(Required) Used to handle passthrough paramenters." +} +variable "remote_objects" { + description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." + default = {} +} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = map(any) + default = {} +} diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf new file mode 100644 index 0000000000..836b88d404 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf @@ -0,0 +1,14 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } + +} +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null)) +} diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic/module.tf new file mode 100644 index 0000000000..eb281653dd --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_topic/module.tf 
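Review bot: The `remote_objects` description in the new variables.tf is copied from a location variable ("Specifies the supported Azure location where to create the resource…") and says nothing about the variable; the identical text appears in eventgrid_system_topic/variables.tf in this commit. Replace it with something like `description = "Objects from other modules used to resolve references: resource_groups, eventgrid_system_topics, eventhubs, functions, hybrid_connections, storage_account_queues, servicebus_queues."`, and fix `paramenters` → `parameters` in the `settings` description. `base_tags` is declared with a `map(any)` type but none of the files added for this module reference it, so either wire it into the resource or drop the variable.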
@@ -0,0 +1,52 @@
+resource "azurecaf_name" "egt" {
+ name = var.settings.name
+ resource_type = "azurerm_eventgrid_topic"
+ prefixes = var.global_settings.prefixes
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+ use_slug = var.global_settings.use_slug
+}
+
+resource "azurerm_eventgrid_system_topic" "egt" {
+ name = azurecaf_name.egt.result
+ resource_group_name = can(var.settings.resource_group.name) ? var.settings.resource_group.name : var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name
+ location = var.location
+
+ source_arm_resource_id = try(
+ var.settings.source_resource_id,
+ var.remote_objects[var.settings.source_resource.type][try(var.settings.source_resource.lz_key, var.client_config.landingzone_key)][var.settings.source_resource.key].id,
+ null
+ )
+
+ # topic_type can be one of these, more resource types can be supported
+ # Microsoft.AppConfiguration.ConfigurationStores
+ # Microsoft.Communication.CommunicationServices
+ # Microsoft.ContainerRegistry.Registries
+ # Microsoft.Devices.IoTHubs
+ # Microsoft.EventGrid.Domains
+ # Microsoft.EventGrid.Topics
+ # Microsoft.Eventhub.Namespaces
+ # Microsoft.KeyVault.vaults
+ # Microsoft.MachineLearningServices.Workspaces
+ # Microsoft.Maps.Accounts
+ # Microsoft.Media.MediaServices
+ # Microsoft.Resources.ResourceGroups
+ # Microsoft.Resources.Subscriptions
+ # Microsoft.ServiceBus.Namespaces
+ # Microsoft.SignalRService.SignalR
+ # Microsoft.Storage.StorageAccounts
+ # Microsoft.Web.ServerFarms
+ # Microsoft.Web.Sites
+ topic_type = var.settings.topic_type
+
+ dynamic "identity" {
+ for_each = try(var.settings.identity, null) != null ? [var.settings.identity] : []
+ content {
+ type = try(identity.value.type, null)
+ identity_ids = try(identity.value.identity_ids, null)
+ }
+ }
+
+ tags = local.tags
+}
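Review bot: The trailing `null` in the `source_arm_resource_id` `try(...)` turns a mistyped `source_resource.type`, `lz_key` or `key` into a null value instead of an error at the lookup, so a misconfigured reference is reported (if at all) as a provider complaint about the argument rather than at the line that is wrong; dropping the `null` keeps the two intended sources and lets a bad key fail where it is written. The azurecaf name is generated with `resource_type = "azurerm_eventgrid_topic"` for a system topic; if that slug is deliberate, a one-line comment such as `# system topics share the eventgrid topic naming slug` would stop the next reader from changing it. The `topic_type` comment lists accepted values without saying where the list comes from, so it will drift silently; a pointer to its source would help keep it current.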
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/output.tf b/modules/messaging/eventgrid/eventgrid_system_topic/output.tf
new file mode 100644
index 0000000000..8306f0555f
--- /dev/null
+++ b/modules/messaging/eventgrid/eventgrid_system_topic/output.tf
@@ -0,0 +1,12 @@
+output "id" {
+ value = azurerm_eventgrid_system_topic.egt.id
+ description = "The EventGrid System Topic ID."
+}
+output "name" {
+ value = azurerm_eventgrid_system_topic.egt.name
+ description = "The EventGrid System Topic Name."
+}
+output "identity" {
+ value = azurerm_eventgrid_system_topic.egt.identity
+ description = "An `identity` block as defined below, which contains the Managed Service Identity information for this Event Grid System Topic."
+}
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf b/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf
new file mode 100644
index 0000000000..62afdf0290
--- /dev/null
+++ b/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf
@@ -0,0 +1,22 @@
+variable "global_settings" {
+ description = "Global settings object"
+}
+variable "client_config" {
+ description = "Client configuration object."
+}
+variable "settings" {
+ description = "(Required) Used to handle passthrough paramenters."
+}
+variable "remote_objects" {
+ description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
+ default = {}
+}
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = map(any)
+ default = {}
+}
+variable "location" {
+ description = "Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
+ default = null
+}
From ab3a3d4c8d4c8f3cae6f5a2b1f8afb9ad07b4af5 Mon Sep 17 00:00:00 2001
From: Janik Muenk Date: Thu, 10 Nov 2022 13:39:56 +0000 Subject: [PATCH 114/244] adding option to reference a group id in azuread_groups_membership adding option to use services_roles for scopes shared_image_galleries and virtual_machine_scale_sets adding combined objects --- azuread_groups.tf | 2 +- locals.combined_objects.tf | 2 ++ .../groups_members/azuread_groups_membership.tf | 4 ++-- roles.tf | 13 +++++++++---- 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/azuread_groups.tf b/azuread_groups.tf index acadabbd69..90cc7d4ac4 100644 --- a/azuread_groups.tf +++ b/azuread_groups.tf @@ -41,7 +41,7 @@ module "azuread_groups_membership" { client_config = local.client_config group_key = try(each.value.key, each.key) # Make it possible to have orphen name of top level keys, useful when you have group keys with same name in different LZs settings = each.value - group_id = local.combined_objects_azuread_groups[try(each.value.group_lz_key, local.client_config.landingzone_key)][each.key].id + group_id = try(try(try(module.azuread_groups[each.key].id, local.combined_objects_azuread_groups[try(each.value.group_lz_key, null)][each.key].id), each.value.group_id, null)) azuread_groups = local.combined_objects_azuread_groups azuread_service_principals = local.combined_objects_azuread_service_principals managed_identities = local.combined_objects_managed_identities diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 8c2f27186a..10ec67949b 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
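Review bot: The new `group_id` expression tries `module.azuread_groups[each.key].id` before `each.value.group_id`, so an explicit `group_id` in the settings is only honoured when no local or remote group happens to share the entry's key; a key collision silently adds the members to the local group instead of the one the caller pointed at, which for a group-membership resource is a misassignment rather than an error. The nested `try(try(try(a, b), c, null))` is equivalent to a single `try(a, b, c, null)`, and the `group_lz_key` fallback changed from `local.client_config.landingzone_key` to `null`, so when `group_lz_key` is unset the remote lookup indexes the map with a null key and that branch can only fail. I would evaluate the explicit id first and keep the landing-zone default: `group_id = try(each.value.group_id, module.azuread_groups[each.key].id, local.combined_objects_azuread_groups[try(each.value.group_lz_key, local.client_config.landingzone_key)][each.key].id, null)`.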
@@ -52,6 +52,7 @@ locals { combined_objects_container_app_environment_storages = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_storages }), lookup(var.remote_objects, "container_app_environment_storages", {})) combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = module.cosmos_dbs }), lookup(var.remote_objects, "cosmos_dbs", {}), lookup(var.data_sources, "cosmos_dbs", {})) combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), lookup(var.remote_objects, "cosmosdb_sql_databases", {})) + combined_objects_custom_roles = merge(tomap({ (local.client_config.landingzone_key) = module.custom_roles }), try(var.remote_objects.custom_roles, {})) combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = merge(module.data_factory, lookup(var.data_sources, "data_factory", {})) }), lookup(var.remote_objects, "data_factory", {})) combined_objects_data_factory_integration_runtime_azure_ssis = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_azure_ssis }), lookup(var.remote_objects, "combined_objects_data_factory_integration_runtime_azure_ssis", {})) combined_objects_data_factory_integration_runtime_self_hosted = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_self_hosted }), lookup(var.remote_objects, "data_factory_integration_runtime_self_hosted", {})) 
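Review bot: The added `combined_objects_custom_roles` uses `try(var.remote_objects.custom_roles, {})` while every neighbouring entry uses `lookup(var.remote_objects, "<name>", {})`; the result is the same here, but mixing the two forms makes the block harder to scan, so I would write `lookup(var.remote_objects, "custom_roles", {})` (the `combined_objects_shared_image_galleries` line in the next hunk has the same inconsistency and is also inserted between `storage_account_file_shares` and `storage_account_queues`, out of the alphabetical order the rest of the block keeps). The commit message also mentions virtual_machine_scale_sets and the roles.tf hunk further down reads `local.combined_objects_virtual_machine_scale_sets`, but no such local is added in these hunks, so it must already exist elsewhere in this file for the plan to succeed.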
@@ -156,6 +157,7 @@ locals { combined_objects_servicebus_topics = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_topics }), lookup(var.remote_objects, "servicebus_topics", {}), lookup(var.data_sources, "servicebus_topics", {})) combined_objects_signalr_services = merge(tomap({ (local.client_config.landingzone_key) = module.signalr_services }), lookup(var.remote_objects, "signalr_services", {}), lookup(var.data_sources, "signalr_services", {})) combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), lookup(var.remote_objects, "storage_account_file_shares", {})) + combined_objects_shared_image_galleries = merge(tomap({ (local.client_config.landingzone_key) = module.shared_image_galleries }), try(var.remote_objects.shared_image_galleries, {})) combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), lookup(var.remote_objects, "storage_account_queues", {})) combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = merge(module.storage_accounts, lookup(var.data_sources, "storage_accounts", {})) }), lookup(var.remote_objects, "storage_accounts", {})) combined_objects_storage_containers = merge(tomap({ (local.client_config.landingzone_key) = module.storage_containers }), lookup(var.remote_objects, "storage_containers", {}), lookup(var.data_sources, "storage_containers", {})) diff --git a/modules/azuread/groups_members/azuread_groups_membership.tf b/modules/azuread/groups_members/azuread_groups_membership.tf index 6d02f337dc..fbd295f91c 100644 --- a/modules/azuread/groups_members/azuread_groups_membership.tf +++ b/modules/azuread/groups_members/azuread_groups_membership.tf 
@@ -17,7 +17,7 @@ module "azuread_service_principals_membership" { azuread_service_principals = var.azuread_service_principals[try(each.value.lz_key, var.client_config.landingzone_key)] members = each.value - group_object_id = var.azuread_groups[try(each.value.group_lz_key, var.client_config.landingzone_key)][var.group_key].id + group_object_id = can(var.group_id) ? var.group_id : var.azuread_groups[try(var.settings.group_lz_key, var.client_config.landingzone_key)][var.group_key].id } module "managed_identities_membership" { @@ -27,7 +27,7 @@ module "managed_identities_membership" { managed_identities = var.managed_identities[try(each.value.lz_key, var.client_config.landingzone_key)] members = each.value - group_object_id = var.azuread_groups[try(each.value.group_lz_key, var.client_config.landingzone_key)][var.group_key].id + group_object_id = can(var.group_id) ? var.group_id : var.azuread_groups[try(var.settings.group_lz_key, var.client_config.landingzone_key)][var.group_key].id } module "mssql_servers_membership" { diff --git a/roles.tf b/roles.tf index 987f4b8b54..c2dbbda358 100644 --- a/roles.tf +++ b/roles.tf 
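Review bot: `can(var.group_id)` is true for any declared variable, including one whose value is null, because referencing a declared variable never raises an error; the fallback after `:` is therefore unreachable and a null `group_id` from the caller is passed straight through as `group_object_id`. Both hunks should test the value rather than the expression: `group_object_id = var.group_id != null ? var.group_id : var.azuread_groups[try(var.settings.group_lz_key, var.client_config.landingzone_key)][var.group_key].id`. The diffstat for this commit touches no variables file under modules/azuread/groups_members, so `group_id` (and `settings`) must already be declared there with a null default for this module to validate.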
@@ -21,7 +21,7 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null + role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } 
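Review bot: The `try(module.custom_roles[...], local.combined_objects_custom_roles[each.value.role_lz_key][...])` fallback gives a custom role defined in this landing zone precedence over one the mapping explicitly addresses with `role_lz_key`, so a role name shared across landing zones assigns the local definition without any diagnostic; the same expression is repeated in `for_deferred` in the next hunk. When `role_lz_key` is unset the second alternative indexes with a null key, so `try()` also hides a genuinely mistyped `role_definition_name` behind the failure of the last alternative. Since the locals hunk above puts `module.custom_roles` under the current landing-zone key in `combined_objects_custom_roles`, a single keyed lookup is both deterministic and shorter: `role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null`.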
@@ -33,7 +33,7 @@ resource "azurerm_role_assignment" "for_deferred" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null + role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles_deferred[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles_deferred[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } @@ -98,7 +98,9 @@ locals { # Nested objects that must be processed after the services_roles services_roles_deferred = { - storage_containers = local.combined_objects_storage_containers + storage_containers = local.combined_objects_storage_containers + azuread_groups = local.combined_objects_azuread_groups + azuread_service_principals = local.combined_objects_azuread_service_principals storage_account_file_shares = local.combined_objects_storage_account_file_shares } 
@@ -158,12 +160,14 @@ locals { purview_accounts = local.combined_objects_purview_accounts recovery_vaults = local.combined_objects_recovery_vaults resource_groups = local.combined_objects_resource_groups + shared_image_galleries = local.combined_objects_shared_image_galleries route_tables = local.combined_objects_route_tables servicebus_namespaces = local.combined_objects_servicebus_namespaces servicebus_topics = local.combined_objects_servicebus_topics storage_accounts = local.combined_objects_storage_accounts subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces + virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets virtual_subnets = local.combined_objects_virtual_subnets wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications @@ -227,13 +231,14 @@ locals { mode = key_mode # "mode" = "built_in_role_mapping" scope_resource_key = key scope_lz_key = try(role_mapping.lz_key, null) + role_lz_key = try(resources.role_lz_key, null) scope_key_resource = scope_key_resource role_definition_name = role_definition_name object_id_resource_type = object_id_key object_id_key_resource = object_id_key_resource # "object_id_key_resource" = "aks_admins" object_id_lz_key = try(object_resources.lz_key, null) } - ] + ] if object_id_key != "role_lz_key" ] if role_definition_name != "lz_key" ] ] From 7d2d343543c4fed3c7f367f9afa4b941e70e6119 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Thu, 10 Nov 2022 13:58:23 +0000 Subject: [PATCH 115/244] adding example --- .../104-azuread-group-membership/configuration.tfvars | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/examples/azuread/104-azuread-group-membership/configuration.tfvars b/examples/azuread/104-azuread-group-membership/configuration.tfvars index e6eb427fe4..62bbae67ba 100644 --- a/examples/azuread/104-azuread-group-membership/configuration.tfvars 
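Review bot: `role_lz_key = try(resources.role_lz_key, null)` reads a control key out of the same map whose other keys are iterated as object-id resource types, and only the two comprehension filters `if object_id_key != "role_lz_key"` and `if role_definition_name != "lz_key"` keep those keys from being treated as data; nothing in the hunk explains this, so a comment on the `role_lz_key` line such as `# "role_lz_key" (and "lz_key" one level up) are reserved keys of the mapping and are excluded from the resource iteration by the filters below` would save the next reader a trace. In the services_roles hunk `shared_image_galleries` is inserted after `resource_groups` and before `route_tables`, out of the alphabetical order the map otherwise keeps. The enclosing `locals` block starts and ends outside both hunks.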
+++ b/examples/azuread/104-azuread-group-membership/configuration.tfvars @@ -51,6 +51,14 @@ azuread_groups_membership = { } } } + ad_group_referenced_by_id = { + group_id = "xxxxxxx-yyyy-zzzz-92e4-e32193379dbf" + managed_identities = { + managed_identities = { + keys = ["level4_provisioner"] + } + } + } # ad_group2 = { # ad group key # # group_lz_key = "" # group lz_key # members = { From 35cea494a9889e035a13e6e65c87c529527d8361 Mon Sep 17 00:00:00 2001 From: Nick Metz Date: Fri, 4 Nov 2022 11:41:56 +0100 Subject: [PATCH 116/244] Add vm-linux_diagnostic_extensions #1423 --- .github/workflows/standalone-scenarios.json | 78 +++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 2bd6a3da02..1f8d6fce8b 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
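Review bot: The example's `group_id = "xxxxxxx-yyyy-zzzz-92e4-e32193379dbf"` is not a valid object id, and azuread/104-azuread-group-membership is added to the standalone-scenarios list in a later commit on this page, so an apply of this example presumably cannot succeed as written; a comment marking the value as a placeholder to be replaced with the target group's object id would make that explicit. It would also help to note next to `group_id` that the root module only falls back to it when no group with the key `ad_group_referenced_by_id` exists locally or under `group_lz_key`, since that precedence is not obvious from the example.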
@@ -31,6 +31,84 @@ "automation/104-automation-schedule-runbook", "communication/communication_services/101-communication_service", "diagnostics_profiles/100-multiple-destinations", + "compute/availability_set/100-simple-availabilityset", + "compute/availability_set/101-availabilityset-with-proximity-placement-group", + "compute/azure_virtual_desktop/wvd_resources", + "compute/azure_redhat_openshift/101_basic_private_cluster", + "compute/azure_redhat_openshift/102_basic_public_cluster", + "compute/batch/batch_account/100-batch-account-storage", + "compute/batch/batch_account/100-batch-account", + "compute/batch/batch_account/200-batch-account-private-endpoint", + "compute/batch/batch_application/100-batch-application", + "compute/container_groups/100-aci-rover-github-runner", + "compute/container_groups/101-aci-nginx", + "compute/container_registry/100-simple-acr", + "compute/container_registry/200-acr-private-link", + "compute/container_registry/200-acr-vnet", + "compute/dedicated_hosts/101-dedicated-host", + "compute/dedicated_hosts/102-dedicated-host-vms", + "compute/kubernetes_services/101-single-cluster", + "compute/kubernetes_services/102-multi-nodepools", + "compute/kubernetes_services/103-multi-clusters", + "compute/kubernetes_services/104-private-cluster", + "compute/kubernetes_services/105-cluster-usermsi", + "compute/kubernetes_services/107-agic-brownfield", + "compute/proximity_placement_group", + "compute/virtual_machine_scale_set/100-linux-win-vmss-lb", + "compute/virtual_machine_scale_set/101-linux-win-vmss-agw", + "compute/virtual_machine_scale_set/102-linux-win-vmss-custom-script-extension", + "compute/virtual_machine_scale_set/104-linux-win-vmss-as-lb", + "compute/virtual_machine_scale_set/106-linux-win-vmss-lb", + "compute/virtual_machine_scale_set/106-vmss_monitoring", + "compute/virtual_machine_scale_set/107-linux-win-vmss-application-health-extension", + "compute/virtual_machine_scale_set/108-linux-win-vmss-keyvault-extension", + 
"compute/virtual_machine/101-single-windows-vm", + "compute/virtual_machine/102-single-vm-data-disks", + "compute/virtual_machine/104-single-windows-backup", + "compute/virtual_machine/108-mssql-vm", + "compute/virtual_machine/110-win-linuxvm-custom-script-extension", + "compute/virtual_machine/210-vm-bastion-winrm", + "compute/virtual_machine/213-vm_generic_extensions", + "compute/virtual_machine/214-vm-generic_extensions_complex", + "compute/virtual_machine/215-vm-keyvault-for-windows-extension", + "compute/virtual_machine/216-vm-linux_diagnostic_extensions", + "cosmos_db/100-simple-cosmos-db-cassandra", + "cosmos_db/100-simple-cosmos-db-gremlin", + "cosmos_db/100-simple-cosmos-db-mongo", + "cosmos_db/100-simple-cosmos-db-sql", + "cosmos_db/100-simple-cosmos-db-table", + "cosmos_db/101-decomposed-cosmosdb-sql", + "cosmos_db/101-private-endpoint-cosmos-db", + "data_explorer/101-kusto_clusters_basic", + "data_explorer/102-kusto_clusters_vnet", + "data_explorer/103-kusto_clusters_identity", + "data_explorer/104-kusto_cluster_database", + "data_explorer/105-kusto_attached_database_configuration", + "data_explorer/106-database_principal_assignment", + "data_factory/101-data_factory", + "data_factory/102-data_factory_pipeline", + "data_factory/103-data_factory_trigger_schedule", + "data_factory/104-data_factory_dataset_azure_blob", + "data_factory/105-data_factory_dataset_cosmosdb_sqlapi", + "data_factory/106-data_factory_dataset_delimited_text", + "data_factory/107-data_factory_dataset_http", + "data_factory/108-data_factory_dataset_json", + "data_factory/109-data_factory_dataset_mysql", + "data_factory/110-data_factory_dataset_postgresql", + "data_factory/111-data_factory_dataset_sql_server_table", + "data_factory/112-data_factory_integration_runtime_azure_ssis", + "data_factory/113-data_factory_integration_runtime_azure_ssis_mssql_server", + "data_factory/114-data_factory_integration_runtime_self_hosted", + 
"data_factory/115-data_factory_runtime_self_hoste_databricks", + "data_factory/116-data_factory_linked_service_azure_databricks", + "data_protection/100-backup-vault-blob-storage", + "data_protection/101-backup-vault-disk", + "database_migration_services/100-dms", + "databricks/100-standard-databricks-no-vnet", + "databricks/101-standard-databricks-vnet", + "databricks/102-premium-aml", + "databricks/102-premium-databricks-vnet-private-endpoint", + "datalake/101-datalake-storage", "diagnostics_profiles/100-multiple-destinations", "diagnostics_profiles/101-log-analytics-destination-type-profile", "diagnostics_profiles/200-diagnostics-eventhub-namespaces", From c919c3290e92cc7f8a939df5eaf689431404684f Mon Sep 17 00:00:00 2001 From: Simon Schneider Date: Fri, 11 Nov 2022 07:37:19 +0100 Subject: [PATCH 117/244] Add optional_claims for azuread applications (#1414) * add optional_claims for azuread applications * no optional_claims struct when empty Co-authored-by: Simon Schneider --- .github/workflows/standalone-scenarios.json | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json index 1f8d6fce8b..6f6380c0bf 100644 --- a/.github/workflows/standalone-scenarios.json +++ b/.github/workflows/standalone-scenarios.json 
@@ -29,6 +29,15 @@ "automation/102-automation-msi", "automation/103-automation-private-endpoints", "automation/104-automation-schedule-runbook", + "azuread/100-azuread-application-with-sevice-principle-with-builtin-roles", + "azuread/100-sevice-principle-with-builtin-roles", + "azuread/101-azuread-application-with-service-principle-with-custom-roles", + "azuread/101-service-principle-with-custom-roles", + "azuread/102-password-rotation", + "azuread/103-service-principal-only", + "azuread/104-azuread-group-membership", + "azuread/105-azuread-application-with-optional-claims", + "azuread/201-groups-and-roles", "communication/communication_services/101-communication_service", "diagnostics_profiles/100-multiple-destinations", "compute/availability_set/100-simple-availabilityset", From 010f9c041d400aaecbfdca450d7ae6ed7fc24deb Mon Sep 17 00:00:00 2001 From: Adam Cain Date: Mon, 17 Oct 2022 18:03:02 +0100 Subject: [PATCH 118/244] Add Logic App Standard with vnet integration --- .../configuration.tfvars | 4 ++-- locals.combined_objects.tf | 1 + modules/logic_app/standard/module.tf | 8 +++----- modules/logic_app/standard/private_endpoint.tf | 11 +++++------ 4 files changed, 11 insertions(+), 13 deletions(-) diff --git a/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars b/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars index 56b3759d83..9cf6ed3f61 100644 --- a/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars +++ b/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars @@ -6,7 +6,7 @@ global_settings = { } resource_groups = { - rg1 = { # Provisioned by platform team @ level 3 for your shared resorces + rg1 = { # Provisioned by platform team @ level 3 for your shared resorces name = "rg-logic-app" } } 
@@ -48,7 +48,7 @@ logic_app_standard = { } app_settings = { - "FUNCTIONS_WORKER_RUNTIME" = "node", + "FUNCTIONS_WORKER_RUNTIME" = "node", "WEBSITE_NODE_DEFAULT_VERSION" = "~14", } diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 10ec67949b..df43e59145 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -113,6 +113,7 @@ locals { combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), lookup(var.remote_objects, "logic_app_integration_account", {}), lookup(var.data_sources, "logic_app_integration_account", {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), lookup(var.remote_objects, "logic_app_standard", {})) combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), lookup(var.remote_objects, "logic_app_workflow", {}), lookup(var.data_sources, "logic_app_workflow", {})) + combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), lookup(var.remote_objects, "machine_learning_workspaces", {}), lookup(var.data_sources, "machine_learning_workspaces", {})) combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), lookup(var.remote_objects, "maintenance_configuration", {})) combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), lookup(var.remote_objects, "maintenance_assignment_virtual_machine", {})) 
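Review bot: The added `combined_objects_logic_app_standard` line redefines an attribute that is already set two lines earlier in the same `locals` block (the context line using `lookup(var.remote_objects, "logic_app_standard", {})`), and HCL rejects a repeated attribute name within one block, so this file will not parse; drop the added line, or if the `try(var.remote_objects.logic_app_standard, {})` form was the intended replacement, change the existing line in place instead of adding a second one.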
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 5f0b47d1bc..d9362c1ad3 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -45,11 +45,9 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) - + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index d46c41e327..67a8defb52 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf 
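Review bot: Removing `count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0` makes the swift connection unconditional, so every Logic App Standard instance now attempts VNet integration and evaluates `var.vnet_integration.subnet_id` even when the caller configured none; the follow-up commit on this page restores the `count`, which suggests the removal was not intended. Separately, the guard keys off `var.settings.vnet_integration` while the `subnet_id` expression reads `var.vnet_integration`; if those are the same object passed twice, a comment saying so, or reading `var.settings.vnet_integration` throughout, would remove the ambiguity.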
@@ -14,10 +14,9 @@ module "private_endpoint" { try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config - + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config } \ No newline at end of file From 0846f96bc5d0c84f148a88408cc7f7f334148f60 Mon Sep 17 00:00:00 2001 From: Adam Cain Date: Tue, 18 Oct 2022 09:52:32 +0100 Subject: [PATCH 119/244] Add count conditional --- modules/logic_app/standard/module.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index d9362c1ad3..3c93589a93 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -46,6 +46,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, From 69ae91e5c46cd1f511df9dc0a633f435516362c2 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 11 Nov 2022 07:57:38 +0000 Subject: [PATCH 120/244] Iterate on #1395 --- modules/logic_app/standard/module.tf | 8 ++++---- modules/logic_app/standard/private_endpoint.tf | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 3c93589a93..277e81dc13 100644 
--- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -45,10 +45,10 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index 67a8defb52..ec7bfdace4 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf 
@@ -14,9 +14,9 @@ module "private_endpoint" { try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config } \ No newline at end of file From 413674cc8fc4af01b98e9247de282e63adfc6aad Mon Sep 17 00:00:00 2001 From: Adam Cain <72016306+adamcaino@users.noreply.github.com> Date: Fri, 11 Nov 2022 08:03:33 +0000 Subject: [PATCH 121/244] Add Logic App Standard with vnet integration (#1395) Co-authored-by: Arnaud Lheureux --- modules/logic_app/standard/module.tf | 9 +++++---- modules/logic_app/standard/private_endpoint.tf | 10 +++++----- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 277e81dc13..a2391387a2 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf 
@@ -45,10 +45,11 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index ec7bfdace4..67a8defb52 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf 
@@ -14,9 +14,9 @@ module "private_endpoint" { try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config } \ No newline at end of file From 3be0c15c7a7370c293c14c6ea192021bcc64c516 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Wed, 16 Nov 2022 10:43:37 +0000 Subject: [PATCH 122/244] removing virtual_machine_scale_sets from roles.tf - it is causing cyclic dependencies --- locals.combined_objects.tf | 1 + .../groups_members/membership/membership.tf | 2 +- roles.tf | 14 +++++++++----- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index df43e59145..5146c160dc 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -201,3 +201,4 @@ locals { ) } + \ No newline at end of file diff --git a/modules/azuread/groups_members/membership/membership.tf b/modules/azuread/groups_members/membership/membership.tf index b543a572d7..ceec908b2d 100644 --- a/modules/azuread/groups_members/membership/membership.tf +++ b/modules/azuread/groups_members/membership/membership.tf @@ -24,4 +24,4 @@ resource "azuread_group_member" "mssql_server_ids" { group_object_id = var.group_object_id member_object_id = var.mssql_servers[each.key].rbac_id -} \ No newline at end of file +} diff --git a/roles.tf b/roles.tf index c2dbbda358..9fe6ff25a4 100644 --- a/roles.tf +++ b/roles.tf @@ -8,6 +8,10 @@ module "custom_roles" { assignable_scopes = local.assignable_scopes[each.key] } +output "custom_roles" { + value = module.custom_roles +} + # # Roles assignments # 
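Review bot: The new `output "custom_roles"` carries no `description`, and because it publishes the whole `module.custom_roles` object a consumer cannot tell from the output which attribute it is meant to read. Suggest `description = "Custom role definitions created in this landing zone, keyed by role key; role assignments read role_definition_resource_id."` inside the block. The `module "custom_roles"` block whose closing lines open the hunk starts before it.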
@@ -21,11 +25,12 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null + role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } + resource "azurerm_role_assignment" "for_deferred" { for_each = { for key, value in try(local.roles_to_process, {}) : key => value 
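Review bot: The rewritten `role_definition_id` line evaluates `each.value.role_lz_key != null` outside any `try()`, so an entry of `local.roles_to_process` that has no `role_lz_key` attribute at all now fails the plan with an unsupported-attribute error, where the removed `try(module.custom_roles[...], ...)` form fell back to the local landing zone; whether every entry carries that attribute is not visible here, so confirm it against the local that builds `roles_to_process`. `try(each.value.role_lz_key, null) != null ? each.value.role_lz_key : var.current_landingzone_key` as the map key keeps the explicit lz-key resolution while tolerating entries without it. The commit title only mentions `virtual_machine_scale_sets`, so this behaviour change deserves its own sentence in the message. `azurerm_role_assignment.for` starts before the hunk and `for_deferred` continues after it.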
@@ -98,9 +103,9 @@ locals { # Nested objects that must be processed after the services_roles services_roles_deferred = { - storage_containers = local.combined_objects_storage_containers - azuread_groups = local.combined_objects_azuread_groups - azuread_service_principals = local.combined_objects_azuread_service_principals + storage_containers = local.combined_objects_storage_containers + azuread_groups = local.combined_objects_azuread_groups + azuread_service_principals = local.combined_objects_azuread_service_principals storage_account_file_shares = local.combined_objects_storage_account_file_shares } @@ -167,7 +172,6 @@ locals { storage_accounts = local.combined_objects_storage_accounts subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces - virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets virtual_subnets = local.combined_objects_virtual_subnets wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications From c961345fe6ee7e134fd9af2025270fd02e174c87 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Fri, 25 Nov 2022 15:42:03 +0000 Subject: [PATCH 123/244] this works for me right now --- roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles.tf b/roles.tf index 9fe6ff25a4..95eb219756 100644 --- a/roles.tf +++ b/roles.tf 
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null + role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } From 3f705b332190d9046b23afbe9da913f62eb2c722 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Mon, 28 Nov 2022 12:22:12 +0000 Subject: [PATCH 124/244] adding group_lz_key on service_principals object --- modules/azuread/groups_members/azuread_groups_membership.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/azuread/groups_members/azuread_groups_membership.tf b/modules/azuread/groups_members/azuread_groups_membership.tf index fbd295f91c..36abb36f36 100644 --- a/modules/azuread/groups_members/azuread_groups_membership.tf 
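Review bot: The restored `role_definition_id` expression tries `module.custom_roles[each.value.role_definition_name]` first and only falls back to `local.combined_objects_custom_roles[each.value.role_lz_key]` when that errors, so when `role_lz_key` names a remote landing zone and a custom role with the same `role_definition_name` also exists locally, the assignment is silently bound to the local definition rather than the one the mapping asked for. Since this decides which permissions a principal receives, the lz key should drive the choice the way `principal_id` and `scope` on the neighbouring lines already do, e.g. `role_definition_id = each.value.mode == "custom_role_mapping" ? (try(each.value.role_lz_key, null) == null ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null`. The commit message does not say what failed with the previous form; recording that would help whoever touches this line next. The resource starts before the hunk.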
+++ b/modules/azuread/groups_members/azuread_groups_membership.tf @@ -17,7 +17,7 @@ module "azuread_service_principals_membership" { azuread_service_principals = var.azuread_service_principals[try(each.value.lz_key, var.client_config.landingzone_key)] members = each.value - group_object_id = can(var.group_id) ? var.group_id : var.azuread_groups[try(var.settings.group_lz_key, var.client_config.landingzone_key)][var.group_key].id + group_object_id = var.group_id != null ? var.group_id : try(try(var.azuread_groups[var.settings.group_lz_key], var.azuread_groups[var.settings["azuread_service_principals"][each.key].group_lz_key]), var.azuread_groups[var.client_config.landingzone_key])[var.group_key].id } module "managed_identities_membership" { @@ -27,7 +27,7 @@ module "managed_identities_membership" { managed_identities = var.managed_identities[try(each.value.lz_key, var.client_config.landingzone_key)] members = each.value - group_object_id = can(var.group_id) ? var.group_id : var.azuread_groups[try(var.settings.group_lz_key, var.client_config.landingzone_key)][var.group_key].id + group_object_id = var.group_id != null ? var.group_id : try(try(var.azuread_groups[var.settings.group_lz_key], var.azuread_groups[var.settings["managed_identities"][each.key].group_lz_key]), var.azuread_groups[var.client_config.landingzone_key])[var.group_key].id } module "mssql_servers_membership" { @@ -37,7 +37,7 @@ module "mssql_servers_membership" { mssql_servers = var.mssql_servers[try(each.value.lz_key, var.client_config.landingzone_key)] members = each.value - group_object_id = var.azuread_groups[try(each.value.group_lz_key, var.client_config.landingzone_key)][var.group_key].id + group_object_id = var.group_id != null ? var.group_id : try(try(var.azuread_groups[var.settings.group_lz_key], var.azuread_groups[var.settings["mssql_servers"][each.key].group_lz_key]), var.azuread_groups[var.client_config.landingzone_key])[var.group_key].id } module "membership_object_id" { 
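Review bot: In all three new `group_object_id` lines the outer `try()` also catches a member-level `group_lz_key` that names a landing zone absent from `var.azuread_groups`, and then silently resolves to the current landing zone's group of the same `group_key`, so a typo adds the service principal, managed identity or SQL server to a different group than intended instead of failing the plan. The three expressions differ only in the settings key (`"azuread_service_principals"`, `"managed_identities"`, `"mssql_servers"`); hoisting the map selection into a `locals` entry keyed by member type would keep them in step and give one place to tighten the fallback. The precedence is not obvious from the nesting and deserves a comment: `# group lookup order: settings.group_lz_key, then the member's own group_lz_key, then the current landing zone`. Replacing `can(var.group_id)` with `var.group_id != null` is correct, since `can()` on a declared variable is always true. Each module block starts before its hunk, and `module "membership_object_id"` continues after the last one.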
From 9691b0575ea4444cb0926c32219936c1877941c2 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 11:17:12 +0200 Subject: [PATCH 125/244] Nailing the components which lead to cycle error --- roles.tf | 2 ++ virtual_machines_scale_sets.tf | 48 ++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 virtual_machines_scale_sets.tf diff --git a/roles.tf b/roles.tf index 95eb219756..58e81dfd73 100644 --- a/roles.tf +++ b/roles.tf @@ -177,6 +177,8 @@ locals { wvd_applications = local.combined_objects_wvd_applications wvd_host_pools = local.combined_objects_wvd_host_pools wvd_workspaces = local.combined_objects_wvd_workspaces + virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets + log_analytics = local.current_objects_log_analytics } current_objects_log_analytics = tomap( diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf new file mode 100644 index 0000000000..1fd18fa5f8 --- /dev/null +++ b/virtual_machines_scale_sets.tf 
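Review bot: `log_analytics = local.current_objects_log_analytics` is the only `services_roles` entry that is not a `combined_objects_*` map, so a role mapping that addresses a workspace in another landing zone through an `*_lz_key` will miss, because `azurerm_role_assignment.for` indexes `local.services_roles[type][lz_key]`; the `tomap(` that follows the hunk suggests it is keyed by the current landing zone only, which should be confirmed and stated on the line: `# current landing zone only; log_analytics cannot be referenced across landing zones here`. Re-adding `virtual_machine_scale_sets` restores the entry PATCH 122 removed for causing a cycle, and the commit title describes this as narrowing down the cycle, so it should be settled before merge. The `locals` block starts before the hunk.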
@@ -0,0 +1,48 @@ + + +module "virtual_machine_scale_sets" { + source = "./modules/compute/virtual_machine_scale_set" + depends_on = [ + module.availability_sets, + module.dynamic_keyvault_secrets, + module.keyvault_access_policies, + module.keyvault_access_policies_azuread_apps, + module.proximity_placement_groups, + # module.load_balancers, # This is used in line #32 and therefore should have the same issue + module.application_gateways, + module.application_security_groups, + #module.packer_service_principal, # This leads to cycle as well + #module.packer_build,# This leads to cycle as well + module.proximity_placement_groups + ] + for_each = local.compute.virtual_machine_scale_sets + + availability_sets = local.combined_objects_availability_sets + application_gateways = local.combined_objects_application_gateways + application_security_groups = local.combined_objects_application_security_groups + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + boot_diagnostics_storage_account = try(local.combined_diagnostics.storage_accounts[each.value.boot_diagnostics_storage_account_key].primary_blob_endpoint, {}) + client_config = local.client_config + diagnostics = local.combined_diagnostics + disk_encryption_sets = local.combined_objects_disk_encryption_sets + global_settings = local.global_settings + image_definitions = local.combined_objects_image_definitions + keyvaults = local.combined_objects_keyvaults + load_balancers = "x" #local.combined_objects_load_balancers # Enabling this leads to cycle error + lbs = local.combined_objects_lb + lb_backend_address_pool = local.combined_objects_lb_backend_address_pool + managed_identities = local.combined_objects_managed_identities + network_security_groups = try(module.network_security_groups, {}) + 
proximity_placement_groups = local.combined_objects_proximity_placement_groups + public_ip_addresses = local.combined_objects_public_ip_addresses + recovery_vaults = local.combined_objects_recovery_vaults + settings = each.value + vnets = local.combined_objects_networking + location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name +} + + +output "virtual_machine_scale_sets" { + value = module.virtual_machine_scale_sets +} From 116a0552a814c42dcf30c1000a0e58acbf845621 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 12:45:09 +0200 Subject: [PATCH 126/244] Removed direct dependency for role assignment to fix cycle error --- shared_image_gallery.tf | 6 +++--- storage_account_blobs.tf | 2 +- virtual_machines_scale_sets.tf | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/shared_image_gallery.tf b/shared_image_gallery.tf index 9c8afaa8a8..f21b3b9035 100644 --- a/shared_image_gallery.tf +++ b/shared_image_gallery.tf @@ -50,7 +50,7 @@ module "packer_service_principal" { depends_on = [ module.shared_image_galleries, module.image_definitions, - azurerm_role_assignment.for, + #azurerm_role_assignment.for, # NOTE: Deactivated this direct dependency due to Cycle error ] } 
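Review bot: `load_balancers = "x"` passes a string placeholder where every other object input is a map; the module is not visible here, but any lookup it performs on that value will fail, and the comment records the placeholder as a cycle workaround that, like the commented-out `depends_on` entries, leaves the cycle unresolved. `module.proximity_placement_groups` is listed twice in `depends_on`. `boot_diagnostics_storage_account = try(..., {})` falls back to an empty map where a blob-endpoint string is expected; the VM counterpart in compute_virtual_machines.tf documents passing an empty string in that case, so `""` is the consistent fallback. The file also opens with two blank lines.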
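Review bot: Commenting out `azurerm_role_assignment.for` in the `depends_on` of `packer_service_principal` here, of `packer_build` in the next hunk, and `azurerm_role_assignment.for_deferred` on `time_sleep.delay` in storage_account_blobs.tf removes the ordering that made the packer run and the blob upload wait for their RBAC grants, so the cycle error is traded for a race in which the build can run before the service principal holds its role. `time_sleep.delay` in particular exists only to wait `create_duration` after the deferred role assignments; without the dependency it sleeps at an arbitrary point and protects nothing. The cycle should be broken at the edge that introduces it rather than at the edges that enforce permission ordering; if a dependency genuinely must go, replace the dead commented line with a comment saying how role propagation is awaited instead. Each `depends_on` list belongs to a block that starts before its hunk.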
@@ -75,6 +75,6 @@ module "packer_build" { depends_on = [ module.shared_image_galleries, module.image_definitions, - azurerm_role_assignment.for, + #azurerm_role_assignment.for, # NOTE: Deactivated this direct dependency due to Cycle error ] -} \ No newline at end of file +} diff --git a/storage_account_blobs.tf b/storage_account_blobs.tf index 4136b5a14e..763417a63c 100644 --- a/storage_account_blobs.tf +++ b/storage_account_blobs.tf @@ -3,7 +3,7 @@ # resource "time_sleep" "delay" { - depends_on = [azurerm_role_assignment.for_deferred] + #depends_on = [azurerm_role_assignment.for_deferred] # NOTE: Deactivated this direct dependency due to Cycle error for_each = local.storage.storage_account_blobs create_duration = try(each.value.dealy.create_duration, "300s") diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index 1fd18fa5f8..cb70ed9d19 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf @@ -8,11 +8,11 @@ module "virtual_machine_scale_sets" { module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, - # module.load_balancers, # This is used in line #32 and therefore should have the same issue + module.load_balancers, module.application_gateways, module.application_security_groups, - #module.packer_service_principal, # This leads to cycle as well - #module.packer_build,# This leads to cycle as well + module.packer_service_principal, + module.packer_build, module.proximity_placement_groups ] for_each = local.compute.virtual_machine_scale_sets 
@@ -28,7 +28,7 @@ module "virtual_machine_scale_sets" { global_settings = local.global_settings image_definitions = local.combined_objects_image_definitions keyvaults = local.combined_objects_keyvaults - load_balancers = "x" #local.combined_objects_load_balancers # Enabling this leads to cycle error + load_balancers = local.combined_objects_load_balancers lbs = local.combined_objects_lb lb_backend_address_pool = local.combined_objects_lb_backend_address_pool managed_identities = local.combined_objects_managed_identities From 8b03a47e68ec123502800476aa4263e31bbde430 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 12:58:55 +0200 Subject: [PATCH 127/244] Removed whitespace --- virtual_machines_scale_sets.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index cb70ed9d19..d012281d5f 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf 
@@ -17,11 +17,11 @@ module "virtual_machine_scale_sets" { ] for_each = local.compute.virtual_machine_scale_sets - availability_sets = local.combined_objects_availability_sets - application_gateways = local.combined_objects_application_gateways - application_security_groups = local.combined_objects_application_security_groups - base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} - boot_diagnostics_storage_account = try(local.combined_diagnostics.storage_accounts[each.value.boot_diagnostics_storage_account_key].primary_blob_endpoint, {}) + availability_sets = local.combined_objects_availability_sets + application_gateways = local.combined_objects_application_gateways + application_security_groups = local.combined_objects_application_security_groups + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + boot_diagnostics_storage_account = try(local.combined_diagnostics.storage_accounts[each.value.boot_diagnostics_storage_account_key].primary_blob_endpoint, {}) client_config = local.client_config diagnostics = local.combined_diagnostics disk_encryption_sets = local.combined_objects_disk_encryption_sets From 590403e5d5a4f026b38d29831a28458208829336 Mon Sep 17 00:00:00 2001 
From: Bastian Karstaedt <2082580+bkarstaedt@users.noreply.github.com> Date: Wed, 24 Aug 2022 11:54:40 +0000 Subject: [PATCH 128/244] fix(compute/virtual_machine): attach subnet to vnet via landingzone key --- compute_virtual_machines.tf | 1 + modules/compute/virtual_machine/network_interface.tf | 2 +- modules/compute/virtual_machine/variables.tf | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf index 267e87986a..7ef0c5465f 100644 --- a/compute_virtual_machines.tf +++ b/compute_virtual_machines.tf @@ -37,6 +37,7 @@ module "virtual_machines" { virtual_subnets = local.combined_objects_virtual_subnets resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)] base_tags = local.global_settings.inherit_tags + virtual_subnets = local.combined_objects_virtual_subnets # if boot_diagnostics_storage_account_key is points to a valid storage account, pass the endpoint # if boot_diagnostics_storage_account_key is empty string, pass empty string diff --git a/modules/compute/virtual_machine/network_interface.tf b/modules/compute/virtual_machine/network_interface.tf index f6d5f0240c..ba20ece0b6 100644 --- a/modules/compute/virtual_machine/network_interface.tf +++ b/modules/compute/virtual_machine/network_interface.tf 
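Review bot: The added `virtual_subnets = local.combined_objects_virtual_subnets` duplicates the argument already present in the same `module "virtual_machines"` block (it is the first context line of the hunk), and HCL rejects a repeated argument within one block, so this file will not validate; drop the added line. The module block starts before the hunk.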
@@ -55,7 +55,7 @@ resource "azurerm_network_interface" "nic" { ip_configuration { name = azurecaf_name.nic[each.key].result - subnet_id = can(each.value.subnet_id) || can(each.value.vnet_key) == false ? try(each.value.subnet_id, var.virtual_subnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.subnet_key].id) : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id + subnet_id = can(each.value.subnet_id) || can(each.value.vnet_key) == false ? try(each.value.subnet_id, var.virtual_subnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.subnet_key].id) : try(var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id, var.virtual_subnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.subnet_key].id) private_ip_address_allocation = lookup(each.value, "private_ip_address_allocation", "Dynamic") private_ip_address_version = lookup(each.value, "private_ip_address_version", null) private_ip_address = lookup(each.value, "private_ip_address", null) diff --git a/modules/compute/virtual_machine/variables.tf b/modules/compute/virtual_machine/variables.tf index af91b2eabf..3f3efee0e4 100644 --- a/modules/compute/virtual_machine/variables.tf +++ b/modules/compute/virtual_machine/variables.tf @@ -27,6 +27,8 @@ variable "settings" {} variable "vnets" {} +variable "virtual_subnets" {} + # Security variable "public_key_pem_file" { default = "" From c6b9f50ed8ed261693020f39a52b9451fd35b730 Mon Sep 17 00:00:00 2001 
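Review bot: The new `try(...)` fallback on `subnet_id` switches from the vnet-scoped subnet to `var.virtual_subnets[lz][subnet_key]` whenever the first lookup errors, which includes a mistyped `vnet_key`, so a typo can place the NIC in a different subnet that happens to share `subnet_key` rather than failing the plan; because the NIC's subnet decides the VM's network exposure, the intended case deserves a comment on the line: `# vnet_key set but the subnet is not inline in the vnet (created by the virtual_subnets module): fall back to virtual_subnets under the same lz_key`. Separately, `variable "virtual_subnets" {}` in variables.tf has no default, so every other caller of `modules/compute/virtual_machine` must now pass it; `variable "virtual_subnets" { default = {} }` keeps existing callers working and matches how PATCH 129 declares the same variable for the application gateway module. The `ip_configuration` block and `azurerm_network_interface.nic` extend beyond the hunk.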
From: Yves Vogl Date: Mon, 12 Sep 2022 17:09:52 +0200 Subject: [PATCH 129/244] Allow to reference a newly created subnet, depending on a remote virtual network, as gateway subnet. --- application_gateways.tf | 3 +-- .../networking/application_gateway/locals.networking.tf | 9 +++++++++ modules/networking/application_gateway/variable.tf | 4 +++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/application_gateways.tf b/application_gateways.tf index 573f6c7027..1962a2092f 100644 --- a/application_gateways.tf +++ b/application_gateways.tf @@ -19,6 +19,7 @@ module "application_gateways" { sku_name = each.value.sku_name sku_tier = each.value.sku_tier vnets = local.combined_objects_networking + virtual_subnets = local.combined_objects_virtual_subnets application_gateway_applications = { for key, value in local.networking.application_gateway_applications : key => value @@ -33,10 +34,8 @@ module "application_gateways" { output "application_gateways" { value = module.application_gateways - } output "application_gateway_applications" { value = local.networking.application_gateway_applications - } diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 3c24df4f58..8ee3ea117c 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf @@ -5,6 +5,10 @@ locals { try(var.vnets[var.client_config.landingzone_key][var.settings.subnet.vnet_key], null) ), null) + gateway_virtual_subnets_local = try(coalesce( + try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.subnet_key], null), + ), null) + private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) 
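Review bot: `gateway_virtual_subnets_local` (this hunk) and `gateway_virtual_subnets_remote` (the next hunk) are defined but never read: the `subnet_id` change further down uses `var.virtual_subnets[...]` directly, and the two locals disagree on where the key lives (`var.settings.subnet_key` versus `var.settings.subnet.subnet_key`). Either route the `subnet_id` fallback through them with one agreed settings path, or drop them; the `coalesce(` wrapped around a single `try(..., null)` is a no-op either way. The fallback itself, `try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.subnet_key])`, has a single argument, so it still errors when the key is absent, and it yields the whole subnet object rather than its id — it needs `.id, null`. The `locals` block spans all three hunks of this file.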
@@ -13,6 +17,10 @@ locals { try(var.vnets[var.settings.subnet.lz_key][var.settings.subnet.vnet_key], null) ), null) + gateway_virtual_subnets_remote = try(coalesce( + try(var.virtual_subnets[var.settings.subnet.lz_key][var.settings.subnet.subnet_key], null) + ), null) + private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) @@ -24,6 +32,7 @@ locals { gateway = { subnet_id = coalesce( try(local.gateway_vnet.subnets[var.settings.subnet_key].id, null), + try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.subnet_key]), try(var.settings.subnet_id, null) ) } diff --git a/modules/networking/application_gateway/variable.tf b/modules/networking/application_gateway/variable.tf index 0b2e46ab19..f9f3f8ccdf 100644 --- a/modules/networking/application_gateway/variable.tf +++ b/modules/networking/application_gateway/variable.tf @@ -27,7 +27,9 @@ variable "app_services" { variable "vnets" { default = {} } - +variable "virtual_subnets" { + default = {} +} variable "sku_name" { type = string default = "Standard_v2" From 68f4a9cbc6a202e33948152b59ce0cf5a8d3ed3c Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 12 Sep 2022 17:17:06 +0200 Subject: [PATCH 130/244] Now it goes --- modules/networking/application_gateway/locals.networking.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 8ee3ea117c..7371bc1cc6 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf 
@@ -32,7 +32,7 @@ locals { gateway = { subnet_id = coalesce( try(local.gateway_vnet.subnets[var.settings.subnet_key].id, null), - try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.subnet_key]), + try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.subnet_key].id, null), try(var.settings.subnet_id, null) ) } From e8963b62ebb90d99123012bf29eb3671b214b861 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Tue, 13 Sep 2022 12:53:11 +0200 Subject: [PATCH 131/244] Removing deprecation warning for azurerm 3.0 while maintaining compatibility Increasing readability --- .../apim/api_management_custom_domain/module.tf | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/modules/apim/api_management_custom_domain/module.tf b/modules/apim/api_management_custom_domain/module.tf index 52e359baf1..dda6143c4b 100644 --- a/modules/apim/api_management_custom_domain/module.tf +++ b/modules/apim/api_management_custom_domain/module.tf @@ -41,7 +41,19 @@ resource "azurerm_api_management_custom_domain" "apim" { } dynamic "gateway" { - for_each = can(var.settings.proxy) || can(var.settings.gateways) ? try(var.settings.proxy, var.settings.gateways) : [] + for_each = ( + try( + coalesce( + var.settings.gateway, + var.settings.proxy + ), + null) != null + ? [coalesce( + var.settings.gateway, + var.settings.proxy + )] + : [] + ) content { host_name = try(gateway.value.host_name, null) certificate = try(gateway.value.certificate, null) From 20f2c3c5eaca4b56a8e88e43f65e37ca26f0e225 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Tue, 13 Sep 2022 13:19:26 +0200 Subject: [PATCH 132/244] Reverting --- .../api_management_custom_domain/module.tf | 38 +++++++------------ 1 file changed, 13 insertions(+), 25 deletions(-) diff --git a/modules/apim/api_management_custom_domain/module.tf b/modules/apim/api_management_custom_domain/module.tf index dda6143c4b..7a11654cba 100644 --- a/modules/apim/api_management_custom_domain/module.tf 
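Review bot: The new `for_each` yields an empty list for any settings object that defines only `proxy`, because `var.settings.gateway` on an object without that attribute raises an error that `coalesce` propagates and the outer `try(..., null)` swallows, so the gateway binding and its certificate are dropped without a plan error for every configuration using the key the old line accepted, the opposite of the compatibility the commit title promises. The old line also accepted `var.settings.gateways`, which the new one silently ignores. Resolving each key on its own before comparing keeps both spellings working: `for_each = try(coalesce(try(var.settings.gateway, null), try(var.settings.proxy, null)), null) != null ? [coalesce(try(var.settings.gateway, null), try(var.settings.proxy, null))] : []`. The `azurerm_api_management_custom_domain.apim` resource starts before the hunk.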
+++ b/modules/apim/api_management_custom_domain/module.tf 
@@ -40,37 +40,25 @@ resource "azurerm_api_management_custom_domain" "apim" { } } - dynamic "gateway" { - for_each = ( - try( - coalesce( - var.settings.gateway, - var.settings.proxy - ), - null) != null - ? [coalesce( - var.settings.gateway, - var.settings.proxy - )] - : [] - ) + dynamic "proxy" { + for_each = try(var.settings.proxy, null) != null ? [var.settings.proxy] : [] content { - host_name = try(gateway.value.host_name, null) - certificate = try(gateway.value.certificate, null) - certificate_password = try(gateway.value.certificate_password, null) - default_ssl_binding = try(gateway.value.default_ssl_binding, null) - #key_vault_id = var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][gateway.value.key_vault_certificate.certificate_key].secret_id + host_name = try(proxy.value.host_name, null) + certificate = try(proxy.value.certificate, null) + certificate_password = try(proxy.value.certificate_password, null) + default_ssl_binding = try(proxy.value.default_ssl_binding, null) + #key_vault_id = var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][proxy.value.key_vault_certificate.certificate_key].secret_id key_vault_id = try( #data.azurerm_key_vault_certificate.manual_certs[each.key].secret_id, - try(var.remote_objects.keyvault_certificates[gateway.value.key_vault_certificate.lz_key][gateway.value.key_vault_certificate.certificate_key].secret_id, null), - try(var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][gateway.value.key_vault_certificate.certificate_key].secret_id, null), - try(var.remote_objects.keyvault_certificate_requests[var.client_config.landingzone_key][gateway.value.certificate_request_key].secret_id, null), - try(var.remote_objects.keyvault_certificate_requests[gateway.value.key_vault_certificate.lz_key][gateway.value.certificate_request_key].secret_id, null), - try(gateway.value.key_vault_id, null), + 
try(var.remote_objects.keyvault_certificates[proxy.value.key_vault_certificate.lz_key][proxy.value.key_vault_certificate.certificate_key].secret_id, null), + try(var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][proxy.value.key_vault_certificate.certificate_key].secret_id, null), + try(var.remote_objects.keyvault_certificate_requests[var.client_config.landingzone_key][proxy.value.certificate_request_key].secret_id, null), + try(var.remote_objects.keyvault_certificate_requests[proxy.value.key_vault_certificate.lz_key][proxy.value.certificate_request_key].secret_id, null), + try(proxy.value.key_vault_id, null), null ) - negotiate_client_certificate = try(gateway.value.negotiate_client_certificate, null) + negotiate_client_certificate = try(proxy.value.negotiate_client_certificate, null) } } From 3e5c2dee6b3d3fd6318c6f67ecb345f77c11e078 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Tue, 13 Sep 2022 21:48:05 +0200 Subject: [PATCH 133/244] Adoptiong use case "locallly created subnet in externally created vnet" --- .../101-private-public/application_gateways.tfvars | 4 ++-- .../application_gateway/locals.networking.tf | 14 +++++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index 8161426f77..a3d2b6b036 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars 
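Review bot: This is not a return to the pre-PATCH-131 code: it renames the dynamic block from `gateway` to the `proxy` block that PATCH 131 set out to retire for the azurerm 3.0 deprecation, and the new `for_each` reads only `var.settings.proxy`, dropping the `var.settings.gateways` key the original accepted. If keeping the deprecated block is deliberate, a one-line comment at `dynamic "proxy" {` saying why the `gateway` form was abandoned would stop the next person from repeating PATCH 131. The hunk also carries forward two commented-out lines (`#key_vault_id = ...` and `#data.azurerm_key_vault_certificate...`) that should be removed or explained. The enclosing resource starts before the hunk.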
@@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } @@ -54,4 +54,4 @@ application_gateways = { } } } -} \ No newline at end of file +} diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 7371bc1cc6..6c7f955e22 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf @@ -12,6 +12,9 @@ locals { private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) + private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.subnet_key], null) + public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.subnet_key], null) + gateway_vnet_remote = try(coalesce( try(var.vnets[var.settings.lz_key][var.settings.vnet_key], null), try(var.vnets[var.settings.subnet.lz_key][var.settings.subnet.vnet_key], null) 
@@ -24,9 +27,15 @@ locals { private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) + private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.subnet_key], null) + public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.subnet_key], null) + + gateway_vnet = merge(local.gateway_vnet_local, local.gateway_vnet_remote) private_vnet = merge(local.private_vnet_local, local.private_vnet_remote) public_vnet = merge(local.public_vnet_local, local.public_vnet_remote) + private_subnets = merge(local.private_subnets_local, local.private_subnets_remote) + public_subnets = merge(local.public_subnets_local, local.public_subnets_remote) ip_configuration = { gateway = { 
@@ -39,22 +48,25 @@ locals { private = { subnet_id = try(coalesce( try(local.private_vnet.subnets[var.settings.front_end_ip_configurations.private.subnet_key].id, null), + try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].id, null), try(var.settings.front_end_ip_configurations.private.subnet_id, null) ), null) cidr = try(coalesce( try(local.private_vnet.subnets[var.settings.front_end_ip_configurations.private.subnet_key].cidr, null), + try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].cidr, null), try(var.settings.front_end_ip_configurations.private.subnet_cidr, null) ), null) } public = { subnet_id = try( local.public_vnet.subnets[var.settings.front_end_ip_configurations.public.subnet_key].id, + local.public_subnets[var.settings.front_end_ip_configurations.public.subnet_key].id, var.settings.front_end_ip_configurations.public.subnet_id, null ) ip_address_id = try(coalesce( - try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null), + try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null), try(var.settings.front_end_ip_configurations.public.public_ip_id, null) ), null) } From 40c68a1853e69514b80e9aa0f7a75ade10ab9818 Mon Sep 17 00:00:00 2001 
From: Yves Vogl Date: Wed, 14 Sep 2022 14:34:27 +0200 Subject: [PATCH 134/244] Fix for adopting use case "locallly created subnet in externally created vnet" --- .../101-private-public/application_gateways.tfvars | 2 +- .../application_gateway/locals.networking.tf | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index a3d2b6b036..c316602800 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars @@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 6c7f955e22..3c5b847432 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf 
@@ -12,8 +12,8 @@ locals { private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.subnet_key], null) - public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.subnet_key], null) + private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) + public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) gateway_vnet_remote = try(coalesce( try(var.vnets[var.settings.lz_key][var.settings.vnet_key], null), @@ -27,9 +27,8 @@ locals { private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.subnet_key], null) - public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.subnet_key], null) - + private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key], null) + public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key], null) gateway_vnet = merge(local.gateway_vnet_local, local.gateway_vnet_remote) private_vnet = merge(local.private_vnet_local, local.private_vnet_remote) 
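Review bot: After this change `private_subnets_local` and `public_subnets_local` are the same expression, and `private_subnets`/`public_subnets` (built by `merge(local.*_local, local.*_remote)` further down, outside this hunk) now merge the complete subnet maps of two landing zones rather than two single objects, so a subnet key present in both silently resolves to the remote one because `merge` gives later arguments precedence. That is probably the intended precedence when `lz_key` is set, but it is not visible from the code, so a comment would help, e.g. `# whole subnet map of the landing zone; remote (lz_key) entries win over local on key collision`. Since the two local expressions are identical, one shared local could also serve both front ends.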
@@ -45,6 +44,7 @@ locals { try(var.settings.subnet_id, null) ) } + private = { subnet_id = try(coalesce( try(local.private_vnet.subnets[var.settings.front_end_ip_configurations.private.subnet_key].id, null), @@ -56,6 +56,8 @@ locals { try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].cidr, null), try(var.settings.front_end_ip_configurations.private.subnet_cidr, null) ), null) + + } public = { subnet_id = try( @@ -66,7 +68,7 @@ locals { ) ip_address_id = try(coalesce( - try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null), + try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null), try(var.settings.front_end_ip_configurations.public.public_ip_id, null) ), null) } From 866fac954d377130c4949f7ec9a45469704c6093 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 12 Sep 2022 17:33:04 +0200 Subject: [PATCH 135/244] Allow to reference locally created subnets from remotely created virtual networks as network for AGW and VMs --- compute_virtual_machines.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf index 7ef0c5465f..267e87986a 100644 --- a/compute_virtual_machines.tf +++ b/compute_virtual_machines.tf 
@@ -37,7 +37,6 @@ module "virtual_machines" { virtual_subnets = local.combined_objects_virtual_subnets resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)] base_tags = local.global_settings.inherit_tags - virtual_subnets = local.combined_objects_virtual_subnets # if boot_diagnostics_storage_account_key is points to a valid storage account, pass the endpoint # if boot_diagnostics_storage_account_key is empty string, pass empty string From 0cfce8f67b0bc72e9065912659fbdb62c7c40377 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Thu, 10 Nov 2022 16:47:51 +0100 Subject: [PATCH 136/244] Add output for event hubs --- event_hubs.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/event_hubs.tf b/event_hubs.tf index 821acd542a..052558890c 100644 --- a/event_hubs.tf +++ b/event_hubs.tf @@ -109,9 +109,6 @@ module "event_hubs" { resource_group_name = local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name } -output "event_hubs" { - value = module.event_hubs -} module "event_hub_auth_rules" { source = "./modules/event_hubs/hubs/auth_rules" From e8e9e25cffced9c8a0f571d05a7956b36c03e9c3 Mon Sep 17 00:00:00 2001 From: najeebvv Date: Mon, 13 Feb 2023 18:05:14 +0100 Subject: [PATCH 137/244] - acr premium sku features --- compute_container_registry.tf | 11 ++- .../200-acr-vnet/configuration.tfvars | 12 +++ .../300-acr-premium/configuration.tfvars | 83 +++++++++++++++++++ .../compute/container_registry/registry.tf | 15 ++++ .../compute/container_registry/variables.tf | 35 +++++--- 5 files changed, 139 insertions(+), 17 deletions(-) create mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars 
diff --git a/compute_container_registry.tf b/compute_container_registry.tf index 8a3714c79b..671d490e5b 100644 --- a/compute_container_registry.tf +++ b/compute_container_registry.tf @@ -19,12 +19,11 @@ module "container_registry" { settings = each.value public_network_access_enabled = try(each.value.public_network_access_enabled, "true") - - base_tags = local.global_settings.inherit_tags - resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] - resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null - location = try(local.global_settings.regions[each.value.region], null) - + quarantine_policy_enabled = try(each.value.quarantine_policy_enabled, false) + zone_redundancy_enabled = try(each.value.zone_redundancy_enabled, false) + export_policy_enabled = try(each.value.export_policy_enabled, true) + trust_policy = try(each.value.trust_policy, {}) + retention_policy = try(each.value.retention_policy, {}) } output "azure_container_registries" { diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 98d29c455e..5a5f1d126b 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars 
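Review bot: The `container_registry` module call loses `base_tags`, `resource_group`, `resource_group_name` and `location` in this hunk, and the `modules/compute/container_registry/variables.tf` hunk of the same patch deletes the matching variable declarations; nothing in the commit message explains that, so it looks like an accidental revert carried in from a stale base rather than part of the premium-SKU feature. If `registry.tf` or the module locals still reference `var.base_tags`, `var.location` or `var.resource_group` (only part of that file is visible here), the plan will fail on undeclared variables. I would restore those four lines and keep the change limited to the policy attributes. The later revert in patch 141 does not restore them either.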
@@ -27,18 +27,30 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" + zone_redundancy_enabled = false + quarantine_policy_enabled = true + trust_policy = { + enabled = true + } + retention_policy = { + enabled = true + days = 7 + } + georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } + regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } + regional_endpoint_enabled = false } } network_rule_set = { diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars new file mode 100644 index 0000000000..b02e7f1486 --- /dev/null +++ b/examples/compute/container_registry/300-acr-premium/configuration.tfvars 
@@ -0,0 +1,83 @@ +global_settings = { + default_region = "region1" + environment = "test" + regions = { + region1 = "australiaeast" + region2 = "australiacentral" + region3 = "westeurope" + } +} + + +resource_groups = { + # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" + acr_region1 = { + name = "acr" + } + vnet_region1 = { + name = "acr-vnet" + } +} + +azure_container_registries = { + acr1 = { + name = "acr-test" + resource_group_key = "acr_region1" + sku = "Premium" + + public_network_access_enabled = "false" #Only able to control when sku = "premium" + + georeplications = { + region2 = { + tags = { + region = "australiacentral" + type = "acr_replica" + } + } + region3 = { + tags = { + region = "westeurope" + type = "acr_replica" + } + } + } + network_rule_set = { + rule1 = { + default_action = "Allow" + # ip_rules = { + # rule1 = { + # ip_range = [""] + # } + # } + virtual_networks = { + acr1_jumphost = { + vnet_key = "hub_rg1" + subnet_key = "jumphost" + } + } + } + } + + } +} + + +vnets = { + hub_rg1 = { + resource_group_key = "vnet_region1" + vnet = { + name = "hub" + address_space = ["100.64.100.0/22"] + } + specialsubnets = {} + subnets = { + jumphost = { + name = "jumphost" + cidr = ["100.64.103.0/27"] + service_endpoints = ["Microsoft.ContainerRegistry"] + } + } + } + +} + diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index ca0d8757af..84fa43a94c 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
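Review bot: The new `300-acr-premium` example sets none of the attributes this patch introduces (`quarantine_policy_enabled`, `zone_redundancy_enabled`, `export_policy_enabled`, `trust_policy`, `retention_policy`), so apart from `public_network_access_enabled = "false"` it exercises nothing beyond the existing `200-acr-vnet` example. From a security standpoint `network_rule_set.rule1.default_action = "Allow"` also makes the `virtual_networks` rule beneath it meaningless, since anything not matched is allowed anyway; an example meant to show a locked-down Premium registry should use `default_action = "Deny"` and add at least `trust_policy = { enabled = true }` and `retention_policy = { enabled = true, days = 7 }`. The file also ends with a stray blank line.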
@@ -18,6 +18,20 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled + quarantine_policy_enabled = var.quarantine_policy_enabled + zone_redundancy_enabled = var.zone_redundancy_enabled + export_policy_enabled = var.export_policy_enabled + + trust_policy { + enabled = lookup(var.trust_policy, "enabled", false) + } + + retention_policy { + enabled = lookup(var.retention_policy, "enabled", false) + days = lookup(var.retention_policy, "days", 7) + } + + dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -48,6 +62,7 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] + regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index f22eb1e96e..f975ea241c 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf 
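Review bot: The `trust_policy` and `retention_policy` blocks and the three `*_enabled` attributes are emitted unconditionally in the first hunk, but in the azurerm provider these are Premium-SKU-only features, so a Basic or Standard registry deployed through this module is likely to fail at apply even with the defaults; guarding them with `dynamic` blocks keyed on the SKU, or at least documenting the Premium requirement on the variables, would avoid that. The provider also documents that `export_policy_enabled = false` is only accepted when `public_network_access_enabled` is false, which deserves a comment next to `export_policy_enabled = var.export_policy_enabled`, e.g. `# provider rejects false unless public_network_access_enabled is also false`. `lookup(var.retention_policy, "days", 7)` hard-codes a copy of the provider default; `try(var.retention_policy.days, null)` would let the provider own it.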
@@ -63,18 +63,31 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" } -variable "location" { - description = "location of the resource if different from the resource group." - default = null + +variable "quarantine_policy_enabled" { + type = bool + default = false +} + +variable "regional_endpoint_enabled" { + type = bool + default = false +} + +variable "retention_policy" { + default = {} } -variable "resource_group_name" { - description = "Resource group object to deploy the virtual machine" - default = null + +variable "trust_policy" { + default = {} } -variable "resource_group" { - description = "Resource group object to deploy the virtual machine" + +variable "zone_redundancy_enabled" { + type = bool + default = false } -variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." - type = bool + +variable "export_policy_enabled" { + type = bool + default = true } \ No newline at end of file From da8f4dd092f0e79f176e461fff8e58710ddf1753 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 11:57:29 +0100 Subject: [PATCH 138/244] -reverting changes on 200-acr-vnet --- .../200-acr-vnet/configuration.tfvars | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 5a5f1d126b..98d29c455e 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars 
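Review bot: `variable "regional_endpoint_enabled"` added here is never read — `registry.tf` takes the value from `georeplications.value.regional_endpoint_enabled` inside `var.settings` — so it is dead input surface (patch 139 removes it again). `retention_policy` and `trust_policy` are declared without a `type` while the neighbouring booleans have one; if the repository's Terraform version supports `optional()`, `type = object({ enabled = optional(bool), days = optional(number) })` would catch tfvars typos before they reach `lookup`, and a `description` on each would document the Premium-only semantics. The deletion of `location`, `resource_group_name`, `resource_group` and `base_tags` in the same hunk appears unrelated to this feature and mirrors the arguments dropped from the module call in `compute_container_registry.tf`.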
@@ -27,30 +27,18 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" - zone_redundancy_enabled = false - quarantine_policy_enabled = true - trust_policy = { - enabled = true - } - retention_policy = { - enabled = true - days = 7 - } - georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } - regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } - regional_endpoint_enabled = false } } network_rule_set = { From aa126951e621a267d371fe39804a7b8a11152442 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 12:08:32 +0100 Subject: [PATCH 139/244] - variable region endpoint is not required until version 3.0.0 --- modules/compute/container_registry/variables.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index f975ea241c..b8893d8bfd 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -69,11 +69,6 @@ variable "quarantine_policy_enabled" { default = false } -variable "regional_endpoint_enabled" { - type = bool - default = false -} - variable "retention_policy" { default = {} } From 132484bcf27a3f4e7aa64c7c5d8de256509392df Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 16 Mar 2023 18:40:48 +0100 Subject: [PATCH 140/244] - custom_data improvements - additional private endpoints for aks - role assignment for route tables --- locals.combined_objects.tf | 2 +- modules/compute/virtual_machine/vm_linux.tf | 2 +- roles.tf | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 5146c160dc..4d4aac28c7 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -186,6 +186,7 @@ locals { combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), lookup(var.remote_objects, "wvd_applications", {})) combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), lookup(var.remote_objects, "wvd_host_pools", {})) combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), lookup(var.remote_objects, "wvd_workspaces", {})) + combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) combined_objects_subscriptions = merge( tomap( @@ -201,4 +202,3 @@ locals { ) } - \ No newline at end of file diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 6703623b32..82d0095d96 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -92,7 +92,7 @@ resource "azurerm_linux_virtual_machine" "vm" { # Create local ssh key dynamic "admin_ssh_key" { - for_each = lookup(each.value, "disable_password_authentication", true) == true && local.create_sshkeys ? [1] : [] + for_each = lookup(each.value, "disable_password_authentication", true) == true && can(var.settings.public_key_pem_file) ? [1] : [] content { username = each.value.admin_username diff --git a/roles.tf b/roles.tf index 58e81dfd73..90481bd0c1 100644 --- a/roles.tf +++ b/roles.tf @@ -179,6 +179,7 @@ locals { wvd_workspaces = local.combined_objects_wvd_workspaces virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets log_analytics = local.current_objects_log_analytics + route_tables = local.combined_objects_route_tables } current_objects_log_analytics = tomap( From e5d8c936144481a380a70c85b101cb54e125b22e Mon Sep 17 00:00:00 2001 
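Review bot: The new `combined_objects_route_tables` line reads the remote side with `try(var.remote_objects.route_tables, {})` while every neighbouring entry uses `lookup(var.remote_objects, "…", {})`; for consistency use `lookup(var.remote_objects, "route_tables", {})`. The difference is not only cosmetic: `try` masks any evaluation error in the expression, whereas `lookup` only substitutes the default when the key is absent.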
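Review bot: Replacing `local.create_sshkeys` with `can(var.settings.public_key_pem_file)` in the `admin_ssh_key` condition means the block is emitted only when a public key file is configured; a VM that previously relied on the module-generated key path (whatever `local.create_sshkeys` covered, which is outside this hunk) now gets no `admin_ssh_key` at all, and with `disable_password_authentication` defaulting to true the provider should reject a Linux VM that has neither a password nor a key. `can()` is also true when the attribute is present but set to null, in which case the `content` block (outside the hunk) is still evaluated. If the intent is "use the supplied key when given, otherwise the generated one", the condition should be `(can(var.settings.public_key_pem_file) || local.create_sshkeys)` rather than a replacement, and the `# Create local ssh key` comment above should say which key source is used.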
From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Fri, 17 Mar 2023 10:22:24 +0100 Subject: [PATCH 141/244] Revert "Feat/acr enhancements" --- compute_container_registry.tf | 6 +- .../300-acr-premium/configuration.tfvars | 83 ------------------- .../compute/container_registry/registry.tf | 15 ---- .../compute/container_registry/variables.tf | 23 ----- 4 files changed, 1 insertion(+), 126 deletions(-) delete mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars diff --git a/compute_container_registry.tf b/compute_container_registry.tf index 671d490e5b..40aefbd92c 100644 --- a/compute_container_registry.tf +++ b/compute_container_registry.tf @@ -19,11 +19,7 @@ module "container_registry" { settings = each.value public_network_access_enabled = try(each.value.public_network_access_enabled, "true") - quarantine_policy_enabled = try(each.value.quarantine_policy_enabled, false) - zone_redundancy_enabled = try(each.value.zone_redundancy_enabled, false) - export_policy_enabled = try(each.value.export_policy_enabled, true) - trust_policy = try(each.value.trust_policy, {}) - retention_policy = try(each.value.retention_policy, {}) + } output "azure_container_registries" { diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars deleted file mode 100644 index b02e7f1486..0000000000 --- a/examples/compute/container_registry/300-acr-premium/configuration.tfvars +++ /dev/null 
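Review bot: This revert removes the five policy arguments but leaves the module call without `base_tags`, `resource_group`, `resource_group_name` and `location`, which the original feature patch (137) had also dropped, so the file is not back at its pre-feature state and a stray empty line remains where those arguments were. The `variables.tf` hunk of this same patch likewise deletes only the policy variables and does not re-declare `base_tags` and the others. A full `git revert` of 137 would have restored both sides consistently; I would re-add the four arguments and their variable declarations, or state explicitly that the module no longer needs them.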
@@ -1,83 +0,0 @@ -global_settings = { - default_region = "region1" - environment = "test" - regions = { - region1 = "australiaeast" - region2 = "australiacentral" - region3 = "westeurope" - } -} - - -resource_groups = { - # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" - acr_region1 = { - name = "acr" - } - vnet_region1 = { - name = "acr-vnet" - } -} - -azure_container_registries = { - acr1 = { - name = "acr-test" - resource_group_key = "acr_region1" - sku = "Premium" - - public_network_access_enabled = "false" #Only able to control when sku = "premium" - - georeplications = { - region2 = { - tags = { - region = "australiacentral" - type = "acr_replica" - } - } - region3 = { - tags = { - region = "westeurope" - type = "acr_replica" - } - } - } - network_rule_set = { - rule1 = { - default_action = "Allow" - # ip_rules = { - # rule1 = { - # ip_range = [""] - # } - # } - virtual_networks = { - acr1_jumphost = { - vnet_key = "hub_rg1" - subnet_key = "jumphost" - } - } - } - } - - } -} - - -vnets = { - hub_rg1 = { - resource_group_key = "vnet_region1" - vnet = { - name = "hub" - address_space = ["100.64.100.0/22"] - } - specialsubnets = {} - subnets = { - jumphost = { - name = "jumphost" - cidr = ["100.64.103.0/27"] - service_endpoints = ["Microsoft.ContainerRegistry"] - } - } - } - -} - diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index 84fa43a94c..ca0d8757af 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
@@ -18,20 +18,6 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled - quarantine_policy_enabled = var.quarantine_policy_enabled - zone_redundancy_enabled = var.zone_redundancy_enabled - export_policy_enabled = var.export_policy_enabled - - trust_policy { - enabled = lookup(var.trust_policy, "enabled", false) - } - - retention_policy { - enabled = lookup(var.retention_policy, "enabled", false) - days = lookup(var.retention_policy, "days", 7) - } - - dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -62,7 +48,6 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] - regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index b8893d8bfd..f688219b8f 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -62,27 +62,4 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" -} - -variable "quarantine_policy_enabled" { - type = bool - default = false -} - -variable "retention_policy" { - default = {} -} - -variable "trust_policy" { - default = {} -} - -variable "zone_redundancy_enabled" { - type = bool - default = false -} - -variable "export_policy_enabled" { - type = bool - default = true } \ No newline at end of file From 52401e4dbfaa31fb89b2eec9ea3977bf425a6c1f Mon Sep 17 00:00:00 2001 
From: Janik Muenk Date: Fri, 9 Jun 2023 10:08:24 +0000 Subject: [PATCH 142/244] feat:#1652 adding network_connection_monitor module --- .../configuration.tfvars | 146 ++++++++++++++++++ locals.tf | 1 + .../network_connection_monitor/main.tf | 14 ++ .../network_connection_monitor/module.tf | 139 +++++++++++++++++ .../network_connection_monitor/output.tf | 1 + .../network_connection_monitor/variables.tf | 45 ++++++ networking_connection_monitor.tf | 33 ++++ 7 files changed, 379 insertions(+) create mode 100644 examples/networking/network_connection_monitors/configuration.tfvars create mode 100644 modules/networking/network_connection_monitor/main.tf create mode 100644 modules/networking/network_connection_monitor/module.tf create mode 100644 modules/networking/network_connection_monitor/output.tf create mode 100644 modules/networking/network_connection_monitor/variables.tf create mode 100644 networking_connection_monitor.tf diff --git a/examples/networking/network_connection_monitors/configuration.tfvars b/examples/networking/network_connection_monitors/configuration.tfvars new file mode 100644 index 0000000000..d8690a0103 --- /dev/null +++ b/examples/networking/network_connection_monitors/configuration.tfvars 
@@ -0,0 +1,146 @@ +log_analytics = { + law1 = { + name = "networking_monitoring_amsterdam" + resource_group_key = "networking_test_amsterdam_infra" + } +} + +network_connection_monitors = { + monitor1 = { + name = "ping-test" + notes = "room for notes..." + region = "region1" + #network_watcher_resource_group_name = "" // optional, can be guessed + #network_watcher_name = "" // optional, can be guessed + + output_workspaces = { + workspace_1 = { + key = "law1" + #lz_key = "levelX" //(optional) + } + #workspace_2 = { + # id = "foo/baz/id" //(optional) + #} + } + + + + endpoints = { + #endpoint_key_1 = { + # name = "endpoint_name_1" + # address = "1.1.1.1" //(optional) + # coverage_level = "Default" //(optional) + # excluded_ip_addresses = ["2.2.2.2"] //(optional) + # included_ip_addresses = ["1.1.1.1"] //(optional) + # target_resource_id = "foo/bar/baz/3423432423" //(optional) + # target_resource_type = "AzureVM" //(optional) resource_type as expected by azurerm_network_connection_monitor - target_resource_type + # target_resource_key = "vm_1" //(optional) + # target_resource_lz_key = "level1" //(optional) + # target_resource_key_caf_type = "level1" //(optional) resource_type as expected by caf for state lookups + #} + test_vm_1 = { + name = "endpoint_vm_1" + target_resource_type = "AzureVM" //(optional) resource_type as expected by azurerm_network_connection_monitor - target_resource_type + target_resource_key = "amsterdam_vm" //(optional) + #target_resource_lz_key = "level1" //(optional) + target_resource_key_caf_type = "virtual_machines" //(optional) resource_type as expected by caf for state lookups + } + test_vm_2 = { + name = "endpoint_vm_2" + target_resource_type = "AzureVM" //(optional) + target_resource_key = "frankfurt_vm" //(optional) + #target_resource_lz_key = "level1" //(optional) + target_resource_key_caf_type = "virtual_machines" //(optional) + } + } + test_configurations = { + test_configuration_key_1 = { + name = "test_configuration_name_1" + 
protocol = "Icmp" + test_frequency_in_seconds = "60" //(optional) + icmp_configuration = { //(optional) + trace_route_enabled = true //(optional) + } + preferred_ip_version = "IPv4" //(optional) + success_threshold = { + checks_failed_percent = 90 + round_trip_time_ms = 20 + } + } + + test_configuration_key_2 = { + name = "test_configuration_name_2" + protocol = "Tcp" + test_frequency_in_seconds = "60" //(optional) + tcp_configuration = { + port = 22 + trace_route_enabled = true //(optional) + destination_port_behavior = "ListenIfAvailable" + } + preferred_ip_version = "IPv4" //(optional) + } + test_configuration_key_3 = { + name = "test_configuration_name_3" + protocol = "Http" + test_frequency_in_seconds = "60" //(optional) + http_configuration = { + port = 80 //(optional) + method = "Get" //(optional) + path = "/" //(optional) + prefer_https = false //(optional) + valid_status_code_ranges = ["2xx"] //(optional) + request_headers = { + key1 = { + header_name = "foo" + header_value = "baz" + } + key2 = { + header_name = "auth" + header_value = "nope" + } + } + } + preferred_ip_version = "IPv4" //(optional) + } + } + + test_groups = { + test_group_1 = { + name = "foo-test-group" + source_endpoint_names = ["endpoint_vm_1"] + destination_endpoint_names = ["endpoint_vm_2"] + test_configuration_names = ["test_configuration_name_1"] + enabled = true //(optional) + } + test_group_2 = { + name = "tcp-test-group" + source_endpoint_names = ["endpoint_vm_1"] + destination_endpoint_names = ["endpoint_vm_2"] + test_configuration_names = ["test_configuration_name_2"] + enabled = true //(optional) + } + test_group_3 = { + name = "http-test-group" + source_endpoint_names = ["endpoint_vm_1"] + destination_endpoint_names = ["endpoint_vm_2"] + test_configuration_names = ["test_configuration_name_3"] + enabled = true //(optional) + } + } + + } +} + +//add the networking-watcher vm-extension to the utilized VMs +# virtual_machine_extensions = { +# generic_extensions = { +# NW = { +# 
publisher = "Microsoft.Azure.NetworkWatcher" +# name = "NetworkWatcher" +# type = "NetworkWatcherAgentLinux" +# type_handler_version = "1.4" +# autoUpgradeMinorVersion = true +# } +# } +# } + diff --git a/locals.tf b/locals.tf index e81350b46f..acff4178a8 100644 --- a/locals.tf +++ b/locals.tf @@ -311,6 +311,7 @@ locals { load_balancers = try(var.networking.load_balancers, {}) local_network_gateways = try(var.networking.local_network_gateways, {}) nat_gateways = try(var.networking.nat_gateways, {}) + network_connection_monitors = try(var.networking.network_connection_monitors, {}) network_interface_backend_address_pool_association = try(var.networking.network_interface_backend_address_pool_association, {}) network_profiles = try(var.networking.network_profiles, {}) network_security_group_definition = try(var.networking.network_security_group_definition, {}) diff --git a/modules/networking/network_connection_monitor/main.tf b/modules/networking/network_connection_monitor/main.tf new file mode 100644 index 0000000000..f1858e8a31 --- /dev/null +++ b/modules/networking/network_connection_monitor/main.tf @@ -0,0 +1,14 @@ +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null)) +} + +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } +} \ No newline at end of file diff --git a/modules/networking/network_connection_monitor/module.tf b/modules/networking/network_connection_monitor/module.tf new file mode 100644 index 0000000000..ad7ad397fd --- /dev/null +++ b/modules/networking/network_connection_monitor/module.tf 
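Review bot: Several `//(optional)` annotations in this example do not match the module added in the same patch: `icmp_configuration` and its `trace_route_enabled` are marked optional, but `module.tf` (only partly visible here) reads `test_configuration.value.icmp_configuration.trace_route_enabled` without `try`, so an Icmp test configuration omitting either fails at plan; and `target_resource_id` is documented as a direct option, but the module looks it up as `endpoint.target_resource_id` (missing `.value`), so the explicit id is never honoured and only the key-based lookup works. Either make the module tolerant (`try(..., null)` and `endpoint.value.target_resource_id`) or drop the `//(optional)` markers here. The `auth` request header also carries its value in plain tfvars; even for an example, a comment such as `# header values are persisted in state and source control; never put real credentials here` would be worth adding.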
@@ -0,0 +1,139 @@ +resource "azurerm_network_connection_monitor" "connection_monitor" { + name = var.name // caf_name requires: https://github.com/aztfmod/terraform-provider-azurecaf/issues/241 + notes = var.settings.notes + network_watcher_id = var.network_watcher_id != null ? var.network_watcher_id : data.azurerm_network_watcher.watcher.id + location = data.azurerm_network_watcher.watcher.location + output_workspace_resource_ids = local.workspace_ids + tags = local.tags + + dynamic "endpoint" { + for_each = var.settings.endpoints + content { + name = endpoint.value.name + address = try(endpoint.value.address, null) + coverage_level = try(endpoint.value.coverage_level, null) + excluded_ip_addresses = try(endpoint.value.excluded_ip_addresses, null) + included_ip_addresses = try(endpoint.value.included_ip_addresses, null) + target_resource_id = try( + try(endpoint.target_resource_id, + var.endpoint_objects[endpoint.value.target_resource_key_caf_type][try(endpoint.value.target_resource_lz_key, var.client_config.landingzone_key)][endpoint.value.target_resource_key].id, + null)) + target_resource_type = try(endpoint.value.target_resource_type, null) + } + } + + dynamic "test_configuration" { + for_each = { for k, v in var.settings.test_configurations : k => v if v.protocol == "Icmp" } + content { + name = test_configuration.value.name + protocol = try(test_configuration.value.protocol, null) + test_frequency_in_seconds = try(test_configuration.value.test_frequency_in_seconds, null) + + icmp_configuration { + trace_route_enabled = test_configuration.value.icmp_configuration.trace_route_enabled + } + dynamic "success_threshold" { + for_each = try(test_configuration.value.success_threshold, null) != null ? 
{ "yes" = true } : {} + content { + checks_failed_percent = try(test_configuration.value.success_threshold.checks_failed_percent, null) + round_trip_time_ms = try(test_configuration.value.success_threshold.round_trip_time_ms, null) + } + } + } + + } + + dynamic "test_configuration" { + for_each = { for k, v in var.settings.test_configurations : k => v if v.protocol == "Tcp" } + content { + name = test_configuration.value.name + protocol = try(test_configuration.value.protocol, null) + test_frequency_in_seconds = try(test_configuration.value.test_frequency_in_seconds, null) + + tcp_configuration { + port = test_configuration.value.tcp_configuration.port + trace_route_enabled = try(test_configuration.value.tcp_configuration.trace_route_enabled, null) + destination_port_behavior = try(test_configuration.value.tcp_configuration.destination_port_behavior, null) + } + dynamic "success_threshold" { + for_each = try(test_configuration.value.success_threshold, null) != null ? { "yes" = true } : {} + content { + checks_failed_percent = try(test_configuration.value.success_threshold.checks_failed_percent, null) + round_trip_time_ms = try(test_configuration.value.success_threshold.round_trip_time_ms, null) + } + } + } + } + dynamic "test_configuration" { + for_each = { for k, v in var.settings.test_configurations : k => v if v.protocol == "Http" } + content { + name = test_configuration.value.name + protocol = try(test_configuration.value.protocol, null) + test_frequency_in_seconds = try(test_configuration.value.test_frequency_in_seconds, null) + + http_configuration { + method = try(test_configuration.value.http_configuration.method, null) + port = try(test_configuration.value.http_configuration.port, null) + path = try(test_configuration.value.http_configuration.path, null) + prefer_https = try(test_configuration.value.http_configuration.prefer_https, null) + valid_status_code_ranges = try(test_configuration.value.http_configuration.valid_status_code_ranges, null) + dynamic 
"request_header" { + for_each = test_configuration.value.http_configuration.request_headers + content { + name = request_header.value.header_name + value = request_header.value.header_value + } + } + } + dynamic "success_threshold" { + for_each = try(test_configuration.value.success_threshold, null) != null ? { "yes" = true } : {} + content { + checks_failed_percent = try(test_configuration.value.success_threshold.checks_failed_percent, null) + round_trip_time_ms = try(test_configuration.value.success_threshold.round_trip_time_ms, null) + } + } + } + } + + dynamic "test_group" { + for_each = var.settings.test_groups + content { + + name = test_group.value.name + destination_endpoints = test_group.value.destination_endpoint_names + source_endpoints = test_group.value.source_endpoint_names + test_configuration_names = test_group.value.test_configuration_names + enabled = try(test_group.value.enabled, null) + } + } +} + + + +// Guess network watcher_name if no info is supplied +// NetworkWatcherRG +// NetworkWatcher_germanywestcentral +data "azurerm_network_watcher" "watcher" { + name = var.network_watcher_name != null ? var.network_watcher_name : format("NetworkWatcher_%s", var.location) + resource_group_name = var.network_watcher_resource_group_name != null ? var.network_watcher_resource_group_name : "NetworkWatcherRG" +} + + + + +locals { + workspace_ids_from_keys = { for key, value in var.settings.output_workspaces : + key => var.combined_objects_log_analytics[try(value.lz_key, var.client_config.landingzone_key)][value.key].id + if try(value.key, null) != null + } + workspace_from_ids = { for key, value in var.settings.output_workspaces : + key => value.id + if try(value.id, null) != null + } + workspace_ids = concat(values(local.workspace_ids_from_keys), values(local.workspace_from_ids)) + name = var.network_watcher_name != null ? 
var.network_watcher_name : format("NetworkWatcher_%s", var.location)
+ resource_group_name = var.network_watcher_resource_group_name != null ? var.network_watcher_resource_group_name : "NetworkWatcherRG"
+
+
+}
+
diff --git a/modules/networking/network_connection_monitor/output.tf b/modules/networking/network_connection_monitor/output.tf
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/modules/networking/network_connection_monitor/output.tf
@@ -0,0 +1 @@
+
diff --git a/modules/networking/network_connection_monitor/variables.tf b/modules/networking/network_connection_monitor/variables.tf
new file mode 100644
index 0000000000..872b685bac
--- /dev/null
+++ b/modules/networking/network_connection_monitor/variables.tf
@@ -0,0 +1,45 @@
+variable "global_settings" {
+ description = "Global settings object (see module README.md)"
+}
+variable "name" {
+ description = "(Required) Name of the IP Group to be created"
+}
+
+variable "tags" {
+ description = "(Required) Tags of the IP Group to be created"
+}
+
+variable "base_tags" {
+ description = "Base tags for the resource to be inherited from the resource group."
+ type = map(any)
+}
+
+variable "location" {}
+
+variable "network_watcher_name" {
+ description = "Name of the resource_watcher ressource (optional)"
+ type = string
+ default = null
+}
+variable "network_watcher_resource_group_name" {
+ description = "Name of the resource_watcher resource group (optional)"
+ type = string
+ default = null
+}
+variable "network_watcher_id" {
+ description = "ID of the resource_watcher ressource (optional)"
+ type = string
+ default = null
+}
+variable "combined_objects_log_analytics" {}
+
+
+variable "endpoint_objects" {
+ description = "map of possible endpoint objects from caf"
+ type = map(any)
+}
+
+
+variable "settings" {}
+
+variable "client_config" {}
diff --git a/networking_connection_monitor.tf b/networking_connection_monitor.tf
new file mode 100644
index 0000000000..1104635bb9
--- /dev/null
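Review bot: In the `endpoint` block of module.tf, `target_resource_id` reads `endpoint.target_resource_id` instead of `endpoint.value.target_resource_id`; the dynamic-block iterator exposes only `key` and `value`, so the nested `try()` swallows the attribute error and an explicitly configured `target_resource_id` is silently replaced by the key lookup or by `null`. A single `target_resource_id = try(endpoint.value.target_resource_id, var.endpoint_objects[endpoint.value.target_resource_key_caf_type][try(endpoint.value.target_resource_lz_key, var.client_config.landingzone_key)][endpoint.value.target_resource_key].id, null)` fixes it and drops the redundant outer `try()`. The `request_header` block iterates `test_configuration.value.http_configuration.request_headers` without a `try()`, unlike every other optional attribute in this hunk, so an Http test configuration that sets no headers fails the plan; `for_each = try(test_configuration.value.http_configuration.request_headers, {})` keeps it optional. Header values (the example configuration carries an `auth` header) are written verbatim to the plan and state, so a comment at that block such as `# NOTE: header values are stored in clear text in plan/state; do not pass credentials here` would warn configurers. The trailing `locals` block also declares `name` and `resource_group_name` that nothing reads; they duplicate the data-source arguments and can be removed.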
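Review bot: The descriptions of `name` and `tags` in variables.tf still say "IP Group", which looks copied from another module; `description = "(Required) Name of the network connection monitor to be created"` and `description = "(Required) Tags of the network connection monitor to be created"` describe this module. As far as the new module.tf in this commit shows, `var.tags` is never read — `local.tags` is built from `var.base_tags`, the module tag and `var.settings.tags` — so the variable should either be dropped or merged into `local.tags`. The three `network_watcher_*` descriptions say "resource_watcher ressource"; "network watcher resource" is what is meant.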
+++ b/networking_connection_monitor.tf
@@ -0,0 +1,33 @@
+
+
+module "network_connection_monitors" {
+ source = "./modules/networking/network_connection_monitor"
+ for_each = local.networking.network_connection_monitors
+
+ global_settings = local.global_settings
+ client_config = local.client_config
+ location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+
+ tags = try(each.value.tags, null)
+
+ name = each.value.name
+ network_watcher_resource_group_name = try(each.value.network_watcher_resource_group_name, null)
+ network_watcher_name = try(each.value.network_watcher_name, null)
+
+ combined_objects_log_analytics = local.combined_objects_log_analytics
+
+ endpoint_objects = {
+ virtual_subnets = local.combined_objects_virtual_subnets
+ virtual_machines = local.combined_objects_virtual_machines
+ vnets = local.combined_objects_networking
+ }
+
+ settings = each.value
+ base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+}
+
+
+
+output "network_connection_monitors" {
+ value = module.network_connection_monitors
+}
From 0a720ad35261d49cf2f1c99080bcfc53dc71eb90 Mon Sep 17 00:00:00 2001
From: Janik Muenk
Date: Mon, 12 Jun 2023 10:09:21 +0000
Subject: [PATCH 143/244] fix(network-monitor): adding outputs to be referenced
---
 local.remote_objects.tf | 1 +
 locals.combined_objects.tf | 1 +
 modules/networking/network_connection_monitor/output.tf | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/local.remote_objects.tf b/local.remote_objects.tf
index 76de44f2cd..4c9760893f 100644
--- a/local.remote_objects.tf
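Review bot: The root module never passes `network_watcher_id`, although the child module declares it, so every monitor is resolved through the data-source guess `NetworkWatcher_<location>` in `NetworkWatcherRG`, and a watcher deployed under another name by this framework cannot be referenced. The framework already carries `local.combined_objects_network_watchers` (visible in the remote-objects context of the next patch), so following the `resource_group.key`/`lz_key` convention used for the location lookup, something like `network_watcher_id = try(local.combined_objects_network_watchers[try(each.value.network_watcher.lz_key, local.client_config.landingzone_key)][each.value.network_watcher.key].id, null)` would let a configuration point at a CAF-managed watcher by key and fall back to the guess otherwise. `tags = try(each.value.tags, null)` is passed but, as far as the module code in this commit shows, never read, so it can be dropped or wired into the module's `local.tags`.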
+++ b/local.remote_objects.tf
@@ -101,6 +101,7 @@ locals {
 mysql_servers = try(local.combined_objects_mysql_servers, null)
 mysql_flexible_server = try(local.combined_objects_mysql_flexible_server, null)
 nat_gateways = try(local.combined_objects_nat_gateways, null)
+ network_connection_monitors = try(local.combined_objects_network_connection_monitors, null)
 network_security_groups = try(local.combined_objects_network_security_groups, null)
 network_watchers = try(local.combined_objects_network_watchers, null)
 networking = try(local.combined_objects_networking, null)
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
index 4d4aac28c7..a988afa638 100644
--- a/locals.combined_objects.tf
+++ b/locals.combined_objects.tf
@@ -129,6 +129,7 @@ locals {
 combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), lookup(var.remote_objects, "mysql_flexible_server", {}))
 combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), lookup(var.remote_objects, "mysql_servers", {}), lookup(var.data_sources, "mysql_servers", {}))
 combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), lookup(var.remote_objects, "nat_gateways", {}), lookup(var.data_sources, "nat_gateways", {}))
+ combined_objects_network_connection_monitors = merge(tomap({ (local.client_config.landingzone_key) = module.network_connection_monitors }), try(var.remote_objects.network_connection_monitors, {}))
 combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), lookup(var.remote_objects, "network_profiles", {}))
 combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), lookup(var.remote_objects, "network_security_groups", {}), lookup(var.data_sources, "network_security_groups", {}))
 combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), lookup(var.remote_objects, "network_watchers", {}), lookup(var.data_sources, "network_watchers", {}))
diff --git a/modules/networking/network_connection_monitor/output.tf b/modules/networking/network_connection_monitor/output.tf
index 8b13789179..cd271d9f24 100644
--- a/modules/networking/network_connection_monitor/output.tf
+++ b/modules/networking/network_connection_monitor/output.tf
@@ -1 +1,5 @@
+output "id" {
+ value = azurerm_network_connection_monitor.connection_monitor.id
+ description = "The ID of the onnection_monitor"
+}
From 5e2a60cb2dabffeba8127433583d28e8d783a784 Mon Sep 17 00:00:00 2001
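Review bot: The new `combined_objects_network_connection_monitors` line uses `try(var.remote_objects.network_connection_monitors, {})` while every neighbouring entry uses `lookup(var.remote_objects, "...", {})`; besides the inconsistency, `try()` also hides any other error in the expression rather than only a missing key. `lookup(var.remote_objects, "network_connection_monitors", {})` matches the surrounding style and fails loudly on anything but an absent key. The enclosing `locals` block starts before the hunk.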
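Review bot: The `description` of the new `id` output reads "The ID of the onnection_monitor"; `description = "The ID of the network connection monitor"` is what is meant. Since the monitor's `name` is also set from a module argument (`name = var.name`), exporting it alongside `id` would save downstream landing zones from recomputing it, but that is optional.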
From: Janik Muenk Date: Thu, 10 Nov 2022 13:39:56 +0000 Subject: [PATCH 144/244] adding option to reference a group id in azuread_groups_membership adding option to use services_roles for scopes shared_image_galleries and virtual_machine_scale_sets adding combined objects --- roles.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles.tf b/roles.tf index 90481bd0c1..35e3576370 100644 --- a/roles.tf +++ b/roles.tf 
@@ -37,7 +37,7 @@ resource "azurerm_role_assignment" "for_deferred" {
 if contains(keys(local.services_roles_deferred), value.scope_resource_key)
 }
- principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id
+ principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles_deferred[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles_deferred[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id
 role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null
 role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
 scope = each.value.scope_lz_key == null ? local.services_roles_deferred[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles_deferred[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
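Review bot: After this change `principal_id` is looked up in `local.services_roles_deferred`, but the `for_each` filter visible in the hunk only checks that `value.scope_resource_key` is a key of that map, not `value.object_id_resource_type`. If `services_roles_deferred` holds only a subset of the keys in `services_roles` (its name suggests so; neither map's definition is in the hunk), a deferred assignment whose principal comes from a non-deferred resource type now fails with an invalid index where it previously resolved. Either extend the filter with `&& contains(keys(local.services_roles_deferred), value.object_id_resource_type)` or wrap each branch as `try(local.services_roles_deferred[...].rbac_id, local.services_roles[...].rbac_id)` so the old lookup remains the fallback. The `azurerm_role_assignment.for_deferred` block starts before and ends after the hunk.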
@@ -172,6 +172,7 @@ locals {
 storage_accounts = local.combined_objects_storage_accounts
 subscriptions = local.combined_objects_subscriptions
 synapse_workspaces = local.combined_objects_synapse_workspaces
+ virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
 virtual_subnets = local.combined_objects_virtual_subnets
 wvd_application_groups = local.combined_objects_wvd_application_groups
 wvd_applications = local.combined_objects_wvd_applications
@@ -179,7 +180,6 @@ locals {
 wvd_workspaces = local.combined_objects_wvd_workspaces
 virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
 log_analytics = local.current_objects_log_analytics
- route_tables = local.combined_objects_route_tables
 }
 current_objects_log_analytics = tomap(
From 3d4cf997a8f43e66e846ec2908b1b26f50f10e5c Mon Sep 17 00:00:00 2001
From: Nick Metz
Date: Fri, 4 Nov 2022 11:41:56 +0100
Subject: [PATCH 145/244] Add vm-linux_diagnostic_extensions #1423
---
 compute_virtual_machines_extensions.tf | 63 +-
 .../configurations.tfvars | 6 +-
 .../diagnostics/ladcfg.json | 778 +++++++++--------
 .../LinuxDiagnostic.tf | 14 -
 4 files changed, 396 insertions(+), 465 deletions(-)
diff --git a/compute_virtual_machines_extensions.tf b/compute_virtual_machines_extensions.tf
index a200bffdee..b058ac506b 100644
--- a/compute_virtual_machines_extensions.tf
+++ b/compute_virtual_machines_extensions.tf
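Review bot: The first hunk adds `virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets` after `synapse_workspaces`, but the second hunk's context shows the same attribute already present right after `wvd_workspaces`, so the object constructor now carries the key twice; Terraform is expected to reject a duplicated key in an object constructor (and at best one definition would silently win), so one of the two lines has to go. The second hunk also drops `route_tables = local.combined_objects_route_tables`, which the commit message does not mention; any role assignment scoped to a route table stops resolving after this change, so if the removal is intentional it should be called out as a breaking change, and otherwise the line should be kept. The enclosing `locals` block starts before the hunks.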
@@ -136,63 +136,8 @@ module "vm_extension_linux_diagnostic" { extension_name = "linux_diagnostic" settings = { - var_folder_path = var.var_folder_path - diagnostics = local.combined_diagnostics - diagnostic_storage_account = local.combined_objects_diagnostic_storage_accounts[try(each.value.storage_account.lz_key, local.client_config.landingzone_key)][each.value.virtual_machine_extensions.linux_diagnostic.diagnostic_storage_account_key] - } -} - -module "vm_extensions_devops_selfhosted_agent" { - source = "./modules/compute/virtual_machine_extensions" - - for_each = { - for key, value in local.compute.virtual_machines : key => value - if can(value.virtual_machine_extensions.devops_selfhosted_agent) - } - - client_config = local.client_config - virtual_machine_id = module.virtual_machines[each.key].id - extension = each.value.virtual_machine_extensions.devops_selfhosted_agent - extension_name = "devops_selfhosted_agent" - - settings = { - devops_selfhosted_agent = { - var_folder_path = var.var_folder_path - storage_accounts = module.storage_accounts - admin_username = each.value.virtual_machine_settings[each.value.os_type].admin_username - storage_account_blobs_urls = can(each.value.virtual_machine_extensions.devops_selfhosted_agent.storage_account_blobs) ? 
[ - for key in try(each.value.virtual_machine_extensions.devops_selfhosted_agent.storage_account_blobs, []) : module.storage_account_blobs[key].url - ] : each.value.virtual_machine_extensions.devops_selfhosted_agent.storage_account_blobs_urls - managed_identities = local.combined_objects_managed_identities - keyvaults = local.combined_objects_keyvaults - } - } -} - - -module "vm_extensions_tfcloud_selfhosted_agent" { - source = "./modules/compute/virtual_machine_extensions" - - for_each = { - for key, value in local.compute.virtual_machines : key => value - if can(value.virtual_machine_extensions.tfcloud_selfhosted_agent) - } - - client_config = local.client_config - virtual_machine_id = module.virtual_machines[each.key].id - extension = each.value.virtual_machine_extensions.tfcloud_selfhosted_agent - extension_name = "tfcloud_selfhosted_agent" - - settings = { - tfcloud_selfhosted_agent = { - var_folder_path = var.var_folder_path - storage_accounts = module.storage_accounts - admin_username = each.value.virtual_machine_settings[each.value.os_type].admin_username - storage_account_blobs_urls = can(each.value.virtual_machine_extensions.tfcloud_selfhosted_agent.storage_account_blobs) ? [ - for key in try(each.value.virtual_machine_extensions.tfcloud_selfhosted_agent.storage_account_blobs, []) : module.storage_account_blobs[key].url - ] : each.value.virtual_machine_extensions.tfcloud_selfhosted_agent.storage_account_blobs_urls - managed_identities = local.combined_objects_managed_identities - keyvaults = local.combined_objects_keyvaults - } + var_folder_path = var.var_folder_path + diagnostics = local.combined_diagnostics + diagnostic_storage_account = local.combined_objects_diagnostic_storage_accounts[try(each.value.storage_account.lz_key, local.client_config.landingzone_key)][each.value.virtual_machine_extensions.linux_diagnostic.diagnostic_storage_account_key] } -} +} \ No newline at end of file 
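Review bot: The `vm_extensions_devops_selfhosted_agent` and `vm_extensions_tfcloud_selfhosted_agent` module blocks are deleted in this hunk, which the commit subject ("Add vm-linux_diagnostic_extensions") does not mention and the diffstat does not show being moved elsewhere; on the next apply any deployment with those extensions configured would have them destroyed, and configurations that set `virtual_machine_extensions.devops_selfhosted_agent` or `tfcloud_selfhosted_agent` would silently stop deploying the agents. Unless the removal is intended, both module blocks should be restored unchanged and only the re-indentation of the `linux_diagnostic` settings kept. The new side also loses the trailing newline (`\ No newline at end of file`), which is worth restoring to keep future diffs clean. The `vm_extension_linux_diagnostic` module block starts before the hunk.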
diff --git a/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars b/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars index 8e14922276..24c82a14ad 100644 --- a/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars +++ b/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/configurations.tfvars @@ -102,9 +102,9 @@ diagnostic_storage_accounts = { keyvaults = { example_vm_rg1 = { - name = "vmlinuxdiac" - resource_group_key = "vm_region1" - sku_name = "standard" + name = "vmlinuxdiac" + resource_group_key = "vm_region1" + sku_name = "standard" creation_policies = { logged_in_user = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] diff --git a/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/diagnostics/ladcfg.json b/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/diagnostics/ladcfg.json index 6263dc360b..7e84858a5d 100644 --- a/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/diagnostics/ladcfg.json +++ b/examples/compute/virtual_machine/216-vm-linux_diagnostic_extensions/diagnostics/ladcfg.json 
@@ -1,698 +1,698 @@ { "diagnosticMonitorConfiguration": { - "eventVolume": "Medium", + "eventVolume": "Medium", "metrics": { "metricAggregation": [ { "scheduledTransferPeriod": "PT1H" - }, + }, { "scheduledTransferPeriod": "PT1M" } - ], + ], "resourceId": "${virtual_machine_id}" - }, + }, "performanceCounters": { "performanceCounterConfiguration": [ { "annotation": [ { - "displayName": "Disk read guest OS", + "displayName": "Disk read guest OS", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "readbytespersecond", - "counterSpecifier": "/builtin/disk/readbytespersecond", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "readbytespersecond", + "counterSpecifier": "/builtin/disk/readbytespersecond", + "type": "builtin", "unit": "BytesPerSecond" - }, + }, { "annotation": [ { - "displayName": "Disk writes", + "displayName": "Disk writes", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "writespersecond", - "counterSpecifier": "/builtin/disk/writespersecond", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "writespersecond", + "counterSpecifier": "/builtin/disk/writespersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Disk transfer time", + "displayName": "Disk transfer time", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "averagetransfertime", - "counterSpecifier": "/builtin/disk/averagetransfertime", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "averagetransfertime", + "counterSpecifier": "/builtin/disk/averagetransfertime", + "type": "builtin", "unit": "Seconds" - }, + }, { "annotation": [ { - "displayName": "Disk transfers", + "displayName": "Disk transfers", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - 
"counter": "transferspersecond", - "counterSpecifier": "/builtin/disk/transferspersecond", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "transferspersecond", + "counterSpecifier": "/builtin/disk/transferspersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Disk write guest OS", + "displayName": "Disk write guest OS", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "writebytespersecond", - "counterSpecifier": "/builtin/disk/writebytespersecond", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "writebytespersecond", + "counterSpecifier": "/builtin/disk/writebytespersecond", + "type": "builtin", "unit": "BytesPerSecond" - }, + }, { "annotation": [ { - "displayName": "Disk read time", + "displayName": "Disk read time", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "averagereadtime", - "counterSpecifier": "/builtin/disk/averagereadtime", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "averagereadtime", + "counterSpecifier": "/builtin/disk/averagereadtime", + "type": "builtin", "unit": "Seconds" - }, + }, { "annotation": [ { - "displayName": "Disk write time", + "displayName": "Disk write time", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "averagewritetime", - "counterSpecifier": "/builtin/disk/averagewritetime", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "averagewritetime", + "counterSpecifier": "/builtin/disk/averagewritetime", + "type": "builtin", "unit": "Seconds" - }, + }, { "annotation": [ { - "displayName": "Disk total bytes", + "displayName": "Disk total bytes", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "bytespersecond", - 
"counterSpecifier": "/builtin/disk/bytespersecond", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "bytespersecond", + "counterSpecifier": "/builtin/disk/bytespersecond", + "type": "builtin", "unit": "BytesPerSecond" - }, + }, { "annotation": [ { - "displayName": "Disk reads", + "displayName": "Disk reads", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "readspersecond", - "counterSpecifier": "/builtin/disk/readspersecond", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "readspersecond", + "counterSpecifier": "/builtin/disk/readspersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Disk queue length", + "displayName": "Disk queue length", "locale": "en-us" } - ], - "class": "disk", - "condition": "IsAggregate=TRUE", - "counter": "averagediskqueuelength", - "counterSpecifier": "/builtin/disk/averagediskqueuelength", - "type": "builtin", + ], + "class": "disk", + "condition": "IsAggregate=TRUE", + "counter": "averagediskqueuelength", + "counterSpecifier": "/builtin/disk/averagediskqueuelength", + "type": "builtin", "unit": "Count" - }, + }, { "annotation": [ { - "displayName": "Network in guest OS", + "displayName": "Network in guest OS", "locale": "en-us" } - ], - "class": "network", - "counter": "bytesreceived", - "counterSpecifier": "/builtin/network/bytesreceived", - "type": "builtin", + ], + "class": "network", + "counter": "bytesreceived", + "counterSpecifier": "/builtin/network/bytesreceived", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Network total bytes", + "displayName": "Network total bytes", "locale": "en-us" } - ], - "class": "network", - "counter": "bytestotal", - "counterSpecifier": "/builtin/network/bytestotal", - "type": "builtin", + ], + "class": "network", + "counter": "bytestotal", + "counterSpecifier": 
"/builtin/network/bytestotal", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Network out guest OS", + "displayName": "Network out guest OS", "locale": "en-us" } - ], - "class": "network", - "counter": "bytestransmitted", - "counterSpecifier": "/builtin/network/bytestransmitted", - "type": "builtin", + ], + "class": "network", + "counter": "bytestransmitted", + "counterSpecifier": "/builtin/network/bytestransmitted", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Network collisions", + "displayName": "Network collisions", "locale": "en-us" } - ], - "class": "network", - "counter": "totalcollisions", - "counterSpecifier": "/builtin/network/totalcollisions", - "type": "builtin", + ], + "class": "network", + "counter": "totalcollisions", + "counterSpecifier": "/builtin/network/totalcollisions", + "type": "builtin", "unit": "Count" - }, + }, { "annotation": [ { - "displayName": "Packets received errors", + "displayName": "Packets received errors", "locale": "en-us" } - ], - "class": "network", - "counter": "totalrxerrors", - "counterSpecifier": "/builtin/network/totalrxerrors", - "type": "builtin", + ], + "class": "network", + "counter": "totalrxerrors", + "counterSpecifier": "/builtin/network/totalrxerrors", + "type": "builtin", "unit": "Count" - }, + }, { "annotation": [ { - "displayName": "Packets sent", + "displayName": "Packets sent", "locale": "en-us" } - ], - "class": "network", - "counter": "packetstransmitted", - "counterSpecifier": "/builtin/network/packetstransmitted", - "type": "builtin", + ], + "class": "network", + "counter": "packetstransmitted", + "counterSpecifier": "/builtin/network/packetstransmitted", + "type": "builtin", "unit": "Count" - }, + }, { "annotation": [ { - "displayName": "Packets received", + "displayName": "Packets received", "locale": "en-us" } - ], - "class": "network", - "counter": "packetsreceived", - "counterSpecifier": "/builtin/network/packetsreceived", 
- "type": "builtin", + ], + "class": "network", + "counter": "packetsreceived", + "counterSpecifier": "/builtin/network/packetsreceived", + "type": "builtin", "unit": "Count" - }, + }, { "annotation": [ { - "displayName": "Packets sent errors", + "displayName": "Packets sent errors", "locale": "en-us" } - ], - "class": "network", - "counter": "totaltxerrors", - "counterSpecifier": "/builtin/network/totaltxerrors", - "type": "builtin", + ], + "class": "network", + "counter": "totaltxerrors", + "counterSpecifier": "/builtin/network/totaltxerrors", + "type": "builtin", "unit": "Count" - }, + }, { "annotation": [ { - "displayName": "Filesystem transfers/sec", + "displayName": "Filesystem transfers/sec", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "transferspersecond", - "counterSpecifier": "/builtin/filesystem/transferspersecond", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "transferspersecond", + "counterSpecifier": "/builtin/filesystem/transferspersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Filesystem % free space", + "displayName": "Filesystem % free space", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "percentfreespace", - "counterSpecifier": "/builtin/filesystem/percentfreespace", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "percentfreespace", + "counterSpecifier": "/builtin/filesystem/percentfreespace", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Filesystem % used space", + "displayName": "Filesystem % used space", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "percentusedspace", - "counterSpecifier": "/builtin/filesystem/percentusedspace", - "type": "builtin", + ], + "class": "filesystem", + 
"condition": "IsAggregate=TRUE", + "counter": "percentusedspace", + "counterSpecifier": "/builtin/filesystem/percentusedspace", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Filesystem used space", + "displayName": "Filesystem used space", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "usedspace", - "counterSpecifier": "/builtin/filesystem/usedspace", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "usedspace", + "counterSpecifier": "/builtin/filesystem/usedspace", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Filesystem read bytes/sec", + "displayName": "Filesystem read bytes/sec", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "bytesreadpersecond", - "counterSpecifier": "/builtin/filesystem/bytesreadpersecond", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "bytesreadpersecond", + "counterSpecifier": "/builtin/filesystem/bytesreadpersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Filesystem free space", + "displayName": "Filesystem free space", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "freespace", - "counterSpecifier": "/builtin/filesystem/freespace", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "freespace", + "counterSpecifier": "/builtin/filesystem/freespace", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Filesystem % free inodes", + "displayName": "Filesystem % free inodes", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "percentfreeinodes", - "counterSpecifier": "/builtin/filesystem/percentfreeinodes", - "type": "builtin", + ], 
+ "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "percentfreeinodes", + "counterSpecifier": "/builtin/filesystem/percentfreeinodes", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Filesystem bytes/sec", + "displayName": "Filesystem bytes/sec", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "bytespersecond", - "counterSpecifier": "/builtin/filesystem/bytespersecond", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "bytespersecond", + "counterSpecifier": "/builtin/filesystem/bytespersecond", + "type": "builtin", "unit": "BytesPerSecond" - }, + }, { "annotation": [ { - "displayName": "Filesystem reads/sec", + "displayName": "Filesystem reads/sec", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "readspersecond", - "counterSpecifier": "/builtin/filesystem/readspersecond", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "readspersecond", + "counterSpecifier": "/builtin/filesystem/readspersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Filesystem write bytes/sec", + "displayName": "Filesystem write bytes/sec", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "byteswrittenpersecond", - "counterSpecifier": "/builtin/filesystem/byteswrittenpersecond", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "byteswrittenpersecond", + "counterSpecifier": "/builtin/filesystem/byteswrittenpersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Filesystem writes/sec", + "displayName": "Filesystem writes/sec", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "writespersecond", 
- "counterSpecifier": "/builtin/filesystem/writespersecond", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "writespersecond", + "counterSpecifier": "/builtin/filesystem/writespersecond", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Filesystem % used inodes", + "displayName": "Filesystem % used inodes", "locale": "en-us" } - ], - "class": "filesystem", - "condition": "IsAggregate=TRUE", - "counter": "percentusedinodes", - "counterSpecifier": "/builtin/filesystem/percentusedinodes", - "type": "builtin", + ], + "class": "filesystem", + "condition": "IsAggregate=TRUE", + "counter": "percentusedinodes", + "counterSpecifier": "/builtin/filesystem/percentusedinodes", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU IO wait time", + "displayName": "CPU IO wait time", "locale": "en-us" } - ], - "class": "processor", - "condition": "IsAggregate=TRUE", - "counter": "percentiowaittime", - "counterSpecifier": "/builtin/processor/percentiowaittime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentiowaittime", + "counterSpecifier": "/builtin/processor/percentiowaittime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU user time", + "displayName": "CPU user time", "locale": "en-us" } - ], - "class": "processor", - "condition": "IsAggregate=TRUE", - "counter": "percentusertime", - "counterSpecifier": "/builtin/processor/percentusertime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentusertime", + "counterSpecifier": "/builtin/processor/percentusertime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU nice time", + "displayName": "CPU nice time", "locale": "en-us" } - ], - "class": "processor", - "condition": "IsAggregate=TRUE", - "counter": 
"percentnicetime", - "counterSpecifier": "/builtin/processor/percentnicetime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentnicetime", + "counterSpecifier": "/builtin/processor/percentnicetime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU percentage guest OS", + "displayName": "CPU percentage guest OS", "locale": "en-us" } - ], - "class": "processor", - "condition": "IsAggregate=TRUE", - "counter": "percentprocessortime", - "counterSpecifier": "/builtin/processor/percentprocessortime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentprocessortime", + "counterSpecifier": "/builtin/processor/percentprocessortime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU interrupt time", + "displayName": "CPU interrupt time", "locale": "en-us" } - ], - "class": "processor", - "condition": "IsAggregate=TRUE", - "counter": "percentinterrupttime", - "counterSpecifier": "/builtin/processor/percentinterrupttime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentinterrupttime", + "counterSpecifier": "/builtin/processor/percentinterrupttime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU idle time", + "displayName": "CPU idle time", "locale": "en-us" } - ], - "class": "processor", - "condition": "IsAggregate=TRUE", - "counter": "percentidletime", - "counterSpecifier": "/builtin/processor/percentidletime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentidletime", + "counterSpecifier": "/builtin/processor/percentidletime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "CPU privileged time", + "displayName": "CPU privileged time", "locale": "en-us" } - ], - "class": "processor", - 
"condition": "IsAggregate=TRUE", - "counter": "percentprivilegedtime", - "counterSpecifier": "/builtin/processor/percentprivilegedtime", - "type": "builtin", + ], + "class": "processor", + "condition": "IsAggregate=TRUE", + "counter": "percentprivilegedtime", + "counterSpecifier": "/builtin/processor/percentprivilegedtime", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Memory available", + "displayName": "Memory available", "locale": "en-us" } - ], - "class": "memory", - "counter": "availablememory", - "counterSpecifier": "/builtin/memory/availablememory", - "type": "builtin", + ], + "class": "memory", + "counter": "availablememory", + "counterSpecifier": "/builtin/memory/availablememory", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Swap percent used", + "displayName": "Swap percent used", "locale": "en-us" } - ], - "class": "memory", - "counter": "percentusedswap", - "counterSpecifier": "/builtin/memory/percentusedswap", - "type": "builtin", + ], + "class": "memory", + "counter": "percentusedswap", + "counterSpecifier": "/builtin/memory/percentusedswap", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Memory used", + "displayName": "Memory used", "locale": "en-us" } - ], - "class": "memory", - "counter": "usedmemory", - "counterSpecifier": "/builtin/memory/usedmemory", - "type": "builtin", + ], + "class": "memory", + "counter": "usedmemory", + "counterSpecifier": "/builtin/memory/usedmemory", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Page reads", + "displayName": "Page reads", "locale": "en-us" } - ], - "class": "memory", - "counter": "pagesreadpersec", - "counterSpecifier": "/builtin/memory/pagesreadpersec", - "type": "builtin", + ], + "class": "memory", + "counter": "pagesreadpersec", + "counterSpecifier": "/builtin/memory/pagesreadpersec", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { 
"annotation": [ { - "displayName": "Swap available", + "displayName": "Swap available", "locale": "en-us" } - ], - "class": "memory", - "counter": "availableswap", - "counterSpecifier": "/builtin/memory/availableswap", - "type": "builtin", + ], + "class": "memory", + "counter": "availableswap", + "counterSpecifier": "/builtin/memory/availableswap", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Swap percent available", + "displayName": "Swap percent available", "locale": "en-us" } - ], - "class": "memory", - "counter": "percentavailableswap", - "counterSpecifier": "/builtin/memory/percentavailableswap", - "type": "builtin", + ], + "class": "memory", + "counter": "percentavailableswap", + "counterSpecifier": "/builtin/memory/percentavailableswap", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Mem. percent available", + "displayName": "Mem. percent available", "locale": "en-us" } - ], - "class": "memory", - "counter": "percentavailablememory", - "counterSpecifier": "/builtin/memory/percentavailablememory", - "type": "builtin", + ], + "class": "memory", + "counter": "percentavailablememory", + "counterSpecifier": "/builtin/memory/percentavailablememory", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Pages", + "displayName": "Pages", "locale": "en-us" } - ], - "class": "memory", - "counter": "pagespersec", - "counterSpecifier": "/builtin/memory/pagespersec", - "type": "builtin", + ], + "class": "memory", + "counter": "pagespersec", + "counterSpecifier": "/builtin/memory/pagespersec", + "type": "builtin", "unit": "CountPerSecond" - }, + }, { "annotation": [ { - "displayName": "Swap used", + "displayName": "Swap used", "locale": "en-us" } - ], - "class": "memory", - "counter": "usedswap", - "counterSpecifier": "/builtin/memory/usedswap", - "type": "builtin", + ], + "class": "memory", + "counter": "usedswap", + "counterSpecifier": 
"/builtin/memory/usedswap", + "type": "builtin", "unit": "Bytes" - }, + }, { "annotation": [ { - "displayName": "Memory percentage", + "displayName": "Memory percentage", "locale": "en-us" } - ], - "class": "memory", - "counter": "percentusedmemory", - "counterSpecifier": "/builtin/memory/percentusedmemory", - "type": "builtin", + ], + "class": "memory", + "counter": "percentusedmemory", + "counterSpecifier": "/builtin/memory/percentusedmemory", + "type": "builtin", "unit": "Percent" - }, + }, { "annotation": [ { - "displayName": "Page writes", + "displayName": "Page writes", "locale": "en-us" } - ], - "class": "memory", - "counter": "pageswrittenpersec", - "counterSpecifier": "/builtin/memory/pageswrittenpersec", - "type": "builtin", + ], + "class": "memory", + "counter": "pageswrittenpersec", + "counterSpecifier": "/builtin/memory/pageswrittenpersec", + "type": "builtin", "unit": "CountPerSecond" } ] - }, + }, "syslogEvents": { "syslogEventConfiguration": { - "LOG_AUTH": "LOG_DEBUG", - "LOG_AUTHPRIV": "LOG_DEBUG", - "LOG_CRON": "LOG_DEBUG", - "LOG_DAEMON": "LOG_DEBUG", - "LOG_FTP": "LOG_DEBUG", - "LOG_KERN": "LOG_DEBUG", - "LOG_LOCAL0": "LOG_DEBUG", - "LOG_LOCAL1": "LOG_DEBUG", - "LOG_LOCAL2": "LOG_DEBUG", - "LOG_LOCAL3": "LOG_DEBUG", - "LOG_LOCAL4": "LOG_DEBUG", - "LOG_LOCAL5": "LOG_DEBUG", - "LOG_LOCAL6": "LOG_DEBUG", - "LOG_LOCAL7": "LOG_DEBUG", - "LOG_LPR": "LOG_DEBUG", - "LOG_MAIL": "LOG_DEBUG", - "LOG_NEWS": "LOG_DEBUG", - "LOG_SYSLOG": "LOG_DEBUG", - "LOG_USER": "LOG_DEBUG", + "LOG_AUTH": "LOG_DEBUG", + "LOG_AUTHPRIV": "LOG_DEBUG", + "LOG_CRON": "LOG_DEBUG", + "LOG_DAEMON": "LOG_DEBUG", + "LOG_FTP": "LOG_DEBUG", + "LOG_KERN": "LOG_DEBUG", + "LOG_LOCAL0": "LOG_DEBUG", + "LOG_LOCAL1": "LOG_DEBUG", + "LOG_LOCAL2": "LOG_DEBUG", + "LOG_LOCAL3": "LOG_DEBUG", + "LOG_LOCAL4": "LOG_DEBUG", + "LOG_LOCAL5": "LOG_DEBUG", + "LOG_LOCAL6": "LOG_DEBUG", + "LOG_LOCAL7": "LOG_DEBUG", + "LOG_LPR": "LOG_DEBUG", + "LOG_MAIL": "LOG_DEBUG", + "LOG_NEWS": "LOG_DEBUG", + 
"LOG_SYSLOG": "LOG_DEBUG", + "LOG_USER": "LOG_DEBUG", "LOG_UUCP": "LOG_DEBUG" } } - }, + }, "sampleRateInSeconds": 15 } \ No newline at end of file diff --git a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf index dbbc6a7570..ed9cde7c2a 100644 --- a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf +++ b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf @@ -19,18 +19,6 @@ resource "azurerm_virtual_machine_extension" "linux_diagnostic" { "storageAccountSasToken" = data.azurerm_storage_account_sas.token[each.key].sas "storageAccountEndPoint" = try(var.settings.storage_account_endpoint, "https://core.windows.net") }) - - lifecycle { - precondition { - condition = anytrue( - [ - for status in jsondecode(data.azapi_resource_action.azurerm_virtual_machine_status.output).statuses : "true" - if status.code == "PowerState/running" - ] - ) - error_message = format("The virtual machine (%s) must be in running state to be able to deploy or modify the vm extension.", var.virtual_machine_id) - } - } } locals { @@ -71,7 +59,5 @@ data "azurerm_storage_account_sas" "token" { create = true update = true process = true - filter = true - tag = true } } \ No newline at end of file From b022b598cba6b1cd9bf9368ece4c4d2d6c4070b7 Mon Sep 17 00:00:00 2001 From: Adam Cain Date: Mon, 17 Oct 2022 18:03:02 +0100 Subject: [PATCH 146/244] Add Logic App Standard with vnet integration --- .../configuration.tfvars | 2 +- modules/logic_app/standard/main.tf | 30 +++++++++++++++---- modules/logic_app/standard/module.tf | 17 +++++------ .../logic_app/standard/private_endpoint.tf | 1 - 4 files changed, 34 insertions(+), 16 deletions(-) diff --git a/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars b/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars index 9cf6ed3f61..0780b07e80 100644 
--- a/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars +++ b/examples/logic_app/109-logic_app_standard_vnet_integration/configuration.tfvars @@ -52,7 +52,7 @@ logic_app_standard = { "WEBSITE_NODE_DEFAULT_VERSION" = "~14", } - } + } } vnets = { diff --git a/modules/logic_app/standard/main.tf b/modules/logic_app/standard/main.tf index b65cd0084b..bd1fe0a3db 100644 --- a/modules/logic_app/standard/main.tf +++ b/modules/logic_app/standard/main.tf 
@@ -7,9 +7,29 @@ terraform {
 }
 locals {
- resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)]
- storage_account = var.storage_accounts[try(var.settings.lz_key, var.settings.storage_account.lz_key, var.client_config.landingzone_key)][try(var.settings.storage_account.key, var.settings.storage_account_key)]
- app_service_plan = var.app_service_plans[try(var.settings.app_service_plan.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.app_service_plan.key, var.settings.app_service_plan_key)]
- app_settings = try(var.app_settings, null)
- subnet_id = can(var.settings.vnet_integration.subnet_id) || can(var.settings.vnet_integration.subnet_key) == false ? try(var.settings.vnet_integration.subnet_id, null) : var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id
+ resource_group = coalesce(
+ try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key], null),
+ try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key], null),
+ try(var.resource_groups[var.settings.lz_key][var.settings.resource_group_key], null),
+ try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key], null)
+ )
+
+ storage_account = coalesce(
+ try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account_key], null),
+ try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account.key], null),
+ try(var.storage_accounts[var.settings.lz_key][var.settings.storage_account_key], null),
+ try(var.storage_accounts[var.settings.storage_account.lz_key][var.settings.storage_account.key], null)
+ )
+
+ app_service_plan = coalesce(
+ try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan_key], null),
+ try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan.key], null),
+ try(var.app_service_plans[var.settings.lz_key][var.settings.app_service_plan_key], null),
+ try(var.app_service_plans[var.settings.app_service_plan.lz_key][var.settings.app_service_plan.key], null)
+ )
+
+ app_settings = try(var.app_settings, null)
+
+ subnet_id = try(var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id, null)
+
 }
\ No newline at end of file
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index a2391387a2..3b5722c5dc 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
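Review bot: The new `subnet_id` local wraps the whole lookup in `try(..., null)`, so a mistyped `vnet_key` or `subnet_key`, or an `lz_key` that is not in `var.subnets`, no longer fails the plan; it silently resolves to `null`, and a Logic App that was meant to be VNet-integrated would be deployed without the integration. Keep the explicit branch so that only an absent `vnet_integration` block yields null: `subnet_id = can(var.settings.vnet_integration.subnet_key) ? var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id : try(var.settings.vnet_integration.subnet_id, null)`. The `coalesce(try(...), ...)` chains above have the same masking of individual lookups, although `coalesce` still errors when every candidate is null, so a wrong key there is at least not silent.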
@@ -22,15 +22,16 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : []
 content {
- always_on = lookup(var.settings.site_config, "enabled", null)
+ # numberOfWorkers = lookup(each.value.site_config, "numberOfWorkers", 1) # defined in ARM template below
+ always_on = lookup(var.settings.site_config, "enabled", false)
 dotnet_framework_version = lookup(var.settings.site_config, "dotnet_framework_version", null)
- ftps_state = lookup(var.settings.site_config, "ftps_state", null)
- http2_enabled = lookup(var.settings.site_config, "http2_enabled", null)
+ ftps_state = lookup(var.settings.site_config, "ftps_state", "FtpsOnly")
+ http2_enabled = lookup(var.settings.site_config, "http2_enabled", false)
 linux_fx_version = lookup(var.settings.site_config, "linux_fx_version", null)
- min_tls_version = lookup(var.settings.site_config, "min_tls_version", null)
- use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", null)
- vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", null)
- websockets_enabled = lookup(var.settings.site_config, "enabled", null)
+ min_tls_version = lookup(var.settings.site_config, "min_tls_version", "1.2")
+ use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", false)
+ vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", false)
+ websockets_enabled = lookup(var.settings.site_config, "enabled", false)
 dynamic "cors" {
 for_each = lookup(var.settings.site_config, "cors", {}) != {} ? [1] : []
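Review bot: `always_on`, `vnet_route_all_enabled` and `websockets_enabled` all read the same `"enabled"` key from `site_config`, so a caller cannot turn on one without turning on the others, and in particular enabling VNet route-all silently enables WebSockets on the site; this is carried over from the removed lines but the hunk rewrites every one of them, so it is the place to fix it. Unless `enabled` is a documented shared key, which nothing visible suggests, each attribute should read its own key: `always_on = lookup(var.settings.site_config, "always_on", false)`, `vnet_route_all_enabled = lookup(var.settings.site_config, "vnet_route_all_enabled", false)`, `websockets_enabled = lookup(var.settings.site_config, "websockets_enabled", false)`. The same three lines reappear unchanged in the later `module.tf` hunk of PATCH 148 in this series. The `site_config` dynamic block and the enclosing resource start before this hunk.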
@@ -46,10 +47,8 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) - } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index 67a8defb52..b01846c314 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf @@ -13,7 +13,6 @@ module "private_endpoint" { try(var.virtual_subnets[var.client_config.landingzone_key][each.value.subnet_key].id, null), try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value global_settings = var.global_settings base_tags = var.base_tags From b557d404bed41f1fbc043f7292ca7bbab638ffe6 Mon Sep 17 00:00:00 2001 From: Adam Cain Date: Tue, 18 Oct 2022 09:52:32 +0100 Subject: [PATCH 147/244] Add count conditional --- modules/logic_app/standard/module.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 3b5722c5dc..5bba1d93bc 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf 
@@ -47,6 +47,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, From c688fb45e37c3791c61a03bce86c3398da226d37 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 11 Nov 2022 07:57:38 +0000 Subject: [PATCH 148/244] Iterate on #1395 --- modules/logic_app/standard/main.tf | 29 ++++--------------- modules/logic_app/standard/module.tf | 23 +++++++-------- .../logic_app/standard/private_endpoint.tf | 10 +++---- 3 files changed, 21 insertions(+), 41 deletions(-) diff --git a/modules/logic_app/standard/main.tf b/modules/logic_app/standard/main.tf index bd1fe0a3db..48d75dcf70 100644 --- a/modules/logic_app/standard/main.tf +++ b/modules/logic_app/standard/main.tf 
@@ -7,29 +7,10 @@ terraform {
 }
 locals {
- resource_group = coalesce(
- try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key], null),
- try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key], null),
- try(var.resource_groups[var.settings.lz_key][var.settings.resource_group_key], null),
- try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key], null)
- )
-
- storage_account = coalesce(
- try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account_key], null),
- try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account.key], null),
- try(var.storage_accounts[var.settings.lz_key][var.settings.storage_account_key], null),
- try(var.storage_accounts[var.settings.storage_account.lz_key][var.settings.storage_account.key], null)
- )
-
- app_service_plan = coalesce(
- try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan_key], null),
- try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan.key], null),
- try(var.app_service_plans[var.settings.lz_key][var.settings.app_service_plan_key], null),
- try(var.app_service_plans[var.settings.app_service_plan.lz_key][var.settings.app_service_plan.key], null)
- )
-
- app_settings = try(var.app_settings, null)
-
- subnet_id = try(var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id, null)
+ resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)]
+ storage_account = var.storage_accounts[try(var.settings.lz_key, var.settings.storage_account.lz_key, var.client_config.landingzone_key)][try(var.settings.storage_account.key, var.settings.storage_account_key)]
+ app_service_plan = var.app_service_plans[try(var.settings.app_service_plan.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.app_service_plan.key, var.settings.app_service_plan_key)]
+ app_settings = try(var.app_settings, null)
+ subnet_id = can(var.settings.vnet_integration.subnet_id) || can(var.settings.vnet_integration.subnet_key) == false ? try(var.settings.vnet_integration.subnet_id, null) : var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id
 }
\ No newline at end of file
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index 5bba1d93bc..277e81dc13 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
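Review bot: `subnet_id` here is derived from `var.settings.vnet_integration`, while the `module.tf` hunk in the same patch resolves the swift connection's `subnet_id` from a separate `var.vnet_integration` input with a different precedence (`var.vnets`, then `var.virtual_subnets`), so the two values can disagree and it is not visible which one actually reaches the resource; if this local is unused it should be dropped, otherwise the swift connection should consume `local.subnet_id` so there is one resolution path for the network attachment. Separately, the condition `can(...) || can(...) == false ? ... : ...` only reads correctly because `==` binds tighter than `||` in HCL; `!can(var.settings.vnet_integration.subnet_key)` in place of `can(...) == false` would make the intent explicit to the next reader.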
@@ -22,16 +22,15 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : []
 content {
- # numberOfWorkers = lookup(each.value.site_config, "numberOfWorkers", 1) # defined in ARM template below
- always_on = lookup(var.settings.site_config, "enabled", false)
+ always_on = lookup(var.settings.site_config, "enabled", null)
 dotnet_framework_version = lookup(var.settings.site_config, "dotnet_framework_version", null)
- ftps_state = lookup(var.settings.site_config, "ftps_state", "FtpsOnly")
- http2_enabled = lookup(var.settings.site_config, "http2_enabled", false)
+ ftps_state = lookup(var.settings.site_config, "ftps_state", null)
+ http2_enabled = lookup(var.settings.site_config, "http2_enabled", null)
 linux_fx_version = lookup(var.settings.site_config, "linux_fx_version", null)
- min_tls_version = lookup(var.settings.site_config, "min_tls_version", "1.2")
- use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", false)
- vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", false)
- websockets_enabled = lookup(var.settings.site_config, "enabled", false)
+ min_tls_version = lookup(var.settings.site_config, "min_tls_version", null)
+ use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", null)
+ vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", null)
+ websockets_enabled = lookup(var.settings.site_config, "enabled", null)
 dynamic "cors" {
 for_each = lookup(var.settings.site_config, "cors", {}) != {} ? [1] : []
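Review bot: Reverting `ftps_state` and `min_tls_version` to a `null` default hands them back to the provider's defaults; as far as I recall the azurerm default for `ftps_state` on this resource is `AllAllowed`, so a `site_config` block without an explicit value would accept plain FTP deployments, whereas the previous hunk defaulted to `FtpsOnly`. If the intent of the revert is to stop overriding caller input, the secure value can still be the default while remaining overridable: `ftps_state = lookup(var.settings.site_config, "ftps_state", "FtpsOnly")` and `min_tls_version = lookup(var.settings.site_config, "min_tls_version", "1.2")`. The three attributes that share the `"enabled"` key (`always_on`, `vnet_route_all_enabled`, `websockets_enabled`) are also carried over here unchanged. The enclosing `site_config` dynamic block starts before this hunk.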
@@ -46,10 +45,10 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 }
 resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" {
- depends_on = [azurerm_logic_app_standard.logic_app_standard]
- count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0
+ depends_on = [azurerm_logic_app_standard.logic_app_standard]
+ count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0
 app_service_id = azurerm_logic_app_standard.logic_app_standard.id
- subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id,
- try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id))
+ subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id,
+ try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id))
 }
\ No newline at end of file
diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf
index b01846c314..dd14a40905 100644
--- a/modules/logic_app/standard/private_endpoint.tf
+++ b/modules/logic_app/standard/private_endpoint.tf
@@ -13,9 +13,9 @@ module "private_endpoint" { try(var.virtual_subnets[var.client_config.landingzone_key][each.value.subnet_key].id, null), try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config } \ No newline at end of file From 79459d86689f9c2b396e8c65bb03b0ed62488f1b Mon Sep 17 00:00:00 2001 From: Adam Cain <72016306+adamcaino@users.noreply.github.com> Date: Fri, 11 Nov 2022 08:03:33 +0000 Subject: [PATCH 149/244] Add Logic App Standard with vnet integration (#1395) Co-authored-by: Arnaud Lheureux --- modules/logic_app/standard/main.tf | 1 - modules/logic_app/standard/module.tf | 9 +++++---- modules/logic_app/standard/private_endpoint.tf | 12 +++++++----- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/modules/logic_app/standard/main.tf b/modules/logic_app/standard/main.tf index 48d75dcf70..b65cd0084b 100644 --- a/modules/logic_app/standard/main.tf +++ b/modules/logic_app/standard/main.tf @@ -12,5 +12,4 @@ locals { app_service_plan = var.app_service_plans[try(var.settings.app_service_plan.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.app_service_plan.key, var.settings.app_service_plan_key)] app_settings = try(var.app_settings, null) subnet_id = can(var.settings.vnet_integration.subnet_id) || can(var.settings.vnet_integration.subnet_key) == false ? try(var.settings.vnet_integration.subnet_id, null) : var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id - } \ No newline at end of file 
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 277e81dc13..a2391387a2 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -45,10 +45,11 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index dd14a40905..6c8f63e1e0 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf 
@@ -13,9 +13,11 @@ module "private_endpoint" { try(var.virtual_subnets[var.client_config.landingzone_key][each.value.subnet_key].id, null), try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config + + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config + } \ No newline at end of file From e7730891005b73ffc9dfbd5923d126d9ea0444ce Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Wed, 16 Nov 2022 10:43:37 +0000 Subject: [PATCH 150/244] removing virtual_machine_scale_sets from roles.tf - it is causing cyclic dependencies --- locals.combined_objects.tf | 1 + roles.tf | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index a988afa638..83238d6c06 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -203,3 +203,4 @@ locals { ) } + diff --git a/roles.tf b/roles.tf index 35e3576370..3e0b9f844c 100644 --- a/roles.tf +++ b/roles.tf 
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null + role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } @@ -172,7 +172,6 @@ locals { storage_accounts = local.combined_objects_storage_accounts subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces - virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets virtual_subnets = local.combined_objects_virtual_subnets wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications From 7b63eef0fbd5d61c1b9dd9e6d6f185251e5d1ae7 Mon Sep 17 00:00:00 2001 
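Review bot: Dropping `virtual_machine_scale_sets` from `local.services_roles` in the second hunk (`@@ -172,7`) removes a lookup target the `azurerm_role_assignment.for` resource above resolves dynamically, so any role mapping that names `virtual_machine_scale_sets` as `object_id_resource_type` or `scope_resource_key` now fails at plan time with an unknown map key instead of a message that explains why. The commit message attributes the removal to a dependency cycle, but nothing in the diff records that, so the next maintainer will re-add the entry and hit the same cycle. A comment at the removal site such as `# virtual_machine_scale_sets intentionally absent: referencing it here creates a dependency cycle` would preserve the reason. The enclosing `locals` block starts and ends outside the hunk.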
From: Janik Muenk Date: Fri, 25 Nov 2022 15:42:03 +0000 Subject: [PATCH 151/244] this works for me right now --- roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles.tf b/roles.tf index 3e0b9f844c..8121576923 100644 --- a/roles.tf +++ b/roles.tf @@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null + role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } From ab100b74756dcc59c0c1fc9bfe632eed5fccab17 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 11:17:12 +0200 Subject: [PATCH 152/244] Nailing the components which lead to cycle error --- roles.tf | 2 ++ virtual_machines_scale_sets.tf | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) 
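Review bot: The restored `try(module.custom_roles[...], local.combined_objects_custom_roles[each.value.role_lz_key][...])` prefers a custom role defined in the current landing zone whenever one exists with that name, so `role_lz_key` is effectively ignored in that case and a same-named local role definition shadows the remote one the mapping asked for. Because `try()` only reports a failure when both alternatives fail, a null `role_lz_key` combined with a missing local role surfaces as a generic try() error rather than pointing at the unset key. If the shadowing is intended, the line should say so, e.g. `# prefer a locally defined custom role; fall back to the landing zone named by role_lz_key`; the commit message "this works for me right now" does not document the rationale. The enclosing resource block starts and ends outside the hunk.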
diff --git a/roles.tf b/roles.tf index 8121576923..12a5c72e13 100644 --- a/roles.tf +++ b/roles.tf @@ -173,6 +173,8 @@ locals { subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces virtual_subnets = local.combined_objects_virtual_subnets + virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets + log_analytics = local.current_objects_log_analytics wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications wvd_host_pools = local.combined_objects_wvd_host_pools diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index d012281d5f..03dcf52d04 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf @@ -8,11 +8,11 @@ module "virtual_machine_scale_sets" { module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, - module.load_balancers, + # module.load_balancers, # This is used in line #32 and therefore should have the same issue module.application_gateways, module.application_security_groups, - module.packer_service_principal, - module.packer_build, + #module.packer_service_principal, # This leads to cycle as well + #module.packer_build,# This leads to cycle as well module.proximity_placement_groups ] for_each = local.compute.virtual_machine_scale_sets From f298f8b5639eb9bf6971b37ff1189d24874d4d01 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 12:45:09 +0200 Subject: [PATCH 153/244] Removed direct dependency for role assignment to fix cycle error --- virtual_machines_scale_sets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index 03dcf52d04..d012281d5f 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf 
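Review bot: In the roles.tf hunk, `log_analytics = local.current_objects_log_analytics` is the only entry in `local.services_roles` that draws from a `current_objects_*` local rather than a `combined_objects_*` one, yet the role assignment resource indexes this map by landing-zone key for both principal and scope, so a mapping that targets a Log Analytics workspace in a remote landing zone via `lz_key` will not find it. If a `local.combined_objects_log_analytics` exists, `log_analytics = local.combined_objects_log_analytics` would match its siblings; otherwise the asymmetry deserves a comment. The same hunk also re-adds `virtual_machine_scale_sets`, which the earlier commit on this page removed because of a cycle, and the diff gives no indication of what now breaks that cycle. The enclosing `locals` block starts and ends outside the hunk.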
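Review bot: In the virtual_machines_scale_sets.tf hunk, commenting out `module.load_balancers`, `module.packer_service_principal` and `module.packer_build` inside `depends_on` leaves exploratory residue in the module call, and the inline note `# This is used in line #32` will be wrong as soon as the file changes. If the ordering constraint is really being dropped, the lines should be removed and the reason recorded in the commit or in a single comment above `depends_on`; if it is not, the entries should stay. The enclosing `module "virtual_machine_scale_sets"` block ends outside the hunk.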
@@ -8,11 +8,11 @@ module "virtual_machine_scale_sets" { module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, - # module.load_balancers, # This is used in line #32 and therefore should have the same issue + module.load_balancers, module.application_gateways, module.application_security_groups, - #module.packer_service_principal, # This leads to cycle as well - #module.packer_build,# This leads to cycle as well + module.packer_service_principal, + module.packer_build, module.proximity_placement_groups ] for_each = local.compute.virtual_machine_scale_sets From 2dc30514234310e016c6cafa124b5b7b20ae362b Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Tue, 13 Sep 2022 12:53:11 +0200 Subject: [PATCH 154/244] Removing deprecation warning for azurerm 3.0 while maintaining compatibility Increasing readability --- .../apim/api_management_custom_domain/module.tf | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/modules/apim/api_management_custom_domain/module.tf b/modules/apim/api_management_custom_domain/module.tf index 7a11654cba..21960d854d 100644 --- a/modules/apim/api_management_custom_domain/module.tf +++ b/modules/apim/api_management_custom_domain/module.tf @@ -40,8 +40,20 @@ resource "azurerm_api_management_custom_domain" "apim" { } } - dynamic "proxy" { - for_each = try(var.settings.proxy, null) != null ? [var.settings.proxy] : [] + dynamic "gateway" { + for_each = ( + try( + coalesce( + var.settings.gateway, + var.settings.proxy + ), + null) != null + ? [coalesce( + var.settings.gateway, + var.settings.proxy + )] + : [] + ) content { host_name = try(proxy.value.host_name, null) certificate = try(proxy.value.certificate, null) From 7e16b0c1c8143da69060f92cbc69b3d81984789b Mon Sep 17 00:00:00 2001 
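Review bot: In the api_management_custom_domain hunk, renaming the dynamic block from `proxy` to `gateway` also renames its implicit iterator, but the `content` lines still read `proxy.value.host_name` and `proxy.value.certificate`, which no longer resolve; either add `iterator = proxy` directly under `for_each`, or change the references to `gateway.value.…`. Separately, `try(coalesce(var.settings.gateway, var.settings.proxy), null)` evaluates the whole `coalesce` inside one `try`, so when `var.settings` has no `gateway` attribute the lookup fails and `try` yields null — a configuration that only sets the legacy `proxy` key no longer produces the block, which defeats the compatibility goal stated in the commit message. Something like `for_each = try(coalesce(try(var.settings.gateway, null), try(var.settings.proxy, null)), null) != null ? [coalesce(try(var.settings.gateway, null), try(var.settings.proxy, null))] : []` tolerates either key being absent. The `content` block continues outside the hunk.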
From: Yves Vogl Date: Tue, 13 Sep 2022 13:19:26 +0200 Subject: [PATCH 155/244] Reverting --- .../apim/api_management_custom_domain/module.tf | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/modules/apim/api_management_custom_domain/module.tf b/modules/apim/api_management_custom_domain/module.tf index 21960d854d..7a11654cba 100644 --- a/modules/apim/api_management_custom_domain/module.tf +++ b/modules/apim/api_management_custom_domain/module.tf @@ -40,20 +40,8 @@ resource "azurerm_api_management_custom_domain" "apim" { } } - dynamic "gateway" { - for_each = ( - try( - coalesce( - var.settings.gateway, - var.settings.proxy - ), - null) != null - ? [coalesce( - var.settings.gateway, - var.settings.proxy - )] - : [] - ) + dynamic "proxy" { + for_each = try(var.settings.proxy, null) != null ? [var.settings.proxy] : [] content { host_name = try(proxy.value.host_name, null) certificate = try(proxy.value.certificate, null) From e5f82ffa818d2d41f93e5f9eff88a7c958938fb4 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Tue, 13 Sep 2022 21:48:05 +0200 Subject: [PATCH 156/244] Adoptiong use case "locallly created subnet in externally created vnet" --- .../101-private-public/application_gateways.tfvars | 2 +- .../networking/application_gateway/locals.networking.tf | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index c316602800..a3d2b6b036 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars 
@@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 3c5b847432..75537ee02b 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf @@ -12,8 +12,8 @@ locals { private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) - public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) + private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.subnet_key], null) + public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.subnet_key], null) gateway_vnet_remote = try(coalesce( try(var.vnets[var.settings.lz_key][var.settings.vnet_key], null), 
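Review bot: In the locals.networking.tf hunk, `private_subnets_local` and `public_subnets_local` now hold a single subnet object (indexed by `subnet_key`) instead of the per-landing-zone subnet map their plural names describe, and the next hunk (`@@ -27,8`) does the same to `private_subnets_remote` and `public_subnets_remote`. Any consumer further down the file that still indexes these locals by subnet key would now be indexing into a subnet object; I cannot see those consumers from the hunk, so this needs checking. Renaming the locals to `private_subnet_local` / `public_subnet_local` (and the `_remote` pair) would make the shape change visible at every use site. The enclosing `locals` block starts and ends outside the hunk.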
@@ -27,8 +27,9 @@ locals { private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key], null) - public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key], null) + private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.subnet_key], null) + public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.subnet_key], null) + gateway_vnet = merge(local.gateway_vnet_local, local.gateway_vnet_remote) private_vnet = merge(local.private_vnet_local, local.private_vnet_remote) From 135ecea5002bfef68bfcc113ec459b083e93f67a Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Wed, 14 Sep 2022 14:34:27 +0200 Subject: [PATCH 157/244] Fix for adopting use case "locallly created subnet in externally created vnet" --- .../101-private-public/application_gateways.tfvars | 2 +- .../networking/application_gateway/locals.networking.tf | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index a3d2b6b036..c316602800 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars 
@@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 75537ee02b..3c5b847432 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf @@ -12,8 +12,8 @@ locals { private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.subnet_key], null) - public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.subnet_key], null) + private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) + public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) gateway_vnet_remote = try(coalesce( try(var.vnets[var.settings.lz_key][var.settings.vnet_key], null), 
@@ -27,9 +27,8 @@ locals { private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.subnet_key], null) - public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.subnet_key], null) - + private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key], null) + public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key], null) gateway_vnet = merge(local.gateway_vnet_local, local.gateway_vnet_remote) private_vnet = merge(local.private_vnet_local, local.private_vnet_remote) From a1ad458e0b97c4d973f6b444e23e2aac50f8b6c3 Mon Sep 17 00:00:00 2001 From: najeebvv Date: Mon, 13 Feb 2023 18:05:14 +0100 Subject: [PATCH 158/244] - acr premium sku features --- compute_container_registry.tf | 10 +++ .../200-acr-vnet/configuration.tfvars | 12 +++ .../300-acr-premium/configuration.tfvars | 83 +++++++++++++++++++ .../compute/container_registry/registry.tf | 15 ++++ .../compute/container_registry/variables.tf | 43 ++++++++++ 5 files changed, 163 insertions(+) create mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars diff --git a/compute_container_registry.tf b/compute_container_registry.tf index 40aefbd92c..a20a113d6e 100644 --- a/compute_container_registry.tf +++ b/compute_container_registry.tf 
@@ -20,6 +20,16 @@ module "container_registry" { public_network_access_enabled = try(each.value.public_network_access_enabled, "true") + base_tags = local.global_settings.inherit_tags + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null + location = try(local.global_settings.regions[each.value.region], null) + + quarantine_policy_enabled = try(each.value.quarantine_policy_enabled, false) + zone_redundancy_enabled = try(each.value.zone_redundancy_enabled, false) + export_policy_enabled = try(each.value.export_policy_enabled, true) + trust_policy = try(each.value.trust_policy, {}) + retention_policy = try(each.value.retention_policy, {}) } output "azure_container_registries" { diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 98d29c455e..5a5f1d126b 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars @@ -27,18 +27,30 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" + zone_redundancy_enabled = false + quarantine_policy_enabled = true + trust_policy = { + enabled = true + } + retention_policy = { + enabled = true + days = 7 + } + georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } + regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } + regional_endpoint_enabled = false } } network_rule_set = { 
diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars new file mode 100644 index 0000000000..b02e7f1486 --- /dev/null +++ b/examples/compute/container_registry/300-acr-premium/configuration.tfvars @@ -0,0 +1,83 @@ +global_settings = { + default_region = "region1" + environment = "test" + regions = { + region1 = "australiaeast" + region2 = "australiacentral" + region3 = "westeurope" + } +} + + +resource_groups = { + # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" + acr_region1 = { + name = "acr" + } + vnet_region1 = { + name = "acr-vnet" + } +} + +azure_container_registries = { + acr1 = { + name = "acr-test" + resource_group_key = "acr_region1" + sku = "Premium" + + public_network_access_enabled = "false" #Only able to control when sku = "premium" + + georeplications = { + region2 = { + tags = { + region = "australiacentral" + type = "acr_replica" + } + } + region3 = { + tags = { + region = "westeurope" + type = "acr_replica" + } + } + } + network_rule_set = { + rule1 = { + default_action = "Allow" + # ip_rules = { + # rule1 = { + # ip_range = [""] + # } + # } + virtual_networks = { + acr1_jumphost = { + vnet_key = "hub_rg1" + subnet_key = "jumphost" + } + } + } + } + + } +} + + +vnets = { + hub_rg1 = { + resource_group_key = "vnet_region1" + vnet = { + name = "hub" + address_space = ["100.64.100.0/22"] + } + specialsubnets = {} + subnets = { + jumphost = { + name = "jumphost" + cidr = ["100.64.103.0/27"] + service_endpoints = ["Microsoft.ContainerRegistry"] + } + } + } + +} + diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index ca0d8757af..84fa43a94c 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
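Review bot: In the new 300-acr-premium example, `network_rule_set.rule1` sets `default_action = "Allow"` while also declaring a `virtual_networks` entry; with the default action set to Allow the vnet rule restricts nothing, so the example shows a rule set that has no effect. For an example whose purpose is the Premium SKU's network controls, `default_action = "Deny"` with a comment such as `# Deny by default; only the listed subnets reach the registry` would demonstrate the intended behaviour. The example also keeps `public_network_access_enabled = "false"`, which is the stronger control and worth a one-line comment explaining how it interacts with the rule set.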
@@ -18,6 +18,20 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled + quarantine_policy_enabled = var.quarantine_policy_enabled + zone_redundancy_enabled = var.zone_redundancy_enabled + export_policy_enabled = var.export_policy_enabled + + trust_policy { + enabled = lookup(var.trust_policy, "enabled", false) + } + + retention_policy { + enabled = lookup(var.retention_policy, "enabled", false) + days = lookup(var.retention_policy, "days", 7) + } + + dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -48,6 +62,7 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] + regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index f688219b8f..8ce6d86325 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf 
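Review bot: `export_policy_enabled = var.export_policy_enabled` in the first hunk introduces a coupling the module does not check: the azurerm provider only accepts `export_policy_enabled = false` when `public_network_access_enabled` is also false, and this module's `public_network_access_enabled` defaults to the string `"true"`, so a caller that disables export without disabling public access gets a provider error at apply time. A comment on that line, e.g. `# can only be false when public_network_access_enabled is also false`, or a `validation` block on the variable would surface this earlier. As far as I recall, `quarantine_policy_enabled`, `trust_policy` and `retention_policy` are likewise only honoured on the Premium SKU, and the `trust_policy {}` / `retention_policy {}` blocks are emitted unconditionally here, so that constraint is worth documenting next to them as well. The enclosing `azurerm_container_registry` resource starts and ends outside the hunks.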
@@ -62,4 +62,47 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" +} +variable "location" { + description = "location of the resource if different from the resource group." + default = null +} +variable "resource_group_name" { + description = "Resource group object to deploy the virtual machine" + default = null +} +variable "resource_group" { + description = "Resource group object to deploy the virtual machine" +} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} + +variable "quarantine_policy_enabled" { + type = bool + default = false +} + +variable "regional_endpoint_enabled" { + type = bool + default = false +} + +variable "retention_policy" { + default = {} +} + +variable "trust_policy" { + default = {} +} + +variable "zone_redundancy_enabled" { + type = bool + default = false +} + +variable "export_policy_enabled" { + type = bool + default = true } \ No newline at end of file From af402381b7042ee734a6204e0097bbb8b1990872 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 11:57:29 +0100 Subject: [PATCH 159/244] -reverting changes on 200-acr-vnet --- .../200-acr-vnet/configuration.tfvars | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 5a5f1d126b..98d29c455e 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars 
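Review bot: `variable "regional_endpoint_enabled"` is declared here but nothing reads it: the registry.tf change in this same commit takes `regional_endpoint_enabled` from `georeplications.value` per replica, so the module-level variable is dead. The other new variables (`quarantine_policy_enabled`, `retention_policy`, `trust_policy`, `zone_redundancy_enabled`, `export_policy_enabled`) carry no `description`, and `retention_policy` / `trust_policy` have no `type`, so a caller passing something other than a map only fails later inside `lookup()`. Adding a `description` to each and a type constraint on the two policy maps would make the module's contract self-documenting.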
@@ -27,30 +27,18 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" - zone_redundancy_enabled = false - quarantine_policy_enabled = true - trust_policy = { - enabled = true - } - retention_policy = { - enabled = true - days = 7 - } - georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } - regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } - regional_endpoint_enabled = false } } network_rule_set = { From 056ab95858cbb71a2a22dc472d763bad1fa46725 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 12:08:32 +0100 Subject: [PATCH 160/244] - variable region endpoint is not required until version 3.0.0 --- modules/compute/container_registry/variables.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index 8ce6d86325..5e7924ee32 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -84,11 +84,6 @@ variable "quarantine_policy_enabled" { default = false } -variable "regional_endpoint_enabled" { - type = bool - default = false -} - variable "retention_policy" { default = {} } From b7465b02f5da4ae027d5aee96b09852180a07624 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 16 Mar 2023 18:40:48 +0100 Subject: [PATCH 161/244] - custom_data improvements - additional private endpoints for aks - role assignment for route tables --- locals.combined_objects.tf | 1 + roles.tf | 1 + 2 files changed, 2 insertions(+) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 83238d6c06..059ed5afdc 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -188,6 +188,7 @@ locals { combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), lookup(var.remote_objects, "wvd_host_pools", {})) combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), lookup(var.remote_objects, "wvd_workspaces", {})) combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) + combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) combined_objects_subscriptions = merge( tomap( diff --git a/roles.tf b/roles.tf index 12a5c72e13..72b13f4eae 100644 --- a/roles.tf +++ b/roles.tf @@ -175,6 +175,7 @@ locals { virtual_subnets = local.combined_objects_virtual_subnets virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets log_analytics = local.current_objects_log_analytics + route_tables = local.combined_objects_route_tables wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications wvd_host_pools = local.combined_objects_wvd_host_pools From 36a3d58bfb9019722ad4c81bd94adb31ef863aab Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Fri, 17 Mar 2023 10:22:24 +0100 Subject: [PATCH 162/244] Revert "Feat/acr enhancements" --- compute_container_registry.tf | 7 -- .../300-acr-premium/configuration.tfvars | 83 ------------------- .../compute/container_registry/registry.tf | 15 ---- .../compute/container_registry/variables.tf | 41 ++------- 4 files changed, 9 insertions(+), 137 deletions(-) delete mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars diff --git a/compute_container_registry.tf b/compute_container_registry.tf index a20a113d6e..94cacd9084 100644 --- a/compute_container_registry.tf 
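Review bot: The added `combined_objects_route_tables = merge(...)` line in the locals.combined_objects.tf hunk is byte-identical to the context line immediately above it, so the `locals` block now defines the same attribute twice, which Terraform rejects as a redefined attribute. The added line should be dropped; the `route_tables = local.combined_objects_route_tables` entry added to `services_roles` in the roles.tf hunk is fine once the duplicate is gone. The enclosing `locals` block starts and ends outside the hunk.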
+++ b/compute_container_registry.tf @@ -19,17 +19,10 @@ module "container_registry" { settings = each.value public_network_access_enabled = try(each.value.public_network_access_enabled, "true") - base_tags = local.global_settings.inherit_tags resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null location = try(local.global_settings.regions[each.value.region], null) - - quarantine_policy_enabled = try(each.value.quarantine_policy_enabled, false) - zone_redundancy_enabled = try(each.value.zone_redundancy_enabled, false) - export_policy_enabled = try(each.value.export_policy_enabled, true) - trust_policy = try(each.value.trust_policy, {}) - retention_policy = try(each.value.retention_policy, {}) } output "azure_container_registries" { diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars deleted file mode 100644 index b02e7f1486..0000000000 --- a/examples/compute/container_registry/300-acr-premium/configuration.tfvars +++ /dev/null 
@@ -1,83 +0,0 @@ -global_settings = { - default_region = "region1" - environment = "test" - regions = { - region1 = "australiaeast" - region2 = "australiacentral" - region3 = "westeurope" - } -} - - -resource_groups = { - # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" - acr_region1 = { - name = "acr" - } - vnet_region1 = { - name = "acr-vnet" - } -} - -azure_container_registries = { - acr1 = { - name = "acr-test" - resource_group_key = "acr_region1" - sku = "Premium" - - public_network_access_enabled = "false" #Only able to control when sku = "premium" - - georeplications = { - region2 = { - tags = { - region = "australiacentral" - type = "acr_replica" - } - } - region3 = { - tags = { - region = "westeurope" - type = "acr_replica" - } - } - } - network_rule_set = { - rule1 = { - default_action = "Allow" - # ip_rules = { - # rule1 = { - # ip_range = [""] - # } - # } - virtual_networks = { - acr1_jumphost = { - vnet_key = "hub_rg1" - subnet_key = "jumphost" - } - } - } - } - - } -} - - -vnets = { - hub_rg1 = { - resource_group_key = "vnet_region1" - vnet = { - name = "hub" - address_space = ["100.64.100.0/22"] - } - specialsubnets = {} - subnets = { - jumphost = { - name = "jumphost" - cidr = ["100.64.103.0/27"] - service_endpoints = ["Microsoft.ContainerRegistry"] - } - } - } - -} - diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index 84fa43a94c..ca0d8757af 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
@@ -18,20 +18,6 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled - quarantine_policy_enabled = var.quarantine_policy_enabled - zone_redundancy_enabled = var.zone_redundancy_enabled - export_policy_enabled = var.export_policy_enabled - - trust_policy { - enabled = lookup(var.trust_policy, "enabled", false) - } - - retention_policy { - enabled = lookup(var.retention_policy, "enabled", false) - days = lookup(var.retention_policy, "days", 7) - } - - dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -62,7 +48,6 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] - regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index 5e7924ee32..242d80e4b6 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf 
@@ -63,41 +63,18 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" } -variable "location" { - description = "location of the resource if different from the resource group." - default = null } -variable "resource_group_name" { - description = "Resource group object to deploy the virtual machine" - default = null + type = bool + description = "Base tags for the resource to be inherited from the resource group." +variable "base_tags" { } variable "resource_group" { description = "Resource group object to deploy the virtual machine" } -variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." - type = bool -} - -variable "quarantine_policy_enabled" { - type = bool - default = false -} - -variable "retention_policy" { - default = {} -} - -variable "trust_policy" { - default = {} -} - -variable "zone_redundancy_enabled" { - type = bool - default = false + default = null + description = "Resource group object to deploy the virtual machine" +variable "resource_group_name" { } - -variable "export_policy_enabled" { - type = bool - default = true -} \ No newline at end of file + default = null + description = "location of the resource if different from the resource group." +variable "location" { \ No newline at end of file From d471e22e48ece3ca8062f73e6e39304bb2835f1a Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Mon, 12 Jun 2023 10:09:21 +0000 Subject: [PATCH 163/244] fix(network-monitor): adding outputs to be referenced --- locals.combined_objects.tf | 82 +++++++++++++++++++------------------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 059ed5afdc..2b3351f29b 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
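Review bot: As printed, the nine added lines in the variables.tf hunk are in inverted order: each variable's `type`/`description`/`default` attributes precede its `variable "…" {` header, each header is followed immediately by a `}` kept from context, and a stray `}` sits after the `public_network_access_enabled` block, so the new side of the file is not valid HCL. The intent of the revert is clearly to keep `base_tags`, `resource_group`, `resource_group_name` and `location` as they were before the reverted commit, so the hunk should be re-applied so that each of those is a complete block; the version below follows the earlier commit on this page.

```hcl
# … unchanged: variable "private_dns", variable "public_network_access_enabled" …
variable "base_tags" {
  description = "Base tags for the resource to be inherited from the resource group."
  type        = bool
}
variable "resource_group" {
  description = "Resource group object to deploy the virtual machine"
}
variable "resource_group_name" {
  description = "Resource group object to deploy the virtual machine"
  default     = null
}
variable "location" {
  description = "location of the resource if different from the resource group."
  default     = null
}
```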
@@ -114,50 +114,50 @@ locals { combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), lookup(var.remote_objects, "logic_app_standard", {})) combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), lookup(var.remote_objects, "logic_app_workflow", {}), lookup(var.data_sources, "logic_app_workflow", {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) - combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), lookup(var.remote_objects, "machine_learning_workspaces", {}), lookup(var.data_sources, "machine_learning_workspaces", {})) + combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {})) + combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {})) + combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {})) + combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {})) + combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_elastic_pools }), try(var.remote_objects.mssql_elastic_pools, {})) + combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_databases }), try(var.remote_objects.mssql_managed_databases, {})) + combined_objects_mssql_managed_instances = merge(tomap({ 
(local.client_config.landingzone_key) = module.mssql_managed_instances }), try(var.remote_objects.mssql_managed_instances, {})) + combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) + combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) + combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) + combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), try(var.remote_objects.mysql_flexible_server, {})) + combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) + combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), try(var.remote_objects.nat_gateways, {})) + combined_objects_network_connection_monitors = merge(tomap({ (local.client_config.landingzone_key) = module.network_connection_monitors }), try(var.remote_objects.network_connection_monitors, {})) + combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), try(var.remote_objects.network_profiles, {})) + combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), try(var.remote_objects.network_security_groups, {}), try(var.data_sources.network_security_groups, {})) + combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), try(var.remote_objects.network_watchers, {}), try(var.data_sources.network_watchers, {})) + combined_objects_networking = merge(tomap({ 
(local.client_config.landingzone_key) = module.networking }), try(var.remote_objects.vnets, {}), try(var.data_sources.vnets, {})) + combined_objects_postgresql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_flexible_servers }), try(var.remote_objects.postgresql_flexible_servers, {})) + combined_objects_postgresql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_servers }), try(var.remote_objects.postgresql_servers, {}), try(var.data_sources.postgresql_servers, {})) + combined_objects_private_dns = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns }), try(var.remote_objects.private_dns, {}), try(var.data_sources.private_dns, {})) + combined_objects_private_dns_resolver_dns_forwarding_rulesets = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_dns_forwarding_rulesets }), try(var.remote_objects.private_dns_resolver_dns_forwarding_rulesets, {})) + combined_objects_private_dns_resolver_inbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_inbound_endpoints }), try(var.remote_objects.private_dns_resolver_inbound_endpoints, {})) + combined_objects_private_dns_resolver_outbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_outbound_endpoints }), try(var.remote_objects.private_dns_resolver_outbound_endpoints, {})) + combined_objects_private_dns_resolvers = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolvers }), try(var.remote_objects.private_dns_resolvers, {})) + combined_objects_private_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_endpoints }), try(var.remote_objects.private_endpoints, {})) + combined_objects_proximity_placement_groups = merge(tomap({ (local.client_config.landingzone_key) = module.proximity_placement_groups }), try(var.remote_objects.proximity_placement_groups, {}), 
try(var.data_sources.proximity_placement_groups, {})) + combined_objects_public_ip_addresses = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_addresses }), try(var.remote_objects.public_ip_addresses, {}), try(var.data_sources.public_ip_addresses, {})) + combined_objects_public_ip_prefixes = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_prefixes }), try(var.remote_objects.public_ip_prefixes, {})) + combined_objects_purview_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.purview_accounts }), try(var.remote_objects.purview_accounts, {})) + combined_objects_recovery_vaults = merge(tomap({ (local.client_config.landingzone_key) = module.recovery_vaults }), try(var.remote_objects.recovery_vaults, {}), try(var.data_sources.recovery_vaults, {})) + combined_objects_redis_caches = merge(tomap({ (local.client_config.landingzone_key) = module.redis_caches }), try(var.remote_objects.redis_caches, {}), try(var.data_sources.redis_caches, {})) + combined_objects_relay_hybrid_connection = merge(tomap({ (local.client_config.landingzone_key) = module.relay_hybrid_connection }), try(var.remote_objects.relay_hybrid_connection, {})) + combined_objects_relay_namespace = merge(tomap({ (local.client_config.landingzone_key) = module.relay_namespace }), try(var.remote_objects.relay_namespace, {})) + combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = local.resource_groups }), try(var.remote_objects.resource_groups, {}), try(var.data_sources.resource_groups, {})) + combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) + combined_objects_sentinel_watchlists = merge(tomap({ (local.client_config.landingzone_key) = module.sentinel_watchlists }), try(var.remote_objects.sentinel_watchlists, {})) + combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = 
module.servicebus_namespaces }), try(var.remote_objects.servicebus_namespaces, {})) + combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), try(var.remote_objects.servicebus_queues, {})) + combined_objects_servicebus_topics = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_topics }), try(var.remote_objects.servicebus_topics, {})) + combined_objects_signalr_services = merge(tomap({ (local.client_config.landingzone_key) = module.signalr_services }), try(var.remote_objects.signalr_services, {})) combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), lookup(var.remote_objects, "maintenance_configuration", {})) combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), lookup(var.remote_objects, "maintenance_assignment_virtual_machine", {})) - combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), lookup(var.remote_objects, "managed_identities", {}), lookup(var.data_sources, "managed_identities", {})) combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), lookup(var.remote_objects, "maps_accounts", {})) - combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), lookup(var.remote_objects, "monitor_action_groups", {}), lookup(var.data_sources, "monitor_action_groups", {})) - combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), lookup(var.remote_objects, "mssql_databases", {}), lookup(var.data_sources, "mssql_databases", {})) - combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = 
merge(module.mssql_elastic_pools, lookup(var.data_sources, "mssql_elastic_pools", {})) }), lookup(var.remote_objects, "mssql_elastic_pools", {})) - combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_databases, module.mssql_managed_databases_v1) }), lookup(var.remote_objects, "mssql_managed_databases", {}), lookup(var.data_sources, "mssql_managed_databases", {})) - combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, lookup(var.data_sources, "mssql_managed_instances", {})) }), lookup(var.remote_objects, "mssql_managed_instances", {}), lookup(var.data_sources, "mssql_managed_instances", {})) - combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, lookup(var.data_sources, "mssql_managed_instances_secondary", {})) }), lookup(var.remote_objects, "mssql_managed_instances_secondary", {}), lookup(var.remote_objects, "mssql_managed_instances_secondary", {})) - combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, lookup(var.data_sources, "mssql_servers", {})) }), lookup(var.remote_objects, "mssql_servers", {})) - combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), lookup(var.remote_objects, "mysql_flexible_server", {})) - combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), lookup(var.remote_objects, "mysql_servers", {}), lookup(var.data_sources, "mysql_servers", {})) - combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), lookup(var.remote_objects, "nat_gateways", {}), lookup(var.data_sources, 
"nat_gateways", {})) - combined_objects_network_connection_monitors = merge(tomap({ (local.client_config.landingzone_key) = module.network_connection_monitors }), try(var.remote_objects.network_connection_monitors, {})) - combined_objects_network_profiles = merge(tomap({ (local.client_config.landingzone_key) = module.network_profiles }), lookup(var.remote_objects, "network_profiles", {})) - combined_objects_network_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.network_security_groups }), lookup(var.remote_objects, "network_security_groups", {}), lookup(var.data_sources, "network_security_groups", {})) - combined_objects_network_watchers = merge(tomap({ (local.client_config.landingzone_key) = module.network_watchers }), lookup(var.remote_objects, "network_watchers", {}), lookup(var.data_sources, "network_watchers", {})) - combined_objects_networking = merge(tomap({ (local.client_config.landingzone_key) = merge(module.networking, lookup(var.data_sources, "vnets", {})) }), lookup(var.remote_objects, "vnets", {})) - combined_objects_postgresql_flexible_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_flexible_servers }), lookup(var.remote_objects, "postgresql_flexible_servers", {})) - combined_objects_postgresql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.postgresql_servers }), lookup(var.remote_objects, "postgresql_servers", {}), lookup(var.data_sources, "postgresql_servers", {})) - combined_objects_private_dns = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns }), lookup(var.remote_objects, "private_dns", {}), lookup(var.data_sources, "private_dns", {})) - combined_objects_private_dns_resolver_dns_forwarding_rulesets = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_dns_forwarding_rulesets }), lookup(var.remote_objects, "private_dns_resolver_dns_forwarding_rulesets", {})) - 
combined_objects_private_dns_resolver_inbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_inbound_endpoints }), lookup(var.remote_objects, "private_dns_resolver_inbound_endpoints", {})) - combined_objects_private_dns_resolver_outbound_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolver_outbound_endpoints }), lookup(var.remote_objects, "private_dns_resolver_outbound_endpoints", {})) - combined_objects_private_dns_resolvers = merge(tomap({ (local.client_config.landingzone_key) = module.private_dns_resolvers }), lookup(var.remote_objects, "private_dns_resolvers", {})) - combined_objects_private_endpoints = merge(tomap({ (local.client_config.landingzone_key) = module.private_endpoints }), lookup(var.remote_objects, "private_endpoints", {})) - combined_objects_proximity_placement_groups = merge(tomap({ (local.client_config.landingzone_key) = module.proximity_placement_groups }), lookup(var.remote_objects, "proximity_placement_groups", {}), lookup(var.data_sources, "proximity_placement_groups", {})) - combined_objects_public_ip_addresses = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_addresses }), lookup(var.remote_objects, "public_ip_addresses", {}), lookup(var.data_sources, "public_ip_addresses", {})) - combined_objects_public_ip_prefixes = merge(tomap({ (local.client_config.landingzone_key) = module.public_ip_prefixes }), lookup(var.remote_objects, "public_ip_prefixes", {})) - combined_objects_purview_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.purview_accounts }), lookup(var.remote_objects, "purview_accounts", {})) - combined_objects_recovery_vaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.recovery_vaults, lookup(var.data_sources, "recovery_vaults", {})) }), lookup(var.remote_objects, "recovery_vaults", {})) - combined_objects_redis_caches = merge(tomap({ (local.client_config.landingzone_key) = 
module.redis_caches }), lookup(var.remote_objects, "redis_caches", {}), lookup(var.data_sources, "redis_caches", {})) - combined_objects_relay_hybrid_connection = merge(tomap({ (local.client_config.landingzone_key) = module.relay_hybrid_connection }), lookup(var.remote_objects, "relay_hybrid_connection", {})) - combined_objects_relay_namespace = merge(tomap({ (local.client_config.landingzone_key) = module.relay_namespace }), lookup(var.remote_objects, "relay_namespace", {})) - combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(local.resource_groups, lookup(var.data_sources, "resource_groups", {})) }), lookup(var.remote_objects, "resource_groups", {})) - combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), lookup(var.remote_objects, "route_tables", {})) - combined_objects_search_services = merge(tomap({ (local.client_config.landingzone_key) = module.search_service }), lookup(var.remote_objects, "search_services", {}), lookup(var.data_sources, "search_services", {})) - combined_objects_sentinel_watchlists = merge(tomap({ (local.client_config.landingzone_key) = module.sentinel_watchlists }), lookup(var.remote_objects, "sentinel_watchlists", {})) - combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_namespaces }), lookup(var.remote_objects, "servicebus_namespaces", {}), lookup(var.data_sources, "servicebus_namespaces", {})) - combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), lookup(var.remote_objects, "servicebus_queues", {}), lookup(var.data_sources, "servicebus_queues", {})) - combined_objects_servicebus_topics = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_topics }), lookup(var.remote_objects, "servicebus_topics", {}), lookup(var.data_sources, "servicebus_topics", {})) - combined_objects_signalr_services = 
merge(tomap({ (local.client_config.landingzone_key) = module.signalr_services }), lookup(var.remote_objects, "signalr_services", {}), lookup(var.data_sources, "signalr_services", {})) combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), lookup(var.remote_objects, "storage_account_file_shares", {})) combined_objects_shared_image_galleries = merge(tomap({ (local.client_config.landingzone_key) = module.shared_image_galleries }), try(var.remote_objects.shared_image_galleries, {})) combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), lookup(var.remote_objects, "storage_account_queues", {})) From 37ff289650cd28e1f4b30924b5954decddde9204 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Wed, 19 Jul 2023 08:13:41 +0000 Subject: [PATCH 164/244] fixing merge issus, fixing cyclic dependencies, upgrading to azurerm 3.65 --- locals.combined_objects.tf | 2 +- .../api_management_custom_domain/module.tf | 44 +++++++++---------- .../compute/container_registry/variables.tf | 15 ++++--- modules/compute/virtual_machine/variables.tf | 3 +- .../LinuxDiagnostic.tf | 4 +- .../virtual_machine_scale_set/variables.tf | 7 ++- .../virtual_network/subnet/subnet.tf | 14 +++--- virtual_machines_scale_sets.tf | 4 +- 8 files changed, 52 insertions(+), 41 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 2b3351f29b..2333014a70 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -204,4 +204,4 @@ locals { ) } - + diff --git a/modules/apim/api_management_custom_domain/module.tf b/modules/apim/api_management_custom_domain/module.tf index 7a11654cba..d92b031ea5 100644 --- a/modules/apim/api_management_custom_domain/module.tf +++ b/modules/apim/api_management_custom_domain/module.tf 
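Review bot: The rewritten block on the new side silently narrows several combined objects instead of only adding the network-monitor output the subject describes: `combined_objects_search_services` is removed with no replacement, the `module.*_v1` merges disappear from `mssql_managed_databases`, `mssql_managed_instances` and `mssql_managed_instances_secondary`, and the `var.data_sources` merge is dropped for `machine_learning_workspaces`, `managed_identities`, `monitor_action_groups`, `mssql_databases`, `mssql_elastic_pools`, `mssql_servers`, `mysql_servers` and `nat_gateways`. Any landing zone that reaches one of those objects through a data source or the `_v1` module path loses the reference after this commit, a regression that only surfaces at plan time in a downstream repository. `combined_objects_networking`, `combined_objects_recovery_vaults` and `combined_objects_resource_groups` also move their `data_sources` entries from inside the landing-zone key to the top-level merge, which changes the keys callers index by; that may be deliberate, but it is not mentioned either. The +41/−41 diffstat suggests a rebase artefact, so either restore the removed entries or split the cleanup into its own commit whose message lists the dropped objects. The enclosing `locals` block starts and ends outside this hunk.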
@@ -39,28 +39,28 @@ resource "azurerm_api_management_custom_domain" "apim" { negotiate_client_certificate = try(portal.value.negotiate_client_certificate, null) } } - - dynamic "proxy" { - for_each = try(var.settings.proxy, null) != null ? [var.settings.proxy] : [] - content { - host_name = try(proxy.value.host_name, null) - certificate = try(proxy.value.certificate, null) - certificate_password = try(proxy.value.certificate_password, null) - default_ssl_binding = try(proxy.value.default_ssl_binding, null) - #key_vault_id = var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][proxy.value.key_vault_certificate.certificate_key].secret_id - key_vault_id = try( - #data.azurerm_key_vault_certificate.manual_certs[each.key].secret_id, - try(var.remote_objects.keyvault_certificates[proxy.value.key_vault_certificate.lz_key][proxy.value.key_vault_certificate.certificate_key].secret_id, null), - try(var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][proxy.value.key_vault_certificate.certificate_key].secret_id, null), - try(var.remote_objects.keyvault_certificate_requests[var.client_config.landingzone_key][proxy.value.certificate_request_key].secret_id, null), - try(var.remote_objects.keyvault_certificate_requests[proxy.value.key_vault_certificate.lz_key][proxy.value.certificate_request_key].secret_id, null), - try(proxy.value.key_vault_id, null), - null - ) - - negotiate_client_certificate = try(proxy.value.negotiate_client_certificate, null) - } - } + //Blocks of type "proxy" are not expected here. + #dynamic "proxy" { + # for_each = try(var.settings.proxy, null) != null ? 
[var.settings.proxy] : [] + # content { + # host_name = try(proxy.value.host_name, null) + # certificate = try(proxy.value.certificate, null) + # certificate_password = try(proxy.value.certificate_password, null) + # default_ssl_binding = try(proxy.value.default_ssl_binding, null) + # #key_vault_id = var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][proxy.value.key_vault_certificate.certificate_key].secret_id + # key_vault_id = try( + # #data.azurerm_key_vault_certificate.manual_certs[each.key].secret_id, + # try(var.remote_objects.keyvault_certificates[proxy.value.key_vault_certificate.lz_key][proxy.value.key_vault_certificate.certificate_key].secret_id, null), + # try(var.remote_objects.keyvault_certificates[var.client_config.landingzone_key][proxy.value.key_vault_certificate.certificate_key].secret_id, null), + # try(var.remote_objects.keyvault_certificate_requests[var.client_config.landingzone_key][proxy.value.certificate_request_key].secret_id, null), + # try(var.remote_objects.keyvault_certificate_requests[proxy.value.key_vault_certificate.lz_key][proxy.value.certificate_request_key].secret_id, null), + # try(proxy.value.key_vault_id, null), + # null + # ) + # + # negotiate_client_certificate = try(proxy.value.negotiate_client_certificate, null) + # } + #} dynamic "scm" { for_each = try(var.settings.scm, null) != null ? [var.settings.scm] : [] diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index 242d80e4b6..03831e82b3 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf 
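Review bot: Commenting out the whole `proxy` block drops the custom hostname, certificate and Key Vault `secret_id` wiring for the gateway endpoint, so anyone with `settings.proxy` configured loses their custom TLS domain on the next apply without any error. The provider message quoted in the `//Blocks of type "proxy" are not expected here.` comment comes from the azurerm 3.x rename of this block to `gateway`, so the fix is a rename rather than a removal: `dynamic "gateway" {` with `for_each = try(var.settings.gateway, var.settings.proxy, null) != null ? [try(var.settings.gateway, var.settings.proxy)] : []` and the existing content with `proxy.value` changed to `gateway.value`. Keeping the `key_vault_id` lookup matters in particular, because without it the only remaining way to supply a certificate is the inline `certificate`/`certificate_password` pair, which puts the PFX and its password into configuration and state. If the removal is meant to be temporary, leave a one-line TODO naming the rename instead of a dead block. The enclosing `azurerm_api_management_custom_domain` resource starts and ends outside this hunk.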
@@ -63,18 +63,23 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" } -} + +variable "base_tags" { type = bool description = "Base tags for the resource to be inherited from the resource group." -variable "base_tags" { } + variable "resource_group" { description = "Resource group object to deploy the virtual machine" -} default = null - description = "Resource group object to deploy the virtual machine" + +} + variable "resource_group_name" { } + + +variable "location" { default = null description = "location of the resource if different from the resource group." -variable "location" { \ No newline at end of file +} diff --git a/modules/compute/virtual_machine/variables.tf b/modules/compute/virtual_machine/variables.tf index 3f3efee0e4..d07ac470ae 100644 --- a/modules/compute/virtual_machine/variables.tf +++ b/modules/compute/virtual_machine/variables.tf @@ -27,7 +27,6 @@ variable "settings" {} variable "vnets" {} -variable "virtual_subnets" {} # Security variable "public_key_pem_file" { @@ -97,4 +96,4 @@ variable "virtual_subnets" { description = "Map of virtual_subnets objects" default = {} nullable = false -} \ No newline at end of file +} diff --git a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf index ed9cde7c2a..9b00b3bf15 100644 --- a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf +++ b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf @@ -59,5 +59,7 @@ data "azurerm_storage_account_sas" "token" { create = true update = true process = true + filter = true + tag = true } -} \ No newline at end of file +} diff --git a/modules/compute/virtual_machine_scale_set/variables.tf b/modules/compute/virtual_machine_scale_set/variables.tf index 4f0ed4f2d1..0098429315 100644 --- a/modules/compute/virtual_machine_scale_set/variables.tf +++ b/modules/compute/virtual_machine_scale_set/variables.tf 
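Review bot: After this hunk `variable "resource_group_name"` is an empty block with no `default`, so it becomes a required input of the module, while the `default = null` that previously belonged to it now sits inside `variable "resource_group"` next to a stray blank line. Unless every caller passes `resource_group_name`, `terraform plan` will fail with a missing-variable error. Restore the original shape, `variable "resource_group_name" { description = "Resource group object to deploy the virtual machine" default = null }`, and keep `resource_group` description-only unless making it optional is intended as well.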
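Review bot: `filter = true` and `tag = true` grant the generated SAS two permissions the diagnostic extension has no use for; the arguments are presumably added because the 3.x provider schema now requires them, but the schema does not require them to be true, so `filter = false` and `tag = false` keeps the token at the permissions it already had. The token is presumably handed to the VM extension, so every extra permission widens what a compromised VM can do against the storage account. The enclosing `data "azurerm_storage_account_sas" "token"` block starts outside this hunk.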
@@ -68,10 +68,13 @@ variable "image_definitions" { } variable "disk_encryption_sets" {} -variable "load_balancers" {} +variable "load_balancers" { + default = {} + +} variable "lbs" { default = {} } variable "lb_backend_address_pool" { default = {} -} \ No newline at end of file +} diff --git a/modules/networking/virtual_network/subnet/subnet.tf b/modules/networking/virtual_network/subnet/subnet.tf index ef377099e8..fc7494173d 100644 --- a/modules/networking/virtual_network/subnet/subnet.tf +++ b/modules/networking/virtual_network/subnet/subnet.tf @@ -11,11 +11,13 @@ resource "azurecaf_name" "subnet" { resource "azurerm_subnet" "subnet" { - name = azurecaf_name.subnet.result - resource_group_name = var.resource_group_name - virtual_network_name = var.virtual_network_name - address_prefixes = var.address_prefixes - service_endpoints = var.service_endpoints + name = azurecaf_name.subnet.result + resource_group_name = var.resource_group_name + virtual_network_name = var.virtual_network_name + address_prefixes = var.address_prefixes + service_endpoints = var.service_endpoints + //An argument named "private_endpoint_network_policies_enabled" is not expected here. + //An argument named "private_link_service_network_policies_enabled" is not expected here. private_endpoint_network_policies_enabled = try(var.private_endpoint_network_policies_enabled, null) private_link_service_network_policies_enabled = try(var.private_link_service_network_policies_enabled, null) @@ -36,4 +38,4 @@ resource "azurerm_subnet" "subnet" { ignore_changes = [name] } -} \ No newline at end of file +} diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index d012281d5f..83fbc1434c 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf 
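Review bot: The two `//An argument named "…" is not expected here.` comments are provider error messages pasted above arguments that this hunk keeps, so they contradict the code they annotate: either `private_endpoint_network_policies_enabled` and `private_link_service_network_policies_enabled` are accepted by the targeted provider version, in which case the comments are stale and should go, or they are not, in which case the plan fails regardless of the comments. These two arguments decide whether NSG and route-table policies apply to private endpoints in the subnet, so a note implying they are invalid invites someone to delete them; if context is needed, replace both comments with one line stating the provider version they were verified against. The enclosing `azurerm_subnet` resource ends outside this hunk.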
@@ -4,11 +4,11 @@ module "virtual_machine_scale_sets" { source = "./modules/compute/virtual_machine_scale_set" depends_on = [ module.availability_sets, - module.dynamic_keyvault_secrets, + #module.dynamic_keyvault_secrets, module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, - module.load_balancers, + #module.load_balancers, module.application_gateways, module.application_security_groups, module.packer_service_principal, From e69ef449ffbdcbfadc4eff2ad371718c4e21aea0 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Thu, 20 Jul 2023 10:52:05 +0000 Subject: [PATCH 165/244] fix(keyvault): adding compatibility for resourcegroup_key + lz_key style references for compatibility purposes --- keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keyvault.tf b/keyvault.tf index 30adbdf8d0..b80f867746 100644 --- a/keyvault.tf +++ b/keyvault.tf @@ -14,7 +14,7 @@ module "keyvaults" { private_dns = local.combined_objects_private_dns base_tags = local.global_settings.inherit_tags - resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] + resource_group = local.combined_objects_resource_groups[try(try(each.value.resource_group.lz_key,each.value.lz_key), local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null location = try(local.global_settings.regions[each.value.region], null) } From 2815e48ed94447d4aeca04faf688bafa81a1944c Mon Sep 17 00:00:00 2001 
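Review bot: Commenting out `module.dynamic_keyvault_secrets` and `module.load_balancers` in `depends_on` removes the ordering guarantee without documenting why; a reader of the new code sees two dead lines and no hint that they were breaking a dependency cycle. If the scale-set module consumes any of the dynamic Key Vault secrets (admin credentials, for instance) or the load-balancer backend pools, that ordering now rests only on implicit attribute references, which should be checked before merging. Delete the two lines rather than commenting them out and add one comment above the list, e.g. `# dynamic_keyvault_secrets and load_balancers are intentionally absent: listing them here creates a dependency cycle`. The enclosing `module "virtual_machine_scale_sets"` block ends outside this hunk.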
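Review bot: The nested `try(try(each.value.resource_group.lz_key, each.value.lz_key), local.client_config.landingzone_key)` is redundant, since `try` already accepts any number of fallbacks; `try(each.value.resource_group.lz_key, each.value.lz_key, local.client_config.landingzone_key)` is equivalent, shorter and `terraform fmt`-clean (the current line also lacks the space after the first comma). The enclosing `module "keyvaults"` block starts outside this hunk.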
From: janik muenk Date: Fri, 28 Jul 2023 10:52:10 +0000 Subject: [PATCH 166/244] fix(private-resolvers): random name changes. https://github.com/aztfmod/terraform-azurerm-caf/issues/1730 --- .../private_dns_resolvers_forwarding_rules/module.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/networking/private_dns_resolvers_forwarding_rules/module.tf b/modules/networking/private_dns_resolvers_forwarding_rules/module.tf index 465f023a4a..59b4e474c0 100644 --- a/modules/networking/private_dns_resolvers_forwarding_rules/module.tf +++ b/modules/networking/private_dns_resolvers_forwarding_rules/module.tf @@ -24,7 +24,11 @@ resource "azurerm_private_dns_resolver_forwarding_rule" "pvt_dns_resolver_forwar port = try(target_dns_servers.value.port, 53) } } - + lifecycle { + ignore_changes = [ + name + ] + } } From 0c94a04c000f1285c96805d462e9685757f80007 Mon Sep 17 00:00:00 2001 From: janik muenk Date: Thu, 3 Aug 2023 13:32:52 +0000 Subject: [PATCH 167/244] fix: adding lifecylce rule to azurerm_private_dns_resolver_forwarding_rule --- .../networking/private_dns_resolvers_forwarding_rules/module.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/networking/private_dns_resolvers_forwarding_rules/module.tf b/modules/networking/private_dns_resolvers_forwarding_rules/module.tf index 59b4e474c0..2fb381dbfb 100644 --- a/modules/networking/private_dns_resolvers_forwarding_rules/module.tf +++ b/modules/networking/private_dns_resolvers_forwarding_rules/module.tf 
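Review bot: `ignore_changes = [name]` hides the symptom reported in aztfmod/terraform-azurerm-caf#1730 without recording why, and it has a cost: once applied, any later change to `name` — including a deliberate rename through the naming data source — is ignored, and since a name change normally forces replacement, Terraform will never reconcile the resource with its configured name. Add a comment inside the block that ties it to the issue and its exit condition, e.g. `# workaround for aztfmod/terraform-azurerm-caf#1730 (spurious name diffs); remove once the root cause is found`, so the exception is not left in place indefinitely. The enclosing `azurerm_private_dns_resolver_forwarding_rule` resource starts outside this hunk.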
@@ -11,7 +11,7 @@ data "azurecaf_name" "pvtdnsrfr" { resource "azurerm_private_dns_resolver_forwarding_rule" "pvt_dns_resolver_forwarding_rule" { - name = data.azurecaf_name.pvtdnsrfr.result + name = data.azurecaf_name.pvtdnsrfr.result //random name changes are a reported issue, can not find the reason right now. https://github.com/aztfmod/terraform-azurerm-caf/issues/1730. Lifecycle rule is a workaround... dns_forwarding_ruleset_id = var.dns_forwarding_ruleset_id domain_name = var.settings.domain_name enabled = try(var.settings.enabled, null) From d9181bda424bb0540c0a0d6e21291686980cb9ba Mon Sep 17 00:00:00 2001 From: janik muenk Date: Thu, 3 Aug 2023 13:36:08 +0000 Subject: [PATCH 168/244] fix: removing second combined_objects_route_tables --- locals.combined_objects.tf | 54 ++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 28 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 2333014a70..deafbc4de2 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -160,34 +160,32 @@ locals { combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), lookup(var.remote_objects, "maps_accounts", {})) combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), lookup(var.remote_objects, "storage_account_file_shares", {})) combined_objects_shared_image_galleries = merge(tomap({ (local.client_config.landingzone_key) = module.shared_image_galleries }), try(var.remote_objects.shared_image_galleries, {})) - combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), lookup(var.remote_objects, "storage_account_queues", {})) - combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = merge(module.storage_accounts, lookup(var.data_sources, "storage_accounts", {})) }), lookup(var.remote_objects, "storage_accounts", {})) - combined_objects_storage_containers = merge(tomap({ (local.client_config.landingzone_key) = module.storage_containers }), lookup(var.remote_objects, "storage_containers", {}), lookup(var.data_sources, "storage_containers", {})) - combined_objects_synapse_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.synapse_workspaces }), lookup(var.remote_objects, "synapse_workspaces", {}), lookup(var.data_sources, "synapse_workspaces", {})) - combined_objects_traffic_manager_azure_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_azure_endpoint }), lookup(var.remote_objects, "traffic_manager_azure_endpoint", {})) - combined_objects_traffic_manager_external_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_external_endpoint }), lookup(var.remote_objects, "traffic_manager_external_endpoint", {})) - combined_objects_traffic_manager_nested_endpoint = merge(tomap({ (local.client_config.landingzone_key) = 
module.traffic_manager_nested_endpoint }), lookup(var.remote_objects, "traffic_manager_nested_endpoint", {})) - combined_objects_traffic_manager_profile = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_profile }), lookup(var.remote_objects, "traffic_manager_profile", {})) - combined_objects_virtual_hub_connections = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_connection.vhub_connection }), lookup(var.remote_objects, "vhub_peerings", {}), lookup(var.remote_objects, "virtual_hub_connections", {})) - combined_objects_virtual_hub_route_tables = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), lookup(var.remote_objects, "virtual_hub_route_tables", {})) - combined_objects_virtual_wans = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_wans, lookup(var.data_sources, "virtual_wans", {})) }), lookup(var.remote_objects, "virtual_wans", {}), lookup(var.data_sources, "virtual_wans", {})) - combined_objects_virtual_hubs = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_hubs, lookup(var.data_sources, "virtual_hubs", {})) }), lookup(var.remote_objects, "virtual_hubs", {}), lookup(var.data_sources, "virtual_hubs", {})) - combined_objects_virtual_machine_scale_sets = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machine_scale_sets }), lookup(var.remote_objects, "virtual_machine_scale_sets", {}), lookup(var.data_sources, "virtual_machine_scale_sets", {})) - combined_objects_virtual_machines = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machines }), lookup(var.remote_objects, "virtual_machines", {}), lookup(var.data_sources, "virtual_machines", {})) - combined_objects_virtual_subnets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.virtual_subnets, lookup(var.data_sources, "virtual_subnets", {})) }), lookup(var.remote_objects, "virtual_subnets", {})) - 
combined_objects_vmware_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_clusters }), lookup(var.remote_objects, "vmware_clusters", {})) - combined_objects_vmware_express_route_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_express_route_authorizations }), lookup(var.remote_objects, "vmware_express_route_authorizations", {})) - combined_objects_vmware_private_clouds = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_private_clouds }), lookup(var.remote_objects, "vmware_private_clouds", {}), lookup(var.data_sources, "vmware_private_clouds", {})) - combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), lookup(var.remote_objects, "vpn_gateway_connections", {})) - combined_objects_vpn_gateway_nat_rules = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_nat_rules }), lookup(var.remote_objects, "vpn_gateway_nat_rules", {})) - combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), lookup(var.remote_objects, "vpn_sites", {})) - combined_objects_web_pubsub_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsub_hubs }), lookup(var.remote_objects, "web_pubsub_hubs", {})) - combined_objects_web_pubsubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsubs }), lookup(var.remote_objects, "web_pubsubs", {})) - combined_objects_wvd_application_groups = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), lookup(var.remote_objects, "wvd_application_groups", {})) - combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), lookup(var.remote_objects, "wvd_applications", {})) - combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), lookup(var.remote_objects, 
"wvd_host_pools", {})) - combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), lookup(var.remote_objects, "wvd_workspaces", {})) - combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) + combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), try(var.remote_objects.storage_account_queues, {})) + combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.storage_accounts }), try(var.remote_objects.storage_accounts, {}), try(var.data_sources.storage_accounts, {})) + combined_objects_storage_containers = merge(tomap({ (local.client_config.landingzone_key) = module.storage_containers }), try(var.remote_objects.storage_containers, {}), try(var.data_sources.storage_containers, {})) + combined_objects_synapse_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.synapse_workspaces }), try(var.remote_objects.synapse_workspaces, {}), try(var.data_sources.synapse_workspaces, {})) + combined_objects_traffic_manager_azure_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_azure_endpoint }), try(var.remote_objects.traffic_manager_azure_endpoint, {})) + combined_objects_traffic_manager_external_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_external_endpoint }), try(var.remote_objects.traffic_manager_external_endpoint, {})) + combined_objects_traffic_manager_nested_endpoint = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_nested_endpoint }), try(var.remote_objects.traffic_manager_nested_endpoint, {})) + combined_objects_traffic_manager_profile = merge(tomap({ (local.client_config.landingzone_key) = module.traffic_manager_profile }), try(var.remote_objects.traffic_manager_profile, {})) + 
combined_objects_virtual_hub_connections = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_connection.vhub_connection }), try(var.remote_objects.vhub_peerings, {}), try(var.remote_objects.virtual_hub_connections, {})) + combined_objects_virtual_hub_route_tables = merge(tomap({ (local.client_config.landingzone_key) = azurerm_virtual_hub_route_table.route_table }), try(var.remote_objects.virtual_hub_route_tables, {})) + combined_objects_virtual_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_hubs }), try(var.remote_objects.virtual_hubs, {}), try(var.data_sources.virtual_hubs, {})) + combined_objects_virtual_machine_scale_sets = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machine_scale_sets }), try(var.remote_objects.virtual_machine_scale_sets, {}), try(var.data_sources.virtual_machine_scale_sets, {})) + combined_objects_virtual_machines = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_machines }), try(var.remote_objects.virtual_machines, {}), try(var.data_sources.virtual_machines, {})) + combined_objects_virtual_subnets = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_subnets }), try(var.remote_objects.virtual_subnets, {})) + combined_objects_virtual_wans = merge(tomap({ (local.client_config.landingzone_key) = module.virtual_wans }), try(var.remote_objects.virtual_wans, {}), try(var.data_sources.virtual_wans, {})) + combined_objects_vmware_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_clusters }), try(var.remote_objects.vmware_clusters, {})) + combined_objects_vmware_express_route_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_express_route_authorizations }), try(var.remote_objects.vmware_express_route_authorizations, {})) + combined_objects_vmware_private_clouds = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_private_clouds }), 
try(var.remote_objects.vmware_private_clouds, {}), try(var.data_sources.vmware_private_clouds, {})) + combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {})) + combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {})) + combined_objects_web_pubsub_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsub_hubs }), try(var.remote_objects.web_pubsub_hubs, {})) + combined_objects_web_pubsubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsubs }), try(var.remote_objects.web_pubsubs, {})) + combined_objects_wvd_application_groups = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_application_groups }), try(var.remote_objects.wvd_application_groups, {})) + combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), try(var.remote_objects.wvd_applications, {})) + combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {})) + combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {})) combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) combined_objects_subscriptions = merge( From de01d28542db94ab3fccb581ad026fd0f36dc4e1 Mon Sep 17 00:00:00 2001 
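Review bot: `combined_objects_vpn_gateway_nat_rules` is deleted on the old side and has no counterpart on the new side, so `local.combined_objects_vpn_gateway_nat_rules` stops existing even though the commit message only announces removing the duplicate `combined_objects_route_tables` (26 insertions against 28 deletions confirms two entries disappear), and any reference to it elsewhere would fail at plan. The rewrite also moves `data_sources` out of the landing-zone-keyed map to the top-level `merge` for `storage_accounts`, `virtual_hubs` and `virtual_wans`, and drops `data_sources.virtual_subnets` altogether; consumers that presumably index these as `[lz_key][key]` would no longer find data-source objects unless `data_sources` is itself keyed by landing zone. Re-add `combined_objects_vpn_gateway_nat_rules = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_nat_rules }), try(var.remote_objects.vpn_gateway_nat_rules, {}))` and either keep the nested merge for the data-source cases or state the lookup-shape change in the commit message. The `locals` block continues outside the hunk.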
From: Najeeb Vayal Valappil Date: Thu, 7 Sep 2023 16:31:44 +0200 Subject: [PATCH 169/244] - support external resource with private endpoint --- .../external_resource/configuration.tfvars | 18 ++++++++++++++++++ .../private_endpoint/private_endpoint.tf | 5 +++-- .../endpoints/subnet/external_resources.tf | 17 +++++++++++++++++ 3 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 examples/networking/private_links/endpoints/external_resource/configuration.tfvars create mode 100644 modules/networking/private_links/endpoints/subnet/external_resources.tf diff --git a/examples/networking/private_links/endpoints/external_resource/configuration.tfvars b/examples/networking/private_links/endpoints/external_resource/configuration.tfvars new file mode 100644 index 0000000000..d92a9c2e75 --- /dev/null +++ b/examples/networking/private_links/endpoints/external_resource/configuration.tfvars @@ -0,0 +1,18 @@ +private_endpoints = { + ingress_test = { + #lz_key = "" + vnet_key = "vnet" + subnet_keys = ["private_endpoints"] + external_resources = { + ingress_link = { + name = "aks-ingress" + resource_group_key = "rg" + private_service_connection = { + name = "aks-ingress-psc" + is_manual_connection = false + resource_alias = "somerandomlink.westeurope.azure.privatelinkservice" + } + } + } + } +} \ No newline at end of file diff --git a/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf b/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf index be7cd68fcc..d34cb6b912 100644 --- a/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf +++ b/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf 
@@ -20,9 +20,10 @@ resource "azurerm_private_endpoint" "pep" { private_service_connection { name = format("%s-%s", var.settings.private_service_connection.name, replace(each.key, " ", "-")) - private_connection_resource_id = var.resource_id + private_connection_resource_id = each.key == "external_resources" ? null : var.resource_id + private_connection_resource_alias = each.key == "external_resources" ? var.settings.private_service_connection.resource_alias : null is_manual_connection = try(var.settings.private_service_connection.is_manual_connection, false) - subresource_names = [each.key] + subresource_names = each.key == "external_resources" ? [] : [each.key] request_message = try(var.settings.private_service_connection.request_message, null) } diff --git a/modules/networking/private_links/endpoints/subnet/external_resources.tf b/modules/networking/private_links/endpoints/subnet/external_resources.tf new file mode 100644 index 0000000000..093b9c8f19 --- /dev/null +++ b/modules/networking/private_links/endpoints/subnet/external_resources.tf @@ -0,0 +1,17 @@ +module "external_resources" { + source = "../private_endpoint" + for_each = { + for key, value in try(var.private_endpoints.external_resources, {}) : key => value + } + global_settings = var.global_settings + client_config = var.client_config + settings = each.value + resource_id = null + subresource_names = ["external_resources"] + subnet_id = var.subnet_id + private_dns = var.private_dns + name = try(each.value.name, each.key) + resource_group_name = can(each.value.resource_group_key) ? var.resource_groups[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.resource_group_key].name : var.vnet_resource_group_name + location = var.vnet_location # The private endpoint must be deployed in the same region as the virtual network. + base_tags = var.base_tags +} \ No newline at end of file From c36869bca1d484f75d845f12c1483ef21e230d8c Mon Sep 17 00:00:00 2001 
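Review bot: The literal `"external_resources"` is now the sentinel that switches `private_connection_resource_id`, `private_connection_resource_alias` and `subresource_names` between the two modes, and the same literal is what the new `external_resources.tf` passes as `subresource_names`, so the contract spans two files with no comment explaining it. A local such as `is_external = each.key == "external_resources"` with the comment `# "external_resources" is a reserved key: the endpoint targets a Private Link alias instead of a resource id` would keep the three conditions in step and document the coupling. `var.settings.private_service_connection.resource_alias` is read without `try`, which is the right strictness for the alias mode, but an alias-based connection typically needs approval by the service owner, and the example in this series was later switched to `is_manual_connection = true`, so consider defaulting `is_manual_connection` to `true` when the alias path is taken. The `azurerm_private_endpoint` resource continues outside the hunk.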
From: Najeeb Vayal Valappil
Date: Fri, 8 Sep 2023 12:48:40 +0200
Subject: [PATCH 170/244] change subresource to null value
---
 .../endpoints/private_endpoint/private_endpoint.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf b/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf
index d34cb6b912..26d2bb511d 100644
--- a/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf
+++ b/modules/networking/private_links/endpoints/private_endpoint/private_endpoint.tf
@@ -23,7 +23,7 @@ resource "azurerm_private_endpoint" "pep" {
 private_connection_resource_id = each.key == "external_resources" ? null : var.resource_id
 private_connection_resource_alias = each.key == "external_resources" ? var.settings.private_service_connection.resource_alias : null
 is_manual_connection = try(var.settings.private_service_connection.is_manual_connection, false)
- subresource_names = each.key == "external_resources" ? [] : [each.key]
+ subresource_names = each.key == "external_resources" ? null : [each.key]
 request_message = try(var.settings.private_service_connection.request_message, null)
 }
From a7aec86a67785208bca59d75947d9ca707b458b7 Mon Sep 17 00:00:00 2001
From: Najeeb Vayal Valappil
Date: Fri, 8 Sep 2023 13:46:40 +0200
Subject: [PATCH 171/244] example updated
---
 .../endpoints/external_resource/configuration.tfvars | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/networking/private_links/endpoints/external_resource/configuration.tfvars b/examples/networking/private_links/endpoints/external_resource/configuration.tfvars
index d92a9c2e75..36a2272fad 100644
--- a/examples/networking/private_links/endpoints/external_resource/configuration.tfvars
+++ b/examples/networking/private_links/endpoints/external_resource/configuration.tfvars
@@ -9,8 +9,9 @@ private_endpoints = { resource_group_key = "rg" private_service_connection = { name = "aks-ingress-psc" - is_manual_connection = false + is_manual_connection = true resource_alias = "somerandomlink.westeurope.azure.privatelinkservice" + request_message = "example" } } } From d093ecdfb2b5ec3459496040dc49a181c582fe1c Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Mon, 17 Jul 2023 13:43:29 +0200 Subject: [PATCH 172/244] fix: sshkey --- modules/compute/virtual_machine/vm_linux.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 82d0095d96..6703623b32 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -92,7 +92,7 @@ resource "azurerm_linux_virtual_machine" "vm" { # Create local ssh key dynamic "admin_ssh_key" { - for_each = lookup(each.value, "disable_password_authentication", true) == true && can(var.settings.public_key_pem_file) ? [1] : [] + for_each = lookup(each.value, "disable_password_authentication", true) == true && local.create_sshkeys ? [1] : [] content { username = each.value.admin_username From 6aa4cfb150f2a8a81c99893280cda92d377608ed Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 20 Jul 2023 15:17:18 +0200 Subject: [PATCH 173/244] - support ssh public key file --- modules/compute/virtual_machine/vm_linux.tf | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 6703623b32..60b99d97ca 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf 
@@ -96,7 +96,7 @@ resource "azurerm_linux_virtual_machine" "vm" { content { username = each.value.admin_username - public_key = local.create_sshkeys ? tls_private_key.ssh[each.key].public_key_openssh : file(var.settings.public_key_pem_file) + public_key = tls_private_key.ssh[each.key].public_key_openssh } } @@ -142,6 +142,16 @@ resource "azurerm_linux_virtual_machine" "vm" { } } + # by ssh public key + dynamic "admin_ssh_key" { + for_each = lookup(each.value, "disable_password_authentication", true) == true && can(var.settings.public_key_pem_file) == true ? [1] : [] + + content { + username = each.value.admin_username + public_key = file(var.settings.public_key_pem_file) + } + } + os_disk { caching = try(each.value.os_disk.caching, null) disk_size_gb = try(each.value.os_disk.disk_size_gb, null) From 2842020900e5252dc522ce79b59c8a48a32448fc Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 17 Aug 2023 14:25:51 +0200 Subject: [PATCH 174/244] - added missing private endpoint variable - fix monitor dimension bug - fix private endpoint resource group --- compute_aks_clusters.tf | 1 + modules/compute/aks/private_endpoint.tf | 4 ++-- modules/monitoring/monitor_metric_alert/module.tf | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/compute_aks_clusters.tf b/compute_aks_clusters.tf index aa989af4c9..c35bfd8e7b 100644 --- a/compute_aks_clusters.tf +++ b/compute_aks_clusters.tf @@ -14,6 +14,7 @@ module "aks_clusters" { managed_identities = local.combined_objects_managed_identities settings = each.value vnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) admin_group_object_ids = try(each.value.admin_groups.azuread_group_keys, null) == null ? null : try( each.value.admin_groups.ids, diff --git a/modules/compute/aks/private_endpoint.tf b/modules/compute/aks/private_endpoint.tf index c76a587b00..fd6992b627 100644 --- a/modules/compute/aks/private_endpoint.tf 
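Review bot: The two `admin_ssh_key` blocks are no longer mutually exclusive: when `local.create_sshkeys` is true and `public_key_pem_file` is also set, both dynamic blocks render for the same `admin_username`, and nothing in the hunk says whether that combination is intended; a comment on the new block such as `# Key read from a file; may coexist with the generated key above` would make the intent explicit. `file(var.settings.public_key_pem_file)` is read on the machine running plan, and `public_key` of `azurerm_linux_virtual_machine` expects an OpenSSH-format public key (`ssh-rsa AAAA...`), not PEM, so the variable name is misleading and a comment stating the expected format would save a failed apply. `local.create_sshkeys` and the enclosing resource are defined outside the hunk.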
+++ b/modules/compute/aks/private_endpoint.tf @@ -2,13 +2,13 @@ module "private_endpoint" { source = "../../networking/private_endpoint" for_each = var.private_endpoints - base_tags = local.tags + base_tags = var.global_settings.inherit_tags client_config = var.client_config global_settings = var.global_settings location = var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][try(each.value.vnet.key, each.value.vnet_key)].location name = each.value.name private_dns = var.private_dns - resource_group_name = var.resource_group_name + resource_group_name = local.resource_group_name resource_id = azurerm_kubernetes_cluster.aks.id settings = each.value subnet_id = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id diff --git a/modules/monitoring/monitor_metric_alert/module.tf b/modules/monitoring/monitor_metric_alert/module.tf index 15d9e1dc92..eb6d049e35 100644 --- a/modules/monitoring/monitor_metric_alert/module.tf +++ b/modules/monitoring/monitor_metric_alert/module.tf @@ -28,7 +28,7 @@ resource "azurerm_monitor_metric_alert" "mma" { operator = try(criteria.value.operator, null) threshold = try(criteria.value.threshold, null) dynamic "dimension" { - for_each = try(var.settings.dimension, null) != null ? [var.settings.dimension] : [] + for_each = try(criteria.value.dimension, {}) content { name = try(dimension.value.name, null) operator = try(dimension.value.operator, null) @@ -47,7 +47,7 @@ resource "azurerm_monitor_metric_alert" "mma" { operator = try(dynamic_criteria.value.operator, null) alert_sensitivity = try(dynamic_criteria.value.alert_sensitivity, null) dynamic "dimension" { - for_each = try(var.settings.dimension, null) != null ? [var.settings.dimension] : [] + for_each = try(criteria.value.dimension, {}) content { name = try(dimension.value.name, null) operator = try(dimension.value.operator, null) 
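Review bot: `base_tags` changes from `local.tags` (a tag map) to `var.global_settings.inherit_tags`, which in this hunk reads as a flag rather than a map, while the `external_resources.tf` module call added earlier in this series passes `base_tags = var.base_tags` straight through. If the `../../networking/private_endpoint` module declares `base_tags` as a map this fails type-checking, and if it declares it as a bool the old value was the bug; either way the variable's declared type should be confirmed and the intent stated, e.g. `base_tags = var.global_settings.inherit_tags # bool: inherit tags from the resource group`. `local.resource_group_name` is defined outside the hunk.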
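Review bot: `for_each = try(criteria.value.dimension, {})` changes the configuration shape: previously a single `dimension` object under `var.settings` produced one block for every criteria, now `dimension` must be a collection of objects nested under each criteria entry, so an existing tfvars with a top-level `dimension` silently loses its dimensions because the `try` yields `{}` instead of failing. That is a breaking change for callers that the commit message ("fix monitor dimension bug") does not signal; a comment on the `dynamic "dimension"` block such as `# dimension is a map of dimension objects nested under each criteria entry` plus a line in the commit message would make the migration visible. The `azurerm_monitor_metric_alert` resource continues outside the hunk.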
From 341847865b4dc2f3756e7728a5f27287839b8434 Mon Sep 17 00:00:00 2001
From: Najeeb Vayal Valappil
Date: Fri, 8 Sep 2023 17:15:09 +0200
Subject: [PATCH 175/244] - typo in monitor metric alert dynamic criteria
---
 modules/monitoring/monitor_metric_alert/module.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/monitoring/monitor_metric_alert/module.tf b/modules/monitoring/monitor_metric_alert/module.tf
index eb6d049e35..feb9d032c5 100644
--- a/modules/monitoring/monitor_metric_alert/module.tf
+++ b/modules/monitoring/monitor_metric_alert/module.tf
@@ -47,7 +47,7 @@ resource "azurerm_monitor_metric_alert" "mma" {
 operator = try(dynamic_criteria.value.operator, null)
 alert_sensitivity = try(dynamic_criteria.value.alert_sensitivity, null)
 dynamic "dimension" {
- for_each = try(criteria.value.dimension, {})
+ for_each = try(dynamic_criteria.value.dimension, {})
 content {
 name = try(dimension.value.name, null)
 operator = try(dimension.value.operator, null)
From e2470cf6acadca780f81631c21bb4b9630e64b68 Mon Sep 17 00:00:00 2001
From: Najeeb Vayal Valappil
Date: Tue, 21 Nov 2023 07:33:55 +0100
Subject: [PATCH 176/244] - feature: new module cost anomaly alert
---
 cost_anomaly_alert.tf | 5 +++++
 .../cost_anomaly_alert/configuration.tfvars | 8 ++++++++
 local.remote_objects.tf | 1 +
 locals.combined_objects.tf | 2 +-
 locals.tf | 1 +
 modules/cost_management/cost_anomaly_alert/module.tf | 7 +++++++
 modules/cost_management/cost_anomaly_alert/output.tf | 4 ++++
 modules/cost_management/cost_anomaly_alert/variables.tf | 3 +++
 variables.tf | 4 ++++
 9 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 cost_anomaly_alert.tf
 create mode 100644 examples/cost_management/cost_anomaly_alert/configuration.tfvars
 create mode 100644 modules/cost_management/cost_anomaly_alert/module.tf
 create mode 100644 modules/cost_management/cost_anomaly_alert/output.tf
 create mode 100644 modules/cost_management/cost_anomaly_alert/variables.tf
diff --git a/cost_anomaly_alert.tf b/cost_anomaly_alert.tf new file mode 100644 index 0000000000..3b03f8f405 --- /dev/null +++ b/cost_anomaly_alert.tf @@ -0,0 +1,5 @@ +module "cost_anomaly_alert" { + source = "./modules/cost_management/cost_anomaly_alert" + for_each = local.shared_services.cost_anomaly_alert + settings = each.value +} \ No newline at end of file diff --git a/examples/cost_management/cost_anomaly_alert/configuration.tfvars b/examples/cost_management/cost_anomaly_alert/configuration.tfvars new file mode 100644 index 0000000000..f9abb31155 --- /dev/null +++ b/examples/cost_management/cost_anomaly_alert/configuration.tfvars @@ -0,0 +1,8 @@ +cost_anomaly_alert = { + subscription_anomaly = { + name = "subscription-anomaly-alert" + display_name = "Subscription anomaly alert" + email_subject = "Subcsription usage anomaly detected" + email_addresses = ["arandom@example-domain.com"] + } +} \ No newline at end of file diff --git a/local.remote_objects.tf b/local.remote_objects.tf index 4c9760893f..93baae3db4 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf @@ -147,5 +147,6 @@ locals { wvd_host_pools = try(local.combined_objects_wvd_host_pools, null) wvd_workspaces = try(local.combined_objects_wvd_workspaces, null) subscriptions = try(local.combined_objects_subscriptions, null) + cost_anomaly_alert = try(local.combined_objects_cost_anomaly_alert, null) } } diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index deafbc4de2..14ed2176cf 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -186,7 +186,7 @@ locals { combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), try(var.remote_objects.wvd_applications, {})) combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {})) combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {})) - combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {})) + combined_objects_cost_anomaly_alert = merge(tomap({ (local.client_config.landingzone_key) = module.cost_anomaly_alert }), try(var.remote_objects.cost_anomaly_alert, {})) combined_objects_subscriptions = merge( tomap( diff --git a/locals.tf b/locals.tf index acff4178a8..8307bb3139 100644 --- a/locals.tf +++ b/locals.tf @@ -397,6 +397,7 @@ locals { packer_build = try(var.shared_services.packer_build, {}) recovery_vaults = try(var.shared_services.recovery_vaults, {}) shared_image_galleries = try(var.shared_services.shared_image_galleries, {}) + cost_anomaly_alert = try(var.shared_services.cost_anomaly_alert, {}) } storage = { diff --git a/modules/cost_management/cost_anomaly_alert/module.tf b/modules/cost_management/cost_anomaly_alert/module.tf new file mode 100644 index 0000000000..6b2f062deb --- /dev/null +++ b/modules/cost_management/cost_anomaly_alert/module.tf @@ -0,0 +1,7 @@ +resource "azurerm_cost_anomaly_alert" "cost_anomaly_alert" { + name = var.settings.name + display_name = var.settings.display_name + email_subject = var.settings.email_subject + email_addresses = var.settings.email_addresses + message = try(var.settings.message, null) +} \ No newline at end of file 
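Review bot: The new `combined_objects_cost_anomaly_alert` entry replaces the `combined_objects_route_tables` line instead of being added beside it (the diffstat shows 1 insertion, 1 deletion for this file), so `local.combined_objects_route_tables` is no longer defined anywhere after this commit, even though an earlier commit in this series had just deduplicated it down to this single line. Any reference to it, presumably including a `route_tables` entry in `local.remote_objects.tf`, will fail at plan. Keep the existing line and add the new one after it: `combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {}))`. The `locals` block continues outside the hunk.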
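Review bot: The module reads its configuration from `var.shared_services.cost_anomaly_alert` (via `local.shared_services.cost_anomaly_alert` in `cost_anomaly_alert.tf`), but the commit also adds a root `variable "cost_anomaly_alert"` in `variables.tf` and the example tfvars sets a top-level `cost_anomaly_alert = { ... }`; that value lands in the unused root variable, so applying the example creates no alert. Either nest the example under `shared_services = { cost_anomaly_alert = { ... } }` and drop the root variable, or wire the root variable in here: `cost_anomaly_alert = try(var.shared_services.cost_anomaly_alert, var.cost_anomaly_alert, {})`. While touching the example, `email_subject` has a typo (`Subcsription`). The `shared_services` local continues outside the hunk.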
diff --git a/modules/cost_management/cost_anomaly_alert/output.tf b/modules/cost_management/cost_anomaly_alert/output.tf new file mode 100644 index 0000000000..d2f6c3505c --- /dev/null +++ b/modules/cost_management/cost_anomaly_alert/output.tf @@ -0,0 +1,4 @@ +output "id" { + description = "The ID of the Cost Anomaly Alert." + value = azurerm_cost_anomaly_alert.cost_anomaly_alert.id +} \ No newline at end of file diff --git a/modules/cost_management/cost_anomaly_alert/variables.tf b/modules/cost_management/cost_anomaly_alert/variables.tf new file mode 100644 index 0000000000..140c060182 --- /dev/null +++ b/modules/cost_management/cost_anomaly_alert/variables.tf @@ -0,0 +1,3 @@ +variable "settings" { + description = "Configuration object for the cost anomaly alert" +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 4c4d69c4a1..5e07e2304f 100644 --- a/variables.tf +++ b/variables.tf @@ -450,3 +450,7 @@ variable "load_test" { default = {} } + +variable "cost_anomaly_alert" { + default = {} +} \ No newline at end of file From dafc4851b9d1e8d144dc643c4843f081eee751f1 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Thu, 10 Nov 2022 13:39:56 +0000 Subject: [PATCH 177/244] adding option to reference a group id in azuread_groups_membership adding option to use services_roles for scopes shared_image_galleries and virtual_machine_scale_sets adding combined objects --- locals.combined_objects.tf | 95 +++++++++++++++++++++++++++++++++++++- roles.tf | 1 + 2 files changed, 95 insertions(+), 1 deletion(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 14ed2176cf..6aeaae78f4 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -113,6 +113,99 @@ locals { combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), lookup(var.remote_objects, "logic_app_integration_account", {}), lookup(var.data_sources, "logic_app_integration_account", {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), lookup(var.remote_objects, "logic_app_standard", {})) combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), lookup(var.remote_objects, "logic_app_workflow", {}), lookup(var.data_sources, "logic_app_workflow", {})) + combined_objects_app_service_environments_v3 = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_environments_v3, try(var.data_sources.app_service_environments_v3, {})) }), try(var.remote_objects.app_service_environments_v3, {})) + combined_objects_app_service_plans = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_plans, try(var.data_sources.app_service_plans, {})) }), try(var.remote_objects.app_service_plans, {})) + combined_objects_app_services = merge(tomap({ (local.client_config.landingzone_key) = module.app_services }), try(var.remote_objects.app_services, {}), try(var.data_sources.app_services, {})) + combined_objects_application_gateway_platforms = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_platforms }), try(var.remote_objects.application_gateway_platforms, {})) + combined_objects_application_gateway_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_waf_policies }), try(var.remote_objects.application_gateway_waf_policies, {})) + combined_objects_application_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateways }), try(var.remote_objects.application_gateways, {}), 
try(var.data_sources.application_gateways, {})) + combined_objects_application_insights = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights }), try(var.remote_objects.azurerm_application_insights, {}), try(var.data_sources.azurerm_application_insights, {})) + combined_objects_application_insights_standard_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_standard_web_test }), try(var.remote_objects.azurerm_application_insights_standard_web_test, {})) + combined_objects_application_insights_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_web_test }), try(var.remote_objects.azurerm_application_insights_web_test, {})) + combined_objects_application_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.application_security_groups }), try(var.remote_objects.application_security_groups, {})) + combined_objects_automations = merge(tomap({ (local.client_config.landingzone_key) = module.automations }), try(var.remote_objects.automations, {})) + combined_objects_availability_sets = merge(tomap({ (local.client_config.landingzone_key) = module.availability_sets }), try(var.remote_objects.availability_sets, {})) + combined_objects_azure_container_registries = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {})) + combined_objects_azuread_administrative_units = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_administrative_unit }), try(var.remote_objects.administrative_units, {})) + combined_objects_azuread_applications = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications_v1 }), try(var.remote_objects.azuread_applications, {})) + combined_objects_azuread_apps = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications }), try(var.remote_objects.azuread_apps, 
{})) + combined_objects_azuread_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(module.azuread_groups, try(var.data_sources.azuread_groups, {})) }), try(var.remote_objects.azuread_groups, {})) + combined_objects_azuread_service_principal_passwords = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principal_passwords }), try(var.remote_objects.azuread_service_principal_passwords, {})) + combined_objects_azuread_service_principals = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principals }), try(var.remote_objects.azuread_service_principals, {}), try(var.data_sources.azuread_service_principals, {})) + combined_objects_azuread_users = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_users }), try(var.remote_objects.azuread_users, {}), try(var.data_sources.azuread_users, {})) + combined_objects_azurerm_firewall_policies = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewall_policies }), try(var.remote_objects.azurerm_firewall_policies, {}), try(var.data_sources.azurerm_firewall_policies, {})) + combined_objects_azurerm_firewalls = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewalls }), try(var.remote_objects.azurerm_firewalls, {}), try(var.data_sources.azurerm_firewalls, {})) + combined_objects_backup_vault_instances = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_instances }), try(var.remote_objects.backup_vault_instances, {})) + combined_objects_backup_vault_policies = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_policies }), try(var.remote_objects.backup_vault_policies, {})) + combined_objects_backup_vaults = merge(tomap({ (local.client_config.landingzone_key) = module.backup_vaults }), try(var.remote_objects.backup_vaults, {})) + combined_objects_batch_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.batch_accounts }), 
try(var.remote_objects.batch_accounts, {})) + combined_objects_batch_applications = merge(tomap({ (local.client_config.landingzone_key) = module.batch_applications }), try(var.remote_objects.batch_applications, {})) + combined_objects_batch_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.batch_certificates }), try(var.remote_objects.batch_certificates, {})) + combined_objects_batch_jobs = merge(tomap({ (local.client_config.landingzone_key) = module.batch_jobs }), try(var.remote_objects.batch_jobs, {})) + combined_objects_batch_pools = merge(tomap({ (local.client_config.landingzone_key) = module.batch_pools }), try(var.remote_objects.batch_pools, {})) + combined_objects_cdn_profile = merge(tomap({ (local.client_config.landingzone_key) = module.cdn_profile }), try(var.remote_objects.cdn_profile, {}), try(var.data_sources.cdn_profile, {})) + combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), try(var.remote_objects.cognitive_services_account, {}), try(var.data_sources.cognitive_services_account, {})) + combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), try(var.remote_objects.consumption_budgets_resource_groups, {}), try(var.data_sources.consumption_budgets_resource_groups, {})) + combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), try(var.remote_objects.consumption_budgets_subscriptions, {}), try(var.data_sources.consumption_budgets_subscriptions, {})) + combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {}), try(var.data_sources.container_registry, {})) + combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = 
module.cosmos_dbs }), try(var.remote_objects.cosmos_dbs, {}), try(var.data_sources.cosmos_dbs, {})) + combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), try(var.remote_objects.cosmosdb_sql_databases, {})) + combined_objects_custom_roles = merge(tomap({ (local.client_config.landingzone_key) = module.custom_roles }), try(var.remote_objects.custom_roles, {})) + combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory }), try(var.remote_objects.data_factory, {})) + combined_objects_data_factory_integration_runtime_azure_ssis = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_azure_ssis }), try(var.remote_objects.combined_objects_data_factory_integration_runtime_azure_ssis, {})) + combined_objects_data_factory_integration_runtime_self_hosted = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_self_hosted }), try(var.remote_objects.data_factory_integration_runtime_self_hosted, {})) + combined_objects_data_factory_linked_service_azure_blob_storage = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_azure_blob_storage }), try(var.remote_objects.data_factory_linked_service_azure_blob_storage, {})) + combined_objects_data_factory_linked_service_cosmosdb = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_cosmosdb }), try(var.remote_objects.data_factory_linked_service_cosmosdb, {})) + combined_objects_data_factory_linked_service_mysql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_mysql }), try(var.remote_objects.data_factory_linked_service_mysql, {})) + combined_objects_data_factory_linked_service_postgresql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_postgresql }), 
try(var.remote_objects.data_factory_linked_service_postgresql, {})) + combined_objects_data_factory_linked_service_sql_server = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_sql_server }), try(var.remote_objects.data_factory_linked_service_sql_server, {})) + combined_objects_data_factory_linked_service_web = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_web }), try(var.remote_objects.data_factory_linked_service_web, {})) + combined_objects_data_factory_pipeline = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_pipeline }), try(var.remote_objects.data_factory_pipeline, {})) + combined_objects_database_migration_services = merge(tomap({ (local.client_config.landingzone_key) = module.database_migration_services }), try(var.remote_objects.database_migration_services, {})) + combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), try(var.remote_objects.databricks_workspaces, {}), try(var.data_sources.databricks_workspaces, {})) + combined_objects_ddos_services = merge(tomap({ (local.client_config.landingzone_key) = azurerm_network_ddos_protection_plan.ddos_protection_plan }), try(var.remote_objects.ddos_services, {}), try(var.remote_objects.ddos_services, {})) + combined_objects_dedicated_host_groups = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_host_groups }), try(var.remote_objects.dedicated_host_groups, {}), try(var.data_sources.dedicated_host_groups, {})) + combined_objects_dedicated_hosts = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_hosts }), try(var.remote_objects.dedicated_hosts, {}), try(var.data_sources.dedicated_hosts, {})) + combined_objects_diagnostic_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.diagnostic_storage_accounts }), try(var.remote_objects.diagnostic_storage_accounts, {})) + 
combined_objects_digital_twins_instances = merge(tomap({ (local.client_config.landingzone_key) = module.digital_twins_instances }), try(var.remote_objects.digital_twins_instances, {})) + combined_objects_disk_encryption_sets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.disk_encryption_sets, module.disk_encryption_sets_external) }), try(var.remote_objects.disk_encryption_sets, {}), try(var.remote_objects.disk_encryption_sets_external, {}), try(var.data_sources.disk_encryption_sets, {})) + combined_objects_dns_zones = merge(tomap({ (local.client_config.landingzone_key) = module.dns_zones }), try(var.remote_objects.dns_zones, {}), try(var.data_sources.dns_zones, {})) + combined_objects_domain_name_registrations = merge(tomap({ (local.client_config.landingzone_key) = module.domain_name_registrations }), try(var.remote_objects.domain_name_registrations, {})) + combined_objects_event_hub_auth_rules = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_auth_rules }), try(var.remote_objects.event_hub_auth_rules, {})) + combined_objects_event_hub_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_namespaces }), try(var.remote_objects.event_hub_namespaces, {}), try(var.data_sources.event_hub_namespaces, {})) + combined_objects_event_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.event_hubs }), try(var.remote_objects.event_hubs, {})) + combined_objects_eventgrid_domains = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_domain }), try(var.remote_objects.eventgrid_domain, {})) + combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_topic }), try(var.remote_objects.eventgrid_topic, {})) + combined_objects_express_route_circuit_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_authorizations }), try(var.remote_objects.express_route_circuit_authorizations, {})) 
+ combined_objects_express_route_circuit_peerings = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_peerings }), try(var.remote_objects.express_route_circuit_peerings, {})) + combined_objects_express_route_circuits = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuits }), try(var.remote_objects.express_route_circuits, {}), try(var.data_sources.express_route_circuits, {})) + combined_objects_front_door = merge(tomap({ (local.client_config.landingzone_key) = module.front_doors }), try(var.remote_objects.front_doors, {})) + combined_objects_front_door_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), try(var.remote_objects.front_door_waf_policies, {})) + combined_objects_function_apps = merge(tomap({ (local.client_config.landingzone_key) = module.function_apps }), try(var.remote_objects.function_apps, {})) + combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), try(var.remote_objects.image_definitions, {})) + combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), try(var.remote_objects.integration_service_environment, {})) + combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), try(var.remote_objects.iot_central_application, {})) + combined_objects_iot_dps_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_certificate }), try(var.remote_objects.iot_dps_certificate, {})) + combined_objects_iot_dps_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_shared_access_policy }), try(var.remote_objects.iot_dps_shared_access_policy, {})) + combined_objects_iot_hub = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub }), 
try(var.remote_objects.iot_hub, {})) + combined_objects_iot_hub_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_certificate }), try(var.remote_objects.iot_hub_certificate, {})) + combined_objects_iot_hub_consumer_groups = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_consumer_groups }), try(var.remote_objects.iot_hub_consumer_groups, {})) + combined_objects_iot_hub_dps = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_dps }), try(var.remote_objects.iot_hub_dps, {})) + combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), try(var.remote_objects.iot_hub_shared_access_policy, {})) + combined_objects_iot_security_device_group = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_device_group }), try(var.remote_objects.iot_security_device_group, {})) + combined_objects_iot_security_solution = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_solution }), try(var.remote_objects.iot_security_solution, {})) + combined_objects_keyvault_certificate_requests = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificate_requests }), try(var.remote_objects.keyvault_certificate_requests, {})) + combined_objects_keyvault_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificates }), try(var.remote_objects.keyvault_certificates, {}), try(var.data_sources.keyvault_certificates, {})) + combined_objects_keyvault_keys = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvault_keys, try(var.data_sources.keyvault_keys, {})) }), try(var.remote_objects.keyvault_keys, {}), try(var.data_sources.keyvault_keys, {})) + combined_objects_keyvaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvaults, try(var.data_sources.keyvaults, {})) }), try(var.remote_objects.keyvaults, {})) + 
combined_objects_kusto_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_clusters }), try(var.remote_objects.kusto_clusters, {}), try(var.data_sources.kusto_clusters, {})) + combined_objects_kusto_databases = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_databases }), try(var.remote_objects.kusto_databases, {})) + combined_objects_lb = merge(tomap({ (local.client_config.landingzone_key) = module.lb }), try(var.remote_objects.lb, {}), try(var.data_sources.load_balancers, {})) + combined_objects_lb_backend_address_pool = merge(tomap({ (local.client_config.landingzone_key) = module.lb_backend_address_pool }), try(var.remote_objects.lb_backend_address_pool, {})) + combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) + combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {}), try(var.data_sources.load_balancers, {})) + combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {}), try(var.data_sources.log_analytics, {})) + combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {}), try(var.data_sources.logic_app_integration_account, {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {})) combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), 
try(var.remote_objects.managed_identities, {})) @@ -158,7 +251,7 @@ locals { combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), lookup(var.remote_objects, "maintenance_configuration", {})) combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), lookup(var.remote_objects, "maintenance_assignment_virtual_machine", {})) combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), lookup(var.remote_objects, "maps_accounts", {})) - combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), lookup(var.remote_objects, "storage_account_file_shares", {})) + combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), try(var.remote_objects.storage_account_file_shares, {})) combined_objects_shared_image_galleries = merge(tomap({ (local.client_config.landingzone_key) = module.shared_image_galleries }), try(var.remote_objects.shared_image_galleries, {})) combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues }), try(var.remote_objects.storage_account_queues, {})) combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.storage_accounts }), try(var.remote_objects.storage_accounts, {}), try(var.data_sources.storage_accounts, {})) diff --git a/roles.tf b/roles.tf index 72b13f4eae..3f754df33e 100644 --- a/roles.tf +++ b/roles.tf 
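Review bot: The hunk redefines `combined_objects_logic_app_integration_account` — it is present in the context lines at the top of the hunk and is added again as the last `+` line — and Terraform rejects a duplicate local definition, so this will not plan as written. Several merges also look mis-keyed in a way the `try()` wrapper hides: `combined_objects_data_factory_integration_runtime_azure_ssis` reads `var.remote_objects.combined_objects_data_factory_integration_runtime_azure_ssis` (the `combined_objects_` prefix should not be part of the key), and `combined_objects_ddos_services` merges `var.remote_objects.ddos_services` twice where the second argument presumably was meant to be `var.data_sources.ddos_services`. Because `try(..., {})` turns a wrong key into an empty map, a cross-landing-zone reference for these resources silently resolves to nothing instead of failing, which is the wrong failure mode for objects that feed role assignments and, judging by its name, `combined_objects_azuread_service_principal_passwords`. Suggest dropping the duplicate and correcting the keys, e.g. `try(var.remote_objects.data_factory_integration_runtime_azure_ssis, {})` and `try(var.data_sources.ddos_services, {})`.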
@@ -172,6 +172,7 @@ locals {
 storage_accounts = local.combined_objects_storage_accounts
 subscriptions = local.combined_objects_subscriptions
 synapse_workspaces = local.combined_objects_synapse_workspaces
+ virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
 virtual_subnets = local.combined_objects_virtual_subnets
 virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
 log_analytics = local.current_objects_log_analytics
From 2da2e1a2e7aca089f15d5e0b097d2ec16b5e5b2a Mon Sep 17 00:00:00 2001
From: Adam Cain
Date: Mon, 17 Oct 2022 18:03:02 +0100
Subject: [PATCH 178/244] Add Logic App Standard with vnet integration
---
 locals.combined_objects.tf | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
index 6aeaae78f4..54b63fd90e 100644
--- a/locals.combined_objects.tf
+++ b/locals.combined_objects.tf
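Review bot: The added `virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets` duplicates the key that is already present two lines below in the same object (after `virtual_subnets`), and Terraform reports an attribute-redefinition error for duplicate keys in an object constructor, so `roles.tf` will not parse. Drop the added line, or remove the existing one if the intent was only to reorder. The `services_roles` local this object belongs to starts and ends outside the hunk.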
@@ -206,17 +206,18 @@ locals { combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {}), try(var.data_sources.load_balancers, {})) combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {}), try(var.data_sources.log_analytics, {})) combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {}), try(var.data_sources.logic_app_integration_account, {})) + combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), try(var.remote_objects.logic_app_workflow, {}), try(var.data_sources.logic_app_workflow, {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) - combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {})) - combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {})) - combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {})) - combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {})) - combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_elastic_pools }), try(var.remote_objects.mssql_elastic_pools, {})) - combined_objects_mssql_managed_databases = 
merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_databases }), try(var.remote_objects.mssql_managed_databases, {})) - combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances }), try(var.remote_objects.mssql_managed_instances, {})) - combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) - combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) - combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) + combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {}), try(var.data_sources.machine_learning_workspaces, {})) + combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {}), try(var.data_sources.managed_identities, {})) + combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), try(var.remote_objects.maps_accounts, {})) + combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {}), try(var.data_sources.monitor_action_groups, {})) + combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {}), try(var.data_sources.mssql_databases, {})) + combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = 
merge(module.mssql_elastic_pools, try(var.data_sources.mssql_elastic_pools, {})) }), try(var.remote_objects.mssql_elastic_pools, {})) + combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_databases, module.mssql_managed_databases_v1) }), try(var.remote_objects.mssql_managed_databases, {}), try(var.data_sources.mssql_managed_databases, {})) + combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, try(var.data_sources.mssql_managed_instances, {})) }), try(var.remote_objects.mssql_managed_instances, {}), try(var.data_sources.mssql_managed_instances, {})) + combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, try(var.data_sources.mssql_managed_instances_secondary, {})) }), try(var.remote_objects.mssql_managed_instances_secondary, {}), try(var.remote_objects.mssql_managed_instances_secondary, {})) + combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, try(var.data_sources.mssql_servers, {})) }), try(var.remote_objects.mssql_servers, {})) combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), try(var.remote_objects.mysql_flexible_server, {})) combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), try(var.remote_objects.nat_gateways, {})) From 25d5fd8e82012d1e024ebf7be5c754d2a2885891 Mon Sep 17 00:00:00 2001 
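Review bot: `combined_objects_mssql_managed_instances_secondary` merges `try(var.remote_objects.mssql_managed_instances_secondary, {})` twice; the second argument presumably should be `try(var.data_sources.mssql_managed_instances_secondary, {})`, as the sibling `mssql_managed_instances` line does, otherwise instances imported via data sources are never reachable through the combined object and the `try()` masks the mistake. The hunk also adds `combined_objects_logic_app_workflow`, which an earlier patch in this series shows already defined near the top of the same `locals` block; if that definition is still present, this is a duplicate local that Terraform rejects. The `locals` block starts and ends outside the hunk.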
From: Janik Muenk Date: Wed, 16 Nov 2022 10:43:37 +0000 Subject: [PATCH 179/244] removing virtual_machine_scale_sets from roles.tf - it is causing cyclic dependencies --- roles.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles.tf b/roles.tf index 3f754df33e..17590a49f9 100644 --- a/roles.tf +++ b/roles.tf @@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null + role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } 
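Review bot: The new `role_definition_id` expression is the safer form and deserves a comment saying why, so it is not reverted to the `try()` form later: the removed expression returned `module.custom_roles[name]` whenever that lookup succeeded, so a custom role of the same name in the current landing zone was bound even when `role_lz_key` pointed at another landing zone, silently assigning a different role definition than the one configured. Suggest adding above the line `# Resolve the custom role from the landing zone named by role_lz_key (or the current one); an unresolved key must fail the plan rather than fall back to a same-named local definition.` The `azurerm_role_assignment` resource block continues outside the hunk.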
@@ -172,7 +172,6 @@ locals {
 storage_accounts = local.combined_objects_storage_accounts
 subscriptions = local.combined_objects_subscriptions
 synapse_workspaces = local.combined_objects_synapse_workspaces
- virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
 virtual_subnets = local.combined_objects_virtual_subnets
 virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
 log_analytics = local.current_objects_log_analytics
From 9a5e2810bee29a21a2ef920d072dd20fde20a3f6 Mon Sep 17 00:00:00 2001
From: Janik Muenk
Date: Fri, 25 Nov 2022 15:42:03 +0000
Subject: [PATCH 180/244] this works for me right now
---
 roles.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles.tf b/roles.tf
index 17590a49f9..72b13f4eae 100644
--- a/roles.tf
+++ b/roles.tf
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" {
 }
 principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id
- role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null
+ role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null
 role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
 scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
 }
From 0055bfe5aff600f85c2007104034a6e2fad0649f Mon Sep 17 00:00:00 2001
From: Yves Vogl
Date: Mon, 18 Jul 2022 11:17:12 +0200
Subject: [PATCH 181/244] Nailing the components which lead to cycle error
---
 roles.tf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/roles.tf b/roles.tf
index 72b13f4eae..8121576923 100644
--- a/roles.tf
+++ b/roles.tf
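Review bot: Reverting `role_definition_id` to `try(module.custom_roles[...], local.combined_objects_custom_roles[each.value.role_lz_key][...])` brings back a silent precedence problem: `try()` returns the first expression that evaluates without error, so a custom role with the same name in the current landing zone is bound even when `role_lz_key` names another landing zone, and the assignment ends up with a different role definition than the configuration asked for. When `role_lz_key` is null and the local lookup fails, the fallback indexes `combined_objects_custom_roles[null]` and fails with an unhelpful error instead. The removed line, `local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id`, handles both cases explicitly; if it caused a dependency cycle, the cycle should be fixed at its source rather than by restoring the `try()`. The resource block continues outside the hunk.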
@@ -173,9 +173,6 @@ locals { subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces virtual_subnets = local.combined_objects_virtual_subnets - virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets - log_analytics = local.current_objects_log_analytics - route_tables = local.combined_objects_route_tables wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications wvd_host_pools = local.combined_objects_wvd_host_pools From f3577b7d9ecfb7ce0b11e158d6891da213e20eae Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 12:45:09 +0200 Subject: [PATCH 182/244] Removed direct dependency for role assignment to fix cycle error --- virtual_machines_scale_sets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index 83fbc1434c..0852aa5cea 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf @@ -8,7 +8,7 @@ module "virtual_machine_scale_sets" { module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, - #module.load_balancers, + module.load_balancers, module.application_gateways, module.application_security_groups, module.packer_service_principal, From 5bd2edb28b6e927e7ad2d7b2af15fc0cbf214887 Mon Sep 17 00:00:00 2001 From: Bastian Karstaedt <2082580+bkarstaedt@users.noreply.github.com> Date: Wed, 24 Aug 2022 11:54:40 +0000 Subject: [PATCH 183/244] fix(compute/virtual_machine): attach subnet to vnet via landingzone key --- modules/compute/virtual_machine/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/compute/virtual_machine/variables.tf b/modules/compute/virtual_machine/variables.tf index d07ac470ae..a3a4e95587 100644 --- a/modules/compute/virtual_machine/variables.tf +++ b/modules/compute/virtual_machine/variables.tf 
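Review bot: In the `virtual_machines_scale_sets.tf` hunk the line `module.load_balancers,` is un-commented inside `depends_on`, which adds an explicit dependency, while the commit message says a direct dependency was removed to fix a cycle error; one of the two is wrong, and if the cycle ran through load balancers this restores the edge that caused it. If keeping the edge is intentional, a one-line comment above it saying why the earlier comment-out was reverted would stop the next reader from toggling it back. The `module "virtual_machine_scale_sets"` block starts and ends outside the hunk.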
@@ -27,6 +27,7 @@ variable "settings" {} variable "vnets" {} +variable "virtual_subnets" {} # Security variable "public_key_pem_file" { From d7c9ef823d4900c0fd6f4b67ac1b9eabfe229641 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Tue, 13 Sep 2022 21:48:05 +0200 Subject: [PATCH 184/244] Adoptiong use case "locallly created subnet in externally created vnet" --- .../app_gateway/101-private-public/application_gateways.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index c316602800..a3d2b6b036 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars @@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } From 76df1b9b6f5f9f58e1540076a8d50103ba5107bd Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Wed, 14 Sep 2022 14:34:27 +0200 Subject: [PATCH 185/244] Fix for adopting use case "locallly created subnet in externally created vnet" --- .../app_gateway/101-private-public/application_gateways.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index a3d2b6b036..c316602800 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars 
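Review bot: `variable "virtual_subnets" {}` has no default, so it becomes a required input of `modules/compute/virtual_machine` and every existing caller that does not pass it fails validation; unless the root module is updated in the same change (not visible here), declare it as `variable "virtual_subnets" { default = {} }`, which presumably matches how the new lookups `try()` it. A one-line `description` stating the expected shape (landing-zone key, then subnet key, then an object with `id`) would also help, since the neighbouring `vnets` variable is equally undocumented.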
+++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars @@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } From 34b060a7f439c710ea7aba3e194af67b47512faf Mon Sep 17 00:00:00 2001 From: najeebvv Date: Mon, 13 Feb 2023 18:05:14 +0100 Subject: [PATCH 186/244] - acr premium sku features --- .../200-acr-vnet/configuration.tfvars | 12 +++ .../300-acr-premium/configuration.tfvars | 83 +++++++++++++++++++ .../compute/container_registry/registry.tf | 15 ++++ .../compute/container_registry/variables.tf | 32 +++++++ 4 files changed, 142 insertions(+) create mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 98d29c455e..5a5f1d126b 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars @@ -27,18 +27,30 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" + zone_redundancy_enabled = false + quarantine_policy_enabled = true + trust_policy = { + enabled = true + } + retention_policy = { + enabled = true + days = 7 + } + georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } + regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } + regional_endpoint_enabled = false } } network_rule_set = { 
diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars new file mode 100644 index 0000000000..b02e7f1486 --- /dev/null +++ b/examples/compute/container_registry/300-acr-premium/configuration.tfvars @@ -0,0 +1,83 @@ +global_settings = { + default_region = "region1" + environment = "test" + regions = { + region1 = "australiaeast" + region2 = "australiacentral" + region3 = "westeurope" + } +} + + +resource_groups = { + # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" + acr_region1 = { + name = "acr" + } + vnet_region1 = { + name = "acr-vnet" + } +} + +azure_container_registries = { + acr1 = { + name = "acr-test" + resource_group_key = "acr_region1" + sku = "Premium" + + public_network_access_enabled = "false" #Only able to control when sku = "premium" + + georeplications = { + region2 = { + tags = { + region = "australiacentral" + type = "acr_replica" + } + } + region3 = { + tags = { + region = "westeurope" + type = "acr_replica" + } + } + } + network_rule_set = { + rule1 = { + default_action = "Allow" + # ip_rules = { + # rule1 = { + # ip_range = [""] + # } + # } + virtual_networks = { + acr1_jumphost = { + vnet_key = "hub_rg1" + subnet_key = "jumphost" + } + } + } + } + + } +} + + +vnets = { + hub_rg1 = { + resource_group_key = "vnet_region1" + vnet = { + name = "hub" + address_space = ["100.64.100.0/22"] + } + specialsubnets = {} + subnets = { + jumphost = { + name = "jumphost" + cidr = ["100.64.103.0/27"] + service_endpoints = ["Microsoft.ContainerRegistry"] + } + } + } + +} + diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index ca0d8757af..84fa43a94c 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
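Review bot: In `network_rule_set.rule1` of the new example, `default_action = "Allow"` makes the `virtual_networks` entry a no-op restriction: the default already admits every source, so the jumphost subnet rule limits nothing. It is also unclear which posture the example demonstrates, since `public_network_access_enabled = "false"` closes the public endpoint entirely, and network rules only matter when public access stays enabled in "selected networks" mode. For an example people will copy, pick one: either drop the rule set and keep public access disabled, or keep public access enabled and write `default_action = "Deny"` so only the listed subnet (and any `ip_rules`) can reach the registry; writing the flag as the bool `false` rather than the string `"false"` would match the rest of the file.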
@@ -18,6 +18,20 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled + quarantine_policy_enabled = var.quarantine_policy_enabled + zone_redundancy_enabled = var.zone_redundancy_enabled + export_policy_enabled = var.export_policy_enabled + + trust_policy { + enabled = lookup(var.trust_policy, "enabled", false) + } + + retention_policy { + enabled = lookup(var.retention_policy, "enabled", false) + days = lookup(var.retention_policy, "days", 7) + } + + dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -48,6 +62,7 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] + regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index 03831e82b3..f85c18ee48 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -83,3 +83,35 @@ variable "location" { default = null description = "location of the resource if different from the resource group." } +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} + +variable "quarantine_policy_enabled" { + type = bool + default = false +} + +variable "regional_endpoint_enabled" { + type = bool + default = false +} + +variable "retention_policy" { + default = {} +} + +variable "trust_policy" { + default = {} +} + +variable "zone_redundancy_enabled" { + type = bool + default = false +} + +variable "export_policy_enabled" { + type = bool + default = true +} \ No newline at end of file From ce58aa46cca0c2d51dfc87d5e15c0e5a1023241a Mon Sep 17 00:00:00 2001 
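Review bot: The new `trust_policy` and `retention_policy` blocks and `quarantine_policy_enabled` are emitted unconditionally, but these are Premium-SKU features (the example above gates `public_network_access_enabled` on `sku = "premium"` for the same reason); if the provider rejects them on Basic/Standard registries, every existing non-Premium caller of this module breaks on upgrade. Wrapping them in `dynamic "trust_policy" { for_each = var.sku == "Premium" ? [1] : [] … }` (or whichever variable carries the SKU), and the same for `retention_policy`, keeps the old behaviour for other SKUs. In the `variables.tf` hunk, `regional_endpoint_enabled` is declared as a module variable but `registry.tf` reads it from `georeplications.value.regional_endpoint_enabled`, so the variable is dead, and `retention_policy`/`trust_policy` have `default = {}` with no `description` or type, unlike `location` just above them. The `azurerm_container_registry` resource block starts and ends outside the first hunk.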
From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 11:57:29 +0100 Subject: [PATCH 187/244] -reverting changes on 200-acr-vnet --- .../200-acr-vnet/configuration.tfvars | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars index 5a5f1d126b..98d29c455e 100644 --- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars +++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars @@ -27,30 +27,18 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" - zone_redundancy_enabled = false - quarantine_policy_enabled = true - trust_policy = { - enabled = true - } - retention_policy = { - enabled = true - days = 7 - } - georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } - regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } - regional_endpoint_enabled = false } } network_rule_set = { From d3dadd715ff4263cc20508a356dcf0ff61edbc99 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 12:08:32 +0100 Subject: [PATCH 188/244] - variable region endpoint is not required until version 3.0.0 --- modules/compute/container_registry/variables.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index f85c18ee48..022f4ad70f 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -93,11 +93,6 @@ variable "quarantine_policy_enabled" { default = false } -variable "regional_endpoint_enabled" { - type = bool - default = false -} - variable "retention_policy" { default = {} } From b71fad77417395c959110cc05fecb1d95af8a8a9 Mon Sep 17 00:00:00 2001 
From: Najeeb Vayal Valappil Date: Thu, 16 Mar 2023 18:40:48 +0100 Subject: [PATCH 189/244] - custom_data improvements - additional private endpoints for aks - role assignment for route tables --- modules/compute/virtual_machine/vm_linux.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index 60b99d97ca..f9a317adf6 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -92,7 +92,7 @@ resource "azurerm_linux_virtual_machine" "vm" { # Create local ssh key dynamic "admin_ssh_key" { - for_each = lookup(each.value, "disable_password_authentication", true) == true && local.create_sshkeys ? [1] : [] + for_each = lookup(each.value, "disable_password_authentication", true) == true && can(var.settings.public_key_pem_file) ? [1] : [] content { username = each.value.admin_username From 4646c137896e852cb87c1beb8f089aa1ed42d301 Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Fri, 17 Mar 2023 10:22:24 +0100 Subject: [PATCH 190/244] Revert "Feat/acr enhancements" --- .../300-acr-premium/configuration.tfvars | 83 ------------------- .../compute/container_registry/registry.tf | 15 ---- 2 files changed, 98 deletions(-) delete mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars deleted file mode 100644 index b02e7f1486..0000000000 --- a/examples/compute/container_registry/300-acr-premium/configuration.tfvars +++ /dev/null 
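Review bot: The new condition reads `can(var.settings.public_key_pem_file)`, but this module declares `public_key_pem_file` as its own input (`variable "public_key_pem_file"` in `modules/compute/virtual_machine/variables.tf`, visible in patch 183 above), so a caller that passes the PEM path through the module variable rather than inside `settings` no longer gets an `admin_ssh_key` block; with the default `disable_password_authentication = true` that leaves the VM with neither a key nor a password and the plan fails, or, if a password path exists elsewhere, it silently falls back to it. If the intent is to stop generating keys when a PEM file is supplied, the condition should cover both sources, e.g. `can(var.settings.public_key_pem_file) || var.public_key_pem_file != null` (assuming its default is null), and the dropped `local.create_sshkeys` case — defined outside this hunk — should be kept unless it is removed deliberately. The commit message lists custom_data, AKS private-endpoint and route-table role changes that are not in this diff. The `dynamic "admin_ssh_key"` block continues outside the hunk.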
@@ -1,83 +0,0 @@ -global_settings = { - default_region = "region1" - environment = "test" - regions = { - region1 = "australiaeast" - region2 = "australiacentral" - region3 = "westeurope" - } -} - - -resource_groups = { - # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" - acr_region1 = { - name = "acr" - } - vnet_region1 = { - name = "acr-vnet" - } -} - -azure_container_registries = { - acr1 = { - name = "acr-test" - resource_group_key = "acr_region1" - sku = "Premium" - - public_network_access_enabled = "false" #Only able to control when sku = "premium" - - georeplications = { - region2 = { - tags = { - region = "australiacentral" - type = "acr_replica" - } - } - region3 = { - tags = { - region = "westeurope" - type = "acr_replica" - } - } - } - network_rule_set = { - rule1 = { - default_action = "Allow" - # ip_rules = { - # rule1 = { - # ip_range = [""] - # } - # } - virtual_networks = { - acr1_jumphost = { - vnet_key = "hub_rg1" - subnet_key = "jumphost" - } - } - } - } - - } -} - - -vnets = { - hub_rg1 = { - resource_group_key = "vnet_region1" - vnet = { - name = "hub" - address_space = ["100.64.100.0/22"] - } - specialsubnets = {} - subnets = { - jumphost = { - name = "jumphost" - cidr = ["100.64.103.0/27"] - service_endpoints = ["Microsoft.ContainerRegistry"] - } - } - } - -} - diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index 84fa43a94c..ca0d8757af 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
@@ -18,20 +18,6 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled - quarantine_policy_enabled = var.quarantine_policy_enabled - zone_redundancy_enabled = var.zone_redundancy_enabled - export_policy_enabled = var.export_policy_enabled - - trust_policy { - enabled = lookup(var.trust_policy, "enabled", false) - } - - retention_policy { - enabled = lookup(var.retention_policy, "enabled", false) - days = lookup(var.retention_policy, "days", 7) - } - - dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -62,7 +48,6 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] - regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } From aadce231297de6cf2823e634ecd3e9be5709904b Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Fri, 9 Jun 2023 10:08:24 +0000 Subject: [PATCH 191/244] feat:#1652 adding network_connection_monitor module --- locals.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/locals.tf b/locals.tf index 8307bb3139..4946402696 100644 --- a/locals.tf +++ b/locals.tf @@ -7,10 +7,6 @@ resource "random_string" "prefix" { } locals { - aadb2c = { - aadb2c_directory = try(var.aadb2c.aadb2c_directory, {}) - } - azuread = { azuread_administrative_unit_members = try(var.azuread.azuread_administrative_unit_members, {}) azuread_administrative_units = try(var.azuread.azuread_administrative_units, {}) From bd0ae8851a7c5cccf5fbad88ad0b856241d98b0c Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Thu, 10 Nov 2022 13:39:56 +0000 Subject: [PATCH 192/244] adding option to reference a group id in azuread_groups_membership adding option to use services_roles for scopes shared_image_galleries and virtual_machine_scale_sets adding combined objects --- roles.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/roles.tf b/roles.tf index 8121576923..d258e6166f 100644 --- a/roles.tf +++ b/roles.tf @@ -173,12 +173,11 @@ locals { subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces virtual_subnets = local.combined_objects_virtual_subnets + virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications wvd_host_pools = local.combined_objects_wvd_host_pools wvd_workspaces = local.combined_objects_wvd_workspaces - virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets - log_analytics = local.current_objects_log_analytics } current_objects_log_analytics = tomap( From b747a1915e415850a49c2188570531f62dcb96e0 Mon Sep 17 00:00:00 2001 From: Nick Metz Date: Fri, 4 Nov 2022 11:41:56 +0100 Subject: [PATCH 193/244] Add vm-linux_diagnostic_extensions #1423 --- modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf index 9b00b3bf15..1983db4ac2 100644 --- a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf +++ b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf @@ -59,7 +59,5 @@ data "azurerm_storage_account_sas" "token" { create = true update = true process = true - filter = true - tag = true } } From 9725075de1f0f3d5c4172b713547b7056963dfe6 Mon Sep 17 00:00:00 2001 
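Review bot: Besides moving `virtual_machine_scale_sets`, this hunk drops `log_analytics = local.current_objects_log_analytics` from the map, while the context line right after it (`current_objects_log_analytics = tomap(`) shows the local it fed is still defined. Any role-assignment entry with `scope_resource_key = "log_analytics"`, resolved through `local.services_roles[each.value.scope_resource_key]` in the earlier `roles.tf` hunk, now fails with an invalid index instead of scoping to the workspace, and `current_objects_log_analytics` becomes dead. Either keep the line — `log_analytics = local.current_objects_log_analytics` — or remove the now-unused local too and say so in the commit message, which only mentions additions. The `locals` block starts and ends outside the hunk.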
From: Adam Cain Date: Mon, 17 Oct 2022 18:03:02 +0100 Subject: [PATCH 194/244] Add Logic App Standard with vnet integration --- locals.combined_objects.tf | 29 +++++++++--------- modules/logic_app/standard/main.tf | 30 +++++++++++++++---- modules/logic_app/standard/module.tf | 15 +++++----- .../logic_app/standard/private_endpoint.tf | 2 -- 4 files changed, 46 insertions(+), 30 deletions(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 54b63fd90e..388975636f 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -202,22 +202,21 @@ locals { combined_objects_kusto_databases = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_databases }), try(var.remote_objects.kusto_databases, {})) combined_objects_lb = merge(tomap({ (local.client_config.landingzone_key) = module.lb }), try(var.remote_objects.lb, {}), try(var.data_sources.load_balancers, {})) combined_objects_lb_backend_address_pool = merge(tomap({ (local.client_config.landingzone_key) = module.lb_backend_address_pool }), try(var.remote_objects.lb_backend_address_pool, {})) - combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) - combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {}), try(var.data_sources.load_balancers, {})) - combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {}), try(var.data_sources.log_analytics, {})) - combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {}), try(var.data_sources.logic_app_integration_account, {})) - combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), try(var.remote_objects.logic_app_workflow, {}), try(var.data_sources.logic_app_workflow, {})) + combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {})) + combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {})) + combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = 
module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {})) + combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), try(var.remote_objects.logic_app_workflow, {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) - combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {}), try(var.data_sources.machine_learning_workspaces, {})) - combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {}), try(var.data_sources.managed_identities, {})) - combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), try(var.remote_objects.maps_accounts, {})) - combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {}), try(var.data_sources.monitor_action_groups, {})) - combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {}), try(var.data_sources.mssql_databases, {})) - combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_elastic_pools, try(var.data_sources.mssql_elastic_pools, {})) }), try(var.remote_objects.mssql_elastic_pools, {})) - combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_databases, module.mssql_managed_databases_v1) }), try(var.remote_objects.mssql_managed_databases, {}), try(var.data_sources.mssql_managed_databases, 
{})) - combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances, module.mssql_managed_instances_v1, try(var.data_sources.mssql_managed_instances, {})) }), try(var.remote_objects.mssql_managed_instances, {}), try(var.data_sources.mssql_managed_instances, {})) - combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_managed_instances_secondary, module.mssql_managed_instances_secondary_v1, try(var.data_sources.mssql_managed_instances_secondary, {})) }), try(var.remote_objects.mssql_managed_instances_secondary, {}), try(var.remote_objects.mssql_managed_instances_secondary, {})) - combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = merge(module.mssql_servers, try(var.data_sources.mssql_servers, {})) }), try(var.remote_objects.mssql_servers, {})) + combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {})) + combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {})) + combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {})) + combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {})) + combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_elastic_pools }), try(var.remote_objects.mssql_elastic_pools, {})) + combined_objects_mssql_managed_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_databases }), try(var.remote_objects.mssql_managed_databases, {})) 
+ combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances }), try(var.remote_objects.mssql_managed_instances, {})) + combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) + combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) + combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), try(var.remote_objects.mysql_flexible_server, {})) combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), try(var.remote_objects.nat_gateways, {})) diff --git a/modules/logic_app/standard/main.tf b/modules/logic_app/standard/main.tf index b65cd0084b..bd1fe0a3db 100644 --- a/modules/logic_app/standard/main.tf +++ b/modules/logic_app/standard/main.tf 
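Review bot: This hunk rewrites the `combined_objects_*` lines for load_balancers, log_analytics, logic_app_*, machine_learning, managed_identities, monitor_action_groups and the mssql_* objects to drop the `try(var.data_sources.…, {})` and `*_v1` module merges, and deletes `combined_objects_maps_accounts` outright, none of which the commit message (Logic App Standard with vnet integration) mentions; it reads like a rebase against an older version of the file rather than an intended change. Landing zones that bring these objects in through `data_sources` (for example `var.data_sources.log_analytics` or `var.data_sources.managed_identities`) would silently lose them, so key lookups fail at plan time. The only line this feature needs, `combined_objects_logic_app_standard`, is already unchanged context; the rest of the hunk should be reverted to the removed lines (with `combined_objects_lb_probe` left where it was) so the diff contains only the Logic App change. The `locals` block starts and ends outside the hunk.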
@@ -7,9 +7,29 @@ terraform { } locals { - resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)] - storage_account = var.storage_accounts[try(var.settings.lz_key, var.settings.storage_account.lz_key, var.client_config.landingzone_key)][try(var.settings.storage_account.key, var.settings.storage_account_key)] - app_service_plan = var.app_service_plans[try(var.settings.app_service_plan.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.app_service_plan.key, var.settings.app_service_plan_key)] - app_settings = try(var.app_settings, null) - subnet_id = can(var.settings.vnet_integration.subnet_id) || can(var.settings.vnet_integration.subnet_key) == false ? try(var.settings.vnet_integration.subnet_id, null) : var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id + resource_group = coalesce( + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key], null), + try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key], null), + try(var.resource_groups[var.settings.lz_key][var.settings.resource_group_key], null), + try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key], null) + ) + + storage_account = coalesce( + try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account_key], null), + try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account.key], null), + try(var.storage_accounts[var.settings.lz_key][var.settings.storage_account_key], null), + try(var.storage_accounts[var.settings.storage_account.lz_key][var.settings.storage_account.key], null) + ) + + app_service_plan = coalesce( + 
try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan_key], null), + try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan.key], null), + try(var.app_service_plans[var.settings.lz_key][var.settings.app_service_plan_key], null), + try(var.app_service_plans[var.settings.app_service_plan.lz_key][var.settings.app_service_plan.key], null) + ) + + app_settings = try(var.app_settings, null) + + subnet_id = try(var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id, null) + } \ No newline at end of file diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index a2391387a2..ab1c7896b5 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf 
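Review bot: `coalesce(try(…, null), …)` changes the failure modes in two ways: when none of the four lookups resolve, `coalesce` reports that it has no non-null arguments, which hides which key was wrong, and the lookup order now prefers `var.client_config.landingzone_key` over `var.settings.lz_key`, so a resource-group key that exists in both the local and the remote landing zone resolves locally where it previously resolved remotely. `subnet_id` also loses the `can(var.settings.vnet_integration.subnet_id)` passthrough and is wrapped in `try(…, null)`, so a mistyped `vnet_key`/`subnet_key` yields a null subnet rather than an error — for a vnet-integration setting that silently turns a network control off. Keep the previous expressions for the lookup order and let a bad subnet key fail the plan; if the `coalesce` form is kept, a comment stating the intended precedence (`# local landing zone wins over settings.lz_key`) would at least make the change deliberate.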
@@ -22,15 +22,15 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : [] content { - always_on = lookup(var.settings.site_config, "enabled", null) + always_on = lookup(var.settings.site_config, "enabled", false) dotnet_framework_version = lookup(var.settings.site_config, "dotnet_framework_version", null) - ftps_state = lookup(var.settings.site_config, "ftps_state", null) - http2_enabled = lookup(var.settings.site_config, "http2_enabled", null) + ftps_state = lookup(var.settings.site_config, "ftps_state", "FtpsOnly") + http2_enabled = lookup(var.settings.site_config, "http2_enabled", false) linux_fx_version = lookup(var.settings.site_config, "linux_fx_version", null) - min_tls_version = lookup(var.settings.site_config, "min_tls_version", null) - use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", null) - vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", null) - websockets_enabled = lookup(var.settings.site_config, "enabled", null) + min_tls_version = lookup(var.settings.site_config, "min_tls_version", "1.2") + use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", false) + vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", false) + websockets_enabled = lookup(var.settings.site_config, "enabled", false) dynamic "cors" { for_each = lookup(var.settings.site_config, "cors", {}) != {} ? [1] : [] 
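Review bot: `always_on`, `vnet_route_all_enabled` and `websockets_enabled` all read `lookup(var.settings.site_config, "enabled", false)`, so a single `site_config.enabled` flag turns on all three and none of them can be set independently; the hunk changes the defaults on those lines but keeps the copied key. Use each attribute's own name: `always_on = lookup(var.settings.site_config, "always_on", false)`, `vnet_route_all_enabled = lookup(var.settings.site_config, "vnet_route_all_enabled", false)`, `websockets_enabled = lookup(var.settings.site_config, "websockets_enabled", false)`. The new `min_tls_version = "1.2"` and `ftps_state = "FtpsOnly"` defaults are a sound secure baseline and deserve a short comment saying they are deliberate module defaults rather than provider defaults, so a later cleanup does not revert them to `null`. The `site_config` dynamic block continues outside the hunk.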
@@ -51,5 +51,4 @@ resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { app_service_id = azurerm_logic_app_standard.logic_app_standard.id subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) - } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index 6c8f63e1e0..b01846c314 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf @@ -13,11 +13,9 @@ module "private_endpoint" { try(var.virtual_subnets[var.client_config.landingzone_key][each.value.subnet_key].id, null), try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value global_settings = var.global_settings base_tags = var.base_tags private_dns = var.private_dns client_config = var.client_config - } \ No newline at end of file From f3812bfbde8cee7f9fe1ab7935fe5f9c86f2a55d Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 11 Nov 2022 07:57:38 +0000 Subject: [PATCH 195/244] Iterate on #1395 --- modules/logic_app/standard/main.tf | 29 ++++--------------- modules/logic_app/standard/module.tf | 22 +++++++------- .../logic_app/standard/private_endpoint.tf | 10 +++---- 3 files changed, 21 insertions(+), 40 deletions(-) diff --git a/modules/logic_app/standard/main.tf b/modules/logic_app/standard/main.tf index bd1fe0a3db..48d75dcf70 100644 --- a/modules/logic_app/standard/main.tf +++ b/modules/logic_app/standard/main.tf 
@@ -7,29 +7,10 @@ terraform {
 }
 locals {
- resource_group = coalesce(
- try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group_key], null),
- try(var.resource_groups[var.client_config.landingzone_key][var.settings.resource_group.key], null),
- try(var.resource_groups[var.settings.lz_key][var.settings.resource_group_key], null),
- try(var.resource_groups[var.settings.resource_group.lz_key][var.settings.resource_group.key], null)
- )
-
- storage_account = coalesce(
- try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account_key], null),
- try(var.storage_accounts[var.client_config.landingzone_key][var.settings.storage_account.key], null),
- try(var.storage_accounts[var.settings.lz_key][var.settings.storage_account_key], null),
- try(var.storage_accounts[var.settings.storage_account.lz_key][var.settings.storage_account.key], null)
- )
-
- app_service_plan = coalesce(
- try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan_key], null),
- try(var.app_service_plans[var.client_config.landingzone_key][var.settings.app_service_plan.key], null),
- try(var.app_service_plans[var.settings.lz_key][var.settings.app_service_plan_key], null),
- try(var.app_service_plans[var.settings.app_service_plan.lz_key][var.settings.app_service_plan.key], null)
- )
-
- app_settings = try(var.app_settings, null)
-
- subnet_id = try(var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id, null)
+ resource_group = var.resource_groups[try(var.settings.lz_key, var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)]
+ storage_account = var.storage_accounts[try(var.settings.lz_key, var.settings.storage_account.lz_key, var.client_config.landingzone_key)][try(var.settings.storage_account.key, var.settings.storage_account_key)]
+ app_service_plan = var.app_service_plans[try(var.settings.app_service_plan.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.app_service_plan.key, var.settings.app_service_plan_key)]
+ app_settings = try(var.app_settings, null)
+ subnet_id = can(var.settings.vnet_integration.subnet_id) || can(var.settings.vnet_integration.subnet_key) == false ? try(var.settings.vnet_integration.subnet_id, null) : var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id
 }
\ No newline at end of file
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index ab1c7896b5..277e81dc13 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
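Review bot: The landing-zone precedence is inconsistent across the three rewritten lookups: `resource_group` and `storage_account` take `var.settings.lz_key` before the nested `resource_group.lz_key` / `storage_account.lz_key`, whereas `app_service_plan` takes the nested `app_service_plan.lz_key` first. A config that sets both a top-level and a nested `lz_key` therefore resolves differently per resource; pick one order and use it in all three `try(...)` chains. The new direct `var.resource_groups[...][...]` indexing (no `coalesce`/`try` around it) now hard-fails at plan time on an unknown key instead of yielding null — fail-fast is fine, but it is a behaviour change that deserves a comment. Separately, `local.subnet_id` is derived from `var.settings.vnet_integration`, while the `vnet_config` resource in module.tf reads `var.vnet_integration`; one of those two inputs looks dead, which is worth confirming.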
@@ -22,15 +22,15 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : []
 content {
- always_on = lookup(var.settings.site_config, "enabled", false)
+ always_on = lookup(var.settings.site_config, "enabled", null)
 dotnet_framework_version = lookup(var.settings.site_config, "dotnet_framework_version", null)
- ftps_state = lookup(var.settings.site_config, "ftps_state", "FtpsOnly")
- http2_enabled = lookup(var.settings.site_config, "http2_enabled", false)
+ ftps_state = lookup(var.settings.site_config, "ftps_state", null)
+ http2_enabled = lookup(var.settings.site_config, "http2_enabled", null)
 linux_fx_version = lookup(var.settings.site_config, "linux_fx_version", null)
- min_tls_version = lookup(var.settings.site_config, "min_tls_version", "1.2")
- use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", false)
- vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", false)
- websockets_enabled = lookup(var.settings.site_config, "enabled", false)
+ min_tls_version = lookup(var.settings.site_config, "min_tls_version", null)
+ use_32_bit_worker_process = lookup(var.settings.site_config, "use_32_bit_worker_process", null)
+ vnet_route_all_enabled = lookup(var.settings.site_config, "enabled", null)
+ websockets_enabled = lookup(var.settings.site_config, "enabled", null)
 dynamic "cors" {
 for_each = lookup(var.settings.site_config, "cors", {}) != {} ? [1] : []
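Review bot: Resetting the `ftps_state` and `min_tls_version` fallbacks to `null` hands both settings back to the provider defaults, and as far as I recall the azurerm default for `ftps_state` is `AllAllowed`, so a caller who omits `site_config.ftps_state` ends up with plaintext FTP enabled on the Logic App. If the goal is to let callers leave these unset, keep the hardened values as the fallback instead: `ftps_state = lookup(var.settings.site_config, "ftps_state", "FtpsOnly")` and `min_tls_version = lookup(var.settings.site_config, "min_tls_version", "1.2")`. The copy-pasted `"enabled"` key feeding `always_on`, `vnet_route_all_enabled` and `websockets_enabled` also survives this rewrite. The resource block continues outside the hunk.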
@@ -45,10 +45,10 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index b01846c314..dd14a40905 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf 
@@ -13,9 +13,9 @@ module "private_endpoint" { try(var.virtual_subnets[var.client_config.landingzone_key][each.value.subnet_key].id, null), try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config } \ No newline at end of file From 397a08bf94d066688b0e36630747e785ec6d2ded Mon Sep 17 00:00:00 2001 From: Adam Cain <72016306+adamcaino@users.noreply.github.com> Date: Fri, 11 Nov 2022 08:03:33 +0000 Subject: [PATCH 196/244] Add Logic App Standard with vnet integration (#1395) Co-authored-by: Arnaud Lheureux --- modules/logic_app/standard/main.tf | 1 - modules/logic_app/standard/module.tf | 9 +++++---- modules/logic_app/standard/private_endpoint.tf | 12 +++++++----- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/modules/logic_app/standard/main.tf b/modules/logic_app/standard/main.tf index 48d75dcf70..b65cd0084b 100644 --- a/modules/logic_app/standard/main.tf +++ b/modules/logic_app/standard/main.tf @@ -12,5 +12,4 @@ locals { app_service_plan = var.app_service_plans[try(var.settings.app_service_plan.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.app_service_plan.key, var.settings.app_service_plan_key)] app_settings = try(var.app_settings, null) subnet_id = can(var.settings.vnet_integration.subnet_id) || can(var.settings.vnet_integration.subnet_key) == false ? try(var.settings.vnet_integration.subnet_id, null) : var.subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id - } \ No newline at end of file 
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 277e81dc13..a2391387a2 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -45,10 +45,11 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + } \ No newline at end of file diff --git a/modules/logic_app/standard/private_endpoint.tf b/modules/logic_app/standard/private_endpoint.tf index dd14a40905..6c8f63e1e0 100644 --- a/modules/logic_app/standard/private_endpoint.tf +++ b/modules/logic_app/standard/private_endpoint.tf 
@@ -13,9 +13,11 @@ module "private_endpoint" { try(var.virtual_subnets[var.client_config.landingzone_key][each.value.subnet_key].id, null), try(var.virtual_subnets[each.value.lz_key][each.value.subnet_key].id, null) ) - settings = each.value - global_settings = var.global_settings - base_tags = var.base_tags - private_dns = var.private_dns - client_config = var.client_config + + settings = each.value + global_settings = var.global_settings + base_tags = var.base_tags + private_dns = var.private_dns + client_config = var.client_config + } \ No newline at end of file From 496931c6754ceccca87407ade8abe9f0a6e5a871 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Wed, 16 Nov 2022 10:43:37 +0000 Subject: [PATCH 197/244] removing virtual_machine_scale_sets from roles.tf - it is causing cyclic dependencies --- locals.combined_objects.tf | 1 + roles.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 388975636f..f0102c7b2e 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf @@ -296,3 +296,4 @@ locals { } + diff --git a/roles.tf b/roles.tf index d258e6166f..08cce72d51 100644 --- a/roles.tf +++ b/roles.tf 
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" {
 }
 principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id
- role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null
+ role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null
 role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
 scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
 }
From d3a6652770d829d827fce72d80521cecc8f8f3e3 Mon Sep 17 00:00:00 2001
From: Janik Muenk
Date: Fri, 25 Nov 2022 15:42:03 +0000
Subject: [PATCH 198/244] this works for me right now
---
 roles.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles.tf b/roles.tf
index 08cce72d51..d258e6166f 100644
--- a/roles.tf
+++ b/roles.tf
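Review bot: The commit subject says virtual_machine_scale_sets is removed from roles.tf, but the only code change here swaps the `try(module.custom_roles[...], local.combined_objects_custom_roles[...])` fallback for a direct `local.combined_objects_custom_roles[...]` lookup, and the paired locals.combined_objects.tf change is a blank line; the message should describe the lookup change. PATCH 198 immediately reverts this line, so the two commits net to nothing in the series. If the direct lookup is the intended fix, note that it now fails at plan time when `role_definition_name` is missing from the combined map for the chosen landing zone, where the old `try` chain fell through silently — fail-fast is defensible for a role assignment, but it is a behaviour change worth stating in the message or a comment. The resource block continues outside the hunk.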
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "for" { } principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : each.value.object_id_lz_key == null ? local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id : local.services_roles[each.value.object_id_resource_type][each.value.object_id_lz_key][each.value.object_id_key_resource].rbac_id - role_definition_id = each.value.mode == "custom_role_mapping" ? local.combined_objects_custom_roles[each.value.role_lz_key != null ? each.value.role_lz_key : var.current_landingzone_key][each.value.role_definition_name].role_definition_resource_id : null + role_definition_id = each.value.mode == "custom_role_mapping" ? try(module.custom_roles[each.value.role_definition_name].role_definition_resource_id, local.combined_objects_custom_roles[each.value.role_lz_key][each.value.role_definition_name].role_definition_resource_id) : null role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null scope = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id } From 172e363817d47e966deda735c9306ec66a254f57 Mon Sep 17 00:00:00 2001 From: Yves Vogl Date: Mon, 18 Jul 2022 11:17:12 +0200 Subject: [PATCH 199/244] Nailing the components which lead to cycle error --- virtual_machines_scale_sets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index 0852aa5cea..103472823d 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf 
@@ -8,11 +8,11 @@ module "virtual_machine_scale_sets" {
 module.keyvault_access_policies,
 module.keyvault_access_policies_azuread_apps,
 module.proximity_placement_groups,
- module.load_balancers,
+ # module.load_balancers, # This is used in line #32 and therefore should have the same issue
 module.application_gateways,
 module.application_security_groups,
- module.packer_service_principal,
- module.packer_build,
+ #module.packer_service_principal, # This leads to cycle as well
+ #module.packer_build,# This leads to cycle as well
 module.proximity_placement_groups
 ]
 for_each = local.compute.virtual_machine_scale_sets
From 3b245cc311515dc2f00c74e79d870941cca2e81c Mon Sep 17 00:00:00 2001
From: Yves Vogl
Date: Mon, 18 Jul 2022 12:45:09 +0200
Subject: [PATCH 200/244] Removed direct dependency for role assignment to fix cycle error
---
 virtual_machines_scale_sets.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf
index 103472823d..0852aa5cea 100644
--- a/virtual_machines_scale_sets.tf
+++ b/virtual_machines_scale_sets.tf
@@ -8,11 +8,11 @@ module "virtual_machine_scale_sets" {
 module.keyvault_access_policies,
 module.keyvault_access_policies_azuread_apps,
 module.proximity_placement_groups,
- # module.load_balancers, # This is used in line #32 and therefore should have the same issue
+ module.load_balancers,
 module.application_gateways,
 module.application_security_groups,
- #module.packer_service_principal, # This leads to cycle as well
- #module.packer_build,# This leads to cycle as well
+ module.packer_service_principal,
+ module.packer_build,
 module.proximity_placement_groups
 ]
 for_each = local.compute.virtual_machine_scale_sets
From 397607a96f28fcb421acf2908661c1e031d83ae3 Mon Sep 17 00:00:00 2001
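Review bot: PATCH 199 comments out three `depends_on` entries to dodge a dependency cycle and PATCH 200 restores them verbatim, so the pair is a no-op in the series and the cycle diagnosis survives only in commit messages; squashing both out, or recording the finding as a comment next to `depends_on`, would be cleaner. While here, `module.proximity_placement_groups` appears twice in the same `depends_on` list (third entry and last entry), which is harmless but looks like a paste error. The `module` block continues outside both hunks.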
From: Yves Vogl Date: Tue, 13 Sep 2022 21:48:05 +0200 Subject: [PATCH 201/244] Adoptiong use case "locallly created subnet in externally created vnet" --- .../application_gateways.tfvars | 2 +- .../application_gateway/locals.networking.tf | 16 +++++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index c316602800..a3d2b6b036 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars @@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 3c5b847432..05bdc99cc8 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf 
@@ -12,8 +12,8 @@ locals {
 private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null)
 public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null)
- private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null)
- public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null)
+ private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.subnet_key], null)
+ public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.subnet_key], null)
 gateway_vnet_remote = try(coalesce(
 try(var.vnets[var.settings.lz_key][var.settings.vnet_key], null),
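Review bot: `private_subnets_local` / `public_subnets_local` now resolve to a single subnet object instead of the per-landing-zone map, but the consumers further down this file still index `local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key]`, so the key is applied twice, the inner `try` yields null, and the "locally created subnet in an external vnet" case this commit targets still does not resolve. Either keep these locals as maps (which PATCH 202 later does) or drop the second `[...subnet_key]` at the use sites, not both. The `locals` block continues outside the hunk.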
@@ -27,14 +27,17 @@ locals {
 private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null)
 public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null)
- private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key], null)
- public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key], null)
+ private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.subnet_key], null)
+ public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.subnet_key], null)
+
 gateway_vnet = merge(local.gateway_vnet_local, local.gateway_vnet_remote)
 private_vnet = merge(local.private_vnet_local, local.private_vnet_remote)
 public_vnet = merge(local.public_vnet_local, local.public_vnet_remote)
 private_subnets = merge(local.private_subnets_local, local.private_subnets_remote)
 public_subnets = merge(local.public_subnets_local, local.public_subnets_remote)
+ private_subnets = merge(local.private_subnets_local, local.private_subnets_remote)
+ public_subnets = merge(local.public_subnets_local, local.public_subnets_remote)
 ip_configuration = {
 gateway = {
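Review bot: `private_subnets` and `public_subnets` are now defined twice in the same `locals` block — the two added lines duplicate the two context lines directly above them — and HCL rejects a repeated attribute in a block, so this file will not pass `terraform validate`. Remove the two added `+ private_subnets = merge(...)` / `+ public_subnets = merge(...)` lines. PATCH 202, which reworks the rest of this change, leaves these duplicates in place. The `locals` block continues outside the hunk.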
@@ -49,11 +52,13 @@ locals {
 subnet_id = try(coalesce(
 try(local.private_vnet.subnets[var.settings.front_end_ip_configurations.private.subnet_key].id, null),
 try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].id, null),
+ try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].id, null),
 try(var.settings.front_end_ip_configurations.private.subnet_id, null)
 ), null)
 cidr = try(coalesce(
 try(local.private_vnet.subnets[var.settings.front_end_ip_configurations.private.subnet_key].cidr, null),
 try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].cidr, null),
+ try(local.private_subnets[var.settings.front_end_ip_configurations.private.subnet_key].cidr, null),
 try(var.settings.front_end_ip_configurations.private.subnet_cidr, null)
 ), null)
@@ -63,12 +68,13 @@ locals {
 subnet_id = try(
 local.public_vnet.subnets[var.settings.front_end_ip_configurations.public.subnet_key].id,
 local.public_subnets[var.settings.front_end_ip_configurations.public.subnet_key].id,
+ local.public_subnets[var.settings.front_end_ip_configurations.public.subnet_key].id,
 var.settings.front_end_ip_configurations.public.subnet_id,
 null
 )
 ip_address_id = try(coalesce(
- try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null),
+ try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null),
 try(var.settings.front_end_ip_configurations.public.public_ip_id, null)
 ), null)
 }
From 988cc318d588958dabb30e418dec3ebc65fd01cc Mon Sep 17 00:00:00 2001
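Review bot: The three added lines — the `.id` and `.cidr` entries in the private `coalesce` chains and the `local.public_subnets[...].id` entry in the public `try` — are byte-for-byte copies of the line immediately above each of them, so they add no new resolution path and should be dropped. The `ip_address_id` change in the second hunk is whitespace only. Neither hunk reaches the end of the `locals` block.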
From: Yves Vogl Date: Wed, 14 Sep 2022 14:34:27 +0200 Subject: [PATCH 202/244] Fix for adopting use case "locallly created subnet in externally created vnet" --- .../101-private-public/application_gateways.tfvars | 2 +- .../application_gateway/locals.networking.tf | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars index a3d2b6b036..c316602800 100644 --- a/examples/networking/app_gateway/101-private-public/application_gateways.tfvars +++ b/examples/networking/app_gateway/101-private-public/application_gateways.tfvars @@ -25,7 +25,7 @@ application_gateways = { name = "private" vnet_key = "vnet_region1" subnet_key = "app_gateway_private" - subnet_cidr_index = 0 # It is possible to have more than one cidr block per vnet + subnet_cidr_index = 0 # It is possible to have more than one cidr block per subnet private_ip_offset = 4 # e.g. cidrhost(10.10.0.0/25,4) = 10.10.0.4 => AGW private IP address private_ip_address_allocation = "Static" } diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 05bdc99cc8..603d5f1c5e 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf 
@@ -12,8 +12,8 @@ locals { private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.subnet_key], null) - public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.subnet_key], null) + private_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) + public_subnets_local = try(var.virtual_subnets[var.client_config.landingzone_key], null) gateway_vnet_remote = try(coalesce( try(var.vnets[var.settings.lz_key][var.settings.vnet_key], null), @@ -27,9 +27,8 @@ locals { private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) - private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.subnet_key], null) - public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.subnet_key], null) - + private_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.private.lz_key], null) + public_subnets_remote = try(var.virtual_subnets[var.settings.front_end_ip_configurations.public.lz_key], null) gateway_vnet = merge(local.gateway_vnet_local, local.gateway_vnet_remote) private_vnet = merge(local.private_vnet_local, local.private_vnet_remote) 
@@ -74,7 +73,7 @@ locals { ) ip_address_id = try(coalesce( - try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null), + try(var.public_ip_addresses[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, var.public_ip_addresses[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.public_ip_key].id, null), try(var.settings.front_end_ip_configurations.public.public_ip_id, null) ), null) } From 9510f86169861057a70cf752871453ad130db417 Mon Sep 17 00:00:00 2001 From: najeebvv Date: Mon, 13 Feb 2023 18:05:14 +0100 Subject: [PATCH 203/244] - acr premium sku features --- compute_container_registry.tf | 6 ++ .../200-acr-vnet/configuration.tfvars | 12 +++ .../300-acr-premium/configuration.tfvars | 83 +++++++++++++++++++ .../compute/container_registry/registry.tf | 15 ++++ .../compute/container_registry/variables.tf | 5 ++ 5 files changed, 121 insertions(+) create mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars diff --git a/compute_container_registry.tf b/compute_container_registry.tf index 94cacd9084..b5de023aac 100644 --- a/compute_container_registry.tf +++ b/compute_container_registry.tf 
@@ -23,6 +23,12 @@ module "container_registry" {
 resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
 resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
 location = try(local.global_settings.regions[each.value.region], null)
+
+ quarantine_policy_enabled = try(each.value.quarantine_policy_enabled, false)
+ zone_redundancy_enabled = try(each.value.zone_redundancy_enabled, false)
+ export_policy_enabled = try(each.value.export_policy_enabled, true)
+ trust_policy = try(each.value.trust_policy, {})
+ retention_policy = try(each.value.retention_policy, {})
 }
 output "azure_container_registries" {
diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars
index 98d29c455e..5a5f1d126b 100644
--- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars
+++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars
@@ -27,18 +27,30 @@ azure_container_registries = {
 #public_network_access_enabled = "false" #Only able to control when sku = "premium"
+ zone_redundancy_enabled = false
+ quarantine_policy_enabled = true
+ trust_policy = {
+ enabled = true
+ }
+ retention_policy = {
+ enabled = true
+ days = 7
+ }
+
 georeplications = {
 region2 = {
 tags = {
 region = "australiacentral"
 type = "acr_replica"
 }
+ regional_endpoint_enabled = true
 }
 region3 = {
 tags = {
 region = "westeurope"
 type = "acr_replica"
 }
+ regional_endpoint_enabled = false
 }
 }
 network_rule_set = {
diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars
new file mode 100644
index 0000000000..b02e7f1486
--- /dev/null
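Review bot: `export_policy_enabled = try(each.value.export_policy_enabled, true)` is forwarded without recording the provider constraint that, as far as I recall the azurerm docs, it may only be `false` when `public_network_access_enabled` is also `false`; a caller who disables exports on a registry that still allows public access gets an apply-time error from Azure rather than a plan-time message. A one-line comment at the new argument, `# export_policy_enabled = false requires public_network_access_enabled = false`, or a `validation` block on the module variable, would surface that. The Premium-only flags (`quarantine_policy_enabled`, `zone_redundancy_enabled`, `trust_policy`, `retention_policy`) are likewise forwarded for every SKU; their defaults are off so Basic/Standard registries should be unaffected, but a comment saying so would save the next reader a check.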
+++ b/examples/compute/container_registry/300-acr-premium/configuration.tfvars @@ -0,0 +1,83 @@ +global_settings = { + default_region = "region1" + environment = "test" + regions = { + region1 = "australiaeast" + region2 = "australiacentral" + region3 = "westeurope" + } +} + + +resource_groups = { + # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" + acr_region1 = { + name = "acr" + } + vnet_region1 = { + name = "acr-vnet" + } +} + +azure_container_registries = { + acr1 = { + name = "acr-test" + resource_group_key = "acr_region1" + sku = "Premium" + + public_network_access_enabled = "false" #Only able to control when sku = "premium" + + georeplications = { + region2 = { + tags = { + region = "australiacentral" + type = "acr_replica" + } + } + region3 = { + tags = { + region = "westeurope" + type = "acr_replica" + } + } + } + network_rule_set = { + rule1 = { + default_action = "Allow" + # ip_rules = { + # rule1 = { + # ip_range = [""] + # } + # } + virtual_networks = { + acr1_jumphost = { + vnet_key = "hub_rg1" + subnet_key = "jumphost" + } + } + } + } + + } +} + + +vnets = { + hub_rg1 = { + resource_group_key = "vnet_region1" + vnet = { + name = "hub" + address_space = ["100.64.100.0/22"] + } + specialsubnets = {} + subnets = { + jumphost = { + name = "jumphost" + cidr = ["100.64.103.0/27"] + service_endpoints = ["Microsoft.ContainerRegistry"] + } + } + } + +} + diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index ca0d8757af..84fa43a94c 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
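Review bot: The new example pairs `public_network_access_enabled = "false"` with a `network_rule_set` whose `default_action = "Allow"`, which makes the `virtual_networks` rule for `acr1_jumphost` meaningless — with Allow as the default every source is admitted regardless of the rule. A "premium / private registry" example should show `default_action = "Deny"` so the service-endpoint rule actually restricts who can reach the registry. Also, `"false"` is a string where the module presumably expects a bool; Terraform coerces it, but a bare `false` reads better in sample config, and the inline comment `#Only able to control when sku = "premium"` uses a different case from the `sku = "Premium"` set three lines above it.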
@@ -18,6 +18,20 @@ resource "azurerm_container_registry" "acr" {
 public_network_access_enabled = var.public_network_access_enabled
+ quarantine_policy_enabled = var.quarantine_policy_enabled
+ zone_redundancy_enabled = var.zone_redundancy_enabled
+ export_policy_enabled = var.export_policy_enabled
+
+ trust_policy {
+ enabled = lookup(var.trust_policy, "enabled", false)
+ }
+
+ retention_policy {
+ enabled = lookup(var.retention_policy, "enabled", false)
+ days = lookup(var.retention_policy, "days", 7)
+ }
+
+
 dynamic "network_rule_set" {
 for_each = try(var.network_rule_set, {})
@@ -48,6 +62,7 @@ resource "azurerm_container_registry" "acr" {
 content {
 location = var.global_settings.regions[georeplications.key]
+ regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false)
 tags = try(georeplications.value.tags)
 }
 }
diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf
index 022f4ad70f..f85c18ee48 100644
--- a/modules/compute/container_registry/variables.tf
+++ b/modules/compute/container_registry/variables.tf
@@ -93,6 +93,11 @@ variable "quarantine_policy_enabled" {
 default = false
 }
+variable "regional_endpoint_enabled" {
+ type = bool
+ default = false
+}
+
 variable "retention_policy" {
 default = {}
 }
From d13fc80e2fcb2218fa9dbbf0b3a6dc4c84364bb4 Mon Sep 17 00:00:00 2001
From: Najeeb Vayal Valappil
Date: Wed, 15 Feb 2023 11:57:29 +0100
Subject: [PATCH 204/244] -reverting changes on 200-acr-vnet
---
 .../200-acr-vnet/configuration.tfvars | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars
index 5a5f1d126b..98d29c455e 100644
--- a/examples/compute/container_registry/200-acr-vnet/configuration.tfvars
+++ b/examples/compute/container_registry/200-acr-vnet/configuration.tfvars
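Review bot: The new `variable "regional_endpoint_enabled"` in variables.tf is never read — registry.tf takes the flag from `georeplications.value.regional_endpoint_enabled` per replica, not from `var.regional_endpoint_enabled` — so it is a dead module input (PATCH 205 later deletes it). In registry.tf the `retention_policy` block always emits `days = lookup(var.retention_policy, "days", 7)`, including when `enabled` is false; that appears harmless, but a comment such as `# days only takes effect when enabled = true` would stop readers from assuming a 7-day untagged-manifest retention is active by default. The `azurerm_container_registry` resource block continues outside both registry.tf hunks.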
@@ -27,30 +27,18 @@ azure_container_registries = { #public_network_access_enabled = "false" #Only able to control when sku = "premium" - zone_redundancy_enabled = false - quarantine_policy_enabled = true - trust_policy = { - enabled = true - } - retention_policy = { - enabled = true - days = 7 - } - georeplications = { region2 = { tags = { region = "australiacentral" type = "acr_replica" } - regional_endpoint_enabled = true } region3 = { tags = { region = "westeurope" type = "acr_replica" } - regional_endpoint_enabled = false } } network_rule_set = { From 889b6caaaafb2f41ba03eed85bcd597e705aa595 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 15 Feb 2023 12:08:32 +0100 Subject: [PATCH 205/244] - variable region endpoint is not required until version 3.0.0 --- modules/compute/container_registry/variables.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index f85c18ee48..022f4ad70f 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf @@ -93,11 +93,6 @@ variable "quarantine_policy_enabled" { default = false } -variable "regional_endpoint_enabled" { - type = bool - default = false -} - variable "retention_policy" { default = {} } From 82c9368088cd6356b2171783e766c3f0ec2f5864 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 16 Mar 2023 18:40:48 +0100 Subject: [PATCH 206/244] - custom_data improvements - additional private endpoints for aks - role assignment for route tables --- roles.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles.tf b/roles.tf index d258e6166f..3d7e0c6438 100644 --- a/roles.tf +++ b/roles.tf 
@@ -174,6 +174,8 @@ locals {
 synapse_workspaces = local.combined_objects_synapse_workspaces
 virtual_subnets = local.combined_objects_virtual_subnets
 virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets
+ log_analytics = local.current_objects_log_analytics
+ route_tables = local.combined_objects_route_tables
 wvd_application_groups = local.combined_objects_wvd_application_groups
 wvd_applications = local.combined_objects_wvd_applications
 wvd_host_pools = local.combined_objects_wvd_host_pools

From b4cc96396d947e5e5e050c78e19e43ecc082247c Mon Sep 17 00:00:00 2001
From: najeebvv <79649322+najeebvv@users.noreply.github.com>
Date: Fri, 17 Mar 2023 10:22:24 +0100
Subject: [PATCH 207/244] Revert "Feat/acr enhancements"

---
 compute_container_registry.tf | 6 --
 .../300-acr-premium/configuration.tfvars | 83 -------------------
 .../compute/container_registry/registry.tf | 15 ----
 .../compute/container_registry/variables.tf | 21 ++---
 4 files changed, 6 insertions(+), 119 deletions(-)
 delete mode 100644 examples/compute/container_registry/300-acr-premium/configuration.tfvars

diff --git a/compute_container_registry.tf b/compute_container_registry.tf
index b5de023aac..94cacd9084 100644
--- a/compute_container_registry.tf
+++ b/compute_container_registry.tf
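Review bot: `log_analytics = local.current_objects_log_analytics` is the only entry in this map that reads a `current_objects_*` local rather than `combined_objects_*`; every neighbouring line, including the `route_tables` entry added alongside it, uses the combined map. If `current_objects_*` holds only the local landing zone's objects, as the naming suggests (not visible here), a role assignment scoped to a workspace in a remote landing zone via `lz_key` will fail to resolve, and the odd one out is easy to misread as intentional. Unless remote workspaces are deliberately excluded, the `combined_objects_` equivalent (if one exists) would match the rest of the block; otherwise a one-line comment on the entry, `# local landing zone only: <reason>`, should record why. The enclosing `locals` block continues outside the hunk.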
@@ -23,12 +23,6 @@ module "container_registry" { resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null location = try(local.global_settings.regions[each.value.region], null) - - quarantine_policy_enabled = try(each.value.quarantine_policy_enabled, false) - zone_redundancy_enabled = try(each.value.zone_redundancy_enabled, false) - export_policy_enabled = try(each.value.export_policy_enabled, true) - trust_policy = try(each.value.trust_policy, {}) - retention_policy = try(each.value.retention_policy, {}) } output "azure_container_registries" { diff --git a/examples/compute/container_registry/300-acr-premium/configuration.tfvars b/examples/compute/container_registry/300-acr-premium/configuration.tfvars deleted file mode 100644 index b02e7f1486..0000000000 --- a/examples/compute/container_registry/300-acr-premium/configuration.tfvars +++ /dev/null 
@@ -1,83 +0,0 @@ -global_settings = { - default_region = "region1" - environment = "test" - regions = { - region1 = "australiaeast" - region2 = "australiacentral" - region3 = "westeurope" - } -} - - -resource_groups = { - # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" - acr_region1 = { - name = "acr" - } - vnet_region1 = { - name = "acr-vnet" - } -} - -azure_container_registries = { - acr1 = { - name = "acr-test" - resource_group_key = "acr_region1" - sku = "Premium" - - public_network_access_enabled = "false" #Only able to control when sku = "premium" - - georeplications = { - region2 = { - tags = { - region = "australiacentral" - type = "acr_replica" - } - } - region3 = { - tags = { - region = "westeurope" - type = "acr_replica" - } - } - } - network_rule_set = { - rule1 = { - default_action = "Allow" - # ip_rules = { - # rule1 = { - # ip_range = [""] - # } - # } - virtual_networks = { - acr1_jumphost = { - vnet_key = "hub_rg1" - subnet_key = "jumphost" - } - } - } - } - - } -} - - -vnets = { - hub_rg1 = { - resource_group_key = "vnet_region1" - vnet = { - name = "hub" - address_space = ["100.64.100.0/22"] - } - specialsubnets = {} - subnets = { - jumphost = { - name = "jumphost" - cidr = ["100.64.103.0/27"] - service_endpoints = ["Microsoft.ContainerRegistry"] - } - } - } - -} - diff --git a/modules/compute/container_registry/registry.tf b/modules/compute/container_registry/registry.tf index 84fa43a94c..ca0d8757af 100644 --- a/modules/compute/container_registry/registry.tf +++ b/modules/compute/container_registry/registry.tf 
@@ -18,20 +18,6 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = var.public_network_access_enabled - quarantine_policy_enabled = var.quarantine_policy_enabled - zone_redundancy_enabled = var.zone_redundancy_enabled - export_policy_enabled = var.export_policy_enabled - - trust_policy { - enabled = lookup(var.trust_policy, "enabled", false) - } - - retention_policy { - enabled = lookup(var.retention_policy, "enabled", false) - days = lookup(var.retention_policy, "days", 7) - } - - dynamic "network_rule_set" { for_each = try(var.network_rule_set, {}) @@ -62,7 +48,6 @@ resource "azurerm_container_registry" "acr" { content { location = var.global_settings.regions[georeplications.key] - regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) tags = try(georeplications.value.tags) } } diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index 022f4ad70f..5e7924ee32 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf 
@@ -63,25 +63,16 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" } - -variable "base_tags" { - type = bool - description = "Base tags for the resource to be inherited from the resource group." -} - -variable "resource_group" { - description = "Resource group object to deploy the virtual machine" +variable "location" { + description = "location of the resource if different from the resource group." default = null - } - variable "resource_group_name" { -} - - -variable "location" { + description = "Resource group object to deploy the virtual machine" default = null - description = "location of the resource if different from the resource group." +} +variable "resource_group" { + description = "Resource group object to deploy the virtual machine" } variable "base_tags" { description = "Base tags for the resource to be inherited from the resource group." From 8e69af20cd90406d02ed8f145b8ee714434e5c97 Mon Sep 17 00:00:00 2001 From: Janik Muenk Date: Wed, 19 Jul 2023 08:13:41 +0000 Subject: [PATCH 208/244] fixing merge issus, fixing cyclic dependencies, upgrading to azurerm 3.65 --- .../compute/container_registry/variables.tf | 40 +++++-------------- modules/compute/virtual_machine/variables.tf | 1 - .../LinuxDiagnostic.tf | 2 + virtual_machines_scale_sets.tf | 2 +- 4 files changed, 12 insertions(+), 33 deletions(-) diff --git a/modules/compute/container_registry/variables.tf b/modules/compute/container_registry/variables.tf index 5e7924ee32..d4ba0209c0 100644 --- a/modules/compute/container_registry/variables.tf +++ b/modules/compute/container_registry/variables.tf 
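Review bot: After this hunk `variable "resource_group_name"` carries `description = "Resource group object to deploy the virtual machine"`, which is the text of the `resource_group` variable below it and describes neither the type (a name string, as the wiring in compute_container_registry.tf earlier in this series shows) nor the resource (a container registry, not a virtual machine). Something like `description = "Name of the resource group the container registry is deployed into."` would be accurate; the `resource_group` description has the same virtual-machine copy-paste and should say "container registry" as well. The collapsed layout makes the exact old/new assignment of these lines hard to read, so this is based on the resulting file as shown by the following commit's old side.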
@@ -63,41 +63,19 @@ variable "private_dns" { variable "public_network_access_enabled" { default = "true" } -variable "location" { - description = "location of the resource if different from the resource group." - default = null -} -variable "resource_group_name" { - description = "Resource group object to deploy the virtual machine" - default = null -} -variable "resource_group" { - description = "Resource group object to deploy the virtual machine" -} + variable "base_tags" { - description = "Base tags for the resource to be inherited from the resource group." type = bool + description = "Base tags for the resource to be inherited from the resource group." } - -variable "quarantine_policy_enabled" { - type = bool - default = false -} - -variable "retention_policy" { - default = {} -} - -variable "trust_policy" { - default = {} +variable "resource_group" { + default = null + description = "Resource group object to deploy the virtual machine" } -variable "zone_redundancy_enabled" { - type = bool - default = false +variable "resource_group_name" { } - -variable "export_policy_enabled" { - type = bool - default = true +variable "location" { + default = null + description = "location of the resource if different from the resource group." } \ No newline at end of file diff --git a/modules/compute/virtual_machine/variables.tf b/modules/compute/virtual_machine/variables.tf index a3a4e95587..d07ac470ae 100644 --- a/modules/compute/virtual_machine/variables.tf +++ b/modules/compute/virtual_machine/variables.tf @@ -27,7 +27,6 @@ variable "settings" {} variable "vnets" {} -variable "virtual_subnets" {} # Security variable "public_key_pem_file" { diff --git a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf index 1983db4ac2..9b00b3bf15 100644 --- a/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf +++ b/modules/compute/virtual_machine_extensions/LinuxDiagnostic.tf 
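Review bot: `variable "base_tags"` keeps `type = bool` while its description says it carries the tags inherited from the resource group; tags are a map, and a caller that passes one (the scale-set wiring in this series does `base_tags = try(...tags, {})`) would fail type checking, so one of the two is wrong. If a map is intended, `type = map(string)` with `default = {}` matches the description; if it really is a switch, the description should say so. The file also ends without a trailing newline (`\ No newline at end of file`), which the formatter will flag on the next touch.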
@@ -59,5 +59,7 @@ data "azurerm_storage_account_sas" "token" { create = true update = true process = true + filter = true + tag = true } } diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf index 0852aa5cea..83fbc1434c 100644 --- a/virtual_machines_scale_sets.tf +++ b/virtual_machines_scale_sets.tf @@ -8,7 +8,7 @@ module "virtual_machine_scale_sets" { module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, - module.load_balancers, + #module.load_balancers, module.application_gateways, module.application_security_groups, module.packer_service_principal, From 32cf52b43c7a9399810914b9eeeea270545f1c6c Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Mon, 17 Jul 2023 13:43:29 +0200 Subject: [PATCH 209/244] fix: sshkey --- modules/compute/virtual_machine/vm_linux.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf index f9a317adf6..60b99d97ca 100644 --- a/modules/compute/virtual_machine/vm_linux.tf +++ b/modules/compute/virtual_machine/vm_linux.tf @@ -92,7 +92,7 @@ resource "azurerm_linux_virtual_machine" "vm" { # Create local ssh key dynamic "admin_ssh_key" { - for_each = lookup(each.value, "disable_password_authentication", true) == true && can(var.settings.public_key_pem_file) ? [1] : [] + for_each = lookup(each.value, "disable_password_authentication", true) == true && local.create_sshkeys ? [1] : [] content { username = each.value.admin_username From 50cca4ac8197f8b962318ccd27a93d52d4ef096a Mon Sep 17 00:00:00 2001 
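Review bot: `filter = true` and `tag = true` widen the SAS token beyond the create/update/process permissions already visible in this `permissions` block, and the `azurerm_storage_account_sas` data source starts outside the hunk, so the token's expiry window and resource scope cannot be checked here. If the two attributes were added only because the provider now requires them (the commit title mentions the azurerm upgrade), `filter = false` and `tag = false` satisfy the schema without granting anything the diagnostics extension does not use. A comment on the block, `# permissions limited to what the Linux diagnostics extension needs to write metrics/logs`, would keep the next change from widening it further.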
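Review bot: The new condition `lookup(each.value, "disable_password_authentication", true) == true && local.create_sshkeys ? [1] : []` emits no `admin_ssh_key` block when `local.create_sshkeys` is false while password authentication stays disabled (the default), which leaves the VM with neither a password nor a key unless another part of the resource outside this hunk supplies one — a combination the provider rejects. The previous test, `can(var.settings.public_key_pem_file)`, keyed off a supplied key, so unless `local.create_sshkeys` (not visible here) also covers the supplied-key case, a `precondition` that some key source exists whenever password auth is disabled would turn a late provider error into a clear message. The `== true` comparison is redundant on a boolean and can be dropped. The resource block continues outside the hunk.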
From: "janik.muenk" Date: Mon, 16 Oct 2023 09:22:09 +0000 Subject: [PATCH 210/244] fix(merging): fixing cyclic dependencies --- compute_virtual_machines_scale_sets.tf | 16 +++---- locals.tf | 3 ++ .../application_gateway/locals.networking.tf | 3 +- storage_account_file_shares.tf | 2 +- virtual_machines_scale_sets.tf | 48 ------------------- 5 files changed, 13 insertions(+), 59 deletions(-) delete mode 100644 virtual_machines_scale_sets.tf diff --git a/compute_virtual_machines_scale_sets.tf b/compute_virtual_machines_scale_sets.tf index da06e21d0a..7b09d02b5f 100644 --- a/compute_virtual_machines_scale_sets.tf +++ b/compute_virtual_machines_scale_sets.tf @@ -3,17 +3,18 @@ module "virtual_machine_scale_sets" { source = "./modules/compute/virtual_machine_scale_set" depends_on = [ - module.application_gateways, - module.application_security_groups, module.availability_sets, module.dynamic_keyvault_secrets, - module.keyvault_access_policies_azuread_apps, module.keyvault_access_policies, - module.load_balancers, - module.packer_build, - module.packer_service_principal, + module.keyvault_access_policies_azuread_apps, module.proximity_placement_groups, time_sleep.azurerm_role_assignment_for[0] + #module.load_balancers, + module.application_gateways, + module.application_security_groups, + module.packer_service_principal, + module.packer_build, + module.proximity_placement_groups ] for_each = local.compute.virtual_machine_scale_sets @@ -52,5 +53,4 @@ module "virtual_machine_scale_sets" { output "virtual_machine_scale_sets" { value = module.virtual_machine_scale_sets -} - +} \ No newline at end of file diff --git a/locals.tf b/locals.tf index 4946402696..a6d3e8b9c4 100644 --- a/locals.tf +++ b/locals.tf 
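Review bot: The new `depends_on` list does not parse as printed: the context line `time_sleep.azurerm_role_assignment_for[0]` has no trailing comma (it used to be the last element) and is now followed by more elements (`module.application_gateways,` and the rest), which Terraform rejects with a missing item separator error. The same list names `module.proximity_placement_groups` twice — once before the `time_sleep` entry and again as the final element — and re-adds `module.packer_build` and `module.packer_service_principal` that the removed lines took out, so both look like merge leftovers rather than the cycle fix the title describes. Adding the comma, `time_sleep.azurerm_role_assignment_for[0],`, dropping the second `module.proximity_placement_groups`, and giving the commented `#module.load_balancers,` a reason (`# disabled: dependency cycle with module.load_balancers`) would make the block valid and self-explaining. The module block continues outside the hunk.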
@@ -7,6 +7,9 @@ resource "random_string" "prefix" { } locals { + aadb2c = { + aadb2c_directory = try(var.aadb2c.aadb2c_directory, {}) + } azuread = { azuread_administrative_unit_members = try(var.azuread.azuread_administrative_unit_members, {}) azuread_administrative_units = try(var.azuread.azuread_administrative_units, {}) diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index 603d5f1c5e..df9b61b967 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf @@ -35,8 +35,7 @@ locals { public_vnet = merge(local.public_vnet_local, local.public_vnet_remote) private_subnets = merge(local.private_subnets_local, local.private_subnets_remote) public_subnets = merge(local.public_subnets_local, local.public_subnets_remote) - private_subnets = merge(local.private_subnets_local, local.private_subnets_remote) - public_subnets = merge(local.public_subnets_local, local.public_subnets_remote) + ip_configuration = { gateway = { diff --git a/storage_account_file_shares.tf b/storage_account_file_shares.tf index eeb2e50b8c..3b65edce84 100644 --- a/storage_account_file_shares.tf +++ b/storage_account_file_shares.tf @@ -4,7 +4,7 @@ module "storage_account_file_shares" { source = "./modules/storage_account/file_share" - depends_on = [azurerm_role_assignment.for] + #depends_on = [azurerm_role_assignment.for] for_each = local.storage.storage_account_file_shares storage_account_name = local.combined_objects_storage_accounts[try(each.value.storage_account.lz_key, local.client_config.landingzone_key)][each.value.storage_account.key].name diff --git a/virtual_machines_scale_sets.tf b/virtual_machines_scale_sets.tf deleted file mode 100644 index 83fbc1434c..0000000000 --- a/virtual_machines_scale_sets.tf +++ /dev/null 
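Review bot: Commenting out `depends_on = [azurerm_role_assignment.for]` in storage_account_file_shares.tf removes the only ordering between file-share creation and the role assignments; if the share is created with the caller's identity through the data plane (not visible here), a first apply can now race the RBAC grant and fail with an authorization error that succeeds on retry. If the dependency must go to break the cycle, a comment on the commented line, `# removed: dependency cycle with azurerm_role_assignment.for; RBAC must be in place before first apply`, keeps the reason visible, and `time_sleep.azurerm_role_assignment_for[0]` (used as the dependency target by the scale-set module in this same commit) may be a cycle-free alternative. The module block continues outside the hunk.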
@@ -1,48 +0,0 @@ - - -module "virtual_machine_scale_sets" { - source = "./modules/compute/virtual_machine_scale_set" - depends_on = [ - module.availability_sets, - #module.dynamic_keyvault_secrets, - module.keyvault_access_policies, - module.keyvault_access_policies_azuread_apps, - module.proximity_placement_groups, - #module.load_balancers, - module.application_gateways, - module.application_security_groups, - module.packer_service_principal, - module.packer_build, - module.proximity_placement_groups - ] - for_each = local.compute.virtual_machine_scale_sets - - availability_sets = local.combined_objects_availability_sets - application_gateways = local.combined_objects_application_gateways - application_security_groups = local.combined_objects_application_security_groups - base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} - boot_diagnostics_storage_account = try(local.combined_diagnostics.storage_accounts[each.value.boot_diagnostics_storage_account_key].primary_blob_endpoint, {}) - client_config = local.client_config - diagnostics = local.combined_diagnostics - disk_encryption_sets = local.combined_objects_disk_encryption_sets - global_settings = local.global_settings - image_definitions = local.combined_objects_image_definitions - keyvaults = local.combined_objects_keyvaults - load_balancers = local.combined_objects_load_balancers - lbs = local.combined_objects_lb - lb_backend_address_pool = local.combined_objects_lb_backend_address_pool - managed_identities = local.combined_objects_managed_identities - network_security_groups = try(module.network_security_groups, {}) - proximity_placement_groups = local.combined_objects_proximity_placement_groups - public_ip_addresses = local.combined_objects_public_ip_addresses - recovery_vaults = 
local.combined_objects_recovery_vaults - settings = each.value - vnets = local.combined_objects_networking - location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location - resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name -} - - -output "virtual_machine_scale_sets" { - value = module.virtual_machine_scale_sets -} From f1cf6c54dba4ad0325e628a0f11dd3d61b6c9deb Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Wed, 11 Oct 2023 16:41:12 +0200 Subject: [PATCH 211/244] - fix: aks default node count - fix: merge upstream changes --- modules/compute/aks/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index 0ace42bb06..cad9cdcb9c 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf 
@@ -54,7 +54,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 max_pods = try(var.settings.default_node_pool.max_pods, 30)
 min_count = try(var.settings.default_node_pool.min_count, null)
 name = var.settings.default_node_pool.name //azurecaf_name.default_node_pool.result
- node_count = try(var.settings.default_node_pool.node_count, 1)
+ node_count = try(var.settings.default_node_pool.node_count, null)
 node_labels = try(var.settings.default_node_pool.node_labels, null)
 node_public_ip_prefix_id = try(var.settings.default_node_pool.node_public_ip_prefix_id, null)
 only_critical_addons_enabled = try(var.settings.default_node_pool.only_critical_addons_enabled, false)

From 92d6afe46d00459e718c761982442696beaff436 Mon Sep 17 00:00:00 2001
From: "janik.muenk"
Date: Wed, 18 Oct 2023 12:30:52 +0000
Subject: [PATCH 212/244] fix: merge conflict resolution

---
 locals.combined_objects.tf | 115 ++----------------
 .../application_gateway/locals.networking.tf | 4 +-
 2 files changed, 11 insertions(+), 108 deletions(-)

diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf
index f0102c7b2e..290c775518 100644
--- a/locals.combined_objects.tf
+++ b/locals.combined_objects.tf
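Review bot: `node_count = try(var.settings.default_node_pool.node_count, null)` drops the previous default of 1, so a configuration that sets neither `node_count` nor autoscaling bounds (`min_count` on the line above also falls back to `null`) now sends no initial size at all; whether the provider fills in a usable value in that case is not established by this hunk and should be confirmed against the azurerm version this series upgrades to. If the motivation is to stop Terraform from resetting an autoscaled pool to 1 on every apply, `ignore_changes = [default_node_pool[0].node_count]` in the resource's `lifecycle` block expresses that while keeping a default for the non-autoscaled case. A comment on the line stating why the default was removed would help either way; the resource block continues outside the hunk.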
@@ -46,12 +46,13 @@ locals { combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), lookup(var.remote_objects, "cognitive_services_account", {}), lookup(var.data_sources, "cognitive_services_account", {})) combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), lookup(var.remote_objects, "consumption_budgets_resource_groups", {}), lookup(var.data_sources, "consumption_budgets_resource_groups", {})) combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), lookup(var.remote_objects, "consumption_budgets_subscriptions", {}), lookup(var.data_sources, "consumption_budgets_subscriptions", {})) - combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), lookup(var.remote_objects, "container_registry", {}), lookup(var.data_sources, "container_registry", {})) - combined_objects_container_app_environments = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environments }), lookup(var.remote_objects, "container_app_environments", {})) combined_objects_container_app_environment_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_certificates }), lookup(var.remote_objects, "container_app_environment_certificates", {})) combined_objects_container_app_environment_storages = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environment_storages }), lookup(var.remote_objects, "container_app_environment_storages", {})) + combined_objects_container_app_environments = merge(tomap({ (local.client_config.landingzone_key) = module.container_app_environments }), lookup(var.remote_objects, "container_app_environments", {})) + 
combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), lookup(var.remote_objects, "container_registry", {}), lookup(var.data_sources, "container_registry", {})) combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = module.cosmos_dbs }), lookup(var.remote_objects, "cosmos_dbs", {}), lookup(var.data_sources, "cosmos_dbs", {})) combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), lookup(var.remote_objects, "cosmosdb_sql_databases", {})) + combined_objects_cost_anomaly_alert = merge(tomap({ (local.client_config.landingzone_key) = module.cost_anomaly_alert }), try(var.remote_objects.cost_anomaly_alert, {})) combined_objects_custom_roles = merge(tomap({ (local.client_config.landingzone_key) = module.custom_roles }), try(var.remote_objects.custom_roles, {})) combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = merge(module.data_factory, lookup(var.data_sources, "data_factory", {})) }), lookup(var.remote_objects, "data_factory", {})) combined_objects_data_factory_integration_runtime_azure_ssis = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_azure_ssis }), lookup(var.remote_objects, "combined_objects_data_factory_integration_runtime_azure_ssis", {})) 
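Review bot: The added `combined_objects_cost_anomaly_alert` reads remote objects with `try(var.remote_objects.cost_anomaly_alert, {})` while the entries around it use `lookup(var.remote_objects, "<name>", {})` and additionally merge `lookup(var.data_sources, "<name>", {})`; the two forms behave the same for a missing key, but the mixed style makes the block harder to scan and the missing data_sources merge is easy to overlook. Writing it as `combined_objects_cost_anomaly_alert = merge(tomap({ (local.client_config.landingzone_key) = module.cost_anomaly_alert }), lookup(var.remote_objects, "cost_anomaly_alert", {}))` would match its neighbours; if data sources are intentionally unsupported for this object, a trailing comment saying so would document it. The `locals` block continues outside the hunk.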
@@ -64,8 +65,8 @@ locals { combined_objects_data_factory_linked_service_web = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_web }), lookup(var.remote_objects, "data_factory_linked_service_web", {})) combined_objects_data_factory_pipeline = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_pipeline }), lookup(var.remote_objects, "data_factory_pipeline", {})) combined_objects_database_migration_services = merge(tomap({ (local.client_config.landingzone_key) = module.database_migration_services }), lookup(var.remote_objects, "database_migration_services", {})) - combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), lookup(var.remote_objects, "databricks_workspaces", {}), lookup(var.data_sources, "databricks_workspaces", {})) combined_objects_databricks_access_connectors = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_access_connectors }), lookup(var.remote_objects, "databricks_access_connectors", {}), lookup(var.data_sources, "databricks_access_connectors", {})) + combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), lookup(var.remote_objects, "databricks_workspaces", {}), lookup(var.data_sources, "databricks_workspaces", {})) combined_objects_ddos_services = merge(tomap({ (local.client_config.landingzone_key) = azurerm_network_ddos_protection_plan.ddos_protection_plan }), lookup(var.remote_objects, "ddos_services", {}), lookup(var.remote_objects, "ddos_services", {})) combined_objects_dedicated_host_groups = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_host_groups }), lookup(var.remote_objects, "dedicated_host_groups", {}), lookup(var.data_sources, "dedicated_host_groups", {})) combined_objects_dedicated_hosts = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_hosts }), 
lookup(var.remote_objects, "dedicated_hosts", {}), lookup(var.data_sources, "dedicated_hosts", {})) @@ -78,8 +79,8 @@ locals { combined_objects_event_hub_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_namespaces }), lookup(var.remote_objects, "event_hub_namespaces", {}), lookup(var.data_sources, "event_hub_namespaces", {})) combined_objects_event_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.event_hubs }), lookup(var.remote_objects, "event_hubs", {})) combined_objects_eventgrid_domains = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_domain }), lookup(var.remote_objects, "eventgrid_domain", {})) - combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_topic }), lookup(var.remote_objects, "eventgrid_topic", {})) combined_objects_eventgrid_system_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_system_topic }), lookup(var.remote_objects, "eventgrid_system_topic", {})) + combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_topic }), lookup(var.remote_objects, "eventgrid_topic", {})) combined_objects_express_route_circuit_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_authorizations }), lookup(var.remote_objects, "express_route_circuit_authorizations", {})) combined_objects_express_route_circuit_peerings = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_peerings }), lookup(var.remote_objects, "express_route_circuit_peerings", {})) combined_objects_express_route_circuits = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuits }), lookup(var.remote_objects, "express_route_circuits", {}), lookup(var.data_sources, "express_route_circuits", {})) 
@@ -96,6 +97,7 @@ locals {
 combined_objects_iot_hub_consumer_groups = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_consumer_groups }), lookup(var.remote_objects, "iot_hub_consumer_groups", {}))
 combined_objects_iot_hub_dps = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_dps }), lookup(var.remote_objects, "iot_hub_dps", {}))
 combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), lookup(var.remote_objects, "iot_hub_shared_access_policy", {}))
+ combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), try(var.remote_objects.iot_hub_shared_access_policy, {}))
 combined_objects_iot_security_device_group = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_device_group }), lookup(var.remote_objects, "iot_security_device_group", {}))
 combined_objects_iot_security_solution = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_solution }), lookup(var.remote_objects, "iot_security_solution", {}))
 combined_objects_keyvault_certificate_requests = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificate_requests }), lookup(var.remote_objects, "keyvault_certificate_requests", {}))
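Review bot: The added line defines `combined_objects_iot_hub_shared_access_policy` a second time — the context line directly above already defines it using `lookup(var.remote_objects, "iot_hub_shared_access_policy", {})` — and Terraform rejects a repeated attribute name inside a `locals` block, so the file will not parse after this commit. Since the title says this is merge-conflict resolution, it looks like both sides of the conflict were kept; delete the added `try(...)` variant and keep the `lookup` form, which matches the surrounding entries. The `locals` block continues outside the hunk.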
@@ -113,102 +115,11 @@ locals { combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), lookup(var.remote_objects, "logic_app_integration_account", {}), lookup(var.data_sources, "logic_app_integration_account", {})) combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), lookup(var.remote_objects, "logic_app_standard", {})) combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), lookup(var.remote_objects, "logic_app_workflow", {}), lookup(var.data_sources, "logic_app_workflow", {})) - combined_objects_app_service_environments_v3 = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_environments_v3, try(var.data_sources.app_service_environments_v3, {})) }), try(var.remote_objects.app_service_environments_v3, {})) - combined_objects_app_service_plans = merge(tomap({ (local.client_config.landingzone_key) = merge(module.app_service_plans, try(var.data_sources.app_service_plans, {})) }), try(var.remote_objects.app_service_plans, {})) - combined_objects_app_services = merge(tomap({ (local.client_config.landingzone_key) = module.app_services }), try(var.remote_objects.app_services, {}), try(var.data_sources.app_services, {})) - combined_objects_application_gateway_platforms = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_platforms }), try(var.remote_objects.application_gateway_platforms, {})) - combined_objects_application_gateway_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateway_waf_policies }), try(var.remote_objects.application_gateway_waf_policies, {})) - combined_objects_application_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.application_gateways }), try(var.remote_objects.application_gateways, {}), 
try(var.data_sources.application_gateways, {})) - combined_objects_application_insights = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights }), try(var.remote_objects.azurerm_application_insights, {}), try(var.data_sources.azurerm_application_insights, {})) - combined_objects_application_insights_standard_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_standard_web_test }), try(var.remote_objects.azurerm_application_insights_standard_web_test, {})) - combined_objects_application_insights_web_test = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_application_insights_web_test }), try(var.remote_objects.azurerm_application_insights_web_test, {})) - combined_objects_application_security_groups = merge(tomap({ (local.client_config.landingzone_key) = module.application_security_groups }), try(var.remote_objects.application_security_groups, {})) - combined_objects_automations = merge(tomap({ (local.client_config.landingzone_key) = module.automations }), try(var.remote_objects.automations, {})) - combined_objects_availability_sets = merge(tomap({ (local.client_config.landingzone_key) = module.availability_sets }), try(var.remote_objects.availability_sets, {})) - combined_objects_azure_container_registries = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {})) - combined_objects_azuread_administrative_units = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_administrative_unit }), try(var.remote_objects.administrative_units, {})) - combined_objects_azuread_applications = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications_v1 }), try(var.remote_objects.azuread_applications, {})) - combined_objects_azuread_apps = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_applications }), try(var.remote_objects.azuread_apps, 
{})) - combined_objects_azuread_groups = merge(tomap({ (local.client_config.landingzone_key) = merge(module.azuread_groups, try(var.data_sources.azuread_groups, {})) }), try(var.remote_objects.azuread_groups, {})) - combined_objects_azuread_service_principal_passwords = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principal_passwords }), try(var.remote_objects.azuread_service_principal_passwords, {})) - combined_objects_azuread_service_principals = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_service_principals }), try(var.remote_objects.azuread_service_principals, {}), try(var.data_sources.azuread_service_principals, {})) - combined_objects_azuread_users = merge(tomap({ (local.client_config.landingzone_key) = module.azuread_users }), try(var.remote_objects.azuread_users, {}), try(var.data_sources.azuread_users, {})) - combined_objects_azurerm_firewall_policies = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewall_policies }), try(var.remote_objects.azurerm_firewall_policies, {}), try(var.data_sources.azurerm_firewall_policies, {})) - combined_objects_azurerm_firewalls = merge(tomap({ (local.client_config.landingzone_key) = module.azurerm_firewalls }), try(var.remote_objects.azurerm_firewalls, {}), try(var.data_sources.azurerm_firewalls, {})) - combined_objects_backup_vault_instances = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_instances }), try(var.remote_objects.backup_vault_instances, {})) - combined_objects_backup_vault_policies = merge(tomap({ (local.client_config.landingzone_key) = local.backup_vault_policies }), try(var.remote_objects.backup_vault_policies, {})) - combined_objects_backup_vaults = merge(tomap({ (local.client_config.landingzone_key) = module.backup_vaults }), try(var.remote_objects.backup_vaults, {})) - combined_objects_batch_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.batch_accounts }), 
try(var.remote_objects.batch_accounts, {})) - combined_objects_batch_applications = merge(tomap({ (local.client_config.landingzone_key) = module.batch_applications }), try(var.remote_objects.batch_applications, {})) - combined_objects_batch_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.batch_certificates }), try(var.remote_objects.batch_certificates, {})) - combined_objects_batch_jobs = merge(tomap({ (local.client_config.landingzone_key) = module.batch_jobs }), try(var.remote_objects.batch_jobs, {})) - combined_objects_batch_pools = merge(tomap({ (local.client_config.landingzone_key) = module.batch_pools }), try(var.remote_objects.batch_pools, {})) - combined_objects_cdn_profile = merge(tomap({ (local.client_config.landingzone_key) = module.cdn_profile }), try(var.remote_objects.cdn_profile, {}), try(var.data_sources.cdn_profile, {})) - combined_objects_cognitive_services_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.cognitive_services_account }), try(var.remote_objects.cognitive_services_account, {}), try(var.data_sources.cognitive_services_account, {})) - combined_objects_consumption_budgets_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_resource_groups }), try(var.remote_objects.consumption_budgets_resource_groups, {}), try(var.data_sources.consumption_budgets_resource_groups, {})) - combined_objects_consumption_budgets_subscriptions = merge(tomap({ (local.client_config.landingzone_key) = module.consumption_budgets_subscriptions }), try(var.remote_objects.consumption_budgets_subscriptions, {}), try(var.data_sources.consumption_budgets_subscriptions, {})) - combined_objects_container_registry = merge(tomap({ (local.client_config.landingzone_key) = module.container_registry }), try(var.remote_objects.container_registry, {}), try(var.data_sources.container_registry, {})) - combined_objects_cosmos_dbs = merge(tomap({ (local.client_config.landingzone_key) = 
module.cosmos_dbs }), try(var.remote_objects.cosmos_dbs, {}), try(var.data_sources.cosmos_dbs, {})) - combined_objects_cosmosdb_sql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.cosmosdb_sql_databases }), try(var.remote_objects.cosmosdb_sql_databases, {})) - combined_objects_custom_roles = merge(tomap({ (local.client_config.landingzone_key) = module.custom_roles }), try(var.remote_objects.custom_roles, {})) - combined_objects_data_factory = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory }), try(var.remote_objects.data_factory, {})) - combined_objects_data_factory_integration_runtime_azure_ssis = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_azure_ssis }), try(var.remote_objects.combined_objects_data_factory_integration_runtime_azure_ssis, {})) - combined_objects_data_factory_integration_runtime_self_hosted = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_integration_runtime_self_hosted }), try(var.remote_objects.data_factory_integration_runtime_self_hosted, {})) - combined_objects_data_factory_linked_service_azure_blob_storage = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_azure_blob_storage }), try(var.remote_objects.data_factory_linked_service_azure_blob_storage, {})) - combined_objects_data_factory_linked_service_cosmosdb = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_cosmosdb }), try(var.remote_objects.data_factory_linked_service_cosmosdb, {})) - combined_objects_data_factory_linked_service_mysql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_mysql }), try(var.remote_objects.data_factory_linked_service_mysql, {})) - combined_objects_data_factory_linked_service_postgresql = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_postgresql }), 
try(var.remote_objects.data_factory_linked_service_postgresql, {})) - combined_objects_data_factory_linked_service_sql_server = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_sql_server }), try(var.remote_objects.data_factory_linked_service_sql_server, {})) - combined_objects_data_factory_linked_service_web = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_linked_service_web }), try(var.remote_objects.data_factory_linked_service_web, {})) - combined_objects_data_factory_pipeline = merge(tomap({ (local.client_config.landingzone_key) = module.data_factory_pipeline }), try(var.remote_objects.data_factory_pipeline, {})) - combined_objects_database_migration_services = merge(tomap({ (local.client_config.landingzone_key) = module.database_migration_services }), try(var.remote_objects.database_migration_services, {})) - combined_objects_databricks_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.databricks_workspaces }), try(var.remote_objects.databricks_workspaces, {}), try(var.data_sources.databricks_workspaces, {})) - combined_objects_ddos_services = merge(tomap({ (local.client_config.landingzone_key) = azurerm_network_ddos_protection_plan.ddos_protection_plan }), try(var.remote_objects.ddos_services, {}), try(var.remote_objects.ddos_services, {})) - combined_objects_dedicated_host_groups = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_host_groups }), try(var.remote_objects.dedicated_host_groups, {}), try(var.data_sources.dedicated_host_groups, {})) - combined_objects_dedicated_hosts = merge(tomap({ (local.client_config.landingzone_key) = module.dedicated_hosts }), try(var.remote_objects.dedicated_hosts, {}), try(var.data_sources.dedicated_hosts, {})) - combined_objects_diagnostic_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.diagnostic_storage_accounts }), try(var.remote_objects.diagnostic_storage_accounts, {})) - 
combined_objects_digital_twins_instances = merge(tomap({ (local.client_config.landingzone_key) = module.digital_twins_instances }), try(var.remote_objects.digital_twins_instances, {})) - combined_objects_disk_encryption_sets = merge(tomap({ (local.client_config.landingzone_key) = merge(module.disk_encryption_sets, module.disk_encryption_sets_external) }), try(var.remote_objects.disk_encryption_sets, {}), try(var.remote_objects.disk_encryption_sets_external, {}), try(var.data_sources.disk_encryption_sets, {})) - combined_objects_dns_zones = merge(tomap({ (local.client_config.landingzone_key) = module.dns_zones }), try(var.remote_objects.dns_zones, {}), try(var.data_sources.dns_zones, {})) - combined_objects_domain_name_registrations = merge(tomap({ (local.client_config.landingzone_key) = module.domain_name_registrations }), try(var.remote_objects.domain_name_registrations, {})) - combined_objects_event_hub_auth_rules = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_auth_rules }), try(var.remote_objects.event_hub_auth_rules, {})) - combined_objects_event_hub_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_namespaces }), try(var.remote_objects.event_hub_namespaces, {}), try(var.data_sources.event_hub_namespaces, {})) - combined_objects_event_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.event_hubs }), try(var.remote_objects.event_hubs, {})) - combined_objects_eventgrid_domains = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_domain }), try(var.remote_objects.eventgrid_domain, {})) - combined_objects_eventgrid_topics = merge(tomap({ (local.client_config.landingzone_key) = module.eventgrid_topic }), try(var.remote_objects.eventgrid_topic, {})) - combined_objects_express_route_circuit_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_authorizations }), try(var.remote_objects.express_route_circuit_authorizations, {})) 
- combined_objects_express_route_circuit_peerings = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuit_peerings }), try(var.remote_objects.express_route_circuit_peerings, {})) - combined_objects_express_route_circuits = merge(tomap({ (local.client_config.landingzone_key) = module.express_route_circuits }), try(var.remote_objects.express_route_circuits, {}), try(var.data_sources.express_route_circuits, {})) - combined_objects_front_door = merge(tomap({ (local.client_config.landingzone_key) = module.front_doors }), try(var.remote_objects.front_doors, {})) - combined_objects_front_door_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), try(var.remote_objects.front_door_waf_policies, {})) - combined_objects_function_apps = merge(tomap({ (local.client_config.landingzone_key) = module.function_apps }), try(var.remote_objects.function_apps, {})) - combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), try(var.remote_objects.image_definitions, {})) - combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), try(var.remote_objects.integration_service_environment, {})) - combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), try(var.remote_objects.iot_central_application, {})) - combined_objects_iot_dps_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_certificate }), try(var.remote_objects.iot_dps_certificate, {})) - combined_objects_iot_dps_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_shared_access_policy }), try(var.remote_objects.iot_dps_shared_access_policy, {})) - combined_objects_iot_hub = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub }), 
try(var.remote_objects.iot_hub, {})) - combined_objects_iot_hub_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_certificate }), try(var.remote_objects.iot_hub_certificate, {})) - combined_objects_iot_hub_consumer_groups = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_consumer_groups }), try(var.remote_objects.iot_hub_consumer_groups, {})) - combined_objects_iot_hub_dps = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_dps }), try(var.remote_objects.iot_hub_dps, {})) - combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), try(var.remote_objects.iot_hub_shared_access_policy, {})) - combined_objects_iot_security_device_group = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_device_group }), try(var.remote_objects.iot_security_device_group, {})) - combined_objects_iot_security_solution = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_solution }), try(var.remote_objects.iot_security_solution, {})) - combined_objects_keyvault_certificate_requests = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificate_requests }), try(var.remote_objects.keyvault_certificate_requests, {})) - combined_objects_keyvault_certificates = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificates }), try(var.remote_objects.keyvault_certificates, {}), try(var.data_sources.keyvault_certificates, {})) - combined_objects_keyvault_keys = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvault_keys, try(var.data_sources.keyvault_keys, {})) }), try(var.remote_objects.keyvault_keys, {}), try(var.data_sources.keyvault_keys, {})) - combined_objects_keyvaults = merge(tomap({ (local.client_config.landingzone_key) = merge(module.keyvaults, try(var.data_sources.keyvaults, {})) }), try(var.remote_objects.keyvaults, {})) - 
combined_objects_kusto_clusters = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_clusters }), try(var.remote_objects.kusto_clusters, {}), try(var.data_sources.kusto_clusters, {})) - combined_objects_kusto_databases = merge(tomap({ (local.client_config.landingzone_key) = module.kusto_databases }), try(var.remote_objects.kusto_databases, {})) - combined_objects_lb = merge(tomap({ (local.client_config.landingzone_key) = module.lb }), try(var.remote_objects.lb, {}), try(var.data_sources.load_balancers, {})) - combined_objects_lb_backend_address_pool = merge(tomap({ (local.client_config.landingzone_key) = module.lb_backend_address_pool }), try(var.remote_objects.lb_backend_address_pool, {})) - combined_objects_load_balancers = merge(tomap({ (local.client_config.landingzone_key) = module.load_balancers }), try(var.remote_objects.load_balancers, {})) - combined_objects_log_analytics = merge(tomap({ (local.client_config.landingzone_key) = module.log_analytics }), try(var.remote_objects.log_analytics, {})) - combined_objects_logic_app_integration_account = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_integration_account }), try(var.remote_objects.logic_app_integration_account, {})) - combined_objects_logic_app_workflow = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_workflow }), try(var.remote_objects.logic_app_workflow, {})) - combined_objects_logic_app_standard = merge(tomap({ (local.client_config.landingzone_key) = module.logic_app_standard }), try(var.remote_objects.logic_app_standard, {})) combined_objects_machine_learning = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {})) + combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), lookup(var.remote_objects, 
"maintenance_assignment_virtual_machine", {})) + combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), lookup(var.remote_objects, "maintenance_configuration", {})) combined_objects_managed_identities = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {})) + combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), lookup(var.remote_objects, "maps_accounts", {})) combined_objects_monitor_action_groups = merge(tomap({ (local.client_config.landingzone_key) = module.monitor_action_groups }), try(var.remote_objects.monitor_action_groups, {})) combined_objects_mssql_databases = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {})) combined_objects_mssql_elastic_pools = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_elastic_pools }), try(var.remote_objects.mssql_elastic_pools, {})) 
@@ -216,7 +127,6 @@ locals { combined_objects_mssql_managed_instances = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances }), try(var.remote_objects.mssql_managed_instances, {})) combined_objects_mssql_managed_instances_secondary = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_managed_instances_secondary }), try(var.remote_objects.mssql_managed_instances_secondary, {})) combined_objects_mssql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_servers }), try(var.remote_objects.mssql_servers, {})) - combined_objects_lb_probe = merge(tomap({ (local.client_config.landingzone_key) = module.lb_probe }), try(var.remote_objects.lb_probe, {})) combined_objects_mysql_flexible_server = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_flexible_server }), try(var.remote_objects.mysql_flexible_server, {})) combined_objects_mysql_servers = merge(tomap({ (local.client_config.landingzone_key) = module.mysql_servers }), try(var.remote_objects.mysql_servers, {})) combined_objects_nat_gateways = merge(tomap({ (local.client_config.landingzone_key) = module.nat_gateways }), try(var.remote_objects.nat_gateways, {})) 
@@ -247,12 +157,9 @@ locals { combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_namespaces }), try(var.remote_objects.servicebus_namespaces, {})) combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), try(var.remote_objects.servicebus_queues, {})) combined_objects_servicebus_topics = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_topics }), try(var.remote_objects.servicebus_topics, {})) + combined_objects_shared_image_galleries = merge(tomap({ (local.client_config.landingzone_key) = module.shared_image_galleries }), try(var.remote_objects.shared_image_galleries, {})) combined_objects_signalr_services = merge(tomap({ (local.client_config.landingzone_key) = module.signalr_services }), try(var.remote_objects.signalr_services, {})) - combined_objects_maintenance_configuration = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_configuration }), lookup(var.remote_objects, "maintenance_configuration", {})) - combined_objects_maintenance_assignment_virtual_machine = merge(tomap({ (local.client_config.landingzone_key) = module.maintenance_assignment_virtual_machine }), lookup(var.remote_objects, "maintenance_assignment_virtual_machine", {})) - combined_objects_maps_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.maps_accounts }), lookup(var.remote_objects, "maps_accounts", {})) combined_objects_storage_account_file_shares = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_file_shares }), try(var.remote_objects.storage_account_file_shares, {})) - combined_objects_shared_image_galleries = merge(tomap({ (local.client_config.landingzone_key) = module.shared_image_galleries }), try(var.remote_objects.shared_image_galleries, {})) combined_objects_storage_account_queues = merge(tomap({ (local.client_config.landingzone_key) = module.storage_account_queues 
}), try(var.remote_objects.storage_account_queues, {})) combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.storage_accounts }), try(var.remote_objects.storage_accounts, {}), try(var.data_sources.storage_accounts, {})) combined_objects_storage_containers = merge(tomap({ (local.client_config.landingzone_key) = module.storage_containers }), try(var.remote_objects.storage_containers, {}), try(var.data_sources.storage_containers, {})) @@ -279,8 +186,6 @@ locals { combined_objects_wvd_applications = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_applications }), try(var.remote_objects.wvd_applications, {})) combined_objects_wvd_host_pools = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_host_pools }), try(var.remote_objects.wvd_host_pools, {})) combined_objects_wvd_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.wvd_workspaces }), try(var.remote_objects.wvd_workspaces, {})) - combined_objects_cost_anomaly_alert = merge(tomap({ (local.client_config.landingzone_key) = module.cost_anomaly_alert }), try(var.remote_objects.cost_anomaly_alert, {})) - combined_objects_subscriptions = merge( tomap( { diff --git a/modules/networking/application_gateway/locals.networking.tf b/modules/networking/application_gateway/locals.networking.tf index df9b61b967..687080544b 100644 --- a/modules/networking/application_gateway/locals.networking.tf +++ b/modules/networking/application_gateway/locals.networking.tf @@ -9,6 +9,7 @@ locals { try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.subnet_key], null), ), null) + private_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_local = try(var.vnets[var.client_config.landingzone_key][var.settings.front_end_ip_configurations.public.vnet_key], null) 
@@ -20,9 +21,6 @@ locals { try(var.vnets[var.settings.subnet.lz_key][var.settings.subnet.vnet_key], null) ), null) - gateway_virtual_subnets_remote = try(coalesce( - try(var.virtual_subnets[var.settings.subnet.lz_key][var.settings.subnet.subnet_key], null) - ), null) private_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.private.lz_key][var.settings.front_end_ip_configurations.private.vnet_key], null) public_vnet_remote = try(var.vnets[var.settings.front_end_ip_configurations.public.lz_key][var.settings.front_end_ip_configurations.public.vnet_key], null) From 9bdea70dbe193be82d6785d743319b2df9177788 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 10 Nov 2023 10:23:46 +0000 Subject: [PATCH 213/244] fix: updating aad version --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 62592bce80..b0d67661de 100644 --- a/main.tf +++ b/main.tf @@ -10,7 +10,7 @@ terraform { } azuread = { source = "hashicorp/azuread" - version = "~> 2.43.0" + version = "~> 2.44.0" } azapi = { source = "azure/azapi" From aec91e52319eb1fb183f8a76c4be52a491b1fd3b Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 10 Nov 2023 12:10:46 +0000 Subject: [PATCH 214/244] fix: using latest --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b0d67661de..aa401d7564 100644 --- a/main.tf +++ b/main.tf @@ -10,7 +10,7 @@ terraform { } azuread = { source = "hashicorp/azuread" - version = "~> 2.44.0" + version = "~> 2.45.0" } azapi = { source = "azure/azapi" From 7bcbe6260ce237b3b80de4658536fc2a87248c4d Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 10 Nov 2023 14:12:18 +0000 Subject: [PATCH 215/244] fix: allowing empty dynamic secrets --- dynamic_secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dynamic_secrets.tf b/dynamic_secrets.tf index 00e1c577ec..9b028d7179 100644 --- a/dynamic_secrets.tf +++ b/dynamic_secrets.tf 
@@ -9,7 +9,7 @@ module "dynamic_keyvault_secrets" { for_each = { for keyvault_key, secrets in try(var.security.dynamic_keyvault_secrets, {}) : keyvault_key => { for key, value in secrets : key => value - if try(value.value, null) != null && try(value.value, null) != "" + if try(value.value, null) != null # && try(value.value, null) != "" We want to allow empty values to support our Azdo-PAT usecease in level2 } } From 1fa922830113ca6e328de9d28d0653b79c0e3b33 Mon Sep 17 00:00:00 2001 From: FabianTek Date: Thu, 30 Nov 2023 09:42:34 +0000 Subject: [PATCH 216/244] feat: add service bus related resources --- roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles.tf b/roles.tf index 3d7e0c6438..b769522657 100644 --- a/roles.tf +++ b/roles.tf @@ -169,13 +169,13 @@ locals { route_tables = local.combined_objects_route_tables servicebus_namespaces = local.combined_objects_servicebus_namespaces servicebus_topics = local.combined_objects_servicebus_topics + servicebus_queues = local.combined_objects_servicebus_queues storage_accounts = local.combined_objects_storage_accounts subscriptions = local.combined_objects_subscriptions synapse_workspaces = local.combined_objects_synapse_workspaces virtual_subnets = local.combined_objects_virtual_subnets virtual_machine_scale_sets = local.combined_objects_virtual_machine_scale_sets log_analytics = local.current_objects_log_analytics - route_tables = local.combined_objects_route_tables wvd_application_groups = local.combined_objects_wvd_application_groups wvd_applications = local.combined_objects_wvd_applications wvd_host_pools = local.combined_objects_wvd_host_pools From 8a2b0050d91d9d84ed10ff69100d8835b82462fb Mon Sep 17 00:00:00 2001 From: FabianTek Date: Thu, 30 Nov 2023 12:37:01 +0000 Subject: [PATCH 217/244] chore: order objects alphabetically, 2nd attempt --- roles.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles.tf b/roles.tf index b769522657..150b45a175 100644 --- a/roles.tf 
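Review bot: The reason for dropping the empty-string filter is carried as commented-out code on the condition line itself (`# && try(value.value, null) != "" We want to allow ...`), which leaves dead logic inside the `if` clause and hides the intent. Move the explanation above the `for` expression, e.g. `# Empty values are kept on purpose: placeholder secrets (Azure DevOps PAT use case, filled in at level2) are created with an empty value`, and keep the predicate as `if try(value.value, null) != null`. Consumers should also be aware that an empty-valued secret is now indistinguishable from a populated one in `dynamic_keyvault_secrets`, so anything that reads the value has to check for emptiness itself. The `module` block begins before the hunk and continues past it.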
+++ b/roles.tf
@@ -168,8 +168,9 @@ locals {
 shared_image_galleries = local.combined_objects_shared_image_galleries
 route_tables = local.combined_objects_route_tables
 servicebus_namespaces = local.combined_objects_servicebus_namespaces
- servicebus_topics = local.combined_objects_servicebus_topics
 servicebus_queues = local.combined_objects_servicebus_queues
+ servicebus_topics = local.combined_objects_servicebus_topics
+ shared_image_galleries = local.combined_objects_shared_image_galleries
 storage_accounts = local.combined_objects_storage_accounts
 subscriptions = local.combined_objects_subscriptions
 synapse_workspaces = local.combined_objects_synapse_workspaces
From 8eedced353492531b53997365799bd5ee4377652 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 1 Dec 2023 10:57:13 +0000 Subject: [PATCH 218/244] feat(dynamic-secrets): Adding missing outputs --- dynamic_secrets.tf | 27 +++++++++++++++++-- .../dynamic_keyvault_secrets/keyvault.tf | 1 + .../dynamic_keyvault_secrets/outputs.tf | 14 ++++++++++ .../secret/outputs.tf | 18 +++++++++++++ .../secret_dynamic/outputs.tf | 19 +++++++++++++ .../secret_immutable/outputs.tf | 18 +++++++++++++ 6 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 modules/security/dynamic_keyvault_secrets/outputs.tf create mode 100644 modules/security/dynamic_keyvault_secrets/secret/outputs.tf create mode 100644 modules/security/dynamic_keyvault_secrets/secret_dynamic/outputs.tf create mode 100644 modules/security/dynamic_keyvault_secrets/secret_immutable/outputs.tf
diff --git a/dynamic_secrets.tf b/dynamic_secrets.tf
index 9b028d7179..52e757a31c 100644
--- a/dynamic_secrets.tf
+++ b/dynamic_secrets.tf
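Review bot: The added `shared_image_galleries = local.combined_objects_shared_image_galleries` duplicates the hunk's first context line, which already sets the same key out of alphabetical order, so the new side carries `shared_image_galleries` twice in the same block. Depending on whether this is an object constructor or a block body, HCL either rejects the duplicate key or silently keeps one of them; either way the stale first line should be removed in the same change that adds the sorted one. The previous commit's hunk on this file shows the same pattern with `route_tables`, so a pass over the whole map for leftover duplicates is worthwhile. The enclosing block starts and ends outside the hunk.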
@@ -17,6 +17,29 @@ module "dynamic_keyvault_secrets" { keyvault = local.combined_objects_keyvaults[local.client_config.landingzone_key][each.key] } + output "dynamic_keyvault_secrets" { - value = module.dynamic_keyvault_secrets -} \ No newline at end of file + value = { for key, value in try(var.security.dynamic_keyvault_secrets, {}): + key => module.dynamic_keyvault_secrets[key].secrets + } +} +# Output looks different then probably expected, its resource_type --> keyvault_key --> secret_key +# dynamic_keyvault_secrets = { <-- resource_type +# keyvault_key = { <-- keyvault_key +# secret_key = { <-- secret_key +# content_type = "" +# expiration_date = null +# id = "https://vault_xy.vault.azure.net/secrets/secret-name/xxx" +# key_vault_id = "/subscriptions/1234/resourceGroups/rg-fo/providers/Microsoft.KeyVault/vaults/vault_xy" +# name = "secret-name" +# not_before_date = null +# resource_id = "/subscriptions/1234/resourceGroups/rg-fo/providers/Microsoft.KeyVault/vaults/vault_xy/secrets/secret-name/versions/xxx" +# resource_versionless_id = "/subscriptions/1234/resourceGroups/rg-fo/providers/Microsoft.KeyVault/vaults/vault_xy/secrets/secret-name" +# tags = {} +# timeouts = null +# value = "" +# version = "xxxxx" +# versionless_id = "https://vault_xy.vault.azure.net/secrets/secret-name" +# } +# } +# } \ No newline at end of file diff --git a/modules/security/dynamic_keyvault_secrets/keyvault.tf b/modules/security/dynamic_keyvault_secrets/keyvault.tf index 6cb4d11083..19aba59eb8 100644 --- a/modules/security/dynamic_keyvault_secrets/keyvault.tf +++ b/modules/security/dynamic_keyvault_secrets/keyvault.tf @@ -48,3 +48,4 @@ module "secret_dynamic" { keyvault_id = var.keyvault.id config = each.value.config } + diff --git a/modules/security/dynamic_keyvault_secrets/outputs.tf b/modules/security/dynamic_keyvault_secrets/outputs.tf new file mode 100644 index 0000000000..5182e0c70a --- /dev/null +++ b/modules/security/dynamic_keyvault_secrets/outputs.tf 
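Review bot: The root output `dynamic_keyvault_secrets` now returns each module's `secrets` map, which, per the sample in the added comment, includes the `value` attribute of every `azurerm_key_vault_secret`, yet the output is not marked sensitive. The provider marks that attribute sensitive, so recent Terraform versions refuse to plan a root output that carries it without `sensitive = true`; and even with the flag the secret values are written to state and to anything that consumes the output. Prefer projecting the map to the non-secret attributes (`id`, `name`, `version`, `versionless_id`, ...) before exporting, or at minimum add `sensitive = true` to the output block. The hunk also leaves the file without a trailing newline, which the removed side already did.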
@@ -0,0 +1,14 @@ +locals { + secret_output = {for key, value in var.settings : + key => merge( + try(module.secret[key].secret, {}), + try(module.secret_value[key].secret, {}), + try(module.secret_immutable[key].secret, {}), + try(module.secret_dynamic[key].secret, {}), + ) + } + +} +output "secrets" { + value = local.secret_output +} \ No newline at end of file diff --git a/modules/security/dynamic_keyvault_secrets/secret/outputs.tf b/modules/security/dynamic_keyvault_secrets/secret/outputs.tf new file mode 100644 index 0000000000..5a0fe32dcc --- /dev/null +++ b/modules/security/dynamic_keyvault_secrets/secret/outputs.tf @@ -0,0 +1,18 @@ +output "secret" { + value = azurerm_key_vault_secret.secret +} +output "id" { + value = azurerm_key_vault_secret.secret.id +} +output "resource_id" { + value = azurerm_key_vault_secret.secret.resource_id +} +output "resource_versionless_id" { + value = azurerm_key_vault_secret.secret.resource_versionless_id +} +output "version" { + value = azurerm_key_vault_secret.secret.version +} +output "versionless_id" { + value = azurerm_key_vault_secret.secret.versionless_id +} \ No newline at end of file diff --git a/modules/security/dynamic_keyvault_secrets/secret_dynamic/outputs.tf b/modules/security/dynamic_keyvault_secrets/secret_dynamic/outputs.tf new file mode 100644 index 0000000000..d53b04258c --- /dev/null +++ b/modules/security/dynamic_keyvault_secrets/secret_dynamic/outputs.tf @@ -0,0 +1,19 @@ +output "secret" { + value = azurerm_key_vault_secret.secret +} + +output "id" { + value = azurerm_key_vault_secret.secret.id +} +output "resource_id" { + value = azurerm_key_vault_secret.secret.resource_id +} +output "resource_versionless_id" { + value = azurerm_key_vault_secret.secret.resource_versionless_id +} +output "version" { + value = azurerm_key_vault_secret.secret.version +} +output "versionless_id" { + value = azurerm_key_vault_secret.secret.versionless_id +} \ No newline at end of file 
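Review bot: `output "secrets"` in the new module `outputs.tf` exports whole `azurerm_key_vault_secret` resources via `module.secret[key].secret` and its siblings, and those objects carry the sensitive `value` attribute, so I expect `terraform plan` to fail with "Output refers to sensitive values" unless the output is declared `sensitive = true`. The same applies to `output "secret"` in the new `secret/outputs.tf` and `secret_dynamic/outputs.tf` hunks, while their `id`/`resource_id`/`version`/`versionless_id` outputs are fine as they stand. `value` in `for key, value in var.settings` is unused; `for key, _ in var.settings` (or iterating `keys(var.settings)`) makes that explicit. `module.secret_value` is merged here but no module of that name is visible in this commit, so its existence in `keyvault.tf` is worth confirming.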
diff --git a/modules/security/dynamic_keyvault_secrets/secret_immutable/outputs.tf b/modules/security/dynamic_keyvault_secrets/secret_immutable/outputs.tf new file mode 100644 index 0000000000..69c1cd6692 --- /dev/null +++ b/modules/security/dynamic_keyvault_secrets/secret_immutable/outputs.tf @@ -0,0 +1,18 @@ +output "secret" { + value = azurerm_key_vault_secret.secret.0 +} +output "id" { + value = azurerm_key_vault_secret.secret.0.id +} +output "resource_id" { + value = azurerm_key_vault_secret.secret.0.resource_id +} +output "resource_versionless_id" { + value = azurerm_key_vault_secret.secret.0.resource_versionless_id +} +output "version" { + value = azurerm_key_vault_secret.secret.0.version +} +output "versionless_id" { + value = azurerm_key_vault_secret.secret.0.versionless_id +} \ No newline at end of file From 8023a7532c338e8ef695cf81bf709736c853750f Mon Sep 17 00:00:00 2001 From: FabianTek Date: Fri, 1 Dec 2023 11:57:20 +0000 Subject: [PATCH 219/244] feat: add endpoint output to sb namespace --- modules/messaging/servicebus/namespace/output.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/messaging/servicebus/namespace/output.tf b/modules/messaging/servicebus/namespace/output.tf index 00706cb5f0..95756f3e68 100644 --- a/modules/messaging/servicebus/namespace/output.tf +++ b/modules/messaging/servicebus/namespace/output.tf @@ -8,6 +8,11 @@ output "name" { value = azurerm_servicebus_namespace.namespace.name } +output "endpoint" { + description = "The URL to access the ServiceBus Namespace" + value = azurerm_servicebus_namespace.namespace.endpoint +} + output "resource_group_name" { description = "The resource group name of the service bus namespace" value = local.resource_group_name From 400a141f8c94cf5cc992a800f42bd7e494f4b978 Mon Sep 17 00:00:00 2001 
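Review bot: Every output in the new `secret_immutable/outputs.tf` indexes `azurerm_key_vault_secret.secret.0`, which presumes the resource is declared with `count` and that the count is never zero; if the immutable variant uses `count = 0` to leave an existing secret alone, each output fails with an invalid-index error, and the parent's `try(module.secret_immutable[key].secret, {})` is unlikely to rescue it because the error is raised while evaluating the child module's outputs. Use `one(azurerm_key_vault_secret.secret)` for the object output and, for the attributes, `try(azurerm_key_vault_secret.secret[0].id, null)` and so on, so a skipped instance yields `null` instead of an error. The resource declaration is not part of this hunk, so the `count` assumption needs confirming. As in the sibling modules, `output "secret"` exposes the sensitive `value` attribute and should carry `sensitive = true`.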
From: Najeeb Vayal Valappil Date: Wed, 22 Nov 2023 18:10:37 +0100 Subject: [PATCH 220/244] - consumption budget requires /subscriptions/ prefix --- .../consumption_budget/subscription/subscription_budget.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/consumption_budget/subscription/subscription_budget.tf b/modules/consumption_budget/subscription/subscription_budget.tf index 142961c7b3..fb99d2d469 100644 --- a/modules/consumption_budget/subscription/subscription_budget.tf +++ b/modules/consumption_budget/subscription/subscription_budget.tf @@ -10,11 +10,11 @@ resource "azurecaf_name" "this_name" { resource "azurerm_consumption_budget_subscription" "this" { name = azurecaf_name.this_name.result - subscription_id = coalesce( + subscription_id = "/subscriptions/${coalesce( try(var.settings.subscription.id, null), try(var.local_combined_resources["subscriptions"][try(var.settings.subscription.lz_key, var.client_config.landingzone_key)][var.settings.subscription.key].subscription_id, null), var.client_config.subscription_id - ) + )}" amount = var.settings.amount time_grain = var.settings.time_grain From da9b579e8904dad5aab86ebb4efd0cd3e456d458 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 8 Feb 2024 08:22:14 +0100 Subject: [PATCH 221/244] feature: name passthrough - topic needs a predictable name for external reference - added an option in resource settings to make name passthrough --- modules/messaging/servicebus/topic/topic.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/messaging/servicebus/topic/topic.tf b/modules/messaging/servicebus/topic/topic.tf index f94a2b6fe1..8ad5e7a813 100644 --- a/modules/messaging/servicebus/topic/topic.tf +++ b/modules/messaging/servicebus/topic/topic.tf 
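Review bot: Wrapping the `coalesce(...)` in `"/subscriptions/${...}"` double-prefixes the value when `var.settings.subscription.id` already holds a full resource ID (`/subscriptions/<guid>`), which is the natural thing to put in a field named `id`; `subscription_id` then becomes `/subscriptions//subscriptions/<guid>` and the apply fails. Normalise once instead, keeping the three existing `coalesce` arguments: `subscription_id = format("/subscriptions/%s", trimprefix(coalesce(...), "/subscriptions/"))`. That accepts both a bare GUID and a full ID regardless of which of the three sources supplied it.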
@@ -4,7 +4,7 @@ resource "azurecaf_name" "topic" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = var.global_settings.passthrough + passthrough = try(var.settings.passthough, false) ? var.settings.passthough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } From 23613780a7dea837771cb57c63db627428057529 Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 8 Feb 2024 18:20:01 +0100 Subject: [PATCH 222/244] passthrough --- modules/messaging/servicebus/queue/queue.tf | 2 +- modules/messaging/servicebus/topic/subscription/subscription.tf | 2 +- modules/messaging/servicebus/topic/topic.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/messaging/servicebus/queue/queue.tf b/modules/messaging/servicebus/queue/queue.tf index 7000863064..4b7329e540 100644 --- a/modules/messaging/servicebus/queue/queue.tf +++ b/modules/messaging/servicebus/queue/queue.tf @@ -4,7 +4,7 @@ resource "azurecaf_name" "queue" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } diff --git a/modules/messaging/servicebus/topic/subscription/subscription.tf b/modules/messaging/servicebus/topic/subscription/subscription.tf index 22bc5dfe04..5b60fc1eb2 100644 --- a/modules/messaging/servicebus/topic/subscription/subscription.tf +++ b/modules/messaging/servicebus/topic/subscription/subscription.tf 
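Review bot: In `queue.tf` the new expression `try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough` only ever yields `true` or the global value, i.e. it is `try(var.settings.passthrough, false) || var.global_settings.passthrough`, so a resource cannot opt out with `passthrough = false` when the global setting is `true`, which a per-resource override would be expected to allow. If a real override is intended, `passthrough = try(var.settings.passthrough, var.global_settings.passthrough)` says so directly; if only an opt-in was meant, writing it as the `||` makes that visible. The same expression is introduced for `topic.tf` in the previous commit and for `subscription.tf` in the next hunk, and the `azurecaf_name` block's header lies outside this hunk.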
@@ -4,7 +4,7 @@ resource "azurecaf_name" "servicebus_subscription" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } diff --git a/modules/messaging/servicebus/topic/topic.tf b/modules/messaging/servicebus/topic/topic.tf index 8ad5e7a813..f8dd9f4934 100644 --- a/modules/messaging/servicebus/topic/topic.tf +++ b/modules/messaging/servicebus/topic/topic.tf @@ -4,7 +4,7 @@ resource "azurecaf_name" "topic" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthough, false) ? var.settings.passthough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } From c1420f58b7b06400bc401165b42b629c8820af8b Mon Sep 17 00:00:00 2001 From: Najeeb Vayal Valappil Date: Thu, 8 Feb 2024 18:24:46 +0100 Subject: [PATCH 223/244] fix formatting --- modules/messaging/servicebus/queue/queue.tf | 2 +- modules/messaging/servicebus/topic/subscription/subscription.tf | 2 +- modules/messaging/servicebus/topic/topic.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/messaging/servicebus/queue/queue.tf b/modules/messaging/servicebus/queue/queue.tf index 4b7329e540..a49b74e85f 100644 --- a/modules/messaging/servicebus/queue/queue.tf +++ b/modules/messaging/servicebus/queue/queue.tf 
@@ -4,7 +4,7 @@ resource "azurecaf_name" "queue" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } diff --git a/modules/messaging/servicebus/topic/subscription/subscription.tf b/modules/messaging/servicebus/topic/subscription/subscription.tf index 5b60fc1eb2..bf36e76415 100644 --- a/modules/messaging/servicebus/topic/subscription/subscription.tf +++ b/modules/messaging/servicebus/topic/subscription/subscription.tf @@ -4,7 +4,7 @@ resource "azurecaf_name" "servicebus_subscription" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } diff --git a/modules/messaging/servicebus/topic/topic.tf b/modules/messaging/servicebus/topic/topic.tf index f8dd9f4934..c97aa9d6f6 100644 --- a/modules/messaging/servicebus/topic/topic.tf +++ b/modules/messaging/servicebus/topic/topic.tf @@ -4,7 +4,7 @@ resource "azurecaf_name" "topic" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } From abc12464a257b8bb3fcf9669a644233ba17b235f Mon Sep 17 00:00:00 2001 
From: Najeeb Vayal Valappil Date: Wed, 21 Feb 2024 14:14:34 +0100 Subject: [PATCH 224/244] feature: - eventgrid system topic - eventgrid system topic event subscription --- .../configuration.tfvars | 90 +++++++ .../eventgrid/eventgrid_system_topic/main.tf | 18 ++ .../main.tf | 8 + .../module.tf | 248 ++++++++++++++++++ .../output.tf | 4 + .../variables.tf | 18 ++ 6 files changed, 386 insertions(+) create mode 100644 examples/messaging/eventgrid/201-eventgrid-system-topic/configuration.tfvars create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf create mode 100644 modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf diff --git a/examples/messaging/eventgrid/201-eventgrid-system-topic/configuration.tfvars b/examples/messaging/eventgrid/201-eventgrid-system-topic/configuration.tfvars new file mode 100644 index 0000000000..07bcb2d131 --- /dev/null +++ b/examples/messaging/eventgrid/201-eventgrid-system-topic/configuration.tfvars 
@@ -0,0 +1,90 @@ +global_settings = { + default_region = "region1" + regions = { + region1 = "southeastasia" + } +} + +resource_groups = { + # Default to var.global_settings.default_region. You can overwrite it by setting the attribute region = "region2" + evg_examples = { + name = "eventgrid" + region = "region1" + } +} + +storage_accounts = { + evg_storage = { + name = "storage" + resource_group_key = "evg_examples" + region = "region1" + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + } +} + +servicebus_namespaces = { + evg_service_bus = { + resource_group = { + key = "eventgrid" + } + name = "eventgrid" + sku = "Standard" + namespace_auth_rules = { + rule1 = { + name = "rule1" + listen = true + send = true + manage = false + } + } + } +} + +servicebus_queues = { + eventgrid_queue = { + name = "eventgrid-queue" + servicebus_namespace = { + key = "evg_service_bus" + } + max_delivery_count = 10 + max_size_in_megabytes = 1024 + default_message_ttl = "P0Y0M14DT0H0M0S" + queue_auth_rules = { + rule1 = { + name = "qauthrule1" + listen = true + send = false + manage = false + } + } + } +} + +eventgrid_system_topic = { + evg_system_topic = { + name = "eventgrid-topic" + topic = { + resource_type = "storage_accounts" + resource_key = "evg_storage" + } + topic_type = "Microsoft.Storage.StorageAccounts" + } +} + +eventgrid_system_topic_event_subscription = { + blob-created = { + name = "blob-created" + scope = { + key = "evg_system_topic" + } + servicebus_queues = { + key = "eventgrid_queue" + } + subject_filter = { + subject_ends_with = ".pdf" + } + included_event_types = ["Microsoft.Storage.BlobCreated"] + } +} diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf index 836b88d404..18070aadb3 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf 
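Review bot: The example cannot deploy as written: `servicebus_namespaces.evg_service_bus.resource_group.key` is `"eventgrid"`, but the only resource group declared in this file has the key `evg_examples` (its `name` is `"eventgrid"`), so the namespace lookup resolves against a key that does not exist. Change it to `key = "evg_examples"`, matching the `resource_group_key = "evg_examples"` the storage account uses. A one-line comment above `eventgrid_system_topic_event_subscription` saying that `blob-created` routes `Microsoft.Storage.BlobCreated` events for `.pdf` blobs to the `eventgrid_queue` Service Bus queue would help readers follow the wiring across the three maps.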
@@ -11,4 +11,22 @@ locals { "module" = basename(abspath(path.module)) } tags = merge(var.base_tags, local.module_tag, try(var.settings.tags, null)) + + managed_local_identities = flatten([ + for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ + var.remote_objects.all.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + ] + ]) + + managed_remote_identities = flatten([ + for lz_key, value in try(var.settings.identity.remote, []) : [ + for managed_identity_key in value.managed_identity_keys : [ + var.remote_objects.all.managed_identities[lz_key][managed_identity_key].id + ] + ] + ]) + + provided_identities = try(var.settings.identity.managed_identity_ids, []) + managed_identities = concat(local.provided_identities, local.managed_local_identities, local.managed_remote_identities) + } diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf new file mode 100644 index 0000000000..6c3801cbd3 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + } + +} diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf new file mode 100644 index 0000000000..ba18df1bfc --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf 
@@ -0,0 +1,248 @@ + +resource "azurecaf_name" "egstes" { + name = var.settings.name + resource_type = "azurerm_eventgrid_event_subscription" + prefixes = var.global_settings.prefixes + random_length = var.global_settings.random_length + clean_input = true + passthrough = var.global_settings.passthrough + use_slug = var.global_settings.use_slug +} +resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" { + name = azurecaf_name.egstes.result + system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null)) + resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null)) + expiration_time_utc = try(var.settings.expiration_time_utc, null) + event_delivery_schema = try(var.settings.event_delivery_schema, null) + included_event_types = try(var.settings.included_event_types, null) + + dynamic "azure_function_endpoint" { + for_each = try(var.settings.azure_function_endpoint, null) != null ? [var.settings.azure_function_endpoint] : [] + content { + function_id = can(azure_function_endpoint.value.function.id) ? azure_function_endpoint.value.function.id : can(var.remote_objects.functions[try(azure_function_endpoint.value.function.lz_key, var.client_config.landingzone_key)][azure_function_endpoint.value.function.key].id) ? 
var.remote_objects.functions[try(azure_function_endpoint.value.function.lz_key, var.client_config.landingzone_key)][azure_function_endpoint.value.function.key].id : null + max_events_per_batch = try(azure_function_endpoint.value.max_events_per_batch, null) + preferred_batch_size_in_kilobytes = try(azure_function_endpoint.value.preferred_batch_size_in_kilobytes, null) + } + } + + #eventhub_endpoint - (Optional / Deprecated in favour of eventhub_endpoint_id) + eventhub_endpoint_id = can(var.settings.eventhub.id) ? var.settings.eventhub.id : can(var.remote_objects.eventhubs[try(var.settings.eventhub.lz_key, var.client_config.landingzone_key)][var.settings.eventhub.key].id) ? var.remote_objects.eventhubs[try(var.settings.eventhub.lz_key, var.client_config.landingzone_key)][var.settings.eventhub.key].id : null + #hybrid_connection_endpoint - (Optional / Deprecated in favour of hybrid_connection_endpoint_id) + hybrid_connection_endpoint_id = can(var.settings.hybrid_connection.id) ? var.settings.hybrid_connection.id : can(var.remote_objects.hybrid_connections[try(var.settings.hybrid_connection.lz_key, var.client_config.landingzone_key)][var.settings.hybrid_connection.key].id) ? var.remote_objects.hybrid_connections[try(var.settings.hybrid_connection.lz_key, var.client_config.landingzone_key)][var.settings.hybrid_connection.key].id : null + service_bus_queue_endpoint_id = can(var.settings.servicebus_queues.id) ? var.settings.servicebus_queues.id : can(var.remote_objects.servicebus_queues[try(var.settings.servicebus_queues.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_queues.key].id) ? var.remote_objects.servicebus_queues[try(var.settings.servicebus_queues.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_queues.key].id : null + service_bus_topic_endpoint_id = can(var.settings.servicebus_topic.id) ? 
var.settings.servicebus_topic.id : can(var.remote_objects.servicebus_topic[try(var.settings.servicebus_topic.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_topic.key].id) ? var.remote_objects.servicebus_topic[try(var.settings.servicebus_topic.lz_key, var.client_config.landingzone_key)][var.settings.servicebus_topic.key].id : null + + dynamic "storage_queue_endpoint" { + for_each = try(var.settings.storage_queue_endpoint, null) != null ? [var.settings.storage_queue_endpoint] : [] + content { + storage_account_id = can(storage_queue_endpoint.value.eue_endpoint.storage_account.id) ? storage_queue_endpoint.value.eue_endpoint.storage_account.id : var.remote_objects.storage_accounts[try(storage_queue_endpoint.value.storage_account.lz_key, var.client_config.landingzone_key)][storage_queue_endpoint.value.storage_account.key].id + queue_name = can(storage_queue_endpoint.value.queue.name) ? storage_queue_endpoint.value.queue.name : var.remote_objects.storage_account_queues[try(storage_queue_endpoint.value.queue.lz_key, var.client_config.landingzone_key)][storage_queue_endpoint.value.queue.key].name + queue_message_time_to_live_in_seconds = try(storage_queue_endpoint.value.queue_message_time_to_live_in_seconds, null) + } + } + dynamic "webhook_endpoint" { + for_each = try(var.settings.webhook_endpoint, null) != null ? [var.settings.webhook_endpoint] : [] + content { + url = try(webhook_endpoint.value.url, null) + base_url = try(webhook_endpoint.value.base_url, null) + max_events_per_batch = try(webhook_endpoint.value.max_events_per_batch, null) + preferred_batch_size_in_kilobytes = try(webhook_endpoint.value.preferred_batch_size_in_kilobytes, null) + active_directory_tenant_id = try(webhook_endpoint.value.active_directory_tenant_id, null) + active_directory_app_id_or_uri = try(webhook_endpoint.value.active_directory_app_id_or_uri, null) + } + } + + dynamic "subject_filter" { + for_each = try(var.settings.subject_filter, null) != null ? 
[var.settings.subject_filter] : [] + content { + subject_begins_with = try(subject_filter.value.subject_begins_with, null) + subject_ends_with = try(subject_filter.value.subject_ends_with, null) + case_sensitive = try(subject_filter.value.case_sensitive, null) + } + } + + dynamic "advanced_filter" { + for_each = try(var.settings.advanced_filter, null) != null ? [var.settings.advanced_filter] : [] + content { + dynamic "bool_equals" { + for_each = try(advanced_filter.value.bool_equals, null) != null ? [advanced_filter.value.bool_equals] : [] + content { + key = try(bool_equals.value.key, null) + value = try(bool_equals.value.value, null) + } + } + dynamic "number_greater_than" { + for_each = try(advanced_filter.value.number_greater_than, null) != null ? [advanced_filter.value.number_greater_than] : [] + content { + key = try(number_greater_than.value.key, null) + value = try(number_greater_than.value.value, null) + + } + } + dynamic "number_greater_than_or_equals" { + for_each = try(advanced_filter.value.number_greater_than_or_equals, null) != null ? [advanced_filter.value.number_greater_than_or_equals] : [] + content { + key = try(number_greater_than_or_equals.value.key, null) + value = try(number_greater_than_or_equals.value.value, null) + } + } + dynamic "number_less_than" { + for_each = try(advanced_filter.value.number_less_than, null) != null ? [advanced_filter.value.number_less_than] : [] + content { + key = try(number_less_than.value.key, null) + value = try(number_less_than.value.value, null) + } + } + dynamic "number_less_than_or_equals" { + for_each = try(advanced_filter.value.number_less_than_or_equals, null) != null ? [advanced_filter.value.number_less_than_or_equals] : [] + content { + key = try(number_less_than_or_equals.value.key, null) + value = try(number_less_than_or_equals.value.value, null) + } + } + dynamic "number_in" { + for_each = try(advanced_filter.value.number_in, null) != null ? 
[advanced_filter.value.number_in] : [] + content { + key = try(number_in.value.key, null) + values = try(number_in.value.value, null) + } + } + dynamic "number_not_in" { + for_each = try(advanced_filter.value.number_not_in, null) != null ? [advanced_filter.value.number_not_in] : [] + content { + key = try(number_not_in.value.key, null) + values = try(number_not_in.value.value, null) + } + } + dynamic "number_in_range" { + for_each = try(advanced_filter.value.number_in_range, null) != null ? [advanced_filter.value.number_in_range] : [] + content { + key = try(number_in_range.value.key, null) + values = try(number_in_range.value.value, null) + } + } + dynamic "number_not_in_range" { + for_each = try(advanced_filter.value.number_not_in_range, null) != null ? [advanced_filter.value.number_not_in_range] : [] + content { + key = try(number_not_in_range.value.key, null) + values = try(number_not_in_range.value.value, null) + } + } + dynamic "string_begins_with" { + for_each = try(advanced_filter.value.string_begins_with, null) != null ? [advanced_filter.value.string_begins_with] : [] + content { + key = try(string_begins_with.value.key, null) + values = try(string_begins_with.value.value, null) + } + } + dynamic "string_not_begins_with" { + for_each = try(advanced_filter.value.string_not_begins_with, null) != null ? [advanced_filter.value.string_not_begins_with] : [] + content { + key = try(string_not_begins_with.value.key, null) + values = try(string_not_begins_with.value.value, null) + } + } + dynamic "string_ends_with" { + for_each = try(advanced_filter.value.string_ends_with, null) != null ? [advanced_filter.value.string_ends_with] : [] + content { + key = try(string_ends_with.value.key, null) + values = try(string_ends_with.value.value, null) + } + } + dynamic "string_not_ends_with" { + for_each = try(advanced_filter.value.string_not_ends_with, null) != null ? 
[advanced_filter.value.string_not_ends_with] : [] + content { + key = try(string_not_ends_with.value.key, null) + values = try(string_not_ends_with.value.value, null) + } + } + dynamic "string_contains" { + for_each = try(advanced_filter.value.string_contains, null) != null ? [advanced_filter.value.string_contains] : [] + content { + key = try(string_contains.value.key, null) + values = try(string_contains.value.value, null) + } + } + dynamic "string_not_contains" { + for_each = try(advanced_filter.value.string_not_contains, null) != null ? [advanced_filter.value.string_not_contains] : [] + content { + key = try(string_not_contains.value.key, null) + values = try(string_not_contains.value.value, null) + } + } + dynamic "string_in" { + for_each = try(advanced_filter.value.string_in, null) != null ? [advanced_filter.value.string_in] : [] + content { + key = try(string_in.value.key, null) + values = try(string_in.value.value, null) + } + } + dynamic "string_not_in" { + for_each = try(advanced_filter.value.string_not_in, null) != null ? [advanced_filter.value.string_not_in] : [] + content { + key = try(string_not_in.value.key, null) + values = try(string_not_in.value.value, null) + } + } + dynamic "is_not_null" { + for_each = try(advanced_filter.value.is_not_null, null) != null ? [advanced_filter.value.is_not_null] : [] + content { + key = try(is_not_null.value.key, null) + } + } + dynamic "is_null_or_undefined" { + for_each = try(advanced_filter.value.is_null_or_undefined, null) != null ? [advanced_filter.value.is_null_or_undefined] : [] + content { + key = try(is_null_or_undefined.value.key, null) + } + } + } + } + dynamic "delivery_identity" { + for_each = try(var.settings.delivery_identity, null) != null ? 
[var.settings.delivery_identity] : [] + content { + type = try(delivery_identity.value.type, null) + user_assigned_identity = try(delivery_identity.value.user_assigned_identity, null) + } + } + dynamic "delivery_property" { + for_each = try(var.settings.delivery_property, null) != null ? [var.settings.delivery_property] : [] + content { + header_name = try(delivery_property.value.header_name, null) + type = try(delivery_property.value.type, null) + value = try(delivery_property.value.value, null) + source_field = try(delivery_property.value.source_field, null) + secret = try(delivery_property.value.secret, null) + } + } + dynamic "dead_letter_identity" { + for_each = try(var.settings.dead_letter_identity, null) != null ? [var.settings.dead_letter_identity] : [] + content { + type = try(dead_letter_identity.value.type, null) + user_assigned_identity = try(dead_letter_identity.value.user_assigned_identity, null) + } + } + dynamic "storage_blob_dead_letter_destination" { + for_each = try(var.settings.storage_blob_dead_letter_destination, null) != null ? [var.settings.storage_blob_dead_letter_destination] : [] + content { + storage_account_id = try(storage_blob_dead_letter_destination.value.storage_account_id, null) + storage_blob_container_name = try(storage_blob_dead_letter_destination.value.storage_blob_container_name, null) + } + } + dynamic "storage_blob_dead_letter_destination" { + for_each = try(var.settings.storage_blob_dead_letter_destination, null) != null ? [var.settings.storage_blob_dead_letter_destination] : [] + content { + storage_account_id = try(storage_blob_dead_letter_destination.value.storage_account_id, null) + storage_blob_container_name = try(storage_blob_dead_letter_destination.value.storage_blob_container_name, null) + } + } + dynamic "retry_policy" { + for_each = try(var.settings.retry_policy, null) != null ? 
[var.settings.retry_policy] : [] + content { + max_delivery_attempts = try(retry_policy.value.max_delivery_attempts, null) + event_time_to_live = try(retry_policy.value.event_time_to_live, null) + } + } + labels = try(var.settings.labels, null) + advanced_filtering_on_arrays_enabled = try(var.settings.advanced_filtering_on_arrays_enabled, null) +} \ No newline at end of file diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf new file mode 100644 index 0000000000..a269931f46 --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf @@ -0,0 +1,4 @@ +output "id" { + value = azurerm_eventgrid_system_topic_event_subscription.egstes.id + description = "The ID of the EventGrid Event Subscription." +} diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf new file mode 100644 index 0000000000..aade8e83bf --- /dev/null +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf @@ -0,0 +1,18 @@ +variable "global_settings" { + description = "Global settings object (see module README.md)" +} +variable "client_config" { + description = "Client configuration object (see module README.md)." +} +variable "settings" { + description = "(Required) Used to handle passthrough paramenters." +} +variable "remote_objects" { + description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created." + default = {} +} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = map(any) + default = {} +} From 88dedcb86bcb5e166879a8cb708952cede3bf3fd Mon Sep 17 00:00:00 2001 
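Review bot: `dynamic "storage_blob_dead_letter_destination"` is declared twice, back to back, with identical `for_each` and content, so whenever `var.settings.storage_blob_dead_letter_destination` is set the resource receives two dead-letter blocks and the provider, which accepts at most one, rejects the plan; delete the second copy. In the `storage_queue_endpoint` block the condition reads `storage_queue_endpoint.value.eue_endpoint.storage_account.id`, a typo for `storage_queue_endpoint.value.storage_account.id`, so an explicitly supplied storage account ID is never honoured and the code always falls through to the remote-object lookup. `service_bus_topic_endpoint_id` looks the topic up under `var.remote_objects.servicebus_topic`, whereas the queue branch uses the plural `servicebus_queues` and the combined objects elsewhere in this patch series are named `servicebus_topics`; because the lookup is wrapped in `can(...)`, a wrong key silently yields `null` instead of an error. `system_topic` also takes the topic name, so the `var.settings.scope.id` alternative in its `coalesce` will not work if callers pass a resource ID there.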
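Review bot: The descriptions in the new `variables.tf` are copy-paste leftovers: `remote_objects` is described as "Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created.", which is the text for a `location` variable, and `settings` reads "Used to handle passthrough paramenters." Suggested text: for `remote_objects`, `description = "(Required) Objects from this and remote landing zones (eventgrid_system_topics, functions, eventhubs, hybrid_connections, servicebus_queues, storage_accounts, managed_identities) used to resolve keys in settings to resource IDs."`; for `settings`, `description = "(Required) Event subscription settings: name, scope, endpoint selection (azure_function_endpoint, eventhub, servicebus_queues, storage_queue_endpoint, webhook_endpoint, ...), filters, delivery/dead-letter identities and retry policy."`. `base_tags` is declared but appears unused in `module.tf` (the resource has no `tags` argument); either note that it is accepted for interface uniformity or drop it.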
From: Najeeb Vayal Valappil Date: Thu, 22 Feb 2024 17:00:51 +0100 Subject: [PATCH 225/244] delivery identity key support --- .../eventgrid_system_topic_event_subscription/module.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf
index ba18df1bfc..415440f0a9 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf
@@ -202,7 +202,7 @@ resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" {
 for_each = try(var.settings.delivery_identity, null) != null ? [var.settings.delivery_identity] : []
 content {
 type = try(delivery_identity.value.type, null)
- user_assigned_identity = try(delivery_identity.value.user_assigned_identity, null)
+ user_assigned_identity = coalesce(try(delivery_identity.value.id, null), try(var.remote_objects.all.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id, null))
 }
 }
 dynamic "delivery_property" {
From 64635798d3842f8eea07d41c4412d4f0dc4b9ad7 Mon Sep 17 00:00:00 2001
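Review bot: Replacing `try(..., null)` with `coalesce(try(delivery_identity.value.id, null), try(... .id, null))` makes the block fail whenever neither an `id` nor a `key` is supplied, because `coalesce` errors when every argument is null; that is exactly the configuration for a `SystemAssigned` delivery identity, which worked before this change. Use a null-tolerant chain instead: `user_assigned_identity = try(delivery_identity.value.id, var.remote_objects.all.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id, null)`. Note the new attribute names (`id`/`key`/`lz_key`) also drop support for the previous `user_assigned_identity` attribute, which any existing configuration would need to migrate. The enclosing resource begins and ends outside this hunk.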
From: Najeeb Vayal Valappil Date: Tue, 27 Feb 2024 11:03:02 +0100 Subject: [PATCH 226/244] features added --- local.remote_objects.tf | 4 ++-- modules/compute/aks/aks.tf | 2 ++ modules/compute/aks/output.tf | 4 ++++ .../active_directory_administrator.tf | 14 ++++++++++++++ .../postgresql_flexible_server/main.tf | 17 +++++++++++++++++ .../postgresql_flexible_server/server.tf | 14 ++++++++++++-- .../eventgrid/eventgrid_system_topic/main.tf | 8 ++++++-- .../main.tf | 7 ++++++- .../module.tf | 7 +++---- .../variables.tf | 2 +- modules/messaging/servicebus/queue/queue.tf | 2 +- .../topic/subscription/subscription.tf | 2 +- modules/messaging/servicebus/topic/topic.tf | 2 +- 13 files changed, 70 insertions(+), 15 deletions(-) create mode 100644 modules/databases/postgresql_flexible_server/active_directory_administrator.tf diff --git a/local.remote_objects.tf b/local.remote_objects.tf index 93baae3db4..5e6549664f 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf @@ -40,8 +40,8 @@ locals { consumption_budgets_subscriptions = try(local.combined_objects_consumption_budgets_subscriptions, null) container_registry = try(local.combined_objects_container_registry, null) cosmos_dbs = try(local.combined_objects_cosmos_dbs, null) + cost_anomaly_alert = try(local.combined_objects_cost_anomaly_alert, null) databricks_workspaces = try(local.combined_objects_databricks_workspaces, null) - databricks_access_connectors = try(local.combined_objects_databricks_access_connectors, null) data_factory = try(local.combined_objects_data_factory, null) data_factory_integration_runtime_azure_ssis = try(local.combined_objects_data_factory_integration_runtime_azure_ssis, null) data_factory_linked_service_azure_blob_storage = try(local.combined_objects_data_factory_linked_service_azure_blob_storage, null) 
@@ -53,6 +53,7 @@ locals { data_factory_pipeline = try(local.combined_objects_data_factory_pipeline, null) data_factory_integration_runtime_self_hosted = try(local.combined_objects_data_factory_integration_runtime_self_hosted, null) database_migration_services = try(local.combined_objects_database_migration_services, null) + databricks_access_connectors = try(local.combined_objects_databricks_access_connectors, null) dedicated_host_groups = try(local.combined_objects_dedicated_host_groups, null) dedicated_hosts = try(local.combined_objects_dedicated_hosts, null) diagnostic_storage_accounts = try(local.combined_objects_diagnostic_storage_accounts, null) @@ -147,6 +148,5 @@ locals { wvd_host_pools = try(local.combined_objects_wvd_host_pools, null) wvd_workspaces = try(local.combined_objects_wvd_workspaces, null) subscriptions = try(local.combined_objects_subscriptions, null) - cost_anomaly_alert = try(local.combined_objects_cost_anomaly_alert, null) } } diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index cad9cdcb9c..e999dafd3d 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf 
@@ -70,6 +70,7 @@ resource "azurerm_kubernetes_cluster" "aks" { capacity_reservation_group_id = try(var.settings.capacity_reservation_group_id, null) custom_ca_trust_enabled = try(var.settings.custom_ca_trust_enabled, null) host_group_id = try(var.settings.host_group_id, null) + temporary_name_for_rotation = try(var.settings.default_node_pool.temporary_name_for_rotation, null) pod_subnet_id = can(var.settings.default_node_pool.pod_subnet_key) == false || can(var.settings.default_node_pool.pod_subnet.key) == false || can(var.settings.default_node_pool.pod_subnet_id) || can(var.settings.default_node_pool.pod_subnet.resource_id) ? try(var.settings.default_node_pool.pod_subnet_id, var.settings.default_node_pool.pod_subnet.resource_id, null) : var.vnets[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.vnet_key].subnets[try(var.settings.default_node_pool.pod_subnet_key, var.settings.default_node_pool.pod_subnet.key)].id vnet_subnet_id = can(var.settings.default_node_pool.vnet_subnet_id) || can(var.settings.default_node_pool.subnet.resource_id) ? try(var.settings.default_node_pool.vnet_subnet_id, var.settings.default_node_pool.subnet.resource_id) : var.vnets[try(var.settings.vnet.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.vnet.key, var.settings.vnet_key)].subnets[try(var.settings.default_node_pool.subnet_key, var.settings.default_node_pool.subnet.key)].id @@ -328,6 +329,7 @@ resource "azurerm_kubernetes_cluster" "aks" { docker_bridge_cidr = try(network_profile.value.docker_bridge_cidr, null) outbound_type = try(network_profile.value.outbound_type, null) pod_cidr = try(network_profile.value.pod_cidr, null) + pod_cidrs = try(network_profile.value.pod_cidrs, null) service_cidr = try(network_profile.value.service_cidr, null) service_cidrs = try(network_profile.value.network_cidrs, null) load_balancer_sku = try(network_profile.value.load_balancer_sku, null) 
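Review bot: The new `pod_cidrs` line in the second hunk sits next to the context line `service_cidrs = try(network_profile.value.network_cidrs, null)`, which reads a differently named key than the attribute it sets; presumably `network_profile.value.service_cidrs` was intended, and this hunk touches the same block so it is a natural place to fix it. The `temporary_name_for_rotation` line in the first hunk reads from `var.settings.default_node_pool`, which is consistent with the surrounding default-node-pool attributes, but the block header is outside the hunk so I cannot confirm its placement. Both hunks are fragments of `azurerm_kubernetes_cluster`, which starts and ends outside the hunk.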
diff --git a/modules/compute/aks/output.tf b/modules/compute/aks/output.tf index 4a0511459c..2f1318fb69 100644 --- a/modules/compute/aks/output.tf +++ b/modules/compute/aks/output.tf @@ -47,3 +47,7 @@ output "node_resource_group" { output "private_fqdn" { value = azurerm_kubernetes_cluster.aks.private_fqdn } + +output "oidc_issuer_url" { + value = azurerm_kubernetes_cluster.aks.oidc_issuer_url +} \ No newline at end of file diff --git a/modules/databases/postgresql_flexible_server/active_directory_administrator.tf b/modules/databases/postgresql_flexible_server/active_directory_administrator.tf new file mode 100644 index 0000000000..d4b5d5c534 --- /dev/null +++ b/modules/databases/postgresql_flexible_server/active_directory_administrator.tf @@ -0,0 +1,14 @@ +resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgresql" { + for_each = try(var.settings.authentication.azuread_administrator, {}) + + resource_group_name = local.resource_group_name + server_name = azurerm_postgresql_flexible_server.postgresql.name + tenant_id = can(var.settings.authentication.tenant_id) ? var.settings.authentication.tenant_id : var.client_config.tenant_id + object_id = can(each.value.object_id) ? each.value.object_id : ( + each.value.principal_type == "ServicePrincipal" ? var.remote_objects.service_principals[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.key].object_id : + each.value.principal_type == "Group" ? var.remote_objects.azuread_groups[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.key].object_id : + each.value.principal_type == "User" ? var.remote_objects.azuread_users[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.key].object_id : null + ) + principal_name = each.value.display_name + principal_type = each.value.principal_type +} \ No newline at end of file 
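Review bot: In the new `active_directory_administrator.tf`, `object_id` silently resolves to `null` when `principal_type` is anything other than `ServicePrincipal`, `Group` or `User`, so a misspelt type surfaces as a provider error about a required argument rather than pointing at the setting. Replacing the trailing `: null` with an explicit failure, or adding a `lifecycle { precondition { ... } }` on the resource (if the pinned Terraform version supports it) that checks `contains(["ServicePrincipal", "Group", "User"], each.value.principal_type)`, would make the misconfiguration obvious. A header comment stating that the administrator only takes effect when Entra ID authentication is enabled on the server would also help, since nothing in this hunk enforces that.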
diff --git a/modules/databases/postgresql_flexible_server/main.tf b/modules/databases/postgresql_flexible_server/main.tf index dae9051a49..f687f02c7e 100644 --- a/modules/databases/postgresql_flexible_server/main.tf +++ b/modules/databases/postgresql_flexible_server/main.tf @@ -23,4 +23,21 @@ locals { location = var.resource_group.location resource_group_name = var.resource_group.name + + managed_local_identities = flatten([ + for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ + var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + ] + ]) + + managed_remote_identities = flatten([ + for lz_key, value in try(var.settings.identity.remote, []) : [ + for managed_identity_key in value.managed_identity_keys : [ + var.remote_objects.managed_identities[lz_key][managed_identity_key].id + ] + ] + ]) + + provided_identities = try(var.settings.identity.managed_identity_ids, []) + managed_identities = concat(local.provided_identities, local.managed_local_identities, local.managed_remote_identities) } \ No newline at end of file diff --git a/modules/databases/postgresql_flexible_server/server.tf b/modules/databases/postgresql_flexible_server/server.tf index 5a97256436..b67e68a400 100644 --- a/modules/databases/postgresql_flexible_server/server.tf +++ b/modules/databases/postgresql_flexible_server/server.tf @@ -16,6 +16,7 @@ resource "azurerm_postgresql_flexible_server" "postgresql" { sku_name = try(var.settings.sku_name, null) zone = try(var.settings.zone, null) storage_mb = try(var.settings.storage_mb, null) + auto_grow_enabled = try(var.settings.auto_grow_enabled, null) delegated_subnet_id = var.remote_objects.subnet_id private_dns_zone_id = var.remote_objects.private_dns_zone_id 
@@ -52,11 +53,20 @@ resource "azurerm_postgresql_flexible_server" "postgresql" { for_each = try(var.settings.high_availability, null) == null ? [] : [var.settings.high_availability] content { - mode = "ZoneRedundant" - standby_availability_zone = var.settings.zone == null ? null : var.settings.high_availability.standby_availability_zone + mode = try(var.settings.high_availability.mode, "ZoneRedundant") + standby_availability_zone = var.settings.high_availability.mode == "SameZone" ? var.settings.zone : try(var.settings.high_availability.standby_availability_zone, null) } } + dynamic "identity" { + for_each = can(var.settings.identity) ? [var.settings.identity] : [] + + content { + type = "UserAssigned" + identity_ids = local.managed_identities + } + } + lifecycle { ignore_changes = [ private_dns_zone_id, diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf index 18070aadb3..2c2557d820 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf @@ -14,14 +14,14 @@ locals { managed_local_identities = flatten([ for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ - var.remote_objects.all.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id ] ]) managed_remote_identities = flatten([ for lz_key, value in try(var.settings.identity.remote, []) : [ for managed_identity_key in value.managed_identity_keys : [ - var.remote_objects.all.managed_identities[lz_key][managed_identity_key].id + var.remote_objects.managed_identities[lz_key][managed_identity_key].id ] ] ]) 
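Review bot: The new `standby_availability_zone` line dereferences `var.settings.high_availability.mode` without `try()`, while the line above defaults the mode to `"ZoneRedundant"` when it is absent; a configuration that omits `mode` and relies on that default therefore fails with an unsupported-attribute error instead of getting the default. Use the same guarded expression on both lines: `standby_availability_zone = try(var.settings.high_availability.mode, "ZoneRedundant") == "SameZone" ? var.settings.zone : try(var.settings.high_availability.standby_availability_zone, null)`. The new `identity` block hard-codes `type = "UserAssigned"` and passes `local.managed_identities` unconditionally, so a settings object with an `identity` map but no keys or IDs yields an empty `identity_ids` list; a one-line comment such as `# only user-assigned identities are supported; identity_ids is built in main.tf` would make that contract explicit. The enclosing `azurerm_postgresql_flexible_server` resource starts outside the hunk.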
@@ -29,4 +29,8 @@ locals { provided_identities = try(var.settings.identity.managed_identity_ids, []) managed_identities = concat(local.provided_identities, local.managed_local_identities, local.managed_remote_identities) + resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].resource_group_name, null)) + + location = coalesce(try(var.settings.location, null), try(var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)].location, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].location, null), "global") + } diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf index 6c3801cbd3..6b36696ec8 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf 
@@ -4,5 +4,10 @@ terraform { source = "aztfmod/azurecaf" } } - } + + +locals { + system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null)) + resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null)) +} \ No newline at end of file diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf index 415440f0a9..1bdb4b51fe 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf @@ -1,4 +1,3 @@ - resource "azurecaf_name" "egstes" { name = var.settings.name resource_type = "azurerm_eventgrid_event_subscription" 
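Review bot: The new `resource_group_name` local still reads `var.remote_objects.all.resource_groups`, whereas the rest of this commit moves lookups to `var.remote_objects.<type>` (see `managed_identities` in module.tf and in `eventgrid_system_topic/main.tf`); unless this module receives the whole remote-objects map under an `all` key, that branch always falls through to null. The `system_topic` local accepts `var.settings.scope.id` first but otherwise returns the topic's `.name`, so the two branches produce different kinds of value for an argument that, as far as I can tell, expects the system topic name; a comment stating what `scope.id` is meant to carry, or renaming it to `scope.name`, would avoid confusion. Both expressions are moved here from module.tf, so this behaviour predates the commit.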
@@ -10,8 +9,8 @@ resource "azurecaf_name" "egstes" { } resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" { name = azurecaf_name.egstes.result - system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null)) - resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null)) + system_topic = local.system_topic + resource_group_name = local.resource_group_name expiration_time_utc = try(var.settings.expiration_time_utc, null) event_delivery_schema = try(var.settings.event_delivery_schema, null) included_event_types = try(var.settings.included_event_types, null) @@ -202,7 +201,7 @@ resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" { for_each = try(var.settings.delivery_identity, null) != null ? [var.settings.delivery_identity] : [] content { type = try(delivery_identity.value.type, null) - user_assigned_identity = coalesce(try(delivery_identity.value.id, null), try(var.remote_objects.all.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id, null)) + user_assigned_identity = coalesce(try(delivery_identity.value.id, null), try(var.remote_objects.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id)) } } dynamic "delivery_property" { 
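Review bot: The second `coalesce()` argument on the `user_assigned_identity` line is now `try(...)` with a single argument, which no longer catches errors: `try` only falls back when a later argument exists, so when the caller supplies `delivery_identity.id` and no `key`, the missing-key lookup raises and the provided `id` is never used. Restore the fallback the previous revision had: `try(var.remote_objects.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id, null)`. The enclosing `dynamic "delivery_identity"` block and the resource start outside the hunk.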
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf index aade8e83bf..fc7ff1a9bc 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf @@ -15,4 +15,4 @@ variable "base_tags" { description = "Base tags for the resource to be inherited from the resource group." type = map(any) default = {} -} +} \ No newline at end of file diff --git a/modules/messaging/servicebus/queue/queue.tf b/modules/messaging/servicebus/queue/queue.tf index a49b74e85f..4b7329e540 100644 --- a/modules/messaging/servicebus/queue/queue.tf +++ b/modules/messaging/servicebus/queue/queue.tf @@ -4,7 +4,7 @@ resource "azurecaf_name" "queue" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } diff --git a/modules/messaging/servicebus/topic/subscription/subscription.tf b/modules/messaging/servicebus/topic/subscription/subscription.tf index bf36e76415..5b60fc1eb2 100644 --- a/modules/messaging/servicebus/topic/subscription/subscription.tf +++ b/modules/messaging/servicebus/topic/subscription/subscription.tf 
@@ -4,7 +4,7 @@ resource "azurecaf_name" "servicebus_subscription" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } diff --git a/modules/messaging/servicebus/topic/topic.tf b/modules/messaging/servicebus/topic/topic.tf index c97aa9d6f6..f8dd9f4934 100644 --- a/modules/messaging/servicebus/topic/topic.tf +++ b/modules/messaging/servicebus/topic/topic.tf @@ -4,7 +4,7 @@ resource "azurecaf_name" "topic" { prefixes = var.global_settings.prefixes random_length = var.global_settings.random_length clean_input = true - passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough + passthrough = try(var.settings.passthrough, false) ? var.settings.passthrough : var.global_settings.passthrough use_slug = var.global_settings.use_slug } From a48e2d604452befb1163b25cae09aa50af61e9ff Mon Sep 17 00:00:00 2001 
From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Tue, 12 Mar 2024 16:18:58 +0100 Subject: [PATCH 227/244] Feature/gallery app (#43) * feature: gallery app * removed commented out elements - lookup for region from global settings * - support storage containers block * feature: output added to gallery apps --- .../gallery_application.tfvars | 11 +++ .../gallery_application_version.tfvars | 32 +++++++ .../resource_groups.tfvars | 6 ++ .../role_mapping.tfvars | 13 +++ .../shared_image_galleries.tfvars | 7 ++ .../storage_account.tfvars | 15 +++ local.remote_objects.tf | 2 + locals.combined_objects.tf | 2 + locals.tf | 2 + .../azurerm_gallery_application.tf | 12 +++ .../gallery_application/main.tf | 14 +++ .../gallery_application/output.tf | 9 ++ .../gallery_application/variables.tf | 9 ++ .../azurerm_gallery_application_version.tf | 92 +++++++++++++++++++ .../gallery_application_version/main.tf | 18 ++++ .../gallery_application_version/output.tf | 6 ++ .../gallery_application_version/variables.tf | 11 +++ .../image_galleries/output.tf | 8 ++ shared_image_gallery.tf | 41 +++++++++ 19 files changed, 310 insertions(+) create mode 100644 examples/shared_image_gallery/105-gallery-application/gallery_application.tfvars create mode 100644 examples/shared_image_gallery/105-gallery-application/gallery_application_version.tfvars create mode 100644 examples/shared_image_gallery/105-gallery-application/resource_groups.tfvars create mode 100644 examples/shared_image_gallery/105-gallery-application/role_mapping.tfvars create mode 100644 examples/shared_image_gallery/105-gallery-application/shared_image_galleries.tfvars create mode 100644 examples/shared_image_gallery/105-gallery-application/storage_account.tfvars create mode 100644 modules/shared_image_gallery/gallery_application/azurerm_gallery_application.tf create mode 100644 modules/shared_image_gallery/gallery_application/main.tf create mode 100644 modules/shared_image_gallery/gallery_application/output.tf 
create mode 100644 modules/shared_image_gallery/gallery_application/variables.tf create mode 100644 modules/shared_image_gallery/gallery_application_version/azurerm_gallery_application_version.tf create mode 100644 modules/shared_image_gallery/gallery_application_version/main.tf create mode 100644 modules/shared_image_gallery/gallery_application_version/output.tf create mode 100644 modules/shared_image_gallery/gallery_application_version/variables.tf diff --git a/examples/shared_image_gallery/105-gallery-application/gallery_application.tfvars b/examples/shared_image_gallery/105-gallery-application/gallery_application.tfvars new file mode 100644 index 0000000000..7e00420db9 --- /dev/null +++ b/examples/shared_image_gallery/105-gallery-application/gallery_application.tfvars @@ -0,0 +1,11 @@ +gallery_application = { + linux = { + resource_group_key = "gallery_app" + supported_os_type = "Linux" + name = "Linux-App" + description = "tcpdump" + shared_image_gallery_destination = { + gallery_key = "crowdtrike_app" + } + } +} \ No newline at end of file diff --git a/examples/shared_image_gallery/105-gallery-application/gallery_application_version.tfvars b/examples/shared_image_gallery/105-gallery-application/gallery_application_version.tfvars new file mode 100644 index 0000000000..d42bf645bf --- /dev/null +++ b/examples/shared_image_gallery/105-gallery-application/gallery_application_version.tfvars 
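Review bot: The example keys do not line up across the new tfvars files: `gallery_application.tfvars` sets `shared_image_gallery_destination.gallery_key = "crowdtrike_app"`, but `shared_image_galleries.tfvars` defines the gallery under `shared_gallery`, so `module.shared_image_galleries[...]` in shared_image_gallery.tf has no such key. Likewise `gallery_application_version.tfvars` sets `gallery_application.gallery_key = "shared_gallery"` where a `gallery_application` key (`linux`) is indexed, and its `storage_account_key = "crowdstrike"` disagrees with `storage_account.tfvars` (`installer`) while `role_mapping.tfvars` uses `crowdstrike` again. Aligning them to `gallery_key = "shared_gallery"`, `gallery_key = "linux"` (or renaming that attribute to `gallery_application_key`) and one storage-account key would make the example applyable.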
@@ -0,0 +1,32 @@ +gallery_application_version = { + version_one = { + name = "1.0.0" + gallery_application = { + gallery_key = "shared_gallery" + } + install_cmd = <<-EOL + sudo apt-get update && + sudo apt-get install ./tcpdump -y + EOL + remove_cmd = <<-EOL + sudo apt-get update && + sudo apt-get purge tcpdump -y + EOL + update_cmd = <<-EOL + sudo apt-get update && + sudo apt-get upgrade ./tcpdump -y && + EOL + exclude_from_latest = false + storage_accounts = { + sas_policy = { + expire_in_days = 14 + rotation = { + days = 7 + } + } + container_key = "installer" + storage_account_key = "crowdstrike" + blob_name = "tcpdump.deb" + } + } +} \ No newline at end of file diff --git a/examples/shared_image_gallery/105-gallery-application/resource_groups.tfvars b/examples/shared_image_gallery/105-gallery-application/resource_groups.tfvars new file mode 100644 index 0000000000..93218fcf41 --- /dev/null +++ b/examples/shared_image_gallery/105-gallery-application/resource_groups.tfvars @@ -0,0 +1,6 @@ +resource_groups = { + gallery_app = { + name = "app-gallery" + region = "region1" + } +} \ No newline at end of file diff --git a/examples/shared_image_gallery/105-gallery-application/role_mapping.tfvars b/examples/shared_image_gallery/105-gallery-application/role_mapping.tfvars new file mode 100644 index 0000000000..336507dcbe --- /dev/null +++ b/examples/shared_image_gallery/105-gallery-application/role_mapping.tfvars @@ -0,0 +1,13 @@ +role_mapping = { + built_in_role_mapping = { + storage_accounts = { + crowdstrike = { + "Storage Blob Data Contributor" = { + object_ids = { + keys = [""] # to generate access token. + } + } + } + } + } +} diff --git a/examples/shared_image_gallery/105-gallery-application/shared_image_galleries.tfvars b/examples/shared_image_gallery/105-gallery-application/shared_image_galleries.tfvars new file mode 100644 index 0000000000..26dfb201ee --- /dev/null +++ b/examples/shared_image_gallery/105-gallery-application/shared_image_galleries.tfvars 
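Review bot: `update_cmd` in `gallery_application_version.tfvars` ends with a dangling `&&` after `sudo apt-get upgrade ./tcpdump -y &&`, which is a shell syntax error when the VM application runs its update action; drop the trailing `&&`. The install and update commands also reference `./tcpdump` while the blob is `tcpdump.deb`; unless `package_file` is set on the version, the package is saved under the application name rather than the blob name, so it is worth confirming the path the commands expect before the example is relied on.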
@@ -0,0 +1,7 @@ +shared_image_galleries = { + shared_gallery = { + resource_group_key = "gallery_app" + name = "apps" + description = "demo-installers" + } +} \ No newline at end of file diff --git a/examples/shared_image_gallery/105-gallery-application/storage_account.tfvars b/examples/shared_image_gallery/105-gallery-application/storage_account.tfvars new file mode 100644 index 0000000000..b4dd6dc782 --- /dev/null +++ b/examples/shared_image_gallery/105-gallery-application/storage_account.tfvars @@ -0,0 +1,15 @@ +storage_accounts = { + installer = { + name = "installer" + resource_group_key = "gallery_app" + account_kind = "BlobStorage" + account_tier = "Standard" + account_replication_type = "LRS" + containers = { + installer = { + name = "installer" + } + } + enable_system_msi = true + } +} \ No newline at end of file diff --git a/local.remote_objects.tf b/local.remote_objects.tf index 5e6549664f..9410e7d0f4 100644 --- a/local.remote_objects.tf +++ b/local.remote_objects.tf @@ -67,6 +67,8 @@ locals { express_route_circuits = try(local.combined_objects_express_route_circuits, null) front_door = try(local.combined_objects_front_door, null) front_door_waf_policies = try(local.combined_objects_front_door_waf_policies, null) + gallery_application = try(local.combined_objects_gallery_application, null) + gallery_application_version = try(local.combined_objects_gallery_application_version, null) integration_service_environment = try(local.combined_objects_integration_service_environment, null) iot_security_solution = try(local.combined_objects_iot_security_solution, null) iot_security_device_group = try(local.combined_objects_iot_security_device_group, null) diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 290c775518..2becc455b8 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -87,6 +87,8 @@ locals { combined_objects_front_door = merge(tomap({ (local.client_config.landingzone_key) = module.front_doors }), lookup(var.remote_objects, "front_doors", {})) combined_objects_front_door_waf_policies = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), lookup(var.remote_objects, "front_door_waf_policies", {})) combined_objects_function_apps = merge(tomap({ (local.client_config.landingzone_key) = module.function_apps }), lookup(var.remote_objects, "function_apps", {})) + combined_objects_gallery_application = merge(tomap({ (local.client_config.landingzone_key) = module.gallery_application }), try(var.remote_objects.gallery_application, {})) + combined_objects_gallery_application_version = merge(tomap({ (local.client_config.landingzone_key) = module.gallery_application_version }), try(var.remote_objects.gallery_application_version, {})) combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), lookup(var.remote_objects, "image_definitions", {})) combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), lookup(var.remote_objects, "integration_service_environment", {})) combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), lookup(var.remote_objects, "iot_central_application", {})) diff --git a/locals.tf b/locals.tf index a6d3e8b9c4..2908216245 100644 --- a/locals.tf +++ b/locals.tf 
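Review bot: The two new `combined_objects_gallery_application*` lines use `try(var.remote_objects.gallery_application, {})` while every neighbouring line uses `lookup(var.remote_objects, "front_doors", {})`; the result is the same for a missing key, but `try` also swallows type errors, and one idiom per file keeps the list easy to scan. Suggested: `combined_objects_gallery_application = merge(tomap({ (local.client_config.landingzone_key) = module.gallery_application }), lookup(var.remote_objects, "gallery_application", {}))`, and the same for `gallery_application_version`.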
@@ -397,6 +397,8 @@ locals { recovery_vaults = try(var.shared_services.recovery_vaults, {}) shared_image_galleries = try(var.shared_services.shared_image_galleries, {}) cost_anomaly_alert = try(var.shared_services.cost_anomaly_alert, {}) + gallery_application = try(var.shared_services.gallery_application, {}) + gallery_application_version = try(var.shared_services.gallery_application_version, {}) } storage = { diff --git a/modules/shared_image_gallery/gallery_application/azurerm_gallery_application.tf b/modules/shared_image_gallery/gallery_application/azurerm_gallery_application.tf new file mode 100644 index 0000000000..e02ea90ce7 --- /dev/null +++ b/modules/shared_image_gallery/gallery_application/azurerm_gallery_application.tf @@ -0,0 +1,12 @@ +resource "azurerm_gallery_application" "gallery_application" { + name = var.settings.name + gallery_id = var.gallery_id + location = var.location + supported_os_type = var.settings.supported_os_type + description = try(var.settings.description, null) + end_of_life_date = try(var.settings.end_of_life_date, null) + eula = try(var.settings.eula, null) + privacy_statement_uri = try(var.settings.privacy_statement_uri, null) + release_note_uri = try(var.settings.release_note_uri, null) + tags = local.tags +} \ No newline at end of file diff --git a/modules/shared_image_gallery/gallery_application/main.tf b/modules/shared_image_gallery/gallery_application/main.tf new file mode 100644 index 0000000000..5d34f73eb1 --- /dev/null +++ b/modules/shared_image_gallery/gallery_application/main.tf @@ -0,0 +1,14 @@ +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = var.base_tags ? merge( + var.global_settings.tags, + local.module_tag, + try(var.settings.tags, null) + ) : merge( + local.module_tag, + try(var.settings.tags, + null) + ) +} \ No newline at end of file 
diff --git a/modules/shared_image_gallery/gallery_application/output.tf b/modules/shared_image_gallery/gallery_application/output.tf new file mode 100644 index 0000000000..d3e7c3c54c --- /dev/null +++ b/modules/shared_image_gallery/gallery_application/output.tf @@ -0,0 +1,9 @@ +output "location" { + value = azurerm_gallery_application.gallery_application.location +} +output "id" { + value = azurerm_gallery_application.gallery_application.id +} +output "name" { + value = azurerm_gallery_application.gallery_application.name +} \ No newline at end of file diff --git a/modules/shared_image_gallery/gallery_application/variables.tf b/modules/shared_image_gallery/gallery_application/variables.tf new file mode 100644 index 0000000000..d0501b1c55 --- /dev/null +++ b/modules/shared_image_gallery/gallery_application/variables.tf @@ -0,0 +1,9 @@ +variable "client_config" {} +variable "global_settings" {} +variable "settings" {} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} +variable "gallery_id" {} +variable "location" {} \ No newline at end of file diff --git a/modules/shared_image_gallery/gallery_application_version/azurerm_gallery_application_version.tf b/modules/shared_image_gallery/gallery_application_version/azurerm_gallery_application_version.tf new file mode 100644 index 0000000000..55d64b8d6c --- /dev/null +++ b/modules/shared_image_gallery/gallery_application_version/azurerm_gallery_application_version.tf 
@@ -0,0 +1,92 @@ +data "azurerm_storage_account" "installer" { + count = can(var.settings.media_link) ? 0 : 1 + + name = local.installer_storage_account.name + resource_group_name = local.installer_storage_account.resource_group_name +} + +data "azurerm_storage_blob" "installer" { + count = can(var.settings.media_link) ? 0 : 1 + name = var.settings.blob_name + storage_account_name = local.installer_storage_account.name + storage_container_name = local.installer_storage_container +} + +data "azurerm_storage_account_sas" "installer" { + count = can(var.settings.media_link) ? 0 : 1 + + connection_string = data.azurerm_storage_account.installer.0.primary_connection_string + https_only = true + + start = time_rotating.sas[0].id + expiry = timeadd(time_rotating.sas[0].id, format("%sh", var.settings.storage_accounts.sas_policy.expire_in_days * 24)) + + resource_types { + service = false + container = false + object = true + } + + services { + blob = true + queue = false + table = false + file = false + } + + permissions { + read = true + write = false + delete = false + list = false + add = false + create = false + update = false + process = false + tag = false + filter = false + } +} + +resource "time_rotating" "sas" { + count = can(var.settings.storage_accounts.sas_policy) ? 
1 : 0 + + rotation_minutes = lookup(var.settings.storage_accounts.sas_policy.rotation, "mins", null) + rotation_days = lookup(var.settings.storage_accounts.sas_policy.rotation, "days", null) + rotation_months = lookup(var.settings.storage_accounts.sas_policy.rotation, "months", null) + rotation_years = lookup(var.settings.storage_accounts.sas_policy.rotation, "years", null) +} + +resource "azurerm_gallery_application_version" "gallery_application_version" { + name = var.settings.name + gallery_application_id = var.gallery_application_id + location = var.location + enable_health_check = try(var.settings.enable_health_check, false) + end_of_life_date = try(var.settings.end_of_life_date, try(can(var.settings.media_link) ? null : timeadd(time_rotating.sas[0].id, format("%sh", var.settings.storage_accounts.sas_policy.expire_in_days * 24)))) + exclude_from_latest = try(var.settings.exclude_from_latest, false) + tags = local.tags + manage_action { + install = var.settings.install_cmd + remove = var.settings.remove_cmd + update = try(var.settings.update_cmd, null) + } + + source { + media_link = try(var.settings.media_link, local.blob_sas_url) + default_configuration_link = try(var.settings.default_configuration_link, null) + } + + target_region { + name = var.location + regional_replica_count = try(var.settings.defult_regional_replica_count, 1) + storage_account_type = try(var.settings.defult_storage_account_type, "Standard_LRS") + } + dynamic "target_region" { + for_each = try(var.settings.target_regions, {}) + content { + name = coalesce(try(target_region.value.name, null), try(lookup(var.global_settings.regions, target_region.value.region_key, null), null)) + regional_replica_count = coalesce(try(target_region.value.regional_replica_count, null), try(var.settings.default_regional_replica_count, 1)) + storage_account_type = coalesce(try(target_region.value.storage_account_type, null), try(var.settings.defult_storage_account_type, "Standard_LRS")) + } + } +} \ No newline 
at end of file diff --git a/modules/shared_image_gallery/gallery_application_version/main.tf b/modules/shared_image_gallery/gallery_application_version/main.tf new file mode 100644 index 0000000000..da9d3f4a12 --- /dev/null +++ b/modules/shared_image_gallery/gallery_application_version/main.tf @@ -0,0 +1,18 @@ +locals { + module_tag = { + "module" = basename(abspath(path.module)) + } + tags = var.base_tags ? merge( + var.global_settings.tags, + local.module_tag, + try(var.settings.tags, null) + ) : merge( + local.module_tag, + try(var.settings.tags, + null) + ) + + installer_storage_account = can(var.settings.media_link) ? null : var.storage_accounts[try(var.settings.storage_accounts.lz_key, var.client_config.landingzone_key)][var.settings.storage_accounts.storage_account_key] + installer_storage_container = can(var.settings.media_link) ? null : coalesce(try(var.settings.storage_containers.storage_container_name, null), try(var.storage_containers[try(var.settings.storage_containers.lz_key, var.client_config.landingzone_key)][var.settings.storage_containers.container_key].name, null), try(local.installer_storage_account.containers[var.settings.storage_accounts.container_key].name, null)) + blob_sas_url = can(var.settings.media_link) ? null : "${data.azurerm_storage_blob.installer[0].url}${data.azurerm_storage_account_sas.installer[0].sas}" +} \ No newline at end of file diff --git a/modules/shared_image_gallery/gallery_application_version/output.tf b/modules/shared_image_gallery/gallery_application_version/output.tf new file mode 100644 index 0000000000..7ce5ea97eb --- /dev/null +++ b/modules/shared_image_gallery/gallery_application_version/output.tf @@ -0,0 +1,6 @@ +output "id" { + value = azurerm_gallery_application_version.gallery_application_version.id +} +output "version" { + value = azurerm_gallery_application_version.gallery_application_version.name +} \ No newline at end of file 
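Review bot: The `azurerm_storage_account_sas` data source is guarded by `can(var.settings.media_link)` but reads `time_rotating.sas[0]`, whose `count` is guarded by `can(var.settings.storage_accounts.sas_policy)`; a version that omits both `media_link` and `sas_policy` therefore fails on an index error rather than a clear message, so the two guards should share one condition or `sas_policy` should be documented as required for blob sources. The SAS is an account SAS with `object = true`, `blob = true`, `read = true` and no container restriction, which lets anyone holding it read every blob in the account for the expiry window, not just the installer; a container-scoped token from `azurerm_storage_account_blob_container_sas` on `local.installer_storage_container` would be least privilege. The token (via `local.blob_sas_url` → `source.media_link`) and the `primary_connection_string` read by the data source are persisted in plain text in the state, so the state backend must be protected accordingly; wrapping the local in `sensitive()` (Terraform ≥ 0.15) at least keeps the token out of plan output. Separately, the primary `target_region` reads `var.settings.defult_regional_replica_count` and `defult_storage_account_type` while the dynamic block reads `default_regional_replica_count`, so a caller setting the correctly spelt key only affects replica regions.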
diff --git a/modules/shared_image_gallery/gallery_application_version/variables.tf b/modules/shared_image_gallery/gallery_application_version/variables.tf new file mode 100644 index 0000000000..7ade5150d2 --- /dev/null +++ b/modules/shared_image_gallery/gallery_application_version/variables.tf @@ -0,0 +1,11 @@ +variable "client_config" {} +variable "global_settings" {} +variable "settings" {} +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} +variable "gallery_application_id" {} +variable "storage_accounts" {} +variable "storage_containers" {} +variable "location" {} \ No newline at end of file diff --git a/modules/shared_image_gallery/image_galleries/output.tf b/modules/shared_image_gallery/image_galleries/output.tf index 0f37985c92..6bd2fb0819 100644 --- a/modules/shared_image_gallery/image_galleries/output.tf +++ b/modules/shared_image_gallery/image_galleries/output.tf @@ -1,3 +1,11 @@ output "name" { value = azurerm_shared_image_gallery.gallery.name +} + +output "location" { + value = azurerm_shared_image_gallery.gallery.location +} + +output "id" { + value = azurerm_shared_image_gallery.gallery.id } \ No newline at end of file diff --git a/shared_image_gallery.tf b/shared_image_gallery.tf index f21b3b9035..ba92588c18 100644 --- a/shared_image_gallery.tf +++ b/shared_image_gallery.tf 
@@ -78,3 +78,44 @@ module "packer_build" { #azurerm_role_assignment.for, # NOTE: Deactivated this direct dependency due to Cycle error ] } + +module "gallery_application" { + source = "./modules/shared_image_gallery/gallery_application" + for_each = try(local.shared_services.gallery_application, {}) + + base_tags = local.global_settings.inherit_tags + client_config = local.client_config + global_settings = local.global_settings + gallery_id = module.shared_image_galleries[each.value.shared_image_gallery_destination.gallery_key].id + location = module.shared_image_galleries[each.value.shared_image_gallery_destination.gallery_key].location + settings = each.value + depends_on = [ + module.shared_image_galleries + ] +} + +module "gallery_application_version" { + source = "./modules/shared_image_gallery/gallery_application_version" + for_each = try(local.shared_services.gallery_application_version, {}) + + base_tags = local.global_settings.inherit_tags + client_config = local.client_config + global_settings = local.global_settings + gallery_application_id = module.gallery_application[each.value.gallery_application.gallery_key].id + location = module.gallery_application[each.value.gallery_application.gallery_key].location + storage_accounts = local.combined_objects_storage_accounts + storage_containers = local.combined_objects_storage_containers + settings = each.value + depends_on = [ + module.shared_image_galleries, + module.gallery_application + ] +} + +output "gallery_application" { + value = module.gallery_application +} + +output "gallery_application_version" { + value = module.gallery_application_version +} \ No newline at end of file From 97a591b2b175c3681b72a60ae55c3aa5e70a6ca0 Mon Sep 17 00:00:00 2001 
From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Tue, 12 Mar 2024 16:34:46 +0100 Subject: [PATCH 228/244] Feature/route table import (#47) * gallery app * feature: route table import
--- networking.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/networking.tf b/networking.tf
index f906002385..a3cd729c74 100644
--- a/networking.tf
+++ b/networking.tf
@@ -259,7 +259,7 @@ resource "azurecaf_name" "route_tables" {
 prefixes = local.global_settings.prefixes
 random_length = local.global_settings.random_length
 clean_input = true
- passthrough = local.global_settings.passthrough
+ passthrough = can( each.value.passthrough ) ? true : local.global_settings.passthrough
 use_slug = local.global_settings.use_slug
 }
From 1d7711db8da9c9a33bff3dd2d346f20f795f12e2 Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Mon, 25 Mar 2024 17:25:35 +0100 Subject: [PATCH 229/244] - replaced deprecated option disabled_rules (#49) in azurerm_web_application_firewall_policy Co-authored-by: Najeeb Vayal Valappil
--- .../application_gateway_waf_policies/waf_policy.tf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/networking/application_gateway_waf_policies/waf_policy.tf b/modules/networking/application_gateway_waf_policies/waf_policy.tf
index ab0da3fa8a..ffad0c8823 100644
--- a/modules/networking/application_gateway_waf_policies/waf_policy.tf
+++ b/modules/networking/application_gateway_waf_policies/waf_policy.tf
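Review bot: `can(each.value.passthrough)` is true whenever the attribute is present, whatever its value, so a route table configured with `passthrough = false` to force CAF naming gets `true` and its raw name is used verbatim; the per-object value is never read. Use `passthrough = try(each.value.passthrough, local.global_settings.passthrough)` so an explicit value is honoured and absence still falls back to the global setting. The enclosing `azurecaf_name` resource starts outside the hunk.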
@@ -83,7 +83,16 @@ resource "azurerm_web_application_firewall_policy" "wafpolicy" {
 for_each = try(managed_rule_set.value.rule_group_override, {})
 content {
 rule_group_name = rule_group_override.value.rule_group_name
- disabled_rules = try(rule_group_override.value.disabled_rules, null)
+ dynamic "rule" {
+ for_each = {
+ for key, value in try(rule_group_override.value.rules, {}) : key => value
+ }
+ content {
+ id = rule.value.id
+ enabled = try(rule.value.enabled, null)
+ action = try(rule.value.action, null)
+ }
+ }
 }
 }
 }
From 1fcb1b87f5cec6ceee812570991d8ac644afeeb9 Mon Sep 17 00:00:00 2001 From: najeebvv <79649322+najeebvv@users.noreply.github.com> Date: Tue, 26 Mar 2024 13:16:28 +0100 Subject: [PATCH 230/244] feature: (#50) added - list support for status and levels Co-authored-by: Najeeb Vayal Valappil
--- modules/monitoring/monitor_activity_log_alert/module.tf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/modules/monitoring/monitor_activity_log_alert/module.tf b/modules/monitoring/monitor_activity_log_alert/module.tf
index a2b2ec515a..c5b5b8344d 100644
--- a/modules/monitoring/monitor_activity_log_alert/module.tf
+++ b/modules/monitoring/monitor_activity_log_alert/module.tf
@@ -35,7 +35,9 @@ resource "azurerm_monitor_activity_log_alert" "mala" {
 )
 caller = try(criteria.value.caller, null)
 level = try(criteria.value.level, null)
+ levels = try(criteria.value.levels, null)
 status = try(criteria.value.status, null)
+ statuses = try(criteria.value.statuses, null)
 sub_status = try(criteria.value.sub_status, null)
 recommendation_type = try(criteria.value.recommendation_type, null)
 recommendation_category = try(criteria.value.recommendation_category, null)
From ba7690831ff148c3a12ff5d374412dc643b4c46a Mon Sep 17 00:00:00 2001
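Review bot: `disabled_rules` is removed with no migration path, so an existing `rule_group_override` that still carries `disabled_rules` now yields zero `rule` blocks and every rule it had switched off silently flips back to enabled on the next apply - the change surfaces as blocked traffic, not as a plan error. Either map the legacy key onto the new block (`for id in try(rule_group_override.value.disabled_rules, []) : id => { id = id, enabled = false }`, merged with `rules`) or reject it with a precondition. Also confirm the provider's default for `enabled` before passing `null`: if the schema defaults it to `false`, a `rules` entry that only sets `action` disables that rule. The `{ for key, value in ... : key => value }` wrapper is an identity comprehension; `for_each = try(rule_group_override.value.rules, {})` reads the same.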
From: "janik.muenk" Date: Wed, 27 Mar 2024 11:51:28 +0000 Subject: [PATCH 231/244] feat:(connection-monitor): adding capability to reference diagnostic log anayltics --- modules/networking/network_connection_monitor/module.tf | 6 +++++- modules/networking/network_connection_monitor/variables.tf | 4 +++- networking_connection_monitor.tf | 1 + 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/modules/networking/network_connection_monitor/module.tf b/modules/networking/network_connection_monitor/module.tf index ad7ad397fd..f627b2e89f 100644 --- a/modules/networking/network_connection_monitor/module.tf +++ b/modules/networking/network_connection_monitor/module.tf @@ -126,11 +126,15 @@ locals { key => var.combined_objects_log_analytics[try(value.lz_key, var.client_config.landingzone_key)][value.key].id if try(value.key, null) != null } + workspace_id_from_diagnostics = {for key, value in var.diagnostics.log_analytics : + key => value.id + if try(value.diagnostic_log_destination_key, null) != null + } workspace_from_ids = { for key, value in var.settings.output_workspaces : key => value.id if try(value.id, null) != null } - workspace_ids = concat(values(local.workspace_ids_from_keys), values(local.workspace_from_ids)) + workspace_ids = concat(values(local.workspace_ids_from_keys), values(local.workspace_from_ids), values(local.workspace_id_from_diagnostics)) name = var.network_watcher_name != null ? var.network_watcher_name : format("NetworkWatcher_%s", var.location) resource_group_name = var.network_watcher_resource_group_name != null ? var.network_watcher_resource_group_name : "NetworkWatcherRG" diff --git a/modules/networking/network_connection_monitor/variables.tf b/modules/networking/network_connection_monitor/variables.tf index 872b685bac..c072e2c9e7 100644 --- a/modules/networking/network_connection_monitor/variables.tf +++ b/modules/networking/network_connection_monitor/variables.tf 
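Review bot: `workspace_id_from_diagnostics` walks every entry of `var.diagnostics.log_analytics` and keeps any that has a `diagnostic_log_destination_key`, with nothing tying the selection to this monitor's `var.settings`; if that attribute is commonly present on the shared diagnostics object, every connection monitor will ship its results to every such workspace, including ones from other landing zones. `var.diagnostics` is also declared with `default = {}` in this same commit, so `var.diagnostics.log_analytics` errors for any caller that omits it; use `try(var.diagnostics.log_analytics, {})` and filter on a destination key named in the monitor's settings rather than on mere presence. The `locals` block starts before the hunk.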
@@ -32,7 +32,9 @@ variable "network_watcher_id" { default = null } variable "combined_objects_log_analytics" {} - +variable "diagnostics" { + default = {} +} variable "endpoint_objects" { description = "map of possible endpoint objects from caf" diff --git a/networking_connection_monitor.tf b/networking_connection_monitor.tf index 1104635bb9..8c4b908caa 100644 --- a/networking_connection_monitor.tf +++ b/networking_connection_monitor.tf @@ -15,6 +15,7 @@ module "network_connection_monitors" { network_watcher_name = try(each.value.network_watcher_name, null) combined_objects_log_analytics = local.combined_objects_log_analytics + diagnostics = local.combined_diagnostics endpoint_objects = { virtual_subnets = local.combined_objects_virtual_subnets From 5a1f72965d0a4fe5aa305ba8b0b100ab65c6b530 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Tue, 14 May 2024 08:01:26 +0000 Subject: [PATCH 232/244] fix(logic-apps): #1973 - adding version, fixing identity assignment --- logic_app.tf | 32 +++++++++---------- .../logic_app/standard/managed_identities.tf | 17 ---------- modules/logic_app/standard/module.tf | 19 ++++++++--- modules/logic_app/standard/variables.tf | 8 ++--- 4 files changed, 35 insertions(+), 41 deletions(-) delete mode 100644 modules/logic_app/standard/managed_identities.tf diff --git a/logic_app.tf b/logic_app.tf index 47d15f8b1e..a592845324 100644 --- a/logic_app.tf +++ b/logic_app.tf 
@@ -140,23 +140,23 @@ module "logic_app_standard" { for_each = local.logic_app.logic_app_standard - global_settings = local.global_settings - client_config = local.client_config - settings = each.value - resource_groups = local.combined_objects_resource_groups - storage_accounts = local.combined_objects_storage_accounts - app_service_plans = local.combined_objects_app_service_plans - app_settings = try(each.value.app_settings, null) - subnets = local.combined_objects_networking - identity = try(each.value.identity, null) - private_endpoints = try(each.value.private_endpoints, {}) - private_dns = local.combined_objects_private_dns - vnets = local.combined_objects_networking - virtual_subnets = local.combined_objects_virtual_subnets - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} - vnet_integration = try(each.value.vnet_integration, {}) + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + resource_groups = local.combined_objects_resource_groups + storage_accounts = local.combined_objects_storage_accounts + app_service_plans = local.combined_objects_app_service_plans + app_settings = try(each.value.app_settings, null) + subnets = local.combined_objects_networking + private_endpoints = try(each.value.private_endpoints, {}) + private_dns = local.combined_objects_private_dns + vnets = local.combined_objects_networking + virtual_subnets = local.combined_objects_virtual_subnets + base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + vnet_integration = try(each.value.vnet_integration, {}) + managed_identities = local.combined_objects_managed_identities } output "logic_app_standard" { value = module.logic_app_standard -} \ No newline at end of file +} 
diff --git a/modules/logic_app/standard/managed_identities.tf b/modules/logic_app/standard/managed_identities.tf deleted file mode 100644 index cb18c82023..0000000000 --- a/modules/logic_app/standard/managed_identities.tf +++ /dev/null @@ -1,17 +0,0 @@ -locals { - managed_local_identities = flatten([ - for managed_identity_key in try(var.identity.managed_identity_keys, []) : [ - var.combined_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id - ] - ]) - - managed_remote_identities = flatten([ - for keyvault_key, value in try(var.identity.remote, []) : [ - for managed_identity_key in value.managed_identity_keys : [ - var.combined_objects.managed_identities[keyvault_key][managed_identity_key].id - ] - ] - ]) - - managed_identities = concat(local.managed_local_identities, local.managed_remote_identities) -} \ No newline at end of file diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index a2391387a2..5d6444eb1f 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf @@ -17,6 +17,9 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { storage_account_access_key = local.storage_account.primary_access_key https_only = lookup(var.settings, "https_only", null) app_settings = local.app_settings + version = lookup(var.settings, "version", null) + + app_settings = local.app_settings dynamic "site_config" { for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : [] 
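Review bot: The hunk adds a second `app_settings = local.app_settings` three lines below the existing one (both are visible in the hunk), and HCL rejects a repeated attribute in a resource body with "Attribute redefined", so the file will not pass `terraform validate` as written. Keep only `version = lookup(var.settings, "version", null)` and drop the duplicated line and the blank line added with it. The `azurerm_logic_app_standard` resource starts outside the hunk.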
@@ -42,14 +45,22 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } } } + dynamic "identity" { + for_each = lookup(var.settings, "identity", {}) != {} ? [1] : [] + content { + type = lookup(var.settings.identity, "type", null) + identity_ids = try(try(lookup(var.settings.identity, "identity_ids"), [try(var.managed_identities[var.client_config.landingzone_key][var.settings.identity.key].id, var.managed_identities[var.settings.identity.lz_key][var.settings.identity.key].id)]), null) + } + } + } resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 + depends_on = [azurerm_logic_app_standard.logic_app_standard] + count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) + subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, + try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) } \ No newline at end of file diff --git a/modules/logic_app/standard/variables.tf b/modules/logic_app/standard/variables.tf index 8cce8a818e..7521d7fb84 100644 --- a/modules/logic_app/standard/variables.tf 
+++ b/modules/logic_app/standard/variables.tf @@ -34,9 +34,6 @@ variable "vnets" { variable "base_tags" { default = {} } -variable "identity" { - default = null -} variable "combined_objects" { default = {} } @@ -45,4 +42,7 @@ variable "virtual_subnets" { } variable "vnet_integration" { default = {} -} \ No newline at end of file +} +variable "managed_identities" { + default = {} +} From 7c961e62eba7d30e98568c6970387f4631a951d2 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 17 May 2024 09:36:00 +0000 Subject: [PATCH 233/244] fix: bool is expected --- logic_app.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logic_app.tf b/logic_app.tf index a592845324..c2837dd247 100644 --- a/logic_app.tf +++ b/logic_app.tf @@ -152,7 +152,7 @@ module "logic_app_standard" { private_dns = local.combined_objects_private_dns vnets = local.combined_objects_networking virtual_subnets = local.combined_objects_virtual_subnets - base_tags = try(local.global_settings.inherit_tags, false) ? local.resource_groups[each.value.resource_group_key].tags : {} + base_tags = try(local.global_settings.inherit_tags, false) vnet_integration = try(each.value.vnet_integration, {}) managed_identities = local.combined_objects_managed_identities } From 342c36f42d8c782dfd28a0bac6f566cfc838b243 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Wed, 15 May 2024 13:12:29 +0000 Subject: [PATCH 234/244] fix: azurerm_logic_app_standard virtual_network_subnet_id is always reset --- modules/logic_app/standard/module.tf | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 5d6444eb1f..c1bf249115 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf 
@@ -18,7 +18,8 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 https_only = lookup(var.settings, "https_only", null)
 app_settings = local.app_settings
 version = lookup(var.settings, "version", null)
-
+ virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id,
+ try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.vnet_integration.subnet_key].id, var.virtual_subnets[var.settings.vnet_integration.lz_key][var.settings.vnet_integration.subnet_key].id)) : null
 app_settings = local.app_settings
 dynamic "site_config" {
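Review bot: The inner `try()` resolves `var.virtual_subnets[var.client_config.landingzone_key][subnet_key]` before `var.virtual_subnets[var.settings.vnet_integration.lz_key][subnet_key]`, so when `lz_key` points at a remote landing zone but the local one happens to have a subnet under the same `subnet_key`, the Logic App is silently integrated into the local subnet - a network mis-binding rather than an error. Resolve the landing zone once, as the `vnets` branch already does: `var.virtual_subnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.subnet_key].id`. The unparenthesised nested ternary would also be easier to audit as a `local`. The enclosing resource starts and ends outside the hunk.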
@@ -55,12 +56,12 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { } -resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { - depends_on = [azurerm_logic_app_standard.logic_app_standard] - count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 - - app_service_id = azurerm_logic_app_standard.logic_app_standard.id - subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, - try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) - -} \ No newline at end of file +#resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" { +# depends_on = [azurerm_logic_app_standard.logic_app_standard] +# count = lookup(var.settings, "vnet_integration", {}) != {} ? 1 : 0 +# +# app_service_id = azurerm_logic_app_standard.logic_app_standard.id +# subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, +# try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) +# +#} \ No newline at end of file From 7317f9a2d62c466888e0d9c295dc857d8aad3ec5 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 17 May 2024 11:00:19 +0000 Subject: [PATCH 235/244] feat: adding example --- .../configuration.tfvars | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars 
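Review bot: Commenting out `azurerm_app_service_virtual_network_swift_connection.vnet_config` leaves nine lines of dead code at the end of the file; delete the block (it remains in git history) or, if it is kept as a migration hint, say so in a one-line comment such as `# replaced by virtual_network_subnet_id on azurerm_logic_app_standard`. Operators with existing state will see Terraform plan the destruction of this resource while the new attribute takes over the integration; that expectation belongs in the commit message or the comment so the plan is not mistaken for the integration being dropped.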
diff --git a/examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars b/examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars new file mode 100644 index 0000000000..da855810fa --- /dev/null +++ b/examples/logic_app/110-logic_app_vnet_integration_private_endpoint_managed_identity/configuration.tfvars 
@@ -0,0 +1,97 @@ +resource_groups = { + la_test = { + name = "rg-logic-app" + } +} + +vnets = { + vnet = { + resource_group_key = "la_test" + vnet = { + name = "la-vnet" + address_space = ["10.0.0.0/24"] + } + subnets = { + private_endpoints_sn = { + name = "private-endpoints" + cidr = ["10.0.0.32/27"] + enforce_private_link_endpoint_network_policies = false + enforce_private_link_service_network_policies = false + } + la_test_subnet = { + name = "logic_apps" + cidr = ["10.0.0.64/27"] + delegation = { + name = "functions" + service_delegation = "Microsoft.Web/serverFarms" + actions = ["Microsoft.Network/virtualNetworks/subnets/action"] + } + } + } + } +} + +storage_accounts = { + sa1 = { + name = "la_sa" + resource_group_key = "la_test" + account_tier = "Standard" + account_replication_type = "LRS" + } +} + +managed_identities = { + logicapp_msi = { + name = "logicapp1-msi" + resource_group_key = "la_test" + } +} + + +app_service_plans = { + asp1 = { + name = "appserviceplan1" + resource_group_key = "la_test" + kind = "elastic" + + sku = { + tier = "WorkflowStandard" + size = "WS1" + } + } +} + +logic_app_standard = { + las1 = { + name = "logicapp1" + resource_group_key = "la_test" + app_service_plan_key = "asp1" + storage_account_key = "sa1" + version = "~4" + # Required for virtual network integration + vnet_integration = { + vnet_key = "vnet" + subnet_key = "la_test_subnet" + # lz_key = "" + # subnet_id = "" + } + identity = { + type = "UserAssigned" #SystemAssigned + key = "logicapp_msi" + #lz_key = "" + #identity_ids = ["/subscriptions/sub-id/resourceGroups/rg-id/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-id"] + } + private_endpoints = { + pe_la = { + private_service_connection = { + name = "pe_la_sc" + subresource_names = ["sites"] + } + name = "pe_la" + vnet_key = "vnet" + subnet_key = "private_endpoints_sn" + #lz_key = "" + } + } + } +} \ No newline at end of file From 0d9d67c76a416c6cbb296312646ff5de45c54eb5 Mon Sep 17 00:00:00 2001 
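Review bot: The example wires a private endpoint and VNet integration but never sets `https_only`, and the module only passes `lookup(var.settings, "https_only", null)` through, so the Logic App stays reachable over plain HTTP at the provider default; an example named for private endpoints should model the baseline with `https_only = true` under `las1`. The commented `#identity_ids = [...]` hint should match the key the module actually reads - the follow-up fix in this series reads `identity.ids` - or users will copy an attribute that is ignored. `enforce_private_link_endpoint_network_policies` is the deprecated spelling of the subnet setting; confirm the vnet module still maps it. `name = "la_sa"` is not a valid storage account name unless azurecaf strips the underscore, so an alphanumeric name would be safer in a copy-paste example.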
From: arne21a <42212708+arne21a@users.noreply.github.com> Date: Fri, 17 May 2024 09:26:03 +0200 Subject: [PATCH 236/244] Update modules/logic_app/standard/module.tf Co-authored-by: Arnaud Lheureux
--- modules/logic_app/standard/module.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index c1bf249115..c0f9e24b2d 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
@@ -50,7 +50,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 for_each = lookup(var.settings, "identity", {}) != {} ? [1] : []
 content {
 type = lookup(var.settings.identity, "type", null)
- identity_ids = try(try(lookup(var.settings.identity, "identity_ids"), [try(var.managed_identities[var.client_config.landingzone_key][var.settings.identity.key].id, var.managed_identities[var.settings.identity.lz_key][var.settings.identity.key].id)]), null)
+ identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null
 }
 }
From ce4a90b305f7b95b74ddd0c47c237821de7cfa5e Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Thu, 23 May 2024 11:01:47 +0000 Subject: [PATCH 237/244] fix: adding https_only flag
--- modules/logic_app/standard/module.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf
index c0f9e24b2d..4a26ad4df3 100644
--- a/modules/logic_app/standard/module.tf
+++ b/modules/logic_app/standard/module.tf
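Review bot: The replacement reads `var.settings.identity.ids`, whereas the removed expression (and the example added just before this commit) used `identity_ids`, so any configuration that follows the example's `#identity_ids = [...]` hint has its explicit list silently ignored and falls through to `key` or `null`. Either keep accepting the old key (`can(var.settings.identity.identity_ids) ? var.settings.identity.identity_ids : ...`) or update the example to `ids` in the same change. With `type = "SystemAssigned"` and a `key` present, `identity_ids` is still populated, which the provider rejects; gating the list on the type would give a clearer failure.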
@@ -18,10 +18,10 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 https_only = lookup(var.settings, "https_only", null)
 app_settings = local.app_settings
 version = lookup(var.settings, "version", null)
- virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id,
+ virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id,
 try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.vnet_integration.subnet_key].id, var.virtual_subnets[var.settings.vnet_integration.lz_key][var.settings.vnet_integration.subnet_key].id)) : null
 app_settings = local.app_settings
-
+ https_only = lookup(var.settings, "https_only", null)
 dynamic "site_config" {
 for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : []
@@ -49,7 +49,7 @@ resource "azurerm_logic_app_standard" "logic_app_standard" {
 dynamic "identity" {
 for_each = lookup(var.settings, "identity", {}) != {} ? [1] : []
 content {
- type = lookup(var.settings.identity, "type", null)
+ type = lookup(var.settings.identity, "type", null)
 identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null
 }
 }
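Review bot: The added `https_only = lookup(var.settings, "https_only", null)` duplicates the identical attribute four lines above in this hunk's context, and `app_settings = local.app_settings` already appears twice there as well; HCL reports "Attribute redefined" for either, so the resource does not validate and the commit cannot have fixed the flag it names. Remove the added line and the second `app_settings`, keeping one of each. Since the provider's documented default for `https_only` is `false`, consider `lookup(var.settings, "https_only", true)` so a Logic App is only exposed over HTTP when a caller opts in.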
@@ -64,4 +64,4 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { # subnet_id = can(var.vnet_integration.subnet_id) ? var.vnet_integration.subnet_id : try(var.vnets[try(var.vnet_integration.lz_key, var.client_config.landingzone_key)][var.vnet_integration.vnet_key].subnets[var.vnet_integration.subnet_key].id, # try(var.virtual_subnets[var.client_config.landingzone_key][var.vnet_integration.subnet_key].id, var.virtual_subnets[var.vnet_integration.lz_key][var.vnet_integration.subnet_key].id)) # -#} \ No newline at end of file +#} From 2de8097a440b915a990c3ecb0ffe023db52bcb4a Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Thu, 20 Jun 2024 13:26:19 +0000 Subject: [PATCH 238/244] feat(invoice-sections): adding invoice section creation and updating subscription creation to be able to reference them --- billing_invoice_section.tf | 13 ++++++++ .../configuration.tfvars | 31 +++++++++++++++++++ locals.combined_objects.tf | 1 + modules/billing/invoice_sections/main.tf | 18 +++++++++++ modules/billing/invoice_sections/module.tf | 29 +++++++++++++++++ modules/billing/invoice_sections/variables.tf | 13 ++++++++ modules/subscriptions/subscriptions.tf | 14 ++++++--- modules/subscriptions/variables.tf | 4 ++- subscriptions.tf | 4 +++ variables.tf | 5 ++- 10 files changed, 126 insertions(+), 6 deletions(-) create mode 100644 billing_invoice_section.tf create mode 100644 examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars create mode 100644 modules/billing/invoice_sections/main.tf create mode 100644 modules/billing/invoice_sections/module.tf create mode 100644 modules/billing/invoice_sections/variables.tf diff --git a/billing_invoice_section.tf b/billing_invoice_section.tf new file mode 100644 index 0000000000..59eaf7f725 --- /dev/null +++ b/billing_invoice_section.tf 
@@ -0,0 +1,13 @@ +module "invoice_section" { + source = "./modules/billing/invoice_sections" + for_each = var.invoice_sections + + global_settings = local.global_settings + client_config = local.client_config + settings = each.value + base_tags = local.global_settings.inherit_tags +} + +output "invoice_sections" { + value = module.invoice_section +} \ No newline at end of file diff --git a/examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars b/examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars new file mode 100644 index 0000000000..539224c2b1 --- /dev/null +++ b/examples/subscriptions/102-create-subscription-with-mca-invoice-section/configuration.tfvars @@ -0,0 +1,31 @@ +subscriptions = { + + sandbox = { + name = "my-sandbox" + create_alias = true + billing_account_name = "0000000-0000-0000-0000-0000000:000000-0000-0000-0000-00000000_2019-05-31" + billing_profile_name = "XXXX-XXXX-XXX-XXX" + #invoice_section_name = "XXXX-XXXX-XXX-XXX" + invoice_section_key = "section_1" + #invoice_section_lz_key = "" + management_group_id = "caf-sandbox-landingzones" + workload = "DevTest" + tags = { + owner = "Cloud Platform Team" + } + } +} + +invoice_sections = { + section_1 = { + name = "sandbox-automation-invoice-section" + billing_account_id = "0000000-0000-0000-0000-0000000:000000-0000-0000-0000-00000000_2019-05-31" + billing_profile_id = "XXXX-XXXX-XXX-XXX" + labels = { + "foo" = "baz" + } + tags = { + "tagA" = "valueA" + } + } +} \ No newline at end of file diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index 2becc455b8..a2c0856b82 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -91,6 +91,7 @@ locals { combined_objects_gallery_application_version = merge(tomap({ (local.client_config.landingzone_key) = module.gallery_application_version }), try(var.remote_objects.gallery_application_version, {})) combined_objects_image_definitions = merge(tomap({ (local.client_config.landingzone_key) = module.image_definitions }), lookup(var.remote_objects, "image_definitions", {})) combined_objects_integration_service_environment = merge(tomap({ (local.client_config.landingzone_key) = module.integration_service_environment }), lookup(var.remote_objects, "integration_service_environment", {})) + combined_objects_invoice_sections = merge(tomap({ (local.client_config.landingzone_key) = module.invoice_section }), try(var.remote_objects.invoice_sections, {})) combined_objects_iot_central_application = merge(tomap({ (local.client_config.landingzone_key) = module.iot_central_application }), lookup(var.remote_objects, "iot_central_application", {})) combined_objects_iot_dps_certificate = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_certificate }), lookup(var.remote_objects, "iot_dps_certificate", {})) combined_objects_iot_dps_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_dps_shared_access_policy }), lookup(var.remote_objects, "iot_dps_shared_access_policy", {})) diff --git a/modules/billing/invoice_sections/main.tf b/modules/billing/invoice_sections/main.tf new file mode 100644 index 0000000000..4b5407c44a --- /dev/null +++ b/modules/billing/invoice_sections/main.tf @@ -0,0 +1,18 @@ +locals { + tags = var.base_tags ? merge( + var.global_settings.tags, + try(var.settings.tags, null) + ) : try(var.settings.tags, null) +} + +terraform { + required_providers { + azurecaf = { + source = "aztfmod/azurecaf" + } + azapi = { + source = "azure/azapi" + version = "~> 1.6.0" + } + } +} 
diff --git a/modules/billing/invoice_sections/module.tf b/modules/billing/invoice_sections/module.tf new file mode 100644 index 0000000000..0a49d498df --- /dev/null +++ b/modules/billing/invoice_sections/module.tf @@ -0,0 +1,29 @@ +resource "azapi_resource" "invoice_section" { + type = "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections@2020-05-01" + name = var.settings.name + parent_id = format("/providers/Microsoft.Billing/billingAccounts/%s/billingProfiles/%s", var.settings.billing_account_id, var.settings.billing_profile_id) + response_export_values = ["properties.displayName"] + body = jsonencode({ + properties = { + displayName = var.settings.name + labels = try(var.settings.labels, null) + tags = local.tags + } + }) +} + +output "id" { + value = azapi_resource.invoice_section.id +} +output "name" { + value = var.settings.name +} +output "display_name" { + value = jsondecode(azapi_resource.invoice_section.output).properties.displayName +} +output "billing_account_id" { + value = var.settings.billing_account_id +} +output "billing_profile_id" { + value = var.settings.billing_profile_id +} diff --git a/modules/billing/invoice_sections/variables.tf b/modules/billing/invoice_sections/variables.tf new file mode 100644 index 0000000000..e3f1e1db50 --- /dev/null +++ b/modules/billing/invoice_sections/variables.tf @@ -0,0 +1,13 @@ +variable "global_settings" { + description = "Global settings object (see module README.md)" +} +variable "client_config" { + description = "Client configuration object (see module README.md)." +} + +variable "settings" {} + +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} \ No newline at end of file diff --git a/modules/subscriptions/subscriptions.tf b/modules/subscriptions/subscriptions.tf index 433fc473e8..7c4d6b1592 100644 --- a/modules/subscriptions/subscriptions.tf +++ b/modules/subscriptions/subscriptions.tf 
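Review bot: `labels` and `tags` are serialised as JSON `null` whenever they are unset (`try(var.settings.labels, null)`, and `local.tags` is `null` when neither base tags nor `settings.tags` exist), and azapi sends the body verbatim; if the Billing API rejects or rewrites null properties the resource fails or shows a perpetual diff, so default them to empty maps (`labels = try(var.settings.labels, {})`, `tags = coalesce(local.tags, {})`) or omit the keys. `name` is passed straight to the API, while main.tf declares the `azurecaf` provider this module never uses - either apply CAF naming as the rest of the repository does or drop the unused `required_providers` entry. `response_export_values` plus `jsondecode(...output)` is the azapi 1.x shape and the module pins `~> 1.6.0`; a short comment on the output would spare whoever bumps the provider a surprise.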
@@ -6,7 +6,7 @@ data "azurerm_billing_enrollment_account_scope" "sub" {
 }
 data "azurerm_billing_mca_account_scope" "sub" {
- count = try(var.settings.subscription_id, null) == null && var.subscription_key != "logged_in_subscription" && try(var.settings.billing_profile_name, null) != null ? 1 : 0
+ count = !can(var.settings.subscription_id) && var.subscription_key != "logged_in_subscription" && can(var.settings.billing_profile_name) && !can(var.settings.invoice_section_key) ? 1 : 0
 billing_account_name = var.settings.billing_account_name
 billing_profile_name = var.settings.billing_profile_name
@@ -19,9 +19,10 @@ resource "azurerm_subscription" "sub" {
 alias = try(var.settings.alias, null) == null ? var.subscription_key : var.settings.alias
 subscription_name = var.settings.name
 subscription_id = try(var.settings.subscription_id, null) != null ? var.settings.subscription_id : null
- billing_scope_id = try(var.settings.billing_scope_id, null) == null ? try(data.azurerm_billing_enrollment_account_scope.sub.0.id, data.azurerm_billing_mca_account_scope.sub.0.id, null) : var.settings.billing_scope_id
- workload = try(var.settings.workload, null)
- tags = try(var.tags, null)
+ billing_scope_id = can(local.billing_scope_id) ? local.billing_scope_id : try(data.azurerm_billing_enrollment_account_scope.sub.0.id, data.azurerm_billing_mca_account_scope.sub.0.id, null)
+
+ workload = try(var.settings.workload, null)
+ tags = try(var.tags, null)
 lifecycle {
 ignore_changes = [
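Review bot: `can(local.billing_scope_id)` is always true - `can()` only reports whether evaluation errors, and the local already wraps its value in `try(..., null)` - so the `: try(data...)` fallback on `billing_scope_id` is dead code and the attribute is simply `local.billing_scope_id`; write it that way and let the local own the precedence. That precedence has also flipped: the old expression preferred an explicit `settings.billing_scope_id` over the data sources, while `coalesce(billing_scope_by_name, billing_scope_by_key)` now lets a data-source scope win whenever `billing_profile_name` is also set, so a user who supplied both gets a different billing scope than before. Likewise `!can(var.settings.subscription_id)` is true only when the key is absent; `subscription_id = null` in tfvars now suppresses the MCA lookup where the old `try(...) == null` test did not.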
@@ -29,6 +30,11 @@ resource "azurerm_subscription" "sub" { ] } } +locals { + billing_scope_by_name = try(data.azurerm_billing_enrollment_account_scope.sub.0.id, data.azurerm_billing_mca_account_scope.sub.0.id, null) + billing_scope_by_key = try((can(var.billing_scope_id) ? var.billing_scope_id : null), (can(var.settings.billing_scope_id) ? var.settings.billing_scope_id : null), null) + billing_scope_id = try(coalesce(local.billing_scope_by_name, local.billing_scope_by_key), null) +} resource "null_resource" "refresh_access_token" { diff --git a/modules/subscriptions/variables.tf b/modules/subscriptions/variables.tf index c8b3fb97fe..1cfadf5e64 100644 --- a/modules/subscriptions/variables.tf +++ b/modules/subscriptions/variables.tf @@ -10,7 +10,9 @@ variable "client_config" {} variable "global_settings" { description = "Global settings object (see module README.md)" } - +variable "billing_scope_id" { + default = {} +} # For diagnostics settings variable "diagnostics" { default = {} diff --git a/subscriptions.tf b/subscriptions.tf index fd8bc0abbc..4d9dda29bf 100644 --- a/subscriptions.tf +++ b/subscriptions.tf @@ -7,11 +7,14 @@ module "subscriptions" { global_settings = local.global_settings subscription_key = each.key settings = each.value + # billing_scope_id can also be set by tfvars (var.settings). This is only the way to inject billing_scope_id by key + billing_scope_id = can(each.value.invoice_section_key) ? local.combined_objects_invoice_sections[try(each.value.invoice_section_lz_key, local.client_config.landingzone_key)][each.value.invoice_section_key].id : null client_config = local.client_config diagnostics = local.combined_diagnostics tags = merge(var.tags, lookup(each.value, "tags", {})) } + module "subscription_billing_role_assignments" { source = "./modules/subscription_billing_role_assignment" for_each = var.subscription_billing_role_assignments 
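Review bot: `billing_scope_by_key` makes the tfvars `settings.billing_scope_id` unreachable from this root: `try()` returns the first expression that does not error, and `can(var.billing_scope_id) ? var.billing_scope_id : null` never errors because the variable is declared, so when the root passes `billing_scope_id = null` (no `invoice_section_key`) the result is null and the second alternative is never evaluated — contradicting the root-level comment that says tfvars can still supply it. The `coalesce` order is also inverted relative to the removed code: a scope looked up by `billing_profile_name` now wins over an explicitly configured scope id, so a subscription can end up billed to a different invoice section than the one the operator pinned. Suggested: `billing_scope_by_key = try(coalesce(try(var.billing_scope_id, null), try(var.settings.billing_scope_id, null)), null)` and `billing_scope_id = try(coalesce(local.billing_scope_by_key, local.billing_scope_by_name), null)`.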
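Review bot: `variable "billing_scope_id"` is given `default = {}` but is consumed as a string (a billing scope resource id) inside `coalesce()` in this module's locals; a caller that omits the variable therefore triggers a type-mismatch inside `coalesce` that the surrounding `try()` swallows into null, hiding the misconfiguration instead of reporting it. Declare it `type = string`, `default = null`, with a description such as `# Billing scope id resolved at the root from invoice_section_key; overrides settings.billing_scope_id`.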
@@ -31,3 +34,4 @@ module "subscription_billing_role_assignments" { output "subscriptions" { value = module.subscriptions } + diff --git a/variables.tf b/variables.tf index 5e07e2304f..5c271ce96e 100644 --- a/variables.tf +++ b/variables.tf @@ -453,4 +453,7 @@ variable "load_test" { variable "cost_anomaly_alert" { default = {} -} \ No newline at end of file +} +variable "invoice_sections" { + default = {} +} From ac699c2eb4470f9350309e28785daf8c7977561e Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Tue, 1 Oct 2024 08:15:38 +0000 Subject: [PATCH 239/244] fix: fixing bad conflict resolve --- compute_virtual_machines.tf | 3 ++- compute_virtual_machines_scale_sets.tf | 16 ++++++++-------- locals.combined_objects.tf | 3 ++- modules/compute/aks/aks.tf | 1 - modules/logic_app/standard/module.tf | 2 -- storage_container.tf | 1 + 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf index 267e87986a..d0ef49fafb 100644 --- a/compute_virtual_machines.tf +++ b/compute_virtual_machines.tf @@ -12,7 +12,8 @@ module "virtual_machines" { module.packer_service_principal, module.proximity_placement_groups, module.storage_account_blobs, - time_sleep.azurerm_role_assignment_for[0] + # triggers cyclic dependency + #time_sleep.azurerm_role_assignment_for[0] ] for_each = local.compute.virtual_machines diff --git a/compute_virtual_machines_scale_sets.tf b/compute_virtual_machines_scale_sets.tf index 7b09d02b5f..8ef1ac29cb 100644 --- a/compute_virtual_machines_scale_sets.tf +++ b/compute_virtual_machines_scale_sets.tf 
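Review bot: Commenting out `time_sleep.azurerm_role_assignment_for[0]` from `depends_on` removes the only visible ordering between role-assignment propagation and VM creation; a VM whose identity or extensions rely on an RBAC grant (Key Vault certificate retrieval, script download from storage) can now be created before the assignment has propagated, which shows up as intermittent authorization failures on a first apply rather than a reproducible error. If the cycle cannot be broken another way, make the comment say what was lost rather than only why: `# time_sleep.azurerm_role_assignment_for removed (cyclic dependency); VM creation no longer waits for RBAC propagation`. Depending directly on the module that produces the assignments, if that does not close the cycle, would keep the guarantee. The module block continues outside the hunk.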
@@ -3,18 +3,18 @@ module "virtual_machine_scale_sets" { source = "./modules/compute/virtual_machine_scale_set" depends_on = [ + module.application_gateways, + module.application_security_groups, module.availability_sets, module.dynamic_keyvault_secrets, - module.keyvault_access_policies, module.keyvault_access_policies_azuread_apps, - module.proximity_placement_groups, - time_sleep.azurerm_role_assignment_for[0] - #module.load_balancers, - module.application_gateways, - module.application_security_groups, - module.packer_service_principal, + module.keyvault_access_policies, + module.load_balancers, module.packer_build, - module.proximity_placement_groups + module.packer_service_principal, + module.proximity_placement_groups, + # triggers cyclic dependency + #time_sleep.azurerm_role_assignment_for[0] ] for_each = local.compute.virtual_machine_scale_sets diff --git a/locals.combined_objects.tf b/locals.combined_objects.tf index a2c0856b82..c0719b2a29 100644 --- a/locals.combined_objects.tf +++ b/locals.combined_objects.tf 
@@ -100,7 +100,6 @@ locals {
 combined_objects_iot_hub_consumer_groups = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_consumer_groups }), lookup(var.remote_objects, "iot_hub_consumer_groups", {}))
 combined_objects_iot_hub_dps = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_dps }), lookup(var.remote_objects, "iot_hub_dps", {}))
 combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), lookup(var.remote_objects, "iot_hub_shared_access_policy", {}))
- combined_objects_iot_hub_shared_access_policy = merge(tomap({ (local.client_config.landingzone_key) = module.iot_hub_shared_access_policy }), try(var.remote_objects.iot_hub_shared_access_policy, {}))
 combined_objects_iot_security_device_group = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_device_group }), lookup(var.remote_objects, "iot_security_device_group", {}))
 combined_objects_iot_security_solution = merge(tomap({ (local.client_config.landingzone_key) = module.iot_security_solution }), lookup(var.remote_objects, "iot_security_solution", {}))
 combined_objects_keyvault_certificate_requests = merge(tomap({ (local.client_config.landingzone_key) = module.keyvault_certificate_requests }), lookup(var.remote_objects, "keyvault_certificate_requests", {}))
@@ -156,6 +155,7 @@ locals {
 combined_objects_relay_namespace = merge(tomap({ (local.client_config.landingzone_key) = module.relay_namespace }), try(var.remote_objects.relay_namespace, {}))
 combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = local.resource_groups }), try(var.remote_objects.resource_groups, {}), try(var.data_sources.resource_groups, {}))
 combined_objects_route_tables = merge(tomap({ (local.client_config.landingzone_key) = module.route_tables }), try(var.remote_objects.route_tables, {}))
+ combined_objects_search_services = merge(tomap({ (local.client_config.landingzone_key) = module.search_service }), lookup(var.remote_objects, "search_services", {}), lookup(var.data_sources, "search_services", {}))
 combined_objects_sentinel_watchlists = merge(tomap({ (local.client_config.landingzone_key) = module.sentinel_watchlists }), try(var.remote_objects.sentinel_watchlists, {}))
 combined_objects_servicebus_namespaces = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_namespaces }), try(var.remote_objects.servicebus_namespaces, {}))
 combined_objects_servicebus_queues = merge(tomap({ (local.client_config.landingzone_key) = module.servicebus_queues }), try(var.remote_objects.servicebus_queues, {}))
@@ -182,6 +182,7 @@ locals {
 combined_objects_vmware_express_route_authorizations = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_express_route_authorizations }), try(var.remote_objects.vmware_express_route_authorizations, {}))
 combined_objects_vmware_private_clouds = merge(tomap({ (local.client_config.landingzone_key) = module.vmware_private_clouds }), try(var.remote_objects.vmware_private_clouds, {}), try(var.data_sources.vmware_private_clouds, {}))
 combined_objects_vpn_gateway_connections = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_connections }), try(var.remote_objects.vpn_gateway_connections, {}))
+ combined_objects_vpn_gateway_nat_rules = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_gateway_nat_rules }), lookup(var.remote_objects, "vpn_gateway_nat_rules", {}))
 combined_objects_vpn_sites = merge(tomap({ (local.client_config.landingzone_key) = module.vpn_sites }), try(var.remote_objects.vpn_sites, {}))
 combined_objects_web_pubsub_hubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsub_hubs }), try(var.remote_objects.web_pubsub_hubs, {}))
 combined_objects_web_pubsubs = merge(tomap({ (local.client_config.landingzone_key) = module.web_pubsubs }), try(var.remote_objects.web_pubsubs, {}))
diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf
index e999dafd3d..1ec9d71196 100644
--- a/modules/compute/aks/aks.tf
+++ b/modules/compute/aks/aks.tf
@@ -70,7 +70,6 @@ resource "azurerm_kubernetes_cluster" "aks" { capacity_reservation_group_id = try(var.settings.capacity_reservation_group_id, null) custom_ca_trust_enabled = try(var.settings.custom_ca_trust_enabled, null) host_group_id = try(var.settings.host_group_id, null) - temporary_name_for_rotation = try(var.settings.default_node_pool.temporary_name_for_rotation, null) pod_subnet_id = can(var.settings.default_node_pool.pod_subnet_key) == false || can(var.settings.default_node_pool.pod_subnet.key) == false || can(var.settings.default_node_pool.pod_subnet_id) || can(var.settings.default_node_pool.pod_subnet.resource_id) ? try(var.settings.default_node_pool.pod_subnet_id, var.settings.default_node_pool.pod_subnet.resource_id, null) : var.vnets[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.vnet_key].subnets[try(var.settings.default_node_pool.pod_subnet_key, var.settings.default_node_pool.pod_subnet.key)].id vnet_subnet_id = can(var.settings.default_node_pool.vnet_subnet_id) || can(var.settings.default_node_pool.subnet.resource_id) ? try(var.settings.default_node_pool.vnet_subnet_id, var.settings.default_node_pool.subnet.resource_id) : var.vnets[try(var.settings.vnet.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.vnet.key, var.settings.vnet_key)].subnets[try(var.settings.default_node_pool.subnet_key, var.settings.default_node_pool.subnet.key)].id diff --git a/modules/logic_app/standard/module.tf b/modules/logic_app/standard/module.tf index 4a26ad4df3..ed5249fb9c 100644 --- a/modules/logic_app/standard/module.tf +++ b/modules/logic_app/standard/module.tf 
@@ -20,8 +20,6 @@ resource "azurerm_logic_app_standard" "logic_app_standard" { version = lookup(var.settings, "version", null) virtual_network_subnet_id = lookup(var.settings, "vnet_integration", null) != null ? can(var.settings.vnet_integration.subnet_id) ? var.settings.vnet_integration.subnet_id : try(var.vnets[try(var.settings.vnet_integration.lz_key, var.client_config.landingzone_key)][var.settings.vnet_integration.vnet_key].subnets[var.settings.vnet_integration.subnet_key].id, try(var.virtual_subnets[var.client_config.landingzone_key][var.settings.vnet_integration.subnet_key].id, var.virtual_subnets[var.settings.vnet_integration.lz_key][var.settings.vnet_integration.subnet_key].id)) : null - app_settings = local.app_settings - https_only = lookup(var.settings, "https_only", null) dynamic "site_config" { for_each = lookup(var.settings, "site_config", {}) != {} ? [1] : [] diff --git a/storage_container.tf b/storage_container.tf index 0664970160..0f546ae5a5 100644 --- a/storage_container.tf +++ b/storage_container.tf @@ -1,5 +1,6 @@ module "storage_containers" { source = "./modules/storage_account/container/" + # triggers cyclic dependency depends_on = [time_sleep.azurerm_role_assignment_for] for_each = local.storage.storage_containers From 2feb313418880db446690f33e58507fd78df5e22 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Fri, 4 Oct 2024 08:32:29 +0000 Subject: [PATCH 240/244] fix: cyclic dependencies --- modules/storage_account/storage_account.tf | 3 ++- storage_container.tf | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/storage_account/storage_account.tf b/modules/storage_account/storage_account.tf index 17701d7039..5b660a1e78 100644 --- a/modules/storage_account/storage_account.tf +++ b/modules/storage_account/storage_account.tf 
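Review bot: Dropping `https_only = lookup(var.settings, "https_only", null)` removes the module's only control over HTTPS enforcement on the Logic App Standard, so configurations that set `https_only = true` will now plan to whatever the provider default is (historically `false` for this resource — verify against the pinned azurerm version), silently re-enabling plain-HTTP access to the site. Unless the conflict resolution intended this, restore the line with a secure default: `https_only = lookup(var.settings, "https_only", true)`. The removed `app_settings = local.app_settings` likewise stops reconciling any app settings the module used to manage; if `local.app_settings` still exists elsewhere in the module this is drift, not cleanup, and the commit title gives no reason for either removal. The resource block continues outside the hunk.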
@@ -24,7 +24,8 @@ resource "azurerm_storage_account" "stg" { account_kind = try(var.storage_account.account_kind, "StorageV2") access_tier = contains(["BlobStorage", "FileStorage", "StorageV2"], try(var.storage_account.account_kind, "StorageV2")) ? try(var.storage_account.access_tier, "Hot") : null allow_nested_items_to_be_public = try(var.storage_account.allow_nested_items_to_be_public, var.storage_account.allow_blob_public_access, false) - cross_tenant_replication_enabled = try(var.storage_account.cross_tenant_replication_enabled, null) + # Falsely defaults to true in this version 3.114.0 https://github.com/hashicorp/terraform-provider-azurerm/pull/26962 + cross_tenant_replication_enabled = try(var.storage_account.cross_tenant_replication_enabled, false) edge_zone = try(var.storage_account.edge_zone, null) enable_https_traffic_only = try(var.storage_account.enable_https_traffic_only, true) infrastructure_encryption_enabled = try(var.storage_account.infrastructure_encryption_enabled, null) diff --git a/storage_container.tf b/storage_container.tf index 0f546ae5a5..f7f3ae692e 100644 --- a/storage_container.tf +++ b/storage_container.tf @@ -1,7 +1,7 @@ module "storage_containers" { source = "./modules/storage_account/container/" # triggers cyclic dependency - depends_on = [time_sleep.azurerm_role_assignment_for] + #depends_on = [time_sleep.azurerm_role_assignment_for] for_each = local.storage.storage_containers settings = each.value From 34084f3f248567b4eb257597489798aab30acbcd Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Mon, 7 Oct 2024 12:21:23 +0000 Subject: [PATCH 241/244] fix: adding missing fix --- modules/compute/aks/aks.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/compute/aks/aks.tf b/modules/compute/aks/aks.tf index e999dafd3d..1ec9d71196 100644 --- a/modules/compute/aks/aks.tf +++ b/modules/compute/aks/aks.tf 
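Review bot: Pinning `cross_tenant_replication_enabled` to `false` is the right hardening — replicating objects into another tenant should be opt-in — but the new comment describes the provider default as "falsely" true, which reads as a provider bug and invites a future maintainer to delete the override once the provider changes; whether that default was intentional cannot be told from here. Reword it to state the policy rather than the provider's behaviour: `# Cross-tenant object replication is opt-in: the azurerm provider defaults this to true (see terraform-provider-azurerm#26962), so pin false unless the landing zone explicitly needs it.` Expect an in-place update on every existing account that relied on the provider default, which is worth calling out in the commit message.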
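Review bot: With `depends_on` now fully commented out, container creation no longer waits on `time_sleep.azurerm_role_assignment_for`; if the provider creates containers through the data plane with Azure AD credentials, the deploying identity's Storage data-plane role must have propagated first, so the first apply after a fresh role assignment can fail with an authorization error that the sleep previously absorbed. The surviving `# triggers cyclic dependency` now annotates a commented-out line and explains nothing to a reader; make it self-contained: `# depends_on time_sleep.azurerm_role_assignment_for removed (cyclic dependency); container creation may race RBAC propagation on first apply`. The module block continues outside the hunk.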
@@ -70,7 +70,6 @@ resource "azurerm_kubernetes_cluster" "aks" { capacity_reservation_group_id = try(var.settings.capacity_reservation_group_id, null) custom_ca_trust_enabled = try(var.settings.custom_ca_trust_enabled, null) host_group_id = try(var.settings.host_group_id, null) - temporary_name_for_rotation = try(var.settings.default_node_pool.temporary_name_for_rotation, null) pod_subnet_id = can(var.settings.default_node_pool.pod_subnet_key) == false || can(var.settings.default_node_pool.pod_subnet.key) == false || can(var.settings.default_node_pool.pod_subnet_id) || can(var.settings.default_node_pool.pod_subnet.resource_id) ? try(var.settings.default_node_pool.pod_subnet_id, var.settings.default_node_pool.pod_subnet.resource_id, null) : var.vnets[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.vnet_key].subnets[try(var.settings.default_node_pool.pod_subnet_key, var.settings.default_node_pool.pod_subnet.key)].id vnet_subnet_id = can(var.settings.default_node_pool.vnet_subnet_id) || can(var.settings.default_node_pool.subnet.resource_id) ? try(var.settings.default_node_pool.vnet_subnet_id, var.settings.default_node_pool.subnet.resource_id) : var.vnets[try(var.settings.vnet.lz_key, var.settings.lz_key, var.client_config.landingzone_key)][try(var.settings.vnet.key, var.settings.vnet_key)].subnets[try(var.settings.default_node_pool.subnet_key, var.settings.default_node_pool.subnet.key)].id From d6bd320c5dbbb3a8674967b31dd0cb72a611a41a Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Tue, 8 Oct 2024 08:04:27 +0000 Subject: [PATCH 242/244] fix: restoring our implementation --- .../messaging/eventgrid/eventgrid_system_topic/main.tf | 8 ++------ .../eventgrid_system_topic_event_subscription/main.tf | 7 +------ .../eventgrid_system_topic_event_subscription/module.tf | 7 ++++--- .../variables.tf | 2 +- 4 files changed, 8 insertions(+), 16 deletions(-) 
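Review bot: This patch ("adding missing fix") carries the identical hunk to the aks.tf change in patch 239 — same blob indices `e999dafd3d..1ec9d71196` and the same removal of `temporary_name_for_rotation` — so applied in sequence it is either a no-op or fails because the line is already gone. Squash it into 239 or drop it so the series applies cleanly. If the attribute was removed because the pinned provider does not support it, record that in the hunk, e.g. `# temporary_name_for_rotation requires a newer azurerm provider than the one pinned here`, rather than only in a commit title. The resource block continues outside the hunk.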
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf index 2c2557d820..18070aadb3 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf @@ -14,14 +14,14 @@ locals { managed_local_identities = flatten([ for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ - var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + var.remote_objects.all.managed_identities[var.client_config.landingzone_key][managed_identity_key].id ] ]) managed_remote_identities = flatten([ for lz_key, value in try(var.settings.identity.remote, []) : [ for managed_identity_key in value.managed_identity_keys : [ - var.remote_objects.managed_identities[lz_key][managed_identity_key].id + var.remote_objects.all.managed_identities[lz_key][managed_identity_key].id ] ] ]) 
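Review bot: The switch to `var.remote_objects.all.managed_identities` is reverted verbatim in patch 243 further down, and the root in that patch passes `managed_identities` at the top level of `remote_objects` without an `all` key, so this intermediate revision cannot resolve identity keys at all. Squash 242 and 243 into one commit so that `git bisect` and reviewers never land on a state where user-assigned identities for system topics silently fail to resolve. The locals block continues outside the hunk.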
@@ -29,8 +29,4 @@ locals { provided_identities = try(var.settings.identity.managed_identity_ids, []) managed_identities = concat(local.provided_identities, local.managed_local_identities, local.managed_remote_identities) - resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].resource_group_name, null)) - - location = coalesce(try(var.settings.location, null), try(var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)].location, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].location, null), "global") - } diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf index 6b36696ec8..6c3801cbd3 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf 
@@ -4,10 +4,5 @@ terraform { source = "aztfmod/azurecaf" } } -} - -locals { - system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null)) - resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null)) -} \ No newline at end of file +} diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf index 1bdb4b51fe..ba18df1bfc 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf +++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf @@ -1,3 +1,4 @@ + resource "azurecaf_name" "egstes" { name = var.settings.name resource_type = "azurerm_eventgrid_event_subscription" 
@@ -9,8 +10,8 @@ resource "azurecaf_name" "egstes" {
 }
 resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" {
 name = azurecaf_name.egstes.result
- system_topic = local.system_topic
- resource_group_name = local.resource_group_name
+ system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null))
+ resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null))
 expiration_time_utc = try(var.settings.expiration_time_utc, null)
 event_delivery_schema = try(var.settings.event_delivery_schema, null)
 included_event_types = try(var.settings.included_event_types, null)
@@ -201,7 +202,7 @@ resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" {
 for_each = try(var.settings.delivery_identity, null) != null ? [var.settings.delivery_identity] : []
 content {
 type = try(delivery_identity.value.type, null)
- user_assigned_identity = coalesce(try(delivery_identity.value.id, null), try(var.remote_objects.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id))
+ user_assigned_identity = try(delivery_identity.value.user_assigned_identity, null)
 }
 }
 dynamic "delivery_property" {
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf
index fc7ff1a9bc..aade8e83bf 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf
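Review bot: `system_topic` on the new side takes `var.settings.scope.id` verbatim when set, but this argument expects the system topic's name, not its resource id — the key-based branch selects `.name` for exactly that reason — so a caller who supplies a full id in `scope.id` gets a create-time failure or a lookup of a non-existent topic; rename the override to `scope.name`, or document that `scope.id` must be the topic name. `resource_group_name` also reads `var.remote_objects.all.resource_groups`, while the root in patch 243 passes a flat `remote_objects` with no `all` key, so an explicit `resource_group.key` is silently ignored and the subscription lands in the topic's resource group instead; drop `.all` and pass `resource_groups = local.combined_objects_resource_groups` from the root. The resource block continues outside the hunk.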
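Review bot: `user_assigned_identity = try(delivery_identity.value.user_assigned_identity, null)` drops the by-key resolution through `remote_objects.managed_identities` that the removed line provided, so configurations that reference the delivery identity by `key`/`lz_key` now evaluate to `null` and the identity is silently unset — while the root still passes `managed_identities` in `remote_objects`, which suggests the removal was not intended. Keep both forms: `user_assigned_identity = try(delivery_identity.value.user_assigned_identity, delivery_identity.value.id, var.remote_objects.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id, null)`.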
+++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf @@ -15,4 +15,4 @@ variable "base_tags" { description = "Base tags for the resource to be inherited from the resource group." type = map(any) default = {} -} \ No newline at end of file +} From 60d5a96728291109a1c6c9b37a8c9bd82a3bd0b0 Mon Sep 17 00:00:00 2001 From: "janik.muenk" Date: Tue, 8 Oct 2024 08:38:30 +0000 Subject: [PATCH 243/244] fix: restoring eventgrid implementation https://github.com/flender-group/terraform-azurerm-caf/pull/45 --- eventgrid.tf | 68 +++++++++++++------ locals.tf | 24 +++---- .../eventgrid/eventgrid_system_topic/main.tf | 10 ++- .../eventgrid_system_topic/module.tf | 50 ++++---------- .../eventgrid_system_topic/output.tf | 18 +++-- .../eventgrid_system_topic/variables.tf | 6 +- .../main.tf | 7 +- .../module.tf | 7 +- .../output.tf | 2 +- .../variables.tf | 2 +- 10 files changed, 107 insertions(+), 87 deletions(-) diff --git a/eventgrid.tf b/eventgrid.tf index a13dfb0fd4..aa75ed9408 100755 --- a/eventgrid.tf +++ b/eventgrid.tf 
@@ -85,35 +85,63 @@ module "eventgrid_system_topic" { global_settings = local.global_settings client_config = local.client_config - settings = each.value base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} + settings = each.value - location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location - - remote_objects = local.remote_objects + remote_objects = { + aks_clusters = local.combined_objects_aks_clusters + api_management = local.combined_objects_api_management + app_services = local.combined_objects_app_services + azure_container_registries = local.combined_objects_azure_container_registries + communication_services = module.communication_services + event_hubs = local.combined_objects_event_hubs + eventgrid_domains = local.combined_objects_eventgrid_domains + eventgrid_topics = local.combined_objects_eventgrid_topics + eventhubs = local.combined_objects_event_hubs + functions = local.combined_objects_function_apps + iot_hub = local.combined_objects_iot_hub + keyvaults = local.combined_objects_keyvaults + machine_learning = local.combined_objects_machine_learning + managed_identities = local.combined_objects_managed_identities + maps_accounts = module.maps_accounts + redis_caches = local.combined_objects_redis_caches + resource_groups = local.combined_objects_resource_groups + servicebus_namespaces = local.combined_objects_servicebus_namespaces + servicebus_queues = local.combined_objects_servicebus_queues + servicebus_topic = local.combined_objects_servicebus_topics + signalr_services = 
local.combined_objects_signalr_services + storage_accounts = local.combined_objects_storage_accounts + subscriptions = local.combined_objects_subscriptions + } } + output "eventgrid_system_topic" { value = module.eventgrid_system_topic } -module "eventgrid_system_event_subscription" { - source = "./modules/messaging/eventgrid/eventgrid_system_event_subscription" - for_each = local.messaging.eventgrid_system_event_subscription + +module "azurerm_eventgrid_system_topic_event_subscription" { + source = "./modules/messaging/eventgrid/eventgrid_system_topic_event_subscription" + for_each = local.messaging.eventgrid_system_topic_event_subscription global_settings = local.global_settings client_config = local.client_config + base_tags = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {} settings = each.value - remote_objects = merge( - local.remote_objects, - { - functions = local.combined_objects_function_apps, - eventhubs = local.combined_objects_event_hubs, - eventgrid_system_topics = local.combined_objects_eventgrid_system_topics, - hybrid_connections = local.combined_objects_relay_hybrid_connection, - storage_account_queues = local.combined_objects_storage_account_queues - } - ) -} -output "eventgrid_system_event_subscription" { - value = module.eventgrid_system_event_subscription + + remote_objects = { + eventgrid_system_topics = local.combined_objects_eventgrid_system_topics + functions = local.combined_objects_function_apps + eventhubs = local.combined_objects_event_hubs + managed_identities = local.combined_objects_managed_identities + servicebus_topic = local.combined_objects_servicebus_topics + servicebus_queues = local.combined_objects_servicebus_queues + storage_accounts = local.combined_objects_storage_accounts + hybrid_connections = 
local.combined_objects_relay_hybrid_connection + storage_account_queues = local.combined_objects_storage_account_queues + } + } +#output "eventgrid_system_event_subscription" { +# value = module.eventgrid_system_event_subscription +#} diff --git a/locals.tf b/locals.tf index 2908216245..421b79d67c 100644 --- a/locals.tf +++ b/locals.tf 
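Review bot: Renaming the module address from `eventgrid_system_event_subscription` to `azurerm_eventgrid_system_topic_event_subscription` changes every existing subscription's state address, so the next apply plans a destroy-and-create of each event subscription — a delivery gap for whatever consumes those events — unless a `moved { from = module.eventgrid_system_event_subscription to = module.azurerm_eventgrid_system_topic_event_subscription }` block accompanies the rename. The output is commented out rather than renamed, so downstream landing zones that read it through remote state lose it; add `output "azurerm_eventgrid_system_topic_event_subscription" { value = module.azurerm_eventgrid_system_topic_event_subscription }`. The new `remote_objects` map for the subscription module also has no `all` or `resource_groups` key, while the module as left by patch 242 reads `var.remote_objects.all.resource_groups`, so an explicit resource group key is never honoured; add `resource_groups = local.combined_objects_resource_groups` here and drop `.all` in the module.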
@@ -256,18 +256,18 @@ locals { maps_accounts = try(var.maps.maps_accounts, {}) } messaging = { - signalr_services = try(var.messaging.signalr_services, {}) - servicebus_namespaces = try(var.messaging.servicebus_namespaces, {}) - servicebus_queues = try(var.messaging.servicebus_queues, {}) - servicebus_topics = try(var.messaging.servicebus_topics, {}) - eventgrid_domain = try(var.messaging.eventgrid_domain, {}) - eventgrid_topic = try(var.messaging.eventgrid_topic, {}) - eventgrid_event_subscription = try(var.messaging.eventgrid_event_subscription, {}) - eventgrid_domain_topic = try(var.messaging.eventgrid_domain_topic, {}) - eventgrid_system_topic = try(var.messaging.eventgrid_system_topic, {}) - eventgrid_system_event_subscription = try(var.messaging.eventgrid_system_event_subscription, {}) - web_pubsubs = try(var.messaging.web_pubsubs, {}) - web_pubsub_hubs = try(var.messaging.web_pubsub_hubs, {}) + signalr_services = try(var.messaging.signalr_services, {}) + servicebus_namespaces = try(var.messaging.servicebus_namespaces, {}) + servicebus_queues = try(var.messaging.servicebus_queues, {}) + servicebus_topics = try(var.messaging.servicebus_topics, {}) + eventgrid_domain = try(var.messaging.eventgrid_domain, {}) + eventgrid_topic = try(var.messaging.eventgrid_topic, {}) + eventgrid_event_subscription = try(var.messaging.eventgrid_event_subscription, {}) + eventgrid_domain_topic = try(var.messaging.eventgrid_domain_topic, {}) + eventgrid_system_topic = try(var.messaging.eventgrid_system_topic, {}) + eventgrid_system_topic_event_subscription = try(var.messaging.eventgrid_system_topic_event_subscription, {}) + web_pubsubs = try(var.messaging.web_pubsubs, {}) + web_pubsub_hubs = try(var.messaging.web_pubsub_hubs, {}) } networking = { diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf index 18070aadb3..32a4638b9a 100644 --- a/modules/messaging/eventgrid/eventgrid_system_topic/main.tf 
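Review bot: The messaging key rename from `eventgrid_system_event_subscription` to `eventgrid_system_topic_event_subscription` breaks every tfvars file that still uses the old key without any error: `try(var.messaging.eventgrid_system_topic_event_subscription, {})` simply yields `{}` and the existing subscriptions are planned for deletion. Accept both spellings for a deprecation window: `eventgrid_system_topic_event_subscription = try(var.messaging.eventgrid_system_topic_event_subscription, var.messaging.eventgrid_system_event_subscription, {})`. The locals block continues outside the hunk.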
+++ b/modules/messaging/eventgrid/eventgrid_system_topic/main.tf @@ -14,14 +14,14 @@ locals { managed_local_identities = flatten([ for managed_identity_key in try(var.settings.identity.managed_identity_keys, []) : [ - var.remote_objects.all.managed_identities[var.client_config.landingzone_key][managed_identity_key].id + var.remote_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id ] ]) managed_remote_identities = flatten([ for lz_key, value in try(var.settings.identity.remote, []) : [ for managed_identity_key in value.managed_identity_keys : [ - var.remote_objects.all.managed_identities[lz_key][managed_identity_key].id + var.remote_objects.managed_identities[lz_key][managed_identity_key].id ] ] ]) @@ -29,4 +29,8 @@ locals { provided_identities = try(var.settings.identity.managed_identity_ids, []) managed_identities = concat(local.provided_identities, local.managed_local_identities, local.managed_remote_identities) -} + resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].resource_group_name, null)) + + location = coalesce(try(var.settings.location, null), try(var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][try(var.settings.resource_group.key, var.settings.resource_group_key)].location, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].location, null), "global") + +} \ No newline at end of file 
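Review bot: The restored `location` local tries the resource group's location before the source resource's (`coalesce(settings.location, rg.location, source.location, "global")`), but a system topic for a regional source (storage account, Key Vault, Event Hubs namespace) has to be created in the source's region, which need not be the resource group's region; swap the two lookups so the source resource's `.location` is tried first, keeping `"global"` as the last fallback for subscription and resource-group sources. A short comment above the local saying why the order matters would stop it being "tidied" back. The file is also left without a trailing newline.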
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic/module.tf
index eb281653dd..d022c99051 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic/module.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic/module.tf
@@ -1,4 +1,4 @@
-resource "azurecaf_name" "egt" {
+resource "azurecaf_name" "egst" {
 name = var.settings.name
 resource_type = "azurerm_eventgrid_topic"
 prefixes = var.global_settings.prefixes
@@ -7,46 +7,22 @@ resource "azurecaf_name" "egt" {
 passthrough = var.global_settings.passthrough
 use_slug = var.global_settings.use_slug
 }
-
-resource "azurerm_eventgrid_system_topic" "egt" {
- name = azurecaf_name.egt.result
- resource_group_name = can(var.settings.resource_group.name) ? var.settings.resource_group.name : var.remote_objects.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name
- location = var.location
-
- source_arm_resource_id = try(
- var.settings.source_resource_id,
- var.remote_objects[var.settings.source_resource.type][try(var.settings.source_resource.lz_key, var.client_config.landingzone_key)][var.settings.source_resource.key].id,
- null
- )
-
- # topic_type can be one of these, more resource types can be supported
- # Microsoft.AppConfiguration.ConfigurationStores
- # Microsoft.Communication.CommunicationServices
- # Microsoft.ContainerRegistry.Registries
- # Microsoft.Devices.IoTHubs
- # Microsoft.EventGrid.Domains
- # Microsoft.EventGrid.Topics
- # Microsoft.Eventhub.Namespaces
- # Microsoft.KeyVault.vaults
- # Microsoft.MachineLearningServices.Workspaces
- # Microsoft.Maps.Accounts
- # Microsoft.Media.MediaServices
- # Microsoft.Resources.ResourceGroups
- # Microsoft.Resources.Subscriptions
- # Microsoft.ServiceBus.Namespaces
- # Microsoft.SignalRService.SignalR
- # Microsoft.Storage.StorageAccounts
- # Microsoft.Web.ServerFarms
- # Microsoft.Web.Sites
- topic_type = var.settings.topic_type
+resource "azurerm_eventgrid_system_topic" "egst" {
+ name = azurecaf_name.egst.result
+ resource_group_name = local.resource_group_name
+ location = local.location
 dynamic "identity" {
- for_each = try(var.settings.identity, null) != null ? [var.settings.identity] : []
+ for_each = can(var.settings.identity) ? 
[var.settings.identity] : []
+
 content {
 type = try(identity.value.type, null)
- identity_ids = try(identity.value.identity_ids, null)
+ identity_ids = try(local.managed_identities, null)
 }
 }
- tags = local.tags
-}
+ source_arm_resource_id = coalesce(try(var.settings.topic.resource_id, null), try(var.remote_objects[var.settings.topic.resource_type][try(var.settings.topic.lz_key, var.client_config.landingzone_key)][var.settings.topic.resource_key].id, null))
+ topic_type = var.settings.topic_type
+ tags = local.tags
+
+}
\ No newline at end of file
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/output.tf b/modules/messaging/eventgrid/eventgrid_system_topic/output.tf
index 8306f0555f..de02274266 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic/output.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic/output.tf
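Review bot: Renaming the resource from `egt` to `egst` changes its state address, so every system topic already managed by this module will be planned for destroy and recreate on the next apply (taking its event subscriptions with it) unless `moved` blocks accompany the change; the same applies to the `azurecaf_name` rename in the previous hunk and to the output.tf hunk that follows, and `moved` needs Terraform 1.1 or later. `identity_ids = try(local.managed_identities, null)` never falls back, because `local.managed_identities` is a `concat(...)` that either evaluates or fails the whole plan, so plain `identity_ids = local.managed_identities` states what actually happens. The removed list of supported `topic_type` values was the only documentation of that argument; keep it as a comment above `topic_type` or move it to the module README. The settings shape also changed from `source_resource_id`/`source_resource.*` to `topic.resource_id`/`topic.*` with no compatibility fallback, so existing configurations will fail at plan time; that is worth a line in the commit message or README.
```hcl
moved {
  from = azurecaf_name.egt
  to   = azurecaf_name.egst
}

moved {
  from = azurerm_eventgrid_system_topic.egt
  to   = azurerm_eventgrid_system_topic.egst
}
```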
@@ -1,12 +1,20 @@
 output "id" {
- value = azurerm_eventgrid_system_topic.egt.id
+ value = azurerm_eventgrid_system_topic.egst.id
 description = "The EventGrid System Topic ID."
 }
 output "name" {
- value = azurerm_eventgrid_system_topic.egt.name
+ value = azurerm_eventgrid_system_topic.egst.name
 description = "The EventGrid System Topic Name."
 }
-output "identity" {
- value = azurerm_eventgrid_system_topic.egt.identity
- description = "An `identity` block as defined below, which contains the Managed Service Identity information for this Event Grid System Topic."
+output "resource_group_name" {
+ value = azurerm_eventgrid_system_topic.egst.resource_group_name
+ description = "The EventGrid System Topic Resource Group Name."
+}
+output "endpoint" {
+ value = azurerm_eventgrid_system_topic.egst.metric_arm_resource_id
+ description = "The Metric ARM Resource ID of the Event Grid System Topic."
 }
+output "identity" {
+ value = azurerm_eventgrid_system_topic.egst.identity
+ description = "An `identity` block as defined below, which contains the Managed Service Identity information for this Event Grid Topic."
+}
\ No newline at end of file
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf b/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf
index 62afdf0290..fae9ec496b 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic/variables.tf
@@ -1,8 +1,8 @@
 variable "global_settings" {
- description = "Global settings object"
+ description = "Global settings object (see module README.md)"
 }
 variable "client_config" {
- description = "Client configuration object."
+ description = "Client configuration object (see module README.md)."
 }
 variable "settings" {
 description = "(Required) Used to handle passthrough paramenters." 
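Review bot: The new output `endpoint` exposes `metric_arm_resource_id`, as its own description says, so the name is misleading for consumers who will read `endpoint` as a URL. Name the output after what it returns, `output "metric_arm_resource_id" {`, or document in the module README why it is called `endpoint`. The re-added `identity` output also now says "Event Grid Topic" where the removed line said "Event Grid System Topic"; keep `... Managed Service Identity information for this Event Grid System Topic."`.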
@@ -19,4 +19,4 @@ variable "base_tags" {
 variable "location" {
 description = "Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
 default = null
-}
+}
\ No newline at end of file
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf
index 6c3801cbd3..6b36696ec8 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/main.tf
@@ -4,5 +4,10 @@ terraform {
 source = "aztfmod/azurecaf"
 }
 }
-
 }
+
+
+locals {
+ system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null))
+ resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null))
+}
\ No newline at end of file
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf
index ba18df1bfc..1bdb4b51fe 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/module.tf
@@ -1,4 +1,3 @@
-
 resource "azurecaf_name" "egstes" {
 name = var.settings.name
 resource_type = "azurerm_eventgrid_event_subscription" 
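Review bot: The `system_topic` local coalesces `var.settings.scope.id` with the remote topic's `.name`, so its two branches yield different kinds of value; the `system_topic` argument of `azurerm_eventgrid_system_topic_event_subscription` appears to take the topic name, as the second branch assumes, so a caller that puts a full resource ID under `scope.id` would fail at apply. Either rename the setting to `scope.name` or add a comment on the local stating that `scope.id` must hold the system topic name. In `resource_group_name`, the resource group lookup goes through `var.remote_objects.all.resource_groups` while the topic lookup on the same line and the system topic module earlier in this commit use `var.remote_objects.<type>` without `.all`; one of the two shapes is presumably wrong for this module's `remote_objects` input and is worth confirming against the caller.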
@@ -10,8 +9,8 @@ resource "azurecaf_name" "egstes" {
 }
 resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" {
 name = azurecaf_name.egstes.result
- system_topic = coalesce(try(var.settings.scope.id, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].name, null))
- resource_group_name = coalesce(try(var.settings.resource_group.name, null), try(var.remote_objects.all.resource_groups[try(var.settings.resource_group.lz_key, var.client_config.landingzone_key)][var.settings.resource_group.key].name, null), try(var.remote_objects.eventgrid_system_topics[try(var.settings.scope.lz_key, var.client_config.landingzone_key)][var.settings.scope.key].resource_group_name, null))
+ system_topic = local.system_topic
+ resource_group_name = local.resource_group_name
 expiration_time_utc = try(var.settings.expiration_time_utc, null)
 event_delivery_schema = try(var.settings.event_delivery_schema, null)
 included_event_types = try(var.settings.included_event_types, null)
@@ -202,7 +201,7 @@ resource "azurerm_eventgrid_system_topic_event_subscription" "egstes" {
 for_each = try(var.settings.delivery_identity, null) != null ? [var.settings.delivery_identity] : []
 content {
 type = try(delivery_identity.value.type, null)
- user_assigned_identity = try(delivery_identity.value.user_assigned_identity, null)
+ user_assigned_identity = coalesce(try(delivery_identity.value.id, null), try(var.remote_objects.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id))
 }
 }
 dynamic "delivery_property" {
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf
index a269931f46..65b6b9b2c8 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf 
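Review bot: The second `try(...)` in the new `user_assigned_identity` expression has no fallback argument, so when the managed identity lookup fails it raises its own error instead of yielding `null` for `coalesce`; every other lookup in this commit uses `try(..., null)`. Write it as `user_assigned_identity = coalesce(try(delivery_identity.value.id, null), try(var.remote_objects.managed_identities[try(delivery_identity.value.lz_key, var.client_config.landingzone_key)][delivery_identity.value.key].id, null))`. The previous `delivery_identity.value.user_assigned_identity` key is no longer honored, so callers that still set it will now fail in `coalesce`; keep it as a third fallback or document the new `id`/`key` keys. The enclosing resource block starts and ends outside the hunk.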
+++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/output.tf
@@ -1,4 +1,4 @@
 output "id" {
 value = azurerm_eventgrid_system_topic_event_subscription.egstes.id
 description = "The ID of the EventGrid Event Subscription."
-}
+}
\ No newline at end of file
diff --git a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf
index aade8e83bf..fc7ff1a9bc 100644
--- a/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf
+++ b/modules/messaging/eventgrid/eventgrid_system_topic_event_subscription/variables.tf
@@ -15,4 +15,4 @@ variable "base_tags" {
 description = "Base tags for the resource to be inherited from the resource group."
 type = map(any)
 default = {}
-}
+}
\ No newline at end of file
From 223aeb129444db13d761ea1597724f59496f2595 Mon Sep 17 00:00:00 2001
From: "janik.muenk" 
Date: Tue, 8 Oct 2024 09:27:34 +0000
Subject: [PATCH 244/244] fix: public_network_access_enabled
---
 modules/databases/postgresql_flexible_server/server.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/databases/postgresql_flexible_server/server.tf b/modules/databases/postgresql_flexible_server/server.tf
index b67e68a400..d588827ccf 100644
--- a/modules/databases/postgresql_flexible_server/server.tf
+++ b/modules/databases/postgresql_flexible_server/server.tf
@@ -17,6 +17,8 @@ resource "azurerm_postgresql_flexible_server" "postgresql" {
 zone = try(var.settings.zone, null)
 storage_mb = try(var.settings.storage_mb, null)
 auto_grow_enabled = try(var.settings.auto_grow_enabled, null)
+
+ public_network_access_enabled = try(var.settings.public_network_access_enabled, false)
 delegated_subnet_id = var.remote_objects.subnet_id
 private_dns_zone_id = var.remote_objects.private_dns_zone_id