diff --git a/docs/ALZLogo-Large.png b/docs/ALZLogo-Large.png deleted file mode 100644 index 343f25e4..00000000 Binary files a/docs/ALZLogo-Large.png and /dev/null differ diff --git a/docs/ALZLogo-Small.png b/docs/ALZLogo-Small.png deleted file mode 100644 index ef5b6797..00000000 Binary files a/docs/ALZLogo-Small.png and /dev/null differ diff --git a/docs/ALZLogo.png b/docs/ALZLogo.png deleted file mode 100644 index f831c043..00000000 Binary files a/docs/ALZLogo.png and /dev/null differ diff --git a/docs/rsz_alzlogo.png b/docs/rsz_alzlogo.png deleted file mode 100644 index ae486e05..00000000 Binary files a/docs/rsz_alzlogo.png and /dev/null differ diff --git a/docs/wiki/Contributing-to-Code.md b/docs/wiki/Contributing-to-Code.md deleted file mode 100644 index fecea92e..00000000 --- a/docs/wiki/Contributing-to-Code.md +++ /dev/null @@ -1,15 +0,0 @@ - -Please ensure you have read our [Contributing](Contributing) page before going any further. - -## Checklist - -- Fixes a bug or feature reported and accepted in our [Issues][Issues] log -- New features should be relevant to, and improve upon, existing core functionality -- PR contains documentation update -- PR is rebased against the latest `main` branch -- PR is squashed into one commit per logical change -- PR commit message should be concise but descriptive (will be used to generate release notes) - - - -[Issues]: https://github.com/Azure/alz-terraform-accelerator/issues "Our issues log" diff --git a/docs/wiki/Contributing-to-Documentation.md b/docs/wiki/Contributing-to-Documentation.md deleted file mode 100644 index 540a54e0..00000000 --- a/docs/wiki/Contributing-to-Documentation.md +++ /dev/null 
@@ -1,14 +0,0 @@ - -Please ensure you have read our [Contributing](Contributing) page before going any further. - -## Checklist - -- Fixes a documentation bug or feature reported and accepted in our [Issues][Issues] log -- New features should be relevant to, and improve upon, existing core documentation -- PR is rebased against the latest `main` branch -- PR is squashed into one commit per logical change -- PR commit message should be concise but descriptive (will be used to generate release notes) - - - -[Issues]: https://github.com/Azure/alz-terraform-accelerator/issues "Our issues log" diff --git a/docs/wiki/Contributing.md b/docs/wiki/Contributing.md deleted file mode 100644 index b41cbbc1..00000000 --- a/docs/wiki/Contributing.md +++ /dev/null 
@@ -1,20 +0,0 @@ - -This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit [https://cla.opensource.microsoft.com](https://cla.opensource.microsoft.com). - -When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. - -This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments. - -Please familiarize yourself with our [Code of Conduct][Code-of-Conduct] and the [MIT License][License] associated with this repository to ensure all code contributions are submitted in accordance with these terms. - -## Next steps - -- [Raising an Issue](Raising-an-Issue) -- [Feature Requests](Feature-Requests) -- [Contributing to Code](Contributing-to-Code) -- [Contributing to Documentation](Contributing-to-Documentation) - - - -[Code-of-Conduct]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/CODE_OF_CONDUCT.md "Our Code-of-Conduct" -[License]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/LICENSE "Our license" diff --git a/docs/wiki/Feature-Requests.md b/docs/wiki/Feature-Requests.md deleted file mode 100644 index d5729d43..00000000 --- a/docs/wiki/Feature-Requests.md +++ /dev/null @@ -1,3 +0,0 @@ - - -Please raise a feature request as an [issue](https://github.com/Azure/ALZ-PowerShell-Module/issues) diff --git a/docs/wiki/Frequently-Asked-Questions.md b/docs/wiki/Frequently-Asked-Questions.md deleted file mode 100644 index fd4df173..00000000 --- a/docs/wiki/Frequently-Asked-Questions.md +++ /dev/null 
@@ -1,191 +0,0 @@ - -## Azure landing zones Terraform accelerator FAQ - -This article answers frequently asked questions relating to the Azure landing zones Terraform accelerator. - -> If you have a question not listed here, please raise an [issue](https://github.com/Azure/alz-terraform-accelerator/issues) and we'll do our best to help. - -## Questions about customisation - -### How do I use my own naming convention for the resources that are deployed? - -You can add any hidden variables to your inputs file, including the `resource_names` map. This map is used to set the names of the resources that are deployed. You can find the default values in the `terraform.tfvars` file in the bootstrap module. - -For example adding this to the end of your inputs file and updating to your standard: - -```yaml -# Extra Inputs -resource_names: - resource_group_state: "rg-{{service_name}}-{{environment_name}}-state-{{azure_location}}-{{postfix_number}}-test" - resource_group_identity: "rg-{{service_name}}-{{environment_name}}-identity-{{azure_location}}-{{postfix_number}}" - resource_group_agents: "rg-{{service_name}}-{{environment_name}}-agents-{{azure_location}}-{{postfix_number}}" - resource_group_network: "rg-{{service_name}}-{{environment_name}}-network-{{azure_location}}-{{postfix_number}}" - user_assigned_managed_identity_plan: "id-{{service_name}}-{{environment_name}}-{{azure_location}}-plan-{{postfix_number}}" - user_assigned_managed_identity_apply: "id-{{service_name}}-{{environment_name}}-{{azure_location}}-apply-{{postfix_number}}" - user_assigned_managed_identity_federated_credentials_plan: "id-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-plan" - user_assigned_managed_identity_federated_credentials_apply: "id-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-apply" - storage_account: "sto{{service_name_short}}{{environment_name_short}}{{azure_location_short}}{{postfix_number}}{{random_string}}" - 
storage_container: "{{environment_name}}-tfstate" - container_instance_01: "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}" - container_instance_02: "aci-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number_plus_1}}" - container_instance_managed_identity: "id-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci" - agent_01: "agent-{{service_name}}-{{environment_name}}-{{postfix_number}}" - agent_02: "agent-{{service_name}}-{{environment_name}}-{{postfix_number_plus_1}}" - version_control_system_repository: "{{service_name}}-{{environment_name}}" - version_control_system_repository_templates: "{{service_name}}-{{environment_name}}-templates" - version_control_system_service_connection_plan: "sc-{{service_name}}-{{environment_name}}-plan" - version_control_system_service_connection_apply: "sc-{{service_name}}-{{environment_name}}-apply" - version_control_system_environment_plan: "{{service_name}}-{{environment_name}}-plan" - version_control_system_environment_apply: "{{service_name}}-{{environment_name}}-apply" - version_control_system_variable_group: "{{service_name}}-{{environment_name}}" - version_control_system_agent_pool: "{{service_name}}-{{environment_name}}" - version_control_system_group: "{{service_name}}-{{environment_name}}-approvers" - version_control_system_pipeline_name_ci: "01 Azure Landing Zones Continuous Integration" - version_control_system_pipeline_name_cd: "02 Azure Landing Zones Continuous Delivery" - virtual_network: "vnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}" - public_ip: "pip-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}" - nat_gateway: "nat-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}" - subnet_container_instances: "subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-aci" - subnet_private_endpoints: 
"subnet-{{service_name}}-{{environment_name}}-{{azure_location}}-{{postfix_number}}-pe" - storage_account_private_endpoint: "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-sto-{{postfix_number}}" - container_registry: "acr{{service_name}}{{environment_name}}{{azure_location_short}}{{postfix_number}}{{random_string}}" - container_registry_private_endpoint: "pe-{{service_name}}-{{environment_name}}-{{azure_location}}-acr-{{postfix_number}}" - container_image_name: "azure-devops-agent" -``` - -Alternatively, you can take a copy of the `terraform.tfvars` file from the bootstrap module, update it and supply it via the `-bootstrapTfVarsOverridePath` parameter as an absolute path. - -## Questions about bootstrap clean up - -### I was just testing or I made a mistake, how do I remove the bootstrap environment and start again? - -After the Terraform apply has been completed there is an opportunity to remove the environment it just created. Follow these steps to run a `terraform destroy`. - -1. If you already ran the CD pipeline / action in phase 3 to deploy the ALZ, then you will need to run the pipeline / action again, but this time select the `destroy` option. This will delete the landing zone resources. If you don't do this, those resource will be left orphaned and you will have to clean them up manually. -1. Wait for the destroy run to complete before moving to the next step, you will need to approve it if you configured approvals. -1. Now run `Deploy-Accelerator` with the `-destroy` flag. E.g. `Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -o "./my-folder" -destroy`. -1. The module will run and ask if you want to use the existing variables, enter `use` to use them. -1. You can confirm the destroy by typing `yes` when prompted. -1. To fully clean up, you should now delete the folder that was created for the accelerator. E.g. `./my-folder`. -1. You'll now be able to run the `Deploy-Accelerator` command again to start fresh. 
- -## Questions about changing variables - -### I made a mistake in the variables I entered, do I need to re-enter them all? - -When you run the PowerShell module, it caches the responses you supply. If you make a mistake, you can re-run the `Deploy-Accelerator` command and it will ask you if you want to use the cached variables. If you hit enter here, then you will be able to skip through each variable in turn, check the set value and alter it if desired. - -### I want to update a variable after the bootstrap has been completed, how do I do that? - -When you run the PowerShell module, it caches the responses you supply. If you want to update a variable, you can re-run the `Deploy-Accelerator` command and it will ask you if you want to use the cached variables. If you hit enter here, then you will be able to skip through each variable in turn, check the set value and alter it if desired. - -> NOTE: In some cases changing a variable may result in a change to a starter module or CI / CD file. In this scenario you may see an error on Terraform Apply due to branch protection. You can disable branch protection and re-run the `Deploy-Accelerator` command to resolve this. - -## Questions about Upgrading to a newer version of the accelerator - -### How do I upgrade to a newer version of the accelerator? - -Follow the steps in the [Upgrade Guide][wiki_upgrade_process] to upgrade to a newer version of the accelerator. - -## Questions about Multiple landing zone deployments - -### I want to deploy multiple landing zones, but the PowerShell command keeps trying to overrwrite my existing environment - -After bootstrapping, the PowerShell leaves the folder structure intact, including the Terraform state file. This is by design, so you have an opportunity to amend or destroy the environment. - -If you want to deploy to a separate environment, the simplest approach is to specify a separate folder for each deployment using the `-Output` parameter. 
For example: - -- Deployment 1: `Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -Output "./deployment1"` -- Deployment 2: `Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -Output "./deployment2"` - -You can then deploy as many times as you like without interferring with a previous deployment. - -## Questions about Automating the PowerShell Module - -### I want to automate the PowerShell module, but it keeps prompting me for input, can I supply the answers? - ->NOTE: We now recommend this as the preferred approach and our documentation has been updated to reflect this. - -Yes, you can supply the variables to the PowerShell module by using the `-inputs` parameter. You just need to supply a single file that includes the variables for the bootstrap and the starter module. The ordering of the variables in the file is not important. - -The module will accept inputs as in json or yaml format. `.json,`, `.yaml` or `.yml` file extensions are supported. Examples of both are shown below. - -To call the module, you then specify the `-inputs` parameter with the path to the file containing the inputs. For example: - -```powershell -Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -Inputs "~/config/inputs.json" -``` - -yaml example: - -```yaml -starter: "basic" -azure_location: "uksouth" -``` - -json example: - -```json -{ - "starter": "basic", - "azure_location": "uksouth" -} -``` - -> NOTE: These examples show a partial set of variables. In this scenario, the module will prompt for the remaining variables. You can find the full list of variables in the quick start phase 2 and starter module documentation. - -Full yaml examples can be found under the `Input Files` section of the right-hand menu. - -### I get prompted to approve the Terraform plan, can I skip that? - -Yes, you can skip the approval of the Terraform plan by using the `-autoApprove` parameter. 
- -For example: - -```powershell -Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -Inputs "~/config/inputs.json" -autoApprove -``` - -## Questions about adding more subscriptions post initial deployment - -### I used a single subscription for the initial deployment, how do I split my landing zone to the recommended 3 subscriptions? - -There are some steps you need to take: - -1. Create a new subscription and take a note of the subscriptions ID. -1. Find the names of the user assigned managed identities that were created in the initial boostrap. There should be one for `plan` and one for `apply`. -1. Go to the `Access control (IAM)` section pf the subscription. Add the following permissions for each user assigned managed identity: - 1. `Reader` to the `plan` identity - 1. `Owner` to the `apply` identity -1. Go to your Terraform code in source control and update the `terraform.tfvars` file, specifying the new subscription id in the relevant variable. You will need to create a branch and raise a PR to do this. -1. You can now plan and apply from pipelines to update the subscriptions. - -## Questions about using custom starter modules - -### I want to use my own custom bootstrap module(s), how do I do that? - -Follow the structure and json schema in the [Azure/accelerator-bootstrap-modules](https://github.com/Azure/accelerator-bootstrap-modules). You can then target your custom bootstrap module by using the `bootstrapModuleUrl` or `bootstrapModuleOverrideFolderPath` parameters in the PowerShell module. For example: - -```powershell -Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -bootstrapModuleUrl "https://github.com/my-org/my-boostrap-modules" -``` - -```powershell -Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -bootstrapModuleOverrideFolderPath "./my-bootstrap-modules" -``` - -### I want to use my own custom starter modules, how do I do that? - -Follow the folder structure in this repository and create your own custom starter module(s). 
You can then target your custom starter module by using the `starterModuleOverrideFolderPath` parameters in the PowerShell module. For example: - -```powershell -Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -starterModuleOverrideFolderPath "~/my-custom-starter-modules" -``` - -Alternatively, if you are also supplying a custom bootstrap module, you can specify the starter module repo url in the `json` config file in the bootstrap module. - -[//]: # "************************" -[//]: # "INSERT LINK LABELS BELOW" -[//]: # "************************" - -[wiki_upgrade_process]: Upgrade-Guide "Wiki - Upgrade Process" diff --git a/docs/wiki/Home.md b/docs/wiki/Home.md index 3a9de632..a24b6a91 100644 --- a/docs/wiki/Home.md +++ b/docs/wiki/Home.md 
@@ -1,125 +1,4 @@ -Welcome to the Azure Landing Zones Accelerators for Bicep and Terraform! +The Azure Landing Zones IaC Accelerator documentation has been migrated to the [Azure Landing Zones](https://aka.ms/alz/tech-docs) documentation site. -The Azure landing zones [Terraform][alz_tf_module] and [Bicep][alz_bc_module] modules provide an opinionated approach for deploying and managing the core platform capabilities of [Azure landing zones architecture][alz_architecture] using Bicep or Terraform. - -This accelerator provides an opinionated approach for configuring and securing those modules in a continuous delivery environment. It has end to end automation for bootstrapping the modules. - -## Supported Version Control Systems (VCS) - -The accelerator supports both Azure DevOps and GitHub. We are only able to support the hosted versions of these services. - -If you are using self-hosted versions of these services or another VCS, you can still use the accelerator to produce the landing zone code by using the `alz_local` bootstrap module, but you will need to configure the VCS manually or with your own automation. - -## Accelerator features - -The accelerator bootstraps a continuous delivery environment for you. It supports both the Azure DevOps and GitHub version control system (VCS). It uses the [ALZ](https://www.powershellgallery.com/packages/ALZ) PowerShell module to gather required user input and apply a Terraform module to configure the bootstrap environment. - -> NOTE: For Bicep users, the accelerator uses Terraform to bootstrap the environment only. Bicep is used to deploy and update the Azure landing zone. - -The accelerator follows a 3 phase approach: - -1. Pre-requisites: Instructions to configure credentials and subscriptions. -2. Bootstrap: Run the PowerShell module to generate the continuous delivery environment. -3. Run: Update the module (if needed) to suit the needs of your organisation and deploy via continuous delivery. 
- -![Azure landing zone accelerator process][alz_accelerator_overview] - -The components of the environment are similar, but differ depending on your choice of VCS: - -![Components][components] - -### GitHub - -- Azure: - - Resource Group for State (Terraform only) - - Storage Account and Container for State (Terraform only) - - Resource Group for Identity - - User Assigned Managed Identities (UAMI) with Federated Credentials for Plan and Apply - - Permissions for the UAMI on state storage container, subscriptions and management groups - - [Optional] Container Registry for GitHub Runner image - - [Optional] Container Instances hosting GitHub Runners - - [Optional] Virtual network, subnets, private DNS zone and private endpoint. - -- GitHub - - Repository for the Module - - Repository for the Action Templates - - Starter Terraform module with tfvars - - Branch policy - - Action for Continuous Integration - - Action for Continuous Delivery - - Environment for Plan - - Environment for Apply - - Action Variables for Backend and Plan / Apply - - Team and Members for Apply Approval - - Customised OIDC Token Subject for governed Actions - - [Optional] Runner Group - -### Azure DevOps - -- Azure: - - Resource Group for State (Terraform only) - - Storage Account and Container for State (Terraform only) - - Resource Group for Identity - - User Assigned Managed Identities (UAMI) with Federated Credentials for Plan and Apply - - Permissions for the UAMI on state storage container, subscriptions and management groups - - [Optional] Container Registry for Azure DevOps Agent image - - [Optional] Container Instances hosting Azure DevOps Agents - - [Optional] Virtual network, subnets, private DNS zone and private endpoint. 
- -- Azure DevOps - - Project (can be supplied or created) - - Repository for the Module - - Repository for the Pipeline Templates - - Starter Terraform module with tfvars - - Branch policy - - Pipeline for Continuous Integration - - Pipeline for Continuous Delivery - - Environment for Plan - - Environment for Apply - - Variable Group for Backend - - Service Connections with Workload identity federation for Plan and Apply - - Service Connection Approvals, Template Validation and Concurrency Control - - Group and Members for Apply Approval - - [Optional] Agent Pool - -### Local File System - -This outputs the ALZ module files to the file system, so you can apply them manually or with your own VCS / automation. - -- Azure: - - Resource Group for State (Terraform only) - - Storage Account and Container for State (Terraform only) - - Resource Group for Identity - - User Assigned Managed Identities (UAMI) for Plan and Apply - - Permissions for the UAMI on state storage container, subscriptions and management groups - -- Local File System - - Starter module with variables - -## Next steps - -Check out the [User Guide](User-Guide). - -## Azure landing zones - -The following diagram and links detail the Azure landing zone, but you can learn a lot more about Azure landing zones [here](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/). - -![Azure landing zone conceptual architecture][alz_tf_overview] - - [//]: # (*****************************) - [//]: # (INSERT IMAGE REFERENCES BELOW) - [//]: # (*****************************) - -[alz_accelerator_overview]: media/alz-terraform-acclerator.png "A process flow showing the areas covered by the Azure landing zones Terraform accelerator." -[components]: media/components.png "The components deployed by the accelerator." 
- -[alz_tf_overview]: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/media/ns-arch-cust-expanded.svg "A conceptual architecture diagram highlighting the design areas covered by the Azure landing zones Terraform module." - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[alz_tf_module]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform: Azure landing zones module" -[alz_bc_module]: https://github.com/Azure/ALZ-Bicep "Bicep: Azure landing zones module" -[alz_architecture]: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone#azure-landing-zone-conceptual-architecture +You can find the docs here: [aka.ms/alz/acc](https://aka.ms/alz/acc). diff --git a/docs/wiki/Raising-an-Issue.md b/docs/wiki/Raising-an-Issue.md deleted file mode 100644 index ed57bf8e..00000000 --- a/docs/wiki/Raising-an-Issue.md +++ /dev/null @@ -1,9 +0,0 @@ - - -To raise an issue, please go to our [Issues][Issues] log and raise a new issue. - -Fill out the Bug or Feature template in full and submit the issue for triage. - - - -[Issues]: https://github.com/Azure/alz-terraform-accelerator/issues "Our issues log" diff --git a/docs/wiki/Troubleshooting.md b/docs/wiki/Troubleshooting.md deleted file mode 100644 index b9fa02f4..00000000 --- a/docs/wiki/Troubleshooting.md +++ /dev/null 
@@ -1,84 +0,0 @@ - -Having trouble using the module and unable to find a solution in the Wiki? - -If it isn't listed below, let us know about it in our [Issues][Issues] log. We'll do our best to help and you may find your issue documented here. - -## PowerShell ALZ Module Failing for non-obvious reasons - -For example, when running `Deploy-Accelerator` you may see an error like: - -- `Parameter cannot be processed because the parameter name 'i' is ambiguous. Possible matches include: -InformationAction -InformationVariable -alzIacProvider -userInputOverridePath.` - -This is most likely because you are not using the most recent release of the PowerShell module. Update the module and try again. If that doesn't work, follow on below. - -We have noted that some users have issues when they install the module in PowerShell 5.X instead of PowerShell 7.X. When you install a module in PowerShell 5.X (PS) it appears to override any modules installed with PowerShell 7.X (pwsh). In this scenario you need to uninstall the module from PS in order to be able to install it in pwsh. - -Follow these steps to ensure you have a working environment: - -1. Update the latest PowerShell Core / 7.X (pwsh) version. -2. Open a PS (PowerShell 5.1) terminal. You may need to be an administrator to do this. -3. Run `Uninstall-Module -Name ALZ`, then run `Get-InstalledModule -Name ALZ` -4. If the previous command shows a version of the module is still installed, then repeat the previous step until you no longer see an installed version. -5. Open a pwsh (PowerShell 7.X) terminal. -6. Run `Uninstall-Module -Name ALZ`, then run `Get-InstalledModule -Name ALZ` -7. If the previous command shows a version of the module is still installed, then repeat the previous step until you no longer see an installed version. -8. Run `Install-Module -Name ALZ` - -You should now be able to successfully run the `Deploy-Accelerator` command and continue. 
- -## 422 Error when deleting Runner Group - -When trying to destroy a GitHub environment with a runner group you may see an error like: - -`Error: DELETE https://api.github.com/orgs//actions/runner-groups/3: 422 This group cannot be deleted because it contains runners. Please remove or move them to another group before proceeding. []` - -Unfortunately, this requires manual intervantion at the moment. The runners do not delete themselves when the container instance is delete, so they will show in the offline state for 14 days prior to being deleted. - -To resolve this, you can manually delete the runners from Runner Group in the GitHub UI. You can then re-run the destroy to complete the clean up. - -This only affects you if you have Enterprise licensing and have chosen to use a Runner Group. More details can be found here: - - - -[Issues]: https://github.com/Azure/alz-terraform-accelerator/issues "Our issues log" - -## Error: creating Container Group - -If you see the following error, it is due to region (e.g. swedencentral) stating it supports availability zones, but it does not support them for Azure Container Instance. There is no way to detect this with automation, so requires a manual workaround at this time. - -In order to work around this issue, add the following setting to your input config file: - -```yaml -# GitHub -runner_container_zone_support: false - -# Azure DevOps -agent_container_zone_support: false -``` - -```text -╷ -│ Error: creating Container Group (Subscription: "0d754f66-65b4-4f64-97f5-221f0174ad48" -│ Resource Group Name: "rg-alz-r14c67r424-agents-swedencentral-001" -│ Container Group Name: "aci-alz-r14c67r424-swedencentral-002"): polling after ContainerGroupsCreateOrUpdate: polling failed: the Azure API returned the following error: -│ -│ Status: "Failed" -│ Code: "Failed" -│ Message: "The requested resource is not available in the location 'swedencentral' at this moment. 
Please retry with a different resource request or in another location. Resource requested: '2' CPU '4' GB memory 'Linux' OS" -│ Activity Id: "" -│ -│ --- -│ -│ API Response: -│ -│ ----[start]---- -│ {"id":"/subscriptions/**754f66-****-4f64-****-221f0174ad4**/resourceGroups/rg-alz-r14c67r424-agents-swedencentral-001/providers/Microsoft.ContainerInstance/containerGroups/aci-alz-r14c67r424-swedencentral-002","status":"Failed","startTime":"2024-11-29T11:15:39.9940663Z","properties":{"events":[{"count":1,"firstTimestamp":"2024-11-29T11:15:41.1163736Z","lastTimestamp":"2024-11-29T11:15:41.1163736Z","name":"InsufficientCapacity.","message":"The requested resource is not available in the location 'swedencentral' at this moment. Please retry with a different resource request or in another location. Resource requested: '2' CPU '4' GB memory 'Linux' OS","type":"Warning"}]},"error":{"message":"The requested resource is not available in the location 'swedencentral' at this moment. Please retry with a different resource request or in another location. Resource requested: '2' CPU '4' GB memory 'Linux' OS"}} -│ -----[end]----- -│ -│ -│ with module.azure.azurerm_container_group.alz["agent_02"], -│ on ../../modules/azure/container_instances.tf line 1, in resource "azurerm_container_group" "alz": -│ 1: resource "azurerm_container_group" "alz" { -│ -╵ -``` \ No newline at end of file diff --git a/docs/wiki/Upgrade-Guide.md b/docs/wiki/Upgrade-Guide.md deleted file mode 100644 index a2604ddf..00000000 --- a/docs/wiki/Upgrade-Guide.md +++ /dev/null 
@@ -1,43 +0,0 @@ - - -Although the accelerator is designed to be a one-time run, we have some rudimentary support for automatically upgrading to newer versions of the accelerator. - -This upgrade path is specifically for customers using the accelerator who haven't updated the repositories it deploys. If you have updated the repositories post initial bootstrap, you will need to take an alternative approach to upgrading. - -## Important Notes - -- The upgrade process does not support the scenario where you have made any changes to the deployed bootstrap or starter modules via git or the VCS system. If you run the upgrade it will overwrite your changes or fail. -- The upgrade process does not support breaking changes to major version of bootstrap or starter modules. If there is a breaking change, it will likely result in a destroy and re-create as part of the Terraform plan for the deployment. In most cases this may not be a problem, but you should validate prior to accepting the plan. -- If changes are made to the starter module as part of the upgrade, you will have to disable branch protection rules in the VCS system in order the update to succeed. To do this, you will need to navigate to the branch protection rules in the VCS system and disable them. The apply will see that they have been disabled and re-apply them for you automatically. - -## Upgrade Process - -If you want to upgrade to a newer version of the accelerator bootstrap and / or starter, you can follow the steps below. - -> NOTE: Behind the scenes the upgrade process copies the Terraform state file and the last set of cacched variables you entered, it is not any more intelligent than that. - -1. Run `Deploy-Accelerator`, targeting the same output folder you did for the previous version and optionally specify the version you wish to upgrade to. 
- - For example if you want to upgrade to specific versions of the starter and bootstrap module, you could run: - - ```powershell - Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -o "./my-folder" -starterRelease "2.0.1" -bootstrapRelease "2.0.2" - ``` - - - If you want to upgrade to the latest versions of both, you would run: - - ```powershell - Deploy-Accelerator -i "terraform" -b "alz_azuredevops" -o "./my-folder" - ``` - -2. You will see a message that starts with `AUTOMATIC UPGRADE:`. This will explain which version you will be upgrading from and to. E.g. `AUTOMATIC UPGRADE: We found version v2.0.0 of the bootstrap module that has been previously run. You can upgrade from this version to the new version v2.0.2` -3. You will then be prompted to confirm the upgrade. Type `upgrade` and hit enter. -4. The module will then run the upgrade process and you will see a success message once it completes. -5. The module will now follow the standard process and will pick up on the cached variables or input files and prompt you to use them. Type `use` to use the cached inputs or hit enter to update them or use input files. -6. If the new version of the accelerator has any new variables, you will be prompted to enter those manually if you haven't supplied them in an input file. -7. The module will then run the Terraform `init` and `apply` and you will see a success message once it completes. - -> NOTE: As per the important notes above. If the new version of the accelerator starter module has any changes to the files it creates, it may fail due to branch protection rules. If this happens, you will need to manually disable the branch protection rules and then re-run the `Deploy-Accelerator` command. - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) diff --git a/docs/wiki/User-Guide.md b/docs/wiki/User-Guide.md deleted file mode 100644 index 214782ce..00000000 --- a/docs/wiki/User-Guide.md +++ /dev/null 
@@ -1,20 +0,0 @@ - -## Table of Contents - -Please refer to the following to learn about the accelerator: - -- [Getting Started][wiki_getting_started] -- [Quick Start][wiki_quick_start] - - [Quick Start Phase 1][wiki_quick_start_phase_1] - - [Quick Start Phase 2][wiki_quick_start_phase_2] - - [Quick Start Phase 3][wiki_quick_start_phase_3] - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_getting_started]: %5BUser-Guide%5D-Getting-Started "Wiki - Getting Started" -[wiki_quick_start]: %5BUser-Guide%5D-Quick-Start "Wiki - Quick Start" -[wiki_quick_start_phase_1]: %5BUser-Guide%5D-Quick-Start-Phase-1 "Wiki - Quick Start - Phase 1" -[wiki_quick_start_phase_2]: %5BUser-Guide%5D-Quick-Start-Phase-2 "Wiki - Quick Start - Phase 2" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" diff --git a/docs/wiki/[User-Guide]-Advanced-Scenarios.md b/docs/wiki/[User-Guide]-Advanced-Scenarios.md deleted file mode 100644 index 9a94aa54..00000000 --- a/docs/wiki/[User-Guide]-Advanced-Scenarios.md +++ /dev/null 
@@ -1,77 +0,0 @@ - - -## Scenario 1 - Secure island for bootstrap resources - -Depending on your security needs, you may wish to store the Azure resources deployed by the bootstrap in separate subscription and optionally a separate management group hierarchy to the Azure Landing Zone. This could be the case when you need to separate the concerns of deploying and maintaining the Azure Landing Zone from the day to day access of the Azure Landing Zone. - -The resources deployed by the bootstrap vary depending on the options you choose, but they may include the following: - -- Storage account for state file -- User assigned managed identities -- [Optional] Self hosted agents -- [Optional] Networking, DNS and Private End Point for storage account - -In order to use the secure island approach, you can follow these steps: - -### Option 1 - Separate subscription under separate management group hierarchy - -1. Create a new management group under `Tenant Root Group`. -1. Apply your desired policies and permissions to the new management group. -1. Create a new subscription for the bootstrap resources and place it in the new management group. Take note of the subscription id. -1. Grant owner rights to the account you are using to deploy the accelerator on the new subscription. -1. Run the bootstrap as normal, following the instructions in the [Quick Start][wiki_quick_start] guide. -1. When you get to step for updating the input config file variables, enter the subscription id of the new subscription you created into the `bootstrap_subscription_id` field. -1. Continue with the rest of the steps in the [Quick Start][wiki_quick_start] guide. - -This will result in the bootstrap resources being deployed in the new subscription and management group hierarchy, while the Azure Landing Zone is deployed into the defined management group hierarchy. - -### Option 2 - Separate subscription under Azure Landing Zones management group hierarchy - -1. 
Create a new subscription for the bootstrap resources. Take note of the subscription id. -2. Grant owner rights to the account you are using to deploy the accelerator on the new subscription. -3. Use the `complete` starter module to deploy the Azure Landing Zone. -4. Update the `config.yaml` file to include subscription placement for the new subscription using the `subscription-id-overrides` setting. For example: - - ```yaml - archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. - root_name: es - root_id: Enterprise-Scale - deploy_corp_landing_zones: true - deploy_online_landing_zones: true - default_location: uksouth - disable_telemetry: true - deploy_management_resources: true - configure_management_resources: - location: uksouth - settings: - security_center: - config: - email_security_contact: "security_contact@replace_me" - advanced: - asc_export_resource_group_name: rg-asc-export - custom_settings_by_resource_type: - azurerm_resource_group: - management: - name: rg-management - azurerm_log_analytics_workspace: - management: - name: log-management - azurerm_automation_account: - management: - name: aa-management - subscription-id-overrides: - management: - - "00000000-0000-0000-0000-000000000000" # Your new subscription id - ``` - -5. Run the bootstrap as normal, following the instructions in the [Quick Start][wiki_quick_start] guide. -6. When you get to step for updating the input config file variables, enter the subscription id of the new subscription you created into the `bootstrap_subscription_id` field. -7. Continue with the rest of the steps in the [Quick Start][wiki_quick_start] guide. - -This will result in the bootstrap resources being deployed in the new subscription. When you then deploy the Azure Landing Zone your subscription will be moved under the `management` management group. 
- - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_quick_start]: %5BUser-Guide%5D-Quick-Start "Wiki - Quick start" diff --git a/docs/wiki/[User-Guide]-Getting-Started.md b/docs/wiki/[User-Guide]-Getting-Started.md deleted file mode 100644 index efe4d06e..00000000 --- a/docs/wiki/[User-Guide]-Getting-Started.md +++ /dev/null @@ -1,20 +0,0 @@ - -## Quick Start - -For the majority of users, this is the place to start. The quick start is a step by step guide to get your Azure Landing Zone environment up and running. - -Now follow the [Quick Start][wiki_quick_start] guide. - -## Advanced Users - -For those users with very specific requirements we provide some advanced capabilities that allow you to override some of the defaults. - -See our [FAQ][wiki_frequently_asked_questions] and [Advanced Scenarios][wiki_advanced_scenarios] for more info. - -[//]: # "************************" -[//]: # "INSERT LINK LABELS BELOW" -[//]: # "************************" - -[wiki_quick_start]: %5BUser-Guide%5D-Quick-Start "Wiki - Quick start" -[wiki_advanced_scenarios]: %5BUser-Guide%5D-Advanced-Scenarios "Wiki - Advanced Scenarios" -[wiki_frequently_asked_questions]: %5BUser-Guide%5D-FAQ "Wiki - FAQ" diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-1-Service-Principal.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-1-Service-Principal.md deleted file mode 100644 index 6cc0509b..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-1-Service-Principal.md +++ /dev/null 
@@ -1,77 +0,0 @@ - -### 1.3.2 Authenticate via Service Principal (Skip this if using a User account) - -#### 1.3.2.1 Create Service Principal - -1. Navigate to the [Azure Portal](https://portal.azure.com) and sign in to your tenant. -1. Search for `Azure Active Directory` and open it. -1. Copy the `Tenant ID` field and save it somewhere safe, making a note it is the `ARM_TENANT_ID`. -1. Click `App registrations` in the left navigation. -1. Click `+ New registration`. -1. Choose a name (SPN) that you will remember and make a note of it, we recommend using `sp-alz-bootstrap`. -1. Type the chosen name into the `Name` field. -1. Leave the other settings as default and click `Register`. -1. Wait for it to be created. -1. Copy the `Application (client) ID` field and save it somewhere safe, making a note it is the `ARM_CLIENT_ID`. -1. Click `Certificates & secrets` in the left navigation. -1. Ensure the `Client secrets` tab is selected and click `+ New client secret`. -1. Enter `ALZ Bootstrap` in the `Description` field. -1. Change the `Expires` field, choose `Custom`. -1. Set the `Start` field to todays date. -1. Set the `End` field to tomorrows date. -1. Click `Add`. -1. Copy the `Value` field save it somewhere safe, making a note that it is the `ARM_CLIENT_SECRET`. - -#### 1.3.2.2 Create Permissions - -1. The service principal name (SPN) is the username of the User account or the name of the app registration you created. -1. Search for `Subscriptions` and click to navigate to the subscription view. -1. For each of the subscriptions you created in the previous step: - 1. Navigate to the subscription. - 1. Click `Access control (IAM)` in the left navigation. - 1. Click `+ Add` and choose `Add role assignment`. - 1. Choose the `Privileged administrator roles` tab. - 1. Click `Owner` to highlight the row and then click `Next`. - 1. Leave the `User, group or service principal` option checked. - 1. 
Click `+ Select Members` and search for your SPN in the search box on the right. - 1. Click on your User to highlight it and then click `Select` and then click `Next`. - 1. Click the `Allow user to assign all roles (highly privileged)` option. - 1. Click `Review + assign`, then click `Review + assign` again when the warning appears. - 1. Wait for the role to be assigned and move onto the next subscription. -1. Search for `Management Groups` and click to navigate to the management groups view. -1. Click the parent management group you plan to deploy the Landing Zone into (this could be `Tenant Root Group` or a new management group you created). -1. Click `Access control (IAM)` in the left navigation. -1. Click `+ Add` and choose `Add role assignment`. -1. Choose the `Privileged administrator roles` tab. -1. Click `Owner` to highlight the row and then click `Next`. -1. Click `Next`. -1. Leave the `User, group or service principal` option checked. -1. Click `+ Select Members` and search for your SPN in the search box on the right. -1. Click on your User to highlight it and then click `Select`. -1. Click `Review + assign`, then click `Review + assign` again when the warning appears. -1. Wait for the role to be assigned and you are done with this part. - -#### 1.3.2.3 Set Service Principal Credentials in Terminal - -1. Open a new PowerShell Core (pwsh) terminal. -1. Find the `ARM_TENANT_ID` you made a note of earlier. -1. Type `$env:ARM_TENANT_ID=""` and hit enter. -1. Find the `ARM_CLIENT_ID` you made a note of earlier. -1. Type `$env:ARM_CLIENT_ID=""` and hit enter. -1. Find the `ARM_CLIENT_SECRET` you made a note of earlier. -1. Type `$env:ARM_CLIENT_SECRET=""` and hit enter. -1. Find the subscription id of the management subscription you made a note of earlier. -1. Type `$env:ARM_SUBSCRIPTION_ID=""` and hit enter. - -[!NOTE] -If you close your PowerShell prompt prior to running the bootstrap, you need to re-enter these environment variables. 
- -## Next Steps - -Return to [Phase 1][wiki_quick_start_phase_1] step 1.4. - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_quick_start_phase_1]: %5BUser-Guide%5D-Quick-Start-Phase-1 "Wiki - Quick Start - Phase 1" diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-1.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-1.md deleted file mode 100644 index d5458598..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-1.md +++ /dev/null 
@@ -1,156 +0,0 @@ - -Phase 1 of the accelerator is to setup your pre-requisites. Follow the steps below to do that. - -## 1.1 Tools - -You'll need to install the following tools before getting started. - -- PowerShell 7.4 (or newer): [Follow the instructions for your operating system](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell) -- Azure CLI 2.55.0 (or newer): [Follow the instructions for your operating system](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) - -> NOTE: In all cases, ensure that the tools are available from a PowerShell core (pwsh) terminal. You may need to add them to your environment path if they are not. - -## 1.2 Azure Subscriptions - -We recommend setting up 3 subscriptions for Azure landing zones. These are management, identity and connectivity. See our [advanced scenarios][wiki_advanced_scenarios] section for alternatives. - -- Management: This is used to deploy the bootstrap and management resources, such as log analytics and automation accounts. -- Identity: This is used to deploy the identity resources, such as Azure AD and Azure AD Domain Services. -- Connectivity: This is used to deploy the hub networking resources, such as virtual networks and firewalls. - -You can read more about the management, identity and connectivity subscriptions in the [Landing Zone docs](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/deploy-landing-zones-with-terraform). - -To create the subscriptions you will need access to a billing agreement. 
The following links detail the permissions required for each type of agreement: - -- [Enterprise Agreement (EA)](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-enterprise-subscription) -- [Microsoft Customer Agreement (MCA)](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription) - -Once you have the access required, create the three subscriptions following your desired naming convention. - -Take note of the subscription id of each subscription as we will need them later. - -## 1.3 Azure Authentication and Permissions - -You need either an Azure User Account or Service Principal with the following permissions to run the bootstrap: - -- `Owner` on your chosen parent management group for the Azure landing zone. This could be `Tenant Root Group` or a new management group you create under there if preferred. - - Owner is required as this account will be granting permissions for the identities that run the management group deployment. Those identities will be granted least privilege permissions. -- `Owner` on each of your 3 Azure landing zone subscriptions. - -For simplicity we recommend using a User account since this is a one off process that you are unlikely to repeat. - -### 1.3.1 Authenticate via User Account - -1. Open a new PowerShell Core (pwsh) terminal. -1. Run `az login`. -1. You'll be redirected to a browser to login, perform MFA, etc. -1. Find the subscription id of the management subscription you made a note of earlier. -1. Type `az account set --subscription ""` and hit enter. -1. Type `az account show` and verify that you are connected to the management subscription. - -### 1.3.2 Authenticate via Service Principal (Skip this if using a User account) - -Follow the instructions in the [Service Principal][wiki_quick_start_phase_1_service_principal] section. 
- -## 1.4 Version Control Systems - -You'll need to decide if you are using GitHub, Azure DevOps or the Local File System and follow these steps: - -### 1.4.1 Azure DevOps - -#### 1.4.1.1 Azure DevOps Pre-Requisites - -When you first create an Azure DevOps organization, it will not have any Microsoft-hosted agents available. If you intend to use Microsoft-hosted agents, you must either license your org or request a free pipeline. - -1. Setup billing for your organization: [Set up billing for your organization](https://learn.microsoft.com/en-us/azure/devops/organizations/billing/set-up-billing-for-your-organization-vs?view=azure-devops) -2. Check for and request a free pipeline via the form here: [Configure and pay for parallel jobs](https://learn.microsoft.com/en-us/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted#how-much-do-parallel-jobs-cost) - -If you choose the billing option, you'll then need to purchase at least one parallel pipeline. You can do this by following the instructions here: [Configure and pay for parallel jobs](https://learn.microsoft.com/en-us/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted#how-do-i-buy-more-parallel-jobs). - -#### 1.4.1.2 Azure DevOps Personal Access Token (PAT) - -This first PAT is referred to as `token-1`. - -1. Navigate to [dev.azure.com](https://dev.azure.com) and sign in to your organization. -1. Ensure you navigate to the organization you want to deploy to. -1. Click the `User settings` icon in the top right and select `Personal access tokens`. -1. Click `+ New Token`. -1. Enter `Azure Landing Zone Terraform Accelerator` in the `Name` field. -1. Alter the `Expiration` drop down and select `Custom defined`. -1. Choose tomorrows date in the date picker. -1. Click the `Show all scopes` link at the bottom. -1. Check the following scopes: - 1. `Agent Pools`: `Read & manage` - 1. `Build`: `Read & execute` - 1. `Code`: `Full` - 1. 
`Environment`: `Read & manage` - 1. `Graph`: `Read & manage` - 1. `Pipeline Resources`: `Use & manage` - 1. `Project and Team`: `Read, write & manage` - 1. `Service Connections`: `Read, query & manage` - 1. `Variable Groups`: `Read, create & manage` -1. Click `Create`. -1. Copy the token and save it somewhere safe. -1. Click `Close`. - -If you are using self-hosted runners, you will need to create a second PAT that we'll refer to as `token-2` for them. You can do this by following the steps above with the following differences: - -1. Select the maximum value for the `Expiration` field (this allows up to 1 year). NOTE: You may want to set a shorter expiration date for security reasons. In either case, you will need to have a process in place to extend expiration the token before it expires. -1. Select only the `Agent Pools`: `Read & manage` scope. - -### 1.4.2 GitHub - -#### 1.4.2.1 GitHub Pre-Requisites - -The accelerator does not support GitHub personal accounts, since they don't support all the features required for security. You must have a GitHub organization account or the accelerator will fail on apply. You can create a free organization [here](https://github.com/organizations/plan). Learn more about account types [here](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts). - -> NOTE: If you choose to use a `free` organization account the accelerator bootstrap will make your repositories public. It must do this to support the functionality required by the accelerator. This is not recommended for production environments. - -#### 1.4.2.2 GitHub Personal Access Token (PAT) - -> NOTE: The following instructions refer to `classic` personal access tokens. You can also use `fine-grained` access tokens which are still in beta to provide more granular permissions. These docs will be updated to reflect this in the future. - -This first PAT is referred to as `token-1`. - -1. Navigate to [github.com](https://github.com). -1. 
Click on your user icon in the top right and select `Settings`. -1. Scroll down and click on `Developer Settings` in the left navigation. -1. Click `Personal access tokens` in the left navigation and select `Tokens (classic)`. -1. Click `Generate new token` at the top and select `Generate new token (classic)`. -1. Enter `Azure Landing Zone Terraform Accelerator` in the `Note` field. -1. Alter the `Expiration` drop down and select `Custom`. -1. Choose tomorrows date in the date picker. -1. Check the following scopes: - 1. `repo` - 1. `workflow` - 1. `admin:org` - 1. `user`: `read:user` - 1. `user`: `user:email` - 1. `delete_repo` -1. Click `Generate token`. -1. Copy the token and save it somewhere safe. -1. If your organization uses single sign on, then click the `Configure SSO` link next to your new PAT. -1. Select your organization and click `Authorize`, then follow the prompts to allow SSO. - -If you are using self-hosted runners, you will need to create a second PAT that we'll refer to as `token-2` for them. You can do this by following the steps above with the following differences: - -1. Select `No expiration` for the `Expiration` field. NOTE: You may want to set an expiration date for security reasons, but you will need to have a process in place to regenerate the token in that scenario. -1. The scope required depends on the type of organization you are using: - 1. If you are using a Free organization or an Enterprise orgnization without a runner group, select only the `repo` scope. - 1. If you are using an Enterprise organization and a runner group, select the `admin:org` scope for classic tokens (or `organization_self_hosted_runners:write` for fine-grained tokens). - -### 1.4.3 Local File System - -You just need to ensure that you have a folder on your local file system that you can use to store the files, which your current session has access to. - -## Next Steps - -Now head to [Phase 2][wiki_quick_start_phase_2]. 
- - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_quick_start_phase_2]: %5BUser-Guide%5D-Quick-Start-Phase-2 "Wiki - Quick Start - Phase 2" -[wiki_quick_start_phase_1_service_principal]: %5BUser-Guide%5D-Quick-Start-Phase-1-Service-Principal "Wiki - Quick Start - Phase 1 - Service Principal" -[wiki_advanced_scenarios]: %5BUser-Guide%5D-Advanced-Scenarios "Wiki - Advanced Scenarios" diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md deleted file mode 100644 index 94c0a0f8..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Azure-DevOps.md +++ /dev/null 
@@ -1,202 +0,0 @@ - -## 2.2.1 Azure DevOps - -You can choose to bootstrap with `bicep` or `terraform` skip to the relevant section below to do that. - -Although you can just run `Deploy-Accelerator` and fill out the prompted inputs, we recommend creating an inputs file. This will make it easier to run the accelerator more than once in order to refine your preferred configuration. In the following docs, we'll show that approach, but if you want to be prompted for inputs, just go ahead and run `Deploy-Accelerator` now. - -### 2.2.1.1 Azure DevOps with Bicep - -1. Create a new folder on your local drive called `accelerator`. -1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works. -1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`. - - ```pwsh - # Windows - New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force - New-Item -ItemType "directory" c:\accelerator\output - ``` - - ```pwsh - # Linux/Mac - New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force - New-Item -ItemType "directory" /accelerator/output - ``` - - ```plaintext - 📂accelerator - ┣ 📂config - ┃ ┗ 📜inputs.yaml - ┗ 📂output - ``` - -1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from [inputs-azure-devops-bicep-complete.yaml][example_powershell_inputs_azure_devops_bicep_complete] into that file. -1. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets `<>`: - - >NOTE: The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don't wish to persist to a file. The `Env Var Prefix` denotes the prefix the environment variable should have. 
The environment variable is formatting is `_`, e.g. `env:ALZ_iac_type = "bicep"` or `env:TF_VAR_azure_devops_personal_access_token = "*****..."`. - - | Input | Env Var Prefix | Placeholder | Description | - | - | - | -- | --- | - | `iac_type` | `ALZ` | `bicep` | This is the choice of `bicep` or `terraform`. Keep this as `bicep` for this example. | - | `bootstrap_module_name` | `ALZ` | `alz_azuredevops` | This is the choice of Version Control System. Keep this as `alz_azuredevops` for this example. | - | `starter_module_name` | `ALZ` | `complete` | This is the choice of [Starter Modules][wiki_starter_modules], which is the baseline configuration you want for your Azure landing zone. Keep this as `complete` for this example. | - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `starter_locations` | `TF_VAR` | `[,]` | Replace `` and `` with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the `name` of the regions in and array, such as `["uksouth", "ukwest"]`. You can find a full list of names by running `az account list-locations -o table`. | - | `root_parent_management_group_id` | `TF_VAR` | `""` | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the `Tenant Root Group` management group, you leave this as an empty string `""` or supply the tenant id. | - | `subscription_id_management` | `TF_VAR` | `` | Replace `` with the id of the management subscription you created in the previous phase. | - | `subscription_id_identity` | `TF_VAR` | `` | Replace `` with the id of the identity subscription you created in the previous phase. 
| - | `subscription_id_connectivity` | `TF_VAR` | `` | Replace `` with the id of the connectivity subscription you created in the previous phase. | - | `azure_devops_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-1` Azure DevOps PAT you generated in a previous step. | - | `azure_devops_agents_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-2` Azure DevOps PAT you generated in the previous step specifically for the self-hosted agents. This only applies if you have `use_self_hosted_agents` set to `true`. You can set this to an empty string `""` if you are not using self-hosted agents. | - | `azure_devops_organization_name` | `TF_VAR` | `` | Replace `` with the name of your Azure DevOps organization. This is the section of the url after `dev.azure.com` or before `.visualstudio.com`. E.g. enter `my-org` for `https://dev.azure.com/my-org`. | - | `use_separate_repository_for_templates` | `TF_VAR` | `true` | Determine whether to create a separate repository to store pipeline templates as an extra layer of security. Set to `false` if you don't wish to secure your pipeline templates by using a separate repository. This will default to `true`. | - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `bootstrap_subscription_id` | `TF_VAR` | `""` | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via `az login` will be used. In most cases this is the management subscription, but you can specifiy a separate subscription if you prefer. | - | `service_name` | `TF_VAR` | `alz` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg--mgmt-uksouth-001`. 
We recommend using `alz` for this. | - | `environment_name` | `TF_VAR` | `mgmt` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz--uksouth-001`. We recommend using `mgmt` for this. | - | `postfix_number` | `TF_VAR` | `1` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz-mgmt-uksouth-`. We recommend using `1` for this. | - | `azure_devops_use_organisation_legacy_url` | `TF_VAR` | `false` | If you have not migrated to the modern url (still using `https://.visualstudio.com`) for your Azure DevOps organisation, then set this to `true`. | - | `azure_devops_create_project` | `TF_VAR` | `true` | If you have an existing project you want to use rather than creating a new one, select `true`. We recommend creating a new project to ensure it is isolated by a strong security boundary. | - | `azure_devops_project_name` | `TF_VAR` | `` | Replace `` with the name of the Azure DevOps project to create or the name of an existing project if you set `azure_devops_create_project` to `false`. | - | `use_self_hosted_agents` | `TF_VAR` | `true` | This controls if you want to deploy self-hosted agents. This will default to `true`. | - | `use_private_networking` | `TF_VAR` | `true` | This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `true`. | - | `allow_storage_access_from_my_ip` | `TF_VAR` | `false` | This is not relecant to Bicep and we'll remove the need to specify it later, leave it set to `false`. | - | `apply_approvers` | `TF_VAR` | `` | This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is an array of strings like `["abc@xyz.com", "def@xyz.com", "ghi@xyz.com"]`. 
You may need to check what the SPN is prior to filling this out as it can vary based on identity provider. Use empty array `[]` to disable approvals. Note if supplying via the user interface, use a comma separated string like `abc@xyz.com,def@xyz.com,ghi@xyz.com`. | - | `create_branch_policies` | `TF_VAR` | `true` | This controls whether to create branch policies for the repository. This defaults to `true`. | - -1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done. - - [Bicep Complete Starter Module][wiki_starter_module_bicep_complete] -1. In your PowerShell Core (pwsh) terminal run the module: - - ```pwsh - # Windows (adjust the paths to match your setup) - Deploy-Accelerator -inputs "c:\accelerator\config\inputs.yaml" -output "c:\accelerator\output" - ``` - - ```pwsh - # Linux/Mac (adjust the paths to match your setup) - Deploy-Accelerator -inputs "/accelerator/config/inputs.yaml" -output "/accelerator/output" - ``` - -1. You will see a Terraform `init` and `apply` happen. -1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed. -1. If you are happy with the plan, then type `yes` and hit enter. -1. The Terraform will `apply` and your environment will be bootstrapped. - -### 2.2.1.2 Azure DevOps with Terraform - -1. Create a new folder on you local drive called `accelerator`. -1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works. -1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`. 
- - ```pwsh - # Windows - New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force - New-Item -ItemType "directory" c:\accelerator\output - ``` - - ```pwsh - # Linux/Mac - New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force - New-Item -ItemType "directory" /accelerator/output - ``` - - ```plaintext - 📂accelerator - ┣ 📂config - ┃ ┗ 📜inputs.yaml - ┗ 📂output - ``` - -1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module: - 1. Complete Multi Region - [inputs-azure-devops-terraform-complete-multi-region.yaml][example_powershell_inputs_azure_devops_terraform_complete_multi_region] - 1. Financial Services Industry Landing Zone - [inputs-azure-devops-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone] - 1. Sovereign Landing Zone - [inputs-azure-devops-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone] - 1. Basic - [inputs-azure-devops-terraform-basic.yaml][example_powershell_inputs_azure_devops_terraform_basic] - 1. Hub Networking - [inputs-azure-devops-terraform-hubnetworking.yaml][example_powershell_inputs_azure_devops_terraform_hubnetworking] - 1. Complete - [inputs-azure-devops-terraform-complete.yaml][example_powershell_inputs_azure_devops_terraform_complete] - -1. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets `<>`: - - >NOTE: The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don't wish to persist to a file. The `Env Var Prefix` denotes the prefix the environment variable should have. The environment variable is formatting is `_`, e.g. `env:ALZ_iac_type = "terraform"` or `env:TF_VAR_azure_devops_personal_access_token = "*****..."`. 
- - | Input | Env Var Prefix | Placeholder | Description | - | - | - | -- | --- | - | `iac_type` | `ALZ` | `terraform` | This is the choice of `bicep` or `terraform`. Keep this as `terraform` for this example. | - | `bootstrap_module_name` | `ALZ` | `alz_azuredevops` | This is the choice of Version Control System. Keep this as `alz_azuredevops` for this example. | - | `starter_module_name` | `ALZ` | `complete_multi_region` | This is the choice of [Starter Modules][wiki_starter_modules], which is the baseline configuration you want for your Azure landing zone. Choose `complete_multi_region`, `complete`, `hubnetworking` or `basic` for this example. | - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `starter_locations` | `TF_VAR` | `[,]` | Replace `` and `` with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the `name` of the regions in and array, such as `["uksouth", "ukwest"]`. You can find a full list of names by running `az account list-locations -o table`. | - | `root_parent_management_group_id` | `TF_VAR` | `""` | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the `Tenant Root Group` management group, you leave this as an empty string `""` or supply the tenant id. | - | `subscription_id_management` | `TF_VAR` | `` | Replace `` with the id of the management subscription you created in the previous phase. | - | `subscription_id_identity` | `TF_VAR` | `` | Replace `` with the id of the identity subscription you created in the previous phase. 
| - | `subscription_id_connectivity` | `TF_VAR` | `` | Replace `` with the id of the connectivity subscription you created in the previous phase. | - | `azure_devops_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-1` Azure DevOps PAT you generated in a previous step. | - | `azure_devops_agents_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-2` Azure DevOps PAT you generated in the previous step specifically for the self-hosted agents. This only applies if you have `use_self_hosted_agents` set to `true`. You can set this to an empty string `""` if you are not using self-hosted agents. | - | `azure_devops_organization_name` | `TF_VAR` | `` | Replace `` with the name of your Azure DevOps organization. This is the section of the url after `dev.azure.com` or before `.visualstudio.com`. E.g. enter `my-org` for `https://dev.azure.com/my-org`. | - | `use_separate_repository_for_templates` | `TF_VAR` | `true` | Determine whether to create a separate repository to store pipeline templates as an extra layer of security. Set to `false` if you don't wish to secure your pipeline templates by using a separate repository. This will default to `true`. | - | `bootstrap_subscription_id` | `TF_VAR` | `""` | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via `az login` will be used. In most cases this is the management subscription, but you can specifiy a separate subscription if you prefer. | - | `service_name` | `TF_VAR` | `alz` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg--mgmt-uksouth-001`. We recommend using `alz` for this. | - | `environment_name` | `TF_VAR` | `mgmt` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz--uksouth-001`. We recommend using `mgmt` for this. 
| - | `postfix_number` | `TF_VAR` | `1` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz-mgmt-uksouth-`. We recommend using `1` for this. | - | `azure_devops_use_organisation_legacy_url` | `TF_VAR` | `false` | If you have not migrated to the modern url (still using `https://.visualstudio.com`) for your Azure DevOps organisation, then set this to `true`. | - | `azure_devops_create_project` | `TF_VAR` | `true` | If you have an existing project you want to use rather than creating a new one, select `true`. We recommend creating a new project to ensure it is isolated by a strong security boundary. | - | `azure_devops_project_name` | `TF_VAR` | `` | Replace `` with the name of the Azure DevOps project to create or the name of an existing project if you set `azure_devops_create_project` to `false`. | - | `use_self_hosted_agents` | `TF_VAR` | `true` | This controls if you want to deploy self-hosted agents. This will default to `true`. | - | `use_private_networking` | `TF_VAR` | `true` | This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `true`. | - | `allow_storage_access_from_my_ip` | `TF_VAR` | `false` | This controls whether to allow access to the storage account from your IP address. This is only needed for trouble shooting. This only applies if you have `use_private_networking` set to `true`. This defaults to `false`. | - | `apply_approvers` | `TF_VAR` | `` | This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is an array of strings like `["abc@xyz.com", "def@xyz.com", "ghi@xyz.com"]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider. Use empty array `[]` to disable approvals. 
Note if supplying via the user interface, use a comma separated string like `abc@xyz.com,def@xyz.com,ghi@xyz.com`. | - | `create_branch_policies` | `TF_VAR` | `true` | This controls whether to create branch policies for the repository. This defaults to `true`. | - | `architecture_definition_name` | `TF_VAR` | N/A | This is the name of the architecture definition to use when applying the ALZ archetypes via the architecture definition template. This is only relevant to some starter modules, such as the `sovereign_landing_zone` starter module. This defaults to `null`. | - -1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done. - - [Terraform Complete Multi Region Starter Module][wiki_starter_module_terraform_complete_multi_region]: Management groups, policies, Multi Region hub networking with fully custom configuration. - - [Terraform Financial Services Industry Landing Zone Starter Module][wiki_starter_module_terraform_financial_services_industry_landing_zone]: Management groups, policies, hub networking for the Financial Services Industry Landing Zone. - - [Terraform Sovereign Landing Zone Starter Module][wiki_starter_module_terraform_sovereign_landing_zone]: Management groups, policies, hub networking for the Sovereign Landing Zone. - - [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies. - - [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking. - - [Terraform Complete Starter Module][wiki_starter_module_terraform_complete]: Management groups, policies, hub networking with fully custom configuration. - -1. In your PowerShell Core (pwsh) terminal run the module: - - >NOTE: The following examples include 2 input files. This is the recommended approach for the `complete_multi_region` starter module. 
However, all inputs can be combined into a single file if desired and other starter modules only require a single input file. - - ```pwsh - # Windows (adjust the paths to match your setup) - Deploy-Accelerator -inputs "c:\accelerator\config\inputs.yaml", "c:\accelerator\config\networking.yaml" -output "c:\accelerator\output" - ``` - - ```pwsh - # Linux/Mac (adjust the paths to match your setup) - Deploy-Accelerator -inputs "/accelerator/config/inputs.yaml", "/accelerator/config/networking.yaml" -output "/accelerator/output" - ``` - -1. You will see a Terraform `init` and `apply` happen. -1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed. -1. If you are happy with the plan, then type `yes` and hit enter. -1. The Terraform will `apply` and your environment will be bootstrapped. - -## Next Steps - -Now head to [Phase 3][wiki_quick_start_phase_3]. - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_starter_modules]: %5BUser-Guide%5D-Starter-Modules "Wiki - Starter Modules" -[wiki_starter_module_bicep_complete]: %5BUser-Guide%5D-Starter-Module-Bicep-Complete "Wiki - Starter Modules - Bicep Complete" -[wiki_starter_module_terraform_basic]: %5BUser-Guide%5D-Starter-Module-Terraform-Basic "Wiki - Starter Modules - Terraform Basic" -[wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking" -[wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete" -[wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region" -[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone 
"Wiki - Starter Modules - Terraform Financial Services Industry Landing Zone" -[wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform Sovereign Landing Zone" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" -[example_powershell_inputs_azure_devops_bicep_complete]: examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Bicep - Complete" -[example_powershell_inputs_azure_devops_terraform_basic]: examples/powershell-inputs/inputs-azure-devops-terraform-basic.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Basic" -[example_powershell_inputs_azure_devops_terraform_hubnetworking]: examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Hub Networking" -[example_powershell_inputs_azure_devops_terraform_complete]: examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete" -[example_powershell_inputs_azure_devops_terraform_complete_multi_region]: examples/powershell-inputs/inputs-azure-devops-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete Multi Region" -[example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Financial Services Industry Landing Zone" -[example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Sovereign Landing Zone" 
diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md deleted file mode 100644 index 492d6014..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-GitHub.md +++ /dev/null 
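Review bot: the `azure_devops_create_project` row in the removed 2.2.1.2 table of the Azure DevOps quick start (the hunk that ends just above this file header) contradicts the row after it: it says to select `true` when you want to use an existing project, while `azure_devops_project_name` describes the existing-project case as `azure_devops_create_project` set to `false`. If this table is being relocated rather than dropped, correct the first row to say `false` so the two rows agree. The `apply_approvers` row also describes "service principal names (SPN) of people" while its examples are e-mail style names such as `abc@xyz.com`, so check whether user principal names were meant. Approvals and branch policies are the controls that gate `apply`, and nothing in the visible part of this diff adds a replacement page, so please confirm the successor documentation still covers `apply_approvers`, `create_branch_policies` and `use_separate_repository_for_templates` before these pages are removed.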
@@ -1,188 +0,0 @@ - -## 2.2.2 GitHub - -You can choose to bootstrap with `bicep` or `terraform` skip to the relevant section below to do that. - -Although you can just run `Deploy-Accelerator` and fill out the prompted inputs, we recommend creating an inputs file. This will make it easier to run the accelerator more than once in order to refine your preferred configuration. In the following docs, we'll show that approach, but if you want to be prompted for inputs, just go ahead and run `Deploy-Accelerator` now. - -### 2.2.2.1 GitHub with Bicep - -1. Create a new folder on your local drive called `accelerator`. -1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works. -1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`. - - ```pwsh - # Windows - New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force - New-Item -ItemType "directory" c:\accelerator\output - - # Linux/Mac - New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force - New-Item -ItemType "directory" /accelerator/output - ``` - - ```plaintext - 📂accelerator - ┣ 📂config - ┃ ┗ 📜inputs.yaml - ┗ 📂output - ``` - -1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from [inputs-github-bicep-complete.yaml][example_powershell_inputs_github_bicep_complete] into that file. -1. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets `<>`: - - >NOTE: The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don't wish to persist to a file. The `Env Var Prefix` denotes the prefix the environment variable should have. The environment variable is formatting is `_`, e.g. 
`env:ALZ_iac_type = "bicep"` or `env:TF_VAR_github_personal_access_token = "*****..."`. - - | Input | Env Var Prefix | Placeholder | Description | - | - | - | -- | --- | - | `iac_type` | `ALZ` | `bicep` | This is the choice of `bicep` or `terraform`. Keep this as `bicep` for this example. | - | `bootstrap_module_name` | `ALZ` | `alz_github` | This is the choice of Version Control System. Keep this as `alz_github` for this example. | - | `starter_module_name` | `ALZ` | `complete` | This is the choice of [Starter Modules][wiki_starter_modules], which is the baseline configuration you want for your Azure landing zone. Keep this as `complete` for this example. | - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `starter_locations` | `TF_VAR` | `[,]` | Replace `` and `` with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the `name` of the regions in and array, such as `["uksouth", "ukwest"]`. You can find a full list of names by running `az account list-locations -o table`. | - | `root_parent_management_group_id` | `TF_VAR` | `""` | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the `Tenant Root Group` management group, you leave this as an empty string `""` or supply the tenant id. | - | `subscription_id_management` | `TF_VAR` | `` | Replace `` with the id of the management subscription you created in the previous phase. | - | `subscription_id_identity` | `TF_VAR` | `` | Replace `` with the id of the identity subscription you created in the previous phase. 
| - | `subscription_id_connectivity` | `TF_VAR` | `` | Replace `` with the id of the connectivity subscription you created in the previous phase. | - | `github_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-1` GitHub PAT you generated in a previous step. | - | `github_runners_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-2` GitHub PAT you generated in the previous step specifically for the self-hosted runners. This only applies if you have `use_self_hosted_agents` set to `true`. You can set this to an empty string `""` if you are not using self-hosted runners. | - | `github_organization_name` | `TF_VAR` | `` | Replace `` with the name of your GitHub organization. This is the section of the url after `github.com`. E.g. enter `my-org` for `https://github.com/my-org`. | - | `use_separate_repository_for_templates` | `TF_VAR` | `true` | Determine whether to create a separate repository to store workflow templates as an extra layer of security. Set to `false` if you don't wish to secure your workflow templates by using a separate repository. This will default to `true`. | - | `bootstrap_subscription_id` | `TF_VAR` | `""` | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via `az login` will be used. In most cases this is the management subscription, but you can specifiy a separate subscription if you prefer. | - | `service_name` | `TF_VAR` | `alz` | This is used to build up the names of your Azure and GitHub resources, for example `rg--mgmt-uksouth-001`. We recommend using `alz` for this. | - | `environment_name` | `TF_VAR` | `mgmt` | This is used to build up the names of your Azure and GitHub resources, for example `rg-alz--uksouth-001`. We recommend using `mgmt` for this. | - | `postfix_number` | `TF_VAR` | `1` | This is used to build up the names of your Azure and GitHub resources, for example `rg-alz-mgmt-uksouth-`. 
We recommend using `1` for this. | - | `use_self_hosted_agents` | `TF_VAR` | `true` | This controls if you want to deploy self-hosted agents. This will default to `true`. | - | `use_private_networking` | `TF_VAR` | `true` | This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `true`. | - | `allow_storage_access_from_my_ip` | `TF_VAR` | `false` | This is not relevant to Bicep and we'll remove the need to specify it later, leave it set to `false`. | - | `apply_approvers` | `TF_VAR` | `` | This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is an array of strings like `["abc@xyz.com", "def@xyz.com", "ghi@xyz.com"]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider. Use empty array `[]` to disable approvals. Note if supplying via the user interface, use a comma separated string like `abc@xyz.com,def@xyz.com,ghi@xyz.com`. | - | `create_branch_policies` | `TF_VAR` | `true` | This controls whether to create branch policies for the repository. This defaults to `true`. | - -1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done. - - [Bicep Complete Starter Module][wiki_starter_module_bicep_complete] -1. In your PowerShell Core (pwsh) terminal run the module: - - ```pwsh - # Windows (adjust the paths to match your setup) - Deploy-Accelerator -inputs "c:\accelerator\config\inputs.yaml" -output "c:\accelerator\output" - - # Linux/Mac (adjust the paths to match your setup) - Deploy-Accelerator -inputs "/accelerator/config/inputs.yaml" -output "/accelerator/output" - ``` - -1. You will see a Terraform `init` and `apply` happen. -1. 
There will be a pause after the `plan` phase you allow you to validate what is going to be deployed. -1. If you are happy with the plan, then type `yes` and hit enter. -1. The Terraform will `apply` and your environment will be bootstrapped. - -### 2.2.2.2 GitHub with Terraform - -1. Create a new folder on you local drive called `accelerator`. -1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works. -1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`. - - ```pwsh - # Windows - New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force - New-Item -ItemType "directory" c:\accelerator\output - - # Linux/Mac - New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force - New-Item -ItemType "directory" /accelerator/output - ``` - - ```plaintext - 📂accelerator - ┣ 📂config - ┃ ┗ 📜inputs.yaml - ┗ 📂output - ``` - -1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module: - 1. Complete Multi Region - [inputs-github-terraform-complete-multi-region.yaml][example_powershell_inputs_github_terraform_complete_multi_region] - 1. Financial Services Industry Landing Zone - [inputs-github-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_github_terraform_financial_services_industry_landing_zone] - 1. Sovereign Landing Zone - [inputs-github-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_github_terraform_sovereign_landing_zone] - 1. Basic - [inputs-github-terraform-basic.yaml][example_powershell_inputs_github_terraform_basic] - 1. Hub Networking - [inputs-github-terraform-hubnetworking.yaml][example_powershell_inputs_github_terraform_hubnetworking] - 1. 
Complete - [inputs-github-terraform-complete.yaml][example_powershell_inputs_github_terraform_complete] -1. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets `<>`: - - >NOTE: The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don't wish to persist to a file. The `Env Var Prefix` denotes the prefix the environment variable should have. The environment variable is formatting is `_`, e.g. `env:ALZ_iac_type = "terraform"` or `env:TF_VAR_github_personal_access_token = "*****..."`. - - | Input | Env Var Prefix | Placeholder | Description | - | - | - | -- | --- | - | `iac_type` | `ALZ` | `terraform` | This is the choice of `bicep` or `terraform`. Keep this as `terraform` for this example. | - | `bootstrap_module_name` | `ALZ` | `alz_github` | This is the choice of Version Control System. Keep this as `alz_github` for this example. | - | `starter_module_name` | `ALZ` | `complete_multi_region` | This is the choice of [Starter Modules][wiki_starter_modules], which is the baseline configuration you want for your Azure landing zone. Choose `complete_multi_region`, `complete`, `hubnetworking` or `basic` for this example. | - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `starter_locations` | `TF_VAR` | `[,]` | Replace `` and `` with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the `name` of the regions in and array, such as `["uksouth", "ukwest"]`. You can find a full list of names by running `az account list-locations -o table`. 
| - | `root_parent_management_group_id` | `TF_VAR` | `""` | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the `Tenant Root Group` management group, you leave this as an empty string `""` or supply the tenant id. | - | `subscription_id_management` | `TF_VAR` | `` | Replace `` with the id of the management subscription you created in the previous phase. | - | `subscription_id_identity` | `TF_VAR` | `` | Replace `` with the id of the identity subscription you created in the previous phase. | - | `subscription_id_connectivity` | `TF_VAR` | `` | Replace `` with the id of the connectivity subscription you created in the previous phase. | - | `github_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-1` GitHub PAT you generated in a previous step. | - | `github_runners_personal_access_token` | `TF_VAR` | `` | Replace `` with the `token-2` GitHub PAT you generated in the previous step specifically for the self-hosted runners. This only applies if you have `use_self_hosted_agents` set to `true`. You can set this to an empty string `""` if you are not using self-hosted runners. | - | `github_organization_name` | `TF_VAR` | `` | Replace `` with the name of your GitHub organization. This is the section of the url after `github.com`. E.g. enter `my-org` for `https://github.com/my-org`. | - | `use_separate_repository_for_templates` | `TF_VAR` | `true` | Determine whether to create a separate repository to store workflow templates as an extra layer of security. Set to `false` if you don't wish to secure your workflow templates by using a separate repository. This will default to `true`. | - | `bootstrap_subscription_id` | `TF_VAR` | `""` | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via `az login` will be used. 
In most cases this is the management subscription, but you can specifiy a separate subscription if you prefer. | - | `service_name` | `TF_VAR` | `alz` | This is used to build up the names of your Azure and GitHub resources, for example `rg--mgmt-uksouth-001`. We recommend using `alz` for this. | - | `environment_name` | `TF_VAR` | `mgmt` | This is used to build up the names of your Azure and GitHub resources, for example `rg-alz--uksouth-001`. We recommend using `mgmt` for this. | - | `postfix_number` | `TF_VAR` | `1` | This is used to build up the names of your Azure and GitHub resources, for example `rg-alz-mgmt-uksouth-`. We recommend using `1` for this. | - | `use_self_hosted_agents` | `TF_VAR` | `true` | This controls if you want to deploy self-hosted agents. This will default to `true`. | - | `use_private_networking` | `TF_VAR` | `true` | This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have `use_self_hosted_agents` set to `true`. This defaults to `true`. | - | `allow_storage_access_from_my_ip` | `TF_VAR` | `false` | This controls whether to allow access to the storage account from your IP address. This is only needed for trouble shooting. This only applies if you have `use_private_networking` set to `true`. This defaults to `false`. | - | `apply_approvers` | `TF_VAR` | `` | This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is an array of strings like `["abc@xyz.com", "def@xyz.com", "ghi@xyz.com"]`. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider. Use empty array `[]` to disable approvals. Note if supplying via the user interface, use a comma separated string like `abc@xyz.com,def@xyz.com,ghi@xyz.com`. | - | `create_branch_policies` | `TF_VAR` | `true` | This controls whether to create branch policies for the repository. 
This defaults to `true`. | - | `architecture_definition_name` | `TF_VAR` | N/A | This is the name of the architecture definition to use when applying the ALZ archetypes via the architecture definition template. This is only relevant to some starter modules, such as the `sovereign_landing_zone` starter module. This defaults to `null`. | - -1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done. - - [Terraform Complete Multi Region Starter Module][wiki_starter_module_terraform_complete_multi_region]: Management groups, policies, Multi Region hub networking with fully custom configuration. - - [Terraform Financial Services Industry Landing Zone Starter Module][wiki_starter_module_terraform_financial_services_industry_landing_zone]: Management groups, policies, hub networking for the Financial Services Industry Landing Zone. - - [Terraform Sovereign Landing Zone Starter Module][wiki_starter_module_terraform_sovereign_landing_zone]: Management groups, policies, hub networking for the Sovereign Landing Zone. - - [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies. - - [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking. - - [Terraform Complete Starter Module][wiki_starter_module_terraform_complete]: Management groups, policies, hub networking with fully custom configuration. - -1. In your PowerShell Core (pwsh) terminal run the module: - - >NOTE: The following examples include 2 input files. This is the recommended approach for the `complete_multi_region` starter module. However, all inputs can be combined into a single file if desired and other starter modules only require a single input file. 
- - ```pwsh - # Windows (adjust the paths to match your setup) - Deploy-Accelerator -inputs "c:\accelerator\config\inputs.yaml", "c:\accelerator\config\networking.yaml" -output "c:\accelerator\output" - ``` - - ```pwsh - # Linux/Mac (adjust the paths to match your setup) - Deploy-Accelerator -inputs "/accelerator/config/inputs.yaml", "/accelerator/config/networking.yaml" -output "/accelerator/output" - ``` - -1. You will see a Terraform `init` and `apply` happen. -1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed. -1. If you are happy with the plan, then type `yes` and hit enter. -1. The Terraform will `apply` and your environment will be bootstrapped. - -## Next Steps - -Now head to [Phase 3][wiki_quick_start_phase_3]. - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_starter_modules]: %5BUser-Guide%5D-Starter-Modules "Wiki - Starter Modules" -[wiki_starter_module_bicep_complete]: %5BUser-Guide%5D-Starter-Module-Bicep-Complete "Wiki - Starter Modules - Bicep Complete" -[wiki_starter_module_terraform_basic]: %5BUser-Guide%5D-Starter-Module-Terraform-Basic "Wiki - Starter Modules - Terraform Basic" -[wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking" -[wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete" -[wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region" -[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone "Wiki - Starter Modules - Terraform Financial Services Industry Landing Zone" 
-[wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform Sovereign Landing Zone" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" -[example_powershell_inputs_github_bicep_complete]: examples/powershell-inputs/inputs-github-bicep-complete.yaml "Example - PowerShell Inputs - GitHub - Bicep - Complete" -[example_powershell_inputs_github_terraform_basic]: examples/powershell-inputs/inputs-github-terraform-basic.yaml "Example - PowerShell Inputs - GitHub - Terraform - Basic" -[example_powershell_inputs_github_terraform_hubnetworking]: examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml "Example - PowerShell Inputs - GitHub - Terraform - Hub Networking" -[example_powershell_inputs_github_terraform_complete]: examples/powershell-inputs/inputs-github-terraform-complete.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete" -[example_powershell_inputs_github_terraform_complete_multi_region]: examples/powershell-inputs/inputs-github-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete Multi Region" -[example_powershell_inputs_github_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - GitHub - Terraform - Financial Services Industry Landing Zone" -[example_powershell_inputs_github_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - GitHub - Terraform - Sovereign Landing Zone" diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md deleted file mode 100644 index 34cccf47..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2-Local.md +++ /dev/null 
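Review bot: the `github_personal_access_token` and `github_runners_personal_access_token` rows in both removed GitHub tables (2.2.2.1 and 2.2.2.2, in the GitHub quick start hunk that ends just above this file header) tell the reader to replace the placeholder in `inputs.yaml` with the PAT, and the only pointer to keeping secrets out of the file is the NOTE above each table saying environment variables "may be useful". If this guidance is carried into whatever replaces the page, have the token rows themselves point at the `TF_VAR_github_personal_access_token` environment variable route, so a PAT is not persisted to disk by default. Two smaller points from the same hunk: the run steps say you will see a Terraform `init` and `apply` and then describe a pause after the `plan` phase, which reads as a missing `plan` in the first step, and the Bicep `allow_storage_access_from_my_ip` row ("we'll remove the need to specify it later") is an open TODO in user-facing text that should not be copied forward as is.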
@@ -1,179 +0,0 @@ - -## 2.2.3 Local File System - -You can choose to bootstrap with `bicep` or `terraform` skip to the relevant section below to do that. - -Although you can just run `Deploy-Accelerator` and fill out the prompted inputs, we recommend creating an inputs file. This will make it easier to run the accelerator more than once in order to refine your preferred configuration. In the following docs, we'll show that approach, but if you want to be prompted for inputs, just go ahead and run `Deploy-Accelerator` now. - -### 2.2.3.1 Local File System with Bicep - -1. Create a new folder on your local drive called `accelerator`. -1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works. -1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`. - - ```pwsh - # Windows - New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force - New-Item -ItemType "directory" c:\accelerator\output - - # Linux/Mac - New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force - New-Item -ItemType "directory" /accelerator/output - ``` - - ```plaintext - 📂accelerator - ┣ 📂config - ┃ ┗ 📜inputs.yaml - ┗ 📂output - ``` - -1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from [inputs-local-bicep-complete.yaml][example_powershell_inputs_local_bicep_complete] into that file. -1. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets `<>`: - - >NOTE: The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don't wish to persist to a file. The `Env Var Prefix` denotes the prefix the environment variable should have. 
The environment variable is formatting is `_`, e.g. `env:ALZ_iac_type = "bicep"` or `env:TF_VAR_target_directory = "./accelerator/target"`. - - | Input | Env Var Prefix | Placeholder | Description | - | - | - | -- | --- | - | `iac_type` | `ALZ` | `bicep` | This is the choice of `bicep` or `terraform`. Keep this as `bicep` for this example. | - | `bootstrap_module_name` | `ALZ` | `alz_local` | This is the choice of Version Control System. Keep this as `alz_local` for this example. | - | `starter_module_name` | `ALZ` | `complete` | This is the choice of [Starter Modules][wiki_starter_modules], which is the baseline configuration you want for your Azure landing zone. Keep this as `complete` for this example. | - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `starter_locations` | `TF_VAR` | `[,]` | Replace `` and `` with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the `name` of the regions in and array, such as `["uksouth", "ukwest"]`. You can find a full list of names by running `az account list-locations -o table`. | - | `root_parent_management_group_id` | `TF_VAR` | `""` | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the `Tenant Root Group` management group, you leave this as an empty string `""` or supply the tenant id. | - | `subscription_id_management` | `TF_VAR` | `` | Replace `` with the id of the management subscription you created in the previous phase. | - | `subscription_id_identity` | `TF_VAR` | `` | Replace `` with the id of the identity subscription you created in the previous phase. 
| - | `subscription_id_connectivity` | `TF_VAR` | `` | Replace `` with the id of the connectivity subscription you created in the previous phase. | - | `target_directory` | `TF_VAR` | `""` | This is the directory where the ALZ module code will be created. This defaults a directory called `local-output` in the root of the accelerator output directory if not supplied. | - | `create_bootstrap_resources_in_azure` | `TF_VAR` | `true` | This determines whether the bootstrap will create the bootstrap resources in Azure. This defaults to `true`. | - | `bootstrap_subscription_id` | `TF_VAR` | `""` | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via `az login` will be used. In most cases this is the management subscription, but you can specifiy a separate subscription if you prefer. | - | `service_name` | `TF_VAR` | `alz` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg--mgmt-uksouth-001`. We recommend using `alz` for this. | - | `environment_name` | `TF_VAR` | `mgmt` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz--uksouth-001`. We recommend using `mgmt` for this. | - | `postfix_number` | `TF_VAR` | `1` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz-mgmt-uksouth-`. We recommend using `1` for this. | - | `grant_permissions_to_current_user` | `TF_VAR` | `true` | This determines whether the bootstrap will grant the current user permissions to the management group structure created by the accelerator. This defaults to `true` so that the starter module can be immediately deployed from the local file system. Set this to `false` if you itend to wire up CI/CD with your own provider. | - -1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done. 
- - [Bicep Complete Starter Module][wiki_starter_module_bicep_complete] -1. In your PowerShell Core (pwsh) terminal run the module: - - ```pwsh - # Windows (adjust the paths to match your setup) - Deploy-Accelerator -inputs "c:\accelerator\config\inputs.yaml" -output "c:\accelerator\output" - - # Linux/Mac (adjust the paths to match your setup) - Deploy-Accelerator -inputs "/accelerator/config/inputs.yaml" -output "/accelerator/output" - ``` - -1. You will see a Terraform `init` and `apply` happen. -1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed. -1. If you are happy with the plan, then type `yes` and hit enter. -1. The Terraform will `apply` and your environment will be bootstrapped. -1. You will find the output in the `/accelerator/output/local-output` folder if you didn't specifiy a different location for `target_directory`. - -### 2.2.3.2 Local File System with Terraform - -1. Create a new folder on you local drive called `accelerator`. -1. Inside the accelerator create two folders called `config` and `output`. You'll store you input file inside config and the output folder will be the place that the accelerator stores files while it works. -1. Inside the `config` folder create a new file called `inputs.yaml`. You can use `json` if you prefer, but our examples here are `yaml`. - - ```pwsh - # Windows - New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force - New-Item -ItemType "directory" c:\accelerator\output - - # Linux/Mac - New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force - New-Item -ItemType "directory" /accelerator/output - ``` - - ```plaintext - 📂accelerator - ┣ 📂config - ┃ ┗ 📜inputs.yaml - ┗ 📂output - ``` - -1. Open your `inputs.yaml` file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module: - 1. 
Complete Multi Region - [inputs-local-terraform-complete-multi-region.yaml][example_powershell_inputs_local_terraform_complete_multi_region] - 1. Financial Services Industry Landing Zone - [inputs-local-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_local_terraform_financial_service_industry_landing_zone] - 1. Sovereign Landing Zone - [inputs-local-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_local_terraform_sovereign_landing_zone] - 1. Basic - [inputs-local-terraform-basic.yaml][example_powershell_inputs_local_terraform_basic] - 1. Hub Networking - [inputs-local-terraform-hubnetworking.yaml][example_powershell_inputs_local_terraform_hubnetworking] - 1. Complete - [inputs-local-terraform-complete.yaml][example_powershell_inputs_local_terraform_complete] - -1. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets `<>`: - - >NOTE: The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don't wish to persist to a file. The `Env Var Prefix` denotes the prefix the environment variable should have. The environment variable is formatting is `_`, e.g. `env:ALZ_iac_type = "terraform"` or `env:TF_VAR_target_directory = "./accelerator/target"`. - - | Input | Env Var Prefix | Placeholder | Description | - | - | - | -- | --- | - | `iac_type` | `ALZ` | `terraform` | This is the choice of `bicep` or `terraform`. Keep this as `terraform` for this example. | - | `bootstrap_module_name` | `ALZ` | `alz_local` | This is the choice of Version Control System. Keep this as `alz_local` for this example. | - | `starter_module_name` | `ALZ` | `complete_multi_region` | This is the choice of [Starter Modules][wiki_starter_modules], which is the baseline configuration you want for your Azure landing zone. Choose `complete_multi_region`, `complete`, `hubnetworking` or `basic` for this example. 
| - | `bootstrap_location` | `TF_VAR` | `` | Replace `` with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the `name` of the region, such as `uksouth`. You can find a full list of names by running `az account list-locations -o table`. | - | `starter_locations` | `TF_VAR` | `[,]` | Replace `` and `` with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the `name` of the regions in and array, such as `["uksouth", "ukwest"]`. You can find a full list of names by running `az account list-locations -o table`. | - | `root_parent_management_group_id` | `TF_VAR` | `""` | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the `Tenant Root Group` management group, you leave this as an empty string `""` or supply the tenant id. | - | `subscription_id_management` | `TF_VAR` | `` | Replace `` with the id of the management subscription you created in the previous phase. | - | `subscription_id_identity` | `TF_VAR` | `` | Replace `` with the id of the identity subscription you created in the previous phase. | - | `subscription_id_connectivity` | `TF_VAR` | `` | Replace `` with the id of the connectivity subscription you created in the previous phase. | - | `target_directory` | `TF_VAR` | `""` | This is the directory where the ALZ module code will be created. This defaults a directory called `local-output` in the root of the accelerator output directory if not supplied. | - | `create_bootstrap_resources_in_azure` | `TF_VAR` | `true` | This determines whether the bootstrap will create the bootstrap resources in Azure. This defaults to `true`. | - | `bootstrap_subscription_id` | `TF_VAR` | `""` | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via `az login` will be used. 
In most cases this is the management subscription, but you can specifiy a separate subscription if you prefer. | - | `service_name` | `TF_VAR` | `alz` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg--mgmt-uksouth-001`. We recommend using `alz` for this. | - | `environment_name` | `TF_VAR` | `mgmt` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz--uksouth-001`. We recommend using `mgmt` for this. | - | `postfix_number` | `TF_VAR` | `1` | This is used to build up the names of your Azure and Azure DevOps resources, for example `rg-alz-mgmt-uksouth-`. We recommend using `1` for this. | - | `grant_permissions_to_current_user` | `TF_VAR` | `true` | This determines whether the bootstrap will grant the current user permissions to the management group structure and stroage account created by the accelerator. This defaults to `true` so that the starter module can be immediately deployed from the local file system. Set this to `false` if you itend to wire up CI/CD with your own provider. | - | `architecture_definition_name` | `TF_VAR` | N/A | This is the name of the architecture definition to use when applying the ALZ archetypes via the architecture definition template. This is only relevant to some starter modules, such as the `sovereign_landing_zone` starter module. This defaults to `null`. | - -1. Now head over to your chosen starter module documentation to get the specific inputs for that module. Come back here when you are done. - - [Terraform Complete Multi Region Starter Module][wiki_starter_module_terraform_complete_multi_region]: Management groups, policies, Multi Region hub networking with fully custom configuration. - - [Terraform Financial Services Industry Landing Zone Starter Module][wiki_starter_module_terraform_financial_services_industry_landing_zone]: Management groups, policies, hub networking for the Financial Services Industry Landing Zone. 
- - [Terraform Sovereign Landing Zone Starter Module][wiki_starter_module_terraform_sovereign_landing_zone]: Management groups, policies, hub networking for the Sovereign Landing Zone. - - [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies. - - [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking. - - [Terraform Complete Starter Module][wiki_starter_module_terraform_complete]: Management groups, policies, hub networking with fully custom configuration. - -1. In your PowerShell Core (pwsh) terminal run the module: - - >NOTE: The following examples include 2 input files. This is the recommended approach for the `complete_multi_region` starter module. However, all inputs can be combined into a single file if desired and other starter modules only require a single input file. - - ```pwsh - # Windows (adjust the paths to match your setup) - Deploy-Accelerator -inputs "c:\accelerator\config\inputs.yaml", "c:\accelerator\config\networking.yaml" -output "c:\accelerator\output" - ``` - - ```pwsh - # Linux/Mac (adjust the paths to match your setup) - Deploy-Accelerator -inputs "/accelerator/config/inputs.yaml", "/accelerator/config/networking.yaml" -output "/accelerator/output" - ``` - -1. You will see a Terraform `init` and `apply` happen. -1. There will be a pause after the `plan` phase you allow you to validate what is going to be deployed. -1. If you are happy with the plan, then type `yes` and hit enter. -1. The Terraform will `apply` and your environment will be bootstrapped. -1. You will find the output in the `/accelerator/output/local-output` folder if you didn't specifiy a different location for `target_directory`. - -## Next Steps - -Now head to [Phase 3][wiki_quick_start_phase_3]. 
- - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_starter_modules]: %5BUser-Guide%5D-Starter-Modules "Wiki - Starter Modules" -[wiki_starter_module_bicep_complete]: %5BUser-Guide%5D-Starter-Module-Bicep-Complete "Wiki - Starter Modules - Bicep Complete" -[wiki_starter_module_terraform_basic]: %5BUser-Guide%5D-Starter-Module-Terraform-Basic "Wiki - Starter Modules - Terraform Basic" -[wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking" -[wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete" -[wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region" -[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone "Wiki - Starter Modules - Terraform Financial Services Industry Landing Zone" -[wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform Sovereign Landing Zone" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" -[example_powershell_inputs_local_bicep_complete]: examples/powershell-inputs/inputs-local-bicep-complete.yaml "Example - PowerShell Inputs - Local - Bicep - Complete" -[example_powershell_inputs_local_terraform_basic]: examples/powershell-inputs/inputs-local-terraform-basic.yaml "Example - PowerShell Inputs - Local - Terraform - Basic" -[example_powershell_inputs_local_terraform_hubnetworking]: examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Local - Terraform - Hub Networking" 
-[example_powershell_inputs_local_terraform_complete]: examples/powershell-inputs/inputs-local-terraform-complete.yaml "Example - PowerShell Inputs - Local - Terraform - Complete" -[example_powershell_inputs_local_terraform_complete_multi_region]: examples/powershell-inputs/inputs-local-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Local - Terraform - Complete Multi Region" -[example_powershell_inputs_local_terraform_financial_service_industry_landing_zone]: examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Financial Services Industry Landing Zone" -[example_powershell_inputs_local_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Sovereign Landing Zone" diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-2.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-2.md deleted file mode 100644 index c76e7936..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-2.md +++ /dev/null 
@@ -1,41 +0,0 @@ - -Phase 2 of the accelerator is to run the bootstrap. Follow the steps below to do that. - -## 2.1 Install the ALZ PowerShell module - -The ALZ PowerShell module is used to run the bootstrap phase. It is available on the [PowerShell Gallery](https://www.powershellgallery.com/packages/ALZ/). You can install it using the following steps: - -1. Open a PowerShell Core (pwsh) terminal. -2. Check if you already have the ALZ module installed by runnung `Get-InstalledModule -Name ALZ`. You'll see something like this if it is already installed: - -```powershell -Version Name Repository Description -------- ---- ---------- ----------- -1.0.0 ALZ PSGallery Azure Landing Zones Powershell Module -``` - -3. If the module is already installed, run `Update-Module -Name ALZ` to ensure you have the latest version. -4. If the module is not installed, run `Install-Module -Name ALZ`. - -## 2.2 Run the Bootstrap - -You are now ready to run the bootstrap and setup your environment. If you want to use custom names for your resources or automate the bootstrap, please refer to our [FAQs](https://github.com/Azure/alz-terraform-accelerator/wiki/Frequently-Asked-Questions) section. - -The inputs differ depending on the version control system and infrastructure as code tooling you have chosen. Click through to the relevant page for detailed instructions: - -- [Azure DevOps][wiki_quick_start_phase_2_azure_devops] -- [GitHub][wiki_quick_start_phase_2_github] -- [Local file system][wiki_quick_start_phase_2_local] - -## Next Steps - -Once the steps in the VCS specific section are completed, head to [Phase 3][wiki_quick_start_phase_3]. 
- - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_quick_start_phase_2_azure_devops]: %5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps "Wiki - Quick Start - Phase 2 - Azure DevOps" -[wiki_quick_start_phase_2_github]: %5BUser-Guide%5D-Quick-Start-Phase-2-GitHub "Wiki - Quick Start - Phase 2 - GitHub" -[wiki_quick_start_phase_2_local]: %5BUser-Guide%5D-Quick-Start-Phase-2-Local "Wiki - Quick Start - Phase 2 - Local" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" diff --git a/docs/wiki/[User-Guide]-Quick-Start-Phase-3.md b/docs/wiki/[User-Guide]-Quick-Start-Phase-3.md deleted file mode 100644 index 97ecb320..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start-Phase-3.md +++ /dev/null 
@@ -1,68 +0,0 @@ - -Phase 3 of the accelerator is to run pipeline. Follow the steps below to do that. - -## 3.1 Deploy the Landing Zone - -Now you have created your bootstrapped environment you can deploy you Azure landing zone by triggering the continuous delivery pipeline in your version control system. - -> [!NOTE] -> If you encounter permission errors while running the pipelines, please note that it may take some time for permissions to fully propagate. Although the pipelines include retry logic to manage this, it can sometimes take up to 30 minutes for the permissions to take effect. - -### 3.1.1 Azure DevOps - -1. Navigate to [dev.azure.com](https://dev.azure.com) and sign in to your organization. -1. Navigate to your project. -1. Click `Pipelines` in the left navigation. -1. Click the `02 Azure Landing Zones Continuous Delivery` pipeline. -1. Click `Run pipeline` in the top right. -1. Take the defaults and click `Run`. -1. Your pipeline will run a `plan`. -1. If you provided `apply_approvers` to the bootstrap, it will prompt you to approve the `apply` stage. -1. Your pipeline will run an `apply` and deploy an Azure landing zone based on the starter module you choose. - -### 3.1.2 GitHub - -1. Navigate to [github.com](https://github.com). -1. Navigate to your repository. -1. Click `Actions` in the top navigation. -1. Click the `02 Azure Landing Zones Continuous Delivery` pipeline in the left navigation. -1. Click `Run workflow` in the top right, then keep the default branch and click `Run workflow`. -1. Your pipeline will run a `plan`. -1. If you provided `apply_approvers` to the bootstrap, it will prompt you to approve the `apply` job. -1. Your pipeline will run an `apply` and deploy an Azure landing zone based on the starter module you choose. - -### 3.1.3 Local file system - -Follow the steps below to deploy the landing zone locally. If you want to hook it up to you custom version control system, follow their documentation on how to that. 
- -#### 3.1.3.1 Bicep - -The Bicep option outputs a `deploy-local.ps1` file that you can use to deploy the ALZ. - ->NOTE: If you set the `grant_permissions_to_current_user` input to `false` in the bootstrap, you will need to set permissions on your management group and subscriptions before the commands will succeed. - -1. Ensure you have the latest versions of the [AZ PowerShell Module](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell) and [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install) installed. -1. Open a new PowerShell Core (pwsh) terminal or use the one you already have open. -1. Navigate to the directory shown in the `module_output_directory_path` output from the bootstrap. -1. Login to Azure using `Connect-AzAccount -TenantId 00000000-0000-0000-0000-000000000000 -SubscriptionId 00000000-0000-0000-0000-000000000000`. -1. (Optional) Examine the `./scripts/deploy-local.ps1` to understand what it is doing. -1. Run `./scripts/deploy-local.ps1`. -1. A what if will run and then you'll be prompted to check it and run the deploy. -1. Type `yes` and hit enter to run the deploy. -1. The ALZ will now be deployed, this may take some time. - -#### 3.1.3.2 Terraform - -The Terraform option outputs a `deploy-local.ps1` file that you can use to deploy the ALZ. - ->NOTE: If you set the `grant_permissions_to_current_user` input to `false` in the bootstrap, you will need to set permissions on your management group, subscriptions and storage account before the commands will succeed. - -1. Open a new PowerShell Core (pwsh) terminal or use the one you already have open. -1. Navigate to the directory shown in the `module_output_directory_path` output from the bootstrap. -1. (Optional) Ensure you are still logged in to Azure using `az login --tenant 00000000-0000-0000-0000-000000000000`. -1. (Optional) Connect to your target subscription using `az account set --subscription 00000000-0000-0000-0000-000000000000`. -1. 
(Optional) Examine the `./scripts/deploy-local.ps1` to understand what it is doing. -1. Run `./scripts/deploy-local.ps1`. -1. A plan will run and then you'll be prompted to check it and run the deploy. -1. Type `yes` and hit enter to run the deploy. -1. The ALZ will now be deployed, this may take some time. diff --git a/docs/wiki/[User-Guide]-Quick-Start.md b/docs/wiki/[User-Guide]-Quick-Start.md deleted file mode 100644 index a20c98f4..00000000 --- a/docs/wiki/[User-Guide]-Quick-Start.md +++ /dev/null 
@@ -1,28 +0,0 @@ - -## Introduction - -The quick start guide takes you through the steps to prepare your pre-requisites and then run the PowerShell module. - -The accelerator bootstraps a continuous delivery environment for you. It supports both the Azure DevOps and GitHub version control system (VCS). It uses the [ALZ](https://www.powershellgallery.com/packages/ALZ) PowerShell module to gather required user input and apply a Terraform module to configure the bootstrap environment. - -The accelerator follows a 3 phase approach: - -- [Quick Start Phase 1][wiki_quick_start_phase_1]: Instructions to configure credentials and subscriptions. -- [Quick Start Phase 2][wiki_quick_start_phase_2]: Run the PowerShell script to generate the continuous delivery environment. -- [Quick Start Phase 3][wiki_quick_start_phase_3]: Update the module (if needed) to suit the needs of your organisation and deploy via continuous delivery. - -![Azure landing zone accelerator process][alz_accelerator_overview] - - [//]: # (*****************************) - [//]: # (INSERT IMAGE REFERENCES BELOW) - [//]: # (*****************************) - -[alz_accelerator_overview]: media/alz-terraform-acclerator.png "A process flow showing the areas covered by the Azure landing zones Terraform accelerator." - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_quick_start_phase_1]: %5BUser-Guide%5D-Quick-Start-Phase-1 "Wiki - Quick Start - Phase 1" -[wiki_quick_start_phase_2]: %5BUser-Guide%5D-Quick-Start-Phase-2 "Wiki - Quick Start - Phase 2" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" diff --git a/docs/wiki/[User-Guide]-Starter-Module-Bicep-Complete.md b/docs/wiki/[User-Guide]-Starter-Module-Bicep-Complete.md deleted file mode 100644 index e738cb48..00000000 --- a/docs/wiki/[User-Guide]-Starter-Module-Bicep-Complete.md +++ /dev/null 
@@ -1,26 +0,0 @@ - -The `complete` starter module is currently the only option available for Bicep. - -The following table describes the inputs required for the `complete` starter module. - -| Input | Placeholder | Description | -| - | -- | --- | -| `Prefix` | `landing-zone` | This is the defaut prefix for names of resources and management groups. | -| `SecondaryLocation` | `westus2` | The secondary location for the landing zone. Only used if the `networkType` has a multi-region configuration specified. | -| `Environment` | `live` | The environment name for the landing zone. This can be any lower case string. (e.g. `live` or `canary`) | -| `networkType` | `hubNetworking` | The type of network configuration to deploy. Currently only `hubNetworking`, `hubNetworkingMultiRegion`, `vwanConnectivity,` `vwanConnectivityMultiRegion` or `none` are supported. | -| `SecurityContact` | `` | The email address of the security contact for the landing zone. | - -Example input files can be found here: - -- [inputs-azure-devops-bicep-complete.yaml][example_powershell_inputs_azure_devops_bicep_complete] -- [inputs-github-bicep-complete.yaml][example_powershell_inputs_github_bicep_complete] -- [inputs-local-bicep-complete.yaml][example_powershell_inputs_local_bicep_complete] - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[example_powershell_inputs_azure_devops_bicep_complete]: examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Bicep - Complete" -[example_powershell_inputs_github_bicep_complete]: examples/powershell-inputs/inputs-github-bicep-complete.yaml "Example - PowerShell Inputs - GitHub - Bicep - Complete" -[example_powershell_inputs_local_bicep_complete]: examples/powershell-inputs/inputs-local-bicep-complete.yaml "Example - PowerShell Inputs - Local - Bicep - Complete" 
diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Basic.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Basic.md deleted file mode 100644 index cfe9c47b..00000000 --- a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Basic.md +++ /dev/null @@ -1,23 +0,0 @@ - -The `basic` starter module deploys the management group hierarchy, management resources and policies only. - -Example input files can be found here: - -- [inputs-azure-devops-terraform-basic.yaml][example_powershell_inputs_azure_devops_terraform_basic] -- [inputs-github-terraform-basic.yaml][example_powershell_inputs_github_terraform_basic] -- [inputs-local-terraform-basic.yaml][example_powershell_inputs_local_terraform_basic] - -The following table describes the inputs required for the `basic` starter module. - -| Input | Placeholder | Description | -| - | -- | --- | -| `root_id` | `` | This is the prefix for the ID of management groups. | -| `root_name` | `` | This is the prefix for the name of management groups. | - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[example_powershell_inputs_azure_devops_terraform_basic]: examples/powershell-inputs/inputs-azure-devops-terraform-basic.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Basic" -[example_powershell_inputs_github_terraform_basic]: examples/powershell-inputs/inputs-github-terraform-basic.yaml "Example - PowerShell Inputs - GitHub - Terraform - Basic" -[example_powershell_inputs_local_terraform_basic]: examples/powershell-inputs/inputs-local-terraform-basic.yaml "Example - PowerShell Inputs - Local - Terraform - Basic" diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete-Multi-Region.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete-Multi-Region.md deleted file mode 100644 index baa1564d..00000000 --- a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete-Multi-Region.md +++ /dev/null 
@@ -1,92 +0,0 @@ - -The `complete_multi_region` starter module provides full customization of the Azure Landing Zone. It is multi-regional by default and can support 1 or more regions. - -The ALZ PowerShell Module can accept multiple input files and we recommend using a separate file for the `complete_multi_region` starter module. This allows you to more easily manage and maintain your configuration files. - -## Inputs - -The following tables describe the inputs required for the `complete_multi_region` starter module. Depending on you choice of networking technology, you will need to supply the relevant inputs. - -### Shared Inputs - -| Input | Placeholder | Description | -| - | -- | --- | -| `management_settings_es` | `{}` | This is the management resource configuration for the ES (Enterprise Scale) versions of the management modules. Full details of the inputs can be seen [here](https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest) | -| `connectivity_type` | `hub_and_spoke_vnet` | This is the choice of networking technology. Allowed values are `hub_and_spoke_vnet`, `virtual_wan` or `none`. | -| `connectivity_resource_groups` | `{}` | The resource groups used by the connectivity resources must be specified here. See the example files for usage. | -| ~~`management_use_avm`~~ | `false` | [NOTE: This variable will be implemented in a future version, setting to `true` will result in an error] This input is to specify to use the AVM (Azure Verified Modules) versions of the management modules. Defaults to `false`. | -| ~~`management_settings_avm`~~ | `{}` | [NOTE: This variable will be implemented in a future version] This is the management resource configuration for the AVM (Azure Verified Modules) versions of the management modules. 
| - -### Hub and Spoke Virtual Network Inputs - -| Input | Placeholder | Description | -| - | -- | --- | -| `hub_and_spoke_vnet_settings` | `{}` | This is for configuring global resources, such as the DDOS protection plan. See the example files for usage. | -| `hub_and_spoke_vnet_virtual_networks` | `{}` | This is the details configuration of each region for the hub networks. There are three top level components for each region: `hub_virtual_network`, `virtual_network_gateways` and `private_dns_zones`. Detailed information for `hub_virtual_network` inputs can be found [here](https://registry.terraform.io/modules/Azure/avm-ptn-hubnetworking). Detailed information for `virtual_network_gateways` can be found [here](https://registry.terraform.io/modules/Azure/avm-ptn-vnetgateway/azurerm/latest). See the example files for usage. | - -### Virtual WAN Inputs - -| Input | Placeholder | Description | -| - | -- | --- | -| `virtual_wan_settings` | `{}` | This is for configuring global resources, such as the Virtual WAN and DDOS protection plan. See the example files for usage. | -| `virtual_wan_virtual_hubs` | `{}` | This is the details configuration of each region for the virtual hubs. There are three top level components for each region: `hub`, `firewall` and `private_dns_zones`. Detailed information for `hub` and `firewall` inputs can be found [here](https://registry.terraform.io/modules/Azure/avm-ptn-virtualwan/azurerm/latest). See the example files for usage. 
| - -Example ALZ PowerShell input files can be found here: - -- [inputs-azure-devops-terraform-complete-multi-region.yaml][example_powershell_inputs_azure_devops_terraform_complete_multi_region] -- [inputs-github-terraform-complete-multi-region.yaml][example_powershell_inputs_github_terraform_complete_multi_region] -- [inputs-local-terraform-complete-multi-region.yaml][example_powershell_inputs_local_terraform_complete_multi_region] - -Example network technology specific input files can be found here: - -- Multi region hub and spoke virtual network: [config-hub-and-spoke-vnet-multi-region.yaml][example_starter_module_complete_config_hub_spoke_multi_region] -- Multi region virtual WAN: [config-virtual-wan-multi-region.yaml][example_starter_module_complete_config_vwan_multi_region] -- Single region hub and spoke virtual network: [config-hub-and-spoke-vnet-single-region.yaml][example_starter_module_complete_config_hub_spoke_single_region] -- Single region virtual WAN: [config-virtual-wan-single-region.yaml][example_starter_module_complete_config_vwan_single_region] - -## Further details on the Complete Multi Region Starter Module and config file - -The example config files have helpful templated variables such as `starter_location_##` and `root_parent_management_group_id` which get prompted for during the ALZ PowerShell Module run. Alternatively, you can opt to not use the templated variables and hard-code the values in your config file. - -> **Note:** We currently use the `caf-enterprise-scale` module for management groups and policies, and the Azure Verified Modules for connectivity resources. - -### High Level Design - -![Alt text](./media/starter-module-hubnetworking.png) - -### Terraform Modules - -The following modules are composed together in the `complete_multi_region` starter module. - -#### `caf-enterprise-scale` - -The `caf-enterprise-scale` module is used to deploy the management group hierarchy, policy assignments and management resources. 
For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale). - -#### `avm-ptn-hubnetworking` - -The `avm-ptn-hubnetworking` module is used to deploy connectivity resources such as Virtual Networks and Firewalls. -This module can be extended to deploy multiple Virtual Networks at scale, Route Tables, and Resource Locks. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-hu). - -#### `avm-ptn-vnetgateway` - -The `avm-ptn-vnetgateway` module is used to deploy a Virtual Network Gateway inside your Virtual Network. Further configuration can be added (depending on requirements) to deploy Local Network Gateways, configure Virtual Network Gateway Connections, deploy ExpressRoute Gateways, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway). - -#### `avm-ptn-vwan` - -The `avm-ptn-vwan` module is used to deploy a Virtual WAN. Further configuration can be added (depending on requirements) to deploy VPN Sites, configure VPN Connections, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vwan). - -#### `avm-ptn-network-private-link-private-dns-zones` - -The `avm-ptn-network-private-link-private-dns-zones` module is used to deploy Private DNS Zones for Private Link Services. Further configuration can be added depending on requirements. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-network-private-link-private-dns-zones). 
- - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[example_starter_module_complete_config_hub_spoke_single_region]: examples/starter-module-config/complete-multi-region/config-hub-and-spoke-vnet-single-region.yaml "Example - Starter Module Config - Complete - Hub and Spoke VNet Single Region" -[example_starter_module_complete_config_vwan_single_region]: examples/starter-module-config/complete-multi-region/config-virtual-wan-single-region.yaml "Example - Starter Module Config - Complete - Virtual WAN Single Region" -[example_starter_module_complete_config_hub_spoke_multi_region]: examples/starter-module-config/complete-multi-region/config-hub-and-spoke-vnet-multi-region.yaml "Example - Starter Module Config - Complete - Hub and Spoke VNet Multi Region" -[example_starter_module_complete_config_vwan_multi_region]: examples/starter-module-config/complete-multi-region/config-virtual-wan-multi-region.yaml "Example - Starter Module Config - Complete - Virtual WAN Multi Region" -[example_powershell_inputs_azure_devops_terraform_complete_multi_region]: examples/powershell-inputs/inputs-azure-devops-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete Multi Region" -[example_powershell_inputs_github_terraform_complete_multi_region]: examples/powershell-inputs/inputs-github-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete Multi Region" -[example_powershell_inputs_local_terraform_complete_multi_region]: examples/powershell-inputs/inputs-local-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Local - Terraform - Complete Multi Region" diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete-VNext.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete-VNext.md deleted file mode 100644 index 658a3452..00000000 
--- a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete-VNext.md +++ /dev/null 
@@ -1,69 +0,0 @@ - -> **WARNING:** The Complete vNext starter module is a work in progress. Do not use this for any production workloads. - -The `complete_vnext` starter module provides full customization of the Azure Landing Zone using the `config.yaml` file. The `config.yaml` file provides the ability to enable and disable modules, configure module inputs and outputs, and configure module resources. -A custom `config.yaml` file can be passed to the `configuration_file_path` argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it. - -If not specified, the default `config.yaml` file will be used, which can be seen [here](https://github.com/Azure/alz-terraform-accelerator/blob/main/templates/complete_vnext/config.yaml). - -Example input files can be found here: - -- [inputs-azure-devops-terraform-complete_vnext.yaml][example_powershell_inputs_azure_devops_terraform_complete_vnext] -- [inputs-github-terraform-complete_vnext.yaml][example_powershell_inputs_github_terraform_complete_vnext] -- [inputs-local-terraform-complete_vnext.yaml][example_powershell_inputs_local_terraform_complete_vnext] - -The following table describes the inputs required for the `complete_vnext` starter module. - -| Input | Placeholder | Description | -| - | -- | --- | -| `configuration_file_path` | `` | This is the absolute path to the configuration file. E.g. `c:\my-config\config.yaml` or `~/my-config/config.yaml`. For YAML on Windows you will need to escape the `\`, i.e. `c:\\my-config\\config.yaml`. | -| `default_postfix` | `` | This is the default postfix used for resource names. | - -## Further details on the Complete Starter Module and config file - -The `config.yaml` file also comes with helpful templated variables such as `default_location` and `root_parent_management_group_id` which get prompted for during the ALZ PowerShell Module run. 
Alternatively, you can opt to not use the templated variables and hard-code the values in the `config.yaml` file. - -> **Note:** We recommend that you use the `caf-enterprise-scale` module for management groups and policies, and the `hubnetworking` module for connectivity resources. However, connectivity resources can be deployed using the `caf-enterprise-scale` module if you desire. - -The schema for the `config.yaml` is documented here - [Configuration YAML Schema][wiki_yaml_schema_reference]. - -### High Level Design - -![Alt text](./media/starter-module-hubnetworking.png) - -### Terraform Modules - -#### `caf-enterprise-scale` - -The `caf-enterprise-scale` module is used to deploy the management group hierarchy, policy assignments and management resources. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale). - -#### `hubnetworking` - -The `hubnetworking` module is used to deploy connectivity resources such as Virtual Networks and Firewalls. -This module can be extended to deploy multiple Virtual Networks at scale, Route Tables, and Resource Locks. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-hubnetworking). - -#### `avm-ptn-vnetgateway` - -The `avm-ptn-vnetgateway` module is used to deploy a Virtual Network Gateway inside your Virtual Network. Further configuration can be added (depending on requirements) to deploy Local Network Gateways, configure Virtual Network Gateway Connections, deploy ExpressRoute Gateways, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway). - -#### `avm-ptn-vwan` - -The `avm-ptn-vwan` module is used to deploy a Virtual WAN. Further configuration can be added (depending on requirements) to deploy VPN Sites, configure VPN Connections, and more. 
Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vwan). - -#### Design your Azure Landing Zone through a custom config file - -Create a custom yaml config to tailor to your needs, for example an Azure Landing Zone with a three-region mesh: - -- Example config file for hub and spoke: [config-hub-spoke.yaml][example_starter_module_complete_vnext_config_hub_spoke] -- Example config file for Virtual WAN: [config-vwan.yaml][example_starter_module_complete_vnext_config_vwan] - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_yaml_schema_reference]: %5BUser-Guide%5D-YAML-Schema-Reference "Wiki - YAML Schema Reference" -[example_starter_module_complete_vnext_config_hub_spoke]: examples/starter-module-config/complete_vnext/config-hub-spoke.yaml "Example - Starter Module Config - Complete - Hub and Spoke" -[example_starter_module_complete_vnext_config_vwan]: examples/starter-module-config/complete_vnext/config-vwan.yaml "Example - Starter Module Config - Complete - Virtual WAN" -[example_powershell_inputs_azure_devops_terraform_complete_vnext]: examples/powershell-inputs/inputs-azure-devops-terraform-complete_vnext.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete vNext" -[example_powershell_inputs_github_terraform_complete_vnext]: examples/powershell-inputs/inputs-github-terraform-complete_vnext.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete vNext" -[example_powershell_inputs_local_terraform_complete_vnext]: examples/powershell-inputs/inputs-local-terraform-complete_vnext.yaml "Example - PowerShell Inputs - Local - Terraform - Complete vNext" diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete.md deleted file mode 100644 index 89ed89d4..00000000 --- a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Complete.md +++ /dev/null 
@@ -1,67 +0,0 @@ - -The `complete` starter module provides full customization of the Azure Landing Zone using the `config.yaml` file. The `config.yaml` file provides the ability to enable and disable modules, configure module inputs and outputs, and configure module resources. -A custom `config.yaml` file can be passed to the `configuration_file_path` argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it. - -If not specified, the default `config.yaml` file will be used, which can be seen [here](https://github.com/Azure/alz-terraform-accelerator/blob/main/templates/complete/config.yaml). - -Example input files can be found here: - -- [inputs-azure-devops-terraform-complete.yaml][example_powershell_inputs_azure_devops_terraform_complete] -- [inputs-github-terraform-complete.yaml][example_powershell_inputs_github_terraform_complete] -- [inputs-local-terraform-complete.yaml][example_powershell_inputs_local_terraform_complete] - -The following table describes the inputs required for the `complete` starter module. - -| Input | Placeholder | Description | -| - | -- | --- | -| `configuration_file_path` | `` | This is the absolute path to the configuration file. E.g. `c:\my-config\config.yaml` or `~/my-config/config.yaml`. For YAML on Windows you will need to escape the `\`, i.e. `c:\\my-config\\config.yaml`. | -| `default_postfix` | `` | This is the default postfix used for resource names. | - -## Further details on the Complete Starter Module and config file - -The `config.yaml` file also comes with helpful templated variables such as `starter_location` and `root_parent_management_group_id` which get prompted for during the ALZ PowerShell Module run. Alternatively, you can opt to not use the templated variables and hard-code the values in the `config.yaml` file. 
- -> **Note:** We recommend that you use the `caf-enterprise-scale` module for management groups and policies, and the `hubnetworking` module for connectivity resources. However, connectivity resources can be deployed using the `caf-enterprise-scale` module if you desire. - -The schema for the `config.yaml` is documented here - [Configuration YAML Schema][wiki_yaml_schema_reference]. - -### High Level Design - -![Alt text](./media/starter-module-hubnetworking.png) - -### Terraform Modules - -#### `caf-enterprise-scale` - -The `caf-enterprise-scale` module is used to deploy the management group hierarchy, policy assignments and management resources. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale). - -#### `hubnetworking` - -The `hubnetworking` module is used to deploy connectivity resources such as Virtual Networks and Firewalls. -This module can be extended to deploy multiple Virtual Networks at scale, Route Tables, and Resource Locks. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-hubnetworking). - -#### `avm-ptn-vnetgateway` - -The `avm-ptn-vnetgateway` module is used to deploy a Virtual Network Gateway inside your Virtual Network. Further configuration can be added (depending on requirements) to deploy Local Network Gateways, configure Virtual Network Gateway Connections, deploy ExpressRoute Gateways, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway). - -#### `avm-ptn-vwan` - -The `avm-ptn-vwan` module is used to deploy a Virtual WAN. Further configuration can be added (depending on requirements) to deploy VPN Sites, configure VPN Connections, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vwan). 
- -#### Design your Azure Landing Zone through a custom config file - -Create a custom yaml config to tailor to your needs, for example an Azure Landing Zone with a three-region mesh: - -- Example config file for hub and spoke: [config-hub-spoke.yaml][example_starter_module_complete_config_hub_spoke] -- Example config file for Virtual WAN: [config-vwan.yaml][example_starter_module_complete_config_vwan] - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_yaml_schema_reference]: %5BUser-Guide%5D-YAML-Schema-Reference "Wiki - YAML Schema Reference" -[example_starter_module_complete_config_hub_spoke]: examples/starter-module-config/complete/config-hub-spoke.yaml "Example - Starter Module Config - Complete - Hub and Spoke" -[example_starter_module_complete_config_vwan]: examples/starter-module-config/complete/config-vwan.yaml "Example - Starter Module Config - Complete - Virtual WAN" -[example_powershell_inputs_azure_devops_terraform_complete]: examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete" -[example_powershell_inputs_github_terraform_complete]: examples/powershell-inputs/inputs-github-terraform-complete.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete" -[example_powershell_inputs_local_terraform_complete]: examples/powershell-inputs/inputs-local-terraform-complete.yaml "Example - PowerShell Inputs - Local - Terraform - Complete" diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone.md deleted file mode 100644 index a5d907ab..00000000 --- a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone.md +++ /dev/null 
@@ -1,380 +0,0 @@ - -The `financial_services_landing_zone` starter module provides full customization of the Financial Services Industry Landing Zone (FSILZ) using the `inputs.yaml` file. The `inputs.yaml` file provides the ability to enable and disable modules, configure module inputs and outputs, and configure module resources. -A custom `inputs.yaml` file can be passed to the `inputs` argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it. - -The default `inputs.yaml` file will need to be modified based on the documentation below. - -Example input files can be found here: - -- [inputs-azure-devops-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone] -- [inputs-github-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_github_terraform_financial_services_industry_landing_zone] -- [inputs-local-terraform-financial-services-landing-zone.yaml][example_powershell_inputs_local_terraform_financial_services_industry_landing_zone] - -The following table describes the inputs for the `financial_services_landing_zone` starter module. - -| Input | Required | Type | Default Value | Description | -| - | -- | --- | ---- | ----- | -| `allowed_locations` | Required | List | | This is a list of Azure regions all workloads running outside of the Confidential Management Group scopes are allowed to be deployed into. | -| `allowed_locations_for_confidential_computing` | Required | List | | This is a list of Azure regions all workloads running inside of the Confidential Management Group scopes are allowed to be deployed into. | -| `az_firewall_policies_enabled` | | Boolean | `true` | Set to `true` to deploy a default Azure Firewall Policy resource if `enable_firewall` is also `true`. 
| -| `apply_alz_archetypes_via_architecture_definition_template` | | Boolean | `true` | This controls whether to apply the ALZ archetypes (polcy assignments) to the Financial Services Industry Landing Zone deployment. | -| `bastion_outbound_ssh_rdp_ports` | | List | `["22", "3389"]` | List of outbound remote access ports to enable on the Azure Bastion NSG if `deploy_bastion` is also `true`. | -| `custom_subnets` | | Map | See `inputs.yaml` for default object. | Map of subnets and their configurations to create within the hub network. | -| `customer` | | String | `"Country/Region"` | Customer name to use when branding the compliance dashboard. | -| `customer_policy_sets` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy initiatives to apply alongside the Financial Services Industry Landing Zone | -| `default_postfix` | Required | String | | Postfix value to append to all resources. | -| `default_prefix` | | String | | Prefix value to append to all resources. | -| `deploy_bastion` | | Boolean | `true` | Set to `true` to deploy Azure Bastion within the hub network. | -| `deploy_ddos_protection` | | Boolean | `true` | Set to `true` to deploy Azure DDoS Protection within the hub network. | -| `deploy_hub_network` | | Boolean | `true` | Set to `true` to deploy the hub network. | -| `deploy_log_analytics_workspace` | | Boolean | `true` | Set to `true` to deploy Azure Log Analytics Workspace. | -| `enable_firewall` | | Boolean | `true` | Set to `true` to deploy Azure Firewall within the hub network. | -| `enable_telemetry` | | Boolean | `true` | Set to `false` to opt out of telemetry tracking. We use telemetry data to understand usage rates to help prioritize future development efforts. | -| `express_route_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an ExpressRoute Gateway. See the Network Connectivity section below for details. 
| -| `hub_network_address_prefix` | | CIDR | "10.20.0.0/16" | This is the CIDR to use for the hub network. | -| `landing_zone_management_group_children` | | Map | | See the Customize Application Landing Zones section below for details. | -| `log_analytics_workspace_retention_in_days` | | Numeric | 365 | Number of days to retain logs in the Log Analytics Workspace. | -| `ms_defender_for_cloud_email_security_contact` | | Email | `security_contact@replaceme.com` | Email address to use for Microsoft Defender for Cloud. | -| `policy_assignment_enforcement_mode` | | String | `Default` | The enforcement mode to use for the Financial Services Industry Baseline Policy initiatives. | -| `policy_effect` | | String | `Deny` | The effect to use for the Financial Services Industry Baseline Policy initiatives, when policies support multiple effects. | -| `policy_exemptions` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy exemptions to use alongside the Financial Services Industry Landing Zone. | -| `subscription_billing_scope` | Required | String | | Only required if you have not provided existing subscription IDs for management, connectivity, and identity. | -| `tags` | | Map | See the Custom Tagging section below for details. | Set of tags to apply to all resources deployed. | -| `use_premium_firewall` | | Boolean | `true` | Set to `true` to deploy Premium SKU of the Azure Firewall if `enable_firewall` is also `true`. | -| `vpn_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an VPN Gateway. See the Network Connectivity section below for details. 
| - -## Custom Compliance - -### Custom Policy Sets - -An example of the format for the `customer_policy_sets` map is as follows: - -```yaml -customer_policy_sets: { - assignment1: { - policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f", - policySetAssignmentName: "FedRAMPHigh", - policySetAssignmentDisplayName: "FedRAMP High", - policySetAssignmentDescription: "FedRAMP High", - policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/", - policyParameterFilePath: "../modules/compliance/policy_parameters/policySetParameterSampleFile.json" - } -} -``` - -### Policy Exemptions - -An example of the format for the `policy_exemptions` map is as follows: - -```yaml -policy_exemptions: { - policy_exemption1: { - name: "globalexemption", - display_name: "global", - description: "test", - management_group_id: "/providers/Microsoft.management/managementGroups/", - policy_assignment_id: "/providers/microsoft.management/managementGroups//providers/microsoft.Authorization/policyassignments/enforce-fsi-global", - policy_definition_reference_ids: ["AllowedLocations"] - } -} -``` - -## Customize Application Landing Zones - -### Landing Zone Management Group Children - -An example of the format for the `landing_zone_management_group_children` map is as follows: - -```yaml -landing_zone_management_group_children: { - child1: { - id: "child1", - displayName: "Landing zone child one" - } -} -``` - -## Custom Tagging - -### Tags - -An example of the format for the `tags` map is as follows: - -```yaml -tags: { - Environment: "Production", - ServiceName: "FSILZ" -} -``` - -## Network Connectivity - -### ExpressRoute Gateway Config - -An example of the format for the `express_route_gateway_config` map is as follows: - -```yaml -express_route_gateway_config: { - name: "express_route", - gatewayType: "ExpressRoute", - sku: "ErGw1AZ", - vpnType: "RouteBased", - vpnGatewayGeneration: null, - 
enableBgp: false, - activeActive: false, - enableBgpRouteTranslationForNat: false, - enableDnsForwarding: false, - asn: 65515, - bgpPeeringAddress: "", - peerWeight: 5 -} -``` - -### VPN Gateway Config - -An example of the format for the `vpn_gateway_config` map is as follows: - -```yaml -vpn_gateway_config: { - name: "vpn_gateway", - gatewayType: "Vpn", - sku: "VpnGw1", - vpnType: "RouteBased", - vpnGatewayGeneration: "Generation1", - enableBgp: false, - activeActive: false, - enableBgpRouteTranslationForNat: false, - enableDnsForwarding: false, - bgpPeeringAddress: "", - asn: 65515, - peerWeight: 5, - vpnClientConfiguration: { - vpnAddressSpace: ["10.2.0.0/24"] - } -} -``` - -## Known Issues - -The following are known issues with the Public Preview release for the Financial Services Industry Landing Zone. - -### Multiple Inputs for Location - -The inputs for `bootstrap_location` and `starter_locations` must be identical. - -### Terraform Plan or Apply Fails After Updating tfvars - -Any updates should be made to the inputs file(e.g., inputs-local-terraform-financial-services-landing-zone.yaml) and re-run the ALZ powershell & rerun the Phase 3 of Deployment. - -### Invalid Hub Network Address Prefix or Subnet Address Prefix - -There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply. - -### Unable to Build Authorizer for Resource Manager API - -It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist. - -### Unable to Update Address Prefixes - -Updating the address prefix on either the hub network or subnets is not supported at this time. - -### Unable to Change Top Level or Sub Level Management Group Names - -Modifying the Top Level or Sub Level Management Group name is not supported at this time. - -### Tags are Not Applied to All Resources - -Certain resources are not receiving the default tags. 
This will be addressed in a future release. - -### Default Compliance Score is not 100% - -Certain resources will show as being out of compliance by default. This will be addressed in a future release. - -## Further details on the Financial Services Industry Landing Zone Starter Module - -The Terraform-based deployment for the Financial Services Industry Landing Zone (FSILZ) provides an Enterprise Scale Landing Zone with compliance posture - -### High Level Design - -![Alt text](./media/starter-module-microsoft_cloud_for_financial_services_industry.png) - -### Terraform Modules - -#### `alz-archetypes` and `fsilz-archetypes` - -The `alz-archetypes` and `fsilz-archetypes` are different from Terraform modules, but are used to deploy the management group hierarchy, policy assignments and management resources including the Financial Services Industry policies. For more information on the archetypes, view the [ALZ archetypes](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/alz/) and the [FSILZ archetypes](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/fsi/). - -#### `subscription-vending` - -The `subscription-vending` module is used to deploy the subscriptions and move them within the right management group scopes. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-lz-vending/tree/main/modules/subscription). - -#### `hubnetworking` - -The `hubnetworking` module is used to deploy the hub VNET, Azure Firewall , Route Tables, and other networking primitives into the connectivity subscription. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-hubnetworking). - -#### `private-link` - -The `private-link` module is used to deploy default private link private DNS Zones. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-network-private-link-private-dns-zones). 
- -#### `alz-management` - -The `alz-management` module is used to deploy a set of management resources such as those for centralized logging. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-alz-management). - -#### `resource-group` - -The `resource-group` module is used to deploy a variety of resource groups within the default subscriptions. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-resources-resourcegroup). - -#### `portal-dashboard` - -The `portal-dashboard` module is used to deploy the default compliance dashboard. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-portal-dashboard). - -#### `azure-bastion` - -The `azure-bastion` module is used to deploy Azure Bastion for remote access. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-bastionhost). - -#### `firewall-policy` - -The `firewall-policy` module is used to deploy a default Azure Firewall Policy for further configuration. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-firewallpolicy). - -#### `ddos-protection` - -The `ddos-protection` module is used to deploy a Standard SKU DDoS Protection Plan resource for network security. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-ddosprotectionplan). - -#### `public-ip` - -The `public-ip` module is used to deploy a Azure Public IP resoures for offerings that need inbound public internet access such as the VPN and ExpressRoute Gateways. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-publicipaddress). 
- -#### `networksecuritygroup` - -The `networksecuritygroup` module is used to deploy a default NSG for the Azure Bastion subnet to restrict ingress and egress network access. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-networksecuritygroup). - -### Exemptions - -#### 1. Customer might change Policy assignments at Management Groups level - -Please follow the below example to change the Policy Assignments (example: Data Residency being moved to Root level) - -In deployment workspace, navigate to: -bootstrap\{version}\modules\template_architecture_definition\templates\fsi.alz_architecture_definition.json.tftpl - -Update fsi.alz_architecture_definition.json.tftpl file with preferred archetype management group assignments, e.g., to add so_01_data_residency to the “Financial Services Industry Landing Zone” management group, make the following change: - -Before update: - -```json -{ - "name": "${architecture_definition_name}", - "management_groups": [ - { - "archetypes": [${root_archetypes}, "fsi_root", "tr_01_logging", "re_01_zonal_residency", "so_04_cmk"], - "display_name": "FSI Landing Zone", - "exists": false, - "id": "${root_management_group_id}", - "parent_id": null - }, - ] - ... -} -``` - -After update: - -```json -{ - "name": "${architecture_definition_name}", - "management_groups": [ - { - "archetypes": [${root_archetypes}, "fsi_root", "tr_01_logging", "re_01_zonal_residency", "so_04_cmk", "so_01_data_residency"], - "display_name": "FSI Landing Zone", - "exists": false, - "id": "${root_management_group_id}", - "parent_id": null - }, - ] - ... -} -``` - -Run Deploy-Accelerator command from phase 2 and then continue with phase 3 - -#### 2. 
Instructions for setting Policy Assignment parameter values - -Please follow the below example to change the Policy Assignment parameter values (e.g., DDOS Protection Plan ID needs to be updated) - -Please Note: Policy Assignment parameter values are only applicable for DDOS Protection Plan & Log Analytics Workspace - -In the "management_groups" module located in file: - -starter\{version}\microsoft_cloud_for_industry\financial_services_landing_zone\locals.tf - -Users should go into locals.tf file & update the values for ddosProtectionPlanId & logAnalyticsWorkspaceId. - -Code needing update: - -```terraform - fsi_policy_default_values = { - policyEffect = jsonencode({ value = var.policy_effect }) - allowedLocationsForConfidentialComputing = jsonencode({ value = var.allowed_locations_for_confidential_computing }) - allowedLocations = jsonencode({ value = var.allowed_locations }) - ddosProtectionPlanId = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Network/ddosProtectionPlans/placeholder" }) - ddosProtectionPlanEffect = jsonencode({ value = var.deploy_ddos_protection ? "Audit" : "Disabled" }) - emailSecurityContact = jsonencode({ value = var.ms_defender_for_cloud_email_security_contact }) - logAnalyticsWorkspaceId = jsonencode({ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/placeholder/providers/Microsoft.OperationalInsights/workspaces/placeholder-la" }) - } -``` - -Below is an example of where to locate the DDOS Protection Plan & Log Analytics Workspace IDs from the Financial Services Industry starter module terrafrom output. The output will be displayed after the deployment has completed: - -```text -Apply complete! Resources: 862 added, 0 changed, 0 destroyed. - -Outputs: - -dashboard_info = < -The `hubnetworking` starter module deploys the management group hierarchy, management resources, policies and hub networking. 
- -Example input files can be found here: - -- [inputs-azure-devops-terraform-hubnetworking.yaml][example_powershell_inputs_azure_devops_terraform_hubnetworking] -- [inputs-github-terraform-hubnetworking.yaml][example_powershell_inputs_github_terraform_hubnetworking] -- [inputs-local-terraform-hubnetworking.yaml][example_powershell_inputs_local_terraform_hubnetworking] - -The following table describes the inputs required for the `hubnetworking` starter module. - -| Input | Placeholder | Description | -| - | -- | --- | -| `root_id` | `` | This is the prefix for the ID of management groups. | -| `root_name` | `` | This is the prefix for the name of management groups. | -| `hub_virtual_network_address_prefix` | `` | This is the ip address prefix for the hub virtual network. This must be a valid CIDR, e.g. `10.0.0.0/16`. | -| `firewall_subnet_address_prefix` | `` | This is the ip address prefix for the firewall subnet. This must be a valid CIDR, e.g. `10.0.0.0/24`. | -| `gateway_subnet_address_prefix` | `` | This is the ip address prefix for the gateway subnet. This must be a valid CIDR, e.g. `10.0.1.0/24`. | -| `virtual_network_gateway_creation_enabled` | `true` | Determines whether or not to deploy the gateway. | - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[example_powershell_inputs_azure_devops_terraform_hubnetworking]: examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Hub Networking" -[example_powershell_inputs_github_terraform_hubnetworking]: examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml "Example - PowerShell Inputs - GitHub - Terraform - Hub Networking" -[example_powershell_inputs_local_terraform_hubnetworking]: examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Local - Terraform - Hub Networking" 
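Review bot: The "Exemptions" section 2 removed with the Financial Services Industry page above is where users are told that `ddosProtectionPlanId` and `logAnalyticsWorkspaceId` in `locals.tf` hold placeholder resource IDs (`/subscriptions/00000000-0000-0000-0000-000000000000/...`) and must be replaced with the values from the Terraform output. Once this text is deleted, nothing in the visible hunks tells a user to replace them, so the policy assignments that take those parameters can be left referencing a placeholder plan and workspace. Please reference the replacement documentation in the commit message, or keep this procedure until the starter module sets both values itself.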
diff --git a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Sovereign-Landing-Zone.md b/docs/wiki/[User-Guide]-Starter-Module-Terraform-Sovereign-Landing-Zone.md deleted file mode 100644 index 987c9a44..00000000 --- a/docs/wiki/[User-Guide]-Starter-Module-Terraform-Sovereign-Landing-Zone.md +++ /dev/null 
@@ -1,270 +0,0 @@ - -The `sovereign_landing_zone` starter module provides full customization of the Sovereign Landing Zone (SLZ) using the `inputs.yaml` file. The `inputs.yaml` file provides the ability to enable and disable modules, configure module inputs and outputs, and configure module resources. -A custom `inputs.yaml` file can be passed to the `inputs` argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it. - -The default `inputs.yaml` file will need to be modified based on the documentation below. - -Example input files can be found here: - -- [inputs-azure-devops-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone] -- [inputs-github-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_github_terraform_sovereign_landing_zone] -- [inputs-local-terraform-sovereign-landing-zone.yaml][example_powershell_inputs_local_terraform_sovereign_landing_zone] - -The following table describes the inputs for the `sovereign_landing_zone` starter module. - -| Input | Required | Type | Default Value | Description | -| - | -- | --- | ---- | ----- | -| `allowed_locations` | Required | List | | This is a list of Azure regions all workloads running outside of the Confidential Management Group scopes are allowed to be deployed into. | -| `allowed_locations_for_confidential_computing` | Required | List | | This is a list of Azure regions all workloads running inside of the Confidential Management Group scopes are allowed to be deployed into. | -| `az_firewall_policies_enabled` | | Boolean | `true` | Set to `true` to deploy a default Azure Firewall Policy resource if `enable_firewall` is also `true`. | -| `apply_alz_archetypes_via_architecture_definition_template` | | Boolean | `true` | This controls whether to apply the ALZ archetypes (polcy assignments) to the SLZ deployment. 
| -| `bastion_outbound_ssh_rdp_ports` | | List | `["22", "3389"]` | List of outbound remote access ports to enable on the Azure Bastion NSG if `deploy_bastion` is also `true`. | -| `custom_subnets` | | Map | See `inputs.yaml` for default object. | Map of subnets and their configurations to create within the hub network. | -| `customer` | | String | `"Country/Region"` | Customer name to use when branding the compliance dashboard. | -| `customer_policy_sets` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy initiatives to apply alongside the SLZ. | -| `default_postfix` | | String | | Postfix value to append to all resources. | -| `default_prefix` | Required | String | `slz` | Prefix value to append to all resources. | -| `deploy_bastion` | | Boolean | `true` | Set to `true` to deploy Azure Bastion within the hub network. | -| `deploy_ddos_protection` | | Boolean | `true` | Set to `true` to deploy Azure DDoS Protection within the hub network. | -| `deploy_hub_network` | | Boolean | `true` | Set to `true` to deploy the hub network. | -| `deploy_log_analytics_workspace` | | Boolean | `true` | Set to `true` to deploy Azure Log Analytics Workspace. | -| `enable_firewall` | | Boolean | `true` | Set to `true` to deploy Azure Firewall within the hub network. | -| `enable_telemetry` | | Boolean | `true` | Set to `false` to opt out of telemetry tracking. We use telemetry data to understand usage rates to help prioritize future development efforts. | -| `express_route_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an ExpressRoute Gateway. See the Network Connectivity section below for details. | -| `hub_network_address_prefix` | | CIDR | "10.20.0.0/16" | This is the CIDR to use for the hub network. | -| `landing_zone_management_group_children` | | Map | | See the Customize Application Landing Zones section below for details. 
| -| `log_analytics_workspace_retention_in_days` | | Numeric | 365 | Number of days to retain logs in the Log Analytics Workspace. | -| `ms_defender_for_cloud_email_security_contact` | | Email | `security_contact@replaceme.com` | Email address to use for Microsoft Defender for Cloud. | -| `policy_assignment_enforcement_mode` | | String | `Default` | The enforcement mode to use for the Sovereign Baseline Policy initiatives. | -| `policy_effect` | | String | `Deny` | The effect to use for the Sovereign Baseline Policy initiatives, when policies support multiple effects. | -| `policy_exemptions` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy exemptions to use alongside the SLZ. | -| `subscription_billing_scope` | | String | | Only required if you have not provided existing subscription IDs for management, connectivity, and identity. | -| `tags` | | Map | See the Custom Tagging section below for details. | Set of tags to apply to all resources deployed. | -| `use_premium_firewall` | | Boolean | `true` | Set to `true` to deploy Premium SKU of the Azure Firewall if `enable_firewall` is also `true`. | -| `vpn_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an VPN Gateway. See the Network Connectivity section below for details. 
| - -## Custom Compliance - -### Custom Policy Sets - -An example of the format for the `customer_policy_sets` map is as follows: - -```yaml -customer_policy_sets: { - assignment1: { - policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f", - policySetAssignmentName: "FedRAMPHigh", - policySetAssignmentDisplayName: "FedRAMP High", - policySetAssignmentDescription: "FedRAMP High", - policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/", - policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json" - } -} -``` - -### Policy Exemptions - -An example of the format for the `policy_exemptions` map is as follows: - -```yaml -policy_exemptions: { - policy_exemption1: { - name: "globalexemption", - display_name: "global", - description: "test", - management_group_id: "/providers/Microsoft.management/managementGroups/", - policy_assignment_id: "/providers/microsoft.management/managementGroups//providers/microsoft.Authorization/policyassignments/enforce-sovereign-global", - policy_definition_reference_ids: ["AllowedLocations"] - } -} -``` - -## Customize Application Landing Zones - -### Landing Zone Management Group Children - -An example of the format for the `landing_zone_management_group_children` map is as follows: - -```yaml -landing_zone_management_group_children: { - child1: { - id: "child1", - displayName: "Landing zone child one" - } -} -``` - -## Custom Tagging - -### Tags - -An example of the format for the `tags` map is as follows: - -```yaml -tags: { - Environment: "Production", - ServiceName: "SLZ" -} -``` - -## Network Connectivity - -### ExpressRoute Gateway Config - -An example of the format for the `express_route_gateway_config` map is as follows: - -```yaml -express_route_gateway_config: { - name: "express_route", - gatewayType: "ExpressRoute", - sku: "ErGw1AZ", - vpnType: "RouteBased", - vpnGatewayGeneration: null, - enableBgp: false, 
- activeActive: false, - enableBgpRouteTranslationForNat: false, - enableDnsForwarding: false, - asn: 65515, - bgpPeeringAddress: "", - peerWeight: 5 -} -``` - -### VPN Gateway Config - -An example of the format for the `vpn_gateway_config` map is as follows: - -```yaml -vpn_gateway_config: { - name: "vpn_gateway", - gatewayType: "Vpn", - sku: "VpnGw1", - vpnType: "RouteBased", - vpnGatewayGeneration: "Generation1", - enableBgp: false, - activeActive: false, - enableBgpRouteTranslationForNat: false, - enableDnsForwarding: false, - bgpPeeringAddress: "", - asn: 65515, - peerWeight: 5, - vpnClientConfiguration: { - vpnAddressSpace: ["10.2.0.0/24"] - } -} -``` - -## Known Issues - -The following are known issues with the Public Preview release for the SLZ. - -### Multiple Resources Destroyed and Recreated During Second Execution - -Occasionally, terraform will attempt to recreate many resources under a subscription despite no resource configurations being changed. A temporary work around can be done by updating `locals.tf` with the following: - -```terraform -locals { - subscription_id_management = "management_subscription_id" - subscription_id_connectivity = "connectivity_subscription_id" - subscription_id_identity = "identity_subscription_id" -} -``` - -### Multiple Inputs for Location - -The inputs for `bootstrap_location` and `starter_locations` must be identical, using the first region in starter_locations as the default location. Therefore, starter_locations is required and must include at least one region. In a future release, we will have defaults and overrides for these values. - -### Terraform Plan or Apply Fails After Updating tfvars - -Any updates should be made to the `inputs.yaml` file and the tfvars will be updated upon executing the `Deploy-Accelerator` PowerShell command. - -### Invalid Hub Network Address Prefix or Subnet Address Prefix - -There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. 
These issues will be uncovered during apply. - -### Unable to Build Authorizer for Resource Manager API - -It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist. - -### Unable to Update Address Prefixes - -Updating the address prefix on either the hub network or subnets is not supported at this time. - -### Unable to Change Top Level or Sub Level Management Group Names - -Modifying the Top Level or Sub Level Management Group name is not supported at this time. - -### Tags are Not Applied to All Resources - -Certain resources are not receiving the default tags. This will be addressed in a future release. - -### Default Compliance Score is not 100% - -Certain resources will show as being out of compliance by default. This will be addressed in a future release. - -## Further details on the Sovereign Landing Zone Starter Module - -The Terraform-based deployment for the Sovereign Landing Zone (SLZ) provides an Enterprise Scale Landing Zone with equivalent compliance posture equal to that of our [Bicep implementation][bicep_implementation_slz]. There is not currently a migration path between the two implementations, however multiple landing zones can be created with either deployment technology in the same Azure tenant. - -### High Level Design - -![Alt text](./media/starter-module-microsoft_cloud_for_sovereignty.png) - -### Terraform Modules - -#### `alz-archetypes` and `slz-archetypes` - -The `alz-archetypes` and `slz-archetypes` are different from Terraform modules, but are used to deploy the management group hierarchy, policy assignments and management resources including the sovereign baseline policies. For more information on the archetypes, view the [ALZ archetypes](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/alz/) and the [SLZ archetypes](https://github.com/Azure/Azure-Landing-Zones-Library/blob/main/platform/slz/). 
- -#### `subscription-vending` - -The `subscription-vending` module is used to deploy the subscriptions and move them within the right management group scopes. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-lz-vending/tree/main/modules/subscription). - -#### `hubnetworking` - -The `hubnetworking` module is used to deploy the hub VNET, Azure Firewall , Route Tables, and other networking primitives into the connectivity subscription. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-hubnetworking). - -#### `private-link` - -The `private-link` module is used to deploy default private link private DNS Zones. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-network-private-link-private-dns-zones). - -#### `alz-management` - -The `alz-management` module is used to deploy a set of management resources such as those for centralized logging. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-ptn-alz-management). - -#### `resource-group` - -The `resource-group` module is used to deploy a variety of resource groups within the default subscriptions. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-resources-resourcegroup). - -#### `portal-dashboard` - -The `portal-dashboard` module is used to deploy the default compliance dashboard. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-portal-dashboard). - -#### `azure-bastion` - -The `azure-bastion` module is used to deploy Azure Bastion for remote access. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-bastionhost). - -#### `firewall-policy` - -The `firewall-policy` module is used to deploy a default Azure Firewall Policy for further configuration. 
For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-firewallpolicy). - -#### `ddos-protection` - -The `ddos-protection` module is used to deploy a Standard SKU DDoS Protection Plan resource for network security. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-ddosprotectionplan). - -#### `public-ip` - -The `public-ip` module is used to deploy a Azure Public IP resoures for offerings that need inbound public internet access such as the VPN and ExpressRoute Gateways. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-publicipaddress). - -#### `networksecuritygroup` - -The `networksecuritygroup` module is used to deploy a default NSG for the Azure Bastion subnet to restrict ingress and egress network access. For more information on the module itself see [here](https://github.com/Azure/terraform-azurerm-avm-res-network-networksecuritygroup). - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Devops - Terraform - Sovereign Landing Zone" -[example_powershell_inputs_github_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Sovereign Landing Zone" -[example_powershell_inputs_local_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Sovereign Landing Zone" -[bicep_implementation_slz]: https://aka.ms/slz/bicep "Sovereign Landing Zone (Bicep)" 
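Review bot: The "Known Issues" section removed with the Sovereign Landing Zone page records behaviour an operator needs to know before running apply. It covers the lack of validation that subnets fall within the hub network CIDR or do not overlap, Terraform recreating many resources on a second execution (with the `locals.tf` subscription ID workaround), and the need to rerun `az login` after subscriptions are created. Nothing in the visible hunks adds this content elsewhere, so please confirm it has been migrated and name the new location in the commit message. The same goes for the documented input defaults that determine policy posture, such as `policy_effect` (`Deny`) and `policy_assignment_enforcement_mode` (`Default`).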
diff --git a/docs/wiki/[User-Guide]-Starter-Modules.md b/docs/wiki/[User-Guide]-Starter-Modules.md deleted file mode 100644 index 991cb407..00000000 --- a/docs/wiki/[User-Guide]-Starter-Modules.md +++ /dev/null @@ -1,21 +0,0 @@ - - -The Azure landing zones accelerator includes a number of starter modules that provide opinionated implementations of the Bicep or Terraform Azure landing zones modules. - -These are called starter modules because the expectation is you'll update these modules as the needs of your organization evolves and you want to add or remove features to your landing zone. - -Each starter module expects different inputs and the following pages detail those inputs. You'll be prompted for these inputs when you run the Accelerator PowerShell module. - -- [Bicep Complete Starter Module][wiki_starter_module_bicep_complete]: Management groups, policies and hub networking. -- [Terraform Basic Starter Module][wiki_starter_module_terraform_basic]: Management groups and policies. -- [Terraform Hub Networking Starter Module][wiki_starter_module_terraform_hubnetworking]: Management groups, policies and hub networking. -- [Terraform Complete Starter Module][wiki_starter_module_terraform_complete]: Management groups, policies, hub networking with fully custom configuration. - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) - -[wiki_starter_module_bicep_complete]: %5BUser-Guide%5D-Starter-Module-Bicep-Complete "Wiki - Starter Modules - Bicep Complete" -[wiki_starter_module_terraform_basic]: %5BUser-Guide%5D-Starter-Module-Terraform-Basic "Wiki - Starter Modules - Terraform Basic" -[wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking" -[wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete" 
diff --git a/docs/wiki/[User-Guide]-YAML-Schema-Reference.md b/docs/wiki/[User-Guide]-YAML-Schema-Reference.md deleted file mode 100644 index 3766741f..00000000 --- a/docs/wiki/[User-Guide]-YAML-Schema-Reference.md +++ /dev/null 
@@ -1,222 +0,0 @@ - - -## `archetypes` - -Specifies the archetypes to be used through the `caf-enterprise-scale` module. - -```yaml - -archetypes: # Arguments from https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/v4.2.0/variables.tf converted to YAML. - disable_telemetry: # boolean - default_location: # string - root_parent_id: # string - archetype_config_overrides: # object - configure_connectivity_resources: # object - configure_identity_resources: # object - configure_management_resources: # object - create_duration_delay: # object - custom_landing_zones: # object - custom_policy_roles: # object - default_tags: # object - deploy_connectivity_resources: # boolean - deploy_corp_landing_zones: # boolean - deploy_core_landing_zones: # boolean - deploy_demo_landing_zones: # boolean - deploy_diagnostics_for_mg: # boolean - deploy_identity_resources: # boolean - deploy_management_resources: # boolean - deploy_online_landing_zones: # boolean - deploy_sap_landing_zones: # boolean - destroy_duration_delay: # object - disable_base_module_tags: # boolean - library_path: # string - policy_non_compliance_message_default: # string - policy_non_compliance_message_default_enabled: # boolean - policy_non_compliance_message_enabled: # boolean - policy_non_compliance_message_enforced_replacement: # string - policy_non_compliance_message_enforcement_placeholder: # string - policy_non_compliance_message_not_enforced_replacement: # string - policy_non_compliance_message_not_supported_definitions: # list - resource_custom_timeouts: # object - root_id: # string - root_name: # string - strict_subscription_association: # boolean - subscription_id_connectivity: # string - subscription_id_identity: # string - subscription_id_management: # string - subscription_id_overrides: # object - template_file_variables: # string - -``` - -### `archetypes` Example - -```yaml - -archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. 
- root_name: es - root_id: Enterprise-Scale - deploy_corp_landing_zones: true - deploy_online_landing_zones: true - default_location: uksouth - disable_telemetry: true - deploy_management_resources: true - default_tags: - environment: dev - costcenter: 12345 - configure_management_resources: - location: uksouth - settings: - security_center: - config: - email_security_contact: "security_contact@replace_me" - custom_landing_zones: - eucustomers: - display_name: EU Customers - parent_management_group_id: es-landing-zones - -``` - -## `connectivity` - -Specifies the connectivity configuration to be used. - -```yaml - -connectivity: [ hubnetworking ] # Type of connectivity to be deployed (e.g. hubnetworking or virtual wan.) - -``` - -## `connectivity.hubnetworking` - -Specifies the hub networking configuration to be used from the `terraform-azurerm-hubnetworking` module. - -```yaml - -connectivity: - hubnetworking: # # Arguments from https://github.com/Azure/terraform-azurerm-hubnetworking/blob/v1.1.1/variables.tf converted to YAML. - hub_virtual_networks: # object - -``` - -### `connectivity.hubnetworking` Example - -```yaml -connectivity: - hubnetworking: - hub_virtual_networks: - hub-one: - name: vnet-hub - resource_group_name: rg-connectivity - location: uksouth - address_space: - - 10.0.0.0/16 - firewall: - name: fw-hub - sku_name: AZFW_VNet - sku_tier: Standard - subnet_address_prefix: 10.0.1.0/24 - -``` - -## `connectivity.hubnetworking.hub_virtual_networks..virtual_network_gateway` - -Specifies the virtual network gateway configuration to be used from the `terraform-azurerm-avm-ptn-vnetgateway` module. - -```yaml - -connectivity: - hubnetworking: - hub_virtual_networks: - : - name: # string - resource_group_name: # string - location: # string - address_space: # list - virtual_network_gateway: # Arguments from https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway/blob/v0.3.0/variables.tf converted to YAML. 
- name: # string - sku: # string - subnet_address_prefix: # string - subnet_creation_enabled: # boolean - type: # string - default_tags: # object - edge_zone: # string - express_route_circuits: # object - ip_configurations: # object - local_network_gateways: # object - tags: # object - vpn_active_active_enabled: # boolean - vpn_bgp_enabled: # boolean - vpn_bgp_settings: # object - vpn_generation: # string - vpn_point_to_site: # object - vpn_type: # string - vpn_private_ip_address_enabled: # boolean - route_table_bgp_route_propagation_enabled: # boolean - route_table_creation_enabled: # boolean - route_table_name: # string - route_table_tags: # object - -``` - -### `connectivity.hubnetworking.hub_virtual_networks..virtual_network_gateway` Example - -```yaml -connectivity: - hubnetworking: - hub_virtual_networks: - hub-one: - name: vnet-hub - resource_group_name: rg-connectivity - location: uksouth - address_space: - - 10.0.0.0/16 - firewall: - name: fw-hub - sku_name: AZFW_VNet - sku_tier: Standard - subnet_address_prefix: 10.0.1.0/24 - virtual_network_gateway: - name: vgw-hub - sku: VpnGw1 - type: Vpn - subnet_address_prefix: 10.0.2.0/24 -``` - -## `connectivity.vwan` - -Specifies the hub networking configuration to be used from the `terraform-azurerm-avm-ptn-virtualwan` module. - -```yaml - -connectivity: - vwan: # Arguments from https://github.com/Azure/terraform-azurerm-avm-ptn-virtualwan/blob/v0.4.0/variables.tf converted to YAML. 
- allow_branch_to_branch_traffic: # boolean - create_resource_group: # boolean - disable_vpn_encryption: # boolean - enable_telemetry: # boolean - er_circuit_connections: # object - expressroute_gateways: # object - firewalls: # object - location: # string - office365_local_breakout_category - p2s_gateway_vpn_server_configurations: # object - p2s_gateways: # object - resource_group_name: # string - resource_group_tags: # object - routing_intents: # object - telemetry_resource_group_name: # string - type: # string - virtual_hubs: # object - virtual_network_connections: # object - virtual_wan_name: # string - virtual_wan_tags: # object - vpn_gateways: # object - vpn_site_connections: # object - vpn_sites: # object - tags: # object -``` - - [//]: # (************************) - [//]: # (INSERT LINK LABELS BELOW) - [//]: # (************************) diff --git a/docs/wiki/_Footer.md b/docs/wiki/_Footer.md index d54dfe76..b63ca680 100644 --- a/docs/wiki/_Footer.md +++ b/docs/wiki/_Footer.md @@ -1,4 +1 @@ -**This wiki is being actively developed** - -If you discover any documentation bugs or would like to request new content, please raise them as an [issue](https://github.com/Azure/ALZ-PowerShell-Module/issues) or feel free to contribute to the wiki via a [pull request](https://github.com/Azure/ALZ-PowerShell-Module/pulls). The wiki docs are located in the repository in the `docs/wiki/` folder. diff --git a/docs/wiki/_Sidebar.md b/docs/wiki/_Sidebar.md index f671c3d8..0d3862c6 100644 --- a/docs/wiki/_Sidebar.md +++ b/docs/wiki/_Sidebar.md 
@@ -1,123 +1 @@ -![Azure logo](media/Logo-Small.png) - -## Azure landing zones accelerators - -- [Home][wiki_home] -- [User guide][wiki_user_guide] - - [Getting started][wiki_getting_started] - - [Quick Start][wiki_quick_start] - - [Phase 1 - Pre-requisites][wiki_quick_start_phase_1] - - [Service Principal][wiki_quick_start_phase_1_service_principal] - - [Phase 2 - Bootstrap][wiki_quick_start_phase_2] - - [Azure DevOps][wiki_quick_start_phase_2_azure_devops] - - [GitHub][wiki_quick_start_phase_2_github] - - [Local][wiki_quick_start_phase_2_local] - - [Phase 3 - Run][wiki_quick_start_phase_3] - - [Starter Modules][wiki_starter_modules] - - [Bicep - Complete][wiki_starter_module_bicep_complete] - - [Terraform - Complete Multi Region][wiki_starter_module_terraform_complete_multi_region] - - [Example Multi Region Hub and Spoke config][example_starter_module_complete_config_hub_spoke_multi_region] - - [Example Multi Region Virtual WAN config][example_starter_module_complete_config_vwan_multi_region] - - [Example Single Region Hub and Spoke config][example_starter_module_complete_config_hub_spoke_single_region] - - [Example Single Region Virtual WAN config][example_starter_module_complete_config_vwan_single_region] - - [Terraform - Financial Services Industry Landing Zone][wiki_starter_module_terraform_financial_services_industry_landing_zone] - - [Terraform - Sovereign Landing Zone][wiki_starter_module_terraform_sovereign_landing_zone] - - [Terraform - Basic][wiki_starter_module_terraform_basic] - - [Terraform - Hub Networking][wiki_starter_module_terraform_hubnetworking] - - [Terraform - Complete][wiki_starter_module_terraform_complete] - - [Configuration YAML Schema][wiki_yaml_schema_reference] - - [Example Hub and Spoke config][example_starter_module_complete_config_hub_spoke] - - [Example Virtual WAN config][example_starter_module_complete_config_vwan] - - Input Files - - [Azure DevOps Bicep Complete][example_powershell_inputs_azure_devops_bicep_complete] - - [Azure 
DevOps Terraform Complete Multi Region][example_powershell_inputs_azure_devops_terraform_complete_multi_region] - - [Azure DevOps Terraform Financial Services Industry Landing Zone][example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone] - - [Azure DevOps Terraform Sovereign Landing Zone][example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone] - - [Azure DevOps Terraform Basic][example_powershell_inputs_azure_devops_terraform_basic] - - [Azure DevOps Terraform Hub Networking][example_powershell_inputs_azure_devops_terraform_hubnetworking] - - [Azure DevOps Terraform Complete][example_powershell_inputs_azure_devops_terraform_complete] - - [GitHub Bicep Complete][example_powershell_inputs_github_bicep_complete] - - [GitHub Terraform Complete Multi Region][example_powershell_inputs_github_terraform_complete_multi_region] - - [GitHub Terraform Financial Services Industry Landing Zone][example_powershell_inputs_github_terraform_financial_services_industry_landing_zone] - - [GitHub Terraform Sovereign Landing Zone][example_powershell_inputs_github_terraform_sovereign_landing_zone] - - [GitHub Terraform Basic][example_powershell_inputs_github_terraform_basic] - - [GitHub Terraform Hub Networking][example_powershell_inputs_github_terraform_hubnetworking] - - [GitHub Terraform Complete][example_powershell_inputs_github_terraform_complete] - - [Local Bicep Complete][example_powershell_inputs_local_bicep_complete] - - [Local Terraform Complete Multi Region][example_powershell_inputs_local_terraform_complete_multi_region] - - [Local Terraform Financial Services Industry Landing Zone][example_powershell_inputs_local_terraform_financial_services_industry_landing_zone] - - [Local Terraform Sovereign Landing Zone][example_powershell_inputs_local_terraform_sovereign_landing_zone] - - [Local Terraform Basic][example_powershell_inputs_local_terraform_basic] - - [Local Terraform Hub 
Networking][example_powershell_inputs_local_terraform_hubnetworking] - - [Local Terraform Complete][example_powershell_inputs_local_terraform_complete] -- [Frequently Asked Questions][wiki_frequently_asked_questions] -- [Upgrade Guide][wiki_upgrade_guide] -- [Advanced Scenarios][wiki_advanced_scenarios] -- [Troubleshooting][wiki_troubleshooting] -- [Contributing][wiki_contributing] - - [Raising an issue][wiki_raising_an_issue] - - [Feature requests][wiki_feature_requests] - - [Contributing to code][wiki_contributing_to_code] - - [Contributing to documentation][wiki_contributing_to_documentation] - -[//]: # "************************" -[//]: # "INSERT LINK LABELS BELOW" -[//]: # "************************" - -[wiki_home]: Home "Wiki - Home" -[wiki_user_guide]: User-Guide "Wiki - User guide" -[wiki_getting_started]: %5BUser-Guide%5D-Getting-Started "Wiki - Getting started" -[wiki_quick_start]: %5BUser-Guide%5D-Quick-Start "Wiki - Quick start" -[wiki_quick_start_phase_1]: %5BUser-Guide%5D-Quick-Start-Phase-1 "Wiki - Quick Start - Phase 1" -[wiki_quick_start_phase_1_service_principal]: %5BUser-Guide%5D-Quick-Start-Phase-1-Service-Principal "Wiki - Quick Start - Phase 1 - Service Principal" -[wiki_quick_start_phase_2]: %5BUser-Guide%5D-Quick-Start-Phase-2 "Wiki - Quick Start - Phase 2" -[wiki_quick_start_phase_2_azure_devops]: %5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps "Wiki - Quick Start - Phase 2 - Azure DevOps" -[wiki_quick_start_phase_2_github]: %5BUser-Guide%5D-Quick-Start-Phase-2-GitHub "Wiki - Quick Start - Phase 2 - GitHub" -[wiki_quick_start_phase_2_local]: %5BUser-Guide%5D-Quick-Start-Phase-2-Local "Wiki - Quick Start - Phase 2 - Local" -[wiki_quick_start_phase_3]: %5BUser-Guide%5D-Quick-Start-Phase-3 "Wiki - Quick Start - Phase 3" -[wiki_starter_modules]: %5BUser-Guide%5D-Starter-Modules "Wiki - Starter Modules" -[wiki_starter_module_bicep_complete]: %5BUser-Guide%5D-Starter-Module-Bicep-Complete "Wiki - Starter Modules - Bicep Complete" 
-[wiki_starter_module_terraform_basic]: %5BUser-Guide%5D-Starter-Module-Terraform-Basic "Wiki - Starter Modules - Terraform Basic" -[wiki_starter_module_terraform_hubnetworking]: %5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking "Wiki - Start Modules - Terraform Hub Networking" -[wiki_starter_module_terraform_complete]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete "Wiki - Starter Modules - Terraform Complete" -[wiki_starter_module_terraform_complete_multi_region]: %5BUser-Guide%5D-Starter-Module-Terraform-Complete-Multi-Region "Wiki - Starter Modules - Terraform Complete Multi Region" -[wiki_yaml_schema_reference]: %5BUser-Guide%5D-YAML-Schema-Reference "Wiki - YAML Schema Reference" -[wiki_frequently_asked_questions]: Frequently-Asked-Questions "Wiki - Frequently Asked Questions" -[wiki_troubleshooting]: Troubleshooting "Wiki - Troubleshooting" -[wiki_contributing]: Contributing "Wiki - Contributing" -[wiki_raising_an_issue]: Raising-an-Issue "Wiki - Raising an issue" -[wiki_feature_requests]: Feature-Requests "Wiki - Feature requests" -[wiki_contributing_to_code]: Contributing-to-Code "Wiki - Contributing to code" -[wiki_contributing_to_documentation]: Contributing-to-Documentation "Wiki - Contributing to documentation" -[wiki_upgrade_guide]: Upgrade-Guide "Wiki - Upgrade Guide" -[wiki_advanced_scenarios]: %5BUser-Guide%5D-Advanced-Scenarios "Wiki - Advanced Scenarios" -[example_powershell_inputs_azure_devops_bicep_complete]: examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Bicep - Complete" -[example_powershell_inputs_github_bicep_complete]: examples/powershell-inputs/inputs-github-bicep-complete.yaml "Example - PowerShell Inputs - GitHub - Bicep - Complete" -[example_powershell_inputs_local_bicep_complete]: examples/powershell-inputs/inputs-local-bicep-complete.yaml "Example - PowerShell Inputs - Local - Bicep - Complete" -[example_powershell_inputs_azure_devops_terraform_basic]: 
examples/powershell-inputs/inputs-azure-devops-terraform-basic.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Basic" -[example_powershell_inputs_github_terraform_basic]: examples/powershell-inputs/inputs-github-terraform-basic.yaml "Example - PowerShell Inputs - GitHub - Terraform - Basic" -[example_powershell_inputs_local_terraform_basic]: examples/powershell-inputs/inputs-local-terraform-basic.yaml "Example - PowerShell Inputs - Local - Terraform - Basic" -[example_powershell_inputs_azure_devops_terraform_hubnetworking]: examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Hub Networking" -[example_powershell_inputs_github_terraform_hubnetworking]: examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml "Example - PowerShell Inputs - GitHub - Terraform - Hub Networking" -[example_powershell_inputs_local_terraform_hubnetworking]: examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml "Example - PowerShell Inputs - Local - Terraform - Hub Networking" -[example_powershell_inputs_azure_devops_terraform_complete]: examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete" -[example_powershell_inputs_github_terraform_complete]: examples/powershell-inputs/inputs-github-terraform-complete.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete" -[example_powershell_inputs_local_terraform_complete]: examples/powershell-inputs/inputs-local-terraform-complete.yaml "Example - PowerShell Inputs - Local - Terraform - Complete" -[example_powershell_inputs_azure_devops_terraform_complete_multi_region]: examples/powershell-inputs/inputs-azure-devops-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Complete Multi Region" -[example_powershell_inputs_github_terraform_complete_multi_region]: 
examples/powershell-inputs/inputs-github-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - GitHub - Terraform - Complete Multi Region" -[example_powershell_inputs_local_terraform_complete_multi_region]: examples/powershell-inputs/inputs-local-terraform-complete-multi-region.yaml "Example - PowerShell Inputs - Local - Terraform - Complete Multi Region" -[example_powershell_inputs_azure_devops_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Financial Services Industry Landing Zone" -[example_powershell_inputs_github_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - GitHub - Terraform - Financial Services Industry Landing Zone" -[example_powershell_inputs_local_terraform_financial_services_industry_landing_zone]: examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Financial Services Industry Landing Zone" -[example_powershell_inputs_azure_devops_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Azure DevOps - Terraform - Sovereign Landing Zone" -[example_powershell_inputs_github_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - GitHub - Terraform - Sovereign Landing Zone" -[example_powershell_inputs_local_terraform_sovereign_landing_zone]: examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml "Example - PowerShell Inputs - Local - Terraform - Sovereign Landing Zone" -[example_starter_module_complete_config_hub_spoke]: 
examples/starter-module-config/complete/config-hub-spoke.yaml "Example - Starter Module Config - Complete - Hub and Spoke" -[example_starter_module_complete_config_vwan]: examples/starter-module-config/complete/config-vwan.yaml "Example - Starter Module Config - Complete - Virtual WAN" -[example_starter_module_complete_config_hub_spoke_single_region]: examples/starter-module-config/complete-multi-region/config-hub-and-spoke-vnet-single-region.yaml "Example - Starter Module Config - Complete - Hub and Spoke VNet Single Region" -[example_starter_module_complete_config_vwan_single_region]: examples/starter-module-config/complete-multi-region/config-virtual-wan-single-region.yaml "Example - Starter Module Config - Complete - Virtual WAN Single Region" -[example_starter_module_complete_config_hub_spoke_multi_region]: examples/starter-module-config/complete-multi-region/config-hub-and-spoke-vnet-multi-region.yaml "Example - Starter Module Config - Complete - Hub and Spoke VNet Multi Region" -[example_starter_module_complete_config_vwan_multi_region]: examples/starter-module-config/complete-multi-region/config-virtual-wan-multi-region.yaml "Example - Starter Module Config - Complete - Virtual WAN Multi Region" -[wiki_starter_module_terraform_financial_services_industry_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Financial-Services-Industry-Landing-Zone "Wiki - Starter Modules - Terraform - Financial Services Industry Landing Zone" -[wiki_starter_module_terraform_sovereign_landing_zone]: %5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone "Wiki - Starter Modules - Terraform - Sovereign Landing Zone" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml deleted file mode 100644 index 1e88b175..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-bicep-complete.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps#2211-azure-devops-with-bicep - -# Basic Inputs -iac_type: "bicep" -bootstrap_module_name: "alz_azuredevops" -starter_module_name: "complete" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Complete Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Bicep-Complete) -Prefix: "alz" -Environment: "live" -networkType: "hubNetworking" -SecurityContact: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-basic.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-basic.yaml deleted file mode 100644 index a5265a30..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-basic.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps#2212-azure-devops-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_azuredevops" -starter_module_name: "basic" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Basic Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Basic) -root_id: "" -root_name: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-complete-vnext.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-complete-vnext.yaml deleted file mode 100644 index 94f80df1..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-complete-vnext.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps#2212-azure-devops-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_azuredevops" -starter_module_name: "complete_vnext" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Complete vNext Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Complete-vNext) -configuration_file_path: "" # Only required for the `complete` starter module. NOTE: This must be an absolute path. -default_postfix: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml deleted file mode 100644 index 77794731..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-complete.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps#2212-azure-devops-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_azuredevops" -starter_module_name: "complete" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Complete Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Complete) -configuration_file_path: "" # Only required for the `complete` starter module. NOTE: This must be an absolute path. -default_postfix: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-financial-services-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-financial-services-landing-zone.yaml deleted file mode 100644 index 643c3382..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-financial-services-landing-zone.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -# Basic Inputs -iac: "terraform" -bootstrap: "alz_azuredevops" -starter: "financial_services_landing_zone" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] # NOTE: FSI only support a single region by design -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "fsi" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true -architecture_definition_name: "fsi" -apply_alz_archetypes_via_architecture_definition_template: true - -# Starter Module Specific Variables -allowed_locations: [] -allowed_locations_for_confidential_computing: [] -az_firewall_policies_enabled: true -bastion_outbound_ssh_rdp_ports: ["22", "3389"] -custom_subnets: { - AzureBastionSubnet: { - address_prefixes: "10.20.15.0/24", - name: "AzureBastionSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - AzureFirewallSubnet: { - address_prefixes: "10.20.254.0/24", - name: "AzureFirewallSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - GatewaySubnet: { - address_prefixes: "10.20.252.0/24", - name: "GatewaySubnet", - networkSecurityGroupId: "", - routeTableId: "" - } -} -customer: "Country/Region" -customer_policy_sets: {} -default_postfix: "" -default_prefix: "fsi" -deploy_bastion: true -deploy_ddos_protection: true -deploy_hub_network: true -deploy_log_analytics_workspace: true -enable_firewall: true -enable_telemetry: true -express_route_gateway_config: {name: 
"noconfigEr"} -hub_network_address_prefix: "10.20.0.0/16" -landing_zone_management_group_children: {} -log_analytics_workspace_retention_in_days: "365" -ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com" -policy_assignment_enforcement_mode: "Default" -policy_effect: "Deny" -policy_exemptions: {} -subscription_billing_scope: "" -tags: {} -top_level_management_group_name: "Financial Services Landing Zone" -use_premium_firewall: true -vpn_gateway_config: {name: "noconfigVpn"} - -# Advanced Inputs -bootstrap_module_version: "v4.1.8" -starter_module_version: "latest" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml deleted file mode 100644 index cd736d27..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-hubnetworking.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps#2212-azure-devops-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_azuredevops" -starter_module_name: "hubnetworking" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Hub Networking Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking) -root_id: "" -root_name: "" -hub_virtual_network_address_prefix: "" -firewall_subnet_address_prefix: "" -gateway_subnet_address_prefix: "" -virtual_network_gateway_creation_enabled: "true" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml deleted file mode 100644 index bf5c9e76..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-azure-devops-terraform-sovereign-landing-zone.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Azure-DevOps#2212-azure-devops-with-terraform - -# Basic Inputs -iac: "terraform" -bootstrap: "alz_azuredevops" -starter: "sovereign_landing_zone" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] # NOTE: SLZ only support a single region by design -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -azure_devops_personal_access_token: "" -azure_devops_agents_personal_access_token: "" -azure_devops_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "slz" -environment_name: "mgmt" -postfix_number: 1 -azure_devops_use_organisation_legacy_url: false -azure_devops_create_project: true -azure_devops_project_name: "" -use_self_hosted_agents: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true -architecture_definition_name: "slz" -apply_alz_archetypes_via_architecture_definition_template: true - -# Sovereign Landing Zone Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone) -allowed_locations: [] -allowed_locations_for_confidential_computing: [] -az_firewall_policies_enabled: true -bastion_outbound_ssh_rdp_ports: ["22", "3389"] -custom_subnets: { - AzureBastionSubnet: { - address_prefixes: "10.20.15.0/24", - name: "AzureBastionSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - AzureFirewallSubnet: { - address_prefixes: "10.20.254.0/24", - name: "AzureFirewallSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - GatewaySubnet: { - address_prefixes: "10.20.252.0/24", - name: "GatewaySubnet", - 
networkSecurityGroupId: "", - routeTableId: "" - } -} -customer: "Country/Region" -customer_policy_sets: {} -default_postfix: "" -default_prefix: "slz" -deploy_bastion: true -deploy_ddos_protection: true -deploy_hub_network: true -deploy_log_analytics_workspace: true -enable_firewall: true -enable_telemetry: true -express_route_gateway_config: {name: "noconfigEr"} -hub_network_address_prefix: "10.20.0.0/16" -landing_zone_management_group_children: {} -log_analytics_workspace_retention_in_days: "365" -ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com" -policy_assignment_enforcement_mode: "Default" -policy_effect: "Deny" -policy_exemptions: {} -subscription_billing_scope: "" -tags: {} -top_level_management_group_name: "Sovereign Landing Zone" -use_premium_firewall: true -vpn_gateway_config: {name: "noconfigVpn"} - -# Advanced Inputs -bootstrap_module_version: "v4.1.8" -starter_module_version: "latest" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-bicep-complete.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-bicep-complete.yaml deleted file mode 100644 index 68890ce1..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-bicep-complete.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-GitHub#2221-github-with-bicep - -# Basic Inputs -iac_type: "bicep" -bootstrap_module_name: "alz_github" -starter_module_name: "complete" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Bicep-Complete) -Prefix: "alz" -Environment: "live" -networkType: "hubNetworking" -SecurityContact: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-basic.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-basic.yaml deleted file mode 100644 index e958d7b7..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-basic.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-GitHub#2222-github-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_github" -starter_module_name: "basic" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Basic Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Basic) -root_id: "" -root_name: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-complete-vnext.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-complete-vnext.yaml deleted file mode 100644 index d941dd56..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-complete-vnext.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-GitHub#2222-github-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_github" -starter_module_name: "complete_vnext" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Complete vNext Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Complete-vNext) -configuration_file_path: "" # Only required for the `complete` starter module. NOTE: This must be an absolute path. -default_postfix: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-complete.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-complete.yaml deleted file mode 100644 index 7c2cac08..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-complete.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-GitHub#2222-github-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_github" -starter_module_name: "complete" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Complete Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Complete) -configuration_file_path: "" # Only required for the `complete` starter module. NOTE: This must be an absolute path. -default_postfix: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml deleted file mode 100644 index 038926f6..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-financial-services-landing-zone.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -# Basic Inputs -iac: "terraform" -bootstrap: "alz_github" -starter: "financial_services_landing_zone" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] # NOTE: FSI only support a single region by design -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "fsi" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true -architecture_definition_name: "fsi" -apply_alz_archetypes_via_architecture_definition_template: true - -# Starter Module Specific Variables -allowed_locations: [] -allowed_locations_for_confidential_computing: [] -az_firewall_policies_enabled: true -bastion_outbound_ssh_rdp_ports: ["22", "3389"] -custom_subnets: { - AzureBastionSubnet: { - address_prefixes: "10.20.15.0/24", - name: "AzureBastionSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - AzureFirewallSubnet: { - address_prefixes: "10.20.254.0/24", - name: "AzureFirewallSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - GatewaySubnet: { - address_prefixes: "10.20.252.0/24", - name: "GatewaySubnet", - networkSecurityGroupId: "", - routeTableId: "" - } -} -customer: "Country/Region" -customer_policy_sets: {} -default_postfix: "" -default_prefix: "fsi" -deploy_bastion: true -deploy_ddos_protection: true -deploy_hub_network: true -deploy_log_analytics_workspace: true -enable_firewall: true -enable_telemetry: true -express_route_gateway_config: {name: "noconfigEr"} -hub_network_address_prefix: "10.20.0.0/16" -landing_zone_management_group_children: {} 
-log_analytics_workspace_retention_in_days: "365" -ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com" -policy_assignment_enforcement_mode: "Default" -policy_effect: "Deny" -policy_exemptions: {} -subscription_billing_scope: "" -tags: {} -top_level_management_group_name: "Financial Services Landing Zone" -use_premium_firewall: true -vpn_gateway_config: {name: "noconfigVpn"} - -# Advanced Inputs -bootstrap_module_version: "v4.1.8" -starter_module_version: "latest" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml deleted file mode 100644 index 3dbe457a..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-hubnetworking.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-GitHub#2222-github-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_github" -starter_module_name: "hubnetworking" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true - -# Hub Networking Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking) -root_id: "" -root_name: "" -hub_virtual_network_address_prefix: "" -firewall_subnet_address_prefix: "" -gateway_subnet_address_prefix: "" -virtual_network_gateway_creation_enabled: "true" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml deleted file mode 100644 index 565888ef..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-github-terraform-sovereign-landing-zone.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-GitHub#2222-github-with-terraform - -# Basic Inputs -iac: "terraform" -bootstrap: "alz_github" -starter: "sovereign_landing_zone" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] # NOTE: SLZ only support a single region by design -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -github_personal_access_token: "" -github_runners_personal_access_token: "" -github_organization_name: "" -use_separate_repository_for_templates: true -bootstrap_subscription_id: "" -service_name: "slz" -environment_name: "mgmt" -postfix_number: 1 -use_self_hosted_runners: true -use_private_networking: true -allow_storage_access_from_my_ip: false -apply_approvers: [""] -create_branch_policies: true -architecture_definition_name: "slz" -apply_alz_archetypes_via_architecture_definition_template: true - -# Sovereign Landing Zone Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone) -allowed_locations: [] -allowed_locations_for_confidential_computing: [] -az_firewall_policies_enabled: true -bastion_outbound_ssh_rdp_ports: ["22", "3389"] -custom_subnets: { - AzureBastionSubnet: { - address_prefixes: "10.20.15.0/24", - name: "AzureBastionSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - AzureFirewallSubnet: { - address_prefixes: "10.20.254.0/24", - name: "AzureFirewallSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - GatewaySubnet: { - address_prefixes: "10.20.252.0/24", - name: "GatewaySubnet", - networkSecurityGroupId: "", - routeTableId: "" - } -} -customer: "Country/Region" -customer_policy_sets: {} -default_postfix: "" -default_prefix: "slz" 
-deploy_bastion: true -deploy_ddos_protection: true -deploy_hub_network: true -deploy_log_analytics_workspace: true -enable_firewall: true -enable_telemetry: true -express_route_gateway_config: {name: "noconfigEr"} -hub_network_address_prefix: "10.20.0.0/16" -landing_zone_management_group_children: {} -log_analytics_workspace_retention_in_days: "365" -ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com" -policy_assignment_enforcement_mode: "Default" -policy_effect: "Deny" -policy_exemptions: {} -subscription_billing_scope: "" -tags: {} -top_level_management_group_name: "Sovereign Landing Zone" -use_premium_firewall: true -vpn_gateway_config: {name: "noconfigVpn"} - -# Advanced Inputs -bootstrap_module_version: "v4.1.8" -starter_module_version: "latest" diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-bicep-complete.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-bicep-complete.yaml deleted file mode 100644 index c011d339..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-bicep-complete.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Local#2231-local-file-system-with-bicep - -# Basic Inputs -iac_type: "bicep" -bootstrap_module_name: "alz_local" -starter_module_name: "complete" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: "true" -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 - -# Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Bicep-Complete) -Prefix: "alz" -Environment: "live" -networkType: "hubNetworking" -SecurityContact: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-basic.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-basic.yaml deleted file mode 100644 index 7b32a47e..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-basic.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Local#2232-local-file-system-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_local" -starter_module_name: "basic" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -grant_permissions_to_current_user: true - -# Basic Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Basic) -root_id: "" -root_name: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-complete-vnext.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-complete-vnext.yaml deleted file mode 100644 index 7ee44229..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-complete-vnext.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Local#2232-local-file-system-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_local" -starter_module_name: "complete_vnext" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -grant_permissions_to_current_user: true - -# Complete vNext Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Complete-vNext) -configuration_file_path: "" # Only required for the `complete` starter module. NOTE: This must be an absolute path. -default_postfix: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-complete.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-complete.yaml deleted file mode 100644 index 801c6486..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-complete.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Local#2232-local-file-system-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_local" -starter_module_name: "complete" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -grant_permissions_to_current_user: true - -# Complete Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Complete) -configuration_file_path: "" # Only required for the `complete` starter module. NOTE: This must be an absolute path. -default_postfix: "" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml deleted file mode 100644 index adb676e7..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-financial-services-landing-zone.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -# Basic Inputs -iac: "terraform" -bootstrap: "alz_local" -starter: "financial_services_landing_zone" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] # NOTE: FSI only support a single region by design -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: false -bootstrap_subscription_id: "" -service_name: "fsi" -environment_name: "mgmt" -postfix_number: 1 -architecture_definition_name: "fsi" -apply_alz_archetypes_via_architecture_definition_template: true - -# Starter Module Specific Variables -allowed_locations: [] -allowed_locations_for_confidential_computing: [] -az_firewall_policies_enabled: true -bastion_outbound_ssh_rdp_ports: ["22", "3389"] -custom_subnets: { - AzureBastionSubnet: { - address_prefixes: "10.20.15.0/24", - name: "AzureBastionSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - AzureFirewallSubnet: { - address_prefixes: "10.20.254.0/24", - name: "AzureFirewallSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - GatewaySubnet: { - address_prefixes: "10.20.252.0/24", - name: "GatewaySubnet", - networkSecurityGroupId: "", - routeTableId: "" - } -} -customer: "Country/Region" -customer_policy_sets: {} -default_postfix: "" -default_prefix: "fsi" -deploy_bastion: true -deploy_ddos_protection: true -deploy_hub_network: true -deploy_log_analytics_workspace: true -enable_firewall: true -enable_telemetry: true -express_route_gateway_config: {name: "noconfigEr"} -hub_network_address_prefix: "10.20.0.0/16" -landing_zone_management_group_children: {} -log_analytics_workspace_retention_in_days: "365" -ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com" -policy_assignment_enforcement_mode: "Default" -policy_effect: "Deny" -policy_exemptions: {} -subscription_billing_scope: "" -tags: {} 
-top_level_management_group_name: "Financial Services Landing Zone" -use_premium_firewall: true -vpn_gateway_config: {name: "noconfigVpn"} - -# Advanced Inputs -bootstrap_module_version: "v4.1.8" -starter_module_version: "latest" diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml deleted file mode 100644 index 9c03ff08..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-hubnetworking.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Local#2232-local-file-system-with-terraform - -# Basic Inputs -iac_type: "terraform" -bootstrap_module_name: "alz_local" -starter_module_name: "hubnetworking" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: true -bootstrap_subscription_id: "" -service_name: "alz" -environment_name: "mgmt" -postfix_number: 1 -grant_permissions_to_current_user: true - -# Hub Networking Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-HubNetworking) -root_id: "" -root_name: "" -hub_virtual_network_address_prefix: "" -firewall_subnet_address_prefix: "" -gateway_subnet_address_prefix: "" -virtual_network_gateway_creation_enabled: "true" - -# Advanced Inputs -bootstrap_module_version: "latest" -starter_module_version: "latest" -#output_folder_path: "/accelerator/output" 
diff --git a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml b/docs/wiki/examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml deleted file mode 100644 index 1c56c6a5..00000000 --- a/docs/wiki/examples/powershell-inputs/inputs-local-terraform-sovereign-landing-zone.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -# For detailed instructions on using this file, visit: -# https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Quick-Start-Phase-2-Local#2232-local-file-system-with-terraform - -# Basic Inputs -iac: "terraform" -bootstrap: "alz_local" -starter: "sovereign_landing_zone" - -# Shared Interface Inputs -bootstrap_location: "" -starter_locations: [""] # NOTE: SLZ only support a single region by design -root_parent_management_group_id: "" -subscription_id_management: "" -subscription_id_identity: "" -subscription_id_connectivity: "" - -# Bootstrap Inputs -target_directory: "" -create_bootstrap_resources_in_azure: false -bootstrap_subscription_id: "" -service_name: "slz" -environment_name: "mgmt" -postfix_number: 1 -architecture_definition_name: "slz" -apply_alz_archetypes_via_architecture_definition_template: true - -# Sovereign Landing Zone Starter Module Specific Variables -# (Details: https://github.com/Azure/ALZ-PowerShell-Module/wiki/%5BUser-Guide%5D-Starter-Module-Terraform-Sovereign-Landing-Zone) -allowed_locations: [] -allowed_locations_for_confidential_computing: [] -az_firewall_policies_enabled: true -bastion_outbound_ssh_rdp_ports: ["22", "3389"] -custom_subnets: { - AzureBastionSubnet: { - address_prefixes: "10.20.15.0/24", - name: "AzureBastionSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - AzureFirewallSubnet: { - address_prefixes: "10.20.254.0/24", - name: "AzureFirewallSubnet", - networkSecurityGroupId: "", - routeTableId: "" - }, - GatewaySubnet: { - address_prefixes: "10.20.252.0/24", - name: "GatewaySubnet", - networkSecurityGroupId: "", - routeTableId: "" - } -} -customer: "Country/Region" -customer_policy_sets: {} -default_postfix: "" -default_prefix: "slz" -deploy_bastion: true -deploy_ddos_protection: true -deploy_hub_network: true -deploy_log_analytics_workspace: true -enable_firewall: true -enable_telemetry: true -express_route_gateway_config: {name: "noconfigEr"} -hub_network_address_prefix: 
"10.20.0.0/16" -landing_zone_management_group_children: {} -log_analytics_workspace_retention_in_days: "365" -ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com" -policy_assignment_enforcement_mode: "Default" -policy_effect: "Deny" -policy_exemptions: {} -subscription_billing_scope: "" -tags: {} -top_level_management_group_name: "Sovereign Landing Zone" -use_premium_firewall: true -vpn_gateway_config: {name: "noconfigVpn"} - -# Advanced Inputs -bootstrap_module_version: "v4.1.8" -starter_module_version: "latest" diff --git a/docs/wiki/examples/starter-module-config/complete/config-hub-spoke.yaml b/docs/wiki/examples/starter-module-config/complete/config-hub-spoke.yaml deleted file mode 100644 index eec3a002..00000000 --- a/docs/wiki/examples/starter-module-config/complete/config-hub-spoke.yaml +++ /dev/null 
@@ -1,235 +0,0 @@ -# This file contains templated variables to avoid repeating the same hard-coded values. -# Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use: -# `starter_location`: This is an Azure location sourced from the `starter_location` variable. This can be used to set the location of resources. -# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency. -# `root_parent_management_group_id`: This is the id of the management group that the ALZ hierarchy will be nested under. -# `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. -# `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. -# `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. ---- -archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. 
- # Base variables - root_name: Contoso - root_id: contoso - subscription_id_connectivity: ${subscription_id_connectivity} - subscription_id_identity: ${subscription_id_identity} - subscription_id_management: ${subscription_id_management} - root_parent_id: ${root_parent_management_group_id} - deploy_core_landing_zones: true - deploy_corp_landing_zones: true - deploy_online_landing_zones: true - default_location: ${starter_location} - deploy_management_resources: true - deploy_connectivity_resources: true - deploy_identity_resources: true - disable_telemetry: true - - # Management - configure_management_resources: - location: ${starter_location} - settings: - log_analytics: - enabled: true - config: - retention_in_days: 50 - enable_monitoring_for_vm: true - enable_monitoring_for_vmss: true - enable_solution_for_agent_health_assessment: true - enable_solution_for_anti_malware: true - enable_solution_for_change_tracking: true - enable_solution_for_service_map: true - enable_solution_for_sql_assessment: true - enable_solution_for_sql_vulnerability_assessment: true - enable_solution_for_sql_advanced_threat_detection: true - enable_solution_for_updates: true - enable_solution_for_vm_insights: true - enable_solution_for_container_insights: true - enable_sentinel: true - security_center: - enabled: true - config: - email_security_contact: "user@contoso.com" - enable_defender_for_apis: true - enable_defender_for_app_services: true - enable_defender_for_arm: true - enable_defender_for_containers: true - enable_defender_for_cosmosdbs: true - enable_defender_for_cspm: true - enable_defender_for_dns: true - enable_defender_for_key_vault: true - enable_defender_for_oss_databases: true - enable_defender_for_servers: true - enable_defender_for_servers_vulnerability_assessments: true - enable_defender_for_sql_servers: true - enable_defender_for_sql_server_vms: true - enable_defender_for_storage: true - location: ${starter_location} - tags: null - advanced: - 
asc_export_resource_group_name: rg-asc-export - custom_settings_by_resource_type: - azurerm_resource_group: - management: - name: rg-management - azurerm_log_analytics_workspace: - management: - name: log-management - azurerm_automation_account: - management: - name: aa-management - - # Networking - configure_connectivity_resources: - settings: - hub_networks: - - config: - address_space: - - 10.100.0.0/16 - location: ${starter_location} - link_to_ddos_protection_plan: false - dns_servers: [] - bgp_community: "" - subnets: [] - virtual_network_gateway: - enabled: true - config: - address_prefix: 10.100.1.0/24 - gateway_sku_expressroute: ErGw2AZ - gateway_sku_vpn: null - advanced_vpn_settings: - enable_bgp: null - active_active: null - private_ip_address_allocation: "" - default_local_network_gateway_id: "" - vpn_client_configuration: [] - bgp_settings: [] - custom_route: [] - azure_firewall: - enabled: false - config: - address_prefix: 10.100.0.0/24 - enable_dns_proxy: true - sku_tier: "" - base_policy_id: "" - private_ip_ranges: [] - threat_intelligence_mode: "" - threat_intelligence_allowlist: {} - availability_zones: - zone_1: true - zone_2: true - zone_3: true - spoke_virtual_network_resource_ids: [] - enable_outbound_virtual_network_peering: true - enable_hub_network_mesh_peering: false - vwan_hub_networks: [] - ddos_protection_plan: - enabled: false - config: - location: ${starter_location} - dns: - enabled: true - config: - location: null - enable_private_link_by_service: - azure_api_management: true - azure_app_configuration_stores: true - azure_arc: true - azure_automation_dscandhybridworker: true - azure_automation_webhook: true - azure_backup: true - azure_batch_account: true - azure_bot_service_bot: true - azure_bot_service_token: true - azure_cache_for_redis: true - azure_cache_for_redis_enterprise: true - azure_container_registry: true - azure_cosmos_db_cassandra: true - azure_cosmos_db_gremlin: true - azure_cosmos_db_mongodb: true - 
azure_cosmos_db_sql: true - azure_cosmos_db_table: true - azure_data_explorer: true - azure_data_factory: true - azure_data_factory_portal: true - azure_data_health_data_services: true - azure_data_lake_file_system_gen2: true - azure_database_for_mariadb_server: true - azure_database_for_mysql_server: true - azure_database_for_postgresql_server: true - azure_digital_twins: true - azure_event_grid_domain: true - azure_event_grid_topic: true - azure_event_hubs_namespace: true - azure_file_sync: true - azure_hdinsights: true - azure_iot_dps: true - azure_iot_hub: true - azure_key_vault: true - azure_key_vault_managed_hsm: true - azure_kubernetes_service_management: true - azure_machine_learning_workspace: true - azure_managed_disks: true - azure_media_services: true - azure_migrate: true - azure_monitor: true - azure_purview_account: true - azure_purview_studio: true - azure_relay_namespace: true - azure_search_service: true - azure_service_bus_namespace: true - azure_site_recovery: true - azure_sql_database_sqlserver: true - azure_synapse_analytics_dev: true - azure_synapse_analytics_sql: true - azure_synapse_studio: true - azure_web_apps_sites: true - azure_web_apps_static_sites: true - cognitive_services_account: true - microsoft_power_bi: true - signalr: true - signalr_webpubsub: true - storage_account_blob: true - private_link_locations: - - ${starter_location} - public_dns_zones: [] - private_dns_zones: [] - enable_private_dns_zone_virtual_network_link_on_hubs: true - enable_private_dns_zone_virtual_network_link_on_spokes: true - virtual_network_resource_ids_to_link: [] - location: ${starter_location} - tags: null - advanced: null - - # Identity - configure_identity_resources: - settings: - identity: - enabled: true - config: - enable_deny_public_ip: true - enable_deny_rdp_from_internet: true - enable_deny_subnet_without_nsg: true - enable_deploy_azure_backup_on_vms: true - -# ** vNext ** -# vNext is currently under development and will contain the next version 
of Terraform providers for CAF ALZ deployment. - -# connectivity: -# hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. -# hub_virtual_networks: -# primary: -# name: vnet-hub -# resource_group_name: rg-connectivity -# location: ${starter_location} -# address_space: -# - 10.0.0.0/16 -# firewall: -# name: fw-hub -# sku_name: AZFW_VNet -# sku_tier: Standard -# subnet_address_prefix: 10.0.1.0/24 -# virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. -# name: vgw-hub -# sku: VpnGw1 -# type: Vpn -# subnet_address_prefix: 10.0.2.0/24 diff --git a/docs/wiki/examples/starter-module-config/complete/config-vwan.yaml b/docs/wiki/examples/starter-module-config/complete/config-vwan.yaml deleted file mode 100644 index 3298321f..00000000 --- a/docs/wiki/examples/starter-module-config/complete/config-vwan.yaml +++ /dev/null 
@@ -1,229 +0,0 @@ -# This file contains templated variables to avoid repeating the same hard-coded values. -# Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use: -# `starter_location`: This is an Azure location sourced from the `starter_location` variable. This can be used to set the location of resources. -# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency. -# `root_parent_management_group_id`: This is the id of the management group that the ALZ hierarchy will be nested under. -# `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. -# `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. -# `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. ---- -archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. 
- # Base variables - root_name: Contoso - root_id: contoso - subscription_id_connectivity: ${subscription_id_connectivity} - subscription_id_identity: ${subscription_id_identity} - subscription_id_management: ${subscription_id_management} - root_parent_id: ${root_parent_management_group_id} - deploy_core_landing_zones: true - deploy_corp_landing_zones: true - deploy_online_landing_zones: true - default_location: ${starter_location} - deploy_management_resources: true - deploy_connectivity_resources: true - deploy_identity_resources: true - disable_telemetry: true - - # Management - configure_management_resources: - location: ${starter_location} - settings: - log_analytics: - enabled: true - config: - retention_in_days: 50 - enable_monitoring_for_vm: true - enable_monitoring_for_vmss: true - enable_solution_for_agent_health_assessment: true - enable_solution_for_anti_malware: true - enable_solution_for_change_tracking: true - enable_solution_for_service_map: true - enable_solution_for_sql_assessment: true - enable_solution_for_sql_vulnerability_assessment: true - enable_solution_for_sql_advanced_threat_detection: true - enable_solution_for_updates: true - enable_solution_for_vm_insights: true - enable_solution_for_container_insights: true - enable_sentinel: true - security_center: - enabled: true - config: - email_security_contact: "user@contoso.com" - enable_defender_for_apis: true - enable_defender_for_app_services: true - enable_defender_for_arm: true - enable_defender_for_containers: true - enable_defender_for_cosmosdbs: true - enable_defender_for_cspm: true - enable_defender_for_dns: true - enable_defender_for_key_vault: true - enable_defender_for_oss_databases: true - enable_defender_for_servers: true - enable_defender_for_servers_vulnerability_assessments: true - enable_defender_for_sql_servers: true - enable_defender_for_sql_server_vms: true - enable_defender_for_storage: true - location: ${starter_location} - tags: null - advanced: - 
asc_export_resource_group_name: rg-asc-export - custom_settings_by_resource_type: - azurerm_resource_group: - management: - name: rg-management - azurerm_log_analytics_workspace: - management: - name: log-management - azurerm_automation_account: - management: - name: aa-management - - # Networking - configure_connectivity_resources: - settings: - hub_networks: [] - vwan_hub_networks: - - enabled: true - config: - address_prefix: 10.200.0.0/22 - location: ${starter_location} - sku: "" - routes: [] - expressroute_gateway: - enabled: true - config: - scale_unit: 1 - vpn_gateway: - enabled: true - config: - bgp_settings: [] - routing_preference: "" - scale_unit: 1 - azure_firewall: - enabled: false - config: - enable_dns_proxy: true - dns_servers: [] - sku_tier: "Standard" - base_policy_id: "" - private_ip_ranges: [] - threat_intelligence_mode: "" - threat_intelligence_allowlist: {} - availability_zones: - zone_1: true - zone_2: true - zone_3: true - spoke_virtual_network_resource_ids: [] - enable_outbound_virtual_network_peering: true - enable_hub_network_mesh_peering: false - ddos_protection_plan: - enabled: false - config: - location: ${starter_location} - dns: - enabled: true - config: - location: null - enable_private_link_by_service: - azure_api_management: true - azure_app_configuration_stores: true - azure_arc: true - azure_automation_dscandhybridworker: true - azure_automation_webhook: true - azure_backup: true - azure_batch_account: true - azure_bot_service_bot: true - azure_bot_service_token: true - azure_cache_for_redis: true - azure_cache_for_redis_enterprise: true - azure_container_registry: true - azure_cosmos_db_cassandra: true - azure_cosmos_db_gremlin: true - azure_cosmos_db_mongodb: true - azure_cosmos_db_sql: true - azure_cosmos_db_table: true - azure_data_explorer: true - azure_data_factory: true - azure_data_factory_portal: true - azure_data_health_data_services: true - azure_data_lake_file_system_gen2: true - azure_database_for_mariadb_server: 
true - azure_database_for_mysql_server: true - azure_database_for_postgresql_server: true - azure_digital_twins: true - azure_event_grid_domain: true - azure_event_grid_topic: true - azure_event_hubs_namespace: true - azure_file_sync: true - azure_hdinsights: true - azure_iot_dps: true - azure_iot_hub: true - azure_key_vault: true - azure_key_vault_managed_hsm: true - azure_kubernetes_service_management: true - azure_machine_learning_workspace: true - azure_managed_disks: true - azure_media_services: true - azure_migrate: true - azure_monitor: true - azure_purview_account: true - azure_purview_studio: true - azure_relay_namespace: true - azure_search_service: true - azure_service_bus_namespace: true - azure_site_recovery: true - azure_sql_database_sqlserver: true - azure_synapse_analytics_dev: true - azure_synapse_analytics_sql: true - azure_synapse_studio: true - azure_web_apps_sites: true - azure_web_apps_static_sites: true - cognitive_services_account: true - microsoft_power_bi: true - signalr: true - signalr_webpubsub: true - storage_account_blob: true - private_link_locations: - - ${starter_location} - public_dns_zones: [] - private_dns_zones: [] - enable_private_dns_zone_virtual_network_link_on_hubs: true - enable_private_dns_zone_virtual_network_link_on_spokes: true - virtual_network_resource_ids_to_link: [] - location: ${starter_location} - tags: null - advanced: null - - # Identity - configure_identity_resources: - settings: - identity: - enabled: true - config: - enable_deny_public_ip: true - enable_deny_rdp_from_internet: true - enable_deny_subnet_without_nsg: true - enable_deploy_azure_backup_on_vms: true - -# ** vNext ** -# vNext is currently under development and will contain the next version of Terraform providers for CAF ALZ deployment. - -# connectivity: -# hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. 
-# hub_virtual_networks: -# primary: -# name: vnet-hub -# resource_group_name: rg-connectivity -# location: ${starter_location} -# address_space: -# - 10.0.0.0/16 -# firewall: -# name: fw-hub -# sku_name: AZFW_VNet -# sku_tier: Standard -# subnet_address_prefix: 10.0.1.0/24 -# virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. -# name: vgw-hub -# sku: VpnGw1 -# type: Vpn -# subnet_address_prefix: 10.0.2.0/24 diff --git a/docs/wiki/media/ALZ Accelerator Drawings.pptx b/docs/wiki/media/ALZ Accelerator Drawings.pptx deleted file mode 100644 index 42a1f1fe..00000000 Binary files a/docs/wiki/media/ALZ Accelerator Drawings.pptx and /dev/null differ diff --git a/docs/wiki/media/ALZLogo.png b/docs/wiki/media/ALZLogo.png deleted file mode 100644 index f831c043..00000000 Binary files a/docs/wiki/media/ALZLogo.png and /dev/null differ diff --git a/docs/wiki/media/Logo-Small.png b/docs/wiki/media/Logo-Small.png deleted file mode 100644 index 4a641a30..00000000 Binary files a/docs/wiki/media/Logo-Small.png and /dev/null differ diff --git a/docs/wiki/media/Logo.png b/docs/wiki/media/Logo.png deleted file mode 100644 index e4e5f669..00000000 Binary files a/docs/wiki/media/Logo.png and /dev/null differ diff --git a/docs/wiki/media/MS-Azure_logo_horiz_c-gray_rgb.png b/docs/wiki/media/MS-Azure_logo_horiz_c-gray_rgb.png deleted file mode 100644 index 4b1879ea..00000000 Binary files a/docs/wiki/media/MS-Azure_logo_horiz_c-gray_rgb.png and /dev/null differ diff --git a/docs/wiki/media/MS-Azure_logo_horiz_c-white_rgb.png b/docs/wiki/media/MS-Azure_logo_horiz_c-white_rgb.png deleted file mode 100644 index e1204c5a..00000000 Binary files a/docs/wiki/media/MS-Azure_logo_horiz_c-white_rgb.png and /dev/null differ 
diff --git a/docs/wiki/media/MS-Azure_logo_horiz_white_rgb.png b/docs/wiki/media/MS-Azure_logo_horiz_white_rgb.png deleted file mode 100644 index a06f0501..00000000 Binary files a/docs/wiki/media/MS-Azure_logo_horiz_white_rgb.png and /dev/null differ diff --git a/docs/wiki/media/Terraform_PrimaryLogo_ColorWhite_RGB.png b/docs/wiki/media/Terraform_PrimaryLogo_ColorWhite_RGB.png deleted file mode 100644 index b9959cef..00000000 Binary files a/docs/wiki/media/Terraform_PrimaryLogo_ColorWhite_RGB.png and /dev/null differ diff --git a/docs/wiki/media/Terraform_PrimaryLogo_Color_RGB.png b/docs/wiki/media/Terraform_PrimaryLogo_Color_RGB.png deleted file mode 100644 index 2bd59f42..00000000 Binary files a/docs/wiki/media/Terraform_PrimaryLogo_Color_RGB.png and /dev/null differ diff --git a/docs/wiki/media/Terraform_PrimaryLogo_White_RGB.png b/docs/wiki/media/Terraform_PrimaryLogo_White_RGB.png deleted file mode 100644 index 32f16b6e..00000000 Binary files a/docs/wiki/media/Terraform_PrimaryLogo_White_RGB.png and /dev/null differ diff --git a/docs/wiki/media/alz-terraform-acclerator.png b/docs/wiki/media/alz-terraform-acclerator.png deleted file mode 100644 index 4837c1ec..00000000 Binary files a/docs/wiki/media/alz-terraform-acclerator.png and /dev/null differ diff --git a/docs/wiki/media/azure.svg b/docs/wiki/media/azure.svg deleted file mode 100644 index 45e44a9e..00000000 --- a/docs/wiki/media/azure.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/docs/wiki/media/components.png b/docs/wiki/media/components.png deleted file mode 100644 index 36fc27dd..00000000 Binary files a/docs/wiki/media/components.png and /dev/null differ diff --git a/docs/wiki/media/ps_black_64.svg b/docs/wiki/media/ps_black_64.svg deleted file mode 100644 index a238b21f..00000000 --- a/docs/wiki/media/ps_black_64.svg +++ /dev/null @@ -1,120 +0,0 @@ - - - -image/svg+xml \ No newline at end of file 
diff --git a/docs/wiki/media/starter-module-basic.png b/docs/wiki/media/starter-module-basic.png deleted file mode 100644 index 1ada24f2..00000000 Binary files a/docs/wiki/media/starter-module-basic.png and /dev/null differ diff --git a/docs/wiki/media/starter-module-hubnetworking.png b/docs/wiki/media/starter-module-hubnetworking.png deleted file mode 100644 index a772597c..00000000 Binary files a/docs/wiki/media/starter-module-hubnetworking.png and /dev/null differ diff --git a/docs/wiki/media/starter-module-microsoft_cloud_for_financial_services_industry.png b/docs/wiki/media/starter-module-microsoft_cloud_for_financial_services_industry.png deleted file mode 100644 index 3442218b..00000000 Binary files a/docs/wiki/media/starter-module-microsoft_cloud_for_financial_services_industry.png and /dev/null differ diff --git a/docs/wiki/media/starter-module-microsoft_cloud_for_sovereignty.png b/docs/wiki/media/starter-module-microsoft_cloud_for_sovereignty.png deleted file mode 100644 index 2f9a71b8..00000000 Binary files a/docs/wiki/media/starter-module-microsoft_cloud_for_sovereignty.png and /dev/null differ diff --git a/docs/wiki/media/variables-archetype_config_overrides-mapping.png b/docs/wiki/media/variables-archetype_config_overrides-mapping.png deleted file mode 100644 index c051d7c9..00000000 Binary files a/docs/wiki/media/variables-archetype_config_overrides-mapping.png and /dev/null differ
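Review bot: in the deleted YAML example (the `# Base variables` through `# Identity` blocks, ending in the commented `# ** vNext **` section), the documented security baseline is removed and nothing in the lines shown replaces it or points to a new location. That baseline includes the `enable_defender_for_*` toggles under `security_center`, `enable_sentinel: true`, and the identity guardrails `enable_deny_public_ip`, `enable_deny_rdp_from_internet` and `enable_deny_subnet_without_nsg`. If the wiki is being moved rather than dropped, state that in the commit message and link the new home. When the example is re-homed, also note beside it that the vWAN hub has `azure_firewall` and `ddos_protection_plan` set to `enabled: false`, so readers do not copy that as the recommended posture.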
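Review bot: the `docs/wiki/media/` deletions remove the diagrams the wiki pages embed (`starter-module-basic.png`, `starter-module-hubnetworking.png`, `variables-archetype_config_overrides-mapping.png`, `components.png` and the logo files), so any markdown that stays in the repository and links into `docs/wiki/media/` will render broken images. Search the remaining `.md` files for that path before merging. `ALZ Accelerator Drawings.pptx` is deleted as well; confirm the editable source for the diagrams is kept somewhere if they will need updating later.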