diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 00195b17f..6e46e45b0 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:0.13.6-2103.0304 + image: aztfmod/rover:0.14.10-2104.0803 user: vscode labels: diff --git a/.github/workflows/landingzones.yml b/.github/workflows/landingzones-tf13.yml similarity index 72% rename from .github/workflows/landingzones.yml rename to .github/workflows/landingzones-tf13.yml index 32d1685fd..12782b4b9 100644 --- a/.github/workflows/landingzones.yml +++ b/.github/workflows/landingzones-tf13.yml @@ -3,23 +3,11 @@ # Licensed under the MIT License. # -name: landingzones - +name: landingzones-tf13 + on: - pull_request: - paths-ignore: - - 'documentation/**' - - '_pictures/**' - - 'README.md' - - 'CHANGELOG.md' - push: - paths-ignore: - - 'documentation/**' - - '_pictures/**' - - 'README.md' - - 'CHANGELOG.md' schedule: - - cron: '0 4 * * *' + - cron: '0 2 * * *' env: TF_CLI_ARGS: '-no-color' @@ -42,7 +30,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.13.6-2103.0304 + image: aztfmod/rover:0.13.6-2104.0803 options: --user 0 steps: @@ -57,8 +45,8 @@ jobs: - name: launchpad run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/100 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/100 \ -level level0 \ -launchpad \ -parallelism=30 \ 
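Review bot: The rover image on the `image:` line is pinned only by tag (`aztfmod/rover:0.14.10-2104.0803`); a tag is mutable, so the dev container — and the `container.image` lines bumped in landingzones-tf13.yml, landingzones-tf14.yml and landingzones-tf15.yml — can silently start pulling different bits than the ones reviewed here. Since this container is where Azure credentials and Terraform state are handled, pin the digest alongside the tag, e.g. `image: aztfmod/rover:0.14.10-2104.0803@sha256:<digest-placeholder>`, and refresh the digest in the same commit as the tag bump. Digest pinning also makes each rover upgrade auditable from the diff alone.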
@@ -69,10 +57,13 @@ jobs: - name: foundations run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/100-passthrough \ + -tfstate caf_foundations.tfstate \ -level level1 \ -parallelism=30 \ - --environment ${{ github.run_id }} + --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' networking100: name: networking-100 @@ -84,14 +75,14 @@ jobs: fail-fast: false matrix: config_files: [ - "caf_networking/scenario/100-single-region-hub", - "caf_networking/scenario/101-multi-region-hub", - "caf_networking/scenario/105-hub-and-spoke", - "caf_networking/scenario/106-hub-virtual-wan-firewall" + "caf_solution/scenario/networking/100-single-region-hub", + "caf_solution/scenario/networking/101-multi-region-hub", + "caf_solution/scenario/networking/105-hub-and-spoke", + "caf_solution/scenario/networking/106-hub-virtual-wan-firewall" ] container: - image: aztfmod/rover:0.13.6-2103.0304 + image: aztfmod/rover:0.13.6-2104.0803 options: --user 0 steps: 
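Review bot: The new `'-var tags={testing_job_id="${{ github.run_id }}"}'` argument in the foundations step is one single-quoted shell word, so rover.sh receives a single argv entry containing `-var tags=...` rather than `-var` followed by `tags=...`; that only works if rover.sh re-evaluates its trailing arguments before invoking terraform, which the hunk cannot show. If that behaviour is what the line relies on, a comment above the step such as `# quoted as one word: rover re-splits trailing args before calling terraform` would save the next reader a debugging round. The `${{ github.run_id }}` expansion inside `run:` is harmless here only because run_id is numeric; if this tag is ever fed from a string context (branch name, PR title), pass it through an `env:` entry instead of template expansion. The same line is added to the foundations-200-upgrade and foundations destroy steps of this file and of landingzones-tf14.yml and landingzones-tf15.yml.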
@@ -104,20 +95,20 @@ jobs: - name: deploy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} - name: destroy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} \ -refresh=false \ -auto-approve @@ -135,7 +126,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.13.6-2103.0304 + image: aztfmod/rover:0.13.6-2104.0803 options: --user 0 steps: @@ -150,8 +141,8 @@ jobs: - name: launchpad-200-upgrade run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \ -level level0 \ -launchpad \ -parallelism=30 \ 
@@ -162,9 +153,13 @@ jobs: - name: foundations-200-upgrade run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \ - -level level1 \ - --environment ${{ github.run_id }} + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \ + -tfstate caf_foundations.tfstate \ + -level level1 \ + -parallelism=30 \ + --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' networking200: name: networking-200 @@ -176,13 +171,13 @@ jobs: fail-fast: false matrix: config_files: [ - "caf_networking/scenario/200-single-region-hub", - "caf_networking/scenario/201-multi-region-hub", - "caf_networking/scenario/210-aks-private" + "caf_solution/scenario/networking/200-single-region-hub", + "caf_solution/scenario/networking/201-multi-region-hub", + "caf_solution/scenario/networking/210-aks-private" ] container: - image: aztfmod/rover:0.13.6-2103.0304 + image: aztfmod/rover:0.13.6-2104.0803 options: --user 0 steps: 
@@ -195,20 +190,20 @@ jobs: - name: deploy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} - name: destroy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} \ -refresh=false \ -auto-approve @@ -225,7 +220,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.13.6-2103.0304 + image: aztfmod/rover:0.13.6-2104.0803 options: --user 0 steps: @@ -240,16 +235,19 @@ jobs: - name: foundations run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a destroy \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \ + -tfstate caf_foundations.tfstate \ -level level1 \ -parallelism=30 \ --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' \ -auto-approve - name: Remove launchpad run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a destroy \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a destroy \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \ -level level0 \ -launchpad \ -parallelism=30 \ 
diff --git a/.github/workflows/landingzones-tf14.yml b/.github/workflows/landingzones-tf14.yml index 252c3e8d9..b32386bfd 100644 --- a/.github/workflows/landingzones-tf14.yml +++ b/.github/workflows/landingzones-tf14.yml @@ -4,10 +4,16 @@ # name: landingzones-tf14 - + on: + pull_request: + paths-ignore: + - 'documentation/**' + - '_pictures/**' + - 'README.md' + - 'CHANGELOG.md' schedule: - - cron: '0 1 * * *' + - cron: '0 0 * * *' env: TF_CLI_ARGS: '-no-color' @@ -30,7 +36,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.14.7-2103.0304 + image: aztfmod/rover:0.14.10-2104.0803 options: --user 0 steps: @@ -45,8 +51,8 @@ jobs: - name: launchpad run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/100 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/100 \ -level level0 \ -launchpad \ -parallelism=30 \ @@ -57,10 +63,13 @@ jobs: - name: foundations run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/100-passthrough \ + -tfstate caf_foundations.tfstate \ -level level1 \ -parallelism=30 \ - --environment ${{ github.run_id }} + --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' networking100: name: networking-100 
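Review bot: Adding `pull_request:` to a workflow whose jobs run `rover.sh ... -a apply` (and later `-a destroy ... -auto-approve`) means every pull request now executes Terraform against the test subscription with whatever credentials the jobs are given, and the `paths-ignore` list does not exclude `.github/workflows/**`, so a PR that edits this file runs its own edited commands; the same trigger was just removed from landingzones-tf13.yml, so this moves rather than introduces the exposure. Fork PRs on the `pull_request` event do not receive repository secrets, but same-repository branches do; consider attaching the apply/destroy jobs to an `environment:` with required reviewers, or guarding them with `if: github.event.pull_request.head.repo.full_name == github.repository`. The credential wiring is outside the hunk, so treat this as a point to confirm rather than a confirmed problem.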
@@ -72,14 +81,14 @@ jobs: fail-fast: false matrix: config_files: [ - "caf_networking/scenario/100-single-region-hub", - "caf_networking/scenario/101-multi-region-hub", - "caf_networking/scenario/105-hub-and-spoke", - "caf_networking/scenario/106-hub-virtual-wan-firewall" + "caf_solution/scenario/networking/100-single-region-hub", + "caf_solution/scenario/networking/101-multi-region-hub", + "caf_solution/scenario/networking/105-hub-and-spoke", + "caf_solution/scenario/networking/106-hub-virtual-wan-firewall" ] container: - image: aztfmod/rover:0.14.7-2103.0304 + image: aztfmod/rover:0.14.10-2104.0803 options: --user 0 steps: @@ -92,20 +101,20 @@ jobs: - name: deploy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} - name: destroy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} \ -refresh=false \ -auto-approve @@ -123,7 +132,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.14.7-2103.0304 + image: aztfmod/rover:0.14.10-2104.0803 options: --user 0 steps: 
@@ -138,8 +147,8 @@ jobs: - name: launchpad-200-upgrade run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \ -level level0 \ -launchpad \ -parallelism=30 \ @@ -150,9 +159,13 @@ jobs: - name: foundations-200-upgrade run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \ - -level level1 \ - --environment ${{ github.run_id }} + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \ + -tfstate caf_foundations.tfstate \ + -level level1 \ + -parallelism=30 \ + --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' networking200: name: networking-200 @@ -164,13 +177,13 @@ jobs: fail-fast: false matrix: config_files: [ - "caf_networking/scenario/200-single-region-hub", - "caf_networking/scenario/201-multi-region-hub", - "caf_networking/scenario/210-aks-private" + "caf_solution/scenario/networking/200-single-region-hub", + "caf_solution/scenario/networking/201-multi-region-hub", + "caf_solution/scenario/networking/210-aks-private" ] container: - image: aztfmod/rover:0.14.7-2103.0304 + image: aztfmod/rover:0.14.10-2104.0803 options: --user 0 steps: 
@@ -183,20 +196,20 @@ jobs: - name: deploy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} - name: destroy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} \ -refresh=false \ -auto-approve @@ -213,7 +226,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.14.7-2103.0304 + image: aztfmod/rover:0.14.10-2104.0803 options: --user 0 steps: @@ -228,16 +241,19 @@ jobs: - name: foundations run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a destroy \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \ + -tfstate caf_foundations.tfstate \ -level level1 \ -parallelism=30 \ --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' \ -auto-approve - name: Remove launchpad run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a destroy \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a destroy \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \ -level level0 \ -launchpad \ -parallelism=30 \ 
diff --git a/.github/workflows/landingzones-tf15.yml b/.github/workflows/landingzones-tf15.yml index 79276e89e..58184cb32 100644 --- a/.github/workflows/landingzones-tf15.yml +++ b/.github/workflows/landingzones-tf15.yml @@ -4,10 +4,10 @@ # name: landingzones-tf15 - + on: schedule: - - cron: '0 0 * * *' + - cron: '0 3 * * *' env: TF_CLI_ARGS: '-no-color' @@ -30,7 +30,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.15.0-alpha20210210-2103.0304 + image: aztfmod/rover:0.15.0-rc2-2104.0803 options: --user 0 steps: @@ -45,8 +45,8 @@ jobs: - name: launchpad run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/100 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/100 \ -level level0 \ -launchpad \ -parallelism=30 \ @@ -57,10 +57,13 @@ jobs: - name: foundations run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/100-passthrough \ + -tfstate caf_foundations.tfstate \ -level level1 \ -parallelism=30 \ - --environment ${{ github.run_id }} + --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' networking100: name: networking-100 
@@ -72,14 +75,14 @@ jobs: fail-fast: false matrix: config_files: [ - "caf_networking/scenario/100-single-region-hub", - "caf_networking/scenario/101-multi-region-hub", - "caf_networking/scenario/105-hub-and-spoke", - "caf_networking/scenario/106-hub-virtual-wan-firewall" + "caf_solution/scenario/networking/100-single-region-hub", + "caf_solution/scenario/networking/101-multi-region-hub", + "caf_solution/scenario/networking/105-hub-and-spoke", + "caf_solution/scenario/networking/106-hub-virtual-wan-firewall" ] container: - image: aztfmod/rover:0.15.0-alpha20210210-2103.0304 + image: aztfmod/rover:0.15.0-rc2-2104.0803 options: --user 0 steps: @@ -92,20 +95,20 @@ jobs: - name: deploy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} - name: destroy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} \ -refresh=false \ -auto-approve @@ -123,7 +126,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.15.0-alpha20210210-2103.0304 + image: aztfmod/rover:0.15.0-rc2-2104.0803 options: --user 0 steps: 
@@ -138,8 +141,8 @@ jobs: - name: launchpad-200-upgrade run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \ -level level0 \ -launchpad \ -parallelism=30 \ @@ -150,9 +153,13 @@ jobs: - name: foundations-200-upgrade run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \ - -level level1 \ - --environment ${{ github.run_id }} + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a apply \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \ + -tfstate caf_foundations.tfstate \ + -level level1 \ + -parallelism=30 \ + --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' networking200: name: networking-200 @@ -164,13 +171,13 @@ jobs: fail-fast: false matrix: config_files: [ - "caf_networking/scenario/200-single-region-hub", - "caf_networking/scenario/201-multi-region-hub", - "caf_networking/scenario/210-aks-private" + "caf_solution/scenario/networking/200-single-region-hub", + "caf_solution/scenario/networking/201-multi-region-hub", + "caf_solution/scenario/networking/210-aks-private" ] container: - image: aztfmod/rover:0.15.0-alpha20210210-2103.0304 + image: aztfmod/rover:0.15.0-rc2-2104.0803 options: --user 0 steps: 
@@ -183,20 +190,20 @@ jobs: - name: deploy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a apply \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} - name: destroy example run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution/ -a destroy \ -tfstate $(basename ${{ matrix.config_files }}).tfstate \ -level level2 \ -parallelism=30 \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \ + -var-folder ${GITHUB_WORKSPACE}/${{ matrix.config_files }} \ --environment ${{ github.run_id }} \ -refresh=false \ -auto-approve @@ -213,7 +220,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.15.0-alpha20210210-2103.0304 + image: aztfmod/rover:0.15.0-rc2-2104.0803 options: --user 0 steps: @@ -228,16 +235,19 @@ jobs: - name: foundations run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a destroy \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_solution -a destroy \ + -var-folder ${GITHUB_WORKSPACE}/caf_solution/scenario/foundations/gitops \ + -tfstate caf_foundations.tfstate \ -level level1 \ -parallelism=30 \ --environment ${{ github.run_id }} \ + '-var tags={testing_job_id="${{ github.run_id }}"}' \ -auto-approve - name: Remove launchpad run: | - /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a destroy \ - -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \ + /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/caf_launchpad -a destroy \ + -var-folder ${GITHUB_WORKSPACE}/caf_launchpad/scenario/200 \ -level level0 \ -launchpad \ -parallelism=30 \ 
diff --git a/.gitignore b/.gitignore
index 7afced0f7..a043b16a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,9 @@
 **/terraform.tfstate.d
 **/terraform.tfstate.backup
 **/.terraform.tfstate.lock.info
+**/.terraform.lock.hcl
 **/~*.*
 **/*.log
 **/backend.azurerm.tf
-public
\ No newline at end of file
+public
+aztfmod
\ No newline at end of file
diff --git a/README.md b/README.md
index c77598245..92c17f5f7 100644
--- a/README.md
+++ b/README.md
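Review bot: Ignoring `**/.terraform.lock.hcl` discards the only record of which provider versions and package hashes a run actually used; with `version = "~> 2.50"` in caf_launchpad/main.tf and `version = "~>5.3.0"` on the module blocks, every `terraform init` is free to resolve a newer provider or module release and nothing checks the download against a previously trusted checksum. If the lock file is excluded on purpose because these landing zones are consumed as a template by a separate configuration repository, say so next to the entry, e.g. `# lock files belong to the consuming configuration repository`; otherwise commit it (regenerated with `terraform providers lock` for the platforms rover runs on) so provider upgrades appear as reviewable diffs. The new `aztfmod` entry looks like a local checkout path and would also benefit from a one-line comment saying what it ignores.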
@@ -22,29 +22,6 @@ Cloud Adoption Framework for Azure Terraform landing zones is an Open Source pro * Propose a prescriptive guidance on how to enable DevOps for infrastructure as code on Microsoft Azure. * Foster a community of Azure *Terraformers* using a common set of practices and sharing best practices. -## What's new in this release - -This release is relying extensively on Terraform 0.13 capabilities (module iterations, conditional modules, variables validation, etc.). - -Those new features allow more complex and more dynamic code composition. The following concepts are used: - -* **Multi-subscription deployment**: initial support to deploy landing zones in any subscription from the launchpad subscription. -* **Autonomous module consumption**: consumption of the CAF module outside of landing zones. -* **Starter kit extension**: added new scenarios for sandpit environment, added support for AKS. -* **Verified by Hashicorp status**: status achieved for new CAF module and provider. -* **No-code environment composition**: a landing zone environment can be composed customizing variable files and code must be robust enough to accommodate combinations and composition. -* **Flexible foundations to meet customer needs**: everything is customizable at all layers. -* **Key-based configuration and customization**: all configuration objects will call each other based on the object keys. -* **Iteration-based objects deployment**: a landing zone calls all its modules, iterating on complex objects for technical resources deployment. -* **Enterprise-scale support**: added support for foundations landing zones to optionally leverage Azure Enterprise-scale module. -* **Terraform Cloud/Enterprise bootstrap**: added initial support for Hashicorp Terraform Cloud/Enterprise to support environment bootstrap. 
- - - ## Getting started When starting an enterprise deployment, we recommend you start creating a configuration repository where you craft the configuration files for your environments. 
@@ -61,21 +38,19 @@ Currently we provide you with the following core sample landing zones: | Name | Level | Purpose | |--|--|--| -| [caf_launchpad](./landingzones/caf_launchpad) | 0 | provides the state management capabilities and security features leveraging Azure storage for the backend, provides secret management and modular approach to support plugin for Azure DevOps automated pipeline creation (and others) | -| [caf_foundations](./landingzones/caf_foundations) | 1 | setup all the fundamentals for a subscription (logging, accounting, security.). You can find all details of the caf_foundations landing zone [Here](./landingzones/caf_foundations/README.md) | -| [caf_shared_services](./landingzones/caf_shared_services) | 2 | provides shared services like monitoring, Azure Backup, Azure Site Recovery etc. | -| [caf_networking](./landingzones/caf_networking) | 2 | enables creation of any Azure networking combination of Virtual Networks-based hub-and-spoke topologies or Azure Virtual WAN based topologies. | -| [caf_solutions](./landingzones/caf_solutions) | 3 | "universal" landing zone that allow you to compose with any object from the CAF module and beyond. | +| [caf_launchpad](./caf_launchpad) | 0 | provides the state management capabilities and security features leveraging Azure storage for the backend, provides secret management and modular approach to support plugin for Azure DevOps automated pipeline creation (and others) | +| [caf_solution](./caf_solution) | 1-4 | "universal" landing zone that allow you to compose with any object from the CAF module and beyond. 
| ## Repositories | Repo | Description | |---------------------------------------------------------------------------------------------------|------------------------------------------------------------| +| [starter kit](https://github.com/azure/caf-terraform-landingzones-starter) | landing zones configuration repository | | [caf-terraform-landingzones](https://github.com/azure/caf-terraform-landingzones) (You are here!) | landing zones repo with sample and core documentations | | [rover](https://github.com/aztfmod/rover) | devops toolset for operating landing zones | | [azure_caf_provider](https://github.com/aztfmod/terraform-provider-azurecaf) | custom provider for naming conventions | -| [modules](https://registry.terraform.io/modules/aztfmod) | set of curated modules available in the Terraform registry | +| [module](https://github.com/aztfmod/terraform-azurerm-caf) | CAF universal module available in the Terraform registry | ## Community diff --git a/landingzones/caf_eslz/backend.azurerm b/caf_launchpad/backend.azurerm similarity index 100% rename from landingzones/caf_eslz/backend.azurerm rename to caf_launchpad/backend.azurerm diff --git a/landingzones/caf_launchpad/documentation/img/launchpad-100.PNG b/caf_launchpad/documentation/img/launchpad-100.PNG similarity index 100% rename from landingzones/caf_launchpad/documentation/img/launchpad-100.PNG rename to caf_launchpad/documentation/img/launchpad-100.PNG diff --git a/landingzones/caf_launchpad/documentation/img/launchpad-200.png b/caf_launchpad/documentation/img/launchpad-200.png similarity index 100% rename from landingzones/caf_launchpad/documentation/img/launchpad-200.png rename to caf_launchpad/documentation/img/launchpad-200.png 
diff --git a/landingzones/caf_launchpad/documentation/img/launchpad_workflow.png b/caf_launchpad/documentation/img/launchpad_workflow.png
similarity index 100%
rename from landingzones/caf_launchpad/documentation/img/launchpad_workflow.png
rename to caf_launchpad/documentation/img/launchpad_workflow.png
diff --git a/landingzones/caf_launchpad/documentation/variables.md b/caf_launchpad/documentation/variables.md
similarity index 100%
rename from landingzones/caf_launchpad/documentation/variables.md
rename to caf_launchpad/documentation/variables.md
diff --git a/landingzones/caf_launchpad/dynamic_secrets.tf b/caf_launchpad/dynamic_secrets.tf
similarity index 80%
rename from landingzones/caf_launchpad/dynamic_secrets.tf
rename to caf_launchpad/dynamic_secrets.tf
index 5dd97a475..a6f773359 100644
--- a/landingzones/caf_launchpad/dynamic_secrets.tf
+++ b/caf_launchpad/dynamic_secrets.tf
@@ -1,7 +1,7 @@
-module dynamic_keyvault_secrets {
+module "dynamic_keyvault_secrets" {
 source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
- version = "~>5.2.0"
+ version = "~>5.3.0"
 for_each = try(var.dynamic_keyvault_secrets, {})
diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf
new file mode 100644
index 000000000..8c243a0ee
--- /dev/null
+++ b/caf_launchpad/landingzone.tf
@@ -0,0 +1,54 @@
+module "launchpad" {
+ source = "aztfmod/caf/azurerm"
+ version = "~>5.3.0"
+
+ azuread_api_permissions = var.azuread_api_permissions
+ azuread_apps = var.azuread_apps
+ azuread_groups = var.azuread_groups
+ azuread_roles = var.azuread_roles
+ azuread_users = var.azuread_users
+ current_landingzone_key = var.landingzone.key
+ custom_role_definitions = var.custom_role_definitions
+ enable = var.enable
+ event_hub_namespaces = var.event_hub_namespaces
+ global_settings = local.global_settings
+ keyvault_access_policies = var.keyvault_access_policies
+ keyvault_access_policies_azuread_apps = var.keyvault_access_policies_azuread_apps
+ keyvaults = var.keyvaults
+ log_analytics = var.log_analytics
+ logged_aad_app_objectId = var.logged_aad_app_objectId
+ logged_user_objectId = var.logged_user_objectId
+ managed_identities = var.managed_identities
+ resource_groups = var.resource_groups
+ role_mapping = var.role_mapping
+ storage_accounts = var.storage_accounts
+ subscriptions = var.subscriptions
+ tags = local.tags
+ tenant_id = var.tenant_id
+ user_type = var.user_type
+
+ diagnostics = {
+ diagnostics_definition = try(var.diagnostics.diagnostics_definition, var.diagnostics_definition)
+ diagnostics_destinations = try(var.diagnostics.diagnostics_destinations, var.diagnostics_destinations)
+ diagnostic_event_hub_namespaces = try(var.diagnostics.diagnostic_event_hub_namespaces, var.diagnostic_event_hub_namespaces)
+ diagnostic_log_analytics = try(var.diagnostics.diagnostic_log_analytics, var.diagnostic_log_analytics)
+ diagnostic_storage_accounts = try(var.diagnostics.diagnostic_storage_accounts, var.diagnostic_storage_accounts)
+ }
+
+ compute = {
+ virtual_machines = try(var.compute.virtual_machines, var.virtual_machines)
+ bastion_hosts = try(var.compute.bastion_hosts, var.bastion_hosts)
+ }
+
+ networking = {
+ vnets = try(var.networking.vnets, var.vnets)
+ network_security_group_definition = try(var.networking.network_security_group_definition, var.network_security_group_definition)
+ public_ip_addresses = try(var.networking.public_ip_addresses, var.public_ip_addresses)
+ azurerm_routes = try(var.networking.azurerm_routes, var.azurerm_routes)
+ route_tables = try(var.networking.route_tables, var.route_tables)
+ }
+
+ security = {
+ keyvault_keys = var.keyvault_keys
+ }
+}
diff --git a/landingzones/caf_launchpad/main.tf b/caf_launchpad/main.tf
similarity index 74%
rename from landingzones/caf_launchpad/main.tf
rename to caf_launchpad/main.tf
index 7064f4f8f..2c52ea02b 100644
--- a/landingzones/caf_launchpad/main.tf
+++ b/caf_launchpad/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.43"
+ version = "~> 2.50"
 }
 azuread = {
 source = "hashicorp/azuread"
@@ -34,11 +34,7 @@ terraform {
 provider "azurerm" {
- features {
- key_vault {
- purge_soft_delete_on_destroy = true
- }
- }
+ features {}
 }
 resource "random_string" "prefix" {
@@ -49,19 +45,12 @@ resource "random_string" "prefix" {
 number = false
 }
-resource "random_string" "alpha1" {
- count = var.prefix == null ? 1 : 0
- length = 1
- special = false
- upper = false
- number = false
-}
 locals {
 landingzone_tag = {
- landingzone = var.landingzone.key
+ "landingzone" = var.landingzone.key
 }
- tags = merge(local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = var.environment }, { "rover_version" = var.rover_version }, var.tags)
+
+ tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
 global_settings = {
 default_region = var.default_region
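Review bot: caf_launchpad/landingzone.tf is a new 54-line file with no header comment, and the `try(var.diagnostics.x, var.x)` pairs in the `diagnostics`, `compute` and `networking` blocks are the only hint that both a grouped and a flat variable layout are accepted. A short comment above `module "launchpad"` stating that this wraps the `aztfmod/caf/azurerm` module for the level0 launchpad and that each `try()` prefers the grouped variable and falls back to the legacy top-level one would make that contract explicit; the `security` block passes `var.keyvault_keys` directly, so a note there on whether a grouped form is deliberately unsupported would complete the picture. The module is pinned with `~>5.3.0`, which admits any 5.3.x patch release; given that the launchpad owns the state backend and key vaults, state in the same comment whether that drift is acceptable.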
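Review bot: Replacing the `key_vault { purge_soft_delete_on_destroy = true }` block with `features {}` turns an explicit choice about what happens to launchpad key vaults on destroy into whatever the provider default is across the `~> 2.50` range now required. The workflows' destroy steps run with `-auto-approve`, so a vault left soft-deleted can block re-creation under the same name on the next scheduled run, or conversely be purged without anyone having opted in; whichever behaviour is intended, write it out explicitly, e.g. `features { key_vault { purge_soft_delete_on_destroy = true } }` or its `false` form, with a one-line comment, so the pipeline's cleanup semantics do not depend on a provider default. The enclosing provider block continues outside the hunk.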
@@ -69,8 +58,8 @@ locals {
 inherit_tags = var.inherit_tags
 passthrough = var.passthrough
 prefix = var.prefix
- prefixes = var.prefix == "" ? null : [try(var.prefix, random_string.prefix.0.result)]
- prefix_with_hyphen = var.prefix == "" ? "" : try(format("%s-", var.prefix) , format("%s-", random_string.prefix.0.result))
+ prefixes = var.prefix == "" ? null : [try(random_string.prefix.0.result, var.prefix)]
+ prefix_with_hyphen = var.prefix == "" ? null : format("%s", try(random_string.prefix.0.result, var.prefix))
 random_length = var.random_length
 regions = var.regions
 tags = var.tags
diff --git a/caf_launchpad/output.tf b/caf_launchpad/output.tf
new file mode 100644
index 000000000..313425b12
--- /dev/null
+++ b/caf_launchpad/output.tf
@@ -0,0 +1,16 @@
+
+output "objects" {
+ value = tomap(
+ { (var.landingzone.key) = {
+ for key, value in module.launchpad : key => value
+ if try(value, {}) != {}
+ }
+ }
+ )
+ sensitive = true
+}
+
+output "tfstates" {
+ value = local.tfstates
+ sensitive = true
+}
diff --git a/landingzones/caf_launchpad/readme.md b/caf_launchpad/readme.md
similarity index 100%
rename from landingzones/caf_launchpad/readme.md
rename to caf_launchpad/readme.md
diff --git a/landingzones/caf_launchpad/scenario/100/README.md b/caf_launchpad/scenario/100/README.md
similarity index 100%
rename from landingzones/caf_launchpad/scenario/100/README.md
rename to caf_launchpad/scenario/100/README.md
diff --git a/landingzones/caf_launchpad/scenario/100/configuration.tfvars b/caf_launchpad/scenario/100/configuration.tfvars
similarity index 100%
rename from landingzones/caf_launchpad/scenario/100/configuration.tfvars
rename to caf_launchpad/scenario/100/configuration.tfvars
diff --git a/landingzones/caf_launchpad/scenario/100/dynamic_secrets.tfvars b/caf_launchpad/scenario/100/dynamic_secrets.tfvars
similarity index 100%
rename from landingzones/caf_launchpad/scenario/100/dynamic_secrets.tfvars
rename to caf_launchpad/scenario/100/dynamic_secrets.tfvars
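Review bot: `prefix_with_hyphen` no longer contains a hyphen: the new line is `format("%s", try(random_string.prefix.0.result, var.prefix))`, which drops the `-` suffix the old `format("%s-", ...)` produced while the key still promises one, and the empty-prefix case changed from `""` to `null`. Any consumer of `global_settings.prefix_with_hyphen` that concatenates it straight into a name will now get `prefixname` instead of `prefix-name`, and a `null` will fail where `""` used to be accepted; if a bare prefix is the intent, rename the key, otherwise keep the old shape with the new fallback order, `prefix_with_hyphen = var.prefix == "" ? "" : format("%s-", try(random_string.prefix.0.result, var.prefix))`. The `locals` block starts above this hunk. Related: the `-49` hunk's new `tags = merge(local.global_settings.tags, ..., var.tags)` merges `var.tags` twice, since the context line here shows `global_settings.tags` is `var.tags`; harmless, but one of the two can go.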
diff --git a/landingzones/caf_launchpad/scenario/100/iam_role_mapping.tfvars b/caf_launchpad/scenario/100/iam_role_mapping.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/100/iam_role_mapping.tfvars rename to caf_launchpad/scenario/100/iam_role_mapping.tfvars diff --git a/landingzones/caf_launchpad/scenario/100/keyvaults.tfvars b/caf_launchpad/scenario/100/keyvaults.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/100/keyvaults.tfvars rename to caf_launchpad/scenario/100/keyvaults.tfvars diff --git a/landingzones/caf_launchpad/scenario/100/storage_accounts.tfvars b/caf_launchpad/scenario/100/storage_accounts.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/100/storage_accounts.tfvars rename to caf_launchpad/scenario/100/storage_accounts.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/configuration.tfvars b/caf_launchpad/scenario/200/configuration.tfvars similarity index 94% rename from landingzones/caf_launchpad/scenario/200/configuration.tfvars rename to caf_launchpad/scenario/200/configuration.tfvars index 36645019e..cbd14725f 100644 --- a/landingzones/caf_launchpad/scenario/200/configuration.tfvars +++ b/caf_launchpad/scenario/200/configuration.tfvars @@ -84,17 +84,11 @@ resource_groups = { security = { name = "launchpad-security" } - networking = { - name = "launchpad-networking" - } ops = { name = "operations" } siem = { name = "siem-logs" } - bastion_launchpad = { - name = "launchpad-bastion" - } } diff --git a/landingzones/caf_launchpad/scenario/200/diagnostic_event_hub_namespaces.tfvars b/caf_launchpad/scenario/200/diagnostic_event_hub_namespaces.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/diagnostic_event_hub_namespaces.tfvars rename to caf_launchpad/scenario/200/diagnostic_event_hub_namespaces.tfvars 
diff --git a/landingzones/caf_launchpad/scenario/200/diagnostic_log_analytics.tfvars b/caf_launchpad/scenario/200/diagnostic_log_analytics.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/diagnostic_log_analytics.tfvars rename to caf_launchpad/scenario/200/diagnostic_log_analytics.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/diagnostic_storage_accounts.tfvars b/caf_launchpad/scenario/200/diagnostic_storage_accounts.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/diagnostic_storage_accounts.tfvars rename to caf_launchpad/scenario/200/diagnostic_storage_accounts.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/diagnostics_definition.tfvars b/caf_launchpad/scenario/200/diagnostics_definition.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/diagnostics_definition.tfvars rename to caf_launchpad/scenario/200/diagnostics_definition.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/diagnostics_destinations.tfvars b/caf_launchpad/scenario/200/diagnostics_destinations.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/diagnostics_destinations.tfvars rename to caf_launchpad/scenario/200/diagnostics_destinations.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/dynamic_secrets.tfvars b/caf_launchpad/scenario/200/dynamic_secrets.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/dynamic_secrets.tfvars rename to caf_launchpad/scenario/200/dynamic_secrets.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/iam_azuread.tfvars b/caf_launchpad/scenario/200/iam_azuread.tfvars similarity index 99% rename from landingzones/caf_launchpad/scenario/200/iam_azuread.tfvars rename to caf_launchpad/scenario/200/iam_azuread.tfvars index 4a4856f72..9c7bedc6a 100644 --- a/landingzones/caf_launchpad/scenario/200/iam_azuread.tfvars +++ b/caf_launchpad/scenario/200/iam_azuread.tfvars 
@@ -115,7 +115,7 @@ azuread_users = { password_expire_in_days = 180 # Value must match with var.keyvaults[keyname] to store username and password for password rotation - keyvault_key = "secrets" + keyvault_key = "level0" } } diff --git a/landingzones/caf_launchpad/scenario/200/iam_azuread_api_permissions.tfvars b/caf_launchpad/scenario/200/iam_azuread_api_permissions.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/iam_azuread_api_permissions.tfvars rename to caf_launchpad/scenario/200/iam_azuread_api_permissions.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/iam_custom_roles.tfvars b/caf_launchpad/scenario/200/iam_custom_roles.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/iam_custom_roles.tfvars rename to caf_launchpad/scenario/200/iam_custom_roles.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/iam_keyvault_policies.tfvars b/caf_launchpad/scenario/200/iam_keyvault_policies.tfvars similarity index 83% rename from landingzones/caf_launchpad/scenario/200/iam_keyvault_policies.tfvars rename to caf_launchpad/scenario/200/iam_keyvault_policies.tfvars index e755b1ebd..368bc00c7 100644 --- a/landingzones/caf_launchpad/scenario/200/iam_keyvault_policies.tfvars +++ b/caf_launchpad/scenario/200/iam_keyvault_policies.tfvars @@ -43,14 +43,6 @@ keyvault_access_policies_azuread_apps = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } } - - - secrets = { - caf_launchpad_level0 = { - azuread_app_key = "caf_launchpad_level0" - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - } } keyvault_access_policies = { 
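Review bot: Deleting the `secrets` entry from `keyvault_access_policies_azuread_apps` here, and from `keyvault_access_policies` in the `-100` hunk (which also removes the `keyvault_password_rotation` group's Set/Get/List/Delete policy), is consistent with the `secrets` vault being dropped from keyvaults.tfvars, but the iam_azuread.tfvars hunk now points the rotated user passwords at `keyvault_key = "level0"` and no replacement policy for `keyvault_password_rotation` or `caf_launchpad_level0` on the `level0` vault is visible in this chunk. Unless it already exists above the hunk, password rotation will be denied on the level0 vault; worth confirming before merge. From a least-privilege angle the change also co-locates user passwords with the launchpad's own level0 secrets, so whoever holds `keyvault_level0_rw` now reads those passwords too; a comment on the `keyvault_key = "level0"` line naming that trade-off would help the next reviewer.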
@@ -100,15 +92,4 @@ keyvault_access_policies = { } } - - secrets = { - keyvault_level0_rw = { - azuread_group_key = "keyvault_level0_rw" - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - keyvault_password_rotation = { - azuread_group_key = "keyvault_password_rotation" - secret_permissions = ["Set", "Get", "List", "Delete", ] - } - } } diff --git a/landingzones/caf_launchpad/scenario/200/iam_managed_identities.tfvars b/caf_launchpad/scenario/200/iam_managed_identities.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/iam_managed_identities.tfvars rename to caf_launchpad/scenario/200/iam_managed_identities.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/iam_role_mapping.tfvars b/caf_launchpad/scenario/200/iam_role_mapping.tfvars similarity index 95% rename from landingzones/caf_launchpad/scenario/200/iam_role_mapping.tfvars rename to caf_launchpad/scenario/200/iam_role_mapping.tfvars index 23a919f2a..263e940a4 100644 --- a/landingzones/caf_launchpad/scenario/200/iam_role_mapping.tfvars +++ b/caf_launchpad/scenario/200/iam_role_mapping.tfvars @@ -50,13 +50,6 @@ role_mapping = { } } } - networking = { - "Reader" = { - azuread_groups = { - keys = ["caf_launchpad_Reader"] - } - } - } ops = { "Reader" = { azuread_groups = { diff --git a/landingzones/caf_launchpad/scenario/200/keyvaults.tfvars b/caf_launchpad/scenario/200/keyvaults.tfvars similarity index 83% rename from landingzones/caf_launchpad/scenario/200/keyvaults.tfvars rename to caf_launchpad/scenario/200/keyvaults.tfvars index 9b407a31d..91ed6deb8 100644 --- a/landingzones/caf_launchpad/scenario/200/keyvaults.tfvars +++ b/caf_launchpad/scenario/200/keyvaults.tfvars 
@@ -170,35 +170,4 @@ keyvaults = { } - secrets = { - name = "secrets" - resource_group_key = "security" - region = "region1" - sku_name = "premium" - soft_delete_enabled = true - - # you can setup up to 5 profiles - diagnostic_profiles = { - operations = { - definition_key = "default_all" - destination_type = "log_analytics" - destination_key = "central_logs" - } - siem = { - definition_key = "siem_all" - destination_type = "storage" - destination_key = "all_regions" - } - } - - creation_policies = { - logged_in_user = { - # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy - # More examples in /examples/keyvault - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - } - - - } } diff --git a/landingzones/caf_launchpad/scenario/200/readme.md b/caf_launchpad/scenario/200/readme.md similarity index 100% rename from landingzones/caf_launchpad/scenario/200/readme.md rename to caf_launchpad/scenario/200/readme.md diff --git a/landingzones/caf_launchpad/scenario/200/storage_accounts.tfvars b/caf_launchpad/scenario/200/storage_accounts.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/storage_accounts.tfvars rename to caf_launchpad/scenario/200/storage_accounts.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/subscriptions.tfvars b/caf_launchpad/scenario/200/subscriptions.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/subscriptions.tfvars rename to caf_launchpad/scenario/200/subscriptions.tfvars diff --git a/landingzones/caf_launchpad/scripts/cloud-init-install-rover-tools.config b/caf_launchpad/scripts/cloud-init-install-rover-tools.config similarity index 100% rename from landingzones/caf_launchpad/scripts/cloud-init-install-rover-tools.config rename to caf_launchpad/scripts/cloud-init-install-rover-tools.config 
diff --git a/landingzones/caf_launchpad/variables.tf b/caf_launchpad/variables.tf similarity index 50% rename from landingzones/caf_launchpad/variables.tf rename to caf_launchpad/variables.tf index acf69cd2f..6ff3d9dd7 100644 --- a/landingzones/caf_launchpad/variables.tf +++ b/caf_launchpad/variables.tf 
@@ -1,191 +1,211 @@ # Map of the current tfstate -variable tfstate_storage_account_name { +variable "tfstate_storage_account_name" { default = null } -variable tfstate_container_name { +variable "tfstate_container_name" { default = null } -variable tfstate_key { +variable "tfstate_key" { default = null } -variable tfstate_resource_group_name { +variable "tfstate_resource_group_name" { default = null } -variable tenant_id {} -variable landingzone { +variable "tenant_id" {} +variable "landingzone" { description = "The landing zone name is used to reference the tfstate in configuration files. Therefore while set it is recommended not to change" } -variable passthrough { +variable "passthrough" { default = false } -variable random_length { +variable "random_length" { default = null } -variable inherit_tags { +variable "inherit_tags" { default = false } -variable default_region { +variable "default_region" { description = "Define the default region where services are deployed if the location is not set at the resource level" default = "region1" } -variable regions { - type = map +variable "regions" { + type = map(any) description = "List of the regions where services can be deployed. This impact the diagnostics logs settings" default = { region1 = "southeastasia" } } -variable enable { +variable "enable" { description = "Map of services defined in the configuration file you want to disable during a deployment" default = {} } -variable prefix { +variable "prefix" { default = null } -variable use_slug { +variable "use_slug" { default = true } -variable log_analytics { +variable "log_analytics" { default = {} } -variable event_hub_namespaces { +variable "event_hub_namespaces" { default = {} } # Do not change the default value to be able to upgrade to the standard launchpad -variable tf_name { +variable "tf_name" { description = "Name of the terraform state in the blob storage (Does not include the extension .tfstate). Setup by the rover. 
Leave empty in the configuration file" default = "" } -variable resource_groups {} +variable "resource_groups" {} -variable storage_accounts {} -variable diagnostic_storage_accounts { +variable "storage_accounts" {} +variable "keyvaults" {} +variable "keyvault_access_policies" { default = {} } -variable diagnostic_event_hub_namespaces { +variable "keyvault_keys" { default = {} } -variable diagnostic_log_analytics { - default = {} -} -variable keyvaults {} -variable keyvault_access_policies { - default = {} -} -variable dynamic_keyvault_secrets {} +variable "dynamic_keyvault_secrets" {} -variable subscriptions { +variable "subscriptions" { default = {} } ## Azure Active Directory -variable azuread_apps { +variable "azuread_apps" { default = {} } -variable azuread_groups { +variable "azuread_groups" { default = {} } -variable azuread_users { +variable "azuread_users" { default = {} } -variable azuread_roles { +variable "azuread_roles" { default = {} } -variable managed_identities { +variable "managed_identities" { default = {} } -variable virtual_machines { - description = "Virtual machine object" - default = {} +variable "networking" { + default = {} } -variable bastion_hosts { +variable "compute" { default = {} } -variable launchpad_key_names {} +variable "launchpad_key_names" {} -variable custom_role_definitions { +variable "custom_role_definitions" { default = {} } -variable role_mapping { +variable "role_mapping" { default = { built_in_role_mapping = {} custom_role_mapping = {} } } -variable tags { - type = map +variable "tags" { + type = map(any) default = {} } -variable rover_version {} +variable "rover_version" {} -variable user_type {} +variable "user_type" {} -variable logged_user_objectId { +variable "logged_user_objectId" { default = null } -variable logged_aad_app_objectId { +variable "logged_aad_app_objectId" { default = null } -variable aad_users { +variable "aad_users" { default = {} } -variable aad_roles { +variable "aad_roles" { default = {} } 
-variable azuread_api_permissions { +variable "azuread_api_permissions" { default = {} } -variable environment { +variable "environment" { type = string description = "This variable is set by the rover during the deployment based on the -env or -environment flags. Default to sandpit" } -variable diagnostics_definition { +variable "diagnostics" { + default = {} +} + +variable "diagnostics_definition" { + default = {} +} + +variable "diagnostics_destinations" { + default = {} +} + +variable "diagnostic_event_hub_namespaces" { default = {} } -variable diagnostics_destinations { + +variable "diagnostic_log_analytics" { default = {} } -variable vnets { +variable "diagnostic_storage_accounts" { default = {} } -variable network_security_group_definition { +variable "keyvault_access_policies_azuread_apps" { default = {} } -variable public_ip_addresses { +variable "virtual_machines" { default = {} } -variable route_tables { + +variable "bastion_hosts" { default = {} } -variable azurerm_routes { + +variable "vnets" { default = {} } -variable keyvault_access_policies_azuread_apps { +variable "network_security_group_definition" { default = {} } + +variable "public_ip_addresses" { + default = {} +} + +variable "azurerm_routes" { + default = {} +} + +variable "route_tables" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml new file mode 100644 index 000000000..c430b2385 --- /dev/null +++ b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml 
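Review bot: The new `diagnostics`, `networking` and `compute` variables have no `description`, although they supersede the flat `diagnostics_definition`/`diagnostic_*`, `vnets`/`route_tables` and `virtual_machines`/`bastion_hosts` variables that stay in the file as fallbacks, and nothing tells a reader which set to use. Suggest `description = "Nested map; takes precedence over the flat diagnostic_* variables, which are kept for backward compatibility"` on `diagnostics` and the analogous text on the other two. `aad_users` and `aad_roles` are retained while the module call in this commit passes `azuread_users`/`azuread_roles`, so they look unused — worth confirming before they accumulate — and the file ends without a trailing newline (`\ No newline at end of file`).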
@@ -0,0 +1,16 @@
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+ name: podmi-caf-rover-platform-level0
+spec:
+ type: 0
+ resourceID: ${resource_id}
+ clientID: ${client_id}
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+ name: podmi-gitlab-runner-binding
+spec:
+ azureIdentity: podmi-caf-rover-platform-level0
+ selector: podmi-caf-rover-platform-level0
\ No newline at end of file
diff --git a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
new file mode 100644
index 000000000..05f60b4d1
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
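Review bot: `${resource_id}` and `${client_id}` on the `resourceID`/`clientID` lines look like template placeholders, but nothing renders them: aad_pod_identity.tf in this commit overwrites those two fields, both `metadata.name` values, `azureIdentity` and `selector` with kustomize JSON patches, so this file is only ever a patch base and would be rejected if applied on its own. A leading comment such as `# Base manifest for the kustomization_overlay in aad_pod_identity.tf; every spec/metadata value below is replaced by a patch` would stop someone from "fixing" the placeholders or applying the file directly. The binding name `podmi-gitlab-runner-binding` reads as a leftover from another add-on, and the file has no trailing newline.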
@@ -0,0 +1,120 @@
+resource "kubernetes_namespace" "ns" {
+ metadata {
+ name = var.aad_pod_identity.namespace
+ }
+}
+
+module "build" {
+ depends_on = [kubernetes_namespace.ns]
+ source = "./build"
+ for_each = try(data.kustomization_overlay.aad_pod_identity, {})
+
+ settings = each.value
+}
+
+
+
+data "kustomization_overlay" "aad_pod_identity" {
+ for_each = local.msi
+
+ resources = [
+ "aad-msi-binding.yaml",
+ ]
+
+ namespace = var.aad_pod_identity.namespace
+
+ patches {
+ patch = <<-EOF
+ - op: replace
+ path: /spec/resourceID
+ value: ${each.value.id}
+ EOF
+
+ target = {
+ kind = "AzureIdentity"
+ }
+ }
+
+ patches {
+ patch = <<-EOF
+ - op: replace
+ path: /spec/clientID
+ value: ${each.value.client_id}
+ EOF
+
+ target = {
+ kind = "AzureIdentity"
+ }
+ }
+
+ patches {
+ patch = <<-EOF
+ - op: replace
+ path: /metadata/name
+ value: ${each.value.azureIdentity}
+ EOF
+
+ target = {
+ kind = "AzureIdentity"
+ }
+ }
+
+ patches {
+ patch = <<-EOF
+ - op: replace
+ path: /metadata/name
+ value: ${each.value.azureIdentity}-binding
+ EOF
+
+ target = {
+ kind = "AzureIdentityBinding"
+ }
+ }
+
+ patches {
+ patch = <<-EOF
+ - op: replace
+ path: /spec/azureIdentity
+ value: ${each.value.azureIdentity}
+ EOF
+
+ target = {
+ kind = "AzureIdentityBinding"
+ }
+ }
+
+ patches {
+ patch = <<-EOF
+ - op: replace
+ path: /spec/selector
+ value: ${each.value.selector}
+ EOF
+
+ target = {
+ kind = "AzureIdentityBinding"
+ }
+ }
+}
+
+output "manifests" {
+ value = data.kustomization_overlay.aad_pod_identity
+}
+
+locals {
+ msi = {
+ for msi in flatten(
+ [
+ for key, value in var.managed_identities : [
+ for msi_key in value.msi_keys : {
+ key = key
+ msi_key = msi_key
+ client_id = local.remote.managed_identities[value.lz_key][msi_key].client_id
+ id = local.remote.managed_identities[value.lz_key][msi_key].id
+ azureIdentity = value["aad_msi_bindings"][msi_key].azureIdentity
+ selector = value["aad_msi_bindings"][msi_key].selector
+ }
+ ]
+ ]
+ ) : 
format("%s-%s", msi.key, msi.msi_key) => msi
+ }
+}
diff --git a/landingzones/caf_foundations/backend.azurerm b/caf_solution/add-ons/aad-pod-identity/backend.azurerm
similarity index 100%
rename from landingzones/caf_foundations/backend.azurerm
rename to caf_solution/add-ons/aad-pod-identity/backend.azurerm
diff --git a/caf_solution/add-ons/aad-pod-identity/build/kustomization_build.tf b/caf_solution/add-ons/aad-pod-identity/build/kustomization_build.tf
new file mode 100644
index 000000000..985bd96f5
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/build/kustomization_build.tf
@@ -0,0 +1,16 @@
+resource "kustomization_resource" "p0" {
+ for_each = var.settings.ids_prio[0]
+ manifest = var.settings.manifests[each.value]
+}
+
+resource "kustomization_resource" "p1" {
+ depends_on = [kustomization_resource.p0]
+ for_each = var.settings.ids_prio[1]
+ manifest = var.settings.manifests[each.value]
+}
+
+resource "kustomization_resource" "p2" {
+ depends_on = [kustomization_resource.p1]
+ for_each = var.settings.ids_prio[2]
+ manifest = var.settings.manifests[each.value]
+}
diff --git a/caf_solution/add-ons/aad-pod-identity/build/main.tf b/caf_solution/add-ons/aad-pod-identity/build/main.tf
new file mode 100644
index 000000000..e65c6fa22
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/build/main.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ kustomization = {
+ source = "kbst/kustomization"
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/aad-pod-identity/build/variables.tf b/caf_solution/add-ons/aad-pod-identity/build/variables.tf
new file mode 100644
index 000000000..f5c321890
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/build/variables.tf
@@ -0,0 +1,2 @@
+variable "settings" {
+}
diff --git a/caf_solution/add-ons/aad-pod-identity/local.remote_tfstates.tf b/caf_solution/add-ons/aad-pod-identity/local.remote_tfstates.tf
new file mode 100644
index 000000000..d458c18a1
--- /dev/null
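Review bot: The six `patches` heredocs interpolate `${each.value.id}`, `${each.value.client_id}`, `${each.value.azureIdentity}` and `${each.value.selector}` unquoted into a YAML document, so a value containing `: ` or ` #` would change how the JSON patch parses rather than fail loudly. Quoting each scalar (`value: "${each.value.id}"`, and the same on the other five `value:` lines) costs nothing and is the usual rule for templated YAML. `for_each = try(data.kustomization_overlay.aad_pod_identity, {})` in `module "build"` also deserves a one-line comment on why a data-source reference is wrapped in `try`, and `output "manifests"` would read better with `# rendered overlay per MSI binding, exposed for inspection` so nobody mistakes it for an interface.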
+++ b/caf_solution/add-ons/aad-pod-identity/local.remote_tfstates.tf 
@@ -0,0 +1,54 @@
+locals {
+ landingzone = {
+ current = {
+ storage_account_name = var.tfstate_storage_account_name
+ container_name = var.tfstate_container_name
+ resource_group_name = var.tfstate_resource_group_name
+ }
+ lower = {
+ storage_account_name = var.lower_storage_account_name
+ container_name = var.lower_container_name
+ resource_group_name = var.lower_resource_group_name
+ }
+ }
+}
+
+data "terraform_remote_state" "remote" {
+ for_each = try(var.landingzone.tfstates, {})
+
+ backend = var.landingzone.backend_type
+ config = {
+ storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
+ container_name = try(each.value.container, local.landingzone[try(each.value.level, "current")].container_name)
+ resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name
+ subscription_id = var.tfstate_subscription_id
+ key = each.value.tfstate
+ }
+}
+
+locals {
+ landingzone_tag = {
+ "landingzone" = var.landingzone.key
+ }
+
+ global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings
+ diagnostics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics
+
+ remote = {
+ tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
+ global_settings = local.global_settings
+ diagnostics = local.diagnostics
+
+
+ aks_clusters = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].aks_clusters, {}))
+ }
+ managed_identities = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
+ }
+ 
vnets = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].vnets, {}))
+ }
+ }
+
+}
diff --git a/caf_solution/add-ons/aad-pod-identity/main.tf b/caf_solution/add-ons/aad-pod-identity/main.tf
new file mode 100644
index 000000000..f0cc7ddbe
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/main.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.51.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.0.2"
+ }
+ kustomization = {
+ source = "kbst/kustomization"
+ version = "~> 0.4.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/caf_solution/add-ons/aad-pod-identity/providers.tf b/caf_solution/add-ons/aad-pod-identity/providers.tf
new file mode 100644
index 000000000..be2b3abb1
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/providers.tf
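Review bot: `data "terraform_remote_state" "remote"` reads the whole `objects` output of each referenced state, and the `aks_clusters` entry it surfaces carries `kube_admin_config_raw` plus the `kube_admin_config`/`kube_config` credential blocks (providers.tf in this commit consumes them), so read access to the remote tfstate container is equivalent to cluster-admin on every AKS cluster recorded there. A comment on the `aks_clusters = {` line stating that, and that the add-on's identity should be limited to the tfstate keys it lists in `var.landingzone.tfstates`, would help operators scope storage permissions; the `lower` entry also has no subscription of its own, so lower-level states are assumed to live in `var.tfstate_subscription_id`, which deserves a comment as well. This file is added verbatim a second time under caf_solution/add-ons/aks-secure-baseline (same blob id d458c18a1) later in the commit; the two copies will drift unless one shared module replaces them.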
@@ -0,0 +1,32 @@
+
+provider "azurerm" {
+ features {
+ }
+}
+
+provider "kubernetes" {
+ host = local.k8sconfigs[var.aks_cluster_key].host
+ username = local.k8sconfigs[var.aks_cluster_key].username
+ password = local.k8sconfigs[var.aks_cluster_key].password
+ client_certificate = local.k8sconfigs[var.aks_cluster_key].client_certificate
+ client_key = local.k8sconfigs[var.aks_cluster_key].client_key
+ cluster_ca_certificate = local.k8sconfigs[var.aks_cluster_key].cluster_ca_certificate
+}
+
+provider "kustomization" {
+ kubeconfig_raw = local.k8sconfigs[var.aks_cluster_key].kube_admin_config_raw
+}
+
+locals {
+ k8sconfigs = {
+ for key, value in var.aks_clusters : key => {
+ kube_admin_config_raw = local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config_raw
+ host = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.host : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.host
+ username = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.username : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.username
+ password = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.password : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.password
+ client_certificate = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.client_certificate) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.client_certificate)
+ client_key = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? 
base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.client_key) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.client_key)
+ cluster_ca_certificate = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.cluster_ca_certificate) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.cluster_ca_certificate)
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/aad-pod-identity/variables.tf b/caf_solution/add-ons/aad-pod-identity/variables.tf
new file mode 100644
index 000000000..971033737
--- /dev/null
+++ b/caf_solution/add-ons/aad-pod-identity/variables.tf
@@ -0,0 +1,36 @@
+# Map of the remote data state for lower level
+variable "lower_storage_account_name" {}
+variable "lower_container_name" {}
+variable "lower_resource_group_name" {}
+
+variable "tfstate_subscription_id" {
+ description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+}
+variable "tfstate_storage_account_name" {}
+variable "tfstate_container_name" {}
+variable "tfstate_key" {}
+variable "tfstate_resource_group_name" {}
+
+variable "landingzone" {}
+variable "rover_version" {
+ default = null
+}
+variable "tags" {
+ default = {}
+}
+
+######
+
+variable "aks_cluster_key" {
+ description = "AKS cluster key to deploy the Gitlab Helm charts. The key must be defined in the variable aks_clusters"
+}
+variable "aks_cluster_vnet_key" {
+
+}
+variable "aks_clusters" {}
+variable "vnets" {}
+variable "managed_identities" {
+ description = "Map of the user managed identities."
+}
+
+variable "aad_pod_identity" {}
\ No newline at end of file
diff --git a/caf_solution/add-ons/aks-secure-baseline/aks-pod-identity-assignment.tf b/caf_solution/add-ons/aks-secure-baseline/aks-pod-identity-assignment.tf
new file mode 100644
index 000000000..96c672df0
--- /dev/null
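Review bot: `provider "kustomization"` is handed `kube_admin_config_raw` unconditionally, while `provider "kubernetes"` switches between `kube_admin_config` and `kube_config` on `enable_rbac`; on the azurerm resource the admin config attributes are only populated when AAD-integrated RBAC is enabled, so for a cluster with `enable_rbac = false` the kubernetes provider would work and the kustomization provider would receive an empty kubeconfig. Assuming the module output also carries `kube_config_raw` (the azurerm attribute exists; its presence in `local.remote.aks_clusters` is not visible here), the raw config should follow the same switch. Each of the seven fields in `k8sconfigs` also repeats the `local.remote.aks_clusters[value.lz_key][value.key]` lookup two or three times; binding the cluster object once makes the switch obvious and the lines reviewable. The file also ends without a trailing newline.
```hcl
# … unchanged: provider "azurerm" and provider "kubernetes" …

provider "kustomization" {
  kubeconfig_raw = local.k8sconfigs[var.aks_cluster_key].kubeconfig_raw
}

locals {
  # One lookup per cluster; every credential field below derives from it.
  aks = { for key, value in var.aks_clusters : key => local.remote.aks_clusters[value.lz_key][value.key] }

  k8sconfigs = {
    for key, cluster in local.aks : key => {
      # kube_admin_config* is only populated when AAD RBAC is enabled; otherwise use kube_config*
      kubeconfig_raw         = cluster.enable_rbac ? cluster.kube_admin_config_raw : cluster.kube_config_raw
      host                   = cluster.enable_rbac ? cluster.kube_admin_config.0.host : cluster.kube_config.0.host
      username               = cluster.enable_rbac ? cluster.kube_admin_config.0.username : cluster.kube_config.0.username
      password               = cluster.enable_rbac ? cluster.kube_admin_config.0.password : cluster.kube_config.0.password
      client_certificate     = base64decode(cluster.enable_rbac ? cluster.kube_admin_config.0.client_certificate : cluster.kube_config.0.client_certificate)
      client_key             = base64decode(cluster.enable_rbac ? cluster.kube_admin_config.0.client_key : cluster.kube_config.0.client_key)
      cluster_ca_certificate = base64decode(cluster.enable_rbac ? cluster.kube_admin_config.0.cluster_ca_certificate : cluster.kube_config.0.cluster_ca_certificate)
    }
  }
}
```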
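Review bot: The `description` of `aks_cluster_key` says "to deploy the Gitlab Helm charts", which is copied from another add-on and wrong for aad-pod-identity; `variable "aks_cluster_vnet_key"` has an empty body and no description, and no use of it or of `vnets` is visible in this add-on's files in the chunk; and `tfstate_subscription_id` has a typo, `propulated`. Suggest `description = "Key in var.aks_clusters of the cluster the AzureIdentity objects are deployed to"` for the first, `description = "Key in var.vnets of the vnet hosting the cluster subnets"` for the second (or drop both variables if they are unused here), and `populated` for the third. The file also ends without a trailing newline.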
+++ b/caf_solution/add-ons/aks-secure-baseline/aks-pod-identity-assignment.tf 
@@ -0,0 +1,58 @@
+
+# Get the details of the node pool's resource group created by AKS
+data "azurerm_resource_group" "noderg" {
+ for_each = var.aks_clusters
+ name = local.remote.aks_clusters[each.value.lz_key][each.value.key].node_resource_group
+}
+
+#
+# Set permissions to the kubelet and cluster identity
+#
+resource "azurerm_role_assignment" "kubelet_noderg_miop" {
+ for_each = var.aks_clusters
+
+ scope = data.azurerm_resource_group.noderg[each.key].id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id
+}
+
+resource "azurerm_role_assignment" "kubelet_noderg_vmcontrib" {
+ for_each = var.aks_clusters
+
+ scope = data.azurerm_resource_group.noderg[each.key].id
+ role_definition_name = "Virtual Machine Contributor"
+ principal_id = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id
+}
+
+
+resource "azurerm_role_assignment" "kubelet_vnet_networkcontrib" {
+ for_each = toset(var.vnets[var.aks_cluster_vnet_key].subnet_keys)
+
+ scope = local.remote.vnets[var.vnets[var.aks_cluster_vnet_key].lz_key][var.vnets[var.aks_cluster_vnet_key].key].subnets[each.value].id
+ role_definition_name = "Network Contributor"
+ principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "kubelet_user_msi" {
+ for_each = local.msi_to_grant_permissions
+
+ scope = each.value.id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = local.remote.aks_clusters[var.aks_clusters[var.aks_cluster_key].lz_key][var.aks_cluster_key].kubelet_identity[0].object_id
+}
+
+locals {
+ msi_to_grant_permissions = {
+ for msi in flatten(
+ [
+ for key, value in var.managed_identities : [
+ for msi_key in value.msi_keys : {
+ key = key
+ msi_key = msi_key
+ id = local.remote.managed_identities[value.lz_key][msi_key].id
+ }
+ ]
+ 
]
+ ) : format("%s-%s", msi.key, msi.msi_key) => msi
+ }
+}
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/backend.azurerm b/caf_solution/add-ons/aks-secure-baseline/backend.azurerm
similarity index 100%
rename from landingzones/caf_launchpad/add-ons/azure_devops/backend.azurerm
rename to caf_solution/add-ons/aks-secure-baseline/backend.azurerm
diff --git a/caf_solution/add-ons/aks-secure-baseline/kustomization.yaml b/caf_solution/add-ons/aks-secure-baseline/kustomization.yaml
new file mode 100644
index 000000000..373d8b437
--- /dev/null
+++ b/caf_solution/add-ons/aks-secure-baseline/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - https://raw.githubusercontent.com/Azure/caf-terraform-landingzones-starter/starter/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/flux.yaml
\ No newline at end of file
diff --git a/caf_solution/add-ons/aks-secure-baseline/local.remote_tfstates.tf b/caf_solution/add-ons/aks-secure-baseline/local.remote_tfstates.tf
new file mode 100644
index 000000000..d458c18a1
--- /dev/null
+++ b/caf_solution/add-ons/aks-secure-baseline/local.remote_tfstates.tf
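Review bot: The four role assignments disagree on which clusters they cover: `kubelet_noderg_miop` and `kubelet_noderg_vmcontrib` iterate every entry of `var.aks_clusters`, but `kubelet_vnet_networkcontrib` and `kubelet_user_msi` grant only to the single cluster named by `var.aks_cluster_key`, so with more than one cluster in the map the extra clusters receive node-RG rights but no subnet or user-MSI rights. Either restrict all four to `var.aks_cluster_key` or iterate `var.aks_clusters` in all four. `kubelet_vnet_networkcontrib` is also misnamed: its `principal_id` is the cluster's `identity[0].principal_id`, not the kubelet identity, so `cluster_vnet_networkcontrib` would describe it. Since `Virtual Machine Contributor` on the whole node resource group is the broadest grant in the file, a comment above that resource pointing at the aad-pod-identity role-assignment requirement it satisfies, `# required by aad-pod-identity for VMSS identity assignment; revisit when the project narrows it`, would let it be tightened later without archaeology.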
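Review bot: The only `resources` entry pulls `flux.yaml` from `raw.githubusercontent.com` on the mutable `starter` branch, so every `kustomize build` fetches whatever that branch holds at that moment and applies it with the cluster-admin kubeconfig; a force-push to, or compromise of, that branch changes the Flux controller deployed here with no change in this repository. Pin the reference to an immutable commit (replace `/starter/` in the URL with `/[commit-sha-placeholder]/`), or better, vendor the manifest into the add-on so the review sees its content. The file also has no trailing newline (`\ No newline at end of file`).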
@@ -0,0 +1,54 @@
+locals {
+ landingzone = {
+ current = {
+ storage_account_name = var.tfstate_storage_account_name
+ container_name = var.tfstate_container_name
+ resource_group_name = var.tfstate_resource_group_name
+ }
+ lower = {
+ storage_account_name = var.lower_storage_account_name
+ container_name = var.lower_container_name
+ resource_group_name = var.lower_resource_group_name
+ }
+ }
+}
+
+data "terraform_remote_state" "remote" {
+ for_each = try(var.landingzone.tfstates, {})
+
+ backend = var.landingzone.backend_type
+ config = {
+ storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
+ container_name = try(each.value.container, local.landingzone[try(each.value.level, "current")].container_name)
+ resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name
+ subscription_id = var.tfstate_subscription_id
+ key = each.value.tfstate
+ }
+}
+
+locals {
+ landingzone_tag = {
+ "landingzone" = var.landingzone.key
+ }
+
+ global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings
+ diagnostics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics
+
+ remote = {
+ tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
+ global_settings = local.global_settings
+ diagnostics = local.diagnostics
+
+
+ aks_clusters = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].aks_clusters, {}))
+ }
+ managed_identities = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
+ }
+ vnets = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].vnets, {}))
+ }
+ }
+
+}
diff --git a/caf_solution/add-ons/aks-secure-baseline/main.tf b/caf_solution/add-ons/aks-secure-baseline/main.tf
new file mode 100644
index 000000000..ac7602c81
--- /dev/null
+++ b/caf_solution/add-ons/aks-secure-baseline/main.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.51.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.0.2"
+ }
+ kustomization = {
+ source = "kbst/kustomization"
+ version = ">= 0.4.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/caf_solution/add-ons/aks-secure-baseline/providers.tf b/caf_solution/add-ons/aks-secure-baseline/providers.tf
new file mode 100644
index 000000000..be2b3abb1
--- /dev/null
+++ b/caf_solution/add-ons/aks-secure-baseline/providers.tf
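Review bot: `merge(try(..., {}))` in the `aks_clusters`, `managed_identities` and `vnets` comprehensions wraps a single argument, so `merge` is a no-op and `try(data.terraform_remote_state.remote[key].outputs.objects[key].aks_clusters, {})` alone expresses the intent. The `remote` local also deserves a comment because the AKS objects copied out of the lower-level state are the ones providers.tf reads kubeconfigs from, so they are persisted into this add-on's state as well, e.g. `# aks_clusters carries the remote clusters' kube_admin_config_raw; this state file holds cluster credentials and must be protected like the lower-level one`.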
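Review bot: `kustomization` is constrained with an open-ended `>= 0.4.0` while `azurerm` and `kubernetes` use pessimistic `~>` constraints, so a future major release of the kbst provider would be picked up by `terraform init` without anyone reviewing it. Keeping it on the same footing as the other two, `version = "~> 0.4"`, bounds it to the 0.x line.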
@@ -0,0 +1,32 @@
+
+provider "azurerm" {
+ features {
+ }
+}
+
+provider "kubernetes" {
+ host = local.k8sconfigs[var.aks_cluster_key].host
+ username = local.k8sconfigs[var.aks_cluster_key].username
+ password = local.k8sconfigs[var.aks_cluster_key].password
+ client_certificate = local.k8sconfigs[var.aks_cluster_key].client_certificate
+ client_key = local.k8sconfigs[var.aks_cluster_key].client_key
+ cluster_ca_certificate = local.k8sconfigs[var.aks_cluster_key].cluster_ca_certificate
+}
+
+provider "kustomization" {
+ kubeconfig_raw = local.k8sconfigs[var.aks_cluster_key].kube_admin_config_raw
+}
+
+locals {
+ k8sconfigs = {
+ for key, value in var.aks_clusters : key => {
+ kube_admin_config_raw = local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config_raw
+ host = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.host : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.host
+ username = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.username : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.username
+ password = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.password : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.password
+ client_certificate = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.client_certificate) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.client_certificate)
+ client_key = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.client_key) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.client_key)
+ cluster_ca_certificate = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.cluster_ca_certificate) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.cluster_ca_certificate)
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/aks-secure-baseline/secure-baseline.tf b/caf_solution/add-ons/aks-secure-baseline/secure-baseline.tf
new file mode 100644
index 000000000..f2208c9bd
--- /dev/null
+++ b/caf_solution/add-ons/aks-secure-baseline/secure-baseline.tf
@@ -0,0 +1,22 @@
+# Process the Kustomization in the current folder
+data "kustomization_build" "flux" {
+ path = "."
+}
+
+resource "kustomization_resource" "cluster_secure_baseline_p0" {
+ # depends_on = [kubernetes_namespace.cluster_secure_baseline]
+ for_each = data.kustomization_build.flux.ids_prio[0]
+ manifest = data.kustomization_build.flux.manifests[each.value]
+}
+
+resource "kustomization_resource" "cluster_secure_baseline_p1" {
+ depends_on = [kustomization_resource.cluster_secure_baseline_p0]
+ for_each = data.kustomization_build.flux.ids_prio[1]
+ manifest = data.kustomization_build.flux.manifests[each.value]
+}
+
+resource "kustomization_resource" "cluster_secure_baseline_p2" {
+ depends_on = [kustomization_resource.cluster_secure_baseline_p1]
+ for_each = data.kustomization_build.flux.ids_prio[2]
+ manifest = data.kustomization_build.flux.manifests[each.value]
+}
diff --git a/caf_solution/add-ons/aks-secure-baseline/variables.tf b/caf_solution/add-ons/aks-secure-baseline/variables.tf
new file mode 100644
index 000000000..971033737
--- /dev/null
+++ b/caf_solution/add-ons/aks-secure-baseline/variables.tf
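Review bot: The `kustomization` provider is handed `kube_admin_config_raw` unconditionally, while the `kubernetes` provider's `host` and credentials switch between `kube_admin_config` and `kube_config` on `enable_rbac`; the two providers can therefore talk to the same cluster under different identities, and the kustomization path always uses the cluster-local admin credential even when the kubernetes path does not. Either select the raw kubeconfig with the same `enable_rbac` conditional (`kube_admin_config_raw` versus `kube_config_raw`, if the remote state exposes the latter) or add a comment on `kubeconfig_raw` stating why admin is required there. Every attribute of `k8sconfigs` also repeats `local.remote.aks_clusters[value.lz_key][value.key]`, so binding the remote cluster once per key would make the conditionals readable; a sketch follows.
```hcl
locals {
  # one lookup per cluster key instead of repeating the double index on every attribute
  aks_remote = {
    for key, value in var.aks_clusters : key => local.remote.aks_clusters[value.lz_key][value.key]
  }
  k8sconfigs = {
    for key, cluster in local.aks_remote : key => {
      kube_admin_config_raw = cluster.kube_admin_config_raw
      host                  = cluster.enable_rbac ? cluster.kube_admin_config.0.host : cluster.kube_config.0.host
      # … unchanged pattern for username, password, client_certificate, client_key, cluster_ca_certificate …
    }
  }
}
```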
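Review bot: The commented-out `# depends_on = [kubernetes_namespace.cluster_secure_baseline]` in `cluster_secure_baseline_p0` names a resource that appears in none of the add-on's files in this change; shipping a dead reference invites someone to uncomment it into a plan error, so drop the line or replace it with a comment that states the ordering still expected. `path = "."` builds whatever kustomization.yaml is in the process working directory, which is only the add-on's own file when rover is launched with that folder as the landing zone; a comment such as `# builds the kustomization.yaml next to this file — assumes rover runs with this add-on folder as cwd, confirm` would make the assumption visible.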
@@ -0,0 +1,36 @@
+# Map of the remote data state for lower level
+variable "lower_storage_account_name" {}
+variable "lower_container_name" {}
+variable "lower_resource_group_name" {}
+
+variable "tfstate_subscription_id" {
+ description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+}
+variable "tfstate_storage_account_name" {}
+variable "tfstate_container_name" {}
+variable "tfstate_key" {}
+variable "tfstate_resource_group_name" {}
+
+variable "landingzone" {}
+variable "rover_version" {
+ default = null
+}
+variable "tags" {
+ default = {}
+}
+
+######
+
+variable "aks_cluster_key" {
+ description = "AKS cluster key to deploy the Gitlab Helm charts. The key must be defined in the variable aks_clusters"
+}
+variable "aks_cluster_vnet_key" {
+
+}
+variable "aks_clusters" {}
+variable "vnets" {}
+variable "managed_identities" {
+ description = "Map of the user managed identities."
+}
+
+variable "aad_pod_identity" {}
\ No newline at end of file
diff --git a/landingzones/caf_solutions/add-ons/aks_applications/app/main.tf b/caf_solution/add-ons/aks_applications/app/main.tf
similarity index 100%
rename from landingzones/caf_solutions/add-ons/aks_applications/app/main.tf
rename to caf_solution/add-ons/aks_applications/app/main.tf
diff --git a/landingzones/caf_solutions/add-ons/aks_applications/app/module.tf b/caf_solution/add-ons/aks_applications/app/module.tf
similarity index 100%
rename from landingzones/caf_solutions/add-ons/aks_applications/app/module.tf
rename to caf_solution/add-ons/aks_applications/app/module.tf
diff --git a/landingzones/caf_solutions/add-ons/aks_applications/app/output.tf b/caf_solution/add-ons/aks_applications/app/output.tf
similarity index 100%
rename from landingzones/caf_solutions/add-ons/aks_applications/app/output.tf
rename to caf_solution/add-ons/aks_applications/app/output.tf
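Review bot: The description of `aks_cluster_key` reads "AKS cluster key to deploy the Gitlab Helm charts", which looks copied from another add-on; this one applies the secure-baseline kustomization, so `description = "Key in var.aks_clusters of the cluster that receives the secure baseline kustomization."` matches what the code does. `tfstate_subscription_id` carries the typo "propulated" for "populated", and the same string is repeated in the azure_devops and azure_devops_agent variables.tf hunks further down this diff. `aad_pod_identity` is declared but referenced by none of this add-on's files in the change, and `aks_clusters`, `vnets` and `managed_identities` have no `type` even though the consumers index `each.value.lz_key`, `.key`, `.subnet_keys` and `.msi_keys` on them, so an object type or at least a description of the expected shape would catch wrong input at plan time.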
diff --git a/caf_solution/add-ons/aks_applications/app/variables.tf b/caf_solution/add-ons/aks_applications/app/variables.tf
new file mode 100644
index 000000000..4a0225192
--- /dev/null
+++ b/caf_solution/add-ons/aks_applications/app/variables.tf
@@ -0,0 +1,5 @@
+variable "cluster" {}
+
+variable "namespaces" {}
+
+variable "helm_charts" {}
\ No newline at end of file
diff --git a/landingzones/caf_solutions/add-ons/aks_applications/applications.tf b/caf_solution/add-ons/aks_applications/applications.tf
similarity index 100%
rename from landingzones/caf_solutions/add-ons/aks_applications/applications.tf
rename to caf_solution/add-ons/aks_applications/applications.tf
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/backend.azurerm b/caf_solution/add-ons/aks_applications/backend.azurerm
similarity index 100%
rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/backend.azurerm
rename to caf_solution/add-ons/aks_applications/backend.azurerm
diff --git a/landingzones/caf_solutions/add-ons/aks_applications/locals.remote_tfstates.tf b/caf_solution/add-ons/aks_applications/locals.remote_tfstates.tf
similarity index 74%
rename from landingzones/caf_solutions/add-ons/aks_applications/locals.remote_tfstates.tf
rename to caf_solution/add-ons/aks_applications/locals.remote_tfstates.tf
index 3d367287d..cf16e86c6 100644
--- a/landingzones/caf_solutions/add-ons/aks_applications/locals.remote_tfstates.tf
+++ b/caf_solution/add-ons/aks_applications/locals.remote_tfstates.tf
@@ -42,12 +42,12 @@ locals { clusters = local.remote.aks_clusters[var.landingzone.global_settings_key] k8sconfigs = { for key, value in values(local.clusters) : key => { - host = value.enable_rbac ? value.kube_config.0.host : value.kube_config.0.host - username = value.enable_rbac ? value.kube_config.0.username : value.kube_config.0.username - password = value.enable_rbac ? value.kube_config.0.password : value.kube_config.0.password - client_certificate = value.enable_rbac ? base64decode(value.kube_config.0.client_certificate) : base64decode(value.kube_config.0.client_certificate) - client_key = value.enable_rbac ? base64decode(value.kube_config.0.client_key) : base64decode(value.kube_config.0.client_key) - cluster_ca_certificate = value.enable_rbac ? base64decode(value.kube_config.0.cluster_ca_certificate) : base64decode(value.kube_config.0.cluster_ca_certificate) + host = value.enable_rbac ? value.kube_admin_config.0.host : value.kube_config.0.host + username = value.enable_rbac ? value.kube_admin_config.0.username : value.kube_config.0.username + password = value.enable_rbac ? value.kube_admin_config.0.password : value.kube_config.0.password + client_certificate = value.enable_rbac ? base64decode(value.kube_admin_config.0.client_certificate) : base64decode(value.kube_config.0.client_certificate) + client_key = value.enable_rbac ? base64decode(value.kube_admin_config.0.client_key) : base64decode(value.kube_config.0.client_key) + cluster_ca_certificate = value.enable_rbac ? base64decode(value.kube_admin_config.0.cluster_ca_certificate) : base64decode(value.kube_config.0.cluster_ca_certificate) } } diff --git a/landingzones/caf_solutions/add-ons/aks_applications/main.tf b/caf_solution/add-ons/aks_applications/main.tf similarity index 98% rename from landingzones/caf_solutions/add-ons/aks_applications/main.tf rename to caf_solution/add-ons/aks_applications/main.tf index 69ab5ac44..2222bc4d2 100644 --- a/landingzones/caf_solutions/add-ons/aks_applications/main.tf 
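Review bot: The corrected conditionals now pick `kube_admin_config` whenever `enable_rbac` is true, which is the cluster-local admin kubeconfig rather than an AAD-backed identity, and on a cluster where local accounts are disabled that block is presumably empty so `.0.host` would fail at plan time; the choice deserves a comment at the top of the comprehension, e.g. `# RBAC-enabled clusters are driven with the local admin kubeconfig; this requires local accounts to remain enabled on the cluster`. The enclosing `locals` block and the `clusters` lookup start before the hunk.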
+++ b/caf_solution/add-ons/aks_applications/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.49" + version = "~> 2.43" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/landingzones/caf_solutions/add-ons/aks_applications/output.tf b/caf_solution/add-ons/aks_applications/output.tf similarity index 100% rename from landingzones/caf_solutions/add-ons/aks_applications/output.tf rename to caf_solution/add-ons/aks_applications/output.tf diff --git a/caf_solution/add-ons/aks_applications/variables.tf b/caf_solution/add-ons/aks_applications/variables.tf new file mode 100644 index 000000000..7ad77ea93 --- /dev/null +++ b/caf_solution/add-ons/aks_applications/variables.tf @@ -0,0 +1,36 @@ +# Map of the remote data state for lower level +variable "lower_storage_account_name" {} +variable "lower_container_name" {} +variable "lower_resource_group_name" {} + +variable "tfstate_storage_account_name" {} +variable "tfstate_container_name" {} +variable "tfstate_resource_group_name" {} +# variable tfstate_key {} + +variable "global_settings" { + default = {} +} + +# variable tenant_id {} +variable "landingzone" {} + +variable "namespaces" {} + +variable "tags" { + default = null + type = map(any) +} + +variable "helm_charts" {} + +variable "rover_version" { + default = null +} + +variable "cluster_re1_key" { + default = null +} +variable "cluster_re2_key" { + default = null +} \ No newline at end of file diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/azdo.tf b/caf_solution/add-ons/azure_devops/azdo.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/azdo.tf rename to caf_solution/add-ons/azure_devops/azdo.tf 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/azdo_agent_pools.tf b/caf_solution/add-ons/azure_devops/azdo_agent_pools.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/azdo_agent_pools.tf rename to caf_solution/add-ons/azure_devops/azdo_agent_pools.tf diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/azdo_pipelines.tf b/caf_solution/add-ons/azure_devops/azdo_pipelines.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/azdo_pipelines.tf rename to caf_solution/add-ons/azure_devops/azdo_pipelines.tf diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/azdo_service_endpoint.tf b/caf_solution/add-ons/azure_devops/azdo_service_endpoint.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/azdo_service_endpoint.tf rename to caf_solution/add-ons/azure_devops/azdo_service_endpoint.tf diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/azdo_variable_groups.tf b/caf_solution/add-ons/azure_devops/azdo_variable_groups.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/azdo_variable_groups.tf rename to caf_solution/add-ons/azure_devops/azdo_variable_groups.tf diff --git a/landingzones/caf_launchpad/backend.azurerm b/caf_solution/add-ons/azure_devops/backend.azurerm similarity index 100% rename from landingzones/caf_launchpad/backend.azurerm rename to caf_solution/add-ons/azure_devops/backend.azurerm diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/documentation/images/pat_token.png b/caf_solution/add-ons/azure_devops/documentation/images/pat_token.png similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/documentation/images/pat_token.png rename to caf_solution/add-ons/azure_devops/documentation/images/pat_token.png 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/locals.remote_tfstates.tf b/caf_solution/add-ons/azure_devops/locals.remote_tfstates.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/locals.remote_tfstates.tf rename to caf_solution/add-ons/azure_devops/locals.remote_tfstates.tf diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/main.tf b/caf_solution/add-ons/azure_devops/main.tf similarity index 95% rename from landingzones/caf_launchpad/add-ons/azure_devops/main.tf rename to caf_solution/add-ons/azure_devops/main.tf index 37fc556e3..3cf3eb96f 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops/main.tf +++ b/caf_solution/add-ons/azure_devops/main.tf @@ -1,7 +1,7 @@ terraform { required_providers { azurerm = { - source = "hashicorp/azurerm" + source = "hashicorp/azurerm" version = "~> 2.43" } azuread = { @@ -30,7 +30,7 @@ terraform { } azurecaf = { source = "aztfmod/azurecaf" - version = "~> 1.2.0" + version = "~>1.1.0" } } required_version = ">= 0.13" diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/output.tf b/caf_solution/add-ons/azure_devops/output.tf similarity index 80% rename from landingzones/caf_launchpad/add-ons/azure_devops/output.tf rename to caf_solution/add-ons/azure_devops/output.tf index c8ebf3f9d..a46105168 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops/output.tf +++ b/caf_solution/add-ons/azure_devops/output.tf @@ -1,4 +1,4 @@ -output keyvaults { +output "keyvaults" { value = map( var.landingzone.key, module.caf.keyvaults ) diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/readme.md b/caf_solution/add-ons/azure_devops/readme.md similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/readme.md rename to caf_solution/add-ons/azure_devops/readme.md 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo/azure_devops.tfvars b/caf_solution/add-ons/azure_devops/scenario/200-contoso_demo/azure_devops.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo/azure_devops.tfvars rename to caf_solution/add-ons/azure_devops/scenario/200-contoso_demo/azure_devops.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo/configurations.tfvars b/caf_solution/add-ons/azure_devops/scenario/200-contoso_demo/configurations.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo/configurations.tfvars rename to caf_solution/add-ons/azure_devops/scenario/200-contoso_demo/configurations.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo/pipeline/rover.yaml b/caf_solution/add-ons/azure_devops/scenario/200-contoso_demo/pipeline/rover.yaml similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo/pipeline/rover.yaml rename to caf_solution/add-ons/azure_devops/scenario/200-contoso_demo/pipeline/rover.yaml diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/solution.tf b/caf_solution/add-ons/azure_devops/solution.tf similarity index 98% rename from landingzones/caf_launchpad/add-ons/azure_devops/solution.tf rename to caf_solution/add-ons/azure_devops/solution.tf index e519166e8..718e923ba 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops/solution.tf +++ b/caf_solution/add-ons/azure_devops/solution.tf @@ -1,6 +1,6 @@ module "caf" { source = "aztfmod/caf/azurerm" - version = "~>5.2.0" + version = "~>5.1.0" current_landingzone_key = var.landingzone.key tenant_id = var.tenant_id diff --git a/caf_solution/add-ons/azure_devops/variables.tf b/caf_solution/add-ons/azure_devops/variables.tf new file mode 100644 index 000000000..87dcc831a --- /dev/null 
+++ b/caf_solution/add-ons/azure_devops/variables.tf 
@@ -0,0 +1,102 @@ +# Map of the remote data state for lower level +variable "lower_storage_account_name" {} +variable "lower_container_name" {} +variable "lower_resource_group_name" {} + +variable "tfstate_storage_account_name" {} +variable "tfstate_container_name" {} +variable "tfstate_key" {} +variable "tfstate_resource_group_name" {} + +variable "tfstate_subscription_id" { + description = "This value is propulated by the rover. subscription id hosting the remote tfstates" +} + +variable "global_settings" { + default = {} +} +variable "tenant_id" {} +variable "landingzone" { +} +variable "rover_version" { + default = null +} + +variable "logged_user_objectId" { + default = null +} +variable "logged_aad_app_objectId" { + default = null +} +variable "tags" { + default = null +} +variable "app_service_environments" { + default = {} +} +variable "app_service_plans" { + default = {} +} +variable "app_services" { + default = {} +} +variable "diagnostics_definition" { + default = {} +} +variable "resource_groups" { + default = {} +} +variable "network_security_group_definition" { + default = {} +} +variable "vnets" { + default = {} +} +variable "azurerm_redis_caches" { + default = {} +} +variable "mssql_servers" { + default = {} +} +variable "storage_accounts" { + default = {} +} +variable "storage_account_blobs" { + default = {} +} +variable "azuread_groups" { + default = {} +} +variable "keyvaults" { + default = {} +} +variable "keyvault_access_policies" { + default = {} +} +variable "keyvault_access_policies_azuread_apps" { + default = {} +} +variable "virtual_machines" { + default = {} +} +variable "diagnostic_storage_accounts" { + default = {} +} +variable "virtual_machine_extension_scripts" { + default = {} +} +variable "azure_devops" { + default = {} +} +variable "role_mapping" { + default = {} +} +variable "custom_role_definitions" { + default = {} +} +variable "azuread_apps" { + default = {} +} +variable "dynamic_keyvault_secrets" { + default = {} +} \ No 
newline at end of file diff --git a/landingzones/caf_networking/backend.azurerm b/caf_solution/add-ons/azure_devops_agent/backend.azurerm similarity index 100% rename from landingzones/caf_networking/backend.azurerm rename to caf_solution/add-ons/azure_devops_agent/backend.azurerm diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/dynamic_secrets.tf b/caf_solution/add-ons/azure_devops_agent/dynamic_secrets.tf similarity index 79% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/dynamic_secrets.tf rename to caf_solution/add-ons/azure_devops_agent/dynamic_secrets.tf index 7d3f50ba1..63f0367a4 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/dynamic_secrets.tf +++ b/caf_solution/add-ons/azure_devops_agent/dynamic_secrets.tf @@ -1,7 +1,7 @@ -module dynamic_keyvault_secrets { +module "dynamic_keyvault_secrets" { source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets" - version = "~>5.2.0" + version = "~>5.1.0" for_each = try(var.dynamic_keyvault_secrets, {}) diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/extensions/devops_selfhosted_agent.tf b/caf_solution/add-ons/azure_devops_agent/extensions/devops_selfhosted_agent.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/extensions/devops_selfhosted_agent.tf rename to caf_solution/add-ons/azure_devops_agent/extensions/devops_selfhosted_agent.tf diff --git a/caf_solution/add-ons/azure_devops_agent/extensions/variables.tf b/caf_solution/add-ons/azure_devops_agent/extensions/variables.tf new file mode 100644 index 000000000..9b8d2f8c3 --- /dev/null +++ b/caf_solution/add-ons/azure_devops_agent/extensions/variables.tf @@ -0,0 +1,3 @@ +variable "virtual_machine_id" {} +variable "extensions" {} +variable "settings" {} \ No newline at end of file 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/locals.current_tfstates.tf b/caf_solution/add-ons/azure_devops_agent/locals.current_tfstates.tf similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/locals.current_tfstates.tf rename to caf_solution/add-ons/azure_devops_agent/locals.current_tfstates.tf diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/main.tf b/caf_solution/add-ons/azure_devops_agent/main.tf similarity index 95% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/main.tf rename to caf_solution/add-ons/azure_devops_agent/main.tf index f0376bf7c..67d570897 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/main.tf +++ b/caf_solution/add-ons/azure_devops_agent/main.tf @@ -1,7 +1,7 @@ terraform { required_providers { azurerm = { - source = "hashicorp/azurerm" + source = "hashicorp/azurerm" version = "~> 2.43" } azuread = { @@ -30,7 +30,7 @@ terraform { } azurecaf = { source = "aztfmod/azurecaf" - version = "~> 1.2.0" + version = "~>1.1.0" } } required_version = ">= 0.13" diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/output.tf b/caf_solution/add-ons/azure_devops_agent/output.tf similarity index 71% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/output.tf rename to caf_solution/add-ons/azure_devops_agent/output.tf index 816e24587..e19cb88aa 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/output.tf +++ b/caf_solution/add-ons/azure_devops_agent/output.tf 
@@ -1,34 +1,34 @@ -output managed_identities { +output "managed_identities" { value = local.combined.managed_identities sensitive = false } -output azuread_groups { +output "azuread_groups" { value = local.combined.azuread_groups sensitive = true } -output keyvaults { +output "keyvaults" { value = local.combined.keyvaults sensitive = false } -output vnets { +output "vnets" { value = local.remote.vnets sensitive = false } -output global_settings { +output "global_settings" { value = local.global_settings sensitive = true } -output diagnostics { +output "diagnostics" { value = local.diagnostics sensitive = true } -output tfstates { +output "tfstates" { value = local.tfstates sensitive = true } \ No newline at end of file diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/readme.md b/caf_solution/add-ons/azure_devops_agent/readme.md similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/readme.md rename to caf_solution/add-ons/azure_devops_agent/readme.md diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/configuration.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/configuration.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/configuration.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/configuration.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/keyvaults.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/keyvaults.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/keyvaults.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/keyvaults.tfvars 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/storage_accounts.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/storage_accounts.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/storage_accounts.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/storage_accounts.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/virtual_machines.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/virtual_machines.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/virtual_machines.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level0/virtual_machines.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/configuration.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/configuration.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/configuration.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/configuration.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/keyvaults.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/keyvaults.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/keyvaults.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/keyvaults.tfvars 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/storage_accounts.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/storage_accounts.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/storage_accounts.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/storage_accounts.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/virtual_machines.tfvars b/caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/virtual_machines.tfvars similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/virtual_machines.tfvars rename to caf_solution/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1/virtual_machines.tfvars diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scripts/cloud-init-install-rover-tools.config b/caf_solution/add-ons/azure_devops_agent/scripts/cloud-init-install-rover-tools.config similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scripts/cloud-init-install-rover-tools.config rename to caf_solution/add-ons/azure_devops_agent/scripts/cloud-init-install-rover-tools.config diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scripts/devops_runtime_baremetal.sh b/caf_solution/add-ons/azure_devops_agent/scripts/devops_runtime_baremetal.sh similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scripts/devops_runtime_baremetal.sh rename to caf_solution/add-ons/azure_devops_agent/scripts/devops_runtime_baremetal.sh 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/scripts/devops_runtime_docker.sh b/caf_solution/add-ons/azure_devops_agent/scripts/devops_runtime_docker.sh similarity index 100% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/scripts/devops_runtime_docker.sh rename to caf_solution/add-ons/azure_devops_agent/scripts/devops_runtime_docker.sh diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/solution.tf b/caf_solution/add-ons/azure_devops_agent/solution.tf similarity index 98% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/solution.tf rename to caf_solution/add-ons/azure_devops_agent/solution.tf index fb687582d..3316f9894 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/solution.tf +++ b/caf_solution/add-ons/azure_devops_agent/solution.tf @@ -1,6 +1,6 @@ module "caf" { source = "aztfmod/caf/azurerm" - version = "~>5.2.0" + version = "~>5.1.0" current_landingzone_key = var.landingzone.key tenant_id = var.tenant_id diff --git a/caf_solution/add-ons/azure_devops_agent/variables.tf b/caf_solution/add-ons/azure_devops_agent/variables.tf new file mode 100644 index 000000000..45c344a59 --- /dev/null +++ b/caf_solution/add-ons/azure_devops_agent/variables.tf 
@@ -0,0 +1,102 @@ +# Map of the remote data state for lower level +variable "lower_storage_account_name" {} +variable "lower_container_name" {} +variable "lower_resource_group_name" {} + +variable "tfstate_storage_account_name" {} +variable "tfstate_container_name" {} +variable "tfstate_key" {} +variable "tfstate_resource_group_name" {} + +variable "tfstate_subscription_id" { + description = "This value is propulated by the rover. subscription id hosting the remote tfstates" +} + +variable "global_settings" { + default = {} +} +variable "tenant_id" {} +variable "landingzone" { +} +variable "rover_version" { + default = null +} + +variable "logged_user_objectId" { + default = null +} +variable "logged_aad_app_objectId" { + default = null +} +variable "tags" { + default = null +} +variable "app_service_environments" { + default = {} +} +variable "app_service_plans" { + default = {} +} +variable "app_services" { + default = {} +} +variable "diagnostics_definition" { + default = {} +} +variable "resource_groups" { + default = {} +} +variable "network_security_group_definition" { + default = {} +} +variable "vnets" { + default = {} +} +variable "azurerm_redis_caches" { + default = {} +} +variable "mssql_servers" { + default = {} +} +variable "storage_accounts" { + default = {} +} +variable "storage_account_blobs" { + default = {} +} +variable "azuread_groups" { + default = {} +} +variable "keyvaults" { + default = {} +} +variable "keyvault_access_policies" { + default = {} +} +variable "virtual_machines" { + default = {} +} +variable "diagnostic_storage_accounts" { + default = {} +} +variable "virtual_machine_extension_scripts" { + default = {} +} +variable "azure_devops" { + default = {} +} +variable "role_mapping" { + default = {} +} +variable "custom_role_definitions" { + default = {} +} +variable "azuread_apps" { + default = {} +} +variable "dynamic_keyvault_secrets" { + default = {} +} +variable "managed_identities" { + default = {} +} \ No newline at end of file 
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/vm_extention_devops_agent.tf b/caf_solution/add-ons/azure_devops_agent/vm_extention_devops_agent.tf similarity index 98% rename from landingzones/caf_launchpad/add-ons/azure_devops_agent/vm_extention_devops_agent.tf rename to caf_solution/add-ons/azure_devops_agent/vm_extention_devops_agent.tf index fa9a97718..898d03288 100644 --- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/vm_extention_devops_agent.tf +++ b/caf_solution/add-ons/azure_devops_agent/vm_extention_devops_agent.tf @@ -13,7 +13,7 @@ data "azurerm_key_vault_secret" "agent_pat" { } -module vm_extensions { +module "vm_extensions" { source = "./extensions" depends_on = [module.caf] for_each = { diff --git a/caf_solution/add-ons/caf_eslz/archetype_config_overrides.tf b/caf_solution/add-ons/caf_eslz/archetype_config_overrides.tf new file mode 100644 index 000000000..ead14f952 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/archetype_config_overrides.tf 
@@ -0,0 +1,94 @@ +locals { + + archetype_config_overrides = { + for mg_id, mg_value in try(var.archetype_config_overrides, {}) : mg_id => { + + archetype_id = mg_value.archetype_id + + access_control = { + for mapping in + flatten( + [ + for role, roles in try(mg_value.access_control, {}) : { + role = role + ids = coalescelist( + flatten( + [ + for resource_type, value in roles : [ + for resource_key in try(value.resource_keys, []) : [ + local.caf[resource_type][value.lz_key][resource_key][value.attribute_key] + ] + ] + ] + ) //flatten + , + flatten( + [ + for resource_type, value in roles : [ + for principal_id in try(value.principal_ids, []) : [ + principal_id + ] + ] + ] + ) //flatten + ) //coalescelist (ids) + } + ] + ) : mapping.role => mapping.ids + } + + parameters = { + for param_key, param_value in try(mg_value.parameters, {}) : param_key => { + for key, value in param_value : key => jsonencode(try(local.caf[value.output_key][value.lz_key][value.resource_type][value.resource_key][value.attribute_key], value.value)) + } + + } + } + } + +} + +# output caf { +# value = local.caf +# } + + +## Process the following variable + +# archetype_config_overrides = { + +# root = { // var.root_id +# archetype_id = "es_root" +# parameters = { +# "Deploy-Resource-Diag" = { +# "logAnalytics" = { +# # value = "resource_id" +# lz_key = "caf_foundations_sharedservices" +# output_key = "diagnostics" +# resource_type = "log_analytics" +# resource_key = "eus_logs_ss" +# attribute_key = "id" +# } +# } +# } +# access_control = { +# "Contributor" = { +# "managed_identities" = { +# # principal_ids = ["principal_id1", "principal_id2"] +# lz_key = "launchpad" +# attribute_key = "principal_id" +# resource_keys = [ +# "level1" +# ] +# } +# } +# } +# } //root + +# # decommissioned = {} +# # sandboxes = {} +# # landing-zones = {} +# # platform = {} +# # connectivity = {} +# # management = {} +# } \ No newline at end of file 
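Review bot: `coalescelist(...)` in the `access_control` mapping returns only the first non-empty list, so when a role entry supplies both `resource_keys` and `principal_ids` the explicit principal ids are silently dropped, and an entry with neither fails inside the function rather than with a message naming the role. If the two sources are meant to be combined, `concat(...)` of the two flattened lists is the intended semantics; if they are meant to be exclusive, a comment stating that would stop the next reader from adding both. In `parameters`, `try(local.caf[...], value.value)` also masks a mistyped `lz_key`/`resource_type`/`resource_key` whenever a literal `value` is set alongside the lookup, so consider resolving the lookup without a fallback unless `value` is explicitly present.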
diff --git a/landingzones/caf_shared_services/backend.azurerm b/caf_solution/add-ons/caf_eslz/backend.azurerm
similarity index 100%
rename from landingzones/caf_shared_services/backend.azurerm
rename to caf_solution/add-ons/caf_eslz/backend.azurerm
diff --git a/caf_solution/add-ons/caf_eslz/custom_landing_zones.tf b/caf_solution/add-ons/caf_eslz/custom_landing_zones.tf
new file mode 100644
index 000000000..6b2b1a714
--- /dev/null
+++ b/caf_solution/add-ons/caf_eslz/custom_landing_zones.tf
@@ -0,0 +1,12 @@
+locals {
+
+ custom_landing_zones = {
+ for lz_key, lz_value in var.custom_landing_zones : lz_key => {
+ display_name = lz_value.display_name
+ parent_management_group_id = lz_value.parent_management_group_id
+ subscription_ids = lz_value.subscription_ids
+ archetype_config = lz_value.archetype_config
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
new file mode 100644
index 000000000..1e3972eff
--- /dev/null
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -0,0 +1,18 @@
+# For full description on enterprise_scale module usage, please refer to https://github.com/Azure/terraform-azurerm-caf-enterprise-scale
+
+module "enterprise_scale" {
+ source = "Azure/caf-enterprise-scale/azurerm"
+ version = "~> 0.1.0"
+
+ root_parent_id = data.azurerm_client_config.current.tenant_id
+ default_location = local.global_settings.regions[local.global_settings.default_region]
+
+ #path to the policies definition and assignment repo
+ library_path = var.library_path
+ archetype_config_overrides = local.archetype_config_overrides
+ custom_landing_zones = local.custom_landing_zones
+ deploy_core_landing_zones = var.deploy_core_landing_zones
+ root_id = var.root_id
+ root_name = var.root_name
+ subscription_id_overrides = var.subscription_id_overrides
+}
\ No newline at end of file
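Review bot: `default_location` is taken from remote state (`local.global_settings.regions[local.global_settings.default_region]`) while `var.default_location` (declared in this commit's variables.tf with default `eastus`) is never passed to the module, so a value set in tfvars is silently ignored; the same applies to `deploy_demo_landing_zones` and `template_file_variables`. Either wire them through or drop the dead variables so the interface does not advertise knobs that do nothing. Also worth a comment: `root_parent_id = data.azurerm_client_config.current.tenant_id` places the whole hierarchy directly under the Tenant Root Group, and the role assignments this module creates there typically require the deploying identity to hold elevated rights (Owner/User Access Administrator) at the root management group, which is an operational prerequisite readers should see up front: `# Deploys under the Tenant Root Group: the deploying identity needs elevated access at root MG scope`.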
diff --git a/caf_solution/add-ons/caf_eslz/lib/archetype_definitions/README.md b/caf_solution/add-ons/caf_eslz/lib/archetype_definitions/README.md new file mode 100644 index 000000000..cb8923540 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/lib/archetype_definitions/README.md @@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default archetypes + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/archetype_definitions diff --git a/caf_solution/add-ons/caf_eslz/lib/policy_assignments/README.md b/caf_solution/add-ons/caf_eslz/lib/policy_assignments/README.md new file mode 100644 index 000000000..def2a5a6d --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/lib/policy_assignments/README.md @@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy assignments + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments diff --git a/caf_solution/add-ons/caf_eslz/lib/policy_definitions/README.md b/caf_solution/add-ons/caf_eslz/lib/policy_definitions/README.md new file mode 100644 index 000000000..e47f922fd --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/lib/policy_definitions/README.md 
@@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions diff --git a/caf_solution/add-ons/caf_eslz/lib/policy_set_definitions/README.md b/caf_solution/add-ons/caf_eslz/lib/policy_set_definitions/README.md new file mode 100644 index 000000000..c09d2c016 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/lib/policy_set_definitions/README.md @@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy set definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions diff --git a/caf_solution/add-ons/caf_eslz/lib/role_definitions/README.md b/caf_solution/add-ons/caf_eslz/lib/role_definitions/README.md new file mode 100644 index 000000000..2230928aa --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/lib/role_definitions/README.md @@ -0,0 +1,11 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + + +# List of the default role defitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions 
diff --git a/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf b/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf new file mode 100644 index 000000000..48fc5bc32 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf 
@@ -0,0 +1,51 @@ +locals { + landingzone = { + current = { + storage_account_name = var.tfstate_storage_account_name + container_name = var.tfstate_container_name + resource_group_name = var.tfstate_resource_group_name + } + lower = { + storage_account_name = var.lower_storage_account_name + container_name = var.lower_container_name + resource_group_name = var.lower_resource_group_name + } + } +} + +data "terraform_remote_state" "remote" { + for_each = try(var.landingzone.tfstates, {}) + + backend = var.landingzone.backend_type + config = { + storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name + container_name = local.landingzone[try(each.value.level, "current")].container_name + resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name + subscription_id = var.tfstate_subscription_id + key = each.value.tfstate + } +} + +locals { + landingzone_tag = { + "landingzone" = var.landingzone.key + } + + global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings + diagnostics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics + + caf = { + tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags) + + global_settings = { + for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].global_settings, {})) + } + diagnostics = { + for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].diagnostics, {})) + } + managed_identities = { + for key, value in try(var.landingzone.tfstates, {}) : key => 
merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
+ }
+ }
+
+}
diff --git a/caf_solution/add-ons/caf_eslz/main.tf b/caf_solution/add-ons/caf_eslz/main.tf
new file mode 100644
index 000000000..9f0c7006e
--- /dev/null
+++ b/caf_solution/add-ons/caf_eslz/main.tf
@@ -0,0 +1,18 @@
+
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.52.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
+
+
+provider "azurerm" {
+ features {}
+}
+
+data "azurerm_client_config" "current" {}
+
diff --git a/caf_solution/add-ons/caf_eslz/scenario/contoso/archetype_config_overrides.tfvars b/caf_solution/add-ons/caf_eslz/scenario/contoso/archetype_config_overrides.tfvars
new file mode 100644
index 000000000..781917ec1
--- /dev/null
+++ b/caf_solution/add-ons/caf_eslz/scenario/contoso/archetype_config_overrides.tfvars
@@ -0,0 +1,77 @@ +archetype_config_overrides = { + + root = { + archetype_id = "es_root" + parameters = { + "Deploy-Resource-Diag" = { + "logAnalytics" = { + # value = "resource_id" + lz_key = "caf_foundations_sharedservices" + output_key = "diagnostics" + resource_type = "log_analytics" + resource_key = "central_logs_region1" + attribute_key = "id" + } + } + } + access_control = { + "Contributor" = { + "managed_identities" = { + # principal_ids = ["principal_id1", "principal_id2"] + lz_key = "launchpad" + attribute_key = "principal_id" + resource_keys = [ + "level1" + ] + } + } + } + } + + # decommissioned = { + # archetype_id = "es_decommissioned" + # parameters = {} + # access_control = {} + # } + + # sandboxes = { + # archetype_id = "es_sandboxes" + # parameters = {} + # access_control = {} + # } + + landing-zones = { + archetype_id = "es_landing_zones" + parameters = {} + access_control = { + "Contributor" = { + "managed_identities" = { + # principal_ids = ["principal_id1", "principal_id2"] + lz_key = "launchpad" + attribute_key = "principal_id" + resource_keys = [ + "level3", "subscription_creation_landingzones" + ] + } + } + } + } + + # platform = { + # archetype_id = "es_platform" + # parameters = {} + # access_control = {} + # } + + # connectivity = { + # archetype_id = "es_connectivity_foundation" + # parameters = {} + # access_control = {} + # } + + # management = { + # archetype_id = "es_management" + # parameters = {} + # access_control = {} + # } +} \ No newline at end of file diff --git a/caf_solution/add-ons/caf_eslz/scenario/contoso/custom_landing_zones.tfvars b/caf_solution/add-ons/caf_eslz/scenario/contoso/custom_landing_zones.tfvars new file mode 100644 index 000000000..48dc2d807 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/scenario/contoso/custom_landing_zones.tfvars 
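Review bot: The `root` override grants `Contributor` at the root management group to the launchpad `level1` managed identity, which inherits to every subscription in the tenant, a tenant-wide standing privilege for an identity whose role here appears to be level1 deployments. If level1 only needs to manage platform subscriptions, scope the assignment to the `platform` (or `management`) management group and keep root for break-glass roles; the same question applies to `landing-zones`, where `level3` and `subscription_creation_landingzones` receive Contributor on all landing-zone subscriptions. Record the justification next to each grant, e.g. `# level1 MSI: Contributor at root needed because <reason>; revisit before production`, so the scope survives a later access review.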
@@ -0,0 +1,47 @@ +custom_landing_zones = { + + contoso-devops = { + display_name = "Devops" + parent_management_group_id = "contoso-platform" + subscription_ids = [] + archetype_config = { + archetype_id = "default_empty" + parameters = {} + access_control = {} + } + } + + contoso-staging = { + display_name = "Staging" + parent_management_group_id = "contoso-landing-zones" + subscription_ids = [] + archetype_config = { + archetype_id = "default_empty" + parameters = {} + access_control = {} + } + } + + contoso-dev = { + display_name = "Dev" + parent_management_group_id = "contoso-landing-zones" + subscription_ids = [] + archetype_config = { + archetype_id = "default_empty" + parameters = {} + access_control = {} + } + } + + contoso-production = { + display_name = "Production" + parent_management_group_id = "contoso-landing-zones" + subscription_ids = [] + archetype_config = { + archetype_id = "default_empty" + parameters = {} + access_control = {} + } + } + +} \ No newline at end of file diff --git a/caf_solution/add-ons/caf_eslz/scenario/contoso/enterprise_scale.tfvars b/caf_solution/add-ons/caf_eslz/scenario/contoso/enterprise_scale.tfvars new file mode 100644 index 000000000..8aa30df26 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/scenario/contoso/enterprise_scale.tfvars @@ -0,0 +1,4 @@ +library_path = "landingzones/caf_solution/add-ons/caf_eslz/scenario/contoso" // Adjust the path as needed +root_id = "contoso" +root_name = "Contoso" +deploy_core_landing_zones = true \ No newline at end of file diff --git a/caf_solution/add-ons/caf_eslz/scenario/contoso/landingzone.tfvars b/caf_solution/add-ons/caf_eslz/scenario/contoso/landingzone.tfvars new file mode 100644 index 000000000..5ef87fc15 --- /dev/null +++ b/caf_solution/add-ons/caf_eslz/scenario/contoso/landingzone.tfvars 
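Review bot: All four custom management groups use `archetype_id = "default_empty"`, so Dev, Staging and Production carry no policy assignments or role definitions of their own and rely entirely on inheritance from `contoso-landing-zones`/`contoso-platform`; for the Production group that deserves an explicit comment (`# default_empty: guardrails come only from the parent MG`) or a dedicated archetype. The `parent_management_group_id` values also hard-code the `contoso-` prefix that the module derives from `root_id`, so changing `root_id` in enterprise_scale.tfvars without updating these four strings breaks the hierarchy; a comment pointing at that coupling would help.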
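Review bot: `library_path` points at `.../caf_eslz/scenario/contoso`, but the custom library skeleton this commit creates (`lib/archetype_definitions`, `lib/policy_assignments`, `lib/policy_definitions`, `lib/policy_set_definitions`, `lib/role_definitions`) lives under `caf_solution/add-ons/caf_eslz/lib`, and the path still carries the `landingzones/` prefix that the renames in this commit remove. Unless the scenario folder is meant to host its own library (not visible in this diff), this should be `library_path = "caf_solution/add-ons/caf_eslz/lib"`, or better resolved relative to the module in enterprise_scale.tf with `"${path.module}/lib"` so it does not depend on the clone location the "Adjust the path as needed" comment hints at.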
@@ -0,0 +1,19 @@
+landingzone = {
+ backend_type = "azurerm"
+ global_settings_key = "caf_foundations_sharedservices"
+ level = "level1"
+ key = "caf_foundations_enterprise_scale"
+ tfstates = {
+ // Remote tfstate to retrieve default location and log analytics workspace
+ caf_foundations_sharedservices = {
+ level = "current"
+ tfstate = "caf_foundations_sharedservices.tfstate"
+ }
+ // Remote tfstate to retrieve the MSI created by the launchpad and set permissions on the MG hierarchy
+ // Requires scenarion 200 to get access to Log Analytics key 'central_logs_region1'
+ launchpad = {
+ level = "lower"
+ tfstate = "caf_launchpad.tfstate"
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/caf_eslz/scenario/contoso/subscription_id_overrides.tfvars b/caf_solution/add-ons/caf_eslz/scenario/contoso/subscription_id_overrides.tfvars
new file mode 100644
index 000000000..915ca2691
--- /dev/null
+++ b/caf_solution/add-ons/caf_eslz/scenario/contoso/subscription_id_overrides.tfvars
@@ -0,0 +1,10 @@
+subscription_id_overrides = {
+ root = []
+ decommissioned = []
+ sandboxes = []
+ landing-zones = []
+ platform = []
+ connectivity = []
+ management = []
+ identity = []
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf
new file mode 100644
index 000000000..dcf13848c
--- /dev/null
+++ b/caf_solution/add-ons/caf_eslz/variables.tf
@@ -0,0 +1,147 @@ + +variable "landing_zones_variables" { + default = {} +} +# Map of the remote data state +variable "lower_storage_account_name" { + description = "This value is propulated by the rover" +} +variable "lower_container_name" { + description = "This value is propulated by the rover" +} +variable "lower_resource_group_name" { + description = "This value is propulated by the rover" +} + +variable "tfstate_subscription_id" { + description = "This value is propulated by the rover. subscription id hosting the remote tfstates" +} +variable "tfstate_storage_account_name" { + description = "This value is propulated by the rover" +} +variable "tfstate_container_name" { + description = "This value is propulated by the rover" +} +variable "tfstate_resource_group_name" { + description = "This value is propulated by the rover" +} + +variable "diagnostics_definition" { + default = {} +} + +variable "landingzone" { + default = { + backend_type = "azurerm" + global_settings_key = "launchpad" + level = "level1" + key = "enterprise_scale" + tfstates = { + launchpad = { + level = "lower" + tfstate = "caf_launchpad.tfstate" + } + } + } +} + + +variable "user_type" {} +variable "tenant_id" {} +variable "rover_version" {} +variable "logged_user_objectId" { + default = null +} +variable "tags" { + type = map(any) + default = {} +} + + +variable "root_id" { + type = string + description = "If specified, will set a custom Name (ID) value for the Enterprise-scale \"root\" Management Group, and append this to the ID for all core Enterprise-scale Management Groups." + default = "es" + + validation { + condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_id)) + error_message = "The root_id value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens." + } +} + +variable "root_name" { + type = string + description = "If specified, will set a custom Display Name value for the Enterprise-scale \"root\" Management Group." 
+ default = "Enterprise-Scale" + + validation { + condition = can(regex("^[A-Za-z][A-Za-z0-9- ._]{1,22}[A-Za-z0-9]?$", var.root_name)) + error_message = "The root_name value must be between 2 to 24 characters long, start with a letter, end with a letter or number, and can only contain space, hyphen, underscore or period characters." + } +} + +variable "deploy_core_landing_zones" { + type = bool + description = "If set to true, will include the core Enterprise-scale Management Group hierarchy." + default = false +} + +variable "archetype_config_overrides" { + # type = map(any) + description = "If specified, will set custom Archetype configurations to the default Enterprise-scale Management Groups." + default = {} +} + +variable "subscription_id_overrides" { + type = map(list(string)) + description = "If specified, will be used to assign subscription_ids to the default Enterprise-scale Management Groups." + default = {} +} + +variable "deploy_demo_landing_zones" { + type = bool + description = "If set to true, will include the demo \"Landing Zone\" Management Groups." + default = false +} + +variable "custom_landing_zones" { + type = map( + object({ + display_name = string + parent_management_group_id = string + subscription_ids = list(string) + archetype_config = object({ + archetype_id = string + parameters = any + access_control = any + }) + }) + ) + description = "If specified, will deploy additional Management Groups alongside Enterprise-scale core Management Groups." + default = {} + + validation { + condition = can(regex("^[a-z0-9-]{2,36}$", keys(var.custom_landing_zones)[0])) || length(keys(var.custom_landing_zones)) == 0 + error_message = "The custom_landing_zones keys must be between 2 to 36 characters long and can only contain lowercase letters, numbers and hyphens." + } +} + +variable "library_path" { + type = string + description = "If specified, sets the path to a custom library folder for archetype artefacts." 
+ default = "" +} + +variable "template_file_variables" { + type = map(any) + description = "If specified, provides the ability to define custom template variables used when reading in template files from the built-in and custom library_path." + default = {} +} + +variable "default_location" { + type = string + description = "If specified, will use set the default location used for resource deployments where needed." + default = "eastus" + + # Need to add validation covering all Azure locations +} diff --git a/landingzones/caf_solutions/add-ons/aks_applications/backend.azurerm b/caf_solution/add-ons/databricks/backend.azurerm similarity index 100% rename from landingzones/caf_solutions/add-ons/aks_applications/backend.azurerm rename to caf_solution/add-ons/databricks/backend.azurerm diff --git a/landingzones/caf_solutions/add-ons/databricks/databricks.tf b/caf_solution/add-ons/databricks/databricks.tf similarity index 91% rename from landingzones/caf_solutions/add-ons/databricks/databricks.tf rename to caf_solution/add-ons/databricks/databricks.tf index dcb9053ec..1c81174b7 100644 --- a/landingzones/caf_solutions/add-ons/databricks/databricks.tf +++ b/caf_solution/add-ons/databricks/databricks.tf @@ -9,13 +9,13 @@ provider "databricks" { # azure_tenant_id = var.tenant_id } -module databricks { +module "databricks" { source = "../../modules/databricks" settings = var.databricks } -output databricks { +output "databricks" { value = module.databricks sensitive = false } diff --git a/landingzones/caf_solutions/add-ons/databricks/locals.remote_tfstates.tf b/caf_solution/add-ons/databricks/locals.remote_tfstates.tf similarity index 100% rename from landingzones/caf_solutions/add-ons/databricks/locals.remote_tfstates.tf rename to caf_solution/add-ons/databricks/locals.remote_tfstates.tf 
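Review bot: The `custom_landing_zones` validation only inspects `keys(var.custom_landing_zones)[0]`, so with more than one entry every key after the first (in lexical order) escapes the `^[a-z0-9-]{2,36}$` check and a bad name only surfaces later as an Azure API error. Validate every key instead: `condition = length([for k in keys(var.custom_landing_zones) : k if !can(regex("^[a-z0-9-]{2,36}$", k))]) == 0` (this form works on Terraform 0.13, which `required_version = ">= 0.13"` still admits; `alltrue` would need 0.14). Separately, `archetype_config_overrides` has its `type` commented out, so a malformed override is caught only deep inside the `for` expressions in archetype_config_overrides.tf rather than at variable validation.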
diff --git a/landingzones/caf_solutions/add-ons/databricks/main.tf b/caf_solution/add-ons/databricks/main.tf similarity index 93% rename from landingzones/caf_solutions/add-ons/databricks/main.tf rename to caf_solution/add-ons/databricks/main.tf index 516a9e382..1325d0f88 100644 --- a/landingzones/caf_solutions/add-ons/databricks/main.tf +++ b/caf_solution/add-ons/databricks/main.tf @@ -1,16 +1,16 @@ terraform { required_providers { azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.48" + source = "hashicorp/azurerm" + version = "~> 2.43" } azurecaf = { source = "aztfmod/azurecaf" - version = "~> 1.2.0" + version = "1.0.0" } databricks = { source = "databrickslabs/databricks" - version = "~> 0.3.1" + version = "~> 0.2.5" } } required_version = ">= 0.13" diff --git a/caf_solution/add-ons/databricks/variables.tf b/caf_solution/add-ons/databricks/variables.tf new file mode 100644 index 000000000..6c3a9e993 --- /dev/null +++ b/caf_solution/add-ons/databricks/variables.tf 
@@ -0,0 +1,154 @@ +# Map of the remote data state for lower level +variable "lower_storage_account_name" {} +variable "lower_container_name" {} +variable "lower_resource_group_name" {} + +variable "tfstate_storage_account_name" {} +variable "tfstate_container_name" {} +variable "tfstate_key" {} +variable "tfstate_resource_group_name" {} + +variable "global_settings" { + default = {} +} + +variable "landingzone" { + default = "" +} + +variable "environment" { + default = "sandpit" +} +variable "rover_version" { + default = null +} +variable "max_length" { + default = 40 +} +variable "logged_user_objectId" { + default = null +} +variable "logged_aad_app_objectId" { + default = null +} +variable "tags" { + default = null + type = map(any) +} +variable "diagnostic_log_analytics" { + default = {} +} +variable "app_service_environments" { + default = {} +} +variable "app_service_plans" { + default = {} +} +variable "app_services" { + default = {} +} +variable "diagnostics_definition" { + default = null +} +variable "resource_groups" { + default = null +} +variable "network_security_group_definition" { + default = {} +} +variable "vnets" { + default = {} +} +variable "azurerm_redis_caches" { + default = {} +} +variable "mssql_servers" { + default = {} +} +variable "mssql_databases" { + default = {} +} +variable "mssql_elastic_pools" { + default = {} +} +variable "storage_accounts" { + default = {} +} +variable "azuread_groups" { + default = {} +} +variable "keyvaults" { + default = {} +} +variable "keyvault_access_policies" { + default = {} +} +variable "virtual_machines" { + default = {} +} +variable "azure_container_registries" { + default = {} +} +variable "bastion_hosts" { + default = {} +} +variable "public_ip_addresses" { + default = {} +} +variable "diagnostic_storage_accounts" { + default = {} +} +variable "managed_identities" { + default = {} +} +variable "private_dns" { + default = {} +} +variable "synapse_workspaces" { + default = {} +} +variable 
"azurerm_application_insights" { + default = {} +} +variable "role_mapping" { + default = {} +} +variable "aks_clusters" { + default = {} +} +variable "databricks_workspaces" { + default = {} +} +variable "machine_learning_workspaces" { + default = {} +} +variable "monitoring" { + default = {} +} +variable "virtual_wans" { + default = {} +} +variable "event_hub_namespaces" { + default = {} +} +variable "application_gateways" { + default = {} +} +variable "application_gateway_applications" { + default = {} +} +variable "dynamic_keyvault_secrets" { + default = {} +} +variable "disk_encryption_sets" { + default = {} +} +variable "keyvault_keys" { + default = {} +} +variable "databricks" { + default = {} +} +variable "var_folder_path" { + default = {} +} \ No newline at end of file diff --git a/landingzones/caf_solutions/add-ons/databricks/backend.azurerm b/caf_solution/add-ons/helm-charts/backend.azurerm similarity index 100% rename from landingzones/caf_solutions/add-ons/databricks/backend.azurerm rename to caf_solution/add-ons/helm-charts/backend.azurerm diff --git a/caf_solution/add-ons/helm-charts/charts.tf b/caf_solution/add-ons/helm-charts/charts.tf new file mode 100644 index 000000000..74b16be73 --- /dev/null +++ b/caf_solution/add-ons/helm-charts/charts.tf @@ -0,0 +1,21 @@ + +resource "kubernetes_namespace" "gitlab_runners" { + for_each = var.aks_namespaces + + metadata { + name = each.value + } +} + +resource "helm_release" "chart" { + depends_on = [kubernetes_namespace.gitlab_runners] + for_each = var.helm_charts + + chart = each.value.chart + name = each.value.name + namespace = each.value.namespace + repository = try(each.value.repository, null) + timeout = try(each.value.timeout, 4000) + values = [file(each.value.value_file)] + wait = try(each.value.wait, true) +} \ No newline at end of file 
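Review bot: `helm_release.chart` sets no `version`, so every apply resolves the latest chart published in `repository`, which makes deployments non-reproducible and lets an unreviewed chart update reach the cluster (a supply-chain concern whenever the repository is third-party). Add `version = try(each.value.version, null)` and pin it in the tfvars for each chart. The namespace resource is also named `kubernetes_namespace.gitlab_runners` while it iterates the generic `var.aks_namespaces`; a neutral name such as `kubernetes_namespace.namespaces` would avoid misleading readers, since nothing in this add-on is GitLab-specific.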
diff --git a/caf_solution/add-ons/helm-charts/local.remote_tfstates.tf b/caf_solution/add-ons/helm-charts/local.remote_tfstates.tf new file mode 100644 index 000000000..c87b31046 --- /dev/null +++ b/caf_solution/add-ons/helm-charts/local.remote_tfstates.tf 
@@ -0,0 +1,49 @@ +locals { + landingzone = { + current = { + storage_account_name = var.tfstate_storage_account_name + container_name = var.tfstate_container_name + resource_group_name = var.tfstate_resource_group_name + } + lower = { + storage_account_name = var.lower_storage_account_name + container_name = var.lower_container_name + resource_group_name = var.lower_resource_group_name + } + } +} + +data "terraform_remote_state" "remote" { + for_each = try(var.landingzone.tfstates, {}) + + backend = var.landingzone.backend_type + config = { + storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name + container_name = local.landingzone[try(each.value.level, "current")].container_name + resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name + subscription_id = var.tfstate_subscription_id + key = each.value.tfstate + } +} + +locals { + landingzone_tag = { + "landingzone" = var.landingzone.key + } + + global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings + diagnostics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics + + remote = { + tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags) + global_settings = local.global_settings + diagnostics = local.diagnostics + + + aks_clusters = { + for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].aks_clusters, {})) + } + + } + +} diff --git a/caf_solution/add-ons/helm-charts/main.tf b/caf_solution/add-ons/helm-charts/main.tf new file mode 100644 index 000000000..263eade2a --- /dev/null +++ b/caf_solution/add-ons/helm-charts/main.tf 
@@ -0,0 +1,17 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.51.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.0.2"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "~> 2.0.3"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/caf_solution/add-ons/helm-charts/providers.tf b/caf_solution/add-ons/helm-charts/providers.tf
new file mode 100644
index 000000000..3beaf3ead
--- /dev/null
+++ b/caf_solution/add-ons/helm-charts/providers.tf
@@ -0,0 +1,39 @@
+
+provider "azurerm" {
+ features {
+ }
+}
+
+provider "kubernetes" {
+ host = local.k8sconfigs[var.aks_cluster_key].host
+ username = local.k8sconfigs[var.aks_cluster_key].username
+ password = local.k8sconfigs[var.aks_cluster_key].password
+ client_certificate = local.k8sconfigs[var.aks_cluster_key].client_certificate
+ client_key = local.k8sconfigs[var.aks_cluster_key].client_key
+ cluster_ca_certificate = local.k8sconfigs[var.aks_cluster_key].cluster_ca_certificate
+}
+
+provider "helm" {
+ kubernetes {
+ host = local.k8sconfigs[var.aks_cluster_key].host
+ username = local.k8sconfigs[var.aks_cluster_key].username
+ password = local.k8sconfigs[var.aks_cluster_key].password
+ client_certificate = local.k8sconfigs[var.aks_cluster_key].client_certificate
+ client_key = local.k8sconfigs[var.aks_cluster_key].client_key
+ cluster_ca_certificate = local.k8sconfigs[var.aks_cluster_key].cluster_ca_certificate
+ }
+}
+
+locals {
+ k8sconfigs = {
+ for key, value in var.aks_clusters : key => {
+ kube_admin_config_raw = local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config_raw
+ host = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.host : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.host
+ username = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.username : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.username
+ password = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.password : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.password
+ client_certificate = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.client_certificate) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.client_certificate)
+ client_key = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.client_key) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.client_key)
+ cluster_ca_certificate = local.remote.aks_clusters[value.lz_key][value.key].enable_rbac ? base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0.cluster_ca_certificate) : base64decode(local.remote.aks_clusters[value.lz_key][value.key].kube_config.0.cluster_ca_certificate)
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/helm-charts/variables.tf b/caf_solution/add-ons/helm-charts/variables.tf
new file mode 100644
index 000000000..2c4c62f35
--- /dev/null
+++ b/caf_solution/add-ons/helm-charts/variables.tf
@@ -0,0 +1,32 @@
+# Map of the remote data state for lower level
+variable "lower_storage_account_name" {}
+variable "lower_container_name" {}
+variable "lower_resource_group_name" {}
+
+variable "tfstate_subscription_id" {
+ description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+}
+variable "tfstate_storage_account_name" {}
+variable "tfstate_container_name" {}
+variable "tfstate_key" {}
+variable "tfstate_resource_group_name" {}
+
+variable "landingzone" {}
+variable "rover_version" {
+ default = null
+}
+variable "tags" {
+ default = null
+}
+
+variable "helm_charts" {}
+variable "aks_namespaces" {
+ default = {}
+}
+variable "aks_cluster_key" {
+ description = "AKS cluster key to deploy the Gitlab Helm charts. The key must be defined in the variable aks_clusters"
+}
+variable "aks_cluster_vnet_key" {
+
+}
+variable "aks_clusters" {}
\ No newline at end of file
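Review bot: The `kube_admin_config_raw` key computed in `k8sconfigs` is never read by either provider block, and the `enable_rbac ? kube_admin_config.0.X : kube_config.0.X` conditional is repeated six times per cluster; selecting the kubeconfig object once and reading every field from it removes the dead key and the duplication. When `enable_rbac` is true both providers authenticate with the credentials from `kube_admin_config`, so every Helm release in this add-on is applied with the cluster's admin identity — a comment stating why that credential is required here (rather than `kube_config`) would help reviewers, as would noting that these values appear in plan output when the locals are evaluated. The `locals` block could become:

```hcl
# … unchanged: provider "azurerm", provider "kubernetes" and provider "helm" blocks …

locals {
  # Pick the admin or user kubeconfig once per cluster; every field below reads from it.
  aks_kubeconfigs = {
    for key, value in var.aks_clusters : key => (
      local.remote.aks_clusters[value.lz_key][value.key].enable_rbac
      ? local.remote.aks_clusters[value.lz_key][value.key].kube_admin_config.0
      : local.remote.aks_clusters[value.lz_key][value.key].kube_config.0
    )
  }
  k8sconfigs = {
    for key, config in local.aks_kubeconfigs : key => {
      host                   = config.host
      username               = config.username
      password               = config.password
      client_certificate     = base64decode(config.client_certificate)
      client_key             = base64decode(config.client_key)
      cluster_ca_certificate = base64decode(config.cluster_ca_certificate)
    }
  }
}
```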
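Review bot: The description on `tfstate_subscription_id` has a typo (`propulated` for `populated`), and the `aks_cluster_key` description refers to "Gitlab Helm charts" although this is the generic helm-charts add-on, which reads like a copy-paste leftover; suggest `description = "AKS cluster key to deploy the Helm charts. The key must be defined in the variable aks_clusters"`. `aks_cluster_vnet_key` is declared with an empty body and is not referenced by any file visible in this diff, so it deserves either a description saying what consumes it or removal.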
diff --git a/landingzones/caf_launchpad/add-ons/terraform_cloud/example/tfc.tfvars b/caf_solution/add-ons/terraform_cloud/example/tfc.tfvars
similarity index 100%
rename from landingzones/caf_launchpad/add-ons/terraform_cloud/example/tfc.tfvars
rename to caf_solution/add-ons/terraform_cloud/example/tfc.tfvars
diff --git a/landingzones/caf_launchpad/add-ons/terraform_cloud/main.tf b/caf_solution/add-ons/terraform_cloud/main.tf
similarity index 100%
rename from landingzones/caf_launchpad/add-ons/terraform_cloud/main.tf
rename to caf_solution/add-ons/terraform_cloud/main.tf
diff --git a/landingzones/caf_launchpad/add-ons/terraform_cloud/readme.md b/caf_solution/add-ons/terraform_cloud/readme.md
similarity index 100%
rename from landingzones/caf_launchpad/add-ons/terraform_cloud/readme.md
rename to caf_solution/add-ons/terraform_cloud/readme.md
diff --git a/landingzones/caf_launchpad/add-ons/terraform_cloud/terraform_cloud.tf b/caf_solution/add-ons/terraform_cloud/terraform_cloud.tf
similarity index 100%
rename from landingzones/caf_launchpad/add-ons/terraform_cloud/terraform_cloud.tf
rename to caf_solution/add-ons/terraform_cloud/terraform_cloud.tf
diff --git a/caf_solution/add-ons/terraform_cloud/variables.tf b/caf_solution/add-ons/terraform_cloud/variables.tf
new file mode 100644
index 000000000..499b0aba5
--- /dev/null
+++ b/caf_solution/add-ons/terraform_cloud/variables.tf
@@ -0,0 +1,85 @@
+# Map of the remote data state for lower level
+variable "lower_storage_account_name" {
+ default = {}
+}
+variable "lower_container_name" {
+ default = {}
+}
+variable "lower_resource_group_name" {
+ default = {}
+}
+
+variable "tfstate_storage_account_name" {
+ default = {}
+}
+variable "tfstate_container_name" {
+ default = {}
+}
+variable "tfstate_key" {
+ default = {}
+}
+variable "tfstate_resource_group_name" {
+ default = {}
+}
+
+variable "global_settings" {
+ default = {}
+}
+variable "tenant_id" {
+ default = {}
+}
+variable "landingzone" {
+ default = {}
+}
+
+variable "rover_version" {
+ default = null
+}
+
+variable "logged_user_objectId" {
+ default = null
+}
+variable "logged_aad_app_objectId" {
+ default = null
+}
+variable "tags" {
+ default = null
+}
+variable "keyvaults" {
+ default = {}
+}
+variable "keyvault_access_policies" {
+ default = {}
+}
+variable "role_mapping" {
+ default = {}
+}
+variable "secrets_from_keys" {
+ default = {}
+}
+variable "custom_role_definitions" {
+ default = {}
+}
+variable "azuread_apps" {
+ default = {}
+}
+
+variable "tfe_organizations" {
+ default = {}
+}
+
+variable "tfe_workspaces" {
+ default = {}
+}
+
+variable "tfe_variables" {
+ default = {}
+}
+
+variable "tfe_servers" {
+ default = {}
+}
+
+variable "tfe_agents" {
+ default = {}
+}
\ No newline at end of file
diff --git a/landingzones/caf_solutions/backend.azurerm b/caf_solution/backend.azurerm
similarity index 100%
rename from landingzones/caf_solutions/backend.azurerm
rename to caf_solution/backend.azurerm
diff --git a/caf_solution/dynamic_secrets.tf b/caf_solution/dynamic_secrets.tf
new file mode 100644
index 000000000..54558fa00
--- /dev/null
+++ b/caf_solution/dynamic_secrets.tf
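Review bot: Scalar inputs such as `tenant_id`, `tfstate_key`, `tfstate_storage_account_name`, `tfstate_container_name` and `tfstate_resource_group_name` default to `{}`, an empty object, so a caller that forgets to set one gets an empty map silently passed into the backend configuration instead of a missing-variable error at plan time. The helm-charts variables.tf in this same change declares the `tfstate_*` inputs with no default, which is the stricter and safer behaviour; for the terraform_cloud add-on either drop the defaults or use `default = null`, e.g. `variable "tenant_id" { default = null }`. If the `{}` defaults are deliberate so the add-on can be planned without a remote state, a one-line comment above the `tfstate_*` group saying so would stop the next reader from "fixing" it.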
@@ -0,0 +1,15 @@
+module "dynamic_keyvault_secrets" {
+ source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
+ version = "~>5.3.0"
+
+ for_each = {
+ for keyvault_key, secrets in try(var.dynamic_keyvault_secrets, {}) : keyvault_key => {
+ for key, value in secrets : key => value
+ if try(value.value, null) == null
+ }
+ }
+
+ settings = each.value
+ keyvault = module.solution.keyvaults[each.key]
+ objects = module.solution
+}
\ No newline at end of file
diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf
new file mode 100644
index 000000000..0763302b2
--- /dev/null
+++ b/caf_solution/landingzone.tf
@@ -0,0 +1,55 @@
+module "solution" {
+ source = "aztfmod/caf/azurerm"
+ version = "~>5.3.0"
+
+ azuread_api_permissions = var.azuread_api_permissions
+ azuread_apps = var.azuread_apps
+ azuread_groups = var.azuread_groups
+ azuread_roles = var.azuread_roles
+ azuread_users = var.azuread_users
+ compute = local.compute
+ current_landingzone_key = var.landingzone.key
+ custom_role_definitions = var.custom_role_definitions
+ data_factory = local.data_factory
+ database = local.database
+ diagnostic_storage_accounts = var.diagnostic_storage_accounts
+ diagnostics_definition = var.diagnostics_definition
+ diagnostics_destinations = var.diagnostics_destinations
+ event_hub_namespaces = var.event_hub_namespaces
+ global_settings = local.global_settings
+ keyvault_access_policies = var.keyvault_access_policies
+ keyvault_certificate_issuers = var.keyvault_certificate_issuers
+ keyvaults = var.keyvaults
+ log_analytics = var.log_analytics
+ logged_aad_app_objectId = var.logged_aad_app_objectId
+ logged_user_objectId = var.logged_user_objectId
+ logic_app = var.logic_app
+ managed_identities = var.managed_identities
+ networking = local.networking
+ remote_objects = local.remote
+ resource_groups = var.resource_groups
+ role_mapping = var.role_mapping
+ security = local.security
+ shared_services = local.shared_services
+ storage = local.storage
+ storage_accounts = var.storage_accounts
+ subscription_billing_role_assignments = var.subscription_billing_role_assignments
+ subscriptions = var.subscriptions
+ tags = var.tags
+ tenant_id = var.tenant_id
+ tfstates = var.tfstates
+ user_type = var.user_type
+ webapp = local.webapp
+
+ diagnostics = {
+ diagnostics_definition = local.diagnostics.diagnostics_definition
+ diagnostics_destinations = local.diagnostics.diagnostics_destinations
+ storage_accounts = local.diagnostics.storage_accounts
+ log_analytics = local.diagnostics.log_analytics
+ event_hub_namespaces = local.diagnostics.event_hub_namespaces
+ diagnostic_event_hub_namespaces = try(local.diagnostics.diagnostic_event_hub_namespaces, var.diagnostic_event_hub_namespaces)
+ diagnostic_log_analytics = try(local.diagnostics.diagnostic_log_analytics, var.diagnostic_log_analytics)
+ diagnostic_storage_accounts = try(local.diagnostics.diagnostic_storage_accounts, var.diagnostic_storage_accounts)
+ }
+
+}
diff --git a/caf_solution/local.compute.tf b/caf_solution/local.compute.tf
new file mode 100644
index 000000000..f0aa3a454
--- /dev/null
+++ b/caf_solution/local.compute.tf
@@ -0,0 +1,14 @@
+locals {
+ compute = merge(
+ var.compute,
+ {
+ aks_clusters = var.aks_clusters
+ availability_sets = var.availability_sets
+ azure_container_registries = var.azure_container_registries
+ bastion_hosts = var.bastion_hosts
+ container_groups = var.container_groups
+ proximity_placement_groups = var.proximity_placement_groups
+ virtual_machines = var.virtual_machines
+ }
+ )
+}
diff --git a/caf_solution/local.data_factory.tf b/caf_solution/local.data_factory.tf
new file mode 100644
index 000000000..14861c1c7
--- /dev/null
+++ b/caf_solution/local.data_factory.tf
@@ -0,0 +1,22 @@
+locals {
+ data_factory = merge(
+ var.data_factory,
+ {
+ data_factory_pipeline = var.data_factory_pipeline
+ data_factory_trigger_schedule = var.data_factory_trigger_schedule
+ datasets = {
+ azure_blob = try(var.datasets.azure_blob, {})
+ cosmosdb_sqlapi = try(var.datasets.cosmosdb_sqlapi, {})
+ delimited_text = try(var.datasets.delimited_text, {})
+ http = try(var.datasets.http, {})
+ json = try(var.datasets.json, {})
+ mysql = try(var.datasets.mysql, {})
+ postgresql = try(var.datasets.postgresql, {})
+ sql_server_table = try(var.datasets.sql_server_table, {})
+ }
+ linked_services = {
+ azure_blob_storage = try(var.linked_services.azure_blob_storage, {})
+ }
+ }
+ )
+}
diff --git a/caf_solution/local.database.tf b/caf_solution/local.database.tf
new file mode 100644
index 000000000..4671bc5ba
--- /dev/null
+++ b/caf_solution/local.database.tf
@@ -0,0 +1,31 @@
+locals {
+ database = merge(
+ var.database,
+ {
+ app_config = var.app_config
+ azurerm_redis_caches = var.azurerm_redis_caches
+ cosmos_dbs = var.cosmos_dbs
+ databricks_workspaces = var.databricks_workspaces
+ machine_learning_workspaces = var.machine_learning_workspaces
+ mariadb_databases = var.mariadb_databases
+ mariadb_servers = var.mariadb_servers
+ mssql_databases = var.mssql_databases
+ mssql_elastic_pools = var.mssql_elastic_pools
+ mssql_failover_groups = var.mssql_failover_groups
+ mssql_managed_databases = var.mssql_managed_databases
+ mssql_managed_databases_backup_ltr = var.mssql_managed_databases_backup_ltr
+ mssql_managed_databases_restore = var.mssql_managed_databases_restore
+ mssql_managed_instances = var.mssql_managed_instances
+ mssql_managed_instances_secondary = var.mssql_managed_instances_secondary
+ mssql_mi_administrators = var.mssql_mi_administrators
+ mssql_mi_failover_groups = var.mssql_mi_failover_groups
+ mssql_mi_secondary_tdes = var.mssql_mi_secondary_tdes
+ mssql_mi_tdes = var.mssql_mi_tdes
+ mssql_servers = var.mssql_servers
+ mysql_databases = var.mysql_databases
+ mysql_servers = var.mysql_servers
+ postgresql_servers = var.postgresql_servers
+ synapse_workspaces = var.synapse_workspaces
+ }
+ )
+}
diff --git a/caf_solution/local.logic_app.tf b/caf_solution/local.logic_app.tf
new file mode 100644
index 000000000..297cfefc1
--- /dev/null
+++ b/caf_solution/local.logic_app.tf
@@ -0,0 +1,15 @@
+locals {
+ logic_app = merge(
+ var.logic_app,
+ {
+ integration_service_environment = var.integration_service_environment
+ logic_app_action_custom = var.logic_app_action_custom
+ logic_app_action_http = var.logic_app_action_http
+ logic_app_integration_account = var.logic_app_integration_account
+ logic_app_trigger_custom = var.logic_app_trigger_custom
+ logic_app_trigger_http_request = var.logic_app_trigger_http_request
+ logic_app_trigger_recurrence = var.logic_app_trigger_recurrence
+ logic_app_workflow = var.logic_app_workflow
+ }
+ )
+}
diff --git a/caf_solution/local.networking.tf b/caf_solution/local.networking.tf
new file mode 100644
index 000000000..299bc4b11
--- /dev/null
+++ b/caf_solution/local.networking.tf
@@ -0,0 +1,42 @@
+locals {
+ networking = merge(
+ var.networking,
+ {
+ application_gateway_applications = var.application_gateway_applications
+ application_gateways = var.application_gateways
+ application_security_groups = var.application_security_groups
+ azurerm_firewall_application_rule_collection_definition = var.azurerm_firewall_application_rule_collection_definition
+ azurerm_firewall_nat_rule_collection_definition = var.azurerm_firewall_nat_rule_collection_definition
+ azurerm_firewall_network_rule_collection_definition = var.azurerm_firewall_network_rule_collection_definition
+ azurerm_firewalls = var.azurerm_firewalls
+ azurerm_routes = var.azurerm_routes
+ ddos_services = var.ddos_services
+ dns_zone_records = var.dns_zone_records
+ dns_zones = var.dns_zones
+ domain_name_registrations = var.domain_name_registrations
+ express_route_circuit_authorizations = var.express_route_circuit_authorizations
+ express_route_circuits = var.express_route_circuits
+ front_door_waf_policies = var.front_door_waf_policies
+ front_doors = var.front_doors
+ ip_groups = var.ip_groups
+ load_balancers = var.load_balancers
+ local_network_gateways = var.local_network_gateways
+ network_security_group_definition = var.network_security_group_definition
+ network_watchers = var.network_watchers
+ networking_interface_asg_associations = var.networking_interface_asg_associations
+ private_dns = var.private_dns
+ private_endpoints = var.private_endpoints
+ public_ip_addresses = var.public_ip_addresses
+ route_tables = var.route_tables
+ vhub_peerings = var.vhub_peerings
+ virtual_hub_connections = var.virtual_hub_connections
+ virtual_hub_er_gateway_connections = var.virtual_hub_er_gateway_connections
+ virtual_hub_route_tables = var.virtual_hub_route_tables
+ virtual_network_gateway_connections = var.virtual_network_gateway_connections
+ virtual_network_gateways = var.virtual_network_gateways
+ virtual_wans = var.virtual_wans
+ vnet_peerings = var.vnet_peerings
+ vnets = var.vnets
+ }
+ )
+}
diff --git a/caf_solution/local.remote.tf b/caf_solution/local.remote.tf
new file mode 100644
index 000000000..b369b0f5d
--- /dev/null
+++ b/caf_solution/local.remote.tf
@@ -0,0 +1,139 @@
+locals {
+ remote = {
+ aks_clusters = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].aks_clusters, {}))
+ }
+ app_config = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].app_config, {}))
+ }
+ app_service_environments = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].app_service_environments, {}))
+ }
+ app_service_plans = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].app_service_plans, {}))
+ }
+ app_services = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].app_services, {}))
+ }
+ application_security_groups = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].application_security_groups, {}))
+ }
+ application_gateway_applications = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].application_gateway_applications, {}))
+ }
+ application_gateways = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].application_gateways, {}))
+ }
+ availability_sets = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].availability_sets, {}))
+ }
+ azuread_applications = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].azuread_applications, {}))
+ }
+ azuread_groups = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].azuread_groups, {}))
+ }
+ azuread_users = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].azuread_users, {}))
+ }
+ azurerm_firewalls = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].azurerm_firewalls, {}))
+ }
+ container_registry = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].container_registry, {}))
+ }
+ disk_encryption_sets = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].disk_encryption_sets, {}))
+ }
+ dns_zones = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].dns_zones, {}))
+ }
+ event_hub_namespaces = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].event_hub_namespaces, {}))
+ }
+ front_door_waf_policies = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].front_door_waf_policies, {}))
+ }
+ integration_service_environment = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].integration_service_environment, {}))
+ }
+ keyvault_certificate_requests = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].keyvault_certificate_requests, {}))
+ }
+ keyvault_keys = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].keyvault_keys, {}))
+ }
+ keyvaults = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].keyvaults, {}))
+ }
+ logic_app_integration_account = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].logic_app_integration_account, {}))
+ }
+ logic_app_workflow = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].logic_app_workflow, {}))
+ }
+ machine_learning_workspaces = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].machine_learning_workspaces, {}))
+ }
+ managed_identities = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
+ }
+ mssql_databases = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].mssql_databases, {}))
+ }
+ mssql_elastic_pools = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].mssql_elastic_pools, {}))
+ }
+ mssql_managed_databases = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].mssql_managed_databases, {}))
+ }
+ mssql_managed_instances = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].mssql_managed_instances, {}))
+ }
+ mssql_servers = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].mssql_servers, {}))
+ }
+ mysql_servers = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].mysql_servers, {}))
+ }
+ network_security_groups = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].network_security_groups, {}))
+ }
+ network_watchers = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].network_watchers, {}))
+ }
+ postgresql_servers = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].postgresql_servers, {}))
+ }
+ private_dns = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].private_dns, {}))
+ }
+ proximity_placement_groups = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].proximity_placement_groups, {}))
+ }
+ public_ip_addresses = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].public_ip_addresses, {}))
+ }
+ recovery_vaults = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].recovery_vaults, {}))
+ }
+ resource_groups = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].resource_groups, {}))
+ }
+ storage_accounts = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].storage_accounts, {}))
+ }
+ synapse_workspaces = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].synapse_workspaces, {}))
+ }
+ virtual_hub_route_tables = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].virtual_hub_route_tables, {}))
+ }
+ virtual_wans = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].virtual_wans, {}))
+ }
+ vnets = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].vnets, {}))
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/local.remote_objects.tf b/caf_solution/local.remote_objects.tf
new file mode 100644
index 000000000..602dc1229
--- /dev/null
+++ b/caf_solution/local.remote_objects.tf
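Review bot: Each of the 45 entries wraps a single `try(..., {})` in `merge(...)`; with one argument `merge` returns it unchanged, so the wrapper is a no-op and every line can read `key => try(data.terraform_remote_state.remote[key].outputs.objects[key].<name>, {})`. The same no-op `merge(try(...))` appears in the helm-charts locals hunk earlier in this diff. Since every entry differs only in the object name, a header comment stating that this map mirrors the object names exported by lower-level landing zones and must be extended whenever a new object type is exported would tell the next maintainer why the list is what it is: `# One entry per object type exported by lower levels via outputs.objects[<landingzone key>]; add a line here when a new type is exported.`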
@@ -0,0 +1,36 @@
+# locals {
+# remote_objects = {
+# aks_clusters = local.remote.aks_clusters
+# app_service_environments = local.remote.app_service_environments
+# app_service_plans = local.remote.app_service_plans
+# app_services = local.remote.app_services
+# application_gateway_applications = local.remote.application_gateway_applications
+# application_gateways = local.remote.application_gateways
+# availability_sets = local.remote.availability_sets
+# azuread_applications = local.remote.azuread_applications
+# azuread_groups = local.remote.azuread_groups
+# azuread_users = local.remote.azuread_users
+# azurerm_firewalls = local.remote.azurerm_firewalls
+# container_registry = local.remote.container_registry
+# event_hub_namespaces = local.remote.event_hub_namespaces
+# front_door_waf_policies = local.remote.front_door_waf_policies
+# keyvaults = local.remote.keyvaults
+# managed_identities = local.remote.managed_identities
+# mssql_databases = local.remote.mssql_databases
+# mssql_elastic_pools = local.remote.mssql_elastic_pools
+# mssql_managed_databases = local.remote.mssql_managed_databases
+# mssql_managed_instances = local.remote.mssql_managed_instances
+# mssql_servers = local.remote.mssql_servers
+# mysql_servers = local.remote.mysql_servers
+# network_watchers = local.remote.network_watchers
+# postgresql_servers = local.remote.postgresql_servers
+# private_dns = local.remote.private_dns
+# proximity_placement_groups = local.remote.proximity_placement_groups
+# public_ip_addresses = local.remote.public_ip_addresses
+# recovery_vaults = local.remote.recovery_vaults
+# resource_groups = local.remote.resource_groups
+# storage_accounts = local.remote.storage_accounts
+# synapse_workspaces = local.remote.synapse_workspaces
+# vnets = local.remote.vnets
+# }
+# }
\ No newline at end of file
diff --git a/caf_solution/local.security.tf b/caf_solution/local.security.tf
new file mode 100644
index 000000000..3d5daf9e9
--- /dev/null
+++ b/caf_solution/local.security.tf
@@ -0,0 +1,13 @@
+locals {
+ security = merge(
+ var.security,
+ {
+ disk_encryption_sets = var.disk_encryption_sets
+ dynamic_keyvault_secrets = var.dynamic_keyvault_secrets
+ keyvault_certificate_issuers = var.keyvault_certificate_issuers
+ keyvault_certificate_requests = var.keyvault_certificate_requests
+ keyvault_certificates = var.keyvault_certificates
+ keyvault_keys = var.keyvault_keys
+ }
+ )
+}
diff --git a/caf_solution/local.shared_services.tf b/caf_solution/local.shared_services.tf
new file mode 100644
index 000000000..a1aa3d091
--- /dev/null
+++ b/caf_solution/local.shared_services.tf
@@ -0,0 +1,14 @@
+locals {
+ shared_services = merge(
+ var.shared_services,
+ {
+ automations = var.automations
+ recovery_vaults = var.recovery_vaults
+ monitoring = var.monitoring
+ shared_image_galleries = var.shared_image_galleries
+ image_definitions = var.image_definitions
+ packer_service_principal = var.packer_service_principal
+ packer_managed_identity = var.packer_managed_identity
+ }
+ )
+}
diff --git a/caf_solution/local.storage.tf b/caf_solution/local.storage.tf
new file mode 100644
index 000000000..9f1bf953f
--- /dev/null
+++ b/caf_solution/local.storage.tf
@@ -0,0 +1,9 @@
+locals {
+ storage = merge(
+ var.storage,
+ {
+ netapp_accounts = var.netapp_accounts
+ storage_account_blobs = var.storage_account_blobs
+ }
+ )
+}
diff --git a/caf_solution/local.webapp.tf b/caf_solution/local.webapp.tf
new file mode 100644
index 000000000..c69c19622
--- /dev/null
+++ b/caf_solution/local.webapp.tf
@@ -0,0 +1,12 @@
+locals {
+ webapp = merge(
+ var.webapp,
+ {
+ app_service_environments = var.app_service_environments
+ app_service_plans = var.app_service_plans
+ app_services = var.app_services
+ azurerm_application_insights = var.azurerm_application_insights
+ function_apps = var.function_apps
+ }
+ )
+}
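Review bot: The whole of local.remote_objects.tf is commented-out code, so nothing in it is reachable, and committing a dead file is a maintenance trap because its list already drifts from `local.remote` (it lacks `app_config`, `dns_zones`, `disk_encryption_sets` and others that local.remote.tf in this same diff defines). Either delete the file or reduce it to a one-line comment naming what replaced it, e.g. `# superseded by local.remote in local.remote.tf`; git history keeps the old text.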
diff --git a/caf_solution/locals.remote_tfstates.tf b/caf_solution/locals.remote_tfstates.tf
new file mode 100644
index 000000000..ca11e499e
--- /dev/null
+++ b/caf_solution/locals.remote_tfstates.tf
@@ -0,0 +1,65 @@
+locals {
+ landingzone = {
+ current = {
+ storage_account_name = var.tfstate_storage_account_name
+ container_name = var.tfstate_container_name
+ resource_group_name = var.tfstate_resource_group_name
+ }
+ lower = {
+ storage_account_name = var.lower_storage_account_name
+ container_name = var.lower_container_name
+ resource_group_name = var.lower_resource_group_name
+ }
+ }
+}
+
+data "terraform_remote_state" "remote" {
+ for_each = try(var.landingzone.tfstates, {})
+
+ backend = var.landingzone.backend_type
+ config = {
+ storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
+ container_name = try(each.value.workspace, local.landingzone[try(each.value.level, "current")].container_name)
+ resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name
+ subscription_id = var.tfstate_subscription_id
+ key = each.value.tfstate
+ }
+}
+
+locals {
+ landingzone_tag = {
+ "landingzone" = var.landingzone.key
+ }
+
+ tags = merge(try(local.global_settings.tags, {}), local.landingzone_tag, { "level" = var.landingzone.level }, try({ "environment" = local.global_settings.environment }, {}), { "rover_version" = var.rover_version }, var.tags)
+ global_settings = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings, var.global_settings)
+
+ diagnostics = {
+ # Get the diagnostics settings of services to create
+ diagnostic_event_hub_namespaces = var.diagnostic_event_hub_namespaces
+ diagnostic_log_analytics = var.diagnostic_log_analytics
+ diagnostic_storage_accounts = var.diagnostic_storage_accounts
+
+ # Combine the diagnostics definitions
+ diagnostics_definition = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.diagnostics_definition, var.diagnostics_definition)
+ diagnostics_destinations = {
+ event_hub_namespaces = merge(
+ try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.diagnostics_destinations.event_hub_namespaces, {}),
+ try(var.diagnostics_destinations.event_hub_namespaces, {})
+ )
+ log_analytics = merge(
+ try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.diagnostics_destinations.log_analytics, {}),
+ try(var.diagnostics_destinations.log_analytics, {})
+ )
+ storage = merge(
+ try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.diagnostics_destinations.storage, {}),
+ try(var.diagnostics_destinations.storage, {})
+ )
+ }
+ # Get the remote existing diagnostics objects
+ storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.storage_accounts
+ log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.log_analytics
+ event_hub_namespaces = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics.event_hub_namespaces
+ }
+
+}
diff --git a/landingzones/caf_networking/main.tf b/caf_solution/main.tf
similarity index 84%
rename from landingzones/caf_networking/main.tf
rename to caf_solution/main.tf
index abdc1b7f0..0ab6b978b 100644
--- a/landingzones/caf_networking/main.tf
+++ b/caf_solution/main.tf
@@ -1,12 +1,12 @@
 terraform {
 required_providers {
 azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 2.43"
+ source = "hashicorp/azurerm"
+ version = "~> 2.50"
 }
 azuread = {
 source = "hashicorp/azuread"
- version = "~> 1.0.0"
+ version = "~> 1.4.0"
 }
 random = {
 source = "hashicorp/random"
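Review bot: `container_name = try(each.value.workspace, ...)` introduces a per-entry `workspace` key on `landingzone.tfstates` that overrides the storage container, but nothing documents it and the sibling `storage_account_name` and `resource_group_name` take no such override, so the contract is invisible to anyone writing a tfvars file. A comment on that line such as `# optional "workspace" on a tfstates entry selects the container holding that state; otherwise the level's default container is used` would make it explicit. Separately, `tags` guards `local.global_settings.tags` and `.environment` with `try`, but `global_settings` itself still hard-indexes `data.terraform_remote_state.remote[var.landingzone.global_settings_key]`, so those guards only help after the lookup has already succeeded; if a missing `global_settings_key` entry is meant to be fatal, a comment saying so would stop someone "fixing" it with another `try`.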
@@ -26,7 +26,7 @@ terraform { } azurecaf = { source = "aztfmod/azurecaf" - version = "~> 1.2.0" + version = "~>1.2.0" } } required_version = ">= 0.13" @@ -36,7 +36,7 @@ terraform { provider "azurerm" { features { key_vault { - purge_soft_delete_on_destroy = true + purge_soft_delete_on_destroy = var.provider_azurerm_features_keyvault.purge_soft_delete_on_destroy } } } diff --git a/caf_solution/modules/databricks/cluster.tf b/caf_solution/modules/databricks/cluster.tf new file mode 100644 index 000000000..25310d783 --- /dev/null +++ b/caf_solution/modules/databricks/cluster.tf @@ -0,0 +1,17 @@ +resource "databricks_cluster" "cluster" { + cluster_name = var.settings.name + spark_version = var.settings.spark_version + node_type_id = var.settings.node_type_id + autotermination_minutes = var.settings.autotermination_minutes + + dynamic "autoscale" { + for_each = try(var.settings.autoscale, null) == null ? [] : [1] + + content { + min_workers = try(var.settings.autoscale.min_workers, null) + max_workers = try(var.settings.autoscale.max_workers, null) + } + } + + +} \ No newline at end of file diff --git a/landingzones/caf_solutions/modules/databricks/instance_pool.tf b/caf_solution/modules/databricks/instance_pool.tf similarity index 100% rename from landingzones/caf_solutions/modules/databricks/instance_pool.tf rename to caf_solution/modules/databricks/instance_pool.tf diff --git a/landingzones/caf_solutions/modules/databricks/main.tf b/caf_solution/modules/databricks/main.tf similarity index 100% rename from landingzones/caf_solutions/modules/databricks/main.tf rename to caf_solution/modules/databricks/main.tf diff --git a/landingzones/caf_solutions/modules/databricks/output.tf b/caf_solution/modules/databricks/output.tf similarity index 68% rename from landingzones/caf_solutions/modules/databricks/output.tf rename to caf_solution/modules/databricks/output.tf index 5a3ec0668..d6bc7bc48 100644 --- a/landingzones/caf_solutions/modules/databricks/output.tf 
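Review bot: `purge_soft_delete_on_destroy` is now dereferenced from `var.provider_azurerm_features_keyvault` with no `try()`, and that variable (declared in variables.tf, outside this hunk) carries no `type`, so a caller overriding it with an object that misspells the attribute fails with an opaque unsupported-attribute error rather than a validation message; give it `type = object({ purge_soft_delete_on_destroy = bool })`. Defaulting to `false` is the safer choice for a landingzone, since purging on destroy deletes vaults irrecoverably and defeats soft-delete, but it is a behaviour change for existing callers and the CI tear-down of `${{ github.run_id }}` environments will presumably now leave soft-deleted vaults behind that block re-use of the names; record that in the variable's `description` and set the flag explicitly in the pipeline where purging is intended. The `provider "azurerm"` block is shown in full here.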
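Review bot: When `var.settings.autoscale` is absent the `databricks_cluster` is created with neither `autoscale` nor `num_workers`, and the module exposes no way to set `num_workers`, so a fixed-size cluster cannot be expressed at all; presumably the provider then applies its own default worker count — confirm against the databricks provider version pinned in the module's main.tf. Add `num_workers = try(var.settings.num_workers, null)` next to `autotermination_minutes` so both shapes are reachable. The file also ends with two blank lines before the closing brace and no trailing newline.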
+++ b/caf_solution/modules/databricks/output.tf @@ -1,9 +1,7 @@ -output cluster { +output "cluster" { value = { id = databricks_cluster.cluster.id default_tags = databricks_cluster.cluster.default_tags state = databricks_cluster.cluster.state - spark_version = databricks_cluster.cluster.spark_version - } } \ No newline at end of file diff --git a/caf_solution/modules/databricks/variables.tf b/caf_solution/modules/databricks/variables.tf new file mode 100644 index 000000000..719f36726 --- /dev/null +++ b/caf_solution/modules/databricks/variables.tf @@ -0,0 +1,4 @@ +variable "azure_workspace_resource_id" { + default = {} +} +variable "settings" {} \ No newline at end of file diff --git a/caf_solution/output.tf b/caf_solution/output.tf new file mode 100644 index 000000000..6c2f8c16d --- /dev/null +++ b/caf_solution/output.tf @@ -0,0 +1,16 @@ +output "objects" { + value = tomap( + { + (var.landingzone.key) = { + for key, value in module.solution : key => value + if try(value, {}) != {} + } + } + ) + sensitive = true +} + +output "tfstates" { + value = local.tfstates + sensitive = true +} diff --git a/landingzones/caf_solutions/readme.md b/caf_solution/readme.md similarity index 100% rename from landingzones/caf_solutions/readme.md rename to caf_solution/readme.md diff --git a/caf_solution/scenario/foundations/100-passthrough/landingzone.tfvars b/caf_solution/scenario/foundations/100-passthrough/landingzone.tfvars new file mode 100644 index 000000000..9340de718 --- /dev/null +++ b/caf_solution/scenario/foundations/100-passthrough/landingzone.tfvars @@ -0,0 +1,12 @@ +landingzone = { + backend_type = "azurerm" + global_settings_key = "launchpad" + level = "level1" + key = "caf_foundations" + tfstates = { + launchpad = { + level = "lower" + tfstate = "caf_launchpad.tfstate" + } + } +} \ No newline at end of file 
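Review bot: `sensitive = true` on `objects` and `tfstates` only redacts the values in CLI output; they are written to the state file in clear text, and every higher-level landingzone reads that state through `terraform_remote_state`, so a comment on the outputs should say that access control on the state container, not this flag, is what protects the contents. The filter `if try(value, {}) != {}` is a no-op `try()` — `value` is an already-evaluated module output and cannot error — so `if value != {}` expresses the same thing; note that a module output of `null` passes the filter and is kept. `local.tfstates` is defined outside this hunk.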
diff --git a/landingzones/caf_launchpad/scenario/200/compute.tfvars b/caf_solution/scenario/foundations/gitops/compute.tfvars
similarity index 91%
rename from landingzones/caf_launchpad/scenario/200/compute.tfvars
rename to caf_solution/scenario/foundations/gitops/compute.tfvars
index 88164c5a4..5c7d99238 100644
--- a/landingzones/caf_launchpad/scenario/200/compute.tfvars
+++ b/caf_solution/scenario/foundations/gitops/compute.tfvars
@@ -85,12 +85,13 @@ virtual_machines = {
 version = "latest"
 }
- identity = {
- type = "UserAssigned"
- managed_identity_keys = [
- "level0", "level1", "level2", "level3", "level4"
- ]
- }
+ # identity = {
+ # type = "UserAssigned"
+ # lz_key = "launchpad"
+ # managed_identity_keys = [
+ # "level0", "level1", "level2", "level3", "level4"
+ # ]
+ # }
 }
 }
diff --git a/caf_solution/scenario/foundations/gitops/iam_keyvault_policies.tfvars b/caf_solution/scenario/foundations/gitops/iam_keyvault_policies.tfvars
new file mode 100644
index 000000000..d4b3bedfb
--- /dev/null
+++ b/caf_solution/scenario/foundations/gitops/iam_keyvault_policies.tfvars
@@ -0,0 +1,25 @@
+keyvault_access_policies_azuread_apps = {
+
+ secrets = {
+ caf_launchpad_level0 = {
+ lz_key = "launchpad"
+ azuread_app_key = "caf_launchpad_level0"
+ secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+ }
+ }
+}
+
+keyvault_access_policies = {
+ secrets = {
+ keyvault_level0_rw = {
+ lz_key = "launchpad"
+ azuread_group_key = "keyvault_level0_rw"
+ secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+ }
+ keyvault_password_rotation = {
+ lz_key = "launchpad"
+ azuread_group_key = "keyvault_password_rotation"
+ secret_permissions = ["Set", "Get", "List", "Delete", ]
+ }
+ }
+}
diff --git a/caf_solution/scenario/foundations/gitops/iam_role_mapping.tfvars b/caf_solution/scenario/foundations/gitops/iam_role_mapping.tfvars
new file mode 100644
index 000000000..0503053df
--- /dev/null
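Review bot: The `identity` block is kept as commented-out configuration instead of being removed, so the virtual machine in this scenario now deploys without the `level0`–`level4` user-assigned identities it previously carried and nothing in the file records why. If the removal is deliberate, delete the block; if it is a stop-gap for the new `lz_key = "launchpad"` lookup, keep one line explaining it, e.g. `# identity intentionally disabled: launchpad managed identities are not yet resolvable through lz_key — TODO re-enable`. Whatever ran on this VM using managed-identity authentication presumably now falls back to some other credential — confirm against the gitops runner setup. The enclosing `virtual_machines` map starts before this hunk.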
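Review bot: `"Purge"` is granted to both the `caf_launchpad_level0` application and the `keyvault_level0_rw` group; purge permanently destroys a soft-deleted secret and is the one secret permission soft-delete cannot undo, so a non-interactive level0 pipeline principal should not hold it by default — drop it from those two lists and keep `"Recover"`, or add a comment stating why the pipeline must purge. `keyvault_password_rotation` correctly gets neither `Purge` nor `Recover`, but its list has a stray trailing `, ]`. If purge protection is turned on for the target vault, the `Purge` grant is ineffective anyway, which is one more reason to leave it out.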
+++ b/caf_solution/scenario/foundations/gitops/iam_role_mapping.tfvars
@@ -0,0 +1,19 @@
+
+#
+# Services supported: subscriptions, storage accounts and resource groups
+# Can assign roles to: AD groups, AD object ID, AD applications, Managed identities
+#
+role_mapping = {
+ built_in_role_mapping = {
+ resource_groups = {
+ networking = {
+ "Reader" = {
+ azuread_groups = {
+ lz_key = "launchpad"
+ keys = ["caf_launchpad_Reader"]
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/caf_solution/scenario/foundations/gitops/keyvaults.tfvars b/caf_solution/scenario/foundations/gitops/keyvaults.tfvars
new file mode 100644
index 000000000..a829929ce
--- /dev/null
+++ b/caf_solution/scenario/foundations/gitops/keyvaults.tfvars
@@ -0,0 +1,34 @@
+
+keyvaults = {
+ secrets = {
+ name = "secrets"
+ resource_group_key = "bastion_launchpad"
+ region = "region1"
+ sku_name = "premium"
+ soft_delete_enabled = true
+
+ # you can setup up to 5 profiles
+ diagnostic_profiles = {
+ operations = {
+ definition_key = "default_all"
+ destination_type = "log_analytics"
+ destination_key = "central_logs"
+ }
+ siem = {
+ definition_key = "siem_all"
+ destination_type = "storage"
+ destination_key = "all_regions"
+ }
+ }
+
+ creation_policies = {
+ logged_in_user = {
+ # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
+ # More examples in /examples/keyvault
+ secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+ }
+ }
+
+
+ }
+}
diff --git a/caf_solution/scenario/foundations/gitops/landingzone.tfvars b/caf_solution/scenario/foundations/gitops/landingzone.tfvars
new file mode 100644
index 000000000..6aed75e5b
--- /dev/null
+++ b/caf_solution/scenario/foundations/gitops/landingzone.tfvars
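Review bot: The `secrets` vault sets `soft_delete_enabled = true` but no purge protection, while the `logged_in_user` creation policy gives whoever runs terraform interactively `"Purge"`, so one operator — or one compromised workstation — can permanently delete every secret in the launchpad bastion vault. Add `purge_protection_enabled = true` beside `soft_delete_enabled` (assuming the caf keyvault module forwards that attribute to `azurerm_key_vault`, which is not visible here) and drop `"Purge"` from the interactive policy. Recent azurerm releases treat key-vault soft delete as always-on and have deprecated `soft_delete_enabled`; check against the `~> 2.50` constraint in main.tf whether that line still has any effect. No `network_acls` is configured either, so the vault's data plane is presumably reachable from any network — confirm that is intended for a bastion vault, and replace the `# you can setup up to 5 profiles` remark with a sentence naming where that limit comes from.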
@@ -0,0 +1,21 @@ +landingzone = { + backend_type = "azurerm" + global_settings_key = "launchpad" + level = "level1" + key = "caf_gitops" + tfstates = { + launchpad = { + level = "lower" + tfstate = "caf_launchpad.tfstate" + } + } +} + +resource_groups = { + networking = { + name = "launchpad-networking" + } + bastion_launchpad = { + name = "launchpad-bastion" + } +} \ No newline at end of file diff --git a/landingzones/caf_launchpad/scenario/200/networking.tfvars b/caf_solution/scenario/foundations/gitops/networking.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/networking.tfvars rename to caf_solution/scenario/foundations/gitops/networking.tfvars diff --git a/landingzones/caf_launchpad/scenario/200/networking_nsg_definition.tfvars b/caf_solution/scenario/foundations/gitops/networking_nsg_definition.tfvars similarity index 100% rename from landingzones/caf_launchpad/scenario/200/networking_nsg_definition.tfvars rename to caf_solution/scenario/foundations/gitops/networking_nsg_definition.tfvars diff --git a/landingzones/caf_networking/scenario/100-single-region-hub/configuration.tfvars b/caf_solution/scenario/networking/100-single-region-hub/configuration.tfvars similarity index 90% rename from landingzones/caf_networking/scenario/100-single-region-hub/configuration.tfvars rename to caf_solution/scenario/networking/100-single-region-hub/configuration.tfvars index 7269553e2..b20b85509 100644 --- a/landingzones/caf_networking/scenario/100-single-region-hub/configuration.tfvars +++ b/caf_solution/scenario/networking/100-single-region-hub/configuration.tfvars @@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_foundations" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_foundations = { level = "lower" tfstate = "caf_foundations.tfstate" } 
diff --git a/landingzones/caf_networking/scenario/100-single-region-hub/network_security_group_definition.tfvars b/caf_solution/scenario/networking/100-single-region-hub/network_security_group_definition.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/100-single-region-hub/network_security_group_definition.tfvars rename to caf_solution/scenario/networking/100-single-region-hub/network_security_group_definition.tfvars diff --git a/landingzones/caf_networking/scenario/100-single-region-hub/readme.md b/caf_solution/scenario/networking/100-single-region-hub/readme.md similarity index 100% rename from landingzones/caf_networking/scenario/100-single-region-hub/readme.md rename to caf_solution/scenario/networking/100-single-region-hub/readme.md diff --git a/landingzones/caf_networking/scenario/101-multi-region-hub/configuration.tfvars b/caf_solution/scenario/networking/101-multi-region-hub/configuration.tfvars similarity index 72% rename from landingzones/caf_networking/scenario/101-multi-region-hub/configuration.tfvars rename to caf_solution/scenario/networking/101-multi-region-hub/configuration.tfvars index 26f860340..654a1bfe1 100644 --- a/landingzones/caf_networking/scenario/101-multi-region-hub/configuration.tfvars +++ b/caf_solution/scenario/networking/101-multi-region-hub/configuration.tfvars @@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_foundations" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_foundations = { level = "lower" tfstate = "caf_foundations.tfstate" } 
diff --git a/landingzones/caf_networking/scenario/101-multi-region-hub/network_security_group_definition.tfvars b/caf_solution/scenario/networking/101-multi-region-hub/network_security_group_definition.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/101-multi-region-hub/network_security_group_definition.tfvars rename to caf_solution/scenario/networking/101-multi-region-hub/network_security_group_definition.tfvars diff --git a/landingzones/caf_networking/scenario/101-multi-region-hub/peering.tfvars b/caf_solution/scenario/networking/101-multi-region-hub/peering.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/101-multi-region-hub/peering.tfvars rename to caf_solution/scenario/networking/101-multi-region-hub/peering.tfvars diff --git a/landingzones/caf_networking/scenario/101-multi-region-hub/readme.md b/caf_solution/scenario/networking/101-multi-region-hub/readme.md similarity index 100% rename from landingzones/caf_networking/scenario/101-multi-region-hub/readme.md rename to caf_solution/scenario/networking/101-multi-region-hub/readme.md diff --git a/landingzones/caf_networking/scenario/101-multi-region-hub/virtual_networks.tfvars b/caf_solution/scenario/networking/101-multi-region-hub/virtual_networks.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/101-multi-region-hub/virtual_networks.tfvars rename to caf_solution/scenario/networking/101-multi-region-hub/virtual_networks.tfvars diff --git a/landingzones/caf_networking/scenario/105-hub-and-spoke/configuration.tfvars b/caf_solution/scenario/networking/105-hub-and-spoke/configuration.tfvars similarity index 95% rename from landingzones/caf_networking/scenario/105-hub-and-spoke/configuration.tfvars rename to caf_solution/scenario/networking/105-hub-and-spoke/configuration.tfvars index b32be7ef7..fdb98ad03 100644 --- a/landingzones/caf_networking/scenario/105-hub-and-spoke/configuration.tfvars 
+++ b/caf_solution/scenario/networking/105-hub-and-spoke/configuration.tfvars @@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_foundations" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_foundations = { level = "lower" tfstate = "caf_foundations.tfstate" } diff --git a/landingzones/caf_networking/scenario/105-hub-and-spoke/network_security_group_definition.tfvars b/caf_solution/scenario/networking/105-hub-and-spoke/network_security_group_definition.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/105-hub-and-spoke/network_security_group_definition.tfvars rename to caf_solution/scenario/networking/105-hub-and-spoke/network_security_group_definition.tfvars diff --git a/landingzones/caf_networking/scenario/105-hub-and-spoke/readme.md b/caf_solution/scenario/networking/105-hub-and-spoke/readme.md similarity index 100% rename from landingzones/caf_networking/scenario/105-hub-and-spoke/readme.md rename to caf_solution/scenario/networking/105-hub-and-spoke/readme.md diff --git a/landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/configuration.tfvars b/caf_solution/scenario/networking/106-hub-virtual-wan-firewall/configuration.tfvars similarity index 84% rename from landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/configuration.tfvars rename to caf_solution/scenario/networking/106-hub-virtual-wan-firewall/configuration.tfvars index 591d780e0..6383a2dde 100644 --- a/landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/configuration.tfvars +++ b/caf_solution/scenario/networking/106-hub-virtual-wan-firewall/configuration.tfvars 
@@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_foundations" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_foundations = { level = "lower" tfstate = "caf_foundations.tfstate" } @@ -63,9 +59,9 @@ vhub_peerings = { # output_key = "vnets" vnet_key = "vnet_re1" } - name = "vhub_peering_hub_sg" + name = "vhub_peering_hub_sg" hub_to_virtual_network_traffic_allowed = true virtual_network_to_hub_gateways_traffic_allowed = true - internet_security_enabled = true + internet_security_enabled = true } } diff --git a/landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/network_security_group_definition.tfvars b/caf_solution/scenario/networking/106-hub-virtual-wan-firewall/network_security_group_definition.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/network_security_group_definition.tfvars rename to caf_solution/scenario/networking/106-hub-virtual-wan-firewall/network_security_group_definition.tfvars diff --git a/landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/readme.md b/caf_solution/scenario/networking/106-hub-virtual-wan-firewall/readme.md similarity index 100% rename from landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/readme.md rename to caf_solution/scenario/networking/106-hub-virtual-wan-firewall/readme.md diff --git a/landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/virtual_wan.tfvars b/caf_solution/scenario/networking/106-hub-virtual-wan-firewall/virtual_wan.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/106-hub-virtual-wan-firewall/virtual_wan.tfvars rename to caf_solution/scenario/networking/106-hub-virtual-wan-firewall/virtual_wan.tfvars 
diff --git a/landingzones/caf_networking/scenario/200-single-region-hub/configuration.tfvars b/caf_solution/scenario/networking/200-single-region-hub/configuration.tfvars similarity index 98% rename from landingzones/caf_networking/scenario/200-single-region-hub/configuration.tfvars rename to caf_solution/scenario/networking/200-single-region-hub/configuration.tfvars index c06ac4c4b..3e4945769 100644 --- a/landingzones/caf_networking/scenario/200-single-region-hub/configuration.tfvars +++ b/caf_solution/scenario/networking/200-single-region-hub/configuration.tfvars @@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_gitops" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_gitops = { level = "lower" tfstate = "caf_foundations.tfstate" } @@ -79,8 +75,7 @@ vnet_peerings = { vnet_key = "hub_rg1" } to = { - tfstate_key = "foundations" - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } @@ -94,8 +89,7 @@ vnet_peerings = { launchpad_devops-TO-hub_rg1 = { name = "launchpad_devops-TO-hub_rg1" from = { - tfstate_key = "foundations" - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } diff --git a/landingzones/caf_networking/scenario/201-multi-region-hub/configuration.tfvars b/caf_solution/scenario/networking/201-multi-region-hub/configuration.tfvars similarity index 98% rename from landingzones/caf_networking/scenario/201-multi-region-hub/configuration.tfvars rename to caf_solution/scenario/networking/201-multi-region-hub/configuration.tfvars index 1e23636ed..45eb82b65 100644 --- a/landingzones/caf_networking/scenario/201-multi-region-hub/configuration.tfvars +++ b/caf_solution/scenario/networking/201-multi-region-hub/configuration.tfvars 
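Review bot: The new `tfstates.caf_gitops` entry still points at `caf_foundations.tfstate`, yet `global_settings_key = "caf_gitops"` makes the remote-state locals index `outputs.objects["caf_gitops"]` in that file; the state the CI job writes under that name comes from the `100-passthrough` scenario whose landingzone `key` is `caf_foundations`, so unless the gitops scenario is also deployed into `caf_foundations.tfstate` this lookup presumably fails with a missing-key error at plan time. Either point `tfstate` at the file the gitops scenario actually writes, or keep the key `caf_foundations`. The same key/file pairing appears in the `201-multi-region-hub` and `210-aks-private` configurations below, and the `vnet_peerings` hunks later in this file switch `lz_key` to `caf_gitops` and so depend on whichever choice is made here.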
@@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_gitops" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_gitops = { level = "lower" tfstate = "caf_foundations.tfstate" } @@ -158,8 +154,7 @@ vnet_peerings = { vnet_key = "hub_rg1" } to = { - tfstate_key = "foundations" - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } @@ -173,8 +168,7 @@ vnet_peerings = { launchpad_devops-TO-hub_rg1 = { name = "launchpad_devops-TO-hub_rg1" from = { - tfstate_key = "foundations" - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } @@ -195,8 +189,7 @@ vnet_peerings = { vnet_key = "hub_rg2" } to = { - tfstate_key = "foundations" - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } @@ -210,8 +203,7 @@ vnet_peerings = { launchpad_devops-TO-hub_rg2 = { name = "launchpad_devops-TO-hub_rg2" from = { - tfstate_key = "foundations" - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } diff --git a/landingzones/caf_networking/scenario/210-aks-private/configuration.tfvars b/caf_solution/scenario/networking/210-aks-private/configuration.tfvars similarity index 99% rename from landingzones/caf_networking/scenario/210-aks-private/configuration.tfvars rename to caf_solution/scenario/networking/210-aks-private/configuration.tfvars index b264d5adc..f243d609e 100644 --- a/landingzones/caf_networking/scenario/210-aks-private/configuration.tfvars +++ b/caf_solution/scenario/networking/210-aks-private/configuration.tfvars 
@@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_gitops" level = "level2" key = "networking_hub" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_gitops = { level = "lower" tfstate = "caf_foundations.tfstate" } @@ -94,7 +90,7 @@ vnet_peerings = { vnet_key = "hub_rg1" } to = { - lz_key = "launchpad" + lz_key = "caf_gitops" output_key = "vnets" vnet_key = "devops_region1" } diff --git a/landingzones/caf_networking/scenario/210-aks-private/peerings/launchpad/configuration.tfvars b/caf_solution/scenario/networking/210-aks-private/peerings/launchpad/configuration.tfvars similarity index 100% rename from landingzones/caf_networking/scenario/210-aks-private/peerings/launchpad/configuration.tfvars rename to caf_solution/scenario/networking/210-aks-private/peerings/launchpad/configuration.tfvars diff --git a/landingzones/caf_shared_services/scenario/100/configuration.tfvars b/caf_solution/scenario/shared_services/100/configuration.tfvars similarity index 95% rename from landingzones/caf_shared_services/scenario/100/configuration.tfvars rename to caf_solution/scenario/shared_services/100/configuration.tfvars index 25489ff12..c99d0e73a 100644 --- a/landingzones/caf_shared_services/scenario/100/configuration.tfvars +++ b/caf_solution/scenario/shared_services/100/configuration.tfvars @@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_foundations" level = "level2" key = "shared_services" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_foundations = { level = "lower" tfstate = "caf_foundations.tfstate" } 
diff --git a/landingzones/caf_shared_services/scenario/200/configuration.tfvars b/caf_solution/scenario/shared_services/200/configuration.tfvars similarity index 96% rename from landingzones/caf_shared_services/scenario/200/configuration.tfvars rename to caf_solution/scenario/shared_services/200/configuration.tfvars index 0f8c8559c..83b977838 100644 --- a/landingzones/caf_shared_services/scenario/200/configuration.tfvars +++ b/caf_solution/scenario/shared_services/200/configuration.tfvars @@ -1,14 +1,10 @@ landingzone = { backend_type = "azurerm" - global_settings_key = "foundations" + global_settings_key = "caf_foundations" level = "level2" key = "shared_services" tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - launchpad = { + caf_foundations = { level = "lower" tfstate = "caf_foundations.tfstate" } diff --git a/landingzones/caf_solutions/scripts/cloud-init-install-rover-tools.config b/caf_solution/scripts/cloud-init-install-rover-tools.config similarity index 100% rename from landingzones/caf_solutions/scripts/cloud-init-install-rover-tools.config rename to caf_solution/scripts/cloud-init-install-rover-tools.config diff --git a/landingzones/caf_launchpad/scripts/grant_consent.sh b/caf_solution/scripts/grant_consent.sh similarity index 100% rename from landingzones/caf_launchpad/scripts/grant_consent.sh rename to caf_solution/scripts/grant_consent.sh diff --git a/caf_solution/variables.compute.tf b/caf_solution/variables.compute.tf new file mode 100644 index 000000000..fdffa3519 --- /dev/null +++ b/caf_solution/variables.compute.tf 
@@ -0,0 +1,29 @@ +variable "aks_clusters" { + default = {} +} +variable "availability_sets" { + default = {} +} +variable "azure_container_registries" { + default = {} +} +variable "bastion_hosts" { + default = {} +} +## Compute variables +variable "compute" { + description = "Compute configuration objects" + default = { + # virtual_machines = {} + # ... + } +} +variable "container_groups" { + default = {} +} +variable "proximity_placement_groups" { + default = {} +} +variable "virtual_machines" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/variables.data_factory.tf b/caf_solution/variables.data_factory.tf new file mode 100644 index 000000000..39ff7f01d --- /dev/null +++ b/caf_solution/variables.data_factory.tf @@ -0,0 +1,26 @@ +variable "data_factory" { + default = {} +} +variable "data_factory_pipeline" { + default = {} +} +variable "data_factory_trigger_schedule" { + default = {} +} +variable "datasets" { + default = { + # azure_blob + # cosmosdb_sqlapi + # delimited_text + # http + # json + # mysql + # postgresql + # sql_server_table + } +} +variable "linked_services" { + default = { + # azure_blob_storage + } +} \ No newline at end of file diff --git a/caf_solution/variables.database.tf b/caf_solution/variables.database.tf new file mode 100644 index 000000000..d6b4a7ab4 --- /dev/null +++ b/caf_solution/variables.database.tf 
@@ -0,0 +1,76 @@ +variable "app_config" { + default = {} +} +variable "azurerm_redis_caches" { + default = {} +} +variable "cosmos_dbs" { + default = {} +} +variable "database" { + description = "Database configuration objects" + default = {} +} +variable "databricks_workspaces" { + default = {} +} +variable "machine_learning_workspaces" { + default = {} +} +variable "mariadb_databases" { + default = {} +} +variable "mariadb_servers" { + default = {} +} +variable "mssql_databases" { + default = {} +} +variable "mssql_elastic_pools" { + default = {} +} +variable "mssql_failover_groups" { + default = {} +} +variable "mssql_managed_databases" { + default = {} +} +variable "mssql_managed_databases_backup_ltr" { + default = {} +} +variable "mssql_managed_databases_restore" { + default = {} +} +variable "mssql_managed_instances" { + default = {} +} +variable "mssql_managed_instances_secondary" { + default = {} +} +variable "mssql_mi_administrators" { + default = {} +} +variable "mssql_mi_failover_groups" { + default = {} +} +variable "mssql_mi_secondary_tdes" { + default = {} +} +variable "mssql_mi_tdes" { + default = {} +} +variable "mssql_servers" { + default = {} +} +variable "mysql_databases" { + default = {} +} +variable "mysql_servers" { + default = {} +} +variable "postgresql_servers" { + default = {} +} +variable "synapse_workspaces" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/variables.logic_app.tf b/caf_solution/variables.logic_app.tf new file mode 100644 index 000000000..0e48766fe --- /dev/null +++ b/caf_solution/variables.logic_app.tf 
@@ -0,0 +1,27 @@ +variable "logic_app" { + default = {} +} +variable "integration_service_environment" { + default = {} +} +variable "logic_app_action_custom" { + default = {} +} +variable "logic_app_action_http" { + default = {} +} +variable "logic_app_integration_account" { + default = {} +} +variable "logic_app_trigger_custom" { + default = {} +} +variable "logic_app_trigger_http_request" { + default = {} +} +variable "logic_app_trigger_recurrence" { + default = {} +} +variable "logic_app_workflow" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/variables.networking.tf b/caf_solution/variables.networking.tf new file mode 100644 index 000000000..467bc6be2 --- /dev/null +++ b/caf_solution/variables.networking.tf 
@@ -0,0 +1,104 @@ + +variable "application_gateways" { + default = {} +} +variable "application_gateway_applications" { + default = {} +} +variable "application_security_groups" { + default = {} +} +variable "azurerm_firewalls" { + default = {} +} +variable "azurerm_firewall_application_rule_collection_definition" { + default = {} +} +variable "azurerm_firewall_nat_rule_collection_definition" { + default = {} +} +variable "azurerm_firewall_network_rule_collection_definition" { + default = {} +} +variable "azurerm_routes" { + default = {} +} +variable "ddos_services" { + default = {} +} +variable "dns_zones" { + default = {} +} +variable "dns_zone_records" { + default = {} +} +variable "domain_name_registrations" { + default = {} +} +variable "express_route_circuits" { + default = {} +} +variable "express_route_circuit_authorizations" { + default = {} +} +variable "load_balancers" { + default = {} +} +variable "network_watchers" { + default = {} +} +variable "networking" { + default = {} + type = map(any) +} +variable "front_door_waf_policies" { + default = {} +} +variable "front_doors" { + default = {} +} +variable "ip_groups" { + default = {} +} +variable "local_network_gateways" { + default = {} +} +variable "networking_interface_asg_associations" { + default = {} +} +variable "network_security_group_definition" { + default = {} +} +variable "private_endpoints" { + default = {} +} +variable "private_dns" { + default = {} +} +variable "public_ip_addresses" { + default = {} +} +variable "route_tables" { + default = {} +} +variable "virtual_network_gateway_connections" { + default = {} +} +variable "virtual_network_gateways" { + default = {} +} +variable "virtual_wans" { + default = {} +} +variable "vnets" { + default = {} +} +variable "vhub_peerings" { + default = {} +} +variable "vnet_peerings" { + default = {} +} +variable "virtual_hub_er_gateway_connections" { + default = {} +} \ No newline at end of file 
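Review bot: `networking` is the only variable in this file with a `type` (`map(any)`); the other thirty-odd declarations are bare `default = {}` with no `type` and no `description`, so a caller who passes a list or a string for, say, `azurerm_firewalls` is caught only deep inside the module with an unhelpful error. At minimum give each one a one-line `description` and, where the module iterates the value with `for_each`, `type = map(any)` to match `networking`, e.g. `variable "azurerm_firewalls" { description = "Azure Firewall instances keyed by name" type = map(any) default = {} }`. The file also ends without a trailing newline.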
diff --git a/caf_solution/variables.security.tf b/caf_solution/variables.security.tf new file mode 100644 index 000000000..5caae44dd --- /dev/null +++ b/caf_solution/variables.security.tf @@ -0,0 +1,19 @@ +variable "disk_encryption_sets" { + default = {} +} +variable "keyvault_certificate_issuers" { + default = {} +} +variable "keyvault_certificate_requests" { + default = {} +} +variable "keyvault_certificates" { + default = {} +} +variable "keyvault_keys" { + default = {} +} +## Security variables +variable "security" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/variables.shared_services.tf b/caf_solution/variables.shared_services.tf new file mode 100644 index 000000000..90c1d0697 --- /dev/null +++ b/caf_solution/variables.shared_services.tf @@ -0,0 +1,37 @@ +# Shared services +variable "shared_services" { + description = "Shared services configuration objects" + default = { + # automations = {} + # monitoring = {} + # recovery_vaults = {} + } +} + +variable "automations" { + default = {} +} + +variable "image_definitions" { + default = {} +} + +variable "monitoring" { + default = {} +} + +variable "packer_service_principal" { + default = {} +} + +variable "packer_managed_identity" { + default = {} +} + +variable "recovery_vaults" { + default = {} +} + +variable "shared_image_galleries" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/variables.storage.tf b/caf_solution/variables.storage.tf new file mode 100644 index 000000000..8a373b8ac --- /dev/null +++ b/caf_solution/variables.storage.tf @@ -0,0 +1,13 @@ +variable "netapp_accounts" { + default = {} +} +variable "storage" { + description = "Storage configuration objects" + default = {} +} +variable "storage_account_blobs" { + default = {} +} +variable "storage_accounts" { + default = {} +} \ No newline at end of file diff --git a/caf_solution/variables.tf b/caf_solution/variables.tf new file mode 100644 index 000000000..111c1fc6d --- /dev/null 
+++ b/caf_solution/variables.tf 
@@ -0,0 +1,243 @@
+# Map of the remote data state for lower level
+variable "lower_storage_account_name" {}
+variable "lower_container_name" {}
+variable "lower_resource_group_name" {}
+
+variable "tfstate_subscription_id" {
+ description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+}
+variable "tfstate_storage_account_name" {}
+variable "tfstate_container_name" {}
+variable "tfstate_key" {}
+variable "tfstate_resource_group_name" {}
+
+variable "landingzone" {
+ default = {
+ backend_type = "azurerm"
+ global_settings_key = "launchpad"
+ level = "level1"
+ key = "caf_examples"
+ tfstates = {
+ launchpad = {
+ level = "lower"
+ tfstate = "caf_launchpad.tfstate"
+ }
+ }
+ }
+}
+
+variable "global_settings" {
+ default = {}
+}
+
+variable "provider_azurerm_features_keyvault" {
+ default = {
+ purge_soft_delete_on_destroy = false
+ }
+}
+
+
+variable "rover_version" {
+ default = {}
+}
+
+variable "client_config" {
+ default = {}
+}
+
+variable "tenant_id" {
+ description = "Azure AD Tenant ID for the current deployment."
+ default = null
+}
+
+variable "current_landingzone_key" {
+ description = "Key for the current landing zones where the deployment is executed. Used in the context of landing zone deployment."
+ default = "local"
+ type = string
+}
+
+variable "tfstates" {
+ description = "Terraform states configuration object. Used in the context of landing zone deployment."
+ default = {}
+}
+
+variable "enable" {
+ description = "Map of services defined in the configuration file you want to disable during a deployment."
+ default = {
+ # bastion_hosts = true
+ # virtual_machines = true
+ }
+}
+
+variable "environment" {
+ description = "Name of the CAF environment."
+ type = string
+ default = "sandpit"
+}
+
+variable "logged_user_objectId" {
+ description = "Used to set access policies based on the value 'logged_in_user'. Can only be used in interactive execution with vscode."
+ default = null
+}
+variable "logged_aad_app_objectId" {
+ description = "Used to set access policies based on the value 'logged_in_aad_app'"
+ default = null
+}
+
+variable "use_msi" {
+ description = "Deployment using an MSI for authentication."
+ default = false
+ type = bool
+}
+
+variable "tags" {
+ description = "Tags to be used for this resource deployment."
+ type = map(any)
+ default = null
+}
+
+variable "resource_groups" {
+ description = "Resource groups configuration objects"
+ default = {}
+}
+
+variable "subscriptions" {
+ default = {}
+}
+
+variable "subscription_billing_role_assignments" {
+ default = {}
+}
+
+variable "billing" {
+ description = "Billing information"
+ default = {}
+}
+
+variable "remote_objects" {
+ description = "Remote objects is used to allow the landing zone to retrieve remote tfstate objects and pass them to the caf module"
+ default = {}
+}
+
+## Diagnostics settings
+variable "diagnostics_definition" {
+ default = null
+ description = "Shared diadgnostics settings that can be used by the services to enable diagnostics"
+}
+
+variable "diagnostics_destinations" {
+ default = null
+}
+
+variable "log_analytics" {
+ default = {}
+}
+
+variable "diagnostics" {
+ default = {}
+}
+
+variable "event_hub_namespaces" {
+ default = {}
+}
+
+variable "subnet_id" {
+ default = {}
+}
+
+variable "user_type" {
+ description = "The rover set this value to user or serviceprincipal. It is used to handle Azure AD api consents."
+ default = {}
+}
+
+## Azure AD
+variable "azuread_apps" {
+ default = {}
+}
+
+variable "azuread_groups" {
+ default = {}
+}
+
+variable "azuread_roles" {
+ default = {}
+}
+
+variable "azuread_users" {
+ default = {}
+}
+
+variable "azuread_api_permissions" {
+ default = {}
+}
+
+variable "managed_identities" {
+ description = "Managed Identity configuration objects"
+ default = {}
+}
+
+variable "keyvaults" {
+ description = "Key Vault configuration objects"
+ default = {}
+}
+
+variable "keyvault_access_policies" {
+ default = {}
+}
+
+variable "keyvault_access_policies_azuread_apps" {
+ default = {}
+}
+
+variable "custom_role_definitions" {
+ description = "Custom role definitions configuration objects"
+ default = {}
+}
+variable "role_mapping" {
+ default = {
+ built_in_role_mapping = {}
+ custom_role_mapping = {}
+ }
+}
+
+variable "dynamic_keyvault_secrets" {
+ default = {}
+}
+
+
+variable "diagnostic_storage_accounts" {
+ default = {}
+}
+
+
+variable "event_hubs" {
+ default = {}
+}
+
+variable "event_hub_auth_rules" {
+ default = {}
+}
+
+variable "event_hub_namespace_auth_rules" {
+ default = {}
+}
+
+variable "event_hub_consumer_groups" {
+ default = {}
+}
+
+variable "diagnostic_event_hub_namespaces" {
+ default = {}
+}
+variable "diagnostic_log_analytics" {
+ default = {}
+}
+variable "virtual_hub_route_tables" {
+ default = {}
+}
+variable "virtual_hub_connections" {
+ default = {}
+}
+variable "var_folder_path" {
+ default = null
+}
\ No newline at end of file
diff --git a/caf_solution/variables.webapp.tf b/caf_solution/variables.webapp.tf
new file mode 100644
index 000000000..68afec4d7
--- /dev/null
+++ b/caf_solution/variables.webapp.tf
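Review bot: In variables.tf, `user_type` is described as a value the rover sets to `user` or `serviceprincipal`, yet its `default = {}` is a map, so anything that compares it with a string receives an object whenever the rover leaves it unset; `default = null` together with `type = string` matches the description, as `current_landingzone_key` and `environment` already do. The identity inputs `tenant_id`, `logged_user_objectId` and `logged_aad_app_objectId` are untyped; `type = string` would reject a wrongly shaped value at plan time rather than when the access policy is applied. The descriptions of `tfstate_subscription_id` and `diagnostics_definition` contain typos (`propulated`, `diadgnostics`), and `enable` is described as a map of services to disable, which contradicts both its name and the `bastion_hosts = true` example in its default, so one of the two should be corrected. The `lower_*` and `tfstate_*` variables are declared with empty bodies; a one-line description such as `description = "Resource group of the storage account holding the lower-level remote tfstates"` on `lower_resource_group_name` would document the remote-state contract this file opens with.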
@@ -0,0 +1,26 @@
+
+variable "webapp" {
+ description = "Web applications configuration objects"
+ default = {
+ # app_services = {}
+ # app_service_environments = {}
+ # app_service_plans = {}
+ # azurerm_application_insights = {}
+ # ...
+ }
+}
+variable "app_service_environments" {
+ default = {}
+}
+variable "app_service_plans" {
+ default = {}
+}
+variable "app_services" {
+ default = {}
+}
+variable "azurerm_application_insights" {
+ default = {}
+}
+variable "function_apps" {
+ default = {}
+}
\ No newline at end of file
diff --git a/landingzones/caf_eslz/README.md b/landingzones/caf_eslz/README.md
deleted file mode 100644
index afef4f046..000000000
--- a/landingzones/caf_eslz/README.md
+++ /dev/null
@@ -1,44 +0,0 @@ -# Cloud Adoption Framework for Azure - Landing zones on Terraform - Enterprise-Scale - -The foundations landing zone allows you to manage the core components of an environment: - -* Management groups -* Policies - -Foundations landing zone operates at **level 1**. - -For a review of the hierarchy approach of Cloud Adoption Framework for Azure landing zones on Terraform, you can refer to [the following documentation](../../documentation/code_architecture/hierarchy.md). - -
- -## Components - -CAF eslz leverages the enterprise-scale module in order to deploy its core components. - -For full description on enterprise_scale module usage, please [refer to the repository](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) - -This is currently work in progress. -Use the following configuration file in order to get started with the enterprise-scale module integration: - -```bash -# This example will setup the complete enterprise-scale fundamentals management groups and policies. Please make sure you have appropriate privileges on the tenant and subscription - -rover -lz /tf/caf/public/landingzones/caf_eslz \ - -var-folder /tf/caf/public/landingzones/caf_eslz/scenario/100 \ - -level level1 \ - -a [plan|apply|destroy] - -# This example will setup custom enterprise-scale management groups and policies. Please make sure you have appropriate privileges on the tenant and subscription - -rover -lz /tf/caf/public/landingzones/caf_eslz \ - -var-folder /tf/caf/public/landingzones/caf_eslz/scenario/200 \ - -level level1 \ - -a [plan|apply|destroy] - -# If the tfstates are stored in a different subscription you need to execute the following command -rover -lz /tf/caf/public/landingzones/caf_eslz \ - -tfstate_subscription_id \ - -var-folder /tf/caf/public/landingzones/caf_foundations/scenario/200 \ - -level level1 \ - -a apply -``` diff --git a/landingzones/caf_eslz/es_main.tf b/landingzones/caf_eslz/es_main.tf deleted file mode 100644 index 45ced3fc9..000000000 --- a/landingzones/caf_eslz/es_main.tf +++ /dev/null 
@@ -1,25 +0,0 @@ -# For full description on enterprise_scale module usage, please refer to https://github.com/Azure/terraform-azurerm-caf-enterprise-scale - -module "enterprise_scale" { - source = "Azure/caf-enterprise-scale/azurerm" - version = "0.0.8" - - root_parent_id = data.azurerm_client_config.current.tenant_id - - root_id = try(var.enterprise_scale.root_id, "es") - root_name = try(var.enterprise_scale.root_name, "Enterprise-Scale") - deploy_core_landing_zones = try(var.enterprise_scale.deploy_core_landing_zones, false) - - # Control whether to deploy the demo landing zones // default = false - deploy_demo_landing_zones = try(var.enterprise_scale.deploy_demo_landing_zones, false) - - # Set a path for the custom archetype library path - library_path = try(format("%s", var.enterprise_scale.library_path), "") - - # Deploys the custom landing zone configuration as defined in config file - custom_landing_zones = try(var.enterprise_scale.custom_landing_zones, {}) - subscription_id_overrides = try(var.enterprise_scale.subscription_id_overrides, {}) - archetype_config_overrides = try(var.enterprise_scale.archetype_config_overrides, {}) - - default_location = local.global_settings.regions[local.global_settings.default_region] -} \ No newline at end of file diff --git a/landingzones/caf_eslz/landingzone.tf b/landingzones/caf_eslz/landingzone.tf deleted file mode 100644 index b12b48a6c..000000000 --- a/landingzones/caf_eslz/landingzone.tf +++ /dev/null 
@@ -1,21 +0,0 @@ -module "foundations" { - # source = "/tf/caf/aztfmod" - source = "aztfmod/caf/azurerm" - version = "~>5.2.0" - - current_landingzone_key = var.landingzone.key - tenant_id = var.tenant_id - tags = local.tags - diagnostics = local.remote.diagnostics - global_settings = local.global_settings - tfstates = local.tfstates - diagnostics_definition = var.diagnostics_definition - diagnostics_destinations = var.diagnostics_destinations - diagnostic_storage_accounts = var.diagnostic_storage_accounts - logged_user_objectId = var.logged_user_objectId - logged_aad_app_objectId = var.logged_aad_app_objectId - resource_groups = var.resource_groups - keyvaults = var.keyvaults - log_analytics = var.log_analytics - event_hub_namespaces = var.event_hub_namespaces -} diff --git a/landingzones/caf_eslz/locals.remote_tfstates.tf b/landingzones/caf_eslz/locals.remote_tfstates.tf deleted file mode 100644 index 27fa9da3c..000000000 --- a/landingzones/caf_eslz/locals.remote_tfstates.tf +++ /dev/null 
@@ -1,78 +0,0 @@ -locals { - landingzone = { - current = { - storage_account_name = var.tfstate_storage_account_name - container_name = var.tfstate_container_name - resource_group_name = var.tfstate_resource_group_name - } - lower = { - storage_account_name = var.lower_storage_account_name - container_name = var.lower_container_name - resource_group_name = var.lower_resource_group_name - } - } -} - -data "terraform_remote_state" "remote" { - for_each = try(var.landingzone.tfstates, {}) - - backend = var.landingzone.backend_type - config = { - storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name - container_name = local.landingzone[try(each.value.level, "current")].container_name - resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name - subscription_id = var.tfstate_subscription_id - key = each.value.tfstate - } -} - -locals { - landingzone_tag = { - "landingzone" = var.landingzone.key - } - - tags = merge(var.tags, local.landingzone_tag, local.global_settings.tags, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }) - - global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings - - - remote = { - diagnostics = { - # Get the diagnostics settings of services to create - diagnostic_event_hub_namespaces = var.diagnostic_event_hub_namespaces - diagnostic_log_analytics = var.diagnostic_log_analytics - diagnostic_storage_accounts = var.diagnostic_storage_accounts - - # Combine the diagnostics definitions - diagnostics_definition = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition) - diagnostics_destinations = { - event_hub_namespaces = merge( - 
try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.event_hub_namespaces, {}), - try(var.diagnostics_destinations.event_hub_namespaces, {}) - ) - log_analytics = merge( - try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.log_analytics, {}), - try(var.diagnostics_destinations.log_analytics, {}) - ) - storage = merge( - try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.storage, {}), - try(var.diagnostics_destinations.storage, {}) - ) - } - # Get the remote existing diagnostics objects - storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts - log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics - event_hub_namespaces = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces - } - - managed_identities = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.managed_identities[key], {})) - } - azuread_groups = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_groups[key], {})) - } - vnets = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.vnets[key], {})) - } - } -} diff --git a/landingzones/caf_eslz/main.tf b/landingzones/caf_eslz/main.tf deleted file mode 100644 index b3f105bee..000000000 --- a/landingzones/caf_eslz/main.tf +++ /dev/null 
@@ -1,63 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.43" - } - azuread = { - source = "hashicorp/azuread" - version = "~> 1.0.0" - } - random = { - source = "hashicorp/random" - version = "~> 2.2.1" - } - null = { - source = "hashicorp/null" - version = "~> 2.1.0" - } - tls = { - source = "hashicorp/tls" - version = "~> 2.2.0" - } - azurecaf = { - source = "aztfmod/azurecaf" - version = "~> 1.2.0" - } - } - required_version = ">= 0.13" -} - - -provider "azurerm" { - features { - key_vault { - purge_soft_delete_on_destroy = true - } - } -} - -data "azurerm_client_config" "current" {} -data "azurerm_subscription" "current" {} - -locals { - - # Update the tfstates map - tfstates = merge( - map(var.landingzone.key, - map( - "storage_account_name", var.tfstate_storage_account_name, - "container_name", var.tfstate_container_name, - "resource_group_name", var.tfstate_resource_group_name, - "key", var.tfstate_key, - "level", var.landingzone.level, - "tenant_id", var.tenant_id, - "subscription_id", data.azurerm_client_config.current.subscription_id - ) - ) - , - data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.tfstates - ) - -} - diff --git a/landingzones/caf_eslz/output.tf b/landingzones/caf_eslz/output.tf deleted file mode 100644 index f856906a6..000000000 --- a/landingzones/caf_eslz/output.tf +++ /dev/null 
@@ -1,30 +0,0 @@ -output global_settings { - value = local.global_settings - sensitive = true -} -output diagnostics { - value = module.foundations.diagnostics - sensitive = true -} -output vnets { - value = local.remote.vnets - sensitive = true -} -output managed_identities { - value = local.remote.managed_identities - sensitive = true -} -output azuread_groups { - value = local.remote.azuread_groups - sensitive = true -} -output tfstates { - value = local.tfstates - sensitive = true -} -output keyvaults { - value = tomap({ - (var.landingzone.key) = try(module.foundations.keyvaults, {}) - }) - sensitive = true -} diff --git a/landingzones/caf_eslz/scenario/100/enterprise_scale_contoso_com.tfvars b/landingzones/caf_eslz/scenario/100/enterprise_scale_contoso_com.tfvars deleted file mode 100644 index 89e2ea1fd..000000000 --- a/landingzones/caf_eslz/scenario/100/enterprise_scale_contoso_com.tfvars +++ /dev/null @@ -1,25 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "launchpad" - level = "level1" - key = "caf_eslz" - tfstates = { - launchpad = { - level = "lower" - tfstate = "caf_launchpad.tfstate" - } - } -} - -enterprise_scale = { - # Define a custom ID to use for the root Management Group - # Also used as a prefix for all core Management Group IDs - # root_id = "caf" - # root_name = "CAF-RootManagementGroup" - - # Control whether to deploy the default core landing zones // default = true - deploy_core_landing_zones = true - - # Control whether to deploy the demo landing zones // default = false - deploy_demo_landing_zones = false -} \ No newline at end of file diff --git a/landingzones/caf_eslz/scenario/200/enterprise_scale_contoso_com.tfvars b/landingzones/caf_eslz/scenario/200/enterprise_scale_contoso_com.tfvars deleted file mode 100644 index 73c92cb7f..000000000 --- a/landingzones/caf_eslz/scenario/200/enterprise_scale_contoso_com.tfvars +++ /dev/null 
@@ -1,45 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "launchpad" - level = "level1" - key = "caf_foundations" - tfstates = { - launchpad = { - level = "lower" - tfstate = "caf_launchpad.tfstate" - } - } -} - -enterprise_scale = { - #path to the policies definition and assignment repo - library_path = "/tf/caf/public/landingzones/caf_eslz/scenario/200/lib" - - #management groups hierarchy configuration - custom_landing_zones = { - caf = { - display_name = "CAF-RootManagementGroup" - parent_management_group_id = "" - subscription_ids = [] - archetype_config = { - archetype_id = "es_root" - parameters = {} - access_control = {} - } - } - child-caf = { - display_name = "CAF-ChildManagementGroup" - parent_management_group_id = "caf" - subscription_ids = [] - archetype_config = { - archetype_id = "es_management" - parameters = { - ES-Deploy-ForwardDiagLog = { - logAnalytics = "central_logs_region1" - } - } - access_control = {} - } - } - } -} \ No newline at end of file diff --git a/landingzones/caf_eslz/scenario/200/lib/archetype_definition_es_management.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/archetype_definition_es_management.tmpl.json deleted file mode 100644 index e6d18b5db..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/archetype_definition_es_management.tmpl.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "es_management": { - "policy_assignments": [ - "ES-Deploy-ASC-Standard" - ], - "policy_definitions": [ - ], - "policy_set_definitions": [], - "role_assignments": [], - "role_definitions": [] - } -} \ No newline at end of file diff --git a/landingzones/caf_eslz/scenario/200/lib/archetype_definition_es_root.json b/landingzones/caf_eslz/scenario/200/lib/archetype_definition_es_root.json deleted file mode 100644 index e41b04f6f..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/archetype_definition_es_root.json +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - "es_root": { - "policy_assignments": [ - "ES-Deploy-ASC-Standard" - ], - "policy_definitions": [ - "ES-Deploy-ASC-Standard" - ], - "policy_set_definitions": [], - "role_assignments": [], - "role_definitions": [] - } -} \ No newline at end of file diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_allowed_resource-locations.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_allowed_resource-locations.tmpl.json deleted file mode 100644 index ae28ea455..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_allowed_resource-locations.tmpl.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "name": "ES-Allowed-Locations", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Specifies the allowed locations (regions) where resources can be deployed", - "displayName": "ES-Allowed-Resource-Locations", - "notScopes": [], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "uksouth", - "ukwest" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "None" - } -} diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_allowed_resourcegroup-locations.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_allowed_resourcegroup-locations.tmpl.json deleted file mode 100644 index b00174588..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_allowed_resourcegroup-locations.tmpl.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "name": "ES-Allowed-RSG-Locations", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed", - "displayName": "ES-Allowed-ResourceGroup-Locations", - "notScopes": [], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "uksouth", - "ukwest" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "None" - } -} diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_ce.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_ce.tmpl.json deleted file mode 100644 index 4417b6a01..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_ce.tmpl.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "name": "ES-Deploy-ASC-ContExport", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Deploy ASC Continuous Export To Log Analytics Workspace.", - "displayName": "ES-Deploy-ASC-ContinuousExportToWorkspace", - "notScopes": [], - "parameters": { - "resourceGroupLocation": { - "value": null - }, - "workspaceResourceId": { - "value": null - } - }, - "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-ASC-ContinuousExportToWorkspace", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "SystemAssigned" - } -} 
diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_monitoring.tmpl.json deleted file mode 100644 index ba6d2186f..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_monitoring.tmpl.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "name": "ES-Deploy-ASC-Monitoring", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Enable Monitoring in Azure Security Center.", - "displayName": "ES-Deploy-ASC-Monitoring", - "notScopes": [], - "parameters": { - "aadAuthenticationInSqlServerMonitoringEffect": { - "value": "Disabled" - }, - "diskEncryptionMonitoringEffect": { - "value": "Disabled" - }, - "encryptionOfAutomationAccountMonitoringEffect": { - "value": "Disabled" - }, - "identityDesignateLessThanOwnersMonitoringEffect": { - "value": "Disabled" - }, - "identityDesignateMoreThanOneOwnerMonitoringEffect": { - "value": "Disabled" - }, - "identityEnableMFAForWritePermissionsMonitoringEffect": { - "value": "Disabled" - }, - "identityRemoveDeprecatedAccountMonitoringEffect": { - "value": "Disabled" - }, - "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { - "value": "Disabled" - }, - "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { - "value": "Disabled" - }, - "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": { - "value": "Disabled" - }, - "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { - "value": "Disabled" - }, - "jitNetworkAccessMonitoringEffect": { - "value": "Disabled" - }, - "networkSecurityGroupsOnSubnetsMonitoringEffect": { - "value": "AuditIfNotExists" - }, - "sqlDbEncryptionMonitoringEffect": { - "value": "Disabled" - }, - "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": { - "value": "Disabled" - }, - "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": { - "value": "Disabled" - }, - "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": { - "value": "Disabled" - }, - "sqlServerAdvancedDataSecurityMonitoringEffect": { - "value": "Disabled" - }, - "systemUpdatesMonitoringEffect": { - "value": "Disabled" - }, - "useRbacRulesMonitoringEffect": { - "value": "Disabled" - }, - 
"vmssSystemUpdatesMonitoringEffect": { - "value": "Disabled" - }, - "windowsDefenderExploitGuardMonitoringEffect": { - "value": "Disabled" - } - }, - "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "SystemAssigned" - } -} diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_standard.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_standard.tmpl.json deleted file mode 100644 index 1786a9c39..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_asc_standard.tmpl.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "name": "ES-Deploy-ASC-Standard", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Deploy Azure Security Center Standard Tier.", - "displayName": "ES-Deploy-ASC-Standard", - "notScopes": [], - "parameters": {}, - "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-ASC-Standard", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "SystemAssigned" - } -} diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_diag_activitylog.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_diag_activitylog.tmpl.json deleted file mode 100644 index 7bf367af8..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_diag_activitylog.tmpl.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "name": "ES-Deploy-ForwardActLogs", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", - "displayName": "ES-Deploy-Diagnostics-ForwardActivityLogs", - "notScopes": [], - "parameters": { - "logAnalytics": { - "value": null - } - }, - "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-Diagnostics-LogAnalytics", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "SystemAssigned" - } -} diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_diag_loganalytics.tmpl.json b/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_diag_loganalytics.tmpl.json deleted file mode 100644 index 6cae95354..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_assignment_es_deploy_diag_loganalytics.tmpl.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "name": "ES-Deploy-ForwardDiagLog", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", - "displayName": "ES-Deploy-Diagnostics-ForwardDiagnosticLogs", - "notScopes": [], - "parameters": { - "logAnalytics": { - "value": null - } - }, - "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/ES-Deploy-Diagnostics-LogAnalytics", - "scope": "${current_scope_resource_id}" - }, - "sku": { - "name": "A0", - "tier": "Free" - }, - "location": "${default_location}", - "identity": { - "type": "SystemAssigned" - } -} 
diff --git a/landingzones/caf_eslz/scenario/200/lib/policy_definition_es_deploy_asc_standard.json b/landingzones/caf_eslz/scenario/200/lib/policy_definition_es_deploy_asc_standard.json deleted file mode 100644 index d75c1298a..000000000 --- a/landingzones/caf_eslz/scenario/200/lib/policy_definition_es_deploy_asc_standard.json +++ /dev/null 
@@ -1,284 +0,0 @@
-{
- "name": "ES-Deploy-ASC-Standard",
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Ensures that subscriptions have Security Center Standard enabled.",
- "displayName": "ES-Deploy-ASC-Standard",
- "mode": "All",
- "parameters": {
- "pricingTierVMs": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierVMs",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "pricingTierSqlServers": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierSqlServers",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "pricingTierAppServices": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierAppServices",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "pricingTierStorageAccounts": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierStorageAccounts",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "pricingTierContainerRegistry": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierContainerRegistry",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "pricingTierKeyVaults": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierKeyVaults",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "pricingTierKubernetesService": {
- "type": "String",
- "metadata": {
- "displayName": "pricingTierKubernetesService",
- "description": ""
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Resources/subscriptions"
- }
- ]
- },
- "then": {
- 
"effect": "deployIfNotExists",
- "details": {
- "type": "Microsoft.Security/pricings",
- "deploymentScope": "subscription",
- "existenceScope": "subscription",
- "roleDefinitionIds": [
- "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
- ],
- "existenceCondition": {
- "allOf": [
- {
- "field": "Microsoft.Security/pricings/pricingTier",
- "equals": "Standard"
- },
- {
- "field": "type",
- "equals": "Microsoft.Security/pricings"
- }
- ]
- },
- "deployment": {
- "location": "northeurope",
- "properties": {
- "mode": "incremental",
- "parameters": {
- "pricingTierVMs": {
- "value": "[parameters('pricingTierVMs')]"
- },
- "pricingTierSqlServers": {
- "value": "[parameters('pricingTierSqlServers')]"
- },
- "pricingTierAppServices": {
- "value": "[parameters('pricingTierAppServices')]"
- },
- "pricingTierStorageAccounts": {
- "value": "[parameters('pricingTierStorageAccounts')]"
- },
- "pricingTierContainerRegistry": {
- "value": "[parameters('pricingTierContainerRegistry')]"
- },
- "pricingTierKeyVaults": {
- "value": "[parameters('pricingTierKeyVaults')]"
- },
- "pricingTierKubernetesService": {
- "value": "[parameters('pricingTierKubernetesService')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "pricingTierVMs": {
- "type": "string",
- "metadata": {
- "description": "pricingTierVMs"
- }
- },
- "pricingTierSqlServers": {
- "type": "string",
- "metadata": {
- "description": "pricingTierSqlServers"
- }
- },
- "pricingTierAppServices": {
- "type": "string",
- "metadata": {
- "description": "pricingTierAppServices"
- }
- },
- "pricingTierStorageAccounts": {
- "type": "string",
- "metadata": {
- "description": "pricingTierStorageAccounts"
- }
- },
- "pricingTierContainerRegistry": {
- "type": "string",
- "metadata": {
- "description": "ContainerRegistry"
- }
- },
- "pricingTierKeyVaults": {
- "type": 
"string",
- "metadata": {
- "description": "KeyVaults"
- }
- },
- "pricingTierKubernetesService": {
- "type": "string",
- "metadata": {
- "description": "KubernetesService"
- }
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "VirtualMachines",
- "properties": {
- "pricingTier": "[parameters('pricingTierVMs')]"
- }
- },
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "StorageAccounts",
- "dependsOn": [
- "[concat('Microsoft.Security/pricings/VirtualMachines')]"
- ],
- "properties": {
- "pricingTier": "[parameters('pricingTierStorageAccounts')]"
- }
- },
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "AppServices",
- "dependsOn": [
- "[concat('Microsoft.Security/pricings/StorageAccounts')]"
- ],
- "properties": {
- "pricingTier": "[parameters('pricingTierAppServices')]"
- }
- },
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "SqlServers",
- "dependsOn": [
- "[concat('Microsoft.Security/pricings/AppServices')]"
- ],
- "properties": {
- "pricingTier": "[parameters('pricingTierSqlServers')]"
- }
- },
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "KeyVaults",
- "dependsOn": [
- "[concat('Microsoft.Security/pricings/SqlServers')]"
- ],
- "properties": {
- "pricingTier": "[parameters('pricingTierKeyVaults')]"
- }
- },
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "KubernetesService",
- "dependsOn": [
- "[concat('Microsoft.Security/pricings/KeyVaults')]"
- ],
- "properties": {
- "pricingTier": "[parameters('pricingTierKubernetesService')]"
- }
- },
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "ContainerRegistry",
- "dependsOn": [
- "[concat('Microsoft.Security/pricings/KubernetesService')]"
- ],
- "properties": {
- "pricingTier": 
"[parameters('pricingTierContainerRegistry')]"
- }
- }
- ],
- "outputs": {}
- }
- }
- }
- }
- }
- }
- }
-}
diff --git a/landingzones/caf_eslz/variables.tf b/landingzones/caf_eslz/variables.tf
deleted file mode 100644
index fc19f2f99..000000000
--- a/landingzones/caf_eslz/variables.tf
+++ /dev/null
@@ -1,83 +0,0 @@
-# Map of the remote data state
-variable lower_storage_account_name {}
-variable lower_container_name {}
-variable lower_resource_group_name {}
-
-variable tfstate_subscription_id {
- description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
-}
-variable tfstate_storage_account_name {
- description = "This value is propulated by the rover"
-}
-variable tfstate_container_name {
- description = "This value is propulated by the rover"
-}
-variable tfstate_key {
- description = "This value is propulated by the rover"
-}
-variable tfstate_resource_group_name {
- description = "This value is propulated by the rover"
-}
-
-variable landingzone {
- default = {
- backend_type = "azurerm"
- global_settings_key = "launchpad"
- level = "level1"
- key = "foundations"
- tfstates = {
- launchpad = {
- level = "lower"
- tfstate = "caf_launchpad.tfstate"
- }
- }
- }
-}
-
-variable tenant_id {}
-variable rover_version {}
-variable logged_user_objectId {
- default = null
-}
-variable logged_aad_app_objectId {
- default = null
-}
-variable tags {
- type = map
- default = {}
-}
-
-variable enterprise_scale {
- default = {}
-}
-
-variable diagnostics_definition {
- default = {}
-}
-variable keyvaults {
- default = {}
-}
-variable resource_groups {
- default = {}
-}
-variable log_analytics {
- default = {}
-}
-variable event_hub_namespaces {
- default = {}
-}
-variable diagnostic_storage_accounts {
- default = {}
-}
-variable diagnostic_event_hub_namespaces {
- default = {}
-}
-variable diagnostic_log_analytics {
- default = {}
-}
-variable diagnostics_destinations {
- default = {}
-}
-variable dynamic_keyvault_secrets {
- default = {}
-}
\ No newline at end of file
diff --git a/landingzones/caf_foundations/README.md b/landingzones/caf_foundations/README.md
deleted file mode 100644
index d9e449911..000000000
--- a/landingzones/caf_foundations/README.md
+++ /dev/null
@@ -1,32 +0,0 @@ -# Cloud Adoption Framework for Azure - Landing zones on Terraform - Foundations - -The foundations landing zone allows you to manage the core components of an environment: - -* Auditing and Accounting, deployment or connection to existing ones. - -Foundations landing zone operates at **level 1**. - -For a review of the hierarchy approach of Cloud Adoption Framework for Azure landing zones on Terraform, you can refer to [the following documentation](../../documentation/code_architecture/hierarchy.md). - -
-
-## Components
-
-CAF foundations landing zone leverages the enterprise-scale module in order to deploy its core components.
-
-## Deploying CAF foundations
-
-By default, the content of this landing zone is empty unless you specify a configuration file to enable it.
-
-```bash
-# To deploy the CAF foundations in passthrough mode
-rover -lz /tf/caf/public/landingzones/caf_foundations \
- -level level1 \
- -a apply
-
-# If the tfstates are stored in a different subscription you need to execute the following command
-rover -lz /tf/caf/public/landingzones/caf_foundations \
- -tfstate_subscription_id \
- -level level1 \
- -a apply
-```
diff --git a/landingzones/caf_foundations/dynamic_secrets.tf b/landingzones/caf_foundations/dynamic_secrets.tf
deleted file mode 100644
index ae6338236..000000000
--- a/landingzones/caf_foundations/dynamic_secrets.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-
-module dynamic_keyvault_secrets {
- source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
- version = "~>5.2.0"
-
- for_each = try(var.dynamic_keyvault_secrets, {})
-
- settings = each.value
- keyvault = module.foundations.keyvaults[each.key]
- objects = module.foundations
-}
diff --git a/landingzones/caf_foundations/landingzone.tf b/landingzones/caf_foundations/landingzone.tf
deleted file mode 100644
index d44b5b6ee..000000000
--- a/landingzones/caf_foundations/landingzone.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-module "foundations" {
- source = "aztfmod/caf/azurerm"
- version = "~>5.2.0"
-
- current_landingzone_key = var.landingzone.key
- tenant_id = var.tenant_id
- tags = local.tags
- diagnostics = local.remote.diagnostics
- global_settings = local.global_settings
- tfstates = local.tfstates
- diagnostics_definition = var.diagnostics_definition
- diagnostics_destinations = var.diagnostics_destinations
- diagnostic_storage_accounts = var.diagnostic_storage_accounts
- logged_user_objectId = var.logged_user_objectId
- logged_aad_app_objectId = var.logged_aad_app_objectId
- resource_groups = var.resource_groups
- keyvaults = var.keyvaults
- log_analytics = var.log_analytics
- event_hub_namespaces = var.event_hub_namespaces
-
- ## Azure Active Directory
- azuread_apps = var.azuread_apps
- azuread_api_permissions = var.azuread_api_permissions
- azuread_groups = var.azuread_groups
- azuread_roles = var.azuread_roles
- azuread_users = var.azuread_users
- managed_identities = var.managed_identities
- custom_role_definitions = var.custom_role_definitions
- role_mapping = var.role_mapping
-}
diff --git a/landingzones/caf_foundations/locals.remote_tfstates.tf b/landingzones/caf_foundations/locals.remote_tfstates.tf
deleted file mode 100644
index 287208e10..000000000
--- a/landingzones/caf_foundations/locals.remote_tfstates.tf
+++ /dev/null
@@ -1,92 +0,0 @@
-locals {
- landingzone = {
- current = {
- storage_account_name = var.tfstate_storage_account_name
- container_name = var.tfstate_container_name
- resource_group_name = var.tfstate_resource_group_name
- }
- lower = {
- storage_account_name = var.lower_storage_account_name
- container_name = var.lower_container_name
- resource_group_name = var.lower_resource_group_name
- }
- }
-}
-
-data "terraform_remote_state" "remote" {
- for_each = try(var.landingzone.tfstates, {})
-
- backend = var.landingzone.backend_type
- config = {
- storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
- container_name = local.landingzone[try(each.value.level, "current")].container_name
- resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name
- subscription_id = var.tfstate_subscription_id
- key = each.value.tfstate
- }
-}
-
-locals {
- landingzone_tag = {
- "landingzone" = var.landingzone.key
- }
-
- tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
-
- global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings
-
-
- remote = {
- diagnostics = {
- # Get the diagnostics settings of services to create
- diagnostic_event_hub_namespaces = var.diagnostic_event_hub_namespaces
- diagnostic_log_analytics = var.diagnostic_log_analytics
- diagnostic_storage_accounts = var.diagnostic_storage_accounts
-
- # Combine the diagnostics definitions
- diagnostics_definition = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition)
- diagnostics_destinations = {
- event_hub_namespaces = merge(
- 
try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.event_hub_namespaces, {}),
- try(var.diagnostics_destinations.event_hub_namespaces, {})
- )
- log_analytics = merge(
- try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.log_analytics, {}),
- try(var.diagnostics_destinations.log_analytics, {})
- )
- storage = merge(
- try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.storage, {}),
- try(var.diagnostics_destinations.storage, {})
- )
- }
- # Get the remote existing diagnostics objects
- storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts
- log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics
- event_hub_namespaces = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces
- }
-
- managed_identities = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.managed_identities[key], {}))
- }
- azuread_groups = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_groups[key], {}))
- }
- azuread_applications = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.aad_apps[key], {}))
- }
- azuread_users = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_users[key], {}))
- }
- vnets = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.vnets[key], {}))
- }
- }
-
- combined = {
- managed_identities = 
merge(local.remote.managed_identities, tomap({ (var.landingzone.key) = module.foundations.managed_identities }))
- azuread_groups = merge(local.remote.azuread_groups, tomap({ (var.landingzone.key) = module.foundations.azuread_groups }))
- aad_apps = merge(local.remote.azuread_applications, tomap({ (var.landingzone.key) = module.foundations.aad_apps }))
- azuread_users = merge(local.remote.azuread_users, tomap({ (var.landingzone.key) = module.foundations.azuread_users }))
- }
-
-}
diff --git a/landingzones/caf_foundations/main.tf b/landingzones/caf_foundations/main.tf
deleted file mode 100644
index b3f105bee..000000000
--- a/landingzones/caf_foundations/main.tf
+++ /dev/null
@@ -1,63 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 2.43"
- }
- azuread = {
- source = "hashicorp/azuread"
- version = "~> 1.0.0"
- }
- random = {
- source = "hashicorp/random"
- version = "~> 2.2.1"
- }
- null = {
- source = "hashicorp/null"
- version = "~> 2.1.0"
- }
- tls = {
- source = "hashicorp/tls"
- version = "~> 2.2.0"
- }
- azurecaf = {
- source = "aztfmod/azurecaf"
- version = "~> 1.2.0"
- }
- }
- required_version = ">= 0.13"
-}
-
-
-provider "azurerm" {
- features {
- key_vault {
- purge_soft_delete_on_destroy = true
- }
- }
-}
-
-data "azurerm_client_config" "current" {}
-data "azurerm_subscription" "current" {}
-
-locals {
-
- # Update the tfstates map
- tfstates = merge(
- map(var.landingzone.key,
- map(
- "storage_account_name", var.tfstate_storage_account_name,
- "container_name", var.tfstate_container_name,
- "resource_group_name", var.tfstate_resource_group_name,
- "key", var.tfstate_key,
- "level", var.landingzone.level,
- "tenant_id", var.tenant_id,
- "subscription_id", data.azurerm_client_config.current.subscription_id
- )
- )
- ,
- data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.tfstates
- )
-
-}
- 
diff --git a/landingzones/caf_foundations/output.tf b/landingzones/caf_foundations/output.tf
deleted file mode 100644
index 2db7ccbc4..000000000
--- a/landingzones/caf_foundations/output.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-output global_settings {
- value = local.global_settings
- sensitive = true
-}
-output diagnostics {
- value = module.foundations.diagnostics
- sensitive = true
-}
-output vnets {
- value = local.remote.vnets
- sensitive = true
-}
-output tfstates {
- value = local.tfstates
- sensitive = true
-}
-output keyvaults {
- value = tomap({
- (var.landingzone.key) = try(module.foundations.keyvaults, {})
- })
- sensitive = true
-}
-# Active Directory
-output managed_identities {
- value = local.combined.managed_identities
- sensitive = true
-}
-output azuread_groups {
- value = local.combined.azuread_groups
- sensitive = true
-}
-output aad_apps {
- value = local.combined.aad_apps
- sensitive = true
-}
-output azuread_users {
- value = local.combined.managed_identities
- sensitive = true
-}
diff --git a/landingzones/caf_foundations/variables.tf b/landingzones/caf_foundations/variables.tf
deleted file mode 100644
index ae7930164..000000000
--- a/landingzones/caf_foundations/variables.tf
+++ /dev/null
@@ -1,112 +0,0 @@
-# Map of the remote data state
-variable lower_storage_account_name {}
-variable lower_container_name {}
-variable lower_resource_group_name {}
-
-variable tfstate_subscription_id {
- description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
-}
-variable tfstate_storage_account_name {
- description = "This value is propulated by the rover"
-}
-variable tfstate_container_name {
- description = "This value is propulated by the rover"
-}
-variable tfstate_key {
- description = "This value is propulated by the rover"
-}
-variable tfstate_resource_group_name {
- description = "This value is propulated by the rover"
-}
-
-variable landingzone {
- default = {
- backend_type = "azurerm"
- global_settings_key = "launchpad"
- level = "level1"
- key = "foundations"
- tfstates = {
- launchpad = {
- level = "lower"
- tfstate = "caf_launchpad.tfstate"
- }
- }
- }
-}
-
-variable tenant_id {}
-variable rover_version {}
-variable logged_user_objectId {
- default = null
-}
-variable logged_aad_app_objectId {
- default = null
-}
-variable tags {
- type = map
- default = {}
-}
-
-variable enterprise_scale {
- default = {}
-}
-
-variable diagnostics_definition {
- default = {}
-}
-variable keyvaults {
- default = {}
-}
-variable resource_groups {
- default = {}
-}
-variable log_analytics {
- default = {}
-}
-variable event_hub_namespaces {
- default = {}
-}
-variable diagnostic_storage_accounts {
- default = {}
-}
-variable diagnostic_event_hub_namespaces {
- default = {}
-}
-variable diagnostic_log_analytics {
- default = {}
-}
-variable diagnostics_destinations {
- default = {}
-}
-variable dynamic_keyvault_secrets {
- default = {}
-}
-
-## Azure Active Directory
-variable azuread_apps {
- default = {}
-}
-variable azuread_api_permissions {
- default = {}
-}
-variable azuread_groups {
- default = {}
-}
-variable azuread_users {
- default = {}
-}
-variable azuread_roles {
- default = {}
-}
-variable managed_identities {
- 
default = {}
-}
-variable custom_role_definitions {
- default = {}
-}
-variable role_mapping {
- default = {
- built_in_role_mapping = {}
- custom_role_mapping = {}
- }
-}
\ No newline at end of file
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops/variables.tf b/landingzones/caf_launchpad/add-ons/azure_devops/variables.tf
deleted file mode 100644
index 8cf5b7916..000000000
--- a/landingzones/caf_launchpad/add-ons/azure_devops/variables.tf
+++ /dev/null
@@ -1,102 +0,0 @@
-# Map of the remote data state for lower level
-variable lower_storage_account_name {}
-variable lower_container_name {}
-variable lower_resource_group_name {}
-
-variable tfstate_storage_account_name {}
-variable tfstate_container_name {}
-variable tfstate_key {}
-variable tfstate_resource_group_name {}
-
-variable tfstate_subscription_id {
- description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
-}
-
-variable global_settings {
- default = {}
-}
-variable tenant_id {}
-variable landingzone {
-}
-variable rover_version {
- default = null
-}
-
-variable logged_user_objectId {
- default = null
-}
-variable logged_aad_app_objectId {
- default = null
-}
-variable tags {
- default = null
-}
-variable app_service_environments {
- default = {}
-}
-variable app_service_plans {
- default = {}
-}
-variable app_services {
- default = {}
-}
-variable diagnostics_definition {
- default = {}
-}
-variable resource_groups {
- default = {}
-}
-variable network_security_group_definition {
- default = {}
-}
-variable vnets {
- default = {}
-}
-variable azurerm_redis_caches {
- default = {}
-}
-variable mssql_servers {
- default = {}
-}
-variable storage_accounts {
- default = {}
-}
-variable storage_account_blobs {
- default = {}
-}
-variable azuread_groups {
- default = {}
-}
-variable keyvaults {
- default = {}
-}
-variable keyvault_access_policies {
- default = {}
-}
-variable keyvault_access_policies_azuread_apps {
- default = {}
-}
-variable virtual_machines {
- default = {}
-}
-variable diagnostic_storage_accounts {
- default = {}
-}
-variable virtual_machine_extension_scripts {
- default = {}
-}
-variable azure_devops {
- default = {}
-}
-variable role_mapping {
- default = {}
-}
-variable custom_role_definitions {
- default = {}
-}
-variable azuread_apps {
- default = {}
-}
-variable dynamic_keyvault_secrets {
- default = {}
-}
\ No newline at end of file
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/extensions/variables.tf b/landingzones/caf_launchpad/add-ons/azure_devops_agent/extensions/variables.tf
deleted file mode 100644
index 88453a149..000000000
--- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/extensions/variables.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-variable virtual_machine_id {}
-variable extensions {}
-variable settings {}
\ No newline at end of file
diff --git a/landingzones/caf_launchpad/add-ons/azure_devops_agent/variables.tf b/landingzones/caf_launchpad/add-ons/azure_devops_agent/variables.tf
deleted file mode 100644
index 4efef26b0..000000000
--- a/landingzones/caf_launchpad/add-ons/azure_devops_agent/variables.tf
+++ /dev/null
@@ -1,102 +0,0 @@
-# Map of the remote data state for lower level
-variable lower_storage_account_name {}
-variable lower_container_name {}
-variable lower_resource_group_name {}
-
-variable tfstate_storage_account_name {}
-variable tfstate_container_name {}
-variable tfstate_key {}
-variable tfstate_resource_group_name {}
-
-variable tfstate_subscription_id {
- description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
-}
-
-variable global_settings {
- default = {}
-}
-variable tenant_id {}
-variable landingzone {
-}
-variable rover_version {
- default = null
-}
-
-variable logged_user_objectId {
- default = null
-}
-variable logged_aad_app_objectId {
- default = null
-}
-variable tags {
- default = null
-}
-variable app_service_environments {
- default = {}
-}
-variable app_service_plans {
- default = {}
-}
-variable app_services {
- default = {}
-}
-variable diagnostics_definition {
- default = {}
-}
-variable resource_groups {
- default = {}
-}
-variable network_security_group_definition {
- default = {}
-}
-variable vnets {
- default = {}
-}
-variable azurerm_redis_caches {
- default = {}
-}
-variable mssql_servers {
- default = {}
-}
-variable storage_accounts {
- default = {}
-}
-variable storage_account_blobs {
- default = {}
-}
-variable azuread_groups {
- default = {}
-}
-variable keyvaults {
- default = {}
-}
-variable keyvault_access_policies {
- default = {}
-}
-variable virtual_machines {
- default = {}
-}
-variable diagnostic_storage_accounts {
- default = {}
-}
-variable virtual_machine_extension_scripts {
- default = {}
-}
-variable azure_devops {
- default = {}
-}
-variable role_mapping {
- default = {}
-}
-variable custom_role_definitions {
- default = {}
-}
-variable azuread_apps {
- default = {}
-}
-variable dynamic_keyvault_secrets {
- default = {}
-}
-variable managed_identities {
- default = {}
-}
\ No newline at end of file
diff --git a/landingzones/caf_launchpad/add-ons/terraform_cloud/variables.tf b/landingzones/caf_launchpad/add-ons/terraform_cloud/variables.tf
deleted file mode 100644
index e84068bba..000000000
--- a/landingzones/caf_launchpad/add-ons/terraform_cloud/variables.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-# Map of the remote data state for lower level
-variable lower_storage_account_name {
- default = {}
-}
-variable lower_container_name {
- default = {}
-}
-variable lower_resource_group_name {
- default = {}
-}
-
-variable tfstate_storage_account_name {
- default = {}
-}
-variable tfstate_container_name {
- default = {}
-}
-variable tfstate_key {
- default = {}
-}
-variable tfstate_resource_group_name {
- default = {}
-}
-
-variable global_settings {
- default = {}
-}
-variable tenant_id {
- default = {}
-}
-variable landingzone {
- default = {}
-}
-
-variable rover_version {
- default = null
-}
-
-variable logged_user_objectId {
- default = null
-}
-variable logged_aad_app_objectId {
- default = null
-}
-variable tags {
- default = null
-}
-variable keyvaults {
- default = {}
-}
-variable keyvault_access_policies {
- default = {}
-}
-variable role_mapping {
- default = {}
-}
-variable secrets_from_keys {
- default = {}
-}
-variable custom_role_definitions {
- default = {}
-}
-variable azuread_apps {
- default = {}
-}
-
-variable tfe_organizations {
- default = {}
-}
-
-variable tfe_workspaces {
- default = {}
-}
-
-variable tfe_variables {
- default = {}
-}
-
-variable tfe_servers {
- default = {}
-}
-
-variable tfe_agents {
- default = {}
-}
\ No newline at end of file
diff --git a/landingzones/caf_launchpad/landingzone.tf b/landingzones/caf_launchpad/landingzone.tf
deleted file mode 100644
index 762a46947..000000000
--- a/landingzones/caf_launchpad/landingzone.tf
+++ /dev/null
@@ -1,48 +0,0 @@
-module "launchpad" {
- source = "aztfmod/caf/azurerm"
- version = "~>5.2.0"
-
- current_landingzone_key = var.landingzone.key
- tenant_id = var.tenant_id
- tags = local.tags
- global_settings = local.global_settings
- enable = var.enable
- logged_user_objectId = var.logged_user_objectId
- logged_aad_app_objectId = var.logged_aad_app_objectId
- user_type = var.user_type
- log_analytics = var.log_analytics
- diagnostics = {
- diagnostics_definition = var.diagnostics_definition
- diagnostics_destinations = var.diagnostics_destinations
- diagnostic_event_hub_namespaces = var.diagnostic_event_hub_namespaces
- diagnostic_log_analytics = var.diagnostic_log_analytics
- diagnostic_storage_accounts = var.diagnostic_storage_accounts
- }
- event_hub_namespaces = var.event_hub_namespaces
- resource_groups = var.resource_groups
- keyvaults = var.keyvaults
- keyvault_access_policies = var.keyvault_access_policies
- keyvault_access_policies_azuread_apps = var.keyvault_access_policies_azuread_apps
- subscriptions = var.subscriptions
- compute = {
- virtual_machines = var.virtual_machines
- bastion_hosts = var.bastion_hosts
- }
- networking = {
- vnets = var.vnets
- network_security_group_definition = var.network_security_group_definition
- public_ip_addresses = var.public_ip_addresses
- azurerm_routes = var.azurerm_routes
- route_tables = var.route_tables
- }
- storage_accounts = var.storage_accounts
- # diagnostic_storage_accounts = var.diagnostic_storage_accounts
- azuread_apps = var.azuread_apps
- azuread_api_permissions = var.azuread_api_permissions
- azuread_groups = var.azuread_groups
- azuread_roles = var.azuread_roles
- azuread_users = var.azuread_users
- managed_identities = var.managed_identities
- custom_role_definitions = var.custom_role_definitions
- role_mapping = var.role_mapping
-}
diff --git a/landingzones/caf_launchpad/output.tf b/landingzones/caf_launchpad/output.tf
deleted file mode 100644
index cd0c82677..000000000
--- a/landingzones/caf_launchpad/output.tf
+++ /dev/null
@@ -1,66 +0,0 @@
-output global_settings {
- value = local.global_settings
- sensitive = true
-}
-
-output diagnostics {
- value = module.launchpad.diagnostics
- sensitive = true
-}
-
-# TODO: candidate to deprecation in 2101
-# output networking {
-# value = map(
-# var.landingzone.key,
-# map(
-# "vnets", module.launchpad.vnets
-# )
-# )
-# sensitive = true
-# description = "[WARNING] deprecated. Use vnets from 0.4"
-# }
-
-output vnets {
- value = tomap({
- (var.landingzone.key) = module.launchpad.vnets
- })
- sensitive = true
-}
-
-output tfstates {
- value = local.tfstates
- sensitive = true
-}
-
-output backend_type {
- value = var.landingzone.backend_type
- sensitive = true
-}
-
-output keyvaults {
- value = tomap({
- (var.landingzone.key) = module.launchpad.keyvaults
- })
- sensitive = true
-}
-
-output managed_identities {
- value = tomap({
- (var.landingzone.key) = module.launchpad.managed_identities
- })
- sensitive = true
-}
-
-output aad_apps {
- value = tomap({
- (var.landingzone.key) = module.launchpad.aad_apps
- })
- sensitive = true
-}
-
-output azuread_groups {
- value = tomap({
- (var.landingzone.key) = module.launchpad.azuread_groups
- })
- sensitive = true
-}
diff --git a/landingzones/caf_networking/documentation/img/100-single-region-hub.png b/landingzones/caf_networking/documentation/img/100-single-region-hub.png
deleted file mode 100644
index 48aac6a45..000000000
Binary files a/landingzones/caf_networking/documentation/img/100-single-region-hub.png and /dev/null differ
diff --git a/landingzones/caf_networking/documentation/img/101-multi-region-hub.png b/landingzones/caf_networking/documentation/img/101-multi-region-hub.png
deleted file mode 100644
index 48f2cd59d..000000000
Binary files a/landingzones/caf_networking/documentation/img/101-multi-region-hub.png and /dev/null differ
diff --git a/landingzones/caf_networking/documentation/img/105-hub-and-spoke.png b/landingzones/caf_networking/documentation/img/105-hub-and-spoke.png
deleted file mode 100644
index 93a665fd2..000000000
Binary files a/landingzones/caf_networking/documentation/img/105-hub-and-spoke.png and /dev/null differ
diff --git a/landingzones/caf_networking/documentation/img/106-hub-virtual-wan-firewall.png b/landingzones/caf_networking/documentation/img/106-hub-virtual-wan-firewall.png
deleted file mode 100644
index 021a80d9d..000000000
Binary files a/landingzones/caf_networking/documentation/img/106-hub-virtual-wan-firewall.png and /dev/null differ
diff --git a/landingzones/caf_networking/landingzone.tf b/landingzones/caf_networking/landingzone.tf
deleted file mode 100644
index 98de51c99..000000000
--- a/landingzones/caf_networking/landingzone.tf
+++ /dev/null
@@ -1,62 +0,0 @@ -module "networking" { - source = "aztfmod/caf/azurerm" - version = "~>5.2.0" - - current_landingzone_key = var.landingzone.key - tags = local.tags - diagnostics = local.diagnostics - global_settings = local.global_settings - tfstates = local.tfstates - tenant_id = var.tenant_id - logged_user_objectId = var.logged_user_objectId - logged_aad_app_objectId = var.logged_aad_app_objectId - resource_groups = var.resource_groups - keyvaults = var.keyvaults - keyvault_access_policies = var.keyvault_access_policies - networking = { - application_gateway_applications = var.application_gateway_applications - application_gateways = var.application_gateways - azurerm_firewall_application_rule_collection_definition = var.azurerm_firewall_application_rule_collection_definition - azurerm_firewall_nat_rule_collection_definition = var.azurerm_firewall_nat_rule_collection_definition - azurerm_firewall_network_rule_collection_definition = var.azurerm_firewall_network_rule_collection_definition - azurerm_firewalls = var.azurerm_firewalls - azurerm_routes = var.azurerm_routes - ddos_services = var.ddos_services - dns_zone_records = var.dns_zone_records - dns_zones = var.dns_zones - express_route_circuit_authorizations = var.express_route_circuit_authorizations - express_route_circuits = var.express_route_circuits - network_security_group_definition = var.network_security_group_definition - private_dns = var.private_dns - private_endpoints = var.private_endpoints - public_ip_addresses = var.public_ip_addresses - load_balancers = var.load_balancers - route_tables = var.route_tables - vhub_peerings = var.vhub_peerings - virtual_network_gateways = var.virtual_network_gateways - virtual_wans = var.virtual_wans - vnet_peerings = var.vnet_peerings - vnets = var.vnets - } - compute = { - azure_container_registries = var.azure_container_registries - bastion_hosts = var.bastion_hosts - virtual_machines = var.virtual_machines - } - storage_accounts = var.storage_accounts - 
managed_identities = var.managed_identities - - remote_objects = { - application_gateway_applications = local.remote.application_gateway_applications - application_gateways = local.remote.application_gateways - azuread_groups = local.remote.azuread_groups - azurerm_firewalls = local.remote.azurerm_firewalls - keyvaults = local.remote.keyvaults - managed_identities = local.remote.managed_identities - private_dns = local.remote.private_dns - public_ip_addresses = local.remote.public_ip_addresses - virtual_wans = local.remote.virtual_wans - vnets = local.remote.vnets - } - -} diff --git a/landingzones/caf_networking/locals.remote_tfstates.tf b/landingzones/caf_networking/locals.remote_tfstates.tf deleted file mode 100644 index 9f3734742..000000000 --- a/landingzones/caf_networking/locals.remote_tfstates.tf +++ /dev/null 
@@ -1,91 +0,0 @@ -locals { - landingzone = { - current = { - storage_account_name = var.tfstate_storage_account_name - container_name = var.tfstate_container_name - resource_group_name = var.tfstate_resource_group_name - } - lower = { - storage_account_name = var.lower_storage_account_name - container_name = var.lower_container_name - resource_group_name = var.lower_resource_group_name - } - } -} - -data "terraform_remote_state" "remote" { - for_each = try(var.landingzone.tfstates, {}) - - backend = var.landingzone.backend_type - config = { - storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name - container_name = local.landingzone[try(each.value.level, "current")].container_name - resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name - subscription_id = var.tfstate_subscription_id - key = each.value.tfstate - } -} - -locals { - landingzone_tag = { - "landingzone" = var.landingzone.key - } - - tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags) - - global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings - - diagnostics = { - diagnostics_definition = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition) - diagnostics_destinations = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations - storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts - log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics - event_hub_namespaces = 
data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces - } - - - remote = { - managed_identities = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.managed_identities[key], {})) - } - azuread_groups = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_groups[key], {})) - } - vnets = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.vnets[key], {})) - } - azurerm_firewalls = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azurerm_firewalls[key], {})) - } - virtual_wans = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.virtual_wans[key], {})) - } - private_dns = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.private_dns[key], {})) - } - application_gateways = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.application_gateways[key], {})) - } - application_gateway_applications = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.application_gateway_applications[key], {})) - } - public_ip_addresses = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.public_ip_addresses[key], {})) - } - keyvaults = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.keyvaults[key], {})) - } - } - - - combined = { - vnets = merge(local.remote.vnets, map(var.landingzone.key, module.networking.vnets)) - 
azurerm_firewalls = merge(local.remote.azurerm_firewalls, map(var.landingzone.key, module.networking.azurerm_firewalls)) - public_ip_addresses = merge(local.remote.public_ip_addresses, map(var.landingzone.key, module.networking.public_ip_addresses)) - virtual_wans = merge(local.remote.virtual_wans, map(var.landingzone.key, module.networking.virtual_wans)) - private_dns = merge(local.remote.private_dns, map(var.landingzone.key, module.networking.private_dns)) - application_gateways = merge(local.remote.application_gateways, map(var.landingzone.key, module.networking.application_gateways)) - application_gateway_applications = merge(local.remote.application_gateway_applications, map(var.landingzone.key, module.networking.application_gateway_applications)) - } - -} diff --git a/landingzones/caf_networking/output.tf b/landingzones/caf_networking/output.tf deleted file mode 100644 index 8a177ac7f..000000000 --- a/landingzones/caf_networking/output.tf +++ /dev/null 
@@ -1,58 +0,0 @@ -output diagnostics { - value = module.networking.diagnostics - sensitive = true -} - -output tfstates { - value = local.tfstates - sensitive = true -} - -output vnets { - value = local.combined.vnets - sensitive = true -} - -output azurerm_firewalls { - value = local.combined.azurerm_firewalls - sensitive = true -} - -output virtual_wans { - value = local.combined.virtual_wans - sensitive = true - description = "Virtual WAN output" -} - -output private_dns { - value = local.combined.private_dns - sensitive = true -} - -output application_gateways { - value = local.combined.application_gateways - sensitive = true -} - -output application_gateway_applications { - value = local.combined.application_gateway_applications - sensitive = true -} - -output public_ip_addresses { - value = local.combined.public_ip_addresses - sensitive = true -} - -output managed_identities { - value = local.remote.managed_identities - sensitive = true -} -output azuread_groups { - value = local.remote.azuread_groups - sensitive = true -} -output express_route_circuits { - value = module.networking.express_route_circuits - sensitive = false -} diff --git a/landingzones/caf_networking/readme.md b/landingzones/caf_networking/readme.md deleted file mode 100644 index cccb1a695..000000000 --- a/landingzones/caf_networking/readme.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Cloud Adoption Framework for Azure - Landing zones on Terraform - Networking - -The networking landing zone allows you to deploy most networking topologies on Microsoft Azure. The same landing zone used with different parameters should allow you to deploy most network configurations. - -* Hub and spoke -* Virtual WAN -* Application DMZ scenario -* Any custom network topology based on virtual networks or virtual WAN -* Library of network security groups definition - -Networking landing zone operates at **level 2**. - -For a review of the hierarchy approach of Cloud Adoption Framework for Azure landing zones on Terraform, you can refer to [the following documentation](../../documentation/code_architecture/hierarchy.md). - -## Getting started with networking examples - -Depending on the networking scenario and topology, we provide you with different examples ready to use: - -| level | scenario | -|-------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------| -| [100-single-region-hub](./scenario/100-single-region-hub) | Simple hub in one region | -| [101-multi-region-hub](./scenario/101-multi-region-hub) | Two hubs in different regions with peering | -| [105-hub-and-spoke](./scenario/105-hub-and-spoke) | Hub and spoke topology in one region | -| [106-hub-virtual-wan-firewall](./scenario/106-hub-virtual-wan-firewall) | Azure Virtual WAN topology with virtual hub in multiple regions, optional support for Azure Firewall manager | -| [200-single-region-hub](./scenario/200-single-region-hub) | Simple hub in one region, with diagnostics | -| [201-multi-region-hub](./scenario/201-multi-region-hub) | Two hubs in different regions with peering, with diagnostics | -| [210-aks-private](./scenario/210-aks-private) | Hub and spoke topology in one region, with diagnostics | - -## Deploying CAF networking - -Once you have picked a scenario 
for test, you can deploy it using: - -```bash -rover -lz /tf/caf/public/landingzones/caf_networking \ - -level level2 \ - -var-folder /tf/caf/public/landingzones/caf_networking/scenario/100-single-region-hub \ - -a apply - -# If the tfstates are stored in a different subscription you need to execute the following command -rover -lz /tf/caf/public/landingzones/caf_networking \ - -tfstate_subscription_id \ - -level level2 \ - -var-folder /tf/caf/public/landingzones/caf_networking/scenario/100-single-region-hub \ - -a apply -``` diff --git a/landingzones/caf_networking/variables.tf b/landingzones/caf_networking/variables.tf deleted file mode 100644 index 3d450ce15..000000000 --- a/landingzones/caf_networking/variables.tf +++ /dev/null 
@@ -1,147 +0,0 @@ -# Map of the remote data state for lower level -variable lower_storage_account_name {} -variable lower_container_name {} -variable lower_resource_group_name {} - -variable tfstate_subscription_id { - description = "This value is propulated by the rover. subscription id hosting the remote tfstates" -} -variable tfstate_storage_account_name {} -variable tfstate_container_name {} -variable tfstate_key {} -variable tfstate_resource_group_name {} - -variable landingzone { - default = { - backend_type = "azurerm" - current = { - level = "level2" - key = "networking_hub" - } - lower = { - foundations = { - tfstate = "caf_foundations.tfstate" - } - networking = { - foundations = { - tfstate = "caf_foundations.tfstate" - } - } - } - } -} -variable tenant_id {} - -variable global_settings { - default = {} -} -variable rover_version {} -variable logged_user_objectId { - default = null -} -variable logged_aad_app_objectId { - default = null -} -variable tags { - type = map - default = {} -} -variable diagnostics_definition { - default = null -} -variable resource_groups { - default = {} -} -variable vnets { - default = {} -} -variable virtual_wans { - default = {} -} -variable public_ip_addresses { - default = {} -} -variable vnet_peerings { - default = {} -} -variable vhub_peerings { - default = {} -} -variable azurerm_firewalls { - default = {} -} -variable network_security_group_definition { - default = null -} -variable route_tables { - default = {} -} -variable azurerm_routes { - default = {} -} -variable storage_accounts { - default = {} -} -variable virtual_machines { - default = {} -} -variable managed_identities { - default = {} -} -variable azurerm_firewall_network_rule_collection_definition { - default = {} -} -variable azurerm_firewall_application_rule_collection_definition { - default = {} -} -variable azurerm_firewall_nat_rule_collection_definition { - default = {} -} -variable azure_container_registries { - default = {} -} -variable 
bastion_hosts { - default = {} -} -variable ddos_services { - default = {} -} -variable private_dns { - default = {} -} -variable application_gateways { - default = {} -} -variable application_gateway_applications { - default = {} -} -variable keyvaults { - default = {} -} -variable keyvault_access_policies { - default = {} -} -variable express_route_circuits { - default = {} -} -variable express_route_circuit_authorizations { - default = {} -} -variable network_watchers { - default = {} -} -variable private_endpoints { - default = {} -} -variable dns_zones { - default = {} -} -variable dns_zone_records { - default = {} -} -variable virtual_network_gateways { - default = {} -} -variable load_balancers { - default = {} -} \ No newline at end of file diff --git a/landingzones/caf_shared_services/landingzone.tf b/landingzones/caf_shared_services/landingzone.tf deleted file mode 100644 index a0ff8c94e..000000000 --- a/landingzones/caf_shared_services/landingzone.tf +++ /dev/null @@ -1,30 +0,0 @@ -module "landingzones_shared_services" { - source = "aztfmod/caf/azurerm" - version = "~>5.2.0" - - current_landingzone_key = var.landingzone.key - tenant_id = var.tenant_id - tags = local.tags - diagnostics = local.diagnostics - global_settings = local.global_settings - tfstates = local.tfstates - logged_user_objectId = var.logged_user_objectId - logged_aad_app_objectId = var.logged_aad_app_objectId - resource_groups = var.resource_groups - - shared_services = { - recovery_vaults = var.recovery_vaults - automations = var.automations - } - - compute = { - virtual_machines = var.virtual_machines - } - - # Pass the remote objects you need to connect to. - remote_objects = { - vnets = local.remote.vnets - keyvaults = local.remote.keyvaults - recovery_vaults = local.remote.recovery_vaults - } -} \ No newline at end of file 
diff --git a/landingzones/caf_shared_services/locals.remote_tfstates.tf b/landingzones/caf_shared_services/locals.remote_tfstates.tf deleted file mode 100644 index 67a09aa26..000000000 --- a/landingzones/caf_shared_services/locals.remote_tfstates.tf +++ /dev/null 
@@ -1,65 +0,0 @@ -locals { - landingzone = { - current = { - storage_account_name = var.tfstate_storage_account_name - container_name = var.tfstate_container_name - resource_group_name = var.tfstate_resource_group_name - } - lower = { - storage_account_name = var.lower_storage_account_name - container_name = var.lower_container_name - resource_group_name = var.lower_resource_group_name - } - } -} - -data "terraform_remote_state" "remote" { - for_each = try(var.landingzone.tfstates, {}) - - backend = var.landingzone.backend_type - config = { - storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name - container_name = local.landingzone[try(each.value.level, "current")].container_name - resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name - subscription_id = var.tfstate_subscription_id - key = each.value.tfstate - } -} - -locals { - landingzone_tag = { - "landingzone" = var.landingzone.key - } - - tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags) - - global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings - - diagnostics = { - diagnostics_definition = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition) - diagnostics_destinations = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations - storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts - log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics - event_hub_namespaces = 
data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces - } - - - - remote = { - managed_identities = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.managed_identities[key], {})) - } - azuread_groups = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_groups[key], {})) - } - vnets = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.vnets[key], {})) - } - keyvaults = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.keyvaults[key], {})) - } - recovery_vaults = { - for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.recovery_vaults[key], {})) - } - } -} diff --git a/landingzones/caf_shared_services/main.tf b/landingzones/caf_shared_services/main.tf deleted file mode 100644 index abdc1b7f0..000000000 --- a/landingzones/caf_shared_services/main.tf +++ /dev/null 
@@ -1,66 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.43" - } - azuread = { - source = "hashicorp/azuread" - version = "~> 1.0.0" - } - random = { - source = "hashicorp/random" - version = "~> 2.2.1" - } - external = { - source = "hashicorp/external" - version = "~> 1.2.0" - } - null = { - source = "hashicorp/null" - version = "~> 2.1.0" - } - tls = { - source = "hashicorp/tls" - version = "~> 2.2.0" - } - azurecaf = { - source = "aztfmod/azurecaf" - version = "~> 1.2.0" - } - } - required_version = ">= 0.13" -} - - -provider "azurerm" { - features { - key_vault { - purge_soft_delete_on_destroy = true - } - } -} - -data "azurerm_client_config" "current" {} - - -locals { - - # Update the tfstates map - tfstates = merge( - map(var.landingzone.key, - map( - "storage_account_name", var.tfstate_storage_account_name, - "container_name", var.tfstate_container_name, - "resource_group_name", var.tfstate_resource_group_name, - "key", var.tfstate_key, - "level", var.landingzone.level, - "tenant_id", var.tenant_id, - "subscription_id", data.azurerm_client_config.current.subscription_id - ) - ) - , - data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.tfstates - ) - -} \ No newline at end of file diff --git a/landingzones/caf_shared_services/output.tf b/landingzones/caf_shared_services/output.tf deleted file mode 100644 index 2a9e22029..000000000 --- a/landingzones/caf_shared_services/output.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -output global_settings { - value = local.global_settings - sensitive = true -} - -output diagnostics { - value = local.diagnostics - sensitive = true -} - -output tfstates { - value = local.tfstates - sensitive = true -} - -output managed_identities { - value = local.remote.managed_identities - sensitive = true -} -output azuread_groups { - value = local.remote.azuread_groups - sensitive = true -} - -output recovery_vaults { - value = tomap({ - (var.landingzone.key) = module.landingzones_shared_services.recovery_vaults - }) -} \ No newline at end of file diff --git a/landingzones/caf_shared_services/readme.md b/landingzones/caf_shared_services/readme.md deleted file mode 100644 index c87bf6d35..000000000 --- a/landingzones/caf_shared_services/readme.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# Cloud Adoption Framework for Azure - Landing zones on Terraform - Shared services - -The Shared services landing zone allows you to management components on Microsoft Azure, typically: - -* Monitoring -* Azure Site Recovery -* Azure Backup -* Azure Automation - -Shared services landing zone operates at **level 2**. - -It is **important** to deploy shared services landing zone, even in passthrough mode as it will export some shared parameters and settings from level1 landing zones. - -For a review of the hierarchy approach of Cloud Adoption Framework for Azure landing zones on Terraform, you can refer to [the following documentation](../../documentation/code_architecture/hierarchy.md). - -## Deploying shared services - -By default, the content of this landing zone is empty unless you specify a configuration file to enable it. - -```bash -rover -lz /tf/caf/public/landingzones/caf_shared_services \ --level level2 \ --a apply -``` - -You can deploy an example with Azure Site Recovery configuration and Automation: - -```bash -rover -lz /tf/caf/public/landingzones/caf_shared_services \ - -level level2 \ - -var-folder /tf/caf/public/landingzones/caf_shared_services/scenario/100 \ - -a apply - -# If the tfstates are stored in a different subscription you need to execute the following command -rover -lz /tf/caf/public/landingzones/caf_shared_services \ - -tfstate_subscription_id \ - -level level2 \ - -var-folder /tf/caf/public/landingzones/caf_shared_services/scenario/100 \ - -a apply -``` diff --git a/landingzones/caf_shared_services/variables.tf b/landingzones/caf_shared_services/variables.tf deleted file mode 100644 index 32e251869..000000000 --- a/landingzones/caf_shared_services/variables.tf +++ /dev/null 
@@ -1,71 +0,0 @@ -# Map of the remote data state for lower level -variable lower_storage_account_name {} -variable lower_container_name {} -variable lower_resource_group_name {} - -variable tfstate_storage_account_name {} -variable tfstate_container_name {} -variable tfstate_key {} -variable tfstate_resource_group_name {} - -variable tfstate_subscription_id { - description = "This value is propulated by the rover. subscription id hosting the remote tfstates" -} - -variable landingzone { - default = { - backend_type = "azurerm" - level = "level2" - global_settings_key = "foundations" - key = "shared_services" - tfstates = { - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - foundations = { - level = "lower" - tfstate = "caf_foundations.tfstate" - } - } - } -} -variable tenant_id {} -variable global_settings { - default = {} -} -variable rover_version {} -variable logged_user_objectId { - default = null -} -variable logged_aad_app_objectId { - default = null -} -variable tags { - type = map - default = {} -} -variable diagnostics_definition { - default = {} -} -variable resource_groups { - default = {} -} -variable automations { - default = {} -} -variable recovery_vaults { - default = {} -} -variable replicated_vms { - default = {} -} -variable network_mappings { - default = {} -} -variable diagnostic_storage_accounts { - default = {} -} -variable virtual_machines { - default = {} -} \ No newline at end of file diff --git a/landingzones/caf_shared_services/vm_extensions.tf b/landingzones/caf_shared_services/vm_extensions.tf deleted file mode 100644 index 838e39926..000000000 --- a/landingzones/caf_shared_services/vm_extensions.tf +++ /dev/null 
@@ -1,42 +0,0 @@ -# -# microsoft_enterprise_cloud_monitoring - Install the monitoring agent in the virtual machine -# - - -module "vm_extension_monitoring_agent" { - source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "~>5.2.0" - - for_each = { - for key, value in try(var.virtual_machines, {}) : key => value - if try(value.virtual_machine_extensions.microsoft_enterprise_cloud_monitoring, null) != null - } - - client_config = module.landingzones_shared_services.client_config - virtual_machine_id = module.landingzones_shared_services.virtual_machines[each.key].id - extension = each.value.virtual_machine_extensions.microsoft_enterprise_cloud_monitoring - extension_name = "microsoft_enterprise_cloud_monitoring" - settings = { - diagnostics = local.diagnostics - } -} - -module "vm_extension_diagnostics" { - source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "~>5.2.0" - - for_each = { - for key, value in try(var.virtual_machines, {}) : key => value - if try(value.virtual_machine_extensions.microsoft_azure_diagnostics, null) != null - } - - client_config = module.landingzones_shared_services.client_config - virtual_machine_id = module.landingzones_shared_services.virtual_machines[each.key].id - extension = each.value.virtual_machine_extensions.microsoft_azure_diagnostics - extension_name = "microsoft_azure_diagnostics" - settings = { - diagnostics = local.diagnostics - xml_diagnostics_file = try(each.value.virtual_machine_extensions.microsoft_azure_diagnostics.xml_diagnostics_file, null) - diagnostics_storage_account_keys = each.value.virtual_machine_extensions.microsoft_azure_diagnostics.diagnostics_storage_account_keys - } -} diff --git a/landingzones/caf_solutions/add-ons/aks_applications/app/variables.tf b/landingzones/caf_solutions/add-ons/aks_applications/app/variables.tf deleted file mode 100644 index ee6af89a5..000000000 
--- a/landingzones/caf_solutions/add-ons/aks_applications/app/variables.tf +++ /dev/null @@ -1,5 +0,0 @@ -variable cluster {} - -variable namespaces {} - -variable helm_charts {} \ No newline at end of file diff --git a/landingzones/caf_solutions/add-ons/aks_applications/variables.tf b/landingzones/caf_solutions/add-ons/aks_applications/variables.tf deleted file mode 100644 index 97a3e84dc..000000000 --- a/landingzones/caf_solutions/add-ons/aks_applications/variables.tf +++ /dev/null @@ -1,36 +0,0 @@ -# Map of the remote data state for lower level -variable lower_storage_account_name {} -variable lower_container_name {} -variable lower_resource_group_name {} - -variable tfstate_storage_account_name {} -variable tfstate_container_name {} -variable tfstate_resource_group_name {} -# variable tfstate_key {} - -variable global_settings { - default = {} -} - -# variable tenant_id {} -variable landingzone {} - -variable namespaces {} - -variable tags { - default = null - type = map -} - -variable helm_charts {} - -variable rover_version { - default = null -} - -variable cluster_re1_key { - default = null -} -variable cluster_re2_key { - default = null -} \ No newline at end of file diff --git a/landingzones/caf_solutions/add-ons/databricks/variables.tf b/landingzones/caf_solutions/add-ons/databricks/variables.tf deleted file mode 100644 index 1523ef38c..000000000 --- a/landingzones/caf_solutions/add-ons/databricks/variables.tf +++ /dev/null 
@@ -1,115 +0,0 @@ -# Map of the remote data state for lower level -variable lower_storage_account_name {} -variable lower_container_name {} -variable lower_resource_group_name {} - -variable tfstate_storage_account_name {} -variable tfstate_container_name {} -variable tfstate_key {} -variable tfstate_resource_group_name {} - -variable global_settings { - default = {} -} - -variable landingzone { - default = "" -} - -variable environment { - default = "sandpit" -} -variable rover_version { - default = null -} -variable max_length { - default = 40 -} -variable logged_user_objectId { - default = null -} -variable logged_aad_app_objectId { - default = null -} -variable tags { - default = null - type = map -} -variable app_service_environments { - default = {} -} -variable app_service_plans { - default = {} -} -variable app_services { - default = {} -} -variable diagnostics_definition { - default = null -} -variable resource_groups { - default = null -} -variable network_security_group_definition { - default = null -} -variable vnets { - default = {} -} -variable azurerm_redis_caches { - default = {} -} -variable mssql_servers { - default = {} -} -variable storage_accounts { - default = {} -} -variable azuread_groups { - default = {} -} -variable keyvaults { - default = {} -} -variable keyvault_access_policies { - default = {} -} -variable virtual_machines { - default = {} -} -variable azure_container_registries { - default = {} -} -variable bastion_hosts { - default = {} -} -variable public_ip_addresses { - default = {} -} -variable diagnostic_storage_accounts { - default = {} -} -variable managed_identities { - default = {} -} -variable private_dns { - default = {} -} -variable synapse_workspaces { - default = {} -} -variable azurerm_application_insights { - default = {} -} -variable role_mapping { - default = {} -} -variable aks_clusters { - default = {} -} -variable databricks_workspaces { - default = {} -} -variable databricks { - default = {} -} 
diff --git a/landingzones/caf_solutions/dynamic_secrets.tf b/landingzones/caf_solutions/dynamic_secrets.tf deleted file mode 100644 index d026418de..000000000 --- a/landingzones/caf_solutions/dynamic_secrets.tf +++ /dev/null @@ -1,10 +0,0 @@ -module dynamic_keyvault_secrets { - source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets" - version = "~>5.2.0" - - for_each = try(var.dynamic_keyvault_secrets, {}) - - settings = each.value - keyvault = module.caf.keyvaults[each.key] - objects = module.caf -} \ No newline at end of file diff --git a/landingzones/caf_solutions/landingzone.tf b/landingzones/caf_solutions/landingzone.tf deleted file mode 100644 index 06d1a28e5..000000000 --- a/landingzones/caf_solutions/landingzone.tf +++ /dev/null 
@@ -1,139 +0,0 @@
-module "caf" {
- source = "aztfmod/caf/azurerm"
- version = "~>5.2.0"
-
- azuread_api_permissions = var.azuread_api_permissions
- azuread_apps = var.azuread_apps
- azuread_groups = var.azuread_groups
- azuread_roles = var.azuread_roles
- azuread_users = var.azuread_users
- current_landingzone_key = var.landingzone.key
- custom_role_definitions = var.custom_role_definitions
- diagnostics = local.diagnostics
- event_hub_namespaces = var.event_hub_namespaces
- global_settings = local.global_settings
- keyvault_access_policies = var.keyvault_access_policies
- keyvault_certificate_issuers = var.keyvault_certificate_issuers
- keyvaults = var.keyvaults
- log_analytics = var.log_analytics
- logged_aad_app_objectId = var.logged_aad_app_objectId
- logged_user_objectId = var.logged_user_objectId
- managed_identities = var.managed_identities
- resource_groups = var.resource_groups
- role_mapping = var.role_mapping
- storage_accounts = var.storage_accounts
- tags = local.tags
- tenant_id = var.tenant_id
- tfstates = local.tfstates
- user_type = var.user_type
-
- compute = {
- aks_clusters = var.aks_clusters
- availability_sets = var.availability_sets
- azure_container_registries = var.azure_container_registries
- bastion_hosts = var.bastion_hosts
- proximity_placement_groups = var.proximity_placement_groups
- virtual_machines = var.virtual_machines
- }
-
- database = {
- azurerm_redis_caches = var.azurerm_redis_caches
- cosmos_dbs = var.cosmos_dbs
- databricks_workspaces = var.databricks_workspaces
- machine_learning_workspaces = var.machine_learning_workspaces
- mariadb_servers = var.mariadb_servers
- mssql_databases = var.mssql_databases
- mssql_elastic_pools = var.mssql_elastic_pools
- mssql_failover_groups = var.mssql_failover_groups
- mssql_managed_databases = var.mssql_managed_databases
- mssql_managed_databases_restore = var.mssql_managed_databases_restore
- mssql_managed_instances = var.mssql_managed_instances
- mssql_managed_instances_secondary = var.mssql_managed_instances_secondary
- mssql_mi_administrators = var.mssql_mi_administrators
- mssql_mi_failover_groups = var.mssql_mi_failover_groups
- mssql_servers = var.mssql_servers
- mysql_servers = var.mysql_servers
- postgresql_servers = var.postgresql_servers
- synapse_workspaces = var.synapse_workspaces
- }
-
- networking = {
- application_gateway_applications = var.application_gateway_applications
- application_gateways = var.application_gateways
- azurerm_routes = var.azurerm_routes
- dns_zone_records = var.dns_zone_records
- dns_zones = var.dns_zones
- domain_name_registrations = var.domain_name_registrations
- express_route_circuit_authorizations = var.express_route_circuit_authorizations
- express_route_circuits = var.express_route_circuits
- front_door_waf_policies = var.front_door_waf_policies
- front_doors = var.front_doors
- load_balancers = var.load_balancers
- local_network_gateways = var.local_network_gateways
- network_security_group_definition = var.network_security_group_definition
- network_watchers = var.network_watchers
- private_dns = var.private_dns
- private_endpoints = var.private_endpoints
- public_ip_addresses = var.public_ip_addresses
- route_tables = var.route_tables
- virtual_network_gateway_connections = var.virtual_network_gateway_connections
- virtual_network_gateways = var.virtual_network_gateways
- virtual_wans = var.virtual_wans
- vnet_peerings = var.vnet_peerings
- vnets = var.vnets
- }
-
- remote_objects = {
- aks_clusters = local.remote.aks_clusters
- app_service_environments = local.remote.app_service_environments
- app_service_plans = local.remote.app_service_plans
- app_services = local.remote.app_services
- application_gateway_applications = local.remote.application_gateway_applications
- application_gateways = local.remote.application_gateways
- availability_sets = local.remote.availability_sets
- azuread_applications = local.remote.azuread_applications
- azuread_groups = local.remote.azuread_groups
- azuread_users = local.remote.azuread_users
- azurerm_firewalls = local.remote.azurerm_firewalls
- container_registry = local.remote.container_registry
- event_hub_namespaces = local.remote.event_hub_namespaces
- front_door_waf_policies = local.remote.front_door_waf_policies
- keyvaults = local.remote.keyvaults
- managed_identities = local.remote.managed_identities
- mssql_databases = local.remote.mssql_databases
- mssql_elastic_pools = local.remote.mssql_elastic_pools
- mssql_managed_databases = local.remote.mssql_managed_databases
- mssql_managed_instances = local.remote.mssql_managed_instances
- mssql_servers = local.remote.mssql_servers
- mysql_servers = local.remote.mysql_servers
- network_watchers = local.remote.network_watchers
- postgresql_servers = local.remote.postgresql_servers
- private_dns = local.remote.private_dns
- proximity_placement_groups = local.remote.proximity_placement_groups
- public_ip_addresses = local.remote.public_ip_addresses
- recovery_vaults = local.remote.recovery_vaults
- resource_groups = local.remote.resource_groups
- storage_accounts = local.remote.storage_accounts
- synapse_workspaces = local.remote.synapse_workspaces
- vnets = local.remote.vnets
- }
-
- security = {
- keyvault_certificate_issuers = var.keyvault_certificate_issuers
- keyvault_certificate_requests = var.keyvault_certificate_requests
- keyvault_certificates = var.keyvault_certificates
- keyvault_keys = var.keyvault_keys
- }
-
- shared_services = {
- monitoring = var.monitoring
- recovery_vaults = var.recovery_vaults
- }
-
- webapp = {
- app_service_environments = var.app_service_environments
- app_service_plans = var.app_service_plans
- app_services = var.app_services
- azurerm_application_insights = var.azurerm_application_insights
- }
-}
diff --git a/landingzones/caf_solutions/locals.remote_tfstates.tf b/landingzones/caf_solutions/locals.remote_tfstates.tf
deleted file mode 100644
index 96de17801..000000000
--- a/landingzones/caf_solutions/locals.remote_tfstates.tf
+++ /dev/null
@@ -1,158 +0,0 @@
-locals {
- landingzone = {
- current = {
- storage_account_name = var.tfstate_storage_account_name
- container_name = var.tfstate_container_name
- resource_group_name = var.tfstate_resource_group_name
- }
- lower = {
- storage_account_name = var.lower_storage_account_name
- container_name = var.lower_container_name
- resource_group_name = var.lower_resource_group_name
- }
- }
-}
-
-data "terraform_remote_state" "remote" {
- for_each = try(var.landingzone.tfstates, {})
-
- backend = var.landingzone.backend_type
- config = {
- storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
- container_name = local.landingzone[try(each.value.level, "current")].container_name
- resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name
- subscription_id = var.tfstate_subscription_id
- key = each.value.tfstate
- }
-}
-
-locals {
- landingzone_tag = {
- "landingzone" = var.landingzone.key
- }
-
- tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
-
- global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings
-
- diagnostics = {
- diagnostics_definition = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition)
- diagnostics_destinations = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations
- storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts
- log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics
- event_hub_namespaces = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces
- }
-
- remote = {
- aks_clusters = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.aks_clusters[key], {}))
- }
- app_service_environments = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.app_service_environments[key], {}))
- }
- app_service_plans = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.app_service_plans[key], {}))
- }
- app_services = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.app_services[key], {}))
- }
- application_gateway_applications = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.application_gateway_applications[key], {}))
- }
- application_gateways = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.application_gateways[key], {}))
- }
- availability_sets = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.availability_sets[key], {}))
- }
- azuread_applications = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_applications[key], {}))
- }
- azuread_groups = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_groups[key], {}))
- }
- azuread_users = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azuread_users[key], {}))
- }
- azurerm_firewalls = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.azurerm_firewalls[key], {}))
- }
- container_registry = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.container_registry[key], {}))
- }
- event_hub_namespaces = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.event_hub_namespaces[key], {}))
- }
- front_door_waf_policies = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.front_door_waf_policies[key], {}))
- }
- keyvaults = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.keyvaults[key], {}))
- }
- managed_identities = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.managed_identities[key], {}))
- }
- mssql_databases = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.mssql_databases[key], {}))
- }
- mssql_elastic_pools = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.mssql_elastic_pools[key], {}))
- }
- mssql_managed_databases = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.mssql_managed_databases[key], {}))
- }
- mssql_managed_instances = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.mssql_managed_instances[key], {}))
- }
- mssql_servers = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.mssql_servers[key], {}))
- }
- mysql_servers = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.mysql_servers[key], {}))
- }
- network_watchers = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.network_watchers[key], {}))
- }
- postgresql_servers = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.postgresql_servers[key], {}))
- }
- private_dns = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.private_dns[key], {}))
- }
- proximity_placement_groups = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.proximity_placement_groups[key], {}))
- }
- public_ip_addresses = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.public_ip_addresses[key], {}))
- }
- recovery_vaults = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.recovery_vaults[key], {}))
- }
- resource_groups = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.resource_groups[key], {}))
- }
- storage_accounts = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.storage_accounts[key], {}))
- }
- synapse_workspaces = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.synapse_workspaces[key], {}))
- }
- vnets = {
- for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.vnets[key], {}))
- }
- }
-
- combined = {
- app_service_environments = merge(local.remote.app_service_environments, tomap({ (var.landingzone.key) = module.caf.app_service_environments }))
- app_service_plans = merge(local.remote.app_service_plans, tomap({ (var.landingzone.key) = module.caf.app_service_plans }))
- app_services = merge(local.remote.app_services, tomap({ (var.landingzone.key) = module.caf.app_services }))
- application_gateway_applications = merge(local.remote.application_gateway_applications, tomap({ (var.landingzone.key) = module.caf.application_gateway_applications }))
- application_gateways = merge(local.remote.application_gateways, tomap({ (var.landingzone.key) = module.caf.application_gateways }))
- managed_identities = merge(local.remote.managed_identities, tomap({ (var.landingzone.key) = module.caf.managed_identities }))
- mssql_elastic_pools = merge(local.remote.mssql_elastic_pools, tomap({ (var.landingzone.key) = module.caf.mssql_elastic_pools }))
- mssql_servers = merge(local.remote.mssql_servers, tomap({ (var.landingzone.key) = module.caf.mssql_servers }))
- private_dns = merge(local.remote.private_dns, tomap({ (var.landingzone.key) = module.caf.private_dns }))
- public_ip_addresses = merge(local.remote.public_ip_addresses, tomap({ (var.landingzone.key) = module.caf.public_ip_addresses }))
- vnets = merge(local.remote.vnets, tomap({ (var.landingzone.key) = module.caf.vnets }))
- }
-}
diff --git a/landingzones/caf_solutions/main.tf b/landingzones/caf_solutions/main.tf
deleted file mode 100644
index 141e1ce9d..000000000
--- a/landingzones/caf_solutions/main.tf
+++ /dev/null
@@ -1,70 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 2.43"
- }
- azuread = {
- source = "hashicorp/azuread"
- version = "~> 1.0.0"
- }
- random = {
- source = "hashicorp/random"
- version = "~> 2.2.1"
- }
- external = {
- source = "hashicorp/external"
- version = "~> 1.2.0"
- }
- null = {
- source = "hashicorp/null"
- version = "~> 2.1.0"
- }
- tls = {
- source = "hashicorp/tls"
- version = "~> 2.2.0"
- }
- azurecaf = {
- source = "aztfmod/azurecaf"
- version = "~> 1.2.0"
- }
- databricks = {
- source = "databrickslabs/databricks"
- version = "~> 0.2.5"
- }
- }
- required_version = ">= 0.13"
-}
-
-
-provider "azurerm" {
- features {
- key_vault {
- purge_soft_delete_on_destroy = true
- }
- }
-}
-
-data "azurerm_client_config" "current" {}
-
-
-locals {
-
- # Update the tfstates map
- tfstates = merge(
- map(var.landingzone.key,
- map(
- "storage_account_name", var.tfstate_storage_account_name,
- "container_name", var.tfstate_container_name,
- "resource_group_name", var.tfstate_resource_group_name,
- "key", var.tfstate_key,
- "level", var.landingzone.level,
- "tenant_id", var.tenant_id,
- "subscription_id", data.azurerm_client_config.current.subscription_id
- )
- )
- ,
- data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.tfstates
- )
-
-}
\ No newline at end of file
diff --git a/landingzones/caf_solutions/modules/databricks/cluster.tf b/landingzones/caf_solutions/modules/databricks/cluster.tf
deleted file mode 100644
index 3a98fd219..000000000
--- a/landingzones/caf_solutions/modules/databricks/cluster.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "databricks_cluster" "cluster" {
- cluster_name = var.settings.name
- spark_version = data.databricks_spark_version.version.id
- node_type_id = var.settings.node_type_id
- autotermination_minutes = try(var.settings.autotermination_minutes, 120)
-
- dynamic "autoscale" {
- for_each = try(var.settings.autoscale, null) == null ? [] : [1]
-
- content {
- min_workers = try(var.settings.autoscale.min_workers, null)
- max_workers = try(var.settings.autoscale.max_workers, null)
- }
- }
-
-}
-
-data "databricks_spark_version" "version" {
- latest = try(var.settings.spark_version.latest, true)
- long_term_support = try(var.settings.spark_version.long_term_support, false)
- ml = try(var.settings.spark_version.ml, false)
- genomics = try(var.settings.spark_version.mlgenomics, false)
- gpu = try(var.settings.spark_version.gpu, false)
- scala = try(var.settings.spark_version.scala, "2.12")
- spark_version = try(var.settings.spark_version.spark_version, "3.0")
-}
\ No newline at end of file
diff --git a/landingzones/caf_solutions/modules/databricks/variables.tf b/landingzones/caf_solutions/modules/databricks/variables.tf
deleted file mode 100644
index 3f8e42ce5..000000000
--- a/landingzones/caf_solutions/modules/databricks/variables.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-variable azure_workspace_resource_id {
- default = {}
-}
-variable settings {}
\ No newline at end of file
diff --git a/landingzones/caf_solutions/output.tf b/landingzones/caf_solutions/output.tf
deleted file mode 100644
index a6bc22b2b..000000000
--- a/landingzones/caf_solutions/output.tf
+++ /dev/null
@@ -1,114 +0,0 @@
-#Core outputs
-output diagnostics {
- value = local.diagnostics
- sensitive = true
-}
-
-output tfstates {
- value = local.tfstates
- sensitive = true
-}
-
-output global_settings {
- value = local.global_settings
- sensitive = true
-}
-
-# ASE
-output app_service_environments {
- value = local.combined.app_service_environments
- sensitive = true
-}
-
-output app_service_plans {
- value = local.combined.app_service_plans
- sensitive = true
-}
-
-output app_services {
- value = local.combined.app_services
- sensitive = true
-}
-
-# DB
-output mssql_servers {
- value = local.combined.mssql_servers
- sensitive = true
-}
-
-output mssql_elastic_pools {
- value = local.combined.mssql_elastic_pools
- sensitive = true
-}
-
-output redis_caches {
- value = module.caf.redis_caches
- sensitive = true
-}
-
-output managed_identities {
- value = local.combined.managed_identities
- sensitive = true
-}
-
-output keyvaults {
- value = tomap({ (var.landingzone.key) = module.caf.keyvaults })
- sensitive = true
-}
-
-# App Gateways
-output application_gateways {
- value = local.combined.application_gateways
- sensitive = true
-}
-
-output application_gateway_applications {
- value = local.combined.application_gateway_applications
- sensitive = true
-}
-
-# DNS
-output private_dns {
- value = local.combined.private_dns
- sensitive = true
-}
-
-# Kubernetes related outputs
-output aks_clusters_kubeconfig {
- value = {
- for key, aks_cluster in module.caf.aks_clusters : key => {
- aks_kubeconfig_cmd = aks_cluster.aks_kubeconfig_cmd
- aks_kubeconfig_admin_cmd = aks_cluster.aks_kubeconfig_admin_cmd
- }
- }
- sensitive = false
-}
-
-output aks_clusters {
- value = tomap({ (var.landingzone.key) = module.caf.aks_clusters })
- sensitive = true
-}
-
-output virtual_machines {
- value = module.caf.virtual_machines
- sensitive = false
-}
-
-# Data and AI outputs
-output databricks_workspaces {
- value = tomap({ (var.landingzone.key) = module.caf.databricks_workspaces })
- sensitive = true
-}
-
-output machine_learning_workspaces {
- value = tomap({ (var.landingzone.key) = module.caf.machine_learning_workspaces })
- sensitive = true
-}
-
-output synapse_workspaces {
- value = tomap({ (var.landingzone.key) = module.caf.synapse_workspaces })
- sensitive = true
-}
-
-
-
diff --git a/landingzones/caf_solutions/variables.tf b/landingzones/caf_solutions/variables.tf
deleted file mode 100644
index 7d6273cb1..000000000
--- a/landingzones/caf_solutions/variables.tf
+++ /dev/null
@@ -1,272 +0,0 @@
-# Map of the remote data state for lower level
-variable lower_storage_account_name {}
-variable lower_container_name {}
-variable lower_resource_group_name {}
-
-variable tfstate_subscription_id {
- description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
-}
-variable tfstate_storage_account_name {}
-variable tfstate_container_name {}
-variable tfstate_key {}
-variable tfstate_resource_group_name {}
-
-variable landingzone {}
-variable tenant_id {}
-
-variable global_settings {
- default = {}
-}
-variable rover_version {
- default = null
-}
-variable logged_user_objectId {
- default = null
-}
-variable logged_aad_app_objectId {
- default = null
-}
-variable tags {
- type = map
- default = {}
-}
-variable resource_groups {
- default = {}
-}
-variable azurerm_redis_caches {
- default = {}
-}
-variable mssql_servers {
- default = {}
-}
-variable mssql_databases {
- default = {}
-}
-variable mssql_elastic_pools {
- default = {}
-}
-variable storage_accounts {
- default = {}
-}
-variable azuread_groups {
- default = {}
-}
-variable keyvaults {
- default = {}
-}
-variable keyvault_access_policies {
- default = {}
-}
-variable keyvault_certificates {
- default = {}
-}
-variable managed_identities {
- default = {}
-}
-variable azurerm_application_insights {
- default = {}
-}
-variable role_mapping {
- default = {}
-}
-variable custom_role_definitions {
- default = {}
-}
-variable dynamic_keyvault_secrets {
- default = {}
-}
-variable app_service_environments {
- default = {}
-}
-variable app_service_plans {
- default = {}
-}
-variable app_services {
- default = {}
-}
-variable diagnostics_definition {
- default = null
-}
-variable network_security_group_definition {
- default = null
-}
-variable route_tables {
- default = {}
-}
-variable azurerm_routes {
- default = {}
-}
-variable vnets {
- default = {}
-}
-variable mssql_managed_instances {
- default = {}
-}
-variable mssql_managed_instances_secondary {
- default = {}
-}
-
-variable mssql_managed_databases {
- default = {}
-}
-variable mssql_managed_databases_restore {
- default = {}
-}
-
-variable mariadb_servers {
- default = {}
-}
-variable mariadb_databases {
- default = {}
-}
-variable mssql_failover_groups {
- default = {}
-}
-variable mssql_mi_failover_groups {
- default = {}
-}
-variable mssql_mi_administrators {
- default = {}
-}
-variable azuread_roles {
- default = {}
-}
-variable keyvault_certificate_issuers {
- default = {}
-}
-variable keyvault_certificate_requests {
- default = {}
-}
-variable virtual_machines {
- default = {}
-}
-variable bastion_hosts {
- default = {}
-}
-variable public_ip_addresses {
- default = {}
-}
-variable diagnostic_storage_accounts {
- default = {}
-}
-variable diagnostic_event_hub_namespaces {
- default = {}
-}
-variable diagnostic_log_analytics {
- default = {}
-}
-variable private_dns {
- default = {}
-}
-variable synapse_workspaces {
- default = {}
-}
-variable aks_clusters {
- default = {}
-}
-variable databricks_workspaces {
- default = {}
-}
-variable machine_learning_workspaces {
- default = {}
-}
-variable monitoring {
- default = {}
-}
-variable virtual_wans {
- default = {}
-}
-variable event_hub_namespaces {
- default = {}
-}
-variable application_gateways {
- default = {}
-}
-variable application_gateway_applications {
- default = {}
-}
-variable mysql_servers {
- default = {}
-}
-variable postgresql_servers {
- default = {}
-}
-variable cosmos_db {
- default = {}
-}
-variable log_analytics {
- default = {}
-}
-variable recovery_vaults {
- default = {}
-}
-variable availability_sets {
- default = {}
-}
-variable proximity_placement_groups {
- default = {}
-}
-variable network_watchers {
- default = {}
-}
-variable virtual_network_gateways {
- default = {}
-}
-variable virtual_network_gateway_connections {
- default = {}
-}
-variable express_route_circuits {
- default = {}
-}
-variable express_route_circuit_authorizations {
- default = {}
-}
-variable diagnostics_destinations {
- default = {}
-}
-variable vnet_peerings {
- default = {}
-}
-variable cosmos_dbs {
- default = {}
-}
-variable front_doors {
- default = {}
-}
-variable front_door_waf_policies {
- default = {}
-}
-variable dns_zones {
- default = {}
-}
-variable private_endpoints {
- default = {}
-}
-variable local_network_gateways {
- default = {}
-}
-variable azure_container_registries {
- default = {}
-}
-variable azuread_api_permissions {
- default = {}
-}
-variable azuread_apps {
- default = {}
-}
-variable azuread_users {
- default = {}
-}
-variable user_type {}
-variable domain_name_registrations {
- default = {}
-}
-variable dns_zone_records {
- default = {}
-}
-variable keyvault_keys {
- default = {}
-}
-variable load_balancers {
- default = {}
-}
\ No newline at end of file