From 321fcf0a1ad837467affd1a2da000551044a2171 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Fri, 11 Feb 2022 02:31:23 +0000 Subject: [PATCH 1/2] Add alias to launchpad existing subscription --- .../__pycache__/merge_vars.cpython-39.pyc | Bin 4806 -> 4806 bytes .../subscriptions/subscriptions.tfvars.j2 | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc index 983ff35eecb4b7d12b9a0ff50f47b873b073ffe0..234152fea485aa659350e63eef21fecc16f60d7a 100644 GIT binary patch delta 20 acmX@6dQ6o&k(ZZ?0SL Date: Mon, 14 Feb 2022 11:45:34 +0000 Subject: [PATCH 2/2] Update templates --- caf_solution/local.networking.tf | 9 +- .../orion-landingzone/tfstates.asvm.yaml | 29 --- .../orion-landingzone/config.asvm.yaml | 0 .../orion-landingzone/deployments.yaml | 16 +- .../orion-landingzone/readme.md | 0 .../orion-landingzone/resources.asvm.yaml | 28 +- .../orion-landingzone/subscriptions.asvm.yaml | 8 +- .../asvm/orion-landingzone/tfstates.asvm.yaml | 29 +++ templates/platform/ansible.yaml | 243 +++--------------- templates/platform/generic/readme.md | 27 ++ .../platform/level0/credentials/readme.md | 4 +- .../platform/level0/launchpad/ansible.yaml | 242 ----------------- .../level0/launchpad/ansible.yaml.old | 242 +++++++++++++++++ .../azuread_api_permissions.tfvars.j2 | 60 ----- ....j2 => azuread_applications.tfvars.j2.old} | 0 .../launchpad/azuread_group_members.tfvars.j2 | 6 +- .../level0/launchpad/azuread_groups.tfvars.j2 | 4 + .../level0/launchpad/azuread_roles.tfvars.j2 | 28 -- .../launchpad/dynamic_secrets.tfvars.j2 | 67 ----- ...ars.j2 => keyvault_policies.tfvars.j2.old} | 0 .../level0/launchpad/keyvaults.tfvars.j2 | 6 +- ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 templates/platform/level0/launchpad/readme.md | 9 +- ....tfvars.j2 => role_mappings.tfvars.j2.OLD} | 0 ...rs.j2 => service_principals.tfvars.j2.old} | 0 .../launchpad/storage_accounts.tfvars.j2 | 90 ------- templates/platform/level1/eslz/ansible.yaml | 51 ++-- .../level1/eslz/enterprise_scale.tfvars.j2 | 2 +- ...ration.tfvars.j2 => landingzone.tfvars.j2} | 0 .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 2 +- templates/platform/level1/eslz/readme.md | 2 +- 
.../eslz/subscription_id_overrides.tfvars.j2 | 16 +- .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 templates/platform/level1/identity/readme.md | 2 +- .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 .../platform/level1/management/readme.md | 2 +- .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 .../platform/level1/subscriptions/readme.md | 2 +- ...yment.yaml => ansible_deployment.yaml.old} | 0 ...l => ansible_resource_deployment.yaml.old} | 0 ...pe.yaml => ansible_resource_type.yaml.old} | 0 templates/platform/level2/asvm/ansible.yaml | 129 +++++----- ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 templates/platform/level2/asvm/readme.md | 2 +- ...vars.j2 => storage_accounts.tfvars.j2.old} | 0 .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 .../connectivity/vpn_site/vpn_sites.tfvars.j2 | 36 --- .../{ansible.yaml => ansible.yaml.old} | 0 templates/platform/process_deployments.yaml | 21 ++ templates/platform/process_foundations.yaml | 10 + templates/platform/process_resources.yaml | 30 +++ templates/platform/process_stages.yaml | 33 +++ .../process_subscription_resources.yaml | 76 ++++++ templates/platform/process_tfstate.yaml | 22 ++ .../azuread_api_permissions.tfvars.j2 | 32 +++ templates/resources/azuread_roles.tfvars.j2 | 15 ++ .../dynamic_keyvault_secrets.tfvars.j2 | 15 +- .../dynamic_keyvault_secrets.tfvars.j2.old | 12 + templates/resources/landingzone.tfvars.j2 | 56 ++-- .../resources/storage_accounts.tfvars.j2 | 110 ++++++++ .../vpn_gateway_connections.tfvars.j2} | 16 +- templates/resources/vpn_sites.tfvars.j2 | 38 +++ 68 files changed, 948 insertions(+), 931 deletions(-) delete mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml rename 
templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/config.asvm.yaml (100%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/deployments.yaml (82%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/readme.md (100%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/resources.asvm.yaml (98%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/subscriptions.asvm.yaml (53%) create mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml create mode 100644 templates/platform/generic/readme.md delete mode 100644 templates/platform/level0/launchpad/ansible.yaml create mode 100644 templates/platform/level0/launchpad/ansible.yaml.old delete mode 100644 templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 rename templates/platform/level0/launchpad/{azuread_applications.tfvars.j2 => azuread_applications.tfvars.j2.old} (100%) delete mode 100644 templates/platform/level0/launchpad/azuread_roles.tfvars.j2 delete mode 100644 templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 rename templates/platform/level0/launchpad/{keyvault_policies.tfvars.j2 => keyvault_policies.tfvars.j2.old} (100%) rename templates/platform/level0/launchpad/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level0/launchpad/{role_mappings.tfvars.j2 => role_mappings.tfvars.j2.OLD} (100%) rename templates/platform/level0/launchpad/{service_principals.tfvars.j2 => service_principals.tfvars.j2.old} (100%) delete mode 100644 templates/platform/level0/launchpad/storage_accounts.tfvars.j2 rename templates/platform/level1/eslz/{configuration.tfvars.j2 => landingzone.tfvars.j2} (100%) rename templates/platform/level1/identity/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level1/identity/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename 
templates/platform/level1/management/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level1/management/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level1/subscriptions/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level1/subscriptions/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/{ansible_deployment.yaml => ansible_deployment.yaml.old} (100%) rename templates/platform/level2/{ansible_resource_deployment.yaml => ansible_resource_deployment.yaml.old} (100%) rename templates/platform/level2/{ansible_resource_type.yaml => ansible_resource_type.yaml.old} (100%) rename templates/platform/level2/asvm/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/asvm/{storage_accounts.tfvars.j2 => storage_accounts.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level2/connectivity/azurerm_firewall_policies/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/azurerm_firewalls/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/vpn_site/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) delete mode 100644 templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 rename templates/platform/level2/identity/{ansible.yaml => ansible.yaml.old} (100%) create mode 100644 templates/platform/process_deployments.yaml create mode 100644 templates/platform/process_foundations.yaml create mode 100644 templates/platform/process_resources.yaml create mode 100644 templates/platform/process_stages.yaml create mode 100644 templates/platform/process_subscription_resources.yaml create mode 100644 templates/platform/process_tfstate.yaml create mode 100644 templates/resources/azuread_api_permissions.tfvars.j2 create mode 100644 
templates/resources/azuread_roles.tfvars.j2
create mode 100644 templates/resources/dynamic_keyvault_secrets.tfvars.j2.old
create mode 100644 templates/resources/storage_accounts.tfvars.j2
rename templates/{platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2 => resources/vpn_gateway_connections.tfvars.j2} (60%)
create mode 100644 templates/resources/vpn_sites.tfvars.j2
diff --git a/caf_solution/local.networking.tf b/caf_solution/local.networking.tf
index c27380a3f..f0bfeed6a 100644
--- a/caf_solution/local.networking.tf
+++ b/caf_solution/local.networking.tf
@@ -2,9 +2,9 @@ locals {
 networking = merge(
 var.networking,
 {
- application_gateway_platforms = var.application_gateway_platforms
- application_gateway_applications_v1 = var.application_gateway_applications_v1
 application_gateway_applications = var.application_gateway_applications
+ application_gateway_applications_v1 = var.application_gateway_applications_v1
+ application_gateway_platforms = var.application_gateway_platforms
 application_gateway_waf_policies = var.application_gateway_waf_policies
 application_gateways = var.application_gateways
 application_security_groups = var.application_security_groups
@@ -15,8 +15,8 @@ locals {
 azurerm_firewall_policy_rule_collection_groups = var.azurerm_firewall_policy_rule_collection_groups
 azurerm_firewalls = var.azurerm_firewalls
 azurerm_routes = var.azurerm_routes
- cdn_profiles = var.cdn_profiles
 cdn_endpoints = var.cdn_endpoints
+ cdn_profiles = var.cdn_profiles
 ddos_services = var.ddos_services
 dns_zone_records = var.dns_zone_records
 dns_zones = var.dns_zones
@@ -46,10 +46,11 @@ locals {
 virtual_hubs = var.virtual_hubs
 virtual_network_gateway_connections = var.virtual_network_gateway_connections
 virtual_network_gateways = var.virtual_network_gateways
+ virtual_subnets = var.virtual_subnets
 virtual_wans = var.virtual_wans
 vnet_peerings = var.vnet_peerings
 vnets = var.vnets
- virtual_subnets = var.virtual_subnets
+ vpn_gateway_connections = var.vpn_gateway_connections
 vpn_sites = var.vpn_sites
 }
 )
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml
deleted file mode 100644
index 54e176178..000000000
--- a/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# ### orion ###
-tfstates:
- asvm:
- asvm_storage_containers:
- subscriptions:
- lz_key_name: it_dna_orion_storage_containers
- tfstate: it_dna_orion_storage_containers.tfstate
- workspace: tfstate
- level: level3
-
- it_dna_orion_dev:
- subscriptions:
- lz_key_name: it_dna_orion_dev_subscriptions
- tfstate: it_dna_orion_dev_subscriptions.tfstate
- resources:
- lz_key_name: it_dna_orion_dev_resources
- tfstate: it_dna_orion_dev_resources.tfstate
- workspace: orion-dev
- level: level3
-
- it_dna_orion_prod:
- subscriptions:
- lz_key_name: it_dna_orion_prod_subscriptions
- tfstate: it_dna_orion_prod_subscriptions.tfstate
- resources:
- lz_key_name: it_dna_orion_prod_resources
- tfstate: it_dna_orion_prod_resources.tfstate
- workspace: orion-prod
- level: level3
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/config.asvm.yaml
similarity index 100%
rename from templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml
rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/config.asvm.yaml
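Review bot: The added `vpn_gateway_connections = var.vpn_gateway_connections` in the third hunk references an input variable this patch does not declare — the diffstat lists `caf_solution/local.networking.tf` as the only file touched under `caf_solution/`, so unless `variable "vpn_gateway_connections"` already exists in the module, `terraform validate` will fail on an undeclared variable; if it does exist, naming the file that declares it in the commit message would spare the next reader the search. Every other line in the three hunks only reorders existing keys alphabetically, which makes the single functional addition easy to miss; keeping reorder-only edits in a separate commit would make the intent clearer. The `locals { networking = merge(...) }` block spans all three hunks and its closing brace lies outside them.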
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml similarity index 82% rename from templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml index f22cebc46..7b83be426 100644 --- a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml @@ -12,12 +12,12 @@ deployments: platform: asvm: - it_dna_orion_dev: + orion_dev: subscriptions: landingzone: key: asvm: - it_dna_orion_dev: subscriptions + orion_dev: subscriptions global_settings_key: asvm: asvm_storage_containers: subscriptions @@ -29,13 +29,13 @@ deployments: landingzone: key: asvm: - it_dna_orion_dev: resources + orion_dev: resources global_settings_key: platform: virtual_hubs: non_prod remote_tfstates: asvm: - it_dna_orion_dev: subscriptions + orion_dev: subscriptions asvm_storage_containers: subscriptions platform: virtual_hubs: non_prod @@ -44,12 +44,12 @@ deployments: asvm: azurerm_firewalls: non_prod - it_dna_orion_prod: + orion_prod: subscriptions: landingzone: key: asvm: - it_dna_orion_prod: subscriptions + orion_prod: subscriptions global_settings_key: asvm: asvm_storage_containers: subscriptions @@ -61,13 +61,13 @@ deployments: landingzone: key: asvm: - it_dna_orion_prod: resources + orion_prod: resources global_settings_key: platform: virtual_hubs: prod remote_tfstates: asvm: - it_dna_orion_prod: subscriptions + orion_prod: subscriptions asvm_storage_containers: subscriptions platform: virtual_hubs: prod 
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/readme.md b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md similarity index 100% rename from templates/enterprise-scale/contoso/application/orion-landingzone/readme.md rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml similarity index 98% rename from templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml index c37374424..a75c16210 100644 --- a/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml @@ -3,7 +3,7 @@ gitops: subscriptions: - it_dna_orion_dev: + orion_dev: resource_groups: rg: @@ -458,8 +458,8 @@ subscriptions: built_in_role_mapping: subscriptions: - it_dna_orion_dev: - lz_key: it_dna_orion_dev_subscriptions + orion_dev: + lz_key: orion_dev_subscriptions Contributor: azuread_service_principals: keys: @@ -486,21 +486,21 @@ subscriptions: keys: - sp_LZContributors storage_containers: - it_dna_orion_prod_level3: - lz_key: it_dna_orion_storage_containers + orion_prod_level3: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - it_dna_orion_dev_level4: - lz_key: it_dna_orion_storage_containers + orion_dev_level4: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - it_dna_orion_prod: + orion_prod: resource_groups: rg: 
@@ -972,8 +972,8 @@ subscriptions: built_in_role_mapping: subscriptions: - it_dna_orion_prod: - lz_key: it_dna_orion_prod_subscriptions + orion_prod: + lz_key: orion_prod_subscriptions Contributor: azuread_service_principals: keys: @@ -1000,14 +1000,14 @@ subscriptions: keys: - sp_LZContributors storage_containers: - it_dna_orion_prod_level3: - lz_key: it_dna_orion_storage_containers + orion_prod_level3: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - it_dna_orion_prod_level4: - lz_key: it_dna_orion_storage_containers + orion_prod_level4: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml similarity index 53% rename from templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml index db45e7c58..8a7a49156 100644 --- a/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml @@ -2,12 +2,12 @@ gitops: landingzones: aci_network subscriptions: - it_dna_orion_dev: - it_dna_orion_dev: + orion_dev: + orion_dev: name: orion-dev management_group_suffix: non-prod - it_dna_orion_prod: - it_dna_orion_prod: + orion_prod: + orion_prod: name: orion-prod management_group_suffix: prod \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml new file mode 100644 index 000000000..8a1f94f17 --- /dev/null +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml 
@@ -0,0 +1,29 @@
+# ### orion ###
+tfstates:
+ asvm:
+ asvm_storage_containers:
+ subscriptions:
+ lz_key_name: orion_storage_containers
+ tfstate: orion_storage_containers.tfstate
+ workspace: tfstate
+ level: level3
+
+ orion_dev:
+ subscriptions:
+ lz_key_name: orion_dev_subscriptions
+ tfstate: orion_dev_subscriptions.tfstate
+ resources:
+ lz_key_name: orion_dev_resources
+ tfstate: orion_dev_resources.tfstate
+ workspace: orion-dev
+ level: level3
+
+ orion_prod:
+ subscriptions:
+ lz_key_name: orion_prod_subscriptions
+ tfstate: orion_prod_subscriptions.tfstate
+ resources:
+ lz_key_name: orion_prod_resources
+ tfstate: orion_prod_resources.tfstate
+ workspace: orion-prod
+ level: level3
diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml
index a22d1b019..2f33594bd 100644
--- a/templates/platform/ansible.yaml
+++ b/templates/platform/ansible.yaml
@@ -1,211 +1,69 @@ -- name: CAF Terraform - Generate Azure Subscription Vending Machine (asvm) configuration files +- name: Process deployment based on bootstrap.yaml hosts: localhost - vars: - # connectivity_virtual_wan: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_wan.yaml') | from_yaml }}" - # connectivity_virtual_hub: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_hub.yaml') | from_yaml }}" - connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml', errors='ignore') | from_yaml }}" - connectivity_firewall_policies: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall_policies.yaml', errors='ignore') | from_yaml }}" - connectivity_vpn_sites: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_sites.yaml', errors='ignore') | from_yaml }}" - connectivity_vpn_gateway_connections: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_gateway_connections.yaml', errors='ignore') | from_yaml }}" - connectivity_express_routes: "{{ lookup('file', '{{ config_folder }}/connectivity_express_routes.yaml', errors='ignore') | from_yaml }}" - connectivity_express_route_peerings: "{{ lookup('file', '{{ config_folder }}/connectivity_express_route_peerings.yaml', errors='ignore') | from_yaml }}" - identity: "{{ lookup('file', '{{ config_folder }}/identity.yaml') | from_yaml }}" - management: "{{ lookup('file', '{{ config_folder }}/management.yaml') | from_yaml }}" - subscriptions: "{{ lookup('file', '{{ config_folder }}/subscriptions.yaml') | from_yaml }}" - mg: "{{ lookup('file', '{{ config_folder }}/eslz/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" - mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/custom_landing_zones.caf.platform.yaml') | from_yaml }}" - tfstates: "{{ lookup('file', '{{ config_folder }}/tfstates.yaml') | from_yaml }}" - base_templates_folder: "{{ base_templates_folder }}" - boostrap_launchpad: boostrap_launchpad | default(false) - deploy_subscriptions: 
deploy_subscriptions | default(false) - tasks: + + - name: "load {{ config_folder }}/bootstrap.yaml" + include_vars: + name: bootstrap + dir: "{{ config_folder }}" + depth: 1 + ignore_unknown_extensions: true + files_matching: "bootstrap.yaml" - name: "Load variable for platform config" include_vars: name: config - dir: "{{config_folder_platform | default(config_folder)}}" + dir: "{{config_folder}}" depth: 1 ignore_unknown_extensions: true - files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml" + files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml|subscriptions.yaml" - - name: "Get latest cache folder" - set_fact: - job_cache_base_path: "/home/vscode/.terraform.cache" - destination_base: "{{ destination_base_path | default(config.configuration_folders.platform.destination_base_path) }}" - - - name: "Creates cache directory" - file: - path: "{{ job_cache_base_path }}/launchpad" - state: directory - - name: "Destination folder" - debug: - msg: "{{destination_base}}" + - name: "{{deployment}} - Set tfstate_object" + set_fact: + destination_base: '{{config.configuration_folders.platform.destination_base_path}}' - - name: "Content of config" - debug: - msg: "{{config}}" + - debug: + msg: + - "{{bootstrap}}" + - "{{config}}" + verbosity: 2 # -# Level 0 +# Generate the foundation services # -## launchpad - - - name: "[{{ level }}-{{ base_folder }}] launchpad" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" + - include_tasks: "process_foundations.yaml" + loop: "{{bootstrap.deployments.keys()}}" + when: boostrap is defined + loop_control: + loop_var: stage vars: - base_folder: "launchpad" - level: "level0" - subscription_key: launchpad - -## credentials - - name: "[{{ level }}-{{ base_folder }}] Setup credentials" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - config.platform_identity.azuread_identity_mode == "service_principal" - - launchpad_tfstate_exists.rc == 0 - vars: - base_folder: "credentials" - 
level: "level0" - subscription_key: launchpad_credentials - - - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - config.platform_identity.azuread_identity_mode == "logged_in_user" - - launchpad_tfstate_exists.rc == 0 - vars: - base_folder: "credentials" - level: "level0" - -## billing_subscription_role_delegations - - name: "[{{ level }}-{{ base_folder }}] Configure subscription role delegations" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: ((config.caf_terraform.billing_subscription_role_delegations is defined) and (config.platform_identity.azuread_identity_mode == "service_principal") and (launchpad_tfstate_exists.rc == 0) and (credentials_tfstate_exists is not skipped)) - vars: - base_folder: "billing_subscription_role_delegations" - level: "level0" - - - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - level0_billing_subscription_role_delegations is skipped - vars: - base_folder: "billing_subscription_role_delegations" - level: "level0" - + step: deployments # -# Level 1 +# Process the deployments folders # + - find: + paths: "{{config_folder}}/deployments" + recurse: yes + patterns: "*.yaml" + file_type: file + register: files_to_process -## subscriptions - - name: "{{ level }}-{{ base_folder }} | Create platform subscriptions" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "dedicated_new" and config.platform_identity.azuread_identity_mode != "logged_in_user" and launchpad_tfstate_exists is succeeded and credentials_tfstate_exists is succeeded) - vars: - base_folder: "subscriptions" - 
level: "level1" - - - name: "{{ level }}-{{ base_folder }} | Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - level1_subscriptions is skipped - vars: - base_folder: "subscriptions" - level: "level1" + - debug: + msg: + - "{{files_to_process}}" + verbosity: 2 -## management - - name: "{{ level }}-{{ base_folder }} | Management services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - (config.platform_management.enable | bool) - - ((level1_subscriptions is not skipped and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - ((platform_subscriptions_details is defined and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - vars: - base_folder: "management" - level: "level1" - subscription_key: management - -## identity - - name: "{{ level }}-{{ base_folder }} | Identity services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - launchpad_tfstate_exists is not skipped - - credentials_tfstate_exists is not skipped - - ((level1_subscriptions is not skipped and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - ((platform_subscriptions_details is defined and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - identity.subscriptions is defined - - vars: - base_folder: "identity" - level: "level1" - subscription_key: identity - -## eslz - - name: "{{ level }}-{{ base_folder }} | Enterprise-scale services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - (config.platform_core_setup.enterprise_scale.enable | 
bool) - - ( (config.platform_core_setup.enterprise_scale.enable | bool) and level1_subscriptions is not skipped ) or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" or config.platform_identity.azuread_identity_mode == "logged_in_user" - - platform_subscriptions_details.identity is defined or config.platform_identity.azuread_identity_mode == "logged_in_user" or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" - - platform_subscriptions_details.management is defined or config.platform_identity.azuread_identity_mode == "logged_in_user" or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" - - vars: - base_folder: "eslz" - level: "level1" - -# -# Level 2 -# - -## asvm - - name: "{{ level }}-{{ base_folder }} | Azure Subscription Vending Machine (asvm)" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - - launchpad_azuread_groups is defined - - platform_subscriptions_details is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") - vars: - base_folder: "asvm" - level: "level2" - subscription_key: asvm - -## Connectivity - - name: "{{ level }}-{{ base_folder }} | Connectivity services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - ( (config.networking_topology.deployment_option == "virtual_wan") or (config.platform_identity.azuread_identity_mode == 'logged_in_user') ) - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == 'logged_in_user') - vars: - base_folder: "connectivity" - level: "level2" - -## identity - - name: "{{ level }}-{{ base_folder }} | Identity services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - 
config.platform_core_setup.enterprise_scale.subscription_deployment_mode != "single_reuse" - - launchpad_tfstate_exists is not skipped - - credentials_tfstate_exists is not skipped - - level1_subscriptions is not skipped or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") - - vars: - base_folder: "identity" - level: "level2" + - name: Process deployments folder configuration files + include_tasks: "process_deployments.yaml" + loop: "{{files_to_process.files}}" + loop_control: + loop_var: file_to_process ## Platform readme @@ -223,20 +81,3 @@ shell: | terraform fmt -recursive {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }} - -# # -# # Pipelines -# # -# - name: Pipelines -# hosts: localhost -# vars: -# config: "{{ lookup('file', '{{ config_folder }}/platform.yaml') | from_yaml }}" -# connectivity: "{{ lookup('file', '{{ config_folder }}/connectivity.yaml') | from_yaml }}" -# cidr: "{{ lookup('file', '{{ config_folder }}/cidr.yaml') | from_yaml }}" -# tfstates: "{{ lookup('file', '{{ config_folder }}/tfstates.yaml') | from_yaml }}" -# base_templates_folder: /tf/caf/templates/platform -# base_folder: pipelines - -# tasks: -# - import_tasks: "{{ base_folder }}/platform.yaml" -# - debug: msg="You can now proceed to the next steps and execute the deployment. Refer to the readme in {{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/README.md" diff --git a/templates/platform/generic/readme.md b/templates/platform/generic/readme.md new file mode 100644 index 000000000..d0dd39cf6 --- /dev/null +++ b/templates/platform/generic/readme.md 
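Review bot: `when: boostrap is defined` on the added `include_tasks: "process_foundations.yaml"` task tests a variable nothing sets — the facts loaded a few lines earlier are named `bootstrap` (`include_vars: name: bootstrap`) and the loop and the debug task both use that spelling, so the condition is always false and the whole foundation stage is silently skipped; change it to `when: bootstrap is defined`, and note that the `loop: "{{bootstrap.deployments.keys()}}"` is still evaluated before the condition, so the guard does not protect that dereference. The added task `- name: "{{deployment}} - Set tfstate_object"` references `deployment`, which nothing in this play defines, and what it actually sets is `destination_base`, so a name such as `"Set destination_base"` would be accurate. The rewrite also hard-codes `dir: "{{config_folder}}"` and `destination_base` from `config.configuration_folders.platform.destination_base_path`, dropping the `config_folder_platform` and `destination_base_path` overrides the removed lines honored; callers that pass those as extra vars will now be ignored without any warning. Lastly, `find` returns files in filesystem order, so if the `deployments/*.yaml` files depend on one another, sort them before looping, e.g. `loop: "{{ files_to_process.files | sort(attribute='path') }}"`.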
@@ -0,0 +1,27 @@ + +```bash +#Note: close previous session if you logged with a different service principal using --impersonate-sp-from-keyvault-url +rover logout + +# login a with a user member of the caf-maintainers group +rover login -t {{ config.platform_identity.tenant_name }} + +rover \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} + --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ +{% endif %} + -lz /tf/caf/landingzones/caf_solution \ + -var-folder {{ destination_path }} \ + -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +{% if config.subscriptions[resources.subscriptions.keys() | first ].subscription_id is defined %} + -target_subscription {{ config.subscriptions[resources.subscriptions.keys() | first ].subscription_id }} \ +{% endif %} + -tfstate {{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }} \ + -log-severity {{ config.gitops.rover_log_error }} \ + -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }}.tfplan \ + -a plan + +``` + diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index 23353e464..e93e7d096 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md 
@@ -11,7 +11,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \ @@ -35,7 +35,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \ diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml deleted file mode 100644 index c21fa1145..000000000 --- a/templates/platform/level0/launchpad/ansible.yaml +++ /dev/null 
@@ -1,242 +0,0 @@ -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - -- name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "launchpad.yaml|level0.yaml|configuration.caf.platform.yaml" - -- debug: - msg: "{{resources}}" - -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool - -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory - - -# -# container_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resources - container_groups" - when: - - resources.subscriptions[subscription_key].container_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/container_groups.tfvars.j2" - -# -# network_security_group_definition -# -- name: "[{{ level }}-{{ base_folder }}] - resources - network_security_group_definition" - when: - - resources.subscriptions[subscription_key].network_security_group_definition is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" - - -# -# resource_groups -# -- name: "[{{ level }}-{{ 
base_folder }}] - resources - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" - -# -# virtual_networks -# -- name: "[{{ level }}-{{ base_folder }}] - resources - virtual_networks" - when: - - resources.subscriptions[subscription_key].virtual_networks is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" - - -# -# network_profiles -# -- name: "[{{ level }}-{{ base_folder }}] - resources - network_profiles" - when: - - resources.subscriptions[subscription_key].network_profiles is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/network_profiles.tfvars.j2" - - -- name: "[{{ level }}-{{ base_folder }}] launchpad" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - force: yes - loop: - - dynamic_secrets - - global_settings - - keyvaults - - landingzone - - role_mappings - - storage_accounts - -- name: "[{{ level }}-{{ base_folder }}] Clean-up identity files" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - state: absent - when: config.platform_identity.azuread_identity_mode == "logged_in_user" - loop: - - azuread_api_permissions - - azuread_applications - - 
azuread_group_members - - azuread_groups - - azuread_roles - - keyvault_policies - - service_principals - -- name: "[{{ level }}-{{ base_folder }}] lauchpad - identity - service_principal" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - force: yes - when: config.platform_identity.azuread_identity_mode != 'logged_in_user' - loop: - - azuread_api_permissions - - azuread_applications - - azuread_group_members - - azuread_groups - - azuread_roles - - keyvault_policies - - service_principals - -- name: "[{{ level }}-{{ base_folder }}] Deploy the launchpad" - when: boostrap_launchpad | bool | default(false) - shell: | - /tf/rover/rover.sh \ - -lz /tf/caf/landingzones/caf_launchpad \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ - -launchpad \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -a apply - -- name: "[{{ level }}-{{ base_folder }}] Get tfstate account name" - register: launchpad_storage_account - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -- debug: - msg: "{{launchpad_storage_account}}" - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad tfstate details" - register: launchpad_tfstate_exists - 
ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates.platform.launchpad.tfstate }}" \ - --account-name "{{ launchpad_storage_account.stdout | default('') }}" \ - --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ - --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" - -- name: "[{{ level }}-{{ base_folder }}] Get subscription_creation_landingzones details" - when: - - launchpad_tfstate_exists.rc == 0 - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" - register: launchpad_tfstate - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad json data" - when: - - launchpad_tfstate_exists.rc == 0 - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - set_fact: - scljsondata: "{{ launchpad_tfstate.stdout | from_json }}" - -- name: "[{{ level }}-{{ base_folder }}] set launchpad_azuread_groups" - when: - - launchpad_tfstate_exists.rc == 0 - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - set_fact: - launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.launchpad.azuread_groups' - -- name: "[{{ level }}-{{ base_folder }}] Get credentials tfstate details" - register: credentials_tfstate_exists - ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \ - --account-name "{{ launchpad_storage_account.stdout }}" \ - --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ - --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad_credentials details" - 
when: credentials_tfstate_exists.rc == 0 - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - register: launchpad_credentials - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad_credentials json data" - when: credentials_tfstate_exists.rc == 0 - set_fact: - credjsondata: "{{ launchpad_credentials.stdout | from_json }}" - -- name: "[{{ level }}-{{ base_folder }}] set keyvaults" - when: credentials_tfstate_exists.rc == 0 - set_fact: - keyvaults: "{{ credjsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults' - -- name: "[{{ level }}-{{ base_folder }}] cleanup" - when: credentials_tfstate_exists.rc == 0 - file: - path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - state: absent - -- name: "[{{ level }}-{{ base_folder }}] cleanup" - when: launchpad_tfstate_exists.rc == 0 - file: - path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" - state: absent - -# Update readme -- name: "[{{ level }}-{{ base_folder }}] launchpad - readme" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/readme.md" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md" - force: yes \ No newline at end of file diff --git a/templates/platform/level0/launchpad/ansible.yaml.old b/templates/platform/level0/launchpad/ansible.yaml.old new file mode 100644 index 000000000..3e58c3865 --- /dev/null +++ b/templates/platform/level0/launchpad/ansible.yaml.old 
@@ -0,0 +1,242 @@ +- name: "{{deployment}} - Set variables" + set_fact: + destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}" + +- debug: + msg: + - "{{tfstate_object}}" + - "{{resources}}" + +- name: "[{{resources.relative_destination_folder}}] Clean-up directory" + file: + path: "{{destination_path}}" + state: absent + when: config.configuration_folders.platform.cleanup_destination | bool + +- name: "[{{resources.relative_destination_folder}}] Creates directory" + file: + path: "{{destination_path}}" + state: directory + + +- name: "{{deployment}} - process subscription resources" + include_tasks: "process_subscription_resources.yaml" + loop: "{{resources.subscriptions.keys()}}" + loop_control: + loop_var: subscription_key + +# # +# # container_groups +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - container_groups" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].container_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/container_groups.tfvars.j2" + +# # +# # network_security_group_definition +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - network_security_group_definition" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].network_security_group_definition is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" + + +# # +# # resource_groups +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - resource_groups" +# when: +# - 
resources.subscriptions[resources.subscriptions.keys()].resource_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/resource_groups.tfvars.j2" + +# # +# # virtual_networks +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - virtual_networks" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].virtual_networks is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" + + +# # +# # network_profiles +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - network_profiles" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].network_profiles is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/network_profiles.tfvars.j2" + + +# - name: "[{{resources.relative_destination_folder}}] launchpad" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" +# dest: "{{destination_path}}/{{ item }}.tfvars" +# force: yes +# loop: +# - dynamic_secrets +# - global_settings +# - keyvaults +# - landingzone +# - role_mappings +# - storage_accounts + +# - name: "[{{resources.relative_destination_folder}}] Clean-up identity files" +# file: +# path: "{{destination_path}}/{{ item }}.tfvars" +# state: absent +# when: config.platform_identity.azuread_identity_mode == "logged_in_user" +# loop: +# - azuread_api_permissions +# - azuread_applications +# - azuread_group_members +# - azuread_groups +# - azuread_roles +# - keyvault_policies +# - service_principals + +# - name: 
"[{{resources.relative_destination_folder}}] lauchpad - identity - service_principal" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" +# dest: "{{destination_path}}/{{ item }}.tfvars" +# force: yes +# when: config.platform_identity.azuread_identity_mode != 'logged_in_user' +# loop: +# - azuread_api_permissions +# - azuread_applications +# - azuread_group_members +# - azuread_groups +# - azuread_roles +# - keyvault_policies +# - service_principals + +# - name: "[{{resources.relative_destination_folder}}] Deploy the launchpad" +# when: boostrap_launchpad | bool | default(false) +# shell: | +# /tf/rover/rover.sh \ +# -lz /tf/caf/landingzones/caf_launchpad \ +# -var-folder {{destination_path}} \ +# -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +# -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ +# -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ +# -log-severity {{ config.gitops.rover_log_error }} \ +# -launchpad \ +# -env {{ config.caf_terraform.launchpad.caf_environment }} \ +# -level {{ level }} \ +# -a apply + +- name: "[{{resources.relative_destination_folder}}] Get tfstate account name" + register: launchpad_storage_account + shell: | + az storage account list \ + --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name + +- debug: + msg: "{{launchpad_storage_account}}" + +- name: "[{{resources.relative_destination_folder}}] Get launchpad tfstate details" + register: launchpad_tfstate_exists + ignore_errors: true + shell: | + az storage blob download \ + --name "{{ config.tfstates.platform.launchpad.tfstate }}" \ + --account-name "{{ launchpad_storage_account.stdout | default('') }}" \ + --container-name "{{ 
config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ + --auth-mode "login" \ + --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" + +- name: "[{{resources.relative_destination_folder}}] Get subscription_creation_landingzones details" + when: + - launchpad_tfstate_exists.rc == 0 + - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine + shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" + register: launchpad_tfstate + +- name: "[{{resources.relative_destination_folder}}] Get launchpad json data" + when: + - launchpad_tfstate_exists.rc == 0 + - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine + set_fact: + scljsondata: "{{ launchpad_tfstate.stdout | from_json }}" + +- name: "[{{resources.relative_destination_folder}}] set launchpad_azuread_groups" + when: + - launchpad_tfstate_exists.rc == 0 + - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine + set_fact: + launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}" + vars: + path: 'outputs.objects.value.launchpad.azuread_groups' + +- name: "[{{resources.relative_destination_folder}}] Get credentials tfstate details" + register: credentials_tfstate_exists + ignore_errors: true + shell: | + az storage blob download \ + --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \ + --account-name "{{ launchpad_storage_account.stdout }}" \ + --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ + --auth-mode "login" \ + --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + +- name: "[{{resources.relative_destination_folder}}] Get launchpad_credentials details" + when: credentials_tfstate_exists.rc == 0 + shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + register: 
launchpad_credentials + +- name: "[{{resources.relative_destination_folder}}] Get launchpad_credentials json data" + when: credentials_tfstate_exists.rc == 0 + set_fact: + credjsondata: "{{ launchpad_credentials.stdout | from_json }}" + +- name: "[{{resources.relative_destination_folder}}] set keyvaults" + when: credentials_tfstate_exists.rc == 0 + set_fact: + keyvaults: "{{ credjsondata | json_query(path) }}" + vars: + path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults' + +- name: "[{{resources.relative_destination_folder}}] cleanup" + when: credentials_tfstate_exists.rc == 0 + file: + path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + state: absent + +- name: "[{{resources.relative_destination_folder}}] cleanup" + when: launchpad_tfstate_exists.rc == 0 + file: + path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" + state: absent + +# Update readme +# - name: "[{{resources.relative_destination_folder}}] launchpad - readme" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/readme.md" +# dest: "{{destination_path}}/readme.md" +# force: yes \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 b/templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 deleted file mode 100644 index 01e3e4656..000000000 --- a/templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 +++ /dev/null 
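Review bot: The two `shell: cat ~/.terraform.cache/launchpad/...` tasks and the `set_fact` tasks that follow them register the full Terraform state — including the launchpad_credentials state — as ordinary task results, so the raw state and any secrets it carries are printed under `-v` and end up in whatever fact cache is configured; add `no_log: true` to both `cat` tasks and to the `scljsondata`/`credjsondata` `set_fact` tasks. The storage-account lookup ends in `jq -r .name`, which prints the literal string `null` when no account matches the tags, so the `| default('')` on `--account-name` in the first download never takes effect and the second download uses `launchpad_storage_account.stdout` with no default at all; I would check for an empty or `null` name before either download instead of relying on `ignore_errors: true` to mask it. Since this is the `.old` copy of the launchpad playbook and most of it is commented out, I assume it is kept for reference only; if so, commenting out the remaining live tasks (or dropping the file) would avoid someone including it by mistake.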
@@ -1,60 +0,0 @@ - - -azuread_api_permissions = { - level0 = { - microsoft_graph = { - resource_app_id = "00000003-0000-0000-c000-000000000000" - resource_access = { - AppRoleAssignment_ReadWrite_All = { - id = "06b708a9-e830-4db3-a914-8e69da51d44f" - type = "Role" - } - DelegatedPermissionGrant_ReadWrite_All = { - id = "8e8e4742-1d95-4f68-9d56-6ee75648c72a" - type = "Role" - } - DelegatedPermissionGrant_ReadWrite_All = { - id = "18a4783c-866b-4cc7-a460-3d5e5662c884" - type = "Role" - } - } - } - } - identity = { - active_directory_graph = { - resource_app_id = "00000002-0000-0000-c000-000000000000" - resource_access = { - Application_ReadWrite_OwnedBy = { - id = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7" - type = "Role" - } - Directory_ReadWrite_All = { - id = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175" - type = "Role" - } - } - } - microsoft_graph = { - resource_app_id = "00000003-0000-0000-c000-000000000000" - resource_access = { - AppRoleAssignment_ReadWrite_All = { - id = "06b708a9-e830-4db3-a914-8e69da51d44f" - type = "Role" - } - DelegatedPermissionGrant_ReadWrite_All = { - id = "8e8e4742-1d95-4f68-9d56-6ee75648c72a" - type = "Role" - } - GroupReadWriteAll = { - id = "62a82d76-70ea-41e2-9197-370581804d09" - type = "Role" - } - RoleManagement_ReadWrite_Directory = { - id = "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" - type = "Role" - } - } - } - } - -} diff --git a/templates/platform/level0/launchpad/azuread_applications.tfvars.j2 b/templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/azuread_applications.tfvars.j2 rename to templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old diff --git a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 index ec156a815..137706f8f 100644 --- a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 
+++ b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 @@ -1,3 +1,4 @@ +{% if config.platform_identity.enable_azuread_groups %} azuread_groups_membership = { caf_platform_maintainers = { {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} @@ -31,4 +32,7 @@ azuread_groups_membership = { ] } } -} \ No newline at end of file +} +{% else %} +# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true +{% endif %} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 b/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 index a551a004a..3eaee1839 100644 --- a/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 +++ b/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 @@ -1,3 +1,4 @@ +{% if config.platform_identity.enable_azuread_groups %} azuread_groups = { caf_platform_maintainers = { name = "caf-platform-maintainers" @@ -95,3 +96,6 @@ azuread_groups = { } } +{% else %} +# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true +{% endif %} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_roles.tfvars.j2 b/templates/platform/level0/launchpad/azuread_roles.tfvars.j2 deleted file mode 100644 index 88162fee6..000000000 --- a/templates/platform/level0/launchpad/azuread_roles.tfvars.j2 +++ /dev/null 
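Review bot: The `{% else %}` branches added to azuread_group_members.tfvars.j2 and azuread_groups.tfvars.j2 emit `# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true`, which reads as though the groups live inside the flag; I would write `# Azure AD groups skipped: config.platform_identity.enable_azuread_groups is not true`. Both files still end without a trailing newline (git flags it on the new side), which is worth fixing while the file end is being edited. With the whole `azuread_groups` map now conditional on the flag, every other template that references `azuread_group_key = "caf_platform_maintainers"` has to be gated on the same flag; keyvaults.tfvars.j2 is updated in this change, but I cannot see from here whether any other template references the group.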
@@ -1,28 +0,0 @@ -# -# Available roles: -# az rest --method Get --uri https://graph.microsoft.com/v1.0/directoryRoleTemplates -o json | jq -r .value[].displayName -# -azuread_roles = { - azuread_service_principals = { - level0 = { - roles = [ - "Privileged Role Administrator", - "Application Administrator", - "Groups Administrator" - ] - } - identity = { - roles = [ - "User Administrator", - "Application Administrator", - "Groups Administrator" - ] - } - subscription_creation_landingzones = { - roles = [ - "Application Administrator", - "Groups Administrator" - ] - } - } -} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 b/templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 deleted file mode 100644 index 0b967297e..000000000 --- a/templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 +++ /dev/null 
@@ -1,67 +0,0 @@ - -# Store output attributes into keyvault secret -# Those values are used by the rover to connect the current remote state and -# identity the lower level -dynamic_keyvault_secrets = { - level0 = { - subscription_id = { - output_key = "client_config" - attribute_key = "subscription_id" - secret_name = "subscription-id" - } - tenant_id = { - output_key = "client_config" - attribute_key = "tenant_id" - secret_name = "tenant-id" - } - } - level1 = { - lower_stg = { - output_key = "storage_accounts" - resource_key = "level0" - attribute_key = "name" - secret_name = "lower-storage-account-name" - } - lower_rg = { - output_key = "resource_groups" - resource_key = "level0" - attribute_key = "name" - secret_name = "lower-resource-group-name" - } - subscription_id = { - output_key = "client_config" - attribute_key = "subscription_id" - secret_name = "subscription-id" - } - tenant_id = { - output_key = "client_config" - attribute_key = "tenant_id" - secret_name = "tenant-id" - } - } - level2 = { - lower_stg = { - output_key = "storage_accounts" - resource_key = "level1" - attribute_key = "name" - secret_name = "lower-storage-account-name" - } - lower_rg = { - output_key = "resource_groups" - resource_key = "level1" - attribute_key = "name" - secret_name = "lower-resource-group-name" - } - subscription_id = { - output_key = "client_config" - attribute_key = "subscription_id" - secret_name = "subscription-id" - } - tenant_id = { - output_key = "client_config" - attribute_key = "tenant_id" - secret_name = "tenant-id" - } - } - -} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2 b/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/keyvault_policies.tfvars.j2 rename to templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old 
diff --git a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 index 06f112bfc..3dca65e8a 100644 --- a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 +++ b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 @@ -15,7 +15,7 @@ keyvaults = { object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] @@ -51,7 +51,7 @@ keyvaults = { object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] @@ -87,7 +87,7 @@ keyvaults = { object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] 
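Review bot: Switching the `caf_platform_maintainers` access-policy gate from `azuread_identity_mode != 'logged_in_user'` to `config.platform_identity.enable_azuread_groups` changes which identities get Set/Delete/Purge on all three vaults for configs written against the old key: a config using a service-principal mode that never defines `enable_azuread_groups` will either fail to render or silently lose the maintainers policy block, depending on how undefined values are treated in this template run. I would make the intent explicit — `{% if config.platform_identity.enable_azuread_groups | default(false) %}` if dropping the block is acceptable, or `{% if config.platform_identity.enable_azuread_groups | mandatory %}` if a render-time failure is preferred — and note the new key in the config documentation. The same flag gates the group definition in azuread_groups.tfvars.j2, so the `azuread_group_key` reference resolves whenever this block is emitted. Separately, the permission list granted to the group includes `Purge`, which bypasses soft-delete recovery; that line is unchanged context rather than part of this change, but it is worth confirming the maintainers group needs it rather than only the EA account owner.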
diff --git a/templates/platform/level0/launchpad/landingzone.tfvars.j2 b/templates/platform/level0/launchpad/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/landingzone.tfvars.j2 rename to templates/platform/level0/launchpad/landingzone.tfvars.j2.old diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index 361e6ed95..46cbefbaf 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md @@ -17,7 +17,7 @@ This scenario requires the following privileges: Elevate your credentials to the tenant root level to have enough privileges to create the management group hierarchy. ```bash -{% if config.caf_terraform.billing_subscription_role_delegations.enable %} +{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} {% else %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner. @@ -34,7 +34,7 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap ```bash {% if config.caf_terraform.billing_subscription_role_delegations is defined %} -{% if config.caf_terraform.billing_subscription_role_delegations.enable %} +{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} {% else %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner. 
@@ -45,13 +45,14 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra cd /tf/caf/landingzones git fetch origin git checkout {{ config.gitops.caf_landingzone_branch }} +git pull rover \ {% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_launchpad \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ @@ -75,7 +76,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_launchpad \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 b/templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD similarity index 100% rename from templates/platform/level0/launchpad/role_mappings.tfvars.j2 rename to templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD 
diff --git a/templates/platform/level0/launchpad/service_principals.tfvars.j2 b/templates/platform/level0/launchpad/service_principals.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/service_principals.tfvars.j2 rename to templates/platform/level0/launchpad/service_principals.tfvars.j2.old diff --git a/templates/platform/level0/launchpad/storage_accounts.tfvars.j2 b/templates/platform/level0/launchpad/storage_accounts.tfvars.j2 deleted file mode 100644 index 8aa17568c..000000000 --- a/templates/platform/level0/launchpad/storage_accounts.tfvars.j2 +++ /dev/null 
@@ -1,90 +0,0 @@ - -storage_accounts = { - level0 = { - name = "{{ resources.subscriptions[subscription_key].storage_accounts.level0.name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level0.resource_group_key }}" - account_kind = "BlobStorage" - account_tier = "Standard" - shared_access_key_enabled = false - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - - tags = { - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. - # Only adjust the environment value at creation time - caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" - caf_launchpad = "launchpad" - caf_tfstate = "level0" - ## - } - - blob_properties = { - versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }} - container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }} - delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }} - } - - containers = { - {{ config.tfstates.platform.launchpad.workspace | default('tfstate') }} = { - name = "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" - } - } - } - - level1 = { - name = "{{ resources.subscriptions[subscription_key].storage_accounts.level1.name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level1.resource_group_key }}" - account_kind = "BlobStorage" - account_tier = "Standard" - shared_access_key_enabled = false - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - - tags = { - # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates. 
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" - caf_launchpad = "launchpad" - caf_tfstate = "level1" - } - - blob_properties = { - versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }} - container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }} - delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }} - } - - containers = { - {{ config.tfstates.platform.launchpad.workspace | default('tfstate') }} = { - name = "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" - } - } - } - - level2 = { - name = "{{ resources.subscriptions[subscription_key].storage_accounts.level2.name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level2.resource_group_key }}" - account_kind = "BlobStorage" - account_tier = "Standard" - shared_access_key_enabled = false - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - - tags = { - # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates. - caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" - caf_launchpad = "launchpad" - caf_tfstate = "level2" - } - - blob_properties = { - versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }} - container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }} - delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }} - } - - containers = { - {{ config.tfstates.platform.launchpad.workspace | default('tfstate') }} = { - name = "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" - } - } - } - - -} \ No newline at end of file 
diff --git a/templates/platform/level1/eslz/ansible.yaml b/templates/platform/level1/eslz/ansible.yaml
index 583a6ed3e..02159edd4 100644
--- a/templates/platform/level1/eslz/ansible.yaml
+++ b/templates/platform/level1/eslz/ansible.yaml
@@ -1,58 +1,69 @@ -- name: "{{ level }}-{{ base_folder }} | Clean-up base directory" +- name: "{{level }}-{{ deployment}} - Set landingzone file_path" + set_fact: + destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{ level }}/{{ deployment }}" + mg: "{{ lookup('file', '{{ config_folder }}/eslz/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" + mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/custom_landing_zones.caf.platform.yaml') | from_yaml }}" + level: "{{tfstate_object.level}}" + verbosity: 2 + +- debug: + msg: "{{destination_path}}" + +- name: "{{ level }}-{{ deployment }} | Clean-up base directory" shell: | - rm -rf "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" + rm -rf "{{ destination_path }}" when: - config.platform_core_setup.enterprise_scale.enable - config.platform_core_setup.enterprise_scale.clean_up_destination_folder -- name: "{{ level }}-{{ base_folder }} | Creates directory structure" - shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/{{ item.path }}" - with_filetree: "{{ level }}/{{ base_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}" +- name: "{{ level }}-{{ deployment }} | Creates directory structure" + shell: mkdir -p "{{ destination_path }}/lib/{{ item.path }}" + with_filetree: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder}}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}" when: item.state == 'directory' -- name: "{{ level }}-{{ base_folder }} | Tfvars" +- name: "{{ level }}-{{ deployment }} | Tfvars" ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ 
level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - - "{{ level }}/{{ base_folder }}/*.j2" - - "{{ level }}/{{ base_folder }}/*.md" + - "{{ level }}/{{ deployment }}/*.j2" + - "{{ level }}/{{ deployment }}/*.md" -- name: "{{ level }}-{{ base_folder }} | Lib - archetypes - built-in" +- name: "{{ level }}-{{ deployment }} | Lib - archetypes - built-in" ansible.builtin.template: - src: "{{ base_templates_folder }}/{{ level }}/eslz/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/archetype_definition_template.json.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json" + src: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder}}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/archetype_definition_template.json.j2" + dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg.archetype_definitions.keys() }}" loop_control: loop_var: item -- name: "{{ level }}-{{ base_folder }} | Lib - archetypes - custom" +- name: "{{ level }}-{{ deployment }} | Lib - archetypes - custom" when: - mg_custom.archetype_definitions is defined ansible.builtin.template: - src: "{{ base_templates_folder }}/{{ level }}/eslz/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/custom_landing_zone_template.json.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/archetype_definitions/archetype_definition_{{ 
mg_custom.archetype_definitions[item].archetype_id }}.json" + src: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/custom_landing_zone_template.json.j2" + dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg_custom.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg_custom.archetype_definitions.keys() }}" loop_control: loop_var: item -- name: "{{ level }}-{{ base_folder }} | Lib" +- name: "{{ level }}-{{ deployment }} | Lib" ansible.builtin.template: src: "{{ item.src }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/{{ item.path }}" + dest: "{{ destination_path }}/lib/{{ item.path }}" force: yes with_filetree: "{{ config_folder }}/eslz/lib" when: item.state == 'file' and config.platform_core_setup.enterprise_scale.update_lib_folder -- name: "{{ level }}-{{ base_folder }} | overrides" +- name: "{{ level }}-{{ deployment }} | overrides" when: - mg_custom.archetype_definitions is defined ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - - "{{ level }}/{{ base_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/*.tfvars.j2" + - "{{ level }}/{{ deployment }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/*.tfvars.j2" diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 index 56045fc03..3b51b0112 100644 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 
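Review bot: In the new `Set landingzone file_path` task, `destination_path` is templated with `{{ level }}` while `level: "{{tfstate_object.level}}"` is assigned in the same `set_fact`; set_fact renders all of its values against the variables that exist before the task runs, so `destination_path` presumably picks up the previous `level` (or fails when none is defined) rather than `tfstate_object.level` — move the `level` assignment into its own `set_fact` placed before this one. `verbosity: 2` is a debug-module option, not a set_fact one; on set_fact it just stores a host fact named `verbosity`, and the same line appears on the new set_fact tasks in process_resources.yaml and process_stages.yaml. The `rm -rf "{{ destination_path }}"` clean-up would be safer as `ansible.builtin.file: { path: "{{ destination_path }}", state: absent }`, which the asvm playbook used before this change and which avoids passing a templated path through a shell. The `'{{ config_folder }}/...'` nested inside `lookup('file', …)` for `mg` and `mg_custom` relies on double templating; `lookup('file', config_folder + '/eslz/archetype_config_overrides.caf.platform.yaml')` is the direct form, and the same nesting is used in process_deployments.yaml and process_stages.yaml.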
+++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2
@@ -1,4 +1,4 @@
-library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib"
+library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ tfstate_object.sub_template_folder }}/lib"
 {% if config.platform_core_setup.enterprise_scale.root_parent_id is defined %}
 root_parent_id = "{{ config.platform_core_setup.enterprise_scale.root_parent_id }}"
 {% endif %}
diff --git a/templates/platform/level1/eslz/configuration.tfvars.j2 b/templates/platform/level1/eslz/landingzone.tfvars.j2
similarity index 100%
rename from templates/platform/level1/eslz/configuration.tfvars.j2
rename to templates/platform/level1/eslz/landingzone.tfvars.j2
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
index 8d96940d2..c95c57d8a 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
+++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
@@ -62,7 +62,7 @@ custom_landing_zones = {
 }
 subscriptions = {}
 {% if level.subscription_ids is defined %}
- subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('\'','\"') }}
+ subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 subscription_ids = []
 {% endif %}
diff --git a/templates/platform/level1/eslz/readme.md b/templates/platform/level1/eslz/readme.md
index 96b22db83..17a616b85 100644
--- a/templates/platform/level1/eslz/readme.md
+++ b/templates/platform/level1/eslz/readme.md
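Review bot: `library_path` now ends in `{{ tfstate_object.sub_template_folder }}/lib`, but the companion eslz/ansible.yaml in this commit writes the lib folder under `destination_path`, which it builds from `{{ level }}/{{ deployment }}`, and uses `sub_template_folder` only as the *source* template folder for `with_filetree`. Unless `sub_template_folder` is guaranteed to equal `level/deployment`, the rendered path points at a directory the playbook never populates. Either derive both from the same variable, e.g. `library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ deployment }}/lib"`, or add a comment at the top of the template stating the invariant the playbook relies on.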
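Review bot: The `replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"')` chain turns the Python repr of a list into HCL by string substitution, which breaks on any element containing a quote, bracket or comma, and the same chain is now copied into nine places across this file and both hunks of subscription_id_overrides.tfvars.j2. `{{ level.subscription_ids | default([], true) | to_nice_json }}` renders a valid multi-line HCL list directly and also covers the `None` case the first `replace` handles. If the values are always plain subscription-id strings this is fragility rather than a bug, but a shared macro or filter would at least remove the duplication.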
@@ -18,7 +18,7 @@ rover \
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_eslz.vault_uri }} \
 {% endif %}
 -lz {{ destination_base }}/landingzones/caf_solution/add-ons/caf_eslz \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
+ -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 -tfstate {{ config.tfstates.platform.eslz.tfstate }} \
 -log-severity ERROR \
diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2
index 1d0d43eca..19082ee50 100644
--- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2
+++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2
@@ -1,7 +1,7 @@
 subscription_id_overrides = {
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %}
- root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('\'','\"') }}
+ root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 root = []
 {% endif %}
@@ -14,37 +14,37 @@ subscription_id_overrides = { {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} - decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('\'','\"') }} + decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} decommissioned = [] {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes is defined %} - sandboxes = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('\'','\"') }} + sandboxes = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} sandboxes = [] {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %} - landing-zones = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('\'','\"') }} + landing-zones = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} landing-zones = [] {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform is defined %} - platform = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('\'','\"') }} + platform = {{ 
config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} platform = [] {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity is defined %} - connectivity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('\'','\"') }} + connectivity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} connectivity = [] {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.management is defined %} - management = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('\'','\"') }} + management = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} management = [] {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity is defined %} - identity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('\'','\"') }} + identity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} identity = [] {% endif %} diff --git a/templates/platform/level1/identity/ansible.yaml b/templates/platform/level1/identity/ansible.yaml.old similarity index 100% rename from templates/platform/level1/identity/ansible.yaml rename to templates/platform/level1/identity/ansible.yaml.old 
diff --git a/templates/platform/level1/identity/landingzone.tfvars.j2 b/templates/platform/level1/identity/landingzone.tfvars.j2.old
similarity index 100%
rename from templates/platform/level1/identity/landingzone.tfvars.j2
rename to templates/platform/level1/identity/landingzone.tfvars.j2.old
diff --git a/templates/platform/level1/identity/readme.md b/templates/platform/level1/identity/readme.md
index d2a8ecee1..f7c0f8314 100644
--- a/templates/platform/level1/identity/readme.md
+++ b/templates/platform/level1/identity/readme.md
@@ -22,7 +22,7 @@ rover \
 {% endif %}
 {% endif %}
 -lz /tf/caf/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
+ -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
 -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \
diff --git a/templates/platform/level1/management/ansible.yaml b/templates/platform/level1/management/ansible.yaml.old
similarity index 100%
rename from templates/platform/level1/management/ansible.yaml
rename to templates/platform/level1/management/ansible.yaml.old
diff --git a/templates/platform/level1/management/landingzone.tfvars.j2 b/templates/platform/level1/management/landingzone.tfvars.j2.old
similarity index 100%
rename from templates/platform/level1/management/landingzone.tfvars.j2
rename to templates/platform/level1/management/landingzone.tfvars.j2.old
diff --git a/templates/platform/level1/management/readme.md b/templates/platform/level1/management/readme.md
index 130826048..23edecc4c 100644
--- a/templates/platform/level1/management/readme.md
+++ b/templates/platform/level1/management/readme.md
@@ -22,7 +22,7 @@ rover \
 {% endif %}
 {% endif %}
 -lz /tf/caf/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
+ -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
 -target_subscription {{ platform_subscriptions_details.management.subscription_id }} \
diff --git a/templates/platform/level1/subscriptions/ansible.yaml b/templates/platform/level1/subscriptions/ansible.yaml.old
similarity index 100%
rename from templates/platform/level1/subscriptions/ansible.yaml
rename to templates/platform/level1/subscriptions/ansible.yaml.old
diff --git a/templates/platform/level1/subscriptions/landingzone.tfvars.j2 b/templates/platform/level1/subscriptions/landingzone.tfvars.j2.old
similarity index 100%
rename from templates/platform/level1/subscriptions/landingzone.tfvars.j2
rename to templates/platform/level1/subscriptions/landingzone.tfvars.j2.old
diff --git a/templates/platform/level1/subscriptions/readme.md b/templates/platform/level1/subscriptions/readme.md
index dc36cd7b9..3aea9caab 100644
--- a/templates/platform/level1/subscriptions/readme.md
+++ b/templates/platform/level1/subscriptions/readme.md
@@ -14,7 +14,7 @@ rover \
 {% endif %}
 {% endif %}
 -lz /tf/caf/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
+ -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 -tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \
 -log-severity {{ config.gitops.rover_log_error }} \
diff --git a/templates/platform/level2/ansible_deployment.yaml b/templates/platform/level2/ansible_deployment.yaml.old
similarity index 100%
rename from templates/platform/level2/ansible_deployment.yaml
rename to templates/platform/level2/ansible_deployment.yaml.old
diff --git a/templates/platform/level2/ansible_resource_deployment.yaml b/templates/platform/level2/ansible_resource_deployment.yaml.old
similarity index 100%
rename from templates/platform/level2/ansible_resource_deployment.yaml
rename to templates/platform/level2/ansible_resource_deployment.yaml.old
diff --git a/templates/platform/level2/ansible_resource_type.yaml b/templates/platform/level2/ansible_resource_type.yaml.old
similarity index 100%
rename from templates/platform/level2/ansible_resource_type.yaml
rename to templates/platform/level2/ansible_resource_type.yaml.old
diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml
index 2135fd666..0b26e230c 100644
--- a/templates/platform/level2/asvm/ansible.yaml
+++ b/templates/platform/level2/asvm/ansible.yaml
@@ -1,31 +1,31 @@ -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" +# - name: "[{{ level }}-{{ base_folder }}] - Set variables" +# set_fact: +# destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" -- name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "asvm.yaml" +# - name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" +# include_vars: +# name: resources +# dir: "{{config_folder}}" +# depth: 1 +# ignore_unknown_extensions: true +# files_matching: "asvm.yaml" -- debug: - msg: "{{resources}}" +# - debug: +# msg: "{{resources}}" -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool +# - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" +# file: +# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" +# state: absent +# when: config.configuration_folders.platform.cleanup_destination | bool -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory +# - name: "[{{ level }}-{{ base_folder }}] Creates directory" +# file: +# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" +# state: directory -- name: "[{{ 
level }}-{{ base_folder }}] Get level2 tfstate account name" +- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name" register: level2_storage_account shell: | az storage account list \ @@ -34,9 +34,9 @@ - debug: msg: "{{level2_storage_account}}" + verbosity: 2 - -- name: "[{{ level }}-{{ base_folder }}] Get level2 tfstate account name" +- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name" register: level2_storage_rg shell: | az storage account list \ 
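Review bot: The renamed task in this hunk keeps the name `Get level2 tfstate account name` although it registers `level2_storage_rg`, so two tasks now share one name while capturing different things, and the debug that appears to follow it at the top of the next hunk prints `level2_storage_account` rather than `level2_storage_rg` — this looks like a copy-paste slip rather than intent. Rename the second task to `"[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate resource group"` and have its debug print the variable it registered. The `az storage account list` body of this task continues outside the hunk.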
@@ -45,48 +45,49 @@ - debug: msg: "{{level2_storage_account}}" + verbosity: 2 -# -# resource_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" +# # +# # resource_groups +# # +# - name: "[{{ level }}-{{ base_folder }}] - resource_groups" +# when: +# - resources.subscriptions[subscription_key].resource_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/resource_groups.tfvars.j2" -# -# azuread_groups -# -- name: "[{{ level }}-{{ base_folder }}] - azuread_groups" - when: - - resources.subscriptions[subscription_key].azuread_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_groups.tfvars.j2" +# # +# # azuread_groups +# # +# - name: "[{{ level }}-{{ base_folder }}] - azuread_groups" +# when: +# - resources.subscriptions[subscription_key].azuread_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/azuread_groups.tfvars.j2" -- name: "[{{ level }}-{{ base_folder }}] asvm" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - force: yes - loop: - - dynamic_secrets - - 
keyvaults - - landingzone - - role_mappings - - storage_accounts +# - name: "[{{ level }}-{{ base_folder }}] asvm" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" +# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" +# force: yes +# loop: +# - dynamic_secrets +# - keyvaults +# - landingzone +# - role_mappings +# - storage_accounts -- name: "[{{ level }}-{{ base_folder }}] launchpad - readme" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/readme.md" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md" - force: yes \ No newline at end of file +# - name: "[{{ level }}-{{ base_folder }}] launchpad - readme" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/readme.md" +# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md" +# force: yes \ No newline at end of file diff --git a/templates/platform/level2/asvm/landingzone.tfvars.j2 b/templates/platform/level2/asvm/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/asvm/landingzone.tfvars.j2 rename to templates/platform/level2/asvm/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/asvm/readme.md b/templates/platform/level2/asvm/readme.md index 70b86198e..cbd54f9b1 100644 --- a/templates/platform/level2/asvm/readme.md +++ b/templates/platform/level2/asvm/readme.md 
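Review bot: This hunk, like the file's first hunk, replaces the old tasks with commented-out copies (`# - name: …` for resource_groups, azuread_groups, the asvm tfvars loop and the readme) rather than deleting them; git history already keeps the old version, and the dead text leaves it unclear whether that rendering moved elsewhere or simply stopped. Delete the commented blocks, or keep a single line such as `# resource_groups / azuread_groups / asvm tfvars are now rendered by process_resources.yaml` if that is indeed where they went. With the `include_vars` in the first hunk commented out as well, `resources` and `deployment` used in the renamed task names must now be supplied by the including playbook; a short header comment naming that contract would help the next reader.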
@@ -13,7 +13,7 @@ rover \
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
 {% endif %}
 -lz {{ destination_base }}/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
+ -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
 -tfstate {{ config.tfstates.platform.asvm.tfstate }} \
diff --git a/templates/platform/level2/asvm/storage_accounts.tfvars.j2 b/templates/platform/level2/asvm/storage_accounts.tfvars.j2.old
similarity index 100%
rename from templates/platform/level2/asvm/storage_accounts.tfvars.j2
rename to templates/platform/level2/asvm/storage_accounts.tfvars.j2.old
diff --git a/templates/platform/level2/connectivity/ansible.yaml b/templates/platform/level2/connectivity/ansible.yaml.old
similarity index 100%
rename from templates/platform/level2/connectivity/ansible.yaml
rename to templates/platform/level2/connectivity/ansible.yaml.old
diff --git a/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old
similarity index 100%
rename from templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2
rename to templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old
diff --git a/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old
similarity index 100%
rename from templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2
rename to templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old
diff --git a/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2 rename to templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 b/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 deleted file mode 100644 index 79894da6c..000000000 --- a/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 +++ /dev/null @@ -1,36 +0,0 @@ -vpn_sites = { - {{ site }} = { - name = "{{ connectivity_vpn_sites.vpn_sites[site].name }}" - resource_group = { - lz_key = "{{ connectivity_vpn_sites.vpn_sites[site].resource_group.lz_key }}" - key = "{{ connectivity_vpn_sites.vpn_sites[site].resource_group.key }}" - } - virtual_wan = { - lz_key = "{{ connectivity_vpn_sites.vpn_sites[site].virtual_wan.lz_key }}" - key = "{{ connectivity_vpn_sites.vpn_sites[site].virtual_wan.key }}" - } - device_vendor = "{{ connectivity_vpn_sites.vpn_sites[site].device_vendor }}" -{% if connectivity_vpn_sites.vpn_sites[site].address_cidrs is defined %} - address_cidrs = {{ connectivity_vpn_sites.vpn_sites[site].address_cidrs | replace('None','[]') | replace('\'','\"') }} -{% endif %} - links = { -{% for link_key, link in connectivity_vpn_sites.vpn_sites[site].links.items() %} - {{ link_key }} = { - name = "{{ link.name }}" - ip_address = "{{ link.ip_address }}" - provider_name = "{{ link.provider_name }}" - speed_in_mbps = "{{ link.speed_in_mbps }}" -{% if link.fqdn is defined %} - fqdn = "{{ ink.fqdn }}" -{% endif %} -{% if link.bgp is defined %} - bgp = { - asn = "{{ link.bgp.asn }}" - peering_address = "{{ link.bgp.peering_address }}" - } -{% endif %} - } -{% endfor %} - } - } -} \ No newline at end of file 
diff --git a/templates/platform/level2/identity/ansible.yaml b/templates/platform/level2/identity/ansible.yaml.old
similarity index 100%
rename from templates/platform/level2/identity/ansible.yaml
rename to templates/platform/level2/identity/ansible.yaml.old
diff --git a/templates/platform/process_deployments.yaml b/templates/platform/process_deployments.yaml
new file mode 100644
index 000000000..7aae3f269
--- /dev/null
+++ b/templates/platform/process_deployments.yaml
@@ -0,0 +1,21 @@
+
+- debug:
+ msg: "file {{file_to_process.path}}"
+
+- set_fact:
+ resources: "{{ lookup('file', '{{ file_to_process.path }}') | from_yaml }}"
+
+- set_fact:
+ env: "{{resources.deployments.tfstate.values() | first | default('')}}"
+
+- name: "{{tfstates[tfstate]}} - Set tfstate_object"
+ set_fact:
+ tfstate_object: '{{config.tfstates.platform[resources.deployments.tfstate.keys() | first] if env == "" else config.tfstates.platform[resources.deployments.tfstate.keys() | first][env]}}'
+
+- name: "Including tasks process_tfstate.yaml"
+ include_tasks: "process_tfstate.yaml"
+ loop: ["{{resources.deployments.tfstate.keys() | first }}"]
+ loop_control:
+ loop_var: deployment
+ vars:
+ config_file: "{{ file_to_process.path }}"
\ No newline at end of file
diff --git a/templates/platform/process_foundations.yaml b/templates/platform/process_foundations.yaml
new file mode 100644
index 000000000..fff4a2ccd
--- /dev/null
+++ b/templates/platform/process_foundations.yaml
@@ -0,0 +1,10 @@
+
+- debug:
+ msg: "stage {{stage}} - {{bootstrap[step][stage]}}"
+
+- include_tasks: "process_stages.yaml"
+ loop: "{{bootstrap[step][stage].keys()}}"
+ loop_control:
+ loop_var: tfstate
+ vars:
+ tfstates: "{{bootstrap[step][stage]}}"
\ No newline at end of file
diff --git a/templates/platform/process_resources.yaml b/templates/platform/process_resources.yaml
new file mode 100644
index 000000000..c3b7a0054
--- /dev/null
+++ b/templates/platform/process_resources.yaml
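Review bot: The task name `"{{tfstates[tfstate]}} - Set tfstate_object"` references `tfstates` and `tfstate`, which nothing in this file defines (they are set in process_stages.yaml, from which this name was presumably copied); when this file is included from a context without them the name renders as a raw template or fails, and either way it does not describe the deployment being processed. Name it from what this file does have, e.g. `"{{ file_to_process.path }} - Set tfstate_object"`. The `env == ""` comparison relies on `default('')` two tasks earlier, so a one-line comment such as `# env is '' when the tfstate entry has no environment value` on the `env` set_fact would make the branch in `tfstate_object` self-explanatory.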
@@ -0,0 +1,30 @@
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}} - check file to process"
+ stat:
+ path: "{{ansible_to_process}}/{{resource_type}}.tfvars.j2"
+ register: override_file
+
+- name: "{{deployment}} - Set resource_type file_path"
+ set_fact:
+ resource_type_template: "{{resource_template_folder}}/{{resource_type}}.tfvars.j2"
+ resource_type_override: "{{ansible_to_process }}/{{resource_type}}.tfvars.j2"
+ verbosity: 2
+
+- debug:
+ msg:
+ - "resource_type_template for {{resource_type_template}}"
+ - "{{resource_type_override}}"
+ - "{{override_file}}"
+ verbosity: 2
+
+
+#
+# resources
+#
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}}"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ force: yes
+ with_fileglob:
+ - "{{resource_type_override if override_file.stat.exists else resource_type_template}}"
+
diff --git a/templates/platform/process_stages.yaml b/templates/platform/process_stages.yaml
new file mode 100644
index 000000000..f2c043615
--- /dev/null
+++ b/templates/platform/process_stages.yaml
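Review bot: `verbosity: 2` under `set_fact` in the `Set resource_type file_path` task is not a module option; set_fact treats every key as a fact to define, so this silently creates a host fact named `verbosity` with value 2 and should be removed (verbosity is only meaningful on `debug`). The same misplaced key sits under set_fact in process_stages.yaml (`Set env`, `Set tfstate_object`) and process_subscription_resources.yaml (`Set ansible_to_process`, `Set landingzone file_path`). Separately, the `dest:` line uses `regex_replace('.j2$', '')` with an unescaped dot; `regex_replace('\\.j2$', '')` strips only the literal extension, and the same expression is repeated twice in process_subscription_resources.yaml.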
@@ -0,0 +1,33 @@
+
+- debug:
+ msg: "tfstate {{tfstate}} - {{tfstates[tfstate]}}"
+
+
+- name: "{{tfstates[tfstate]}} - Set env"
+ set_fact:
+ env: "{{tfstates[tfstate].values() | first | default()}}"
+ verbosity: 2
+
+
+- name: "{{tfstates[tfstate]}} - Set tfstate_object"
+ set_fact:
+ tfstate_object: '{{config.tfstates.platform[tfstates[tfstate].keys() | first] if env == "" else config.tfstates.platform[tfstates[tfstate].keys() | first][env]}}'
+ verbosity: 2
+
+- name: "{{tfstates[tfstate]}} - Set config_file"
+ set_fact:
+ config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
+
+- debug:
+ msg: '{{ config_file }}'
+ verbosity: 2
+
+- name: "Including tasks process_tfstate.yaml"
+ include_tasks: "process_tfstate.yaml"
+ loop: "{{tfstates[tfstate].keys()}}"
+ loop_control:
+ loop_var: deployment
+ vars:
+ key: "{{tfstates[tfstate]}}"
+ resources: "{{ lookup('file', '{{ config_file }}') | from_yaml }}"
+ deployments: "{{ lookup('file', '{{ config_file }}') | from_yaml }}"
\ No newline at end of file
diff --git a/templates/platform/process_subscription_resources.yaml b/templates/platform/process_subscription_resources.yaml
new file mode 100644
index 000000000..3bb94c2ba
--- /dev/null
+++ b/templates/platform/process_subscription_resources.yaml
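Review bot: The `vars:` block of the include reads and parses the same file twice — `resources:` and `deployments:` are both `lookup('file', '{{ config_file }}') | from_yaml` — so one can be expressed through the other (`deployments: "{{ resources }}"`), or the duplicate dropped if process_tfstate.yaml only consumes `resources`. The `Set env` task uses `default()` while process_deployments.yaml uses `default('')` for the same value, and both are later compared with `env == ""`; using `default('')` in both makes that comparison intent visible.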
@@ -0,0 +1,76 @@
+
+- debug:
+ msg:
+ - "subscription_key {{subscription_key}}"
+ - "{{resources.subscriptions[subscription_key]}}"
+
+- name: "{{deployment}} - Set ansible_to_process"
+ set_fact:
+ ansible_to_process: "{{base_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else base_templates_folder + '/generic'}}"
+ verbosity: 2
+
+- name: "{{deployment}} - Set landingzone file_path"
+ set_fact:
+ landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2"
+ landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2"
+ destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}"
+ level: "{{tfstate_object.level}}"
+ verbosity: 2
+
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - check file to process"
+ stat:
+ path: "{{landingzone_override}}"
+ register: landingzone_override_file
+
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Clean-up directory"
+ file:
+ path: "{{destination_path}}"
+ state: absent
+ when: config.configuration_folders.platform.cleanup_destination | bool
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Creates directory"
+ file:
+ path: "{{destination_path}}"
+ state: directory
+
+
+
+- name: "{{deployment}} - process custom yaml process"
+ include_tasks: "{{base_templates_folder}}/{{tfstate_object.yaml}}"
+ when: tfstate_object.yaml is defined
+
+#
+# landingzone.tfvars
+#
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ force: yes
+ with_fileglob:
+ - "{{landingzone_override if landingzone_override_file.stat.exists else landingzone_template}}"
+
+#
+# Resources
+#
+
+- name: "{{deployment}} - process resources"
+ include_tasks: "process_resources.yaml"
+ loop: "{{resources.subscriptions[subscription_key] | list if resources.subscriptions[subscription_key] is mapping else [] }}"
+ loop_control:
+ loop_var: resource_type
+
+#
+# overrides
+#
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ force: yes
+ with_fileglob:
+ - "{{ ansible_to_process }}/*.j2"
+ - "{{ ansible_to_process }}/*.md"
+
diff --git a/templates/platform/process_tfstate.yaml b/templates/platform/process_tfstate.yaml
new file mode 100644
index 000000000..acbc3ba87
--- /dev/null
+++ b/templates/platform/process_tfstate.yaml
@@ -0,0 +1,22 @@
+
+- name: "Verify {{deployment}} {{key[deployment] | default()}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :"
+ debug:
+ msg:
+ - "{{config.tfstates.platform[deployment]}}"
+ - "resources - {{resources}}"
+
+- name: "{{deployment}} - tfstate_object sub_template_folder and config_file - {{env}}"
+ debug:
+ msg:
+ - 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
+ - 'config_file - {{tfstate_object.config_file | default()}}'
+ - 'tfstate_object - {{tfstate_object}}'
+ verbosity: 2
+
+- name: "{{deployment}} - process subscription resources"
+ include_tasks: "process_subscription_resources.yaml"
+ loop: "{{resources.subscriptions.keys()}}"
+ loop_control:
+ loop_var: subscription_key
+ vars:
+ level: "{{tfstate_object.level}}"
diff --git a/templates/resources/azuread_api_permissions.tfvars.j2 b/templates/resources/azuread_api_permissions.tfvars.j2
new file mode 100644
index 000000000..4a5ebc39e
--- /dev/null
+++ b/templates/resources/azuread_api_permissions.tfvars.j2
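Review bot: The `Clean-up directory` task deletes `{{destination_path}}` recursively (`state: absent`), and destination_path is assembled in the `Set landingzone file_path` task from three configuration values ending in `resources.relative_destination_folder`; if that last value is empty or contains `..`, the deletion hits `destination_base_path` itself or a directory above it. An `assert` task placed before the cleanup bounds the blast radius, e.g. `that: ["resources.relative_destination_folder | length > 0", "'..' not in resources.relative_destination_folder"]`, and is cheap since the value is already in scope. The `process custom yaml process` include builds its task-file path from `tfstate_object.yaml` in the same way, so the same containment check presumably belongs there too.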
@@ -0,0 +1,32 @@
+azuread_api_permissions = {
+{% for key, value in resources.subscriptions[subscription_key].azuread_api_permissions.items() %}
+ {{ key }} = {
+{% if value.microsoft_graph is defined %}
+ microsoft_graph = {
+ resource_app_id = "{{ value.microsoft_graph.resource_app_id }}"
+ resource_access = {
+{% for r_key, r_value in value.microsoft_graph.resource_access.items() %}
+ {{r_key}} = {
+ id = "{{ r_value.id }}"
+ type = "{{ r_value.type }}"
+ }
+{% endfor%}
+ }
+ }
+{% endif %}
+{% if value.active_directory_graph is defined %}
+ active_directory_graph = {
+ resource_app_id = "{{ value.active_directory_graph.resource_app_id }}"
+ resource_access = {
+{% for r_key, r_value in value.active_directory_graph.resource_access.items() %}
+ {{r_key}} = {
+ id = "{{ r_value.id }}"
+ type = "{{ r_value.type }}"
+ }
+{% endfor%}
+ }
+ }
+{% endif %}
+ }
+{% endfor %}
+}
diff --git a/templates/resources/azuread_roles.tfvars.j2 b/templates/resources/azuread_roles.tfvars.j2
new file mode 100644
index 000000000..338f4a52d
--- /dev/null
+++ b/templates/resources/azuread_roles.tfvars.j2
@@ -0,0 +1,15 @@
+#
+# Available roles:
+# az rest --method Get --uri https://graph.microsoft.com/v1.0/directoryRoleTemplates -o json | jq -r .value[].displayName
+#
+azuread_roles = {
+{% for key, value in resources.subscriptions[subscription_key].azuread_roles.items() %}
+ {{ key }} = {
+{% for l_key, l_value in value.items() %}
+ {{l_key}} = {
+ roles = {{ l_value.roles | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
+ }
+{% endfor %}
+ }
+{% endfor %}
+}
\ No newline at end of file
diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 b/templates/resources/dynamic_keyvault_secrets.tfvars.j2
index 0797ccf1a..b43870518 100644
--- a/templates/resources/dynamic_keyvault_secrets.tfvars.j2
+++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2
@@ -1,12 +1,13 @@ dynamic_keyvault_secrets = { -{% for kv_key, kv_value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} - {{ kv_key }} = { -{% for key, value in kv_value.items() %} - {{ key }} = { - secret_name = "{{ value.secret_name }}" - value = "{{ value['value'] }}" +{% for key, value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} + {{ key }} = { +{% for l1_key, l1_value in value.items() %} + {{l1_key}} = { +{% for l2_key, l2_value in l1_value.items() %} + {{l2_key}} = "{{l2_value}}" +{% endfor%} } -{% endfor %} +{% endfor%} } {% endfor %} } \ No newline at end of file diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old b/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old new file mode 100644 index 000000000..0797ccf1a --- /dev/null +++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old @@ -0,0 +1,12 @@ +dynamic_keyvault_secrets = { +{% for kv_key, kv_value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} + {{ kv_key }} = { +{% for key, value in kv_value.items() %} + {{ key }} = { + secret_name = "{{ value.secret_name }}" + value = "{{ value['value'] }}" + } +{% endfor %} + } +{% endfor %} +} \ No newline at end of file diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2 index c3fb3d132..cc3ef7b07 100644 --- a/templates/resources/landingzone.tfvars.j2 +++ b/templates/resources/landingzone.tfvars.j2 
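Review bot: The new inner loop emits every leaf as a quoted string (`{{l2_key}} = "{{l2_value}}"`), so any boolean or numeric attribute of a secret definition reaches Terraform as a string, and a value containing a double quote produces an unparsable tfvars file; `{{l2_key}} = {{ l2_value | to_json }}` preserves the YAML type and quotes strings safely. The two `{% endfor%}` tags (no space before `%}`) are inconsistent with the surrounding `{% endfor %}` and with the other templates in this commit.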
@@ -3,49 +3,56 @@ landingzone = { {% if config.tfstates['asvm'][subscription_key].level is defined %} {% set level = config.tfstates['asvm'][subscription_key].level %} level = "{{ level }}" -{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first %} - {% set level = config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first].level %} +{% elif resources.deployments.landingzone.key.platform.values() | first %} + {% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].level %} level = "{{ level }}" +{% elif resources.deployments.landingzone is defined %} + {% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level %} + level = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level}}" {% else %} - {% set level = config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %} + {% set level = config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %} level = "{{ level }}" {% endif %} -{% if deployments.deployments[subscription_key][deployment].landingzone.key.asvm is defined %} -{% for l_key, l_value in deployments.deployments[subscription_key][deployment].landingzone.key.asvm.items() %} +{% if resources.deployments.landingzone.key.asvm is defined %} +{% for l_key, l_value in resources.deployments.landingzone.key.asvm.items() %} key = "{{ config.tfstates['asvm'][l_key][l_value].lz_key_name}}" {% endfor %} -{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first %} - key = 
"{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first].lz_key_name }}" +{% elif resources.deployments.landingzone.key.platform.values() | first %} + key = "{{ config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].lz_key_name }}" +{% elif resources.deployments.landingzone.key.platform is defined %} + key = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].lz_key_name}}" {% else %} - key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}" + key = "{{ config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}" {% endif %} -{% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform is defined %} -{% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.values() | first %} - global_settings_key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.values() | first].lz_key_name }}" +{% if resources.deployments.landingzone.global_settings_key.platform is defined %} +{% if resources.deployments.landingzone.global_settings_key.platform.values() | first %} + global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first][resources.deployments.landingzone.global_settings_key.platform.values() | first].lz_key_name }}" {% else %} - global_settings_key = "{{ 
config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" + global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" {% endif %} +{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is defined %} + global_settings_key = "{{ config.tfstates['platform'][resources.deployments[subscription_key].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" +{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is not defined %} {% else %} -{% for m_key, m_value in deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %} +{% for m_key, m_value in resources.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %} global_settings_key = "{{ config.tfstates['asvm'][m_key][m_value].lz_key_name }}" {% endfor %} {% endif %} - -{% if deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates is defined %} +{% if resources.deployments.landingzone.remote_tfstates is defined %} tfstates = { -{% if deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.asvm is defined %} -{% for a_key, a_value in deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.asvm.items() %} +{% if resources.deployments.landingzone.remote_tfstates.asvm is defined %} +{% for a_key, a_value in resources.deployments.landingzone.remote_tfstates.asvm.items() %} {{ config.tfstates['asvm'][a_key][a_value].lz_key_name }} = { tfstate = "{{ config.tfstates['asvm'][a_key][a_value].tfstate }}" workspace = "{{ config.tfstates['asvm'][a_key].workspace }}" } {% endfor %} {% endif %} -{% if deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform is defined %} -{% for 
p_key in deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform.keys() %} -{% if config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]] is defined %} - {{ config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = { - {% set remote_tfstate = config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]] %} +{% if resources.deployments.landingzone.remote_tfstates.platform is defined %} +{% for p_key in resources.deployments.landingzone.remote_tfstates.platform.keys() %} +{% if config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]] is defined %} + {{ config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = { + {% set remote_tfstate = config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]] %} tfstate = "{{ remote_tfstate.tfstate }}" workspace = "{{ remote_tfstate.workspace | default('tfstate') }}" {% if remote_tfstate.level != level %} @@ -66,10 +73,9 @@ landingzone = { } {% endif %} } - -{% if deployments.deployments[subscription_key][deployment].custom_variables is defined %} +{% if resources.deployments[subscription_key][deployment].custom_variables is defined %} custom_variables = { -{% for cv_key, cv_value in deployments.deployments[subscription_key][deployment].custom_variables.items() %} +{% for cv_key, cv_value in resources.deployments[subscription_key][deployment].custom_variables.items() %} {{cv_key}} = "{{cv_value}}" {% endfor %} } diff --git a/templates/resources/storage_accounts.tfvars.j2 b/templates/resources/storage_accounts.tfvars.j2 new file mode 100644 index 000000000..b9d9079ec --- /dev/null 
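Review bot: In the new `level` chain the guard `{% elif resources.deployments.landingzone is defined %}` comes after `{% elif resources.deployments.landingzone.key.platform.values() | first %}`, which already dereferences `resources.deployments.landingzone`; when `landingzone` is absent the earlier branch fails before the guard is reached, so the `is defined` test has to be evaluated first (or the earlier condition written as `resources.deployments.landingzone.key.platform is defined and ... | first`). That same branch sets `level` and then re-evaluates the full expression in its output line instead of `level = "{{ level }}"` like the other branches. In the `global_settings_key` block, `{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is not defined %}` is an empty branch whose only purpose is to skip the asvm loop, which deserves a comment such as `{# deployment has no global_settings_key: emit nothing #}`. The `{% else %}` branches still index `resources.deployments[subscription_key][deployment]` while the rest of the hunk switches to `resources.deployments.landingzone`; presumably only one of the two layouts is produced by process_stages.yaml. The enclosing `landingzone = {` block opens before this hunk.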
+++ b/templates/resources/storage_accounts.tfvars.j2 
@@ -0,0 +1,110 @@
+storage_accounts = {
+{% for key, value in resources.subscriptions[subscription_key].storage_accounts.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+ resource_group_key = "{{ value.resource_group_key }}"
+ account_kind = "{{ value.account_kind | default('BlobStorage') }}"
+ account_tier = "{{ value.account_tier | default('Standard') }}"
+ shared_access_key_enabled = {{ value.shared_access_key_enabled | lower | default('false') }}
+ account_replication_type = "{{ value.account_replication_type }}"
+{% if value.access_tier is defined %}
+ access_tier = "{{ value.access_tier }}"
+{% endif %}
+{% if value.min_tls_version is defined %}
+ min_tls_version = "{{ value.min_tls_version }}"
+{% endif %}
+{% if value.allow_blob_public_access is defined %}
+ allow_blob_public_access = {{ value.allow_blob_public_access | lower }}
+{% endif %}
+{% if value.is_hns_enabled is defined %}
+ is_hns_enabled = {{ value.is_hns_enabled | lower }}
+{% endif %}
+{% if value.nfsv3_enabled is defined %}
+ nfsv3_enabled = {{ value.nfsv3_enabled | lower }}
+{% endif %}
+{% if value.large_file_share_enabled is defined %}
+ large_file_share_enabled = {{ value.large_file_share_enabled | lower }}
+{% endif %}
+{% if value.enable_system_msi is defined %}
+ enable_system_msi = {{ value.enable_system_msi | lower }}
+{% endif %}
+
+{% if value.blob_properties is defined %}
+ blob_properties = {
+{% if value.blob_properties.versioning_enabled is defined %}
+ versioning_enabled = {{ value.blob_properties.versioning_enabled | lower }}
+{% endif %}
+{% if value.blob_properties.change_feed_enabled is defined %}
+ change_feed_enabled = {{ value.blob_properties.change_feed_enabled | lower }}
+{% endif %}
+{% if value.blob_properties.last_access_time_enabled is defined %}
+ last_access_time_enabled = {{ value.blob_properties.last_access_time_enabled | lower }}
+{% endif %}
+{% if value.blob_properties.default_service_version is defined %}
+ default_service_version = "{{ value.blob_properties.default_service_version }}"
+{% endif %}
+{% if value.blob_properties.container_delete_retention_policy is defined %}
+ container_delete_retention_policy = {
+ days = {{ value.blob_properties.container_delete_retention_policy.days }}
+ }
+{% endif %}
+{% if value.blob_properties.delete_retention_policy is defined %}
+ delete_retention_policy = {
+ days = {{ value.blob_properties.delete_retention_policy.days }}
+ }
+{% endif %}
+ }
+{% endif %}
+
+{% if value.network is defined %}
+ network = {
+{% if value.network.default_action is defined %}
+ default_action = {{ value.network.default_action | lower }}
+{% endif %}
+{% if value.network.bypass is defined %}
+ bypass = {{ value.network.bypass | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% if value.network.ip_rules is defined %}
+ ip_rules = {{ value.network.ip_rules | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% if value.network.subnets is defined %}
+ subnets = {
+{% for s_key, s_value in value.network.subnets.items() %}
+ {{ s_key }} = {
+{% if s_value.remote_subnet_id is defined %}
+ remote_subnet_id = "{{ s_value.remote_subnet_id }}"
+{% else %}
+{% if s_value.lz_key is defined %}
+ lz_key = "{{ s_value.lz_key }}"
+{% endif %}
+ vnet_key = "{{ s_value.vnet_key }}"
+ subnet_key = "{{ s_value.subnet_key }}"
+{% endif %}
+ }
+{% endfor %}
+ }
+{% endif %}
+ }
+{% endif %}
+
+{% if value.containers is defined %}
+ containers = {
+{% for c_key, c_value in value.containers.items() %}
+ {{ c_key }} = {
+ name = "{{ c_value.name }}"
+ }
+{% endfor %}
+ }
+{% endif %}
+
+{% if value.tags is defined %}
+ tags = {
+{% for tag_key, tag_value in value.tags.items() %}
+ {{ tag_key }} = "{{ tag_value }}"
+{% endfor %}
+ }
+{% endif %}
+ }
+
+{% endfor %}
+}
\ No newline at end of file
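Review bot: On the `shared_access_key_enabled` line the filters are in the wrong order — `| lower | default('false')` applies `lower` first, so an unset value is either turned into a string before `default` can act or rejected as undefined, and the intended `false` fallback is never produced; it should read `shared_access_key_enabled = {{ value.shared_access_key_enabled | default('false') | lower }}`. The `default_action` line under `network` emits the value unquoted and lower-cased; if the configured value is the provider's `Allow`/`Deny` string, `deny` lands in the tfvars as a bare identifier rather than a string, so presumably `default_action = "{{ value.network.default_action }}"` is what is wanted. `min_tls_version` and `allow_blob_public_access` are written only when set in the YAML, so accounts without them inherit whatever the module or provider defaults to; a one-line comment above those `{% if %}` blocks stating that would help whoever reviews the configuration.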
diff --git a/templates/platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2 b/templates/resources/vpn_gateway_connections.tfvars.j2 similarity index 60% rename from templates/platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2 rename to templates/resources/vpn_gateway_connections.tfvars.j2 index 0720ce648..4cb978052 100644 --- a/templates/platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2 +++ b/templates/resources/vpn_gateway_connections.tfvars.j2 @@ -1,17 +1,18 @@ vpn_gateway_connections = { - {{ site }} = { - name = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].name }}" - internet_security_enabled = {{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].internet_security_enabled | default(true) | string | lower }} // propagate to default route table +{% for key, value in resources.subscriptions[subscription_key].vpn_gateway_connections.items() %} + {{ key }} = { + name = "{{ value.name }}" + internet_security_enabled = {{ value.internet_security_enabled | default(true) | string | lower }} // propagate to default route table vpn_site = { - key = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_site.key }}" + key = "{{ value.vpn_site.key }}" } virtual_hub = { - lz_key = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].virtual_hub.lz_key }}" - key = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].virtual_hub.key }}" + lz_key = "{{ value.virtual_hub.lz_key }}" + key = "{{ value.virtual_hub.key }}" } vpn_links = { -{% for link_key, link in connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_links.items() %} +{% for link_key, link in value.vpn_links.items() %} {{ link_key }} = { name = "{{ link.name }}" shared_key = "{{ link.shared_key }}" @@ -37,4 +38,5 @@ vpn_gateway_connections = { {% endfor %} } } +{% endfor %} } \ No newline at end of file 
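Review bot: The new `{% for key, value in ... %}` loop renders `shared_key = "{{ link.shared_key }}"` for every connection in the subscription configuration, so each VPN pre-shared key is copied from the YAML into the generated tfvars on disk in clear text; the line itself is unchanged, but moving it into the generic resources pipeline widens where that file gets produced. How the rendered tfvars are stored afterwards is not visible from this hunk, so if the module accepts it, a key-vault reference or an apply-time variable would keep the secret out of rendered files, and at minimum a comment on that line such as `{# shared_key is a secret: rendered output must not be committed #}` is warranted.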
diff --git a/templates/resources/vpn_sites.tfvars.j2 b/templates/resources/vpn_sites.tfvars.j2
new file mode 100644
index 000000000..d79984684
--- /dev/null
+++ b/templates/resources/vpn_sites.tfvars.j2
@@ -0,0 +1,38 @@
+vpn_sites = {
+{% for key, value in resources.subscriptions[subscription_key].vpn_sites.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+ resource_group = {
+ lz_key = "{{ value.resource_group.lz_key }}"
+ key = "{{ value.resource_group.key }}"
+ }
+ virtual_wan = {
+ lz_key = "{{ value.virtual_wan.lz_key }}"
+ key = "{{ value.virtual_wan.key }}"
+ }
+ device_vendor = "{{ value.device_vendor }}"
+ }
+{% if value.address_cidrs is defined %}
+ address_cidrs = {{ value.address_cidrs | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+ links = {
+{% for link_key, link in value.links.items() %}
+ {{ link_key }} = {
+ name = "{{ link.name }}"
+ ip_address = "{{ link.ip_address }}"
+ provider_name = "{{ link.provider_name }}"
+ speed_in_mbps = "{{ link.speed_in_mbps }}"
+{% if link.fqdn is defined %}
+ fqdn = "{{ ink.fqdn }}"
+{% endif %}
+{% if link.bgp is defined %}
+ bgp = {
+ asn = "{{ link.bgp.asn }}"
+ peering_address = "{{ link.bgp.peering_address }}"
+ }
+{% endif %}
+ }
+{% endfor %}
+ }
+{% endfor %}
+}
\ No newline at end of file
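Review bot: The `}` line directly after `device_vendor = "{{ value.device_vendor }}"` closes the `{{ key }} = {` block too early, so `address_cidrs` and the entire `links = { … }` map are emitted as siblings of the site entry instead of attributes of it; the deleted vpn_site/vpn_sites.tfvars.j2 had that brace after the links block, and it should move back to just before the outer `{% endfor %}`. On the `fqdn` line, `{{ ink.fqdn }}` references an undefined name (the loop variable is `link`), so any link that sets `fqdn` fails to render — a typo carried over from the old file; write `fqdn = "{{ link.fqdn }}"`.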