Merge pull request #215 from Azure/5.4.0

2106 - Integration with 5.4.0

.devcontainer/docker-compose.yml

@@ -6,7 +6,7 @@
   version: '3.7'
   services:
     rover:
-      image: aztfmod/rover:0.15.4-2105.2603
+      image: aztfmod/rover:1.0.1-2106.3012
       user: vscode
 
       labels:

.github/workflows/landingzones-tf13.yml → .github/workflows/landingzones-tf100.yml

@@ -3,11 +3,18 @@
 # Licensed under the MIT License.
 #
 
-name: landingzones-tf13
-  
+name: landingzones-tf100
+
 on:
+  workflow_dispatch:
+  pull_request:
+    paths-ignore:
+      - 'documentation/**'
+      - '_pictures/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
   schedule:
-    - cron:  '0 2 * * *'
+    - cron:  '0 3 * * *'
 
 env:
   TF_CLI_ARGS: '-no-color'
@@ -30,7 +37,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.13.7-2105.2603
+      image: aztfmod/rover:1.0.1-2106.3012
       options: --user 0
 
     steps:
@@ -82,7 +89,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:0.13.7-2105.2603
+      image: aztfmod/rover:1.0.1-2106.3012
       options: --user 0
 
     steps:
@@ -126,7 +133,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.13.7-2105.2603
+      image: aztfmod/rover:1.0.1-2106.3012
       options: --user 0
 
     steps:
@@ -159,7 +166,7 @@ jobs:
             -level level1 \
             -parallelism=30 \
             --environment ${{ github.run_id }} \
-            '-var tags={testing_job_id="${{ github.run_id }}"}'
+             '-var tags={testing_job_id="${{ github.run_id }}"}'
 
   networking200:
     name: networking-200
@@ -177,7 +184,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:0.13.7-2105.2603
+      image: aztfmod/rover:1.0.1-2106.3012
       options: --user 0
 
     steps:
@@ -220,7 +227,7 @@ jobs:
         random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.13.7-2105.2603
+      image: aztfmod/rover:1.0.1-2106.3012
       options: --user 0
 
     steps:

.github/workflows/landingzones-tf14.yml

@@ -4,8 +4,9 @@
 #
 
 name: landingzones-tf14
-  
+
 on:
+  workflow_dispatch:
   schedule:
     - cron:  '0 0 * * *'
 
@@ -30,7 +31,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.14.11-2105.2603
+      image: aztfmod/rover:0.14.11-2106.3012
       options: --user 0
 
     steps:
@@ -82,7 +83,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:0.14.11-2105.2603
+      image: aztfmod/rover:0.14.11-2106.3012
       options: --user 0
 
     steps:
@@ -126,7 +127,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.14.11-2105.2603
+      image: aztfmod/rover:0.14.11-2106.3012
       options: --user 0
 
     steps:
@@ -177,7 +178,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:0.14.11-2105.2603
+      image: aztfmod/rover:0.14.11-2106.3012
       options: --user 0
 
     steps:
@@ -220,7 +221,7 @@ jobs:
         random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.14.11-2105.2603
+      image: aztfmod/rover:0.14.11-2106.3012
       options: --user 0
 
     steps:

.github/workflows/landingzones-tf15.yml

@@ -4,16 +4,11 @@
 #
 
 name: landingzones-tf15
-  
+
 on:
-  pull_request:
-    paths-ignore:
-      - 'documentation/**'
-      - '_pictures/**'
-      - 'README.md'
-      - 'CHANGELOG.md'
+  workflow_dispatch:
   schedule:
-    - cron:  '0 3 * * *'
+    - cron:  '0 1 * * *'
 
 env:
   TF_CLI_ARGS: '-no-color'
@@ -36,7 +31,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.15.4-2105.2603
+      image: aztfmod/rover:0.15.5-2106.3012
       options: --user 0
 
     steps:
@@ -88,7 +83,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:0.15.4-2105.2603
+      image: aztfmod/rover:0.15.5-2106.3012
       options: --user 0
 
     steps:
@@ -132,7 +127,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.15.4-2105.2603
+      image: aztfmod/rover:0.15.5-2106.3012
       options: --user 0
 
     steps:
@@ -183,7 +178,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:0.15.4-2105.2603
+      image: aztfmod/rover:0.15.5-2106.3012
       options: --user 0
 
     steps:
@@ -226,7 +221,7 @@ jobs:
         random_length: ['5']
 
     container:
-      image: aztfmod/rover:0.15.4-2105.2603
+      image: aztfmod/rover:0.15.5-2106.3012
       options: --user 0
 
     steps:

.gitignore

@@ -10,4 +10,5 @@
 **/*.log
 **/backend.azurerm.tf
 public
-aztfmod
+aztfmod
+*output.json

caf_launchpad/dynamic_secrets.tf

@@ -1,7 +1,7 @@
 
 module "dynamic_keyvault_secrets" {
   source  = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
-  version = "~>5.3.2"
+  version = "~>5.4.0"
 
   # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
 

caf_launchpad/landingzone.tf

@@ -1,15 +1,10 @@
 module "launchpad" {
   source  = "aztfmod/caf/azurerm"
-  version = "~>5.3.2"
+  version = "~>5.4.0"
 
-  # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=master"
+  #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=5.4.0"
+  #source = "../../aztfmod"
 
-  # azuread                               = var.azuread
-  azuread_api_permissions               = var.azuread_api_permissions
-  azuread_apps                          = var.azuread_apps
-  azuread_groups                        = var.azuread_groups
-  azuread_roles                         = var.azuread_roles
-  azuread_users                         = var.azuread_users
   current_landingzone_key               = var.landingzone.key
   custom_role_definitions               = var.custom_role_definitions
   enable                                = var.enable
@@ -22,6 +17,7 @@ module "launchpad" {
   logged_aad_app_objectId               = var.logged_aad_app_objectId
   logged_user_objectId                  = var.logged_user_objectId
   managed_identities                    = var.managed_identities
+  remote_objects                        = local.remote
   resource_groups                       = var.resource_groups
   role_mapping                          = var.role_mapping
   storage_accounts                      = var.storage_accounts
@@ -30,6 +26,19 @@ module "launchpad" {
   tenant_id                             = var.tenant_id
   user_type                             = var.user_type
 
+  azuread = {
+    azuread_api_permissions             = var.azuread_api_permissions
+    azuread_applications                = var.azuread_applications
+    azuread_apps                        = var.azuread_apps
+    azuread_credential_policies         = var.azuread_credential_policies
+    azuread_groups                      = var.azuread_groups
+    azuread_groups_membership           = var.azuread_groups_membership
+    azuread_roles                       = var.azuread_roles
+    azuread_service_principal_passwords = var.azuread_service_principal_passwords
+    azuread_service_principals          = var.azuread_service_principals
+    azuread_users                       = var.azuread_users
+  }
+
   diagnostics = {
     diagnostics_definition          = try(var.diagnostics.diagnostics_definition, var.diagnostics_definition)
     diagnostics_destinations        = try(var.diagnostics.diagnostics_destinations, var.diagnostics_destinations)

caf_launchpad/local.remote.tf

@@ -0,0 +1,7 @@
+locals {
+  remote = {
+    azuread_service_principals = {
+      for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].azuread_service_principals, {}))
+    }
+  }
+}

caf_launchpad/locals.remote_tfstates.tf

@@ -0,0 +1,36 @@
+locals {
+  landingzone = {
+    current = {
+      storage_account_name = var.tfstate_storage_account_name
+      container_name       = var.tfstate_container_name
+      resource_group_name  = var.tfstate_resource_group_name
+    }
+  }
+}
+
+data "terraform_remote_state" "remote" {
+  for_each = try(var.landingzone.tfstates, {})
+
+  backend = var.landingzone.backend_type
+  config  = local.remote_state[try(each.value.backend_type, var.landingzone.backend_type, "azurerm")][each.key]
+}
+
+locals {
+
+  remote_state = {
+
+    azurerm = {
+      for key, value in try(var.landingzone.tfstates, {}) : key => {
+        container_name       = value.workspace
+        key                  = value.tfstate
+        resource_group_name  = value.resource_group_name
+        storage_account_name = value.storage_account_name
+        subscription_id      = value.subscription_id
+        tenant_id            = value.tenant_id
+        sas_token            = try(value.sas_token, null) != null ? var.sas_token : null
+      }
+    }
+
+  }
+
+}

caf_launchpad/output.tf

@@ -11,12 +11,12 @@ output "objects" {
 }
 
 output "global_settings" {
-  value = module.launchpad.global_settings
+  value     = module.launchpad.global_settings
   sensitive = true
 }
 
 output "diagnostics" {
-  value = module.launchpad.diagnostics
+  value     = module.launchpad.diagnostics
   sensitive = true
 }
 
@@ -29,7 +29,7 @@ output "tfstates" {
 output "launchpad_identities" {
   value = var.propagate_launchpad_identities ? {
     (var.landingzone.key) = {
-      azuread_groups = module.launchpad.azuread_groups
+      azuread_groups     = module.launchpad.azuread_groups
       managed_identities = module.launchpad.managed_identities
     }
   } : {}

caf_launchpad/variables.tf

@@ -16,6 +16,10 @@ variable "tenant_id" {}
 variable "landingzone" {
   description = "The landing zone name is used to reference the tfstate in configuration files. Therefore while set it is recommended not to change"
 }
+variable "sas_token" {
+  description = "SAS Token to access the remote state in another Azure AD tenant."
+  default     = null
+}
 
 variable "passthrough" {
   default = false
@@ -94,12 +98,24 @@ variable "azuread_apps" {
 variable "azuread_groups" {
   default = {}
 }
+variable "azuread_groups_membership" {
+  default = {}
+}
 variable "azuread_users" {
   default = {}
 }
 variable "azuread_roles" {
   default = {}
 }
+variable "azuread_credential_policies" {
+  default = {}
+}
+variable "azuread_service_principals" {
+  default = {}
+}
+variable "azuread_service_principal_passwords" {
+  default = {}
+}
 variable "managed_identities" {
   default = {}
 }
@@ -152,6 +168,10 @@ variable "azuread_api_permissions" {
   default = {}
 }
 
+variable "azuread_applications" {
+  default = {}
+}
+
 variable "environment" {
   type        = string
   description = "This variable is set by the rover during the deployment based on the -env or -environment flags. Default to sandpit"