Merge pull request #487 from Azure/int-5.7.0

5.7.2

.devcontainer/docker-compose.yml

@@ -6,7 +6,7 @@
   version: '3.7'
   services:
     rover:
-      image: aztfmod/rover:1.4.6-2306.1405
+      image: aztfmod/rover:1.4.6-2307.0508
       user: vscode
 
       labels:

.github/workflows/landingzones-tf100.yml

@@ -39,7 +39,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:1.4.6-2306.1405
+      image: aztfmod/rover:1.4.6-2307.0508
       options: --user 0
 
     steps:
@@ -96,7 +96,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:1.4.6-2306.1405
+      image: aztfmod/rover:1.4.6-2307.0508
       options: --user 0
 
     steps:
@@ -143,7 +143,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:1.4.6-2306.1405
+      image: aztfmod/rover:1.4.6-2307.0508
       options: --user 0
 
     steps:
@@ -198,7 +198,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:1.4.6-2306.1405
+      image: aztfmod/rover:1.4.6-2307.0508
       options: --user 0
 
     steps:
@@ -244,7 +244,7 @@ jobs:
         random_length: ['5']
 
     container:
-      image: aztfmod/rover:1.4.6-2306.1405
+      image: aztfmod/rover:1.4.6-2307.0508
       options: --user 0
 
     steps:
@@ -291,7 +291,7 @@ jobs:
           for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done
           for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].objectId" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done
           for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done
-          for i in `az keyvault list-deleted --query "[?tags.environment=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done
-          for i in `az group list --query "[?tags.environment=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
+          for i in `az keyvault list-deleted --query "[?tags.caf_environment=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done
+          for i in `az group list --query "[?tags.caf_environment=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
           for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done
-          for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done
+          for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done

.pre-commit-config.yaml

@@ -1,16 +1,16 @@
 # See http://pre-commit.com for more information
 # See http://pre-commit.com/hooks.html for more hooks
 repos:
-  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.64.0
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.81.0
     hooks:
     - id: terraform_fmt
     - id: terraform_docs
-    - id: terraform_tflint
+    # - id: terraform_tflint
     # - id: terraform_validate
     # - id: terraform_tfsec
-  - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
     hooks:
       - id: check-merge-conflict
       - id: trailing-whitespace

CHANGELOG.md

@@ -1,3 +1,26 @@
+## 5.7.2
+
+### rover
+
+min version: required_version = ">= 1.3.5" 
+https://hub.docker.com/repository/docker/aztfmod/rover/tags?page=1&ordering=last_updated&name=1.3.9
+https://hub.docker.com/repository/docker/aztfmod/rover/tags?page=1&ordering=last_updated&name=1.4.
+
+Rover has been upgraded to support new features like:
+
+* Using MSAL library to connect to azurerm backend storage accounts (> 1.3.5)
+* leverage precondition to evaluate additional check at plan time
+
+### caf_launchpad
+
+BREAKING CHANGES:
+
+* replace in your tfvars the tags ***tfstate*** and ***environment*** by ***caf_tfstate*** and ***caf_environment***. You need to upgrade to the minimum rover version as stated in this upgrade note.
+
+UPGRADE:
+
+* use azuread_applications instead of azuread_apps to support the decoupling of apps and service principals. Refer to caf_launchpad/scenario/200/iam_azuread.tfvars for a complete example.
+
 ## v9.0.2009 (September 2020)
 
 BREAKING CHANGES:

caf_launchpad/dynamic_secrets.tf

@@ -1,7 +1,7 @@
 
 module "dynamic_keyvault_secrets" {
   source  = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
-  version = "5.6.10"
+  version = "5.7.2"
 
   for_each = try(var.dynamic_keyvault_secrets, {})
 

caf_launchpad/landingzone.tf

@@ -1,13 +1,15 @@
 module "launchpad" {
   source  = "aztfmod/caf/azurerm"
-  version = "5.6.10"
+  version = "5.7.2"
+  # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=main"
 
   providers = {
     azurerm.vhub = azurerm.vhub
   }
 
   current_landingzone_key               = var.landingzone.key
   custom_role_definitions               = var.custom_role_definitions
+  data_sources                          = var.data_sources
   enable                                = var.enable
   event_hub_namespaces                  = var.event_hub_namespaces
   global_settings                       = local.global_settings
@@ -31,6 +33,7 @@ module "launchpad" {
     azuread_api_permissions             = var.azuread_api_permissions
     azuread_applications                = var.azuread_applications
     azuread_apps                        = var.azuread_apps
+    azuread_conditional_access          = var.azuread_conditional_access
     azuread_credential_policies         = var.azuread_credential_policies
     azuread_groups                      = var.azuread_groups
     azuread_groups_membership           = var.azuread_groups_membership

caf_launchpad/main.tf

@@ -99,7 +99,7 @@ locals {
     "landingzone" = var.landingzone.key
   }
 
-  tags = merge(local.global_settings.tags, local.landingzone_tag, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
+  tags = merge(local.global_settings.tags, local.landingzone_tag, { "caf_environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
 
   global_settings = {
     default_region     = var.default_region

caf_launchpad/scenario/100/keyvaults.tfvars

@@ -1,13 +1,14 @@
 
 keyvaults = {
   level0 = {
-    name                = "level0"
-    resource_group_key  = "level0"
-    sku_name            = "standard"
-    soft_delete_enabled = true
+    name                      = "level0"
+    resource_group_key        = "level0"
+    sku_name                  = "standard"
+    soft_delete_enabled       = true
+    enable_rbac_authorization = false
     tags = {
-      tfstate     = "level0"
-      environment = "sandpit"
+      caf_tfstate     = "level0"
+      caf_environment = "sandpit"
     }
 
     creation_policies = {
@@ -21,13 +22,14 @@ keyvaults = {
   }
 
   level1 = {
-    name                = "level1"
-    resource_group_key  = "level1"
-    sku_name            = "standard"
-    soft_delete_enabled = true
+    name                      = "level1"
+    resource_group_key        = "level1"
+    sku_name                  = "standard"
+    soft_delete_enabled       = true
+    enable_rbac_authorization = false
     tags = {
-      tfstate     = "level1"
-      environment = "sandpit"
+      caf_tfstate     = "level1"
+      caf_environment = "sandpit"
     }
 
     creation_policies = {
@@ -40,13 +42,14 @@ keyvaults = {
   }
 
   level2 = {
-    name                = "level2"
-    resource_group_key  = "level2"
-    sku_name            = "standard"
-    soft_delete_enabled = true
+    name                      = "level2"
+    resource_group_key        = "level2"
+    sku_name                  = "standard"
+    soft_delete_enabled       = true
+    enable_rbac_authorization = false
     tags = {
-      tfstate     = "level2"
-      environment = "sandpit"
+      caf_tfstate     = "level2"
+      caf_environment = "sandpit"
     }
 
     creation_policies = {
@@ -60,13 +63,14 @@ keyvaults = {
   }
 
   level3 = {
-    name                = "level3"
-    resource_group_key  = "level3"
-    sku_name            = "standard"
-    soft_delete_enabled = true
+    name                      = "level3"
+    resource_group_key        = "level3"
+    sku_name                  = "standard"
+    soft_delete_enabled       = true
+    enable_rbac_authorization = false
     tags = {
-      tfstate     = "level3"
-      environment = "sandpit"
+      caf_tfstate     = "level3"
+      caf_environment = "sandpit"
     }
 
     creation_policies = {
@@ -79,13 +83,14 @@ keyvaults = {
   }
 
   level4 = {
-    name                = "level4"
-    resource_group_key  = "level4"
-    sku_name            = "standard"
-    soft_delete_enabled = true
+    name                      = "level4"
+    resource_group_key        = "level4"
+    sku_name                  = "standard"
+    soft_delete_enabled       = true
+    enable_rbac_authorization = false
     tags = {
-      tfstate     = "level4"
-      environment = "sandpit"
+      caf_tfstate     = "level4"
+      caf_environment = "sandpit"
     }
 
     creation_policies = {

caf_launchpad/scenario/100/storage_accounts.tfvars

@@ -9,9 +9,9 @@ storage_accounts = {
     tags = {
       ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
       # Only adjust the environment value at creation time
-      tfstate     = "level0"
-      environment = "sandpit"
-      launchpad   = "launchpad"
+      caf_tfstate     = "level0"
+      caf_environment = "sandpit"
+      launchpad       = "launchpad"
       ##
     }
     blob_properties = {
@@ -35,9 +35,9 @@ storage_accounts = {
     account_replication_type = "RAGRS"
     tags = {
       # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
-      tfstate     = "level1"
-      environment = "sandpit"
-      launchpad   = "launchpad"
+      caf_tfstate     = "level1"
+      caf_environment = "sandpit"
+      launchpad       = "launchpad"
     }
     blob_properties = {
       versioning_enabled                = true
@@ -59,9 +59,9 @@ storage_accounts = {
     account_replication_type = "RAGRS"
     tags = {
       # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
-      tfstate     = "level2"
-      environment = "sandpit"
-      launchpad   = "launchpad"
+      caf_tfstate     = "level2"
+      caf_environment = "sandpit"
+      launchpad       = "launchpad"
     }
     blob_properties = {
       versioning_enabled                = true
@@ -83,9 +83,9 @@ storage_accounts = {
     account_replication_type = "RAGRS"
     tags = {
       # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
-      tfstate     = "level3"
-      environment = "sandpit"
-      launchpad   = "launchpad"
+      caf_tfstate     = "level3"
+      caf_environment = "sandpit"
+      launchpad       = "launchpad"
     }
     blob_properties = {
       versioning_enabled                = true
@@ -107,9 +107,9 @@ storage_accounts = {
     account_replication_type = "RAGRS"
     tags = {
       # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
-      tfstate     = "level4"
-      environment = "sandpit"
-      launchpad   = "launchpad"
+      caf_tfstate     = "level4"
+      caf_environment = "sandpit"
+      launchpad       = "launchpad"
     }
     blob_properties = {
       versioning_enabled                = true