Azure · arnaudlh · Feb 16, 2022 · Feb 16, 2022 · Feb 16, 2022 · Feb 16, 2022
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml
@@ -12,6 +12,8 @@ deployments:
       platform:
         virtual_hubs: non_prod
     remote_tfstates:
+      asvm:
+        subscriptions:
       platform:
         virtual_hubs: non_prod
         azurerm_firewalls: non_prod
@@ -495,13 +497,13 @@ subscriptions:
                   - sp_LZContributors
         storage_containers:
           orion_prod_level3:
-            lz_key: orion_storage_containers
+            lz_key: orion_subscriptions
             Storage Blob Data Contributor:
               azuread_service_principals:
                 keys:
                   - sp_LZContributors
           orion_dev_level4:
-            lz_key: orion_storage_containers
+            lz_key: orion_subscriptions
             Storage Blob Data Contributor:
               azuread_service_principals:
                 keys:

diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml
@@ -12,6 +12,8 @@ deployments:
       platform:
         virtual_hubs: prod
     remote_tfstates:
+      asvm:
+        subscriptions:
       platform:
         virtual_hubs: prod
         azurerm_firewalls: prod
@@ -509,13 +511,13 @@ subscriptions:
                   - sp_LZContributors
         storage_containers:
           orion_prod_level3:
-            lz_key: orion_storage_containers
+            lz_key: orion_subscriptions
             Storage Blob Data Contributor:
               azuread_service_principals:
                 keys:
                   - sp_LZContributors
           orion_prod_level4:
-            lz_key: orion_storage_containers
+            lz_key: orion_subscriptions
             Storage Blob Data Contributor:
               azuread_service_principals:
                 keys:

diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md
@@ -9,7 +9,7 @@ rover ignite \
   -e base_templates_folder=/tf/caf/landingzones/templates/platform \
   -e resource_template_folder=/tf/caf/landingzones/templates/resources \
   -e config_folder=/tf/caf/definitions/asvm/orion-landingzone \
-  -e config_folder_platform=/tf/caf/definitions/single_subscription \
+  -e config_folder_platform=/tf/caf/definitions \
   -e landingzones_folder=/tf/caf/landingzones
 
 

diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml
@@ -27,6 +27,9 @@ subscriptions:
         name: eaowner
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_ea_account_owner
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -52,6 +55,9 @@ subscriptions:
         name: idl0
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_level0
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -82,6 +88,9 @@ subscriptions:
         name: id
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_identity
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -107,6 +116,9 @@ subscriptions:
         name: mg
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_management
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -137,6 +149,9 @@ subscriptions:
         name: es
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_eslz
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -167,6 +182,9 @@ subscriptions:
         name: co
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_connectivity
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -197,6 +215,9 @@ subscriptions:
         name: scp
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_subscription_creation_platform
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -227,6 +248,9 @@ subscriptions:
         name: scl
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_subscription_creation_landingzones
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad
@@ -257,6 +281,9 @@ subscriptions:
         name: gitops
         resource_group_key: sp_credentials
         purge_protection_enabled: false
+        tags:
+          caf_environment: <replace>
+          caf_identity_aad_key: cred_gitops
         creation_policies:
           caf_platform_maintainers:
             lz_key: launchpad

diff --git a/templates/platform/level2/asvm/keyvaults.tfvars.j2 b/templates/platform/level2/asvm/keyvaults.tfvars.j2
@@ -11,6 +11,7 @@ keyvaults = {
 
     creation_policies = {
 {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if launchpad_azuread_groups is defined %}
       subscription_creation_landingzones = {
         object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}"
         secret_permissions = ["Get"]
@@ -24,6 +25,7 @@ keyvaults = {
         secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
       }
 {% endif %}
+{% endif %}
 {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
       logged_in_user = {
         # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
@@ -46,10 +48,12 @@ keyvaults = {
 
     creation_policies = {
 {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if launchpad_azuread_groups is defined %}
       subscription_creation_landingzones = {
         object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}"
         secret_permissions = ["Get"]
       }
+{% endif %}
       caf_ac_landingzone_maintainers_non_prod = {
         azuread_group_key  = "caf_ac_landingzone_maintainers_non_prod"
         secret_permissions = ["Get"]
@@ -58,6 +62,7 @@ keyvaults = {
         azuread_group_key  = "caf_ac_landingzone_maintainers_prod"
         secret_permissions = ["Get"]
       }
+{% if launchpad_azuread_groups is defined %}
       level0 = {
         object_id = "{{launchpad_azuread_groups.level0.id}}"
         secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
@@ -67,6 +72,7 @@ keyvaults = {
         secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
       }
 {% endif %}
+{% endif %}
 {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
       logged_in_user = {
         # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy

diff --git a/templates/platform/level3/ansible.yaml b/templates/platform/level3/ansible.yaml
@@ -1,45 +1,13 @@
-- name: "Creates cache directory"
-  file:
-    path: "~/.terraform.cache/launchpad"
-    state: directory
 
-- name: "[{{ level }}-{{ subscription_key }}]  Get tfstate account name"
-  register: launchpad_storage_account
+- name: "[{{ level }}-{{ subscription_key }}]  Get asvm keyvault credentials name"
+  register: keyvault_scl
   shell: |
-    az storage account list \
+    az keyvault list \
       --subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-      --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
-
-- name: "[{{ level }}-{{ subscription_key }}]  Get credentials tfstate details"
-  register: credentials_tfstate_exists
-  ignore_errors: true
-  shell: |
-    az storage blob download \
-      --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \
-      --account-name "{{ launchpad_storage_account.stdout }}" \
-      --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
-      --auth-mode "login" \
-      --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}"
-
-- name: "[{{ level }}-{{ subscription_key }}]  Get launchpad_credentials details"
-  shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}"
-  register: launchpad_credentials
-
-- name: "[{{ level }}-{{ subscription_key }}]  Get launchpad_credentials json data"
-  set_fact:
-    credjsondata: "{{ launchpad_credentials.stdout | from_json }}"
-
-- name: "[{{ level }}-{{ subscription_key }}]  set keyvaults"
-  set_fact:
-    keyvaults: "{{ credjsondata | json_query(path) }}"
-  vars:
-    path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults'
-
-- name: "[{{ level }}-{{ subscription_key }}]  cleanup"
-  file:
-    path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}"
-    state: absent
+      --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix'
 
+- debug:
+    msg: "{{keyvault_scl.stdout}}"
 
 #
 # Get landingzones subscriptions

diff --git a/templates/platform/level3/readme.md b/templates/platform/level3/readme.md
@@ -9,8 +9,8 @@ git pull
 git checkout {{ resources.gitops.caf_landingzone_branch }}
 
 rover \
-{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
-  --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \
+{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %}
+  --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \
 {% endif %}
   -lz {{landingzones_folder}}/caf_solution \
   -var-folder {{ destination_path }} \

diff --git a/templates/platform/level3/subscriptions/readme.md b/templates/platform/level3/subscriptions/readme.md
@@ -9,8 +9,8 @@ git pull
 git checkout {{ resources.gitops.caf_landingzone_branch }}
 
 rover \
-{% if config.platform_identity.azuread_identity_mode != "logged_in_user"  and keyvaults is defined %}
-  --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \
+{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %}
+  --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \
 {% endif %}
   -lz {{landingzones_folder}}/caf_solution \
   -var-folder {{ destination_path }} \

diff --git a/templates/resources/keyvaults.tfvars.j2 b/templates/resources/keyvaults.tfvars.j2
@@ -22,7 +22,13 @@ keyvaults = {
 {% if keyvault.soft_delete_retention_days is defined %}
     soft_delete_retention_days = {{ keyvault.soft_delete_retention_days }}
 {% endif %}
-
+{% if keyvault.tags is defined %}
+      tags   = {
+{% for tag_key, tag_value in keyvault.tags.items() %}
+        {{ tag_key }} = "{{ tag_value }}"
+{% endfor %}
+      }
+{% endif %}
     creation_policies = {
 {% if config.platform_identity is defined %}
 {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}

diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2
@@ -23,7 +23,7 @@ landingzone = {
 {% endfor %}
 {% else %} 
     {{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].lz_key_name }} = {
-      fstate   = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}"
+      tfstate   = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}"
       workspace = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].workspace | default('tfstate')}}"
     }
 {% endif %}