From 2b897ccb6a5e19a72daf4c9c3924c688cd009e05 Mon Sep 17 00:00:00 2001
From: Horacio Antonelli
Date: Thu, 6 Jan 2022 11:36:21 +0000
Subject: [PATCH 01/67] Add domain_name_registrations to local.remote.tf
---
 caf_solution/local.remote.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/caf_solution/local.remote.tf b/caf_solution/local.remote.tf
index 80ce0d607..cd510141f 100644
--- a/caf_solution/local.remote.tf
+++ b/caf_solution/local.remote.tf
@@ -80,6 +80,9 @@ locals {
 dns_zones = {
 for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].dns_zones, {}))
 }
+ domain_name_registrations = {
+ for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].domain_name_registrations, {}))
+ }
 event_hub_namespaces = {
 for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].event_hub_namespaces, {}))
 }
From c760186e9403af83158d9bf970e0af1ae4da6524 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Thu, 27 Jan 2022 08:39:17 +0000
Subject: [PATCH 02/67] Add network profiles
---
 caf_launchpad/landingzone.tf | 11 ++++++-----
 caf_launchpad/variables.tf | 4 ++++
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf
index 64ce2a226..6ae4b304b 100644
--- a/caf_launchpad/landingzone.tf
+++ b/caf_launchpad/landingzone.tf
@@ -1,9 +1,9 @@
 module "launchpad" {
- source = "aztfmod/caf/azurerm"
- version = "5.5.1"
+ # source = "aztfmod/caf/azurerm"
+ # version = "5.5.1"
- # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=master"
+ source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network"
 # source = "../../aztfmod"
 providers = {
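Review bot: The launchpad module source now points at the mutable branch ref `?ref=aci_network` while the registry pin `version = "5.5.1"` is commented out, so every `terraform init` fetches whatever that branch holds at that moment and the level-0 launchpad can change underneath an already reviewed plan. Iterating on a branch is reasonable during development, but before merge the ref should be a commit SHA or the versioned registry source restored, e.g. `source = "aztfmod/caf/azurerm"` with `version = "<released version>"`. The same `aci_network` branch name is written into the gitops settings of the contoso template files in PATCH 07 and PATCH 08; those pins should move together with this one. The `module "launchpad"` block continues past this hunk.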
@@ -59,11 +59,12 @@ module "launchpad" {
 }
 networking = {
- vnets = try(var.networking.vnets, var.vnets)
+ azurerm_routes = try(var.networking.azurerm_routes, var.azurerm_routes)
+ network_profiles = var.network_profiles
 network_security_group_definition = try(var.networking.network_security_group_definition, var.network_security_group_definition)
 public_ip_addresses = try(var.networking.public_ip_addresses, var.public_ip_addresses)
- azurerm_routes = try(var.networking.azurerm_routes, var.azurerm_routes)
 route_tables = try(var.networking.route_tables, var.route_tables)
+ vnets = try(var.networking.vnets, var.vnets)
 }
 security = {
diff --git a/caf_launchpad/variables.tf b/caf_launchpad/variables.tf
index dfe7937a9..172fb0b2e 100644
--- a/caf_launchpad/variables.tf
+++ b/caf_launchpad/variables.tf
@@ -239,4 +239,8 @@ variable "propagate_launchpad_identities" {
 variable "container_groups" {
 default = {}
+}
+
+variable "network_profiles" {
+ default = {}
 }
\ No newline at end of file
From b6f92952c6849310d5befb84de4dba81bc6e5096 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Mon, 31 Jan 2022 07:21:53 +0000
Subject: [PATCH 03/67] Add subscription_ids and vhub readme
---
 .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 4 ++
 .../level2/connectivity/virtual_hub/readme.md | 43 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 templates/platform/level2/connectivity/virtual_hub/readme.md
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
index 4ebb58b6b..d5fd9fbb1 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
+++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
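Review bot: `network_profiles = var.network_profiles` is the only entry in the `networking` map that bypasses the `try(var.networking.<name>, var.<name>)` pattern every neighbouring line uses, so a caller that supplies network profiles under `var.networking` (as it can for vnets, routes and public IPs) gets them silently ignored and the launchpad is deployed without them. Unless the asymmetry is deliberate, `network_profiles = try(var.networking.network_profiles, var.network_profiles)` keeps the two input styles interchangeable. The `module "launchpad"` block starts before this hunk and continues after it.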
@@ -55,7 +55,11 @@ custom_landing_zones = {
 {% endif %}
 }
 subscriptions = {}
+{% if mg_custom.subscription_ids is defined %}
+ subscription_ids = {{ mg_custom.subscription_ids | replace('None','[]') | replace('\'','\"') }}
+{% else %}
 subscription_ids = []
+{% endif %}
 }
 {% endfor %}
diff --git a/templates/platform/level2/connectivity/virtual_hub/readme.md b/templates/platform/level2/connectivity/virtual_hub/readme.md
new file mode 100644
index 000000000..f306b23ae
--- /dev/null
+++ b/templates/platform/level2/connectivity/virtual_hub/readme.md
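Review bot: Rendering `mg_custom.subscription_ids` through `replace('None','[]') | replace('\'','\"')` converts the Python repr of the list into HCL by string surgery, which only holds while every element is a plain quoted string; any element whose text contains `None` or a `'` is rewritten too, and a non-list value is emitted verbatim. Ansible's JSON filter yields a valid HCL list literal directly and also covers the null case, so the five template lines collapse to `subscription_ids = {{ mg_custom.subscription_ids | default([], true) | to_json }}` with no `{% if %}`/`{% else %}` pair. The enclosing `{% for %}` loop starts before this hunk.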
@@ -0,0 +1,43 @@
+
+# Connectivity
+You have selected the vwan networking option to build your Enteprise Scale platform. The following instructions guides you through the steps to follow.
+
+## Select the correct branch for the landingzones code
+
+Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services
+
+## Virtual hubs
+
+{% for virtual_hub in tfstates.virtual_hubs.keys() %}
+### {{ virtual_hub }}
+
+```bash
+# login a with a user member of the caf-platform-maintainers group
+rover login -t {{ config.platform_identity.tenant_name }}
+
+cd {{ destination_base }}/landingzones
+git fetch origin
+git checkout {{ config.gitops.caf_landingzone_branch }}
+
+rover \
+{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
+ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
+{% endif %}
+ -lz {{ destination_base }}/landingzones/caf_solution \
+ -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }} \
+ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
+{% if platform_subscriptions_details is defined %}
+ -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
+{% else %}
+ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+{% endif %}
+ -tfstate {{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }} \
+ -log-severity ERROR \
+ -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -level {{ level }} \
+ -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }}.tfplan \
+ -a plan
+
+
+```
+{% endfor %}
From c5b8c1d693ce0a6e6c590e2a4923b227c14554f7 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Mon, 31 Jan 2022 07:43:37 +0000
Subject: [PATCH 04/67] Update when condition to express route circuit
---
 templates/platform/level2/connectivity/ansible.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/platform/level2/connectivity/ansible.yaml b/templates/platform/level2/connectivity/ansible.yaml
index 119700857..74d9015b0 100644
--- a/templates/platform/level2/connectivity/ansible.yaml
+++ b/templates/platform/level2/connectivity/ansible.yaml
@@ -35,6 +35,7 @@
 - name: Express Route Circuit
 include_tasks: "{{ level }}/{{ base_folder }}/express_route_circuit/ansible.yaml"
 when:
+ - connectivity_express_routes is defined
 - connectivity_express_routes.express_route_circuits is defined
 loop: "{{ config.tfstates.platform.express_route_circuits.keys() }}"
 loop_control:
From ed0d07ec68ef94ca4ed0858bf0a181ed4a639875 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Mon, 31 Jan 2022 07:51:35 +0000
Subject: [PATCH 05/67] Update for loop
---
 .../platform/level2/connectivity/virtual_hub/readme.md | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/templates/platform/level2/connectivity/virtual_hub/readme.md b/templates/platform/level2/connectivity/virtual_hub/readme.md
index f306b23ae..277d9e193 100644
--- a/templates/platform/level2/connectivity/virtual_hub/readme.md
+++ b/templates/platform/level2/connectivity/virtual_hub/readme.md
@@ -1,14 +1,11 @@
-
-# Connectivity
-You have selected the vwan networking option to build your Enteprise Scale platform. The following instructions guides you through the steps to follow.
+# Virtual hubs
 ## Select the correct branch for the landingzones code
 Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services
-## Virtual hubs
-{% for virtual_hub in tfstates.virtual_hubs.keys() %}
+{% for virtual_hub in config.tfstates.platform.virtual_hubs.keys() %}
 ### {{ virtual_hub }}
 ```bash
From 66e9a30bdb86f3bc0e1c214744ebb29d26b81a58 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Mon, 31 Jan 2022 12:56:18 +0000
Subject: [PATCH 06/67] Fix template lookup
---
 templates/platform/ansible.yaml | 13 ++++++-------
 templates/platform/level2/asvm/readme.md | 2 +-
 templates/platform/level2/connectivity/ansible.yaml | 5 ++++-
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml
index d6d4feb8f..d9e53cc7a 100644
--- a/templates/platform/ansible.yaml
+++ b/templates/platform/ansible.yaml
@@ -3,18 +3,17 @@
 vars:
 connectivity_virtual_wan: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_wan.yaml') | from_yaml }}"
 connectivity_virtual_hub: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_hub.yaml') | from_yaml }}"
- connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml') | from_yaml }}"
- connectivity_firewall_policies: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall_policies.yaml') | from_yaml }}"
- connectivity_vpn_sites: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_sites.yaml') | from_yaml }}"
- connectivity_vpn_gateway_connections: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_gateway_connections.yaml') | from_yaml }}"
- connectivity_express_routes: "{{ lookup('file', '{{ config_folder }}/connectivity_express_routes.yaml') | from_yaml }}"
- connectivity_express_route_peerings: "{{ lookup('file', '{{ config_folder }}/connectivity_express_route_peerings.yaml') | from_yaml }}"
+ connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml', errors='ignore') | from_yaml }}"
+ connectivity_firewall_policies: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall_policies.yaml', errors='ignore') | from_yaml }}"
+ connectivity_vpn_sites: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_sites.yaml', errors='ignore') | from_yaml }}"
+ connectivity_vpn_gateway_connections: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_gateway_connections.yaml', errors='ignore') | from_yaml }}"
+ connectivity_express_routes: "{{ lookup('file', '{{ config_folder }}/connectivity_express_routes.yaml', errors='ignore') | from_yaml }}"
+ connectivity_express_route_peerings: "{{ lookup('file', '{{ config_folder }}/connectivity_express_route_peerings.yaml', errors='ignore') | from_yaml }}"
 identity: "{{ lookup('file', '{{ config_folder }}/identity.yaml') | from_yaml }}"
 management: "{{ lookup('file', '{{ config_folder }}/management.yaml') | from_yaml }}"
 subscriptions: "{{ lookup('file', '{{ config_folder }}/subscriptions.yaml') | from_yaml }}"
 mg: "{{ lookup('file', '{{ config_folder }}/eslz/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
 mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
- mg_struture: "{{ lookup('file', '{{ config_folder }}/eslz/structure.caf.platform.yaml') | from_yaml }}"
 tfstates: "{{ lookup('file', '{{ config_folder }}/tfstates.yaml') | from_yaml }}"
 base_templates_folder: "{{ base_templates_folder }}"
 boostrap_launchpad: boostrap_launchpad | default(false)
diff --git a/templates/platform/level2/asvm/readme.md b/templates/platform/level2/asvm/readme.md
index 3e348beca..70b86198e 100644
--- a/templates/platform/level2/asvm/readme.md
+++ b/templates/platform/level2/asvm/readme.md
@@ -6,7 +6,7 @@ rover login -t {{ config.platform_identity.tenant_name }}
 cd {{ destination_base }}/landingzones
 git fetch origin
-git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
+git checkout {{ resources.gitops.landingzones }}
 rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
diff --git a/templates/platform/level2/connectivity/ansible.yaml b/templates/platform/level2/connectivity/ansible.yaml
index 74d9015b0..62e369916 100644
--- a/templates/platform/level2/connectivity/ansible.yaml
+++ b/templates/platform/level2/connectivity/ansible.yaml
@@ -24,6 +24,10 @@
 loop_control:
 loop_var: virtual_hub
+- name: "connectivity_vpn_sites"
+ debug:
+ msg: "{{connectivity_vpn_sites}}"
+
 - name: VPN Sites
 include_tasks: "{{ level }}/{{ base_folder }}/vpn_site/ansible.yaml"
 when:
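Review bot: `errors='ignore'` on the six connectivity lookups makes a missing file indistinguishable from an intentionally absent one: a misspelled `connectivity_firewall_policies.yaml` now renders the variable as null and the firewall-policy tasks are skipped with no message at all, so the platform deploys without the policies the operator believes are configured. `errors='warn'` keeps the optional-file behaviour but logs each file that was not found, e.g. `connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml', errors='warn') | from_yaml }}"`, and the same substitution applies to the five sibling lines in this hunk. The `vars:` block continues past this hunk.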
@@ -35,7 +39,6 @@
 - name: Express Route Circuit
 include_tasks: "{{ level }}/{{ base_folder }}/express_route_circuit/ansible.yaml"
 when:
- - connectivity_express_routes is defined
 - connectivity_express_routes.express_route_circuits is defined
 loop: "{{ config.tfstates.platform.express_route_circuits.keys() }}"
 loop_control:
From 6e9758863756d85d33386559d10e51fc7747ce55 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Mon, 31 Jan 2022 13:21:51 +0000
Subject: [PATCH 07/67] Clean-up. Add IP address plan
---
 .../contoso/platform/IP Address Plan.xlsx | Bin 0 -> 11859 bytes
 .../contoso/platform/README.md | 2 +-
 .../contoso/platform/connectivity.yaml | 34 ------------------
 .../platform/connectivity_express_routes.yaml | 2 +-
 .../platform/connectivity_firewall.yaml | 5 ---
 .../platform/contoso.caf.platform.yaml | 4 +--
 .../connectivity_firewall_policies.yaml | 2 +-
 .../non_prod/connectivity_firewalls.yaml | 6 ++--
 .../non_prod/connectivity_private_dns.yaml | 10 +++---
 .../prod/connectivity_firewall_policies.yaml | 2 +-
 .../prod/connectivity_firewalls.yaml | 6 ++--
 .../prod/connectivity_private_dns.yaml | 10 +++---
 .../deployments/prod/identity_level2.yaml | 2 +-
 .../prod/identity_level2_aadds.yaml | 2 +-
 14 files changed, 24 insertions(+), 63 deletions(-)
 create mode 100644 templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx
 delete mode 100644 templates/enterprise-scale/contoso/platform/connectivity.yaml
 delete mode 100644 templates/enterprise-scale/contoso/platform/connectivity_firewall.yaml
diff --git a/templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx b/templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..4ffeb8f1841580ec8309e0c22dd4cb497765541d GIT binary patch literal 11859 zcmeHN1y>wvwryO32PXt~cXxuj)3^m`+=IKj2MH1^xVyUtcPF@o5Zqqp&dj@aGWY$0 zH`QxZt?sI`yQ_L1+2=b-vQW^N09XJ#001BXcv+`mTS5Q;IWPdgYXCf?j+mXTvze{4 zf!YUqGbcSpcN=TsJZMPj8~`Nv`u}eKkDtI;(uP$JGv>fKoM&jl%9J=^6ib=@$=6-V zF#+NE%w@y$pv;4xr*8NzQByQ|Rcq{Z!*?A9iV1ey`W%!xqQa-v-S=&StW^c7%M*y# zoZcgL+9Aq7is)LUDh^_TSVpFhnR>Xf;$`FRBiyGfG_Cnbsc#d31s_L(B_uqM*|yAh zQrXY~_0J`eCM2p@V#{F(kcn~=2EMKfuqGArN!q-bZ zAB~?r_|_nn;fAOd+9-9$dk+l&yu3gGl>W^_>(!abeu8Ny2X??$U=KBLG_!VMV*IuL zuV?;0cE`WmdRcpaI}<;DH0B4TYc!Rb60cMA0=fz zP`kFr(v~(A=gJOmkV(v3h*zV1Wz@t+cwO)&1Y6*vKX5=^d)@f90%A^7^|U;ss*x+_ zDDi8C??Ou9A+k^ykKD=hN30GNmRTJPFDZvBA4ojkFr8IfY$zNc=HT1t+pFO8C|-C)o)Bu6b-qrPh!g&V(r% zPsGtAFnEFxGgmuWPgy$kRD zbg^$Yup!6TX`Qj`PN}OjuOPSI!-+hNU6z09VeF&xO~V3Tbi1LC12o*{Mbh)=c(qTI zN-&U}5+#5Kn2ZS5mR{e-#>OclW6;uw;?n9#s*FG2?k*^XkC%_uT|rR_v;>`@ z8T+8X>XciEsA&8|w%kPtO2n7VVWM3QhbX6+@CPyb9`ThL%EO__0#)zwMC3oyY#+Of za_i5dUC&=cGlbd!ga$*p2^An`hLw>SxL;dSFahvSrLz0Z7l$0y3k*He125zF`-a)n z-P{fP0~Ko!QM9@V(o9}B)1juPf#D<{vc)e^S9LFs9N&R{R3%pUx1Q12&dSdfDw~kh zCdjBLjIqcqg|z8xdZ+%ZgDo}Tvo*{s4a~G_R!+b=12qFkP`_{DLdPG|DWVP3r35u< zCE$T54(y2*&aD(ozS6=Xa-9ur2<$>5zWNDM-4hmx%hb=1l00?kVVq|N86e4V#$#U` zUW@=#{oEtOCh_`{#8i@0q^4NVpkw+hzROw%PQ z1~XQ1^jOH^Ee>rwJZp2L>&-JuDH?k$oZg0vZP$YfZ)j`#;8**ZoFc~!_=+vs-t)>2 zXayaq(dFzndUTfp8|kp&cFnfz8I()x@)!?r;@yEwhE1t+`T~ef#va7UuV;|gQLqPN zJb@iqFIMM5DIPw!uq&uoUyc${ldStPCT3?B1*aQKGs1ZSY%TDadS@NI4H&HJ?&4Ew zAc>d|Q9!=vEfs#X$5xWMQulJ$?g*mlB25v8eO~fe4(upmE9py?78LQRI?72!8VTR@ z)1x8Xj_%S)c=L++*p=oKKhLSVY;aA|8Eke6*V`rAa)%Bcq50_X(hiy2thAfPJmwm_ zeO!xuo~bCc%x%4$N|~BUiPsntM*gWSTu>6ahr!!GK!aM7>_l?)IwD9E@y*vyF{eYd zC)VF|^l_Ut4x)8Idj+<8v9;{7#4uv!_e37e6?5*lo@(@TW4i%6+Xy9RF=ZI^!tK1~ z@V9Rhrj9L00xMEiJm`v-Pyv-#*FEYJdV65cn%}PRcf}AYl>-nWkaf>Bh 
z6gi4|L$josBDZ>{w?;H9_(0{1kYxFX(I*zZx7(i6H`EvyJ{ETrPy0BHOxRNzl;XRv z+G4gjFRaaShF)4zPCpL2t)_|L1A(3e22jPigIC8-z|My0A_xoifaJo4Mc(6N+c+a+ zrTe+uR?TzuQS9|e1HIa2!jjnFg&Z~Cst_Wimd$ssDn)1nb$dgz-WQo4FXUhv==3hg zp6V+#{sbwBOFK4&Fb3CKxiv3inf4sSyk18N6lqVO`Kla;TzaCSDyK!twF`_oV-*DW zL8_2TZx8n)DNe%IG(}SLZ1$~C%)n#Vg}6l0`Hyv*su38HQ^S zs9d`n_YKQ6JksUNaS=0p67YQfes~$$Dd79_;I7x8rn#P0))tOJRrPEx*5Kvo31{7) z^ZEPH1=ry$)kRNV=i}XIYUj%Z?^V_IDi%|R_m3Zki8veHSNn>wgv%>$2-CikgjavB z*fKe%j5P8`dANWO%Iael?Mo0wKX5HR8y$kw*C9UYaj81(S$U&10Mo|b30i6)x@abk z`B*7Y4YO(z<%;XZyIGPx`u)58C%Lu6%jWRb@X2`48KX=Y;AWpKM{`?cDZ0vR4>G>R6bGR5oh5b?1(h|#_H(XElF9yL@w?TL34R;LLVf% z#~XTuFVcyKw1e{SR zxPaIjr5cviMudi*r}v~yFyE}wlc>V(%_az|+oC?U6X7@qR7ILC^EWKkkB77I@m_vO zUT(!zb&eXq^=uS$(wa148{Kc7(j+xZCOnZTqZ^t~zsfX(FiR)_&C@uh!qb`ETqN04 zncF!8xMNd?qi^Kj;ft@y=yC66s(EC^pvZ4>K<*NKi=3fZfH`1JXzi3fj)vDZPxZh) z^U|}Y^RcTPG&EQjIPHMO^RmJtzHYo8M^gp`@Ee7|BO>9f1%zQe>xyTU0P$ev9t^8eT*7=r;1!4Z;Z)CRXR-A&EDG+H7CkzZT(!h#ur&@oBZoKB3HM z{)4)c{@m@$L&^IYeZfkz3DCz&;K0@Om59~HHZT7X%JUxwpA_4wciBji&PHMSTSeWx zq1&dS;Fyb7lv}8ptso{yZ__!_=vR}-7eg{WAUV<(Y-VrFYynGteVYVK^5IVSm` zE_7JgljRQzm+rCAGYaO-Wi9DnUcn^Xxzp%Ii>1mG9smW-*UM**eGb&zv{PZJmu7H{ z1S@k3_aFA0d>Cnb?S9omH1w96ngNSeCTE%V!{qa;}YLo@Nff*`ntg zPkGQDX!#gA%c|IH+)Uueb`*_@4thsQ)#Oh}sXE!mXM0y~1>Zc!8aM1ed*mfx1eJ=ETEiEQG zxR`Li$Uw)VaTfoKDy;b3JGX7a5sQVkh-sdr7&6{SCD*(((@#Ad;T2<3igZM{ic9I; zxyOwBX(dqC?TTw$L~|ofu$Ft~h5fWgv(AZ!p?u$vOMi&X*3cH%J}EFbR)83rQ84B{ z$h2+EdPhQaGc#n5vC3<=DfC9v)+(>mvC+dLDb8}<+PFw?3tUuC2@Pe90bPXYk7crM z??+bK=HA1(`SW|&`*Ihl94Lv}rIJzKPZJC!aT-RhCTd5+Z?y4HF}(QDSi`N!EHWhF z8+D?o1*+ttHll@OkoNo;O&(T<09wW36iH4gdFc zGGvtHIa{S;F2s7rMjd!73NxS2+Qo3mGJM621W!3n#B?TxyENXW9e^9F)`pkA6>FS5 zmDo4nGX>ys8~4vr+sVSr%-Mogs`nM{G<1 zIz%N*!l0Ngs^?6pv^w!5qR@?N@5kCX%bs?=j+B!@1ZC2AqYj^FU79_ZaK6{glumsz z2oA@1zops$_4uy;g^mV4Q~QFc>_u_$I})gKv`|Oe^e0GAcOua=6Ylfw8nM(5a-_YT zXKLKBhtXCqbjlBy-ZO{!aok%CbjG=32j1dK&eP%hdOZ_QJc$~SbS9kTI|xoeHq@jkXKFu_-Vb(xcek)xTZso&qW3zC`|hP`PB??C8$B^2#kPJRQ`Ja9 z^?T|OElx-al16})WL${+i=atk+-?CtJB(L 
zHQLs4sqc+5Qa1#JmK#DNXnSGRTTt{CGb+TF6(S42XelI5Pzb>Y%#h0@l23PXw^#RO zc4Hzdxk(Mniw}^kTz#<-wpWsJ5*zJD^hTZZOmWtO0AdCMXyS9)p!p18Jc}^~WpqB- z5deRx%)RDvk!#y*j!|1+J}cc(GQ%nAB!X=V+c}iPp`uXrHJ=&kI{zjvT95brO(-Cvq1WHs}seRB3*;Fv7Sdq5^?+u;95{e>B|qKlkMmhqkJ z?VyGLyr)h+@=qoV-!b~$+BcN(gz8ocs8$ZeG;TD2BuApBzEl!?*D?^~a&i@|uenvi zi0-xEuIbPVR83hKS~@V0D^Afk0JXYed-Ov;7N`g3up6Hq9+G!4M#mJ_5=S;_bkRJk zp1Y&wOXGBXaPD|RohvUnwRcT?lsDJwR5=ivj`~;}pGy8cC9_))oyAc2N*V+02iqbM zckzUzN|x)#z!!ff-KS-*lD#Ykrgaik*|30J{5<=slb-|8S42%GM1RZjevIAsuwcJx z0IL$@f3n>9gSFWo^v+k;1FbM)dJ~-p!MC?QTVzsnyILmTBd+1r1-8>RoP-_q4$15} zpLCwfxMHNnl!Kl~508!xRz1&>6H68B>xx>;WD2?4;FxFxY1_n&!SD1e0svQ};5DAd07(XswQd>U+39F!$vDS|}ra@rVOm~VYb z()~mYU)Vt`xBb?LBx1o2K99&PT9bMTt(P;3&B7Zss$U=g3s_&misN@&T4D_2E$w#p)mtSq9&l$PWpn~JRlCUdB#|FpdH6~D&OSv= zCLJ5giV8UlLEHurJ67c>u6eCyV4Y5OnW~QJ4L$mGZN8GOrKvFQkgf$o0{pUP8N4~c zcv&@Rz=fEd>we~PV76hL=kc!2+uq3@l7YMMxdIA62tC9d(j03j4E`Q!C~QTllBGb@ zWY0%t7Wc=o`VX;-{Sq`x2giFY+4}eI%z-soe&0~_4VLur z;NrJ0A15>{xa;c`_?#9*U-gE$rWf4qkN=qQ@=laor`MWj8>WbE|InuEd0|?wTY32b z4W`uKv*b0QV%Y(~|wA||BQNo*fxkBTQ35lOp$Fp1nsQaoOw zay@|k;Xl*D4Yq^|F?hWMAAI)zs3HE)@tKLkwkynNA?GmnDA4CMoRtB)T`r{Tsd)z; zgG zyPEjTkw_17%O)6=r5zl^E2Zh+wpc=kdX6_D^121##*G<0HDD2V7Si~{isa(JlZ9Zd|V*q)5J(u=42lU<_ zyP+k_v1B?oXoK3doNsmgaK2gn zb+$NyFXdFk3EK8^*qB5TeRqqDI|hXpC`-e<{q=TQlpfMBuHx|F=AP*ZP-@`T)hr2N z7H$q3pIu(HLvXhW^4tJ0F$9J5y zX_NU2N*D*#mn)WK3TU@4KPuX}_|Wg@=nd@XO+U$OKZtZjPazE8GEwf8SzA3$e*VJY zqjKicbcVK>R6lP*OMicYr~RUsdB=yMG6wmkcD_){5WoCunD{dwxOqJkD30%UCSMf? zr)5}PZ;yuUB?0LQU{i)7vfBCzaGryD#Se>mLkKE|iI+NN8+nHXurlfn1*UNU)*k(X zP5fZyfv+mI?FlJJbOQQYdu!KCb2H!i)j0CSru1U$t%HDtcnTY*YFgzjGNhtYnjgWn^9!Lr&0)?(6s1XtY#fkb4-+3 zG|;WiC9lPt9OiM**U7CSlf7AQtJ?0t^~Ts*2TDWq!CB5qji)n0f*w)_|Kx1v^?pb?^J z4yKo{h>?&D0!%5DKo;Mn3+haQS{5yhkOJwZRXglI3 z7sV4l45`a>JwYjFt>A zUoN~j*8G^i3B*%h0t{~{U%K2qRS~iJQ0guCzNS12!EflX+2o_WOUrL^drxs*^)s;Q z1j*@iIxw30)%^|6*TF+oq4TKEk6#ka)}*PjdF<}v6bsw;rBeo94lJ|~SB*5Wrj)Rp z-=OLzB!zs=CCbT$blvNrN*UkCfwhH5>`Qu7mg#WVyJqxhYJ1tHtPw14q4`8t@7Sb? 
z6vbS9ft#A(S%pE{ z@a2@N-V>r)3#dC@C1%?PyK96PvSa-@t*dCOM1oR39P^Bzf6CO;&W*}csEboVd-}5} z%D_YrnMx1W0PWJAOT<^SvVO72hB)#ea23A8N8MEZDd1YXnXJhZQDQ|#>O9qt!V|$l z2eIMD0OMwcAg&ETCfs4Wo;$blWP_gYjReB2=M~1}`bO|%?7&}?R8k7a7OZN)vB=R6 zmLOCTixfR`kRy*>#dj)#czM0URi^zDmd3X4&_>nUa}T7uTR|kQwY3(~P9LxGia~Mm z(u>;GsJ)qEL2d6>b61siLLRseTaJ8`$2cD`KiCy4TNT-*T}_p(N4k7kkK{ikia0We z7sR&enEW0*Pv7L&lPnu8u&>N`|Oy8RSxw*JsOZDGkg)_R?5>}~5!jnE_4IGUvhJ?_hYRPg6JJtdpa?Ss~p5sr?&5OHbo{Mwiwij-05oh_C8x{0Lg$`)iTD*&8*AvCs(q&mmIhy#`%#mHA5pzivh!jCgq^vZx;&euG%W9E zEU$&-UQ-bQzJ>~psFh@%cgo>y6~cFxnXsXCum$%*cM~U)GmET1U0b|_xpekHG96g6 zP@+N|$cs`ym$sux`!KwvPD{T9(g&y@0WA{VFl>IRu60gIu@m5Sv2Wi;B~1!N(g2q!2>Lr6vhO)TMFTHr4>}X5Q+XoI9y1)Ti?>#bl7c66z*KxH};(` ziv3GvLaVm8TH9Wd4Jh)jo|A%T?k%5Q3DmdR!$nn&ax<0KAfu1gby{kxiU{Njh%azy zFKpgub$AFOK9PC6^^NFg(f&5d-yWeYKinvk`}b`_K0TE@MKGy7!TyQ89Q3{jAB zf7M{3ncU#i?6p@wwP-0Mg>n?6lAKd+1B^$-{1yjd+2@EE2|DUY2zp?0Dh>|_VFvbX zv~4#x1m|~hGX&79I;RQ>T%86eX`63^Ba!u-3B11SI;$$z3XOg<-1^1{F^)&nXZ}Wf z=u_y!OF`B`a%=$Z-bp{`U3!H)XkSl4TuWa<+@z1Hh;A0%MJB5}8MVrptDba}CJQdg zsmLr|&(NK=XW1boxk^tJxH+u*QOr=Yma4YUY|BT>FsLpJxX@p*&N~<89lF&b=lf5(OMdaNU zH^}}%{9ZcQlw5v@^b@+GAM2p`M!`Swz^`#U2uKES@A292-^;0pZzo_YEm=l5BcKami?UDn?wUw$|KeewKH<13`U zT}uBQ;P>|bp8(F_2Jb(={XZ51en9pU$$+n)%bc>h57-wxdG zroVR|{xofR^S8I~M=#=cl;73HpC~9Ke~a>m_V^v;-*f$+7y!UL1px4S=KtOL--GI3 etxKu@V*RfWt0W5pW*Pv1^y>vCD+}GPcmD&@+Ualr literal 0 HcmV?d00001 diff --git a/templates/enterprise-scale/contoso/platform/README.md b/templates/enterprise-scale/contoso/platform/README.md index a0a3c91ad..078d70a4d 100644 --- a/templates/enterprise-scale/contoso/platform/README.md +++ b/templates/enterprise-scale/contoso/platform/README.md @@ -7,7 +7,7 @@ ```bash cd /tf/caf/landingzones git pull -git checkout 2112.int +git checkout aci_network ``` diff --git a/templates/enterprise-scale/contoso/platform/connectivity.yaml b/templates/enterprise-scale/contoso/platform/connectivity.yaml deleted file mode 100644 index 77210f19d..000000000 
--- a/templates/enterprise-scale/contoso/platform/connectivity.yaml +++ /dev/null @@ -1,34 +0,0 @@ -virtual_networks: - connectivity_hub1_firewall_egress: - name: firewall-egress-re1 - resource_group_key: contoso_global_firewall - region_key: region1 - address_space: - - - specialsubnets: - AzureFirewallSubnet: - name: AzureFirewallSubnet - cidr: - - - - -azurerm_firewalls: - egress_fw_region1: - name: egress-firewall - resource_group_key: contoso_global_firewall - region_key: region1 - # egress_fw_region2: - # name: egress-firewall - # resource_group_key: contoso_global_wan - # region_key: region2 - -resource_groups: - contoso_global_dns: - name: contoso-connectivity-global-dns - region_key: region1 - contoso_global_firewall: - name: contoso-connectivity-global-firewall - region_key: region1 - contoso_global_er_circuits: - name: contoso-connectivity-global-er-circuits - region_key: region1 diff --git a/templates/enterprise-scale/contoso/platform/connectivity_express_routes.yaml b/templates/enterprise-scale/contoso/platform/connectivity_express_routes.yaml index 46eb0a79f..f90bd43e3 100644 --- a/templates/enterprise-scale/contoso/platform/connectivity_express_routes.yaml +++ b/templates/enterprise-scale/contoso/platform/connectivity_express_routes.yaml @@ -1,5 +1,5 @@ gitops: - caf_landingzone_branch: 2112.int + caf_landingzone_branch: aci_network express_route_circuits: prod: diff --git a/templates/enterprise-scale/contoso/platform/connectivity_firewall.yaml b/templates/enterprise-scale/contoso/platform/connectivity_firewall.yaml deleted file mode 100644 index c4c3a8cbd..000000000 --- a/templates/enterprise-scale/contoso/platform/connectivity_firewall.yaml +++ /dev/null @@ -1,5 +0,0 @@ - -resource_groups: - contoso_global_firewall: - name: contoso-connectivity-global-firewall - region_key: region1 \ No newline at end of file 
diff --git a/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml index 65f8dd692..218f86efd 100644 --- a/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml +++ b/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml @@ -81,7 +81,7 @@ platform_core_setup: v0.3.3: caf_landingzone_branch: "patch.5.4.4" v1.1.1: - caf_landingzone_branch: "2112.int" + caf_landingzone_branch: "aci_network" platform_management: enable: true @@ -113,6 +113,6 @@ notifications: security_center_email_contact: gitops: - caf_landingzone_branch: "2112.int" + caf_landingzone_branch: "aci_network" deployment_mode: interactive rover_log_error: ERROR diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewall_policies.yaml index e9c4e245d..d1a6f3215 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewall_policies.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewall_policies.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: connectivity: diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml index b89bb2a17..2f61eedcf 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: connectivity: 
@@ -30,12 +30,12 @@ subscriptions: resource_group_key: firewall_policies region_key: region1 address_space: - - 10.51.4.0/26 + - 10.201.61.0/24 specialsubnets: AzureFirewallSubnet: name: AzureFirewallSubnet cidr: - - 10.51.4.0/26 + - 10.201.61.0/26 public_ip_addresses: fw_pip1: diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_private_dns.yaml index b1218f556..f9d14ec38 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_private_dns.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_private_dns.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: connectivity: @@ -78,8 +78,8 @@ subscriptions: name: fw-non-prod-plinks-01 vnet_key: vnet lz_key: connectivity_firewalls_non_prod - privatelink.southeastasia.azmk8s.io: - name: privatelink.southeastasia.azmk8s.io + privatelink.southeastasia.azmk8s.io: + name: privatelink.southeastasia.azmk8s.io resource_group_key: dns_connectivity_non_prod vnet_links: fw_non_prod_plinks_01: @@ -94,8 +94,8 @@ subscriptions: name: fw-non-prod-plinks-01 vnet_key: vnet lz_key: connectivity_firewalls_non_prod - privatelink.southeastasia.backup.windowsazure.com: - name: privatelink.southeastasia.backup.windowsazure.com + privatelink.southeastasia.backup.windowsazure.com: + name: privatelink.southeastasia.backup.windowsazure.com resource_group_key: dns_connectivity_non_prod vnet_links: fw_non_prod_plinks_01: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml index 720fc7954..fe412c850 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml 
+++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: connectivity: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml index 54639c529..7c061b4f8 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: connectivity: @@ -30,12 +30,12 @@ subscriptions: resource_group_key: firewall_policies region_key: region1 address_space: - - 10.51.196.0/26 + - 10.101.61.0/24 specialsubnets: AzureFirewallSubnet: name: AzureFirewallSubnet cidr: - - 10.51.196.0/26 + - 10.101.61.0/26 public_ip_addresses: fw_pip1: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml index 4bfa756d6..67840148f 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: connectivity: @@ -76,8 +76,8 @@ subscriptions: name: fw-prod-plinks-01 vnet_key: vnet lz_key: connectivity_firewalls_prod - privatelink.southeastasia.azmk8s.io: - name: privatelink.southeastasia.azmk8s.io + privatelink.southeastasia.azmk8s.io: + name: privatelink.southeastasia.azmk8s.io resource_group_key: dns_connectivity_prod vnet_links: fw_prod_plinks_01: 
@@ -92,8 +92,8 @@ subscriptions: name: fw-prod-plinks-01 vnet_key: vnet lz_key: connectivity_firewalls_prod - privatelink.southeastasia.backup.windowsazure.com: - name: privatelink.southeastasia.backup.windowsazure.com + privatelink.southeastasia.backup.windowsazure.com: + name: privatelink.southeastasia.backup.windowsazure.com resource_group_key: dns_connectivity_prod vnet_links: fw_prod_plinks_01: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml index 5edab1e12..f9177405d 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: identity: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml index 3e3ab8a7c..13b1c54eb 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: 2112.int + landingzones: aci_network deployments: identity: From 50770e4ba95d6bc5e87d7770230d447ddbf6f01e Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Mon, 31 Jan 2022 13:45:32 +0000 Subject: [PATCH 08/67] template - add gitops branch --- templates/enterprise-scale/contoso/platform/asvm.yaml | 3 +++ templates/platform/level2/connectivity/ansible.yaml | 4 ---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/templates/enterprise-scale/contoso/platform/asvm.yaml b/templates/enterprise-scale/contoso/platform/asvm.yaml index 658826a33..8641c70b8 100644 --- a/templates/enterprise-scale/contoso/platform/asvm.yaml 
+++ b/templates/enterprise-scale/contoso/platform/asvm.yaml
@@ -1,3 +1,6 @@
+gitops:
+ landingzones: aci_network
+
 subscriptions:
 asvm:
 resource_groups:
diff --git a/templates/platform/level2/connectivity/ansible.yaml b/templates/platform/level2/connectivity/ansible.yaml
index 62e369916..119700857 100644
--- a/templates/platform/level2/connectivity/ansible.yaml
+++ b/templates/platform/level2/connectivity/ansible.yaml
@@ -24,10 +24,6 @@
 loop_control:
 loop_var: virtual_hub
-- name: "connectivity_vpn_sites"
- debug:
- msg: "{{connectivity_vpn_sites}}"
-
 - name: VPN Sites
 include_tasks: "{{ level }}/{{ base_folder }}/vpn_site/ansible.yaml"
 when:
From c7a11a29700d007756be7c3abc9afd4737f836e3 Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Mon, 31 Jan 2022 15:37:50 +0000
Subject: [PATCH 09/67] Add orion template application landingzone
---
 .../__pycache__/merge_vars.cpython-39.pyc | Bin 4793 -> 4806 bytes
 .../orion-landingzone/config.asvm.yaml | 4 +
 .../orion-landingzone/deployments.yaml | 77 ++
 .../application/orion-landingzone/readme.md | 14 +
 .../orion-landingzone/resources.asvm.yaml | 1015 +++++++++++++++++
 .../orion-landingzone/subscriptions.asvm.yaml | 13 +
 .../orion-landingzone/tfstates.asvm.yaml | 29 +
 7 files changed, 1152 insertions(+)
 create mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml
 create mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml
 create mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/readme.md
 create mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml
 create mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml
 create mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml
diff --git a/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc index fdb1cae7fb477e5235ac8bb3b6b9272b3a761cbf..149a2864e0f386995bd1a2c3652fd8482ff93ff1 100644 GIT binary patch delta 70 zcmdm~dQ6o&k(ZZ?0SK<0d$EywHM@?7eo2~sa$=f(PGVk4W?p(#eqL&^eo1O>K~7=` Xkd;_akdv95Sdy8aSG@Tu`x7nzQh*v3 delta 57 zcmX@6x>J=qk(ZZ?0SKO|6>a2R%`R`PUy`PuoS3FxT#{H+l3Ju+lA2qPlUR~kte;q1 Lmb>{8`x7nz^*0lv diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml new file mode 100644 index 000000000..b39312f88 --- /dev/null +++ b/templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml @@ -0,0 +1,4 @@ +# cleanup_destination - recommended to clean and recreated a clean state from template. +configuration_folders: + asvm: + cleanup_destination: true \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml new file mode 100644 index 000000000..5e0bb44a3 --- /dev/null +++ b/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml 
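Review bot: The commit tracks and updates `templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc`, a compiled-bytecode artifact that is regenerated every time the action plugin runs and cannot be reviewed as a diff; keeping it in the repository means the tree ships executable content nobody reads in review, and any drift from the plugin source it is presumably compiled from (`merge_vars.py` alongside it) goes unnoticed. Drop it from the index with `git rm --cached` on that path and add `__pycache__/` to the repository's `.gitignore` so the source file stays the only reviewed form of the plugin.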
@@ -0,0 +1,77 @@
+deployments:
+  asvm_storage_containers:
+    storage_containers:
+      landingzone:
+        key:
+          asvm:
+            asvm_storage_containers: subscriptions
+        global_settings_key:
+          platform:
+            asvm:
+        remote_tfstates:
+          platform:
+            asvm:
+
+  it_dna_orion_dev:
+    subscriptions:
+      landingzone:
+        key:
+          asvm:
+            it_dna_orion_dev: subscriptions
+        global_settings_key:
+          asvm:
+            asvm_storage_containers: subscriptions
+        remote_tfstates:
+          asvm:
+            asvm_storage_containers: subscriptions
+
+    resources:
+      landingzone:
+        key:
+          asvm:
+            it_dna_orion_dev: resources
+        global_settings_key:
+          platform:
+            virtual_hubs: non_prod
+        remote_tfstates:
+          asvm:
+            it_dna_orion_dev: subscriptions
+            asvm_storage_containers: subscriptions
+          platform:
+            virtual_hubs: non_prod
+            private_dns: non_prod
+            identity_level2:
+          asvm:
+            azurerm_firewalls: non_prod
+
+  it_dna_orion_prod:
+    subscriptions:
+      landingzone:
+        key:
+          asvm:
+            it_dna_orion_prod: subscriptions
+        global_settings_key:
+          asvm:
+            asvm_storage_containers: subscriptions
+        remote_tfstates:
+          asvm:
+            asvm_storage_containers: subscriptions
+
+    resources:
+      landingzone:
+        key:
+          asvm:
+            it_dna_orion_prod: resources
+        global_settings_key:
+          platform:
+            virtual_hubs: prod
+        remote_tfstates:
+          asvm:
+            it_dna_orion_prod: subscriptions
+            asvm_storage_containers: subscriptions
+          platform:
+            virtual_hubs: prod
+            private_dns: prod
+            identity_level2:
+          asvm:
+            azurerm_firewalls: prod
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/readme.md b/templates/enterprise-scale/contoso/application/orion-landingzone/readme.md
new file mode 100644
index 000000000..6ba8ecf43
--- /dev/null
+++ b/templates/enterprise-scale/contoso/application/orion-landingzone/readme.md
@@ -0,0 +1,14 @@
+# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
+
+## Generate the configuration files
+
+```bash
+rover ignite \
+  --playbook /tf/caf/landingzones/templates/applications/ansible.yaml \
+  -e base_templates_folder=/tf/caf/landingzones/templates/applications \
+  -e resource_template_folder=/tf/caf/landingzones/templates/resources \
+  -e destination_base_path=/tf/caf/configuration/contoso/landingzones/ \
+  -e config_folder=/tf/caf/platform-definition/application/ \
+  -e config_folder_platform=/tf/caf/platform-definition
+
+```
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml
new file mode 100644
index 000000000..c37374424
--- /dev/null
+++ b/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml
@@ -0,0 +1,1015 @@ +gitops: + landingzones: aci_network + +subscriptions: + + it_dna_orion_dev: + + resource_groups: + rg: + name: rg-orion-dev + backup: + name: rg-orion-dev-backup + networking: + name: rg-orion-dev-networking + preparation: + name: rg-orion-dev-preparation + modeling: + name: rg-orion-dev-modeling + consumption: + name: rg-orion-dev-consumption + analytics: + name: rg-orion-dev-analytics + + virtual_networks: + vnet: + name: vnet-orion-dev + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_prod_plinks_01: + resource_type: azurerm_firewall + lz_key: connectivity_firewalls_non_prod + key: fw_non_prod_plinks_01 + address_space: + - 10.101.200.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.200.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.200.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + 
cidr: + - 10.101.201.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.201.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.200.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.201.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.201.192/27 + + network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: nsg-databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + 
source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: nsg-databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + 
source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + consumption: + version: 1 + resource_group_key: networking + name: nsg-consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: nsg-databricks-notebook + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + destination_port_ranges: + - 80 + - 443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + 
name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage.SoutheastAsia" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry.SoutheastAsia" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia" + destination_port_ranges: + - 443 + 507: + name: Keyvault SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault.SoutheastAsia" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_dev: + name: vnet-orion-dev-TO-non-prod + virtual_hub: + lz_key: connectivity_virtual_hub_non_prod + key: non_prod + vnet: + vnet_key: vnet + + recovery_vaults: + asr: + name: vault-orion-dev + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + 
keyvaults: + kv_delegated_sp: + name: kvoriondev0001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_non_prod: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_non_prod + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-orion-dev-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + custom_role_definitions: + contributors_extended: + name: lz-orion-dev-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
+ permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/virtualNetworks/join/action + + role_mapping: + custom_role_mapping: + networking: + vnet: + contributors_extended: + azuread_service_principals: + keys: + - sp_LZContributors + + built_in_role_mapping: + subscriptions: + it_dna_orion_dev: + lz_key: it_dna_orion_dev_subscriptions + Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + resource_groups: + preparation: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + modeling: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + consumption: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + analytics: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + storage_containers: + it_dna_orion_prod_level3: + lz_key: it_dna_orion_storage_containers + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + it_dna_orion_dev_level4: + lz_key: it_dna_orion_storage_containers + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + + + it_dna_orion_prod: + + resource_groups: + rg: + name: rg-orion-prod + backup: + name: rg-orion-prod-backup + networking: + name: rg-orion-prod-networking + preparation: + name: rg-orion-prod-preparation + modeling: + name: rg-orion-prod-modeling + consumption: + name: rg-orion-prod-consumption + analytics: + name: rg-orion-prod-analytics + + virtual_networks: + vnet: + name: vnet-orion-prod + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_prod_plinks_01: + resource_type: azurerm_firewall + lz_key: connectivity_firewalls_prod + key: fw_prod_plinks_01 + address_space: + - 10.101.8.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - 
Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.8.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.9.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.9.192/27 + + 
network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: nsg-databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + 
access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: nsg-databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 
consumption: + version: 1 + resource_group_key: networking + name: nsg-consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: nsg-databricks-notebooks + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + destination_port_ranges: + - 80 + - 443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry + access: Allow + protocol: tcp + source_port_range: "*" 
+ source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry" + destination_port_ranges: + - 443 + 507: + name: Keyvault + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_prod: + name: vnet-orion-prod-TO-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet + + recovery_vaults: + asr: + name: vault-orion-prod + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + keyvaults: + kv_delegated_sp: + name: kvolymprod001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_prod: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_prod + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-orion-prod-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: 
true + number: true + expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + azuread_groups_membership: + caf_prod_landingzones_dns_contributors: + azuread_service_principals: + sp_LZContributors: + group_lz_key: identity_level2 + keys: + - sp_LZContributors + caf_ac_landingzone_maintainers_prod: + azuread_service_principals: + sp_LZContributors: + group_lz_key: asvm + keys: + - sp_LZContributors + + custom_role_definitions: + contributors_extended: + name: lz-orion-prod-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." + permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/virtualNetworks/join/action + + role_mapping: + custom_role_mapping: + networking: + vnet: + contributors_extended: + managed_identities: + keys: + - aks_consumption + azuread_service_principals: + keys: + - sp_LZContributors + + built_in_role_mapping: + subscriptions: + it_dna_orion_prod: + lz_key: it_dna_orion_prod_subscriptions + Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + resource_groups: + preparation: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + modeling: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + consumption: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + analytics: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + storage_containers: + it_dna_orion_prod_level3: + lz_key: it_dna_orion_storage_containers + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + it_dna_orion_prod_level4: + lz_key: it_dna_orion_storage_containers + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + \ No newline at end of file 
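Review bot: In the `it_dna_orion_dev` section, `built_in_role_mapping.storage_containers` grants `sp_LZContributors` (the dev-environment principal) `Storage Blob Data Contributor` on `it_dna_orion_prod_level3` alongside `it_dna_orion_dev_level4`; the prod section maps `it_dna_orion_prod_level3` and `it_dna_orion_prod_level4`, so the dev entry looks like a copy-paste that hands the non-prod principal write access to the prod level3 state container and should read `it_dna_orion_dev_level3:`. Two other dev/prod asymmetries deserve a look: the dev `databricks_notebooks` outbound rules use region-scoped service tags (`Storage.SoutheastAsia`, `AzureKeyVault.SoutheastAsia`, …) while prod uses the global tags, and the dev `dns_servers_keys` entry is named `fw_prod_plinks_01` although it points at `fw_non_prod_plinks_01` in `connectivity_firewalls_non_prod`. The prod keyvault is named `kvolymprod001`, which does not follow the `orion` naming used everywhere else in the file (`kvoriondev0001` on the dev side). The prod `custom_role_mapping` also references a `managed_identities` key `aks_consumption` that is not defined anywhere in this file; if it is resolved from a remote tfstate that is fine, otherwise it is a dangling key.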
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml
new file mode 100644
index 000000000..db45e7c58
--- /dev/null
+++ b/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml
@@ -0,0 +1,13 @@
+gitops:
+  landingzones: aci_network
+
+subscriptions:
+  it_dna_orion_dev:
+    it_dna_orion_dev:
+      name: orion-dev
+      management_group_suffix: non-prod
+
+  it_dna_orion_prod:
+    it_dna_orion_prod:
+      name: orion-prod
+      management_group_suffix: prod
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml
new file mode 100644
index 000000000..54e176178
--- /dev/null
+++ b/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml
@@ -0,0 +1,29 @@
+# ### orion ###
+tfstates:
+  asvm:
+    asvm_storage_containers:
+      subscriptions:
+        lz_key_name: it_dna_orion_storage_containers
+        tfstate: it_dna_orion_storage_containers.tfstate
+      workspace: tfstate
+      level: level3
+
+    it_dna_orion_dev:
+      subscriptions:
+        lz_key_name: it_dna_orion_dev_subscriptions
+        tfstate: it_dna_orion_dev_subscriptions.tfstate
+      resources:
+        lz_key_name: it_dna_orion_dev_resources
+        tfstate: it_dna_orion_dev_resources.tfstate
+      workspace: orion-dev
+      level: level3
+
+    it_dna_orion_prod:
+      subscriptions:
+        lz_key_name: it_dna_orion_prod_subscriptions
+        tfstate: it_dna_orion_prod_subscriptions.tfstate
+      resources:
+        lz_key_name: it_dna_orion_prod_resources
+        tfstate: it_dna_orion_prod_resources.tfstate
+      workspace: orion-prod
+      level: level3
From 0dc17b7b04b73560b63c5a8c025cb8909f1ff79a Mon Sep 17 00:00:00 2001
From: LaurentLesle
Date: Thu, 3 Feb 2022 02:32:34 +0000
Subject: [PATCH 10/67] Update orion landingzones
---
 .../contoso/application/orion-landingzone/deployments.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml
index 5e0bb44a3..f22cebc46 100644
--- a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml
+++ b/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml
@@ -40,7 +40,7 @@ deployments:
           platform:
             virtual_hubs: non_prod
             private_dns: non_prod
-            identity_level2:
+            identity_level2: non_prod
           asvm:
             azurerm_firewalls: non_prod
 
@@ -72,6 +72,6 @@ deployments:
           platform:
             virtual_hubs: prod
             private_dns: prod
-            identity_level2:
+            identity_level2: prod
           asvm:
             azurerm_firewalls: prod
\ No newline at end of file
From 30ad3a9825d8504121370ae229a245e7d125e0ad Mon Sep 17 00:00:00 2001
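Review bot: With `identity_level2` now a scalar in both hunks, the `asvm:` / `azurerm_firewalls:` lines that follow it cannot be its children, so they must form a second `asvm` mapping directly under `remote_tfstates`, which in both the dev and prod `resources` deployments already has an `asvm` entry carrying the `subscriptions` and `asvm_storage_containers` references. A duplicate mapping key is rejected by strict YAML loaders and is silently last-wins in PyYAML, which would drop those two tfstate references from the merged configuration. Indentation is collapsed in this view so the nesting is inferred; if the firewall reference is meant to be part of the same block, fold `azurerm_firewalls: non_prod` (and `azurerm_firewalls: prod`) into the existing `asvm:` mapping above `platform:` and delete the trailing `asvm:` key. The same layout exists in the original `deployments.yaml` hunk of the preceding commit, so the fix applies there as well.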
From: LaurentLesle
Date: Fri, 4 Feb 2022 09:43:42 +0000
Subject: [PATCH 11/67] Add template ADDS
---
 .../prod/identity_level2_adds.yaml | 388 ++++++++++++++
 .../__pycache__/merge_vars.cpython-39.pyc | Bin 0 -> 4806 bytes
 .../platform/action_plugins/merge_vars.py | 155 ++++++
 .../level2/identity/adds/azure_monitor.tfvars | 0
 .../identity/adds/configuration.tfvars.j2 | 18 -
 .../identity/adds/cost_management.tfvars | 0
 .../platform/level2/identity/adds/demo.yaml | 34 --
 .../level2/identity/adds/keyvaults.tfvars.j2 | 31 --
 .../adds/network_security_groups.tfvars.j2 | 481 ------------------
 .../platform/level2/identity/adds/readme.md | 26 -
 .../identity/adds/resource_groups.tfvars.j2 | 8 -
 .../level2/identity/adds/site_recovery.tfvars | 0
 .../adds/virtual_hub_connections.tfvars.j2 | 32 --
 .../identity/adds/virtual_networks.tfvars.j2 | 41 --
 .../platform/level2/identity/ansible.yaml | 18 +-
 .../diagnostics/wadcfg.xml | 0
 .../domain_controllers.tfvars.j2.old} | 0
 .../landingzone.tfvars.j2 | 17 +
 .../identity/identity_level2_adds/readme.md | 32 ++
 .../dynamic_keyvault_secrets.tfvars.j2 | 12 +
 .../resources/virtual_machines.tfvars.j2 | 336 ++++++++++++
 21 files changed, 955 insertions(+), 674 deletions(-)
 create mode 100644 templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml
 create mode 100644 templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc
 create mode 100644 templates/platform/action_plugins/merge_vars.py
 delete mode 100644 templates/platform/level2/identity/adds/azure_monitor.tfvars
 delete mode 100644 templates/platform/level2/identity/adds/configuration.tfvars.j2
 delete mode 100644 templates/platform/level2/identity/adds/cost_management.tfvars
 delete mode 100644 templates/platform/level2/identity/adds/demo.yaml
 delete mode 100644 templates/platform/level2/identity/adds/keyvaults.tfvars.j2
 delete mode 100644 templates/platform/level2/identity/adds/network_security_groups.tfvars.j2
 delete mode 100644 templates/platform/level2/identity/adds/readme.md
 delete mode 100644 templates/platform/level2/identity/adds/resource_groups.tfvars.j2
 delete mode 100644 templates/platform/level2/identity/adds/site_recovery.tfvars
 delete mode 100644 templates/platform/level2/identity/adds/virtual_hub_connections.tfvars.j2
 delete mode 100644 templates/platform/level2/identity/adds/virtual_networks.tfvars.j2
 rename templates/platform/level2/identity/{adds => identity_level2_adds}/diagnostics/wadcfg.xml (100%)
 rename templates/platform/level2/identity/{adds/domain_controllers.tfvars.j2 => identity_level2_adds/domain_controllers.tfvars.j2.old} (100%)
 create mode 100644 templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2
 create mode 100644 templates/platform/level2/identity/identity_level2_adds/readme.md
 create mode 100644 templates/resources/dynamic_keyvault_secrets.tfvars.j2
 create mode 100644 templates/resources/virtual_machines.tfvars.j2
diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml
new file mode 100644
index 000000000..e16bf3d2c
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml
@@ -0,0 +1,388 @@ +gitops: + landingzones: aci_network + +deployments: + identity: + landingzone: + key: + platform: + identity_adds: prod + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: + virtual_hubs: prod + + +subscriptions: + identity: + resource_groups: + rg: + name: identity-prod-adds + region_key: region1 + + virtual_networks: + vnet: + name: vnet-identity-prod-adds + resource_group_key: rg + region_key: region1 + address_space: + - 10.10.100.0/27 + dns_servers: + - 10.10.100.4 + - 10.10.100.5 + subnets: + adds: + name: snet-adds + cidr: + - 10.10.100.0/28 + nsg_key: adds_re1 + management: + name: snet-adds-management + cidr: + - 10.10.100.16/28 + + keyvaults: + adds_credentials: + name: addskv + resource_group_key: rg + sku_name: premium + purge_protection_enabled: false + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + dynamic_keyvault_secrets: + adds_credentials: + vmadmin-username: + secret_name: vmadmin-username + value: vmadmin + vmadmin-password: + secret_name: vmadmin-password + value: Very@Str5ngP!44w0rdToChaNge# + + virtual_machines: + adds1: + resource_group: + key: rg + region: region1 + os_type: windows + keyvault_key: adds_credentials + + virtual_machine_settings: + windows: + computer_name: adds1 + name: adds1 + admin_password_key: vmadmin-password + admin_username_key: vmadmin-username + network_interface_keys: + - nic0 + provision_vm_agent: true + size: Standard_F2 + zone: 1 + os_disk: + name: adds1-os + caching: ReadWrite + storage_account_type: Standard_LRS + disk_size_gb: 128 + # identity: + # type: SystemAssigned, UserAssigned + # managed_identity_keys: + # - id1 + # remote: + # lz_key_name1: + # managed_identity_keys: + # - id2 + # - id3 + # lz_key_name2: + # managed_identity_keys: + # - id4 + # - id5 + + # custom_image_id: + + source_image_reference: + publisher: MicrosoftWindowsServer + offer: WindowsServer + sku: 
2019-Datacenter + version: latest + + data_disks: + lun1: + name: adds1-data1 + lun: "1" + caching: None + storage_account_type: Standard_LRS + create_option: Empty + disk_size_gb: 10 + zones: + - "1" + + networking_interfaces: + nic0: + name: 0 + vnet_key: vnet + subnet_key: adds + enable_ip_forwarding: false + internal_dns_name_label: adds1-nic0 + private_ip_address_allocation: Static + private_ip_address: 10.10.100.4 + primary: true + tags: + adds: "ok" + dns_servers: + # - Set on-prem dns + - 10.10.100.5 + network_security_group: + key: adds_re1 + # ip_configurations: + # conf2: + # name: 0-conf + # vnet_key: vnet + # subnet_key: management + # enable_ip_forwarding: false + # private_ip_address_allocation: Static + # private_ip_address: 10.10.100.20 + + adds2: + resource_group: + key: rg + region: region1 + os_type: windows + keyvault_key: adds_credentials + + virtual_machine_settings: + windows: + computer_name: adds2 + name: adds2 + admin_password_key: vmadmin-password + admin_username_key: vmadmin-username + network_interface_keys: + - nic0 + provision_vm_agent: true + size: Standard_F2 + zone: 2 + os_disk: + name: adds2-os + caching: ReadWrite + storage_account_type: Standard_LRS + disk_size_gb: 128 + # identity: + # type: SystemAssigned, UserAssigned + # managed_identity_keys: + # - id1 + # remote: + # lz_key_name1: + # managed_identity_keys: + # - id2 + # - id3 + # lz_key_name2: + # managed_identity_keys: + # - id4 + # - id5 + + + source_image_reference: + publisher: MicrosoftWindowsServer + offer: WindowsServer + sku: 2019-Datacenter + version: latest + + data_disks: + lun1: + name: adds2-data1 + lun: "1" + storage_account_type: Standard_LRS + create_option: Empty + disk_size_gb: 10 + zones: + - "2" + + networking_interfaces: + nic0: + name: 0 + vnet_key: vnet + subnet_key: adds + enable_ip_forwarding: false + internal_dns_name_label: adds2-nic0 + private_ip_address_allocation: Static + private_ip_address: 10.10.100.5 + primary: true + tags: + adds: "ok" 
+ dns_servers: + # - Set on-prem ADDS dns + - 10.10.100.4 + network_security_group: + key: adds_re1 + # ip_configurations: + # conf2: + # name: 0-conf + # vnet_key: vnet + # subnet_key: management + # enable_ip_forwarding: false + # private_ip_address_allocation: Static + # private_ip_address: 10.10.100.21 + + virtual_hub_connections: + vnet_to_hub: + name: vnet-identity-prod-adds-TO-vhub-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet + + network_security_group_definition: + adds_re1: + version: 1 + resource_group_key: rg + region: region1 + name: nsg-adds-re1 + # Reference - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts + # following is for Windows Server 2008 and later + nsg: + Inbound: + 400: + name: W32Time. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + # source_address_prefixes: + # - on-prem CIDR for ADDS + source_port_range: "49152-65535" + destination_port_range: "123" + destination_address_prefix: "*" + 401: + name: RPC Endpoint Mapper. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "135" + destination_address_prefix: "*" + 402: + name: Kerberos password change tcp. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "464" + destination_address_prefix: "*" + 403: + name: Kerberos password change udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "464" + destination_address_prefix: "*" + 404: + name: RPC for LSA, SAM, NetLogon. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "49152-65535" + destination_address_prefix: "*" + 405: + name: LDAP-tcp. 
+ access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "389" + destination_address_prefix: "*" + 406: + name: LDAP-udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "389" + destination_address_prefix: "*" + 407: + name: LDAP SSL. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "636" + destination_address_prefix: "*" + 408: + name: LDAP GC. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "3268" + destination_address_prefix: "*" + 409: + name: LDAP GC SSL. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "3269" + destination_address_prefix: "*" + 410: + name: DNS tcp. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_ranges: + - "53" + - "49152-65535" + destination_port_range: "53" + destination_address_prefix: "*" + 411: + name: DNS udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_ranges: + - "53" + - "49152-65535" + destination_port_range: "53" + destination_address_prefix: "*" + 412: + name: Kerberos tcp. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "88" + destination_address_prefix: "*" + 413: + name: Kerberos udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "88" + destination_address_prefix: "*" + 414: + name: SMB. 
+ access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "445" + destination_address_prefix: "*" + # Adjust the following based on your RPC custom ports configuration + 415: + name: FRS RPC. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "49152-65535" + destination_address_prefix: "*" \ No newline at end of file 
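Review bot: The `adds_re1` NSG allow-list does not restrict anything as written: every inbound rule uses `source_address_prefix: "VirtualNetwork"`, which Azure's built-in `AllowVnetInBound` default rule (priority 65000) already permits, and the definition adds no explicit Deny, so the port list under `Inbound` has no effect until a low-priority deny rule is appended (below). Rules 404 and 415 also open the whole dynamic range `49152-65535` towards `destination_address_prefix: "*"`; the comment above 415 already suggests pinning RPC to fixed ports, and that needs to happen before a deny is added or replication and domain join will break. Separately, `dynamic_keyvault_secrets` commits the domain-controller admin password as a literal (`Very@Str5ngP!44w0rdToChaNge#`) in a checked-in template, and the vault it lands in has `purge_protection_enabled: false` with `Purge` granted to `logged_in_user`; generate the value at deploy time (or read it from the pipeline's secret store) and set `purge_protection_enabled: true` so a compromised operator cannot permanently destroy the credential record. The NSG is attached to both NICs and the `adds` subnet, so the deny applies to the DCs only; if these VMs are ever fronted by a load balancer an `AzureLoadBalancer` allow must be added above the deny.
```yaml
      nsg:
        Inbound:
          # … unchanged: rules 400-415 …
          # Default AllowVnetInBound (65000) sits below this, so the explicit
          # allow rules above only take effect once this deny is present.
          4096:
            name: Deny-all-other-inbound.
            access: Deny
            protocol: "*"
            source_address_prefix: "*"
            source_port_range: "*"
            destination_port_range: "*"
            destination_address_prefix: "*"
```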
diff --git a/templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc new file mode 100644 index 0000000000000000000000000000000000000000..149a2864e0f386995bd1a2c3652fd8482ff93ff1 GIT binary patch literal 4806 zcmZu#&668P6`!6NNwZq*hu51;oCH?~0&7ugDJ160F-uJB-~ic55d(!1molqvN#h;O z$la}7OUzbLSr;}JD!Hao)b24C4*V6Ia^x^qE^y|?0rPu3(terQ>Q;Zv>+bh{@Auwp zxUf)l@cjL&e}-SJInF<*bNUI;c?(56()K-?Q#)y3=b2*<47Cc#hbcOt@e!>>g&yB zFEahncB7LHnz0OrU6uCIB#si<42!L(FAnzxE(hXkE|Japbd z(J!KsPKybrWC@+;;zRgUL9Iz4HJ;|5U(-DwVu zb<)JhhlcOr`aI+vsZ5ArJ?eI&hx`huO7m1%<)M+p98!SM~pdHNzCsum6?jD9k5SW=IJMB zFHqYAnRmeS7w9i$-kL*WPuSs{SUO_*FBo06tE!J#msvjxp16nD;TBe6*9vx-7Z(p} zS>=e)UXPu}Zr2s7@W>#m(5n3)3wq9u`zcd3oa8y%D)*fIxx|mCe%~x)fmplbn8gEH zb;T@YLFOO0n7ej7w`}L$F&AhqD<626UBmgFKdhOR;{5}hptxT)7cmit7rr3KU)su- z3cR*W+O|f@oqVaVRvTz@RBK`?L`IlXljaiVlFraj>n@eAEzVU4|k;{ zG&@ZAl?fePG&sMT@*dt*kvMk1y-*RzH{h6q6mJsnPhT!nz0m+}#X*7t+JGDh>_NJO z2Zefv(z9Dtt;TH%nw zTu4|%$MSx=(64Tun5;1z=hYjeIz+eO=9_dnA63ArPbaUQ4i^pZU*krccEVV1qA`1A za+%aZz_JjqK!iS1C8WB}f4BdP7KjV27G6ffYGHNXa^NA@Cu5hOi$V|fp1?xTE^ejr zV0Jx40thBr#@&35aAy%{Us1?m9Q8b^+bI7=anv$ZWRJ;f>I$?}cu$>L-$qq0tE<$u7_;zdpqqQxNIgdr=L|#de1xLO;T^wfLF2Pp zxdzZIvPJeX%4NXHO79R;&K`0ZD%N0MN8`j`#?2_hfO6Gk<3VlIrkKwr*C?_T$|290 zDF+E19FaoWpuulZ#HS#+7b43=G_3pT8a62WuF?gG8kywtHZ!n9D(l{^9Tz@fuc~PL%(du>LjOF1MhGR_4#sp<9%6b*U)-9s!Ji>u+W8IInY;x-XnCJOt)Soo_t*F|d*BKO zL5OW3+>rI_u3E)U?nhwXFB!2Oc<03N^0^y530Mu)<|kOE$jXzioq+08(3q{8+`Ng? zPl0(%z_Y+UMXHA5TOI~n5eJbL5z;Bt(@nR)%pP=LSrzSap#XJ*j$i>uv8)IMWY^!L zSY~kCHD)b+MlTc^j)6w>Z0twwBj~3{cVPi<@~QQicM5E19u}XAIIo4-bvw)PY;JDy zDT1zi_~Cap`0Mxhhi`1~YxnLIpGdUGj&E=~TzogY3#Zk6{yuUc-Ifu1wwXm=HAr@Fg0oK;OY@D-)=OO(g ztojqJv{rp_da3_oQh+3 zHi|F)>9}=tK1%wb?o)zn#o1&X{1Hbx_|hbzZSXtkPyeyNGRwWxkLa4|H`QmI+(mx@z^{9MhHaId- ztQ(Zu+1!PK^#Gsmh{QI*nSXaML>^=Re~~|T_ND3nE)<1a8;mW%TRJSbmW*!?dg@Zv ncWnX^+$eH^O$%xQpkJvWtEiQbQ_wG~dCRwgmx8&V9L)a@sQ~n+ literal 0 HcmV?d00001 
diff --git a/templates/platform/action_plugins/merge_vars.py b/templates/platform/action_plugins/merge_vars.py
new file mode 100644
index 000000000..b7edcc27a
--- /dev/null
+++ b/templates/platform/action_plugins/merge_vars.py
@@ -0,0 +1,155 @@ +#!/usr/bin/env python + +""" +An Ansible action plugin to allow explicit merging of dict and list facts. + +https://github.com/leapfrogonline/ansible-merge-vars/blob/master/LICENSE.md + +""" + +from ansible.plugins.action import ActionBase +from ansible.errors import AnsibleError +from ansible.utils.vars import isidentifier + + +# Funky import dance for Ansible backwards compatitility (not sure if we +# actually need to do this or not) +try: + from __main__ import display +except ImportError: + from ansible.utils.display import Display # pylint: disable=ungrouped-imports + display = Display() + + +class ActionModule(ActionBase): + """ + Merge all variables in context with a certain suffix (lists or dicts only) + and create a new variable that contains the result of this merge. These + initial suffixed variables can be definied anywhere in the inventory, or by + any other means; as long as they're in the context for the running play, + they'll be merged. + + """ + def run(self, tmp=None, task_vars=None): + suffix_to_merge = self._task.args.get('suffix_to_merge', '') + merged_var_name = self._task.args.get('merged_var_name', '') + dedup = self._task.args.get('dedup', True) + expected_type = self._task.args.get('expected_type') + recursive_dict_merge = bool(self._task.args.get('recursive_dict_merge', False)) + + if 'cacheable' in self._task.args.keys(): + display.deprecated( + "The `cacheable` option does not actually do anything, since Ansible 2.5. " + "No matter what, the variable set by this plugin will be set in the fact " + "cache if you have fact caching enabled. To get rid of this warning, " + "remove the `cacheable` argument from your merge_vars task. This warning " + "will be removed in a future version of this plugin." 
+ ) + + # Validate args + if expected_type not in ['dict', 'list']: + raise AnsibleError("expected_type must be set ('dict' or 'list').") + if not merged_var_name: + raise AnsibleError("merged_var_name must be set") + if not isidentifier(merged_var_name): + raise AnsibleError("merged_var_name '%s' is not a valid identifier" % merged_var_name) + if not suffix_to_merge.endswith('__to_merge'): + raise AnsibleError("Merge suffix must end with '__to_merge', sorry!") + + keys = sorted([key for key in task_vars.keys() + if key.endswith(suffix_to_merge)]) + + display.v("Merging vars in this order: {}".format(keys)) + + # We need to render any jinja in the merged var now, because once it + # leaves this plugin, ansible will cleanse it by turning any jinja tags + # into comments. + # And we need it done before merging the variables, + # in case any structured data is specified with templates. + merge_vals = [self._templar.template(task_vars[key]) for key in keys] + + # Dispatch based on type that we're merging + if merge_vals == []: + if expected_type == 'list': + merged = [] + else: + merged = {} + elif isinstance(merge_vals[0], list): + merged = merge_list(merge_vals, dedup) + elif isinstance(merge_vals[0], dict): + merged = merge_dict(merge_vals, dedup, recursive_dict_merge) + else: + raise AnsibleError( + "Don't know how to merge variables of type: {}".format(type(merge_vals[0])) + ) + + return { + 'ansible_facts': {merged_var_name: merged}, + 'changed': False, + } + + +def merge_dict(merge_vals, dedup, recursive_dict_merge): + """ + To merge dicts, just update one with the values of the next, etc. 
+ """ + check_type(merge_vals, dict) + merged = {} + for val in merge_vals: + if not recursive_dict_merge: + merged.update(val) + else: + # Recursive merging of dictionaries with overlapping keys: + # LISTS: merge with merge_list + # DICTS: recursively merge with merge_dict + # any other types: replace (same as usual behaviour) + for key in val.keys(): + if not key in merged: + # first hit of the value - just assign + merged[key] = val[key] + elif isinstance(merged[key], list): + merged[key] = merge_list([merged[key], val[key]], dedup) + elif isinstance(merged[key], dict): + merged[key] = merge_dict([merged[key], val[key]], dedup, recursive_dict_merge) + else: + merged[key] = val[key] + return merged + + +def merge_list(merge_vals, dedup): + """ To merge lists, just concat them. Dedup if wanted. """ + check_type(merge_vals, list) + merged = flatten(merge_vals) + if dedup: + merged = deduplicate(merged) + return merged + + +def check_type(mylist, _type): + """ Ensure that all members of mylist are of type _type. """ + if not all(isinstance(item, _type) for item in mylist): + raise AnsibleError("All values to merge must be of the same type, either dict or list") + + +def flatten(list_of_lists): + """ + Flattens a list of lists: + >>> flatten([[1, 2] [3, 4]]) + [1, 2, 3, 4] + + I wish Python had this in the standard lib :( + """ + return list((x for y in list_of_lists for x in y)) + + +def deduplicate(mylist): + """ + Just brute force it. This lets us keep order, and lets us dedup unhashable + things, like dicts. Hopefully you won't run into such big lists that + this will ever be a performance issue. + """ + deduped = [] + for item in mylist: + if item not in deduped: + deduped.append(item) + return deduped \ No newline at end of file diff --git a/templates/platform/level2/identity/adds/azure_monitor.tfvars b/templates/platform/level2/identity/adds/azure_monitor.tfvars deleted file mode 100644 index e69de29bb..000000000 
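Review bot: `expected_type` is validated against `'dict'`/`'list'` but afterwards only consulted in the empty-input branch; the dispatch at `elif isinstance(merge_vals[0], list)` merges whatever type the first suffixed variable happens to be, so a task declaring `expected_type: dict` silently receives a list if one inventory source defines the variable as a list. Enforce the declared type before dispatching, `check_type(merge_vals, dict if expected_type == 'dict' else list)` right after the `merge_vals = [...]` comprehension, which also makes the `merge_vals[0]` branching unnecessary. `dedup` and `recursive_dict_merge` are taken raw from `self._task.args`, so a quoted `"false"` in YAML is truthy; coerce both with `boolean()` from `ansible.module_utils.parsing.convert_bool`. This file appears to be a copy of an external plugin (the header docstring links only its LICENSE), so record the upstream commit it was taken from in that docstring so the copy can later be diffed for fixes, and drop the `__pycache__/merge_vars.cpython-39.pyc` committed alongside it — compiled bytecode in the repository cannot be reviewed and Python regenerates it on load anyway.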
diff --git a/templates/platform/level2/identity/adds/configuration.tfvars.j2 b/templates/platform/level2/identity/adds/configuration.tfvars.j2 deleted file mode 100644 index 7c369c753..000000000 --- a/templates/platform/level2/identity/adds/configuration.tfvars.j2 +++ /dev/null @@ -1,18 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}" - level = "level2" - key = "{{ config.tfstates.platform.identity_adds.lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.management.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.management.tfstate }}" - } -{% for key, virtual_hub in tfstates.virtual_hubs.items() %} - {{ config.tfstates.platform.virtual_hubs[key].lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.virtual_hubs[key].tfstate }}" - } -{% endfor %} - } -} diff --git a/templates/platform/level2/identity/adds/cost_management.tfvars b/templates/platform/level2/identity/adds/cost_management.tfvars deleted file mode 100644 index e69de29bb..000000000 diff --git a/templates/platform/level2/identity/adds/demo.yaml b/templates/platform/level2/identity/adds/demo.yaml deleted file mode 100644 index c91a21597..000000000 --- a/templates/platform/level2/identity/adds/demo.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -- name: Identity - ADDS - Clean-up directory - file: - path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/adds" - state: absent - when: - - config.configuration_folders.cleanup_destination | bool - -- name: Identity - ADDS - Creates directory structure - file: - path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/adds" - state: directory - -- name: Identity - ADDS - Creates directory structure for diagnostics - file: - path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/adds/diagnostics" - state: directory - -- name: Identity - ADDS - tfvars - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/adds/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.j2" - - "{{ level }}/{{ base_folder }}/*.md" - -- name: Identity - ADDS - diagnostics - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/adds/diagnostics/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/diagnostics/*.xml" - diff --git a/templates/platform/level2/identity/adds/keyvaults.tfvars.j2 b/templates/platform/level2/identity/adds/keyvaults.tfvars.j2 deleted file mode 100644 index 6c5053f05..000000000 --- a/templates/platform/level2/identity/adds/keyvaults.tfvars.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -keyvaults = { - dc01 = { - name = "dc01-secrets" - resource_group_key = "contoso_identity_adds" - sku_name = "{{ config.platform_core_setup.sku.keyvault }}" - - creation_policies = { - logged_in_user = { - certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"] - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - logged_in_app = { - certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"] - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - } - - diagnostic_profiles = { - operations = { - definition_key = "default_all" - destination_type = "log_analytics" - destination_key = "central_logs" - } - siem = { - definition_key = "siem_all" - destination_type = "storage" - destination_key = "all_regions" - } - } - } -} diff --git a/templates/platform/level2/identity/adds/network_security_groups.tfvars.j2 b/templates/platform/level2/identity/adds/network_security_groups.tfvars.j2 deleted file mode 100644 index 72740f61a..000000000 --- a/templates/platform/level2/identity/adds/network_security_groups.tfvars.j2 +++ /dev/null 
@@ -1,481 +0,0 @@ -# -# Definition of the networking security groups -# -network_security_group_definition = { - # This entry is applied to all subnets with no NSG defined - empty_nsg = { - flow_logs = { - version = 2 - enabled = true - storage_account = { - storage_account_destination = "all_regions" - retention = { - enabled = true - days = 30 - } - } - traffic_analytics = { - enabled = true - log_analytics_workspace_destination = "central_logs" - interval_in_minutes = "10" - } - } - diagnostic_profiles = { - nsg = { - definition_key = "network_security_group" - destination_type = "storage" - destination_key = "all_regions" - } - operations = { - name = "operations" - definition_key = "network_security_group" - destination_type = "log_analytics" - destination_key = "central_logs" - } - } - nsg = [] - } - - azure_bastion_nsg = { - flow_logs = { - version = 2 - enabled = true - storage_account = { - storage_account_destination = "all_regions" - retention = { - enabled = true - days = 30 - } - } - traffic_analytics = { - enabled = false - log_analytics_workspace_destination = "central_logs" - interval_in_minutes = "10" - } - } - - diagnostic_profiles = { - nsg = { - definition_key = "network_security_group" - destination_type = "storage" - destination_key = "all_regions" - } - operations = { - name = "operations" - definition_key = "network_security_group" - destination_type = "log_analytics" - destination_key = "central_logs" - } - } - - nsg = [ - { - name = "bastion-in-allow", - priority = "100" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - { - name = "bastion-control-in-allow-443", - priority = "120" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "135" - source_address_prefix = "GatewayManager" - destination_address_prefix = "*" - }, - { - name = 
"Kerberos-password-change", - priority = "121" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "4443" - source_address_prefix = "GatewayManager" - destination_address_prefix = "*" - }, - { - name = "bastion-vnet-out-allow-22", - priority = "103" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = "VirtualNetwork" - }, - { - name = "bastion-vnet-out-allow-3389", - priority = "101" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "3389" - source_address_prefix = "*" - destination_address_prefix = "VirtualNetwork" - }, - { - name = "bastion-azure-out-allow", - priority = "120" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = "AzureCloud" - } - ] - } - - application_gateway = { - - diagnostic_profiles = { - nsg = { - definition_key = "network_security_group" - destination_type = "storage" - destination_key = "all_regions" - } - operations = { - name = "operations" - definition_key = "network_security_group" - destination_type = "log_analytics" - destination_key = "central_logs" - } - } - - flow_logs = { - version = 2 - enabled = true - storage_account = { - storage_account_destination = "all_regions" - retention = { - enabled = true - days = 30 - } - } - traffic_analytics = { - enabled = true - log_analytics_workspace_destination = "central_logs" - interval_in_minutes = "10" - } - } - - nsg = [ - { - name = "Inbound-HTTP", - priority = "120" - direction = "Inbound" - access = "Allow" - protocol = "*" - source_port_range = "*" - destination_port_range = "80-82" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - { - name = "Inbound-HTTPs", - priority = "130" - 
direction = "Inbound" - access = "Allow" - protocol = "*" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - { - name = "Inbound-AGW", - priority = "140" - direction = "Inbound" - access = "Allow" - protocol = "*" - source_port_range = "*" - destination_port_range = "65200-65535" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - ] - } - - api_management = { - - diagnostic_profiles = { - nsg = { - definition_key = "network_security_group" - destination_type = "storage" - destination_key = "all_regions" - } - operations = { - name = "operations" - definition_key = "network_security_group" - destination_type = "log_analytics" - destination_key = "central_logs" - } - } - flow_logs = { - version = 2 - enabled = true - storage_account = { - storage_account_destination = "all_regions" - retention = { - enabled = true - days = 30 - } - } - traffic_analytics = { - enabled = true - log_analytics_workspace_destination = "central_logs" - interval_in_minutes = "10" - } - } - - nsg = [ - { - name = "Inbound-APIM", - priority = "100" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "3443" - source_address_prefix = "ApiManagement" - destination_address_prefix = "VirtualNetwork" - }, - { - name = "Inbound-Redis", - priority = "110" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "6381-6383" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "VirtualNetwork" - }, - { - name = "Inbound-LoadBalancer", - priority = "120" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "AzureLoadBalancer" - destination_address_prefix = "VirtualNetwork" - }, - { - name = "Outbound-StorageHttp", - priority = "100" - direction = "Outbound" - access = "Allow" 
- protocol = "tcp" - source_port_range = "*" - destination_port_range = "80" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "Storage" - }, - { - name = "Outbound-StorageHttps", - priority = "110" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "Storage" - }, - { - name = "Outbound-AADHttp", - priority = "120" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "80" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "AzureActiveDirectory" - }, - { - name = "Outbound-AADHttps", - priority = "130" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "AzureActiveDirectory" - }, - { - name = "Outbound-SQL", - priority = "140" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "1433" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "SQL" - }, - { - name = "Outbound-EventHub", - priority = "150" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "5671-5672" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "EventHub" - }, - { - name = "Outbound-EventHubHttps", - priority = "160" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "EventHub" - }, - { - name = "Outbound-FileShareGit", - priority = "170" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "445" - source_address_prefix = 
"VirtualNetwork" - destination_address_prefix = "Storage" - }, - { - name = "Outbound-Health", - priority = "180" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "1886" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "INTERNET" - }, - { - name = "Outbound-Monitor", - priority = "190" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "AzureMonitor" - }, - { - name = "Outbound-MoSMTP1itor", - priority = "200" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "25" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "INTERNET" - }, - { - name = "Outbound-SMTP2", - priority = "210" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "587" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "INTERNET" - }, - { - name = "Outbound-SMTP3", - priority = "220" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "25028" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "INTERNET" - }, - { - name = "Outbound-Redis", - priority = "230" - direction = "Outbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "6381-6383" - source_address_prefix = "VirtualNetwork" - destination_address_prefix = "VirtualNetwork" - }, - ] - } - - jumpbox = { - flow_logs = { - version = 2 - enabled = true - storage_account = { - storage_account_destination = "all_regions" - retention = { - enabled = true - days = 30 - } - } - traffic_analytics = { - enabled = true - log_analytics_workspace_destination = "central_logs" - interval_in_minutes = "10" - } - } - - 
diagnostic_profiles = { - nsg = { - definition_key = "network_security_group" - destination_type = "storage" - destination_key = "all_regions" - } - operations = { - name = "operations" - definition_key = "network_security_group" - destination_type = "log_analytics" - destination_key = "central_logs" - } - } - - nsg = [ - { - name = "ssh-inbound-22", - priority = "200" - direction = "Inbound" - access = "Allow" - protocol = "tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = "VirtualNetwork" - }, - ] - } - -} diff --git a/templates/platform/level2/identity/adds/readme.md b/templates/platform/level2/identity/adds/readme.md deleted file mode 100644 index be20632b9..000000000 --- a/templates/platform/level2/identity/adds/readme.md +++ /dev/null @@ -1,26 +0,0 @@ - -### Identity - Active Directory Domain Controllers (ADDS) - -Deploy 2 domain controllers in the primary region - -```bash -# login a with a user member of the caf-maintainers group -rover login -t {{ config.tenant_name }} - -cd {{ destination_base_path }}landingzones -git fetch origin -git checkout {{ config.caf_landingzone_branch }} - -export ARM_USE_AZUREAD=true -caf_env="{{ config.caf_terraform.launchpad.caf_environment }}" - -rover \ - -lz {{ destination_base_path }}landingzones/caf_solution \ - -var-folder {{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ tfstates["identity_adds"].base_config_path }}/adds \ - -tfstate {{ tfstates["identity_adds"].tfstate }} \ - -log-severity ERROR \ - -env ${caf_env} \ - -level {{ level }} \ - -a plan - -``` diff --git a/templates/platform/level2/identity/adds/resource_groups.tfvars.j2 b/templates/platform/level2/identity/adds/resource_groups.tfvars.j2 deleted file mode 100644 index 7d66f7c3f..000000000 --- a/templates/platform/level2/identity/adds/resource_groups.tfvars.j2 +++ /dev/null 
@@ -1,8 +0,0 @@ -resource_groups = { -{% for key, resource_group in identity.resource_groups.items() %} - {{ key }} = { - name = "{{ resource_group.name }}" - region = "{{ resource_group.region_key }}" - } -{% endfor %} -} \ No newline at end of file diff --git a/templates/platform/level2/identity/adds/site_recovery.tfvars b/templates/platform/level2/identity/adds/site_recovery.tfvars deleted file mode 100644 index e69de29bb..000000000 diff --git a/templates/platform/level2/identity/adds/virtual_hub_connections.tfvars.j2 b/templates/platform/level2/identity/adds/virtual_hub_connections.tfvars.j2 deleted file mode 100644 index 5117df94c..000000000 --- a/templates/platform/level2/identity/adds/virtual_hub_connections.tfvars.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -virtual_hub_connections = { -{% for virtual_network_key, virtual_network in identity.virtual_networks.items() %} -{% for vhub_conn_key, vhub_connection in virtual_network.virtual_hub_connection.items() %} - {{ vhub_conn_key }} = { - name = "{{ vhub_connection.name }}" - virtual_hub = { - lz_key = "{{ config.tfstates.platform.virtual_hubs[vhub_connection.virtual_hub.lz_key_name].lz_key_name }}" - key = "{{ vhub_connection.virtual_hub.key }}" - } - vnet = { - vnet_key = "{{ virtual_network_key }}" - } - routing = { -{% for rt_key, route_table in vhub_connection.routing.items() %} - {{ rt_key }} = { - virtual_hub_route_table_key = "{{ route_table.route_table.key }}" - lz_key = "{{ config.tfstates.platform.virtual_hubs[route_table.route_table.lz_key_name].lz_key_name }}" - - propagated_route_table = { -{% if route_table.propagated_route_table.virtual_hub_route_table_keys is defined %} - lz_key = "{{ config.tfstates.platform.virtual_hubs[route_table.propagated_route_table.lz_key_name].lz_key_name }}" - virtual_hub_route_table_keys = {{ route_table.propagated_route_table.virtual_hub_route_table_keys | replace('None','[]') | replace('\'','\"') }} -{% endif %} - labels = {{ route_table.propagated_route_table.labels | replace('None','[]') | replace('\'','\"') }} - } - } -{% endfor %} - } - } -{% endfor %} -{% endfor %} -} \ No newline at end of file diff --git a/templates/platform/level2/identity/adds/virtual_networks.tfvars.j2 b/templates/platform/level2/identity/adds/virtual_networks.tfvars.j2 deleted file mode 100644 index c1080e5a3..000000000 --- a/templates/platform/level2/identity/adds/virtual_networks.tfvars.j2 +++ /dev/null 
@@ -1,41 +0,0 @@ -vnets = { -{% for key, vnet in identity.virtual_networks.items() %} - {{ key }} = { - resource_group_key = "{{vnet.resource_group_key}}" - vnet = { - name = "{{ vnet.name }}" - address_space = {{ vnet.address_space | replace('None','[]') | replace('\'','\"') }} - } - subnets = { -{% if vnet.subnets is defined %} -{% for subnet_key, subnet in vnet.subnets.items() %} - {{ subnet_key }} = { - name = "{{subnet.name}}" - cidr = {{ vnet.subnets[subnet_key].cidr | replace('None','[]') | replace('\'','\"') }} - nsg_key = "empty_nsg" - } -{% endfor %} -{% endif %} - } -{% if vnet.specialsubnets is defined %} - specialsubnets = { -{% for subnet_key, subnet in vnet.specialsubnets.items() %} - {{ subnet_key }} = { - name = "{{subnet.name}}" - cidr = {{ vnet.specialsubnets[subnet_key].cidr | replace('None','[]') | replace('\'','\"') }} - } -{% endfor %} - } -{% endif %} - - # you can setup up to 5 keys - vnet diganostic - diagnostic_profiles = { - vnet = { - definition_key = "networking_all" - destination_type = "log_analytics" - destination_key = "central_logs" - } - } - } -{% endfor %} -} \ No newline at end of file diff --git a/templates/platform/level2/identity/ansible.yaml b/templates/platform/level2/identity/ansible.yaml index 2fdc64f6e..fe87923bd 100644 --- a/templates/platform/level2/identity/ansible.yaml +++ b/templates/platform/level2/identity/ansible.yaml @@ -1,7 +1,7 @@ - name: Creates {{ base_folder }} directory structure shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" -- name: Azure Identity level2 +- name: "[{{ level }} {{ subscription_key }}] - Azure Identity level2" include_tasks: "{{ level }}/ansible_deployment.yaml" when: - config.tfstates.platform.identity_level2 is defined 
@@ -13,7 +13,7 @@ resource_folder: identity_level2 display_name: Azure Identity level2 -- name: Azure Active Directory Domain Services (AADDS) +- name: "[{{ level }} {{ subscription_key }}] - Azure Active Directory Domain Services (AADDS) - Azure managed" include_tasks: "{{ level }}/ansible_deployment.yaml" when: - config.tfstates.platform.identity_level2_aadds is defined @@ -23,4 +23,16 @@ vars: files_matching: "identity_level2_aadds.yaml|identity_level2_aadds.caf.yaml" resource_folder: identity_level2_aadds - display_name: Azure Active Directory Domain Services (AADDS) + display_name: Azure Active Directory Domain Services (AADDS Azure Managed) + +- name: "[{{ level }} {{ subscription_key }}] - Active Directory Domain Services in Virtual Machines" + include_tasks: "{{ level }}/ansible_deployment.yaml" + when: + - config.tfstates.platform.identity_level2_adds is defined + loop: "{{ config.tfstates.platform.identity_level2_adds.keys() }}" + loop_control: + loop_var: deployment + vars: + files_matching: "identity_level2_adds.yaml|identity_level2_adds.caf.yaml" + resource_folder: identity_level2_adds + display_name: Active Directory Domain Services (ADDS in VM) diff --git a/templates/platform/level2/identity/adds/diagnostics/wadcfg.xml b/templates/platform/level2/identity/identity_level2_adds/diagnostics/wadcfg.xml similarity index 100% rename from templates/platform/level2/identity/adds/diagnostics/wadcfg.xml rename to templates/platform/level2/identity/identity_level2_adds/diagnostics/wadcfg.xml diff --git a/templates/platform/level2/identity/adds/domain_controllers.tfvars.j2 b/templates/platform/level2/identity/identity_level2_adds/domain_controllers.tfvars.j2.old similarity index 100% rename from templates/platform/level2/identity/adds/domain_controllers.tfvars.j2 rename to templates/platform/level2/identity/identity_level2_adds/domain_controllers.tfvars.j2.old 
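Review bot: The new `identity_level2_adds` task guards with `when: config.tfstates.platform.identity_level2_adds is defined` but its `loop` calls `.keys()` on that same value; Ansible evaluates `loop` before `when`, so a platform config that has no `identity_level2_adds` block fails the task with an undefined-attribute error instead of skipping it. A default on the loop source keeps the guard effective: `loop: "{{ (config.tfstates.platform.identity_level2_adds | default({})).keys() }}"`. The sibling AADDS task appears to follow the same pattern; its loop line is outside this hunk, so check it too. Separately, the rename of `domain_controllers.tfvars.j2` to `.j2.old` leaves a stale template in the new folder; if the generator renders or copies everything under the folder it would be worth deleting it rather than parking it.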
diff --git a/templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2 b/templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2
new file mode 100644
index 000000000..4d9758f75
--- /dev/null
+++ b/templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2
@@ -0,0 +1,17 @@
+landingzone = {
+ backend_type = "azurerm"
+ global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"
+ level = "{{ config.tfstates.platform.identity_level2_adds[deployment].level }}"
+ key = "{{ config.tfstates.platform.identity_level2_adds[deployment].lz_key_name }}"
+ tfstates = {
+ # Virtual Hub
+ {{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }} = {
+ level = "current"
+ tfstate = "{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}"
+ }
+ {{ config.tfstates.platform.management.lz_key_name }} = {
+ level = "lower"
+ tfstate = "{{ config.tfstates.platform.management.tfstate }}"
+ }
+ }
+}
diff --git a/templates/platform/level2/identity/identity_level2_adds/readme.md b/templates/platform/level2/identity/identity_level2_adds/readme.md
new file mode 100644
index 000000000..8325aa59d
--- /dev/null
+++ b/templates/platform/level2/identity/identity_level2_adds/readme.md
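Review bot: `config.tfstates.platform.virtual_hubs[deployment]` indexes the hub map with the ADDS deployment key, which silently couples the two maps: a key present under `identity_level2_adds` but absent under `virtual_hubs` aborts rendering with an undefined-key error rather than producing a landing zone without a hub reference. If that coupling is intended, say so next to the entry, e.g. replace `# Virtual Hub` with `# Virtual Hub - requires a virtual_hubs entry keyed by the same deployment name`; otherwise wrap the hub block in `{% if config.tfstates.platform.virtual_hubs[deployment] is defined %}`.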
@@ -0,0 +1,32 @@ + +### Identity - Active Directory Domain Controllers (ADDS) + +Deploy 2 domain controllers in the primary region + +```bash +# login a with a user member of the caf-maintainers group +rover login -t {{ config.platform_identity.tenant_name }} + +cd {{ destination_base }}/landingzones +git fetch origin +git checkout {{ resources.gitops.landingzones }} + +rover \ +{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} + --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ +{% endif %} + -lz {{ destination_base }}/landingzones/caf_solution \ + -var-folder {{ destination_path }} \ + -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +{% if platform_subscriptions_details is defined %} + -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ +{% else %} + -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ +{% endif %} + -tfstate {{ config.tfstates.platform.identity_level2_adds[deployment].tfstate }} \ + -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity_level2_adds[deployment].tfstate }}.tfplan \ + -a plan + +``` diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 b/templates/resources/dynamic_keyvault_secrets.tfvars.j2 new file mode 100644 index 000000000..0797ccf1a --- /dev/null +++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2 @@ -0,0 +1,12 @@ +dynamic_keyvault_secrets = { +{% for kv_key, kv_value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} + {{ kv_key }} = { +{% for key, value in kv_value.items() %} + {{ key }} = { + secret_name = "{{ value.secret_name }}" + value = "{{ value['value'] }}" + } +{% endfor %} + } +{% endfor %} +} \ No newline at end of file 
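Review bot: In `dynamic_keyvault_secrets.tfvars.j2`, `value = "{{ value['value'] }}"` interpolates the secret's plaintext into an HCL string with no escaping: a value containing `"` or `\` breaks the generated file, and one containing `${` is evaluated as a Terraform template at plan time. Emitting it through a JSON encoder covers the quoting for common cases, `value = {{ value['value'] | to_json }}` (Ansible's filter; Jinja's `tojson` is equivalent), though `${` still has to be doubled to `$${` separately. Since this writes secret material to disk and it then lands in Terraform state, a header comment in the template stating that the rendered file contains plaintext secrets and must be kept out of version control and CI logs would be worth adding. The `readme.md` section on the same line is documentation only.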
diff --git a/templates/resources/virtual_machines.tfvars.j2 b/templates/resources/virtual_machines.tfvars.j2 new file mode 100644 index 000000000..27192f331 --- /dev/null +++ b/templates/resources/virtual_machines.tfvars.j2 
@@ -0,0 +1,336 @@ +virtual_machines = { +{% for key, value in resources.subscriptions[subscription_key].virtual_machines.items() %} + {{ key }} = { + resource_group = { +{% if value.resource_group.lz_key is defined %} + lz_key = "{{ value.resource_group.lz_key }}" +{% endif %} + key = "{{ value.resource_group.key }}" + } +{% if value.region is defined %} + region = "{{ value.region }}" +{% endif %} +{% if value.os_type is defined %} + os_type = "{{ value.os_type }}" +{% endif %} +{% if value.lz_key is defined %} + // lz_key name of the keyvault key holding the user_name and password when using admin_username_key and admin_password_key + lz_key = "{{ value.lz_key }}" +{% endif %} +{% if value.keyvault_key is defined %} + // keyvault key holding the user_name and password when using admin_username_key and admin_password_key + keyvault_key = "{{ value.keyvault_key }}" +{% endif %} +{% if value.public_key_pem_file is defined %} + public_key_pem_file = "{{ value.public_key_pem_file }}" +{% endif %} +{% if value.tags is defined %} + tags = { +{% for tag_key, tag_value in value.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} + + virtual_machine_settings = { +{% for os_key, os_value in value.virtual_machine_settings.items() %} + {{ os_key }} = { +{% if os_value.name is defined %} + name = "{{ os_value.name }}" +{% endif %} +{% if os_value.computer_name is defined %} + computer_name = "{{ os_value.computer_name }}" +{% endif %} +{% if os_value.admin_username_key is defined %} + admin_username_key = "{{ os_value.admin_username_key }}" +{% endif %} +{% if os_value.admin_password_key is defined %} + admin_password_key = "{{ os_value.admin_password_key }}" +{% endif %} +{% if os_value.allow_extension_operations is defined %} + allow_extension_operations = "{{ os_value.allow_extension_operations }}" +{% endif %} +{% if os_value.availability_set_key is defined %} + availability_set_key = "{{ os_value.availability_set_key }}" +{% endif %} +{% if 
os_value.enable_automatic_updates is defined %} + enable_automatic_updates = "{{ os_value.enable_automatic_updates }}" +{% endif %} +{% if os_value.eviction_policy is defined %} + eviction_policy = "{{ os_value.eviction_policy }}" +{% endif %} +{% if os_value.license_type is defined %} + license_type = "{{ os_value.license_type }}" +{% endif %} +{% if os_value.max_bid_price is defined %} + max_bid_price = "{{ os_value.max_bid_price }}" +{% endif %} +{% if os_value.network_interface_keys is defined %} + network_interface_keys = {{ os_value.network_interface_keys | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% if os_value.priority is defined %} + priority = "{{ os_value.priority }}" +{% endif %} +{% if os_value.provision_vm_agent is defined %} + provision_vm_agent = {{ os_value.provision_vm_agent | lower }} +{% endif %} +{% if os_value.proximity_placement_group_key is defined %} + proximity_placement_group_key = "{{ os_value.proximity_placement_group_key }}" +{% endif %} +{% if os_value.size is defined %} + size = "{{ os_value.size }}" +{% endif %} +{% if os_value.timezone is defined %} + timezone = "{{ os_value.timezone }}" +{% endif %} +{% if os_value.zone is defined %} + zone = "{{ os_value.zone }}" +{% endif %} + os_disk = { + name = "{{ os_value.os_disk.name }}" + caching = "{{ os_value.os_disk.caching }}" +{% if os_value.os_disk.disk_size_gb is defined %} + disk_size_gb = "{{ os_value.os_disk.disk_size_gb }}" +{% endif %} +{% if os_value.os_disk.storage_account_type is defined %} + storage_account_type = "{{ os_value.os_disk.storage_account_type }}" +{% endif %} +{% if os_value.os_disk.write_accelerator_enabled is defined %} + write_accelerator_enabled = {{ os_value.os_disk.write_accelerator_enabled | lower }} +{% endif %} +{% if os_value.os_disk.disk_encryption_set_key is defined %} + disk_encryption_set_key = "{{ os_value.os_disk.disk_encryption_set_key }}" +{% endif %} +{% if os_value.os_disk.lz_key is defined %} + lz_key = "{{ 
os_value.os_disk.lz_key }}" +{% endif %} +{% if os_value.os_disk.diff_disk_settings is defined %} + diff_disk_settings = { + option = os_value.os_disk.diff_disk_settings.option + } +{% endif %} + } +{% if os_value.custom_data is defined %} + custom_data = "{{ os_value.custom_data }}" +{% endif %} +{% if os_value.dedicated_host is defined %} + diff_disk_settings = { +{% if os_value.dedicated_host.id is defined %} + id = "{{ os_value.dedicated_host.id }}" +{% else %} + key = "{{ os_value.dedicated_host.key }}" +{% if os_value.dedicated_host.lz_key is defined %} + lz_key = "{{ os_value.dedicated_host.lz_key }}" +{% endif %} +{% endif %} + } +{% endif %} +{% if os_value.source_image_reference is defined %} + source_image_reference = { +{% if os_value.source_image_reference.publisher is defined %} + publisher = "{{ os_value.source_image_reference.publisher }}" +{% endif %} +{% if os_value.source_image_reference.offer is defined %} + offer = "{{ os_value.source_image_reference.offer }}" +{% endif %} +{% if os_value.source_image_reference.sku is defined %} + sku = "{{ os_value.source_image_reference.sku }}" +{% endif %} +{% if os_value.source_image_reference.version is defined %} + version = "{{ os_value.source_image_reference.version }}" +{% endif %} + } +{% endif %} +{% if os_value.plan is defined %} + plan = { + name = "{{ os_value.plan.name }}" + product = "{{ os_value.plan.product }}" + publisher = "{{ os_value.plan.publisher }}" + } +{% endif %} +{% if os_value.custom_image_id is defined %} + custom_image_id = "{{ os_value.custom_image_id }}" +{% else %} +{% if os_value.custom_image_key is defined %} + custom_image_key = "{{ os_value.custom_image_key }}" +{% endif %} +{% endif %} +{% if os_value.additional_capabilities is defined %} + additional_capabilities = { + ultra_ssd_enabled = {{ os_value.additional_capabilities.ultra_ssd_enabled | lower }} + } +{% endif %} +{% if os_value.additional_unattend_content is defined %} + additional_unattend_content = { + content = 
"{{ os_value.additional_capabilities.content }}" + setting = "{{ os_value.additional_capabilities.setting }}" + } +{% endif %} +{% if os_value.identity is defined %} + identity = { + type = "{{ os_value.identity.type }}" +{% if os_value.identity.managed_identity_keys is defined %} + managed_identity_keys = {{ os_value.identity.managed_identity_keys | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% if os_value.identity.remote is defined %} + remote = { +{% for msi_key, msi_value in os_value.identity.remote.items() %} + {{ msi_key }} = { + managed_identity_keys = {{ msi_value.managed_identity_keys | replace('None','[]') | replace('\'','\"') }} + } +{% endfor %} + } +{% endif %} + } +{% endif %} + } +{% endfor %} + } +{% if value.data_disks is defined %} + data_disks = { +{% for disk_key, disk_value in value.data_disks.items() %} + {{ disk_key }} = { + name = "{{ disk_value.name }}" + lun = {{ disk_value.lun }} + storage_account_type = "{{ disk_value.storage_account_type }}" + create_option = "{{ disk_value.create_option }}" +{% if disk_value.write_accelerator_enabled is defined %} + write_accelerator_enabled = {{ disk_value.write_accelerator_enabled | lower }} +{% endif %} +{% if disk_value.caching is defined %} + caching = "{{ disk_value.caching }}" +{% endif %} +{% if disk_value.disk_size_gb is defined %} + disk_size_gb = "{{ disk_value.disk_size_gb }}" +{% endif %} +{% if disk_value.disk_iops_read_write is defined %} + disk_iops_read_write = "{{ disk_value.disk_iops_read_write }}" +{% endif %} +{% if disk_value.disk_mbps_read_write is defined %} + disk_mbps_read_write = "{{ disk_value.disk_mbps_read_write }}" +{% endif %} +{% if disk_value.disk_encryption_set_key is defined %} + disk_encryption_set_key = "{{ disk_value.disk_encryption_set_key }}" +{% endif %} +{% if disk_value.zones is defined %} + zones = {{ disk_value.zones | map('string') | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% if disk_value.tags is defined %} + tags = { 
+{% for tag_key, tag_value in nic_value.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} + } +{% endfor %} + } +{% endif %} + networking_interfaces = { +{% for nic_key, nic_value in value.networking_interfaces.items() %} + {{ nic_key }} = { + name = "{{ nic_value.name }}" +{% if nic_value.dns_servers is defined %} + dns_servers = {{ nic_value.dns_servers | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% if nic_value.enable_ip_forwarding is defined %} + enable_ip_forwarding = {{ nic_value.enable_ip_forwarding | lower }} +{% endif %} +{% if nic_value.enable_accelerated_networking is defined %} + enable_accelerated_networking = {{ nic_value.enable_accelerated_networking | lower }} +{% endif %} +{% if nic_value.internal_dns_name_label is defined %} + internal_dns_name_label = "{{ nic_value.internal_dns_name_label }}" +{% endif %} +{% if nic_value.tags is defined %} + tags = { +{% for tag_key, tag_value in nic_value.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} +{% if nic_value.subnet_id is defined %} + subnet_id = "{{ nic_value.subnet_id }}" +{% endif %} +{% if nic_value.lz_key is defined %} + lz_key = "{{ nic_value.lz_key }}" +{% endif %} +{% if nic_value.vnet_key is defined %} + vnet_key = "{{ nic_value.vnet_key }}" +{% endif %} +{% if nic_value.subnet_key is defined %} + subnet_key = "{{ nic_value.subnet_key }}" +{% endif %} +{% if nic_value.private_ip_address_allocation is defined %} + private_ip_address_allocation = "{{ nic_value.private_ip_address_allocation }}" +{% endif %} +{% if nic_value.private_ip_address_version is defined %} + private_ip_address_version = "{{ nic_value.private_ip_address_version }}" +{% endif %} +{% if nic_value.private_ip_address is defined %} + private_ip_address = "{{ nic_value.private_ip_address }}" +{% endif %} +{% if nic_value.primary is defined %} + primary = {{ nic_value.primary | lower }} +{% endif %} +{% if nic_value.public_ip_address_id is 
defined %} + public_ip_address_id = "{{ nic_value.public_ip_address_id }}" +{% endif %} +{% if nic_value.public_ip_address_key is defined %} + public_ip_address_key = "{{ nic_value.public_ip_address_key }}" +{% endif %} +{% if nic_value.ip_configurations is defined %} + ip_configurations = { +{% for ipc_key, ipc_value in nic_value.ip_configurations.items() %} + {{ ipc_key }} = { + name = "{{ ipc_value.name }}" +{% if ipc_value.subnet_id is defined %} + subnet_id = "{{ ipc_value.subnet_id }}" +{% endif %} +{% if ipc_value.lz_key is defined %} + lz_key = "{{ ipc_value.lz_key }}" +{% endif %} +{% if ipc_value.vnet_key is defined %} + vnet_key = "{{ ipc_value.vnet_key }}" +{% endif %} +{% if ipc_value.subnet_key is defined %} + subnet_key = "{{ ipc_value.subnet_key }}" +{% endif %} +{% if ipc_value.private_ip_address_allocation is defined %} + private_ip_address_allocation = "{{ ipc_value.private_ip_address_allocation }}" +{% endif %} +{% if ipc_value.private_ip_address_version is defined %} + private_ip_address_version = "{{ ipc_value.private_ip_address_version }}" +{% endif %} +{% if ipc_value.private_ip_address is defined %} + private_ip_address = "{{ ipc_value.private_ip_address }}" +{% endif %} +{% if ipc_value.primary is defined %} + primary = {{ ipc_value.primary | lower }} +{% endif %} +{% if ipc_value.public_ip_address_id is defined %} + public_ip_address_id = "{{ ipc_value.public_ip_address_id }}" +{% endif %} +{% if ipc_value.public_ip_address_key is defined %} + public_ip_address_key = "{{ ipc_value.public_ip_address_key }}" +{% endif %} + } +{% endfor %} + } +{% endif %} +{% if nic_value.network_security_group is defined %} + network_security_group = { +{% if nic_value.network_security_group.lz_key is defined %} + lz_key = "{{ nic_value.network_security_group.lz_key }}" +{% endif %} +{% if nic_value.network_security_group.key is defined %} + key = "{{ nic_value.network_security_group.key }}" +{% endif %} + } +{% endif %} + } +{% endfor %} + } + } +{% 
endfor %} +} \ No newline at end of file From 4fa3a1cd1bcf95228adbfe93aed65feca98577e0 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Fri, 4 Feb 2022 10:32:38 +0000 Subject: [PATCH 12/67] Update template launchpad logged_in_user --- templates/platform/level0/launchpad/role_mappings.tfvars.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 index 0eca43529..e062aa812 100644 --- a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 +++ b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 @@ -181,8 +181,8 @@ role_mapping = { {% endif %} ] } - } {% endif %} + } "Storage Blob Data Reader" = { azuread_groups = { keys = [ From 1107a2cfa17a0a3d7491f9c30dfee137b82d6681 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Fri, 4 Feb 2022 10:43:24 +0000 Subject: [PATCH 13/67] Add root_parent_id support --- caf_solution/add-ons/caf_eslz/enterprise_scale.tf | 2 +- caf_solution/add-ons/caf_eslz/variables.tf | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf index d5e4237e6..7c825b08d 100644 --- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf +++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf @@ -12,7 +12,7 @@ module "enterprise_scale" { azurerm.management = azurerm } - root_parent_id = data.azurerm_client_config.current.tenant_id + root_parent_id = var.root_parent_id == null ? data.azurerm_client_config.current.tenant_id : var.root_parent_id default_location = local.global_settings.regions[local.global_settings.default_region] #path to the policies definition and assignment repo diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf index 1e3ce879c..f67f92de1 100644 --- a/caf_solution/add-ons/caf_eslz/variables.tf 
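Review bot: Four rendering defects in the new `virtual_machines.tfvars.j2`: `option = os_value.os_disk.diff_disk_settings.option` lacks `{{ }}` and quotes, so the expression text itself lands in the tfvars; the `dedicated_host` block is emitted under the key `diff_disk_settings = {`, so a VM with a dedicated host gets a second `diff_disk_settings` attribute and no `dedicated_host`; `additional_unattend_content` reads `content` and `setting` from `os_value.additional_capabilities` instead of `os_value.additional_unattend_content`; and the data-disk `tags` loop iterates `nic_value.tags`, a name that is only bound later inside the `networking_interfaces` loop, so any tagged data disk fails to render. The rewritten lines are below; everything else in the hunk is unchanged.
```jinja
{# … unchanged: os_disk attributes … #}
{% if os_value.os_disk.diff_disk_settings is defined %}
        diff_disk_settings = {
          option = "{{ os_value.os_disk.diff_disk_settings.option }}"
        }
{% endif %}
{# … unchanged: custom_data … #}
{% if os_value.dedicated_host is defined %}
        dedicated_host = {
{# … unchanged: id / key / lz_key selection … #}
        }
{% endif %}
{# … unchanged: source_image_reference, plan, custom image, additional_capabilities … #}
{% if os_value.additional_unattend_content is defined %}
        additional_unattend_content = {
          content = "{{ os_value.additional_unattend_content.content }}"
          setting = "{{ os_value.additional_unattend_content.setting }}"
        }
{% endif %}
{# … unchanged: identity block, data_disks attributes … #}
{% if disk_value.tags is defined %}
        tags = {
{% for tag_key, tag_value in disk_value.tags.items() %}
          {{ tag_key }} = "{{ tag_value }}"
{% endfor %}
        }
{% endif %}
```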
+++ b/caf_solution/add-ons/caf_eslz/variables.tf @@ -85,6 +85,17 @@ variable "root_name" { } } +variable "root_parent_id" { + type = string + description = "If specified, will deploy the Enterprise scale bellow the root_parent_id." + default = null + + validation { + condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id)) + error_message = "The root_parent_id value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens." + } +} + variable "deploy_core_landing_zones" { type = bool description = "If set to true, will include the core Enterprise-scale Management Group hierarchy." From cbeb705c63a13126c46c7d8a2c5f0406ae03185e Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Fri, 4 Feb 2022 10:46:21 +0000 Subject: [PATCH 14/67] Update template --- templates/platform/level1/eslz/enterprise_scale.tfvars.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 index 4c56e4470..56045fc03 100644 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 +++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 @@ -1,4 +1,7 @@ library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib" +{% if config.platform_core_setup.enterprise_scale.root_parent_id is defined %} +root_parent_id = "{{ config.platform_core_setup.enterprise_scale.root_parent_id }}" +{% endif %} root_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}" root_name = "{{ config.platform_core_setup.enterprise_scale.management_group_name }}" deploy_core_landing_zones = {{ config.platform_core_setup.enterprise_scale.deploy_core_landing_zones | string | lower }} From 6fa7160903e1fefda45915feaff8ffb6cfde7202 Mon Sep 17 00:00:00 2001 
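Review bot: The `validation` block rejects the variable's own default: `regex()` on a `null` argument raises, `can()` turns that into `false`, and unless your Terraform version skips validation for null values every plan that leaves `root_parent_id` unset fails. Guard the null case explicitly, `condition = var.root_parent_id == null || can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id))`. The 2–10 character bound also rejects a tenant-ID GUID, which is exactly what the default branch in `enterprise_scale.tf` feeds into the same `root_parent_id` argument, so the limit should probably match whatever management-group IDs callers are expected to pass. `bellow` in the description should read `below`.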
From: LaurentLesle Date: Fri, 4 Feb 2022 11:10:15 +0000 Subject: [PATCH 15/67] Update global tags --- .../level0/launchpad/global_settings.tfvars.j2 | 10 +++++++--- .../platform/level0/launchpad/role_mappings.tfvars.j2 | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/templates/platform/level0/launchpad/global_settings.tfvars.j2 b/templates/platform/level0/launchpad/global_settings.tfvars.j2 index 6bd04bfce..4e7060760 100644 --- a/templates/platform/level0/launchpad/global_settings.tfvars.j2 +++ b/templates/platform/level0/launchpad/global_settings.tfvars.j2 @@ -36,8 +36,12 @@ launchpad_key_names = { ] } + +{% if config.caf_terraform.launchpad.tags is defined %} # Global tags tags = { - ApplicationOwner = "sre" - BusinessUnit = "sre" -} \ No newline at end of file +{% for tag_key, tag_value in config.caf_terraform.launchpad.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 index e062aa812..323e49403 100644 --- a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 +++ b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 @@ -8,7 +8,7 @@ role_mapping = { built_in_role_mapping = { {% if config.platform_core_setup %} management_group = { - root = { + {{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = { "User Access Administrator" = { {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in = { @@ -183,6 +183,7 @@ role_mapping = { } {% endif %} } +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Storage Blob Data Reader" = { azuread_groups = { keys = [ @@ -192,6 +193,7 @@ role_mapping = { ] } } +{% endif %} } } } From 6cfbd1ece61ea8a1378f5ba33edc69d731e8364d Mon Sep 17 00:00:00 2001 
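Review bot: In `role_mappings.tfvars.j2` the management-group key is now rendered bare, `{{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = {`, but an unquoted HCL attribute name must start with a letter or underscore; a `root_parent_id` beginning with a digit, which the new validation regex in `variables.tf` admits, yields an unparsable tfvars file. Quoting the key is valid for any value the validation accepts: `"{{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }}" = {`. The `{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}` guard around "Storage Blob Data Reader" opens and closes within the file's two later hunks and reads fine.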
From: LaurentLesle Date: Fri, 4 Feb 2022 11:39:29 +0000 Subject: [PATCH 16/67] Update vhub peering and ddos --- .../platform/connectivity_virtual_wan.yaml | 9 +++++++++ .../platform/contoso.caf.platform.yaml | 3 +++ .../non_prod/connectivity_firewalls.yaml | 2 +- .../prod/connectivity_firewalls.yaml | 2 +- .../prod/identity_level2_aadds.yaml | 2 +- .../prod/identity_level2_adds.yaml | 2 +- .../launchpad/global_settings.tfvars.j2 | 1 - templates/platform/level0/launchpad/readme.md | 2 ++ .../virtual_wan/ddos_services.tfvars.j2 | 20 +++++++++++++++++++ 9 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 diff --git a/templates/enterprise-scale/contoso/platform/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/connectivity_virtual_wan.yaml index 6de263ee3..13ecd14df 100644 --- a/templates/enterprise-scale/contoso/platform/connectivity_virtual_wan.yaml +++ b/templates/enterprise-scale/contoso/platform/connectivity_virtual_wan.yaml @@ -8,3 +8,12 @@ resource_groups: global_wan: name: connectivity-global-wan region_key: region1 + ddos_services: + name: connectivity-ddos + region_key: region1 + +ddos_services: + region1: + name: ddos-re1 + region_key: region1 + resource_group_key: ddos_services diff --git a/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml index 218f86efd..d8b94122a 100644 --- a/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml +++ b/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml @@ -30,6 +30,9 @@ caf_terraform: subscription_id: subscription_name: contoso-caf-launchpad tenant_id: + # Global tags + tags: + application_owner: sre billing_subscription_role_delegations: # true: enable this deployment. The remaining attributes are required. 
diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml index 2f61eedcf..7541b5e4d 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml @@ -9,7 +9,7 @@ deployments: azurerm_firewalls: non_prod global_settings_key: platform: - management: + virtual_hubs: non_prod remote_tfstates: platform: virtual_hubs: non_prod diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml index 7c061b4f8..fe4c173ad 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml @@ -9,7 +9,7 @@ deployments: azurerm_firewalls: prod global_settings_key: platform: - management: + virtual_hubs: prod remote_tfstates: platform: virtual_hubs: prod diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml index 13b1c54eb..b4fa33d43 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml @@ -9,7 +9,7 @@ deployments: identity_aadds: prod global_settings_key: platform: - management: + virtual_hubs: prod remote_tfstates: platform: management: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml index e16bf3d2c..bcdc6753f 100644 
--- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml @@ -9,7 +9,7 @@ deployments: identity_adds: prod global_settings_key: platform: - management: + virtual_hubs: prod remote_tfstates: platform: management: diff --git a/templates/platform/level0/launchpad/global_settings.tfvars.j2 b/templates/platform/level0/launchpad/global_settings.tfvars.j2 index 4e7060760..c886e95eb 100644 --- a/templates/platform/level0/launchpad/global_settings.tfvars.j2 +++ b/templates/platform/level0/launchpad/global_settings.tfvars.j2 @@ -36,7 +36,6 @@ launchpad_key_names = { ] } - {% if config.caf_terraform.launchpad.tags is defined %} # Global tags tags = { diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index fb887b631..361e6ed95 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md @@ -23,7 +23,9 @@ Elevate your credentials to the tenant root level to have enough privileges to c # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner. {% endif %} rover login -t {{ config.platform_identity.tenant_name }} +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" +{% endif %} ``` {% endif %} diff --git a/templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 b/templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 new file mode 100644 index 000000000..7fddf3f6c --- /dev/null +++ b/templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 
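Review bot: `identity_level2_adds.yaml` now declares `global_settings_key: platform: virtual_hubs: prod`, yet the new `identity_level2_adds/landingzone.tfvars.j2` hard-codes `global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"` and never reads the deployment's value, so it is unclear which of the two is authoritative; the `connectivity_firewalls` and `identity_level2_aadds` deployment files earlier in this patch make the same switch. If the generator is meant to honour the deployment's `global_settings_key`, the template should derive its value from it; if it is not, the attribute is dead configuration and a comment such as `# global settings are taken from the management tfstate by the template` would stop the next reader chasing the same mismatch.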
@@ -0,0 +1,20 @@ +ddos_services = { +{% for key, value in connectivity_virtual_wan.ddos_services.items() %} + "{{key}}" = { + resource_group_key = "{{ value.resource_group_key }}" + name = "{{ value.name }}" +{% if value.region_key is defined %} + region = "{{ value.region_key}}" +{% elif value.region is defined %} + region = "{{ value.region}}" +{% endif %} +{% if value.tags is defined %} + tags = { +{% for tag_key, tag_value in value.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} + } +{% endfor %} +} From de0061754bcff7da52ef87408a2df7bc5c925b7e Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Sat, 5 Feb 2022 08:00:05 +0000 Subject: [PATCH 17/67] Template add - subscription ids --- .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 14 +++--- .../eslz/subscription_id_overrides.tfvars.j2 | 49 ++++++++++++++++++- 2 files changed, 54 insertions(+), 9 deletions(-) diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 index d5fd9fbb1..5c0ef8732 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 
@@ -1,10 +1,10 @@ custom_landing_zones = { {% for key, level in mg_custom.archetype_definitions.items() %} {{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ key }} = { - display_name = "{{ mg_custom.archetype_definitions[key].display_name }}" - parent_management_group_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}" + display_name = "{{ level.display_name }}" + parent_management_group_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ level.parent_management_group_id }}" archetype_config = { - archetype_id = "{{mg_custom.archetype_definitions[key].archetype_id }}" + archetype_id = "{{ mg_custom.archetype_definitions[key].archetype_id }}" {% if mg_custom.archetype_definitions[key].policy_assignments is defined %} parameters = { {% for pa_key, pa_value in mg_custom.archetype_definitions[key].policy_assignments.items() %} @@ -36,9 +36,9 @@ custom_landing_zones = { {% else %} parameters = {} {% endif %} -{% if mg_custom.archetype_definitions[key].archetype_config.access_control is defined %} +{% if level.archetype_config.access_control is defined %} access_control = { -{% for level_ac_key, level_ac in mg_custom.archetype_definitions[key].archetype_config.access_control.items() %} +{% for level_ac_key, level_ac in level.archetype_config.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} "{{ level_role_key }}" = { @@ -55,8 +55,8 @@ custom_landing_zones = { {% endif %} } subscriptions = {} -{% if mg_custom.subscription_ids is defined %} - subscription_ids = {{ mg_custom.subscription_ids | replace('None','[]') | replace('\'','\"') }} +{% if level.subscription_ids is defined %} + subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('\'','\"') }} {% else %} subscription_ids = [] {% endif %} 
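Review bot: The new `subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('\'','\"') }}` line builds HCL by text-patching Python's repr of the YAML value, which only works while that repr happens to look like an HCL list and only handles a null by matching the literal word `None`. If, as the ansible.builtin.template task later in this series suggests, the template is rendered by Ansible, `subscription_ids = {{ level.subscription_ids | default([], true) | to_json }}` emits a valid HCL list directly and maps a null to `[]` without string replacement. The same replace chain is repeated for every key in subscription_id_overrides.tfvars.j2 and could be swapped for the same filter there.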
diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 index 7cfcc03e1..6ea776b4e 100644 --- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 
@@ -1,11 +1,55 @@ subscription_id_overrides = { {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - root = [] +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %} + root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('\'','\"') }} +{% else %} + root = [] +{% endif %} +{% endif %} {% else %} - root = [ + {{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = [ "{{ config.caf_terraform.launchpad.subscription_id }}" ] {% endif %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} + decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('\'','\"') }} +{% else %} + decommissioned = [] +{% endif %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes is defined %} + sandboxes = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('\'','\"') }} +{% else %} + sandboxes = [] +{% endif %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %} + landing-zones = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('\'','\"') }} +{% else %} + landing-zones = [] +{% endif %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform is defined %} + platform = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('\'','\"') }} +{% else %} + platform = [] +{% endif %} +{% if 
config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity is defined %} + connectivity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('\'','\"') }} +{% else %} + connectivity = [] +{% endif %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.management is defined %} + management = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('\'','\"') }} +{% else %} + management = [] +{% endif %} +{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity is defined %} + identity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('\'','\"') }} +{% else %} + identity = [] +{% endif %} +{% else %} + root = [] decommissioned = [] sandboxes = [] landing-zones = [] @@ -13,6 +57,7 @@ subscription_id_overrides = { connectivity = [] management = [] identity = [] +{% endif %} } {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} From 57cac28d6c932eb453e1c88b33b10eb6196d28a4 Mon Sep 17 00:00:00 2001 
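Review bot: In logged_in_user mode with no `subscription_id_overrides` block in the config, the rendered map contains `root` twice: once as `{{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = [ ... ]` from the first branch and again as `root = []` from the trailing `{% else %}` defaults, which Terraform should reject as a duplicate object key. The fallback block must not emit root when the logged-in-user branch already has, so wrap that one line inside the else branch as `{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}`, `  root = []`, `{% endif %}`. Separately, the repeated `replace('None','[]') | replace('\'','\"')` chain can be written as `| default([], true) | to_json` if this is rendered by Ansible, which yields valid HCL without depending on Python's repr format.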
From: LaurentLesle Date: Mon, 7 Feb 2022 10:11:25 +0000 Subject: [PATCH 18/67] Update templates for rover ignite --- .../add-ons/caf_eslz/enterprise_scale.tf | 2 +- caf_solution/landingzone.tf | 6 +- .../platform/connectivity_virtual_hub.yaml | 8 ++ .../prod/connectivity_firewall_policies.yaml | 23 ++-- .../prod/connectivity_firewalls.yaml | 23 ++-- .../prod/connectivity_private_dns.yaml | 23 ++-- .../deployments/prod/identity_level2.yaml | 53 ++++++++- .../prod/identity_level2_aadds.yaml | 25 ++--- .../prod/identity_level2_adds.yaml | 32 ++++-- ...chetype_config_overrides.caf.platform.yaml | 1 - .../custom_landing_zones.caf.platform.yaml | 12 ++- .../role_definition_caf_vhub_peering.json | 1 + .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 6 +- .../level2/ansible_resource_deployment.yaml | 11 ++ ...ration.tfvars.j2 => landingzone.tfvars.j2} | 8 +- ...ration.tfvars.j2 => landingzone.tfvars.j2} | 0 ...ration.tfvars.j2 => landingzone.tfvars.j2} | 0 .../level2/connectivity/vpn_site/readme.md | 39 +++++++ .../connectivity/vpn_site/vpn_sites.tfvars.j2 | 9 ++ .../identity_level2/landingzone.tfvars.j2 | 12 --- .../landingzone.tfvars.j2 | 17 --- .../domain_controllers.tfvars.j2.old | 102 ------------------ .../landingzone.tfvars.j2 | 17 --- .../resources/container_groups.tfvars.j2 | 34 ++++++ templates/resources/landingzone.tfvars.j2 | 34 ++++-- .../resources/virtual_machines.tfvars.j2 | 22 ++++ 26 files changed, 297 insertions(+), 223 deletions(-) rename templates/platform/level2/connectivity/virtual_hub/{configuration.tfvars.j2 => landingzone.tfvars.j2} (89%) rename templates/platform/level2/connectivity/virtual_wan/{configuration.tfvars.j2 => landingzone.tfvars.j2} (100%) rename templates/platform/level2/connectivity/vpn_site/{configuration.tfvars.j2 => landingzone.tfvars.j2} (100%) create mode 100644 templates/platform/level2/connectivity/vpn_site/readme.md delete mode 100644 templates/platform/level2/identity/identity_level2/landingzone.tfvars.j2 delete mode 100644 
templates/platform/level2/identity/identity_level2_aadds/landingzone.tfvars.j2 delete mode 100644 templates/platform/level2/identity/identity_level2_adds/domain_controllers.tfvars.j2.old delete mode 100644 templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2 create mode 100644 templates/resources/container_groups.tfvars.j2 diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf index 7c825b08d..38311662a 100644 --- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf +++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf @@ -4,7 +4,7 @@ module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" version = "1.1.1" - # source = "../../../../eslz" + # source = "/tf/caf/eslz" providers = { azurerm = azurerm diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf index 9899b41ae..369bdca62 100644 --- a/caf_solution/landingzone.tf +++ b/caf_solution/landingzone.tf @@ -1,8 +1,8 @@ module "solution" { - source = "aztfmod/caf/azurerm" - version = "5.5.1" + # source = "aztfmod/caf/azurerm" + # version = "5.5.1" - # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=master" + source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" # source = "../../aztfmod" providers = { diff --git a/templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml b/templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml index 821036a2f..5ca7fccff 100644 --- a/templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml +++ b/templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml 
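Review bot: The solution module now resolves from a mutable branch, `source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network"`, with the registry pin `version = "5.5.1"` commented out, so each init pulls whatever that branch contains at the time and nothing ties this repo to a reviewed revision of the module. If the branch is needed for an unreleased feature, pin it to a commit with `?ref=<full commit sha>` and restore `source = "aztfmod/caf/azurerm"` plus a `version` once the feature is released. The enterprise_scale.tf hunk just above keeps its registry pin (`version = "1.1.1"`), which is the pattern to keep here. The module block continues outside the hunk.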
@@ -1,3 +1,11 @@ +custom_variables: + prod: + virtual_hub_lz_key: connectivity_virtual_hub_prod + # ddos_protection_plan_id: put ddos plan resource id + non_prod: + virtual_hub_lz_key: connectivity_virtual_hub_non_prod + # ddos_protection_plan_id: put ddos plan resource id + virtual_hubs: prod: name: Production diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml index fe412c850..1b3d47aa8 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml @@ -3,17 +3,18 @@ gitops: deployments: connectivity: - landingzone: - key: - platform: - private_dns: prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - asvm: + prod: + landingzone: + key: + platform: + private_dns: prod + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: + asvm: subscriptions: connectivity: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml index fe4c173ad..601b2972a 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml 
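Review bot: The firewall-policies deployment still declares its landing-zone key as `private_dns: prod`, which is the key the private DNS deployment uses, while the connectivity_firewalls deployment in the next file resolves its policies through `remote_tfstates: platform: azurerm_firewall_policies: prod`. If the `key.platform` entry selects the tfstate a deployment writes to (as the templates/resources/landingzone.tfvars.j2 change later in this series suggests), the policies would land in the private_dns state and the firewalls deployment would look up a state no deployment produces. The new side should probably read `azurerm_firewall_policies: prod` under `landingzone: key: platform:`; worth confirming against config.tfstates before merging.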
@@ -3,17 +3,18 @@ gitops: deployments: connectivity: - landingzone: - key: - platform: - azurerm_firewalls: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - virtual_hubs: prod - azurerm_firewall_policies: prod + prod: + landingzone: + key: + platform: + azurerm_firewalls: prod + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + virtual_hubs: prod + azurerm_firewall_policies: prod subscriptions: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml index 67840148f..53e896c2c 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml @@ -3,16 +3,19 @@ gitops: deployments: connectivity: - landingzone: - key: - platform: - private_dns: prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: + prod: + landingzone: + key: + platform: + private_dns: prod + global_settings_key: + platform: + virtual_wan: + remote_tfstates: + platform: + virtual_wan: + azurerm_firewalls: prod + identity_level2: prod subscriptions: connectivity: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml index f9177405d..f888e06c4 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml 
@@ -3,11 +3,62 @@ gitops: deployments: identity: + prod: + landingzone: + key: + platform: + identity_level2: prod + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: subscriptions: identity: + resource_groups: + management: + name: management + azuread_groups: caf_non_prod_landingzones_dns_contributors: name: caf ac non_prod landingzones dns contributors caf_prod_landingzones_dns_contributors: - name: caf ac prod landingzones dns contributors \ No newline at end of file + name: caf ac prod landingzones dns contributors + + recovery_vaults: + asr: + name: asr + resource_group_key: management + soft_delete_enabled: true + backup_policies: + vms: + default: + name: vm-default-policy + # Default to UTC + # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + retention_weekly: + count: 2 + weekdays: + - Sunday + retention_monthly: + count: 2 + weeks: + - First + weekdays: + - Sunday + retention_yearly: + count: 1 + weeks: + - First + months: + - January + weekdays: + - Sunday \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml index b4fa33d43..f022c591b 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml 
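Review bot: The backup policy's comment `# Default to UTC` sits directly above `timezone: "SE Asia Standard Time"`, so the sample contradicts its own note and anyone copying it gets a 23:00 Singapore schedule while believing it runs on UTC. Either set `timezone: "UTC"` to match the comment, or reword it to `# Timezone of the backup schedule (UTC unless overridden)` and keep the example value. `soft_delete_enabled: true` on the asr vault is the right default for a vault that protects the identity VMs; a one-line comment saying it is deliberate would stop a later "cleanup" from flipping it.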
@@ -3,18 +3,19 @@ gitops: deployments: identity: - landingzone: - key: - platform: - identity_aadds: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - management: - virtual_hubs: prod - + prod: + landingzone: + key: + platform: + identity_aadds: prod + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + management: + virtual_hubs: prod + identity_level2: prod subscriptions: identity: diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml index bcdc6753f..0dbe19965 100644 --- a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml +++ b/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml @@ -3,17 +3,19 @@ gitops: deployments: identity: - landingzone: - key: - platform: - identity_adds: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - management: - virtual_hubs: prod + prod: + landingzone: + key: + platform: + identity_level2_adds: prod + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + management: + virtual_hubs: prod + identity_level2: prod subscriptions: @@ -76,6 +78,10 @@ subscriptions: region: region1 os_type: windows keyvault_key: adds_credentials + backup: + vault_key: asr + policy_key: default + lz_key: identity_level2 virtual_machine_settings: windows: @@ -158,6 +164,10 @@ subscriptions: region: region1 os_type: windows keyvault_key: adds_credentials + backup: + vault_key: asr + policy_key: default + lz_key: identity_level2 virtual_machine_settings: windows: diff --git a/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml index c09590f41..7aa928486 100644 
--- a/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml +++ b/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml @@ -294,7 +294,6 @@ archetype_definitions: archetype_id: platform_identity policy_assignments: Deny-RDP-From-Internet: - Deny-Public-IP: archetype_config: access_control: Owner: diff --git a/templates/enterprise-scale/contoso/platform/eslz/custom_landing_zones.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/eslz/custom_landing_zones.caf.platform.yaml index bdb6f5356..93a921f59 100644 --- a/templates/enterprise-scale/contoso/platform/eslz/custom_landing_zones.caf.platform.yaml +++ b/templates/enterprise-scale/contoso/platform/eslz/custom_landing_zones.caf.platform.yaml @@ -3,19 +3,29 @@ archetype_definitions: display_name: Corp archetype_id: landingzone_corp parent_management_group_id: landing-zones + # subscription_ids: + # policy_assignments: online: display_name: Online archetype_id: landingzone_online parent_management_group_id: landing-zones + # subscription_ids: + # policy_assignments: corp-prod: display_name: Production archetype_id: landingzone_prod parent_management_group_id: corp + # subscription_ids: + # policy_assignments: corp-non-prod: display_name: Non Production archetype_id: landingzone_non_prod parent_management_group_id: corp + # subscription_ids: + # policy_assignments: online-web: display_name: Non Production archetype_id: landingzone_online_web - parent_management_group_id: online \ No newline at end of file + parent_management_group_id: online + # subscription_ids: + # policy_assignments: \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json index ef7060687..5a87be3b6 100644 
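Review bot: Dropping `Deny-Public-IP` from the platform_identity archetype lifts that guardrail for the whole identity management group, not just for whichever resource needed it, and the commit gives no reason for the change. If one identity workload needs a public IP, a policy exemption scoped to its resource group keeps the deny in force for the ADDS virtual machines this series deploys into that subscription; keeping `Deny-RDP-From-Internet:` while removing only `Deny-Public-IP` makes the selective removal look accidental. If it is intentional, record it next to the remaining assignment, e.g. `# Deny-Public-IP deliberately not assigned on identity: <reason / ticket>`.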
--- a/templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json +++ b/templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json @@ -9,6 +9,7 @@ "permissions": [ { "actions": [ + "Microsoft.Network/ddosProtectionPlans/join/action", "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*", "Microsoft.Network/virtualHubs/read", "Microsoft.Resources/subscriptions/resourceGroups/read" diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 index 5c0ef8732..c03a6e0b6 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 @@ -4,10 +4,10 @@ custom_landing_zones = { display_name = "{{ level.display_name }}" parent_management_group_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ level.parent_management_group_id }}" archetype_config = { - archetype_id = "{{ mg_custom.archetype_definitions[key].archetype_id }}" -{% if mg_custom.archetype_definitions[key].policy_assignments is defined %} + archetype_id = "{{ level.archetype_id }}" +{% if level.policy_assignments is defined %} parameters = { -{% for pa_key, pa_value in mg_custom.archetype_definitions[key].policy_assignments.items() %} +{% for pa_key, pa_value in level.policy_assignments.items() %} {% if pa_value is mapping %} "{{ pa_key }}" = { {% for attribute, attribute_value in pa_value.items() %} diff --git a/templates/platform/level2/ansible_resource_deployment.yaml b/templates/platform/level2/ansible_resource_deployment.yaml index c12ab5523..cd8147542 100644 --- a/templates/platform/level2/ansible_resource_deployment.yaml +++ b/templates/platform/level2/ansible_resource_deployment.yaml 
@@ -14,6 +14,17 @@ path: "{{ destination_path }}" state: directory +# +# landingzone +# +- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - landingzone.tfvars" + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + force: yes + with_fileglob: + - "{{ resource_template_folder }}/landingzone.tfvars.j2" + - name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - Tfvars" include_tasks: "{{ level }}/ansible_resource_type.yaml" loop: "{{ resources.subscriptions[subscription_key].keys() }}" diff --git a/templates/platform/level2/connectivity/virtual_hub/configuration.tfvars.j2 b/templates/platform/level2/connectivity/virtual_hub/landingzone.tfvars.j2 similarity index 89% rename from templates/platform/level2/connectivity/virtual_hub/configuration.tfvars.j2 rename to templates/platform/level2/connectivity/virtual_hub/landingzone.tfvars.j2 index 6a7990e31..06582d453 100644 --- a/templates/platform/level2/connectivity/virtual_hub/configuration.tfvars.j2 +++ b/templates/platform/level2/connectivity/virtual_hub/landingzone.tfvars.j2 @@ -26,6 +26,10 @@ landingzone = { } } +{% if connectivity_virtual_hub.custom_variables[virtual_hub] is defined %} custom_variables = { - virtual_hub_lz_key = "{{ config.tfstates.platform.virtual_hubs[virtual_hub].lz_key_name }}" -} \ No newline at end of file +{% for key, value in connectivity_virtual_hub.custom_variables[virtual_hub].items() %} + {{key}} = "{{value}}" +{% endfor %} +} +{% endif %} \ No newline at end of file diff --git a/templates/platform/level2/connectivity/virtual_wan/configuration.tfvars.j2 b/templates/platform/level2/connectivity/virtual_wan/landingzone.tfvars.j2 similarity index 100% rename from templates/platform/level2/connectivity/virtual_wan/configuration.tfvars.j2 rename to templates/platform/level2/connectivity/virtual_wan/landingzone.tfvars.j2 
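Review bot: `virtual_hub_lz_key` used to be derived from `config.tfstates.platform.virtual_hubs[virtual_hub].lz_key_name`; it is now emitted only when `connectivity_virtual_hub.custom_variables[virtual_hub]` exists, with whatever value the yaml hard-codes (`connectivity_virtual_hub_prod` in the contoso sample), so the key can drift from the tfstate entry it names and a hub without a custom_variables block loses the variable entirely. Keeping the derived value as the default and merging the rest on top preserves the previous behaviour; `{{key}} = "{{value}}"` also quotes every value, so a number or boolean becomes a string, which `to_json` avoids if this is rendered by Ansible.

```jinja
custom_variables = {
  virtual_hub_lz_key = "{{ config.tfstates.platform.virtual_hubs[virtual_hub].lz_key_name }}"
{% if connectivity_virtual_hub.custom_variables[virtual_hub] is defined %}
{% for key, value in connectivity_virtual_hub.custom_variables[virtual_hub].items() if key != 'virtual_hub_lz_key' %}
  {{ key }} = {{ value | to_json }}
{% endfor %}
{% endif %}
}
```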
diff --git a/templates/platform/level2/connectivity/vpn_site/configuration.tfvars.j2 b/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2 similarity index 100% rename from templates/platform/level2/connectivity/vpn_site/configuration.tfvars.j2 rename to templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2 diff --git a/templates/platform/level2/connectivity/vpn_site/readme.md b/templates/platform/level2/connectivity/vpn_site/readme.md new file mode 100644 index 000000000..0a2e56eec --- /dev/null +++ b/templates/platform/level2/connectivity/vpn_site/readme.md 
@@ -0,0 +1,39 @@ +# VPN Sites + +## Select the correct branch for the landingzones code + +Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services + + +{% for site in config.tfstates.platform.vpn_sites.keys() %} +site +```bash +# login a with a user member of the caf-platform-maintainers group +rover login -t {{ config.platform_identity.tenant_name }} + +cd {{ destination_base }}/landingzones +git fetch origin +git checkout {{ config.gitops.caf_landingzone_branch }} + +rover \ +{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} + --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ +{% endif %} + -lz {{ destination_base }}/landingzones/caf_solution \ + -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }} \ + -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +{% if platform_subscriptions_details is defined %} + -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ +{% else %} + -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ +{% endif %} + -tfstate {{ config.tfstates.platform.vpn_sites[site].tfstate }} \ + -log-severity ERROR \ + -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ config.tfstates.platform.vpn_sites[site].tfstate }}.tfplan \ + -a plan + + +``` +{% endfor %} diff --git a/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 b/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 index ee6a97350..79894da6c 100644 --- a/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 +++ b/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 
@@ -20,6 +20,15 @@ vpn_sites = { ip_address = "{{ link.ip_address }}" provider_name = "{{ link.provider_name }}" speed_in_mbps = "{{ link.speed_in_mbps }}" +{% if link.fqdn is defined %} + fqdn = "{{ ink.fqdn }}" +{% endif %} +{% if link.bgp is defined %} + bgp = { + asn = "{{ link.bgp.asn }}" + peering_address = "{{ link.bgp.peering_address }}" + } +{% endif %} } {% endfor %} } diff --git a/templates/platform/level2/identity/identity_level2/landingzone.tfvars.j2 b/templates/platform/level2/identity/identity_level2/landingzone.tfvars.j2 deleted file mode 100644 index f14f87604..000000000 --- a/templates/platform/level2/identity/identity_level2/landingzone.tfvars.j2 +++ /dev/null @@ -1,12 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}" - level = "{{ config.tfstates.platform.identity_level2[deployment].level }}" - key = "{{ config.tfstates.platform.identity_level2[deployment].lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.management.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.management.tfstate }}" - } - } -} diff --git a/templates/platform/level2/identity/identity_level2_aadds/landingzone.tfvars.j2 b/templates/platform/level2/identity/identity_level2_aadds/landingzone.tfvars.j2 deleted file mode 100644 index 45333d9e4..000000000 --- a/templates/platform/level2/identity/identity_level2_aadds/landingzone.tfvars.j2 +++ /dev/null 
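Review bot: The new fqdn line references `ink.fqdn` instead of `link.fqdn`, so any link that declares an fqdn hits an undefined variable (a render error under Ansible's default undefined handling, a silent `fqdn = ""` under plain Jinja) and the feature never renders correctly. Change it to `fqdn = "{{ link.fqdn }}"`. The bgp block also quotes `asn` as a string; Terraform will coerce `"65515"` where the module expects a number, but emitting `asn = {{ link.bgp.asn }}` unquoted avoids relying on that conversion.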
@@ -1,17 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}" - level = "{{ config.tfstates.platform.identity_level2_aadds[deployment].level }}" - key = "{{ config.tfstates.platform.identity_level2_aadds[deployment].lz_key_name }}" - tfstates = { - # Virtual Hub - {{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}" - } - {{ config.tfstates.platform.management.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.management.tfstate }}" - } - } -} diff --git a/templates/platform/level2/identity/identity_level2_adds/domain_controllers.tfvars.j2.old b/templates/platform/level2/identity/identity_level2_adds/domain_controllers.tfvars.j2.old deleted file mode 100644 index 2f3b079e0..000000000 --- a/templates/platform/level2/identity/identity_level2_adds/domain_controllers.tfvars.j2.old +++ /dev/null 
@@ -1,102 +0,0 @@ -# Availability set for domain controllers -availability_sets = { - avset1 = { - name = "avset-dc" - region = "region1" - resource_group_key = "contoso_identity_adds" - # Depends on the region, update and fault domain count availability varies. - platform_update_domain_count = 2 - platform_fault_domain_count = 2 - # By default availability set is configured as managed. Below can be used to change it to unmanged. - # managed = false - } -} - -# Virtual machines -virtual_machines = { -{% for key, vm in identity.virtual_machines.items() %} - # Configuration to deploy a bastion host linux virtual machine - {{ key }} = { - resource_group_key = "{{ vm.resource_group_key}}" - provision_vm_agent = true - boot_diagnostics_storage_account_key = "bootdiag_region1" - - os_type = "windows" - - # the auto-generated ssh key in keyvault secret. Secret name being {VM name}-ssh-public and {VM name}-ssh-private - keyvault_key = "dc01" - - # Define the number of networking cards to attach the virtual machine - networking_interfaces = { - nic0 = { - # Value of the keys from networking.tfvars - vnet_key = "identity_adds" - subnet_key = "ActiveDirectory" - name = "{{ vm.name }}" - enable_ip_forwarding = false - - diagnostic_profiles = { - operations = { - definition_key = "network_interface_card" - destination_type = "storage" - destination_key = "all_regions" - } - } - } - } - - virtual_machine_settings = { - windows = { - name = "{{ vm.name }}" - size = "{{ vm.size }}" - admin_username = "adminuser" - availability_set_key = "avset1" - - # Value of the nic keys to attach the VM. 
The first one in the list is the default nic - network_interface_keys = ["nic0"] - - os_disk = { - name = "{{ vm.name }}-os" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - } - - source_image_reference = { - publisher = "MicrosoftWindowsServer" - offer = "WindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - - } - } - - virtual_machine_extensions = { - microsoft_enterprise_cloud_monitoring = { - diagnostic_log_analytics_key = "central_logs_region1" - } - - microsoft_azure_diagnostics = { - # Requires at least one diagnostics storage account - diagnostics_storage_account_keys = ["bootdiag_region1"] - - # Relative path to the configuration folder or full path - xml_diagnostics_file = "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/adds/diagnostics/wadcfg.xml" - } - } - } -{% endfor %} -} - -diagnostic_storage_accounts = { - # Stores boot diagnostic for region1 - bootdiag_region1 = { - name = "boot-dc-re1" - resource_group_key = "contoso_identity_adds" - account_kind = "StorageV2" - account_tier = "Standard" - account_replication_type = "LRS" - access_tier = "Cool" - } -} - diff --git a/templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2 b/templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2 deleted file mode 100644 index 4d9758f75..000000000 --- a/templates/platform/level2/identity/identity_level2_adds/landingzone.tfvars.j2 +++ /dev/null 
@@ -1,17 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}" - level = "{{ config.tfstates.platform.identity_level2_adds[deployment].level }}" - key = "{{ config.tfstates.platform.identity_level2_adds[deployment].lz_key_name }}" - tfstates = { - # Virtual Hub - {{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}" - } - {{ config.tfstates.platform.management.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.management.tfstate }}" - } - } -} diff --git a/templates/resources/container_groups.tfvars.j2 b/templates/resources/container_groups.tfvars.j2 new file mode 100644 index 000000000..0d94d9edb --- /dev/null +++ b/templates/resources/container_groups.tfvars.j2 
@@ -0,0 +1,34 @@
+container_groups = {
+{% for key, value in resources.subscriptions[subscription_key].container_groups.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+{% if value.region is defined %}
+ region = "{{ value.region }}"
+{% endif %}
+{% if value.resource_group_key is defined %}
+ resource_group_key = "{{ value.resource_group_key }}"
+{% endif %}
+{% if value.resource_group is defined %}
+ resource_group = {
+{% if value.resource_group.lz_key is defined %}
+ lz_key = "{{ value.resource_group.lz_key }}"
+{% endif %}
+ key = "{{ value.resource_group.key }}"
+ }
+ ip_address_type = "{{ value.ip_address_type | default('Private') }}"
+ os_type = "{{ value.os_type | default('Linux') }}"
+ restart_policy = "{{ value.restart_policy | default('Never') }}"
+{% if value.network_profile is defined %}
+ network_profile = {
+{% if value.network_profile.lz_key is defined %}
+ lz_key = "{{ value.network_profile.lz_key }}"
+{% endif %}
+{% if value.network_profile.key is defined %}
+ key = "{{ value.network_profile.key }}"
+{% endif %}
+ }
+{% endif %}
+{% endif %}
+ }
+{% endfor %}
+}
\ No newline at end of file
diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2
index 67c882584..bd35633c6 100644
--- a/templates/resources/landingzone.tfvars.j2
+++ b/templates/resources/landingzone.tfvars.j2
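Review bot: The `{% if value.resource_group is defined %}` block is not closed until after `network_profile`, so `ip_address_type`, `os_type`, `restart_policy` and the whole `network_profile` block are only rendered when `resource_group` is given; a group that uses `resource_group_key` instead gets none of them and the defaults `Private`/`Linux`/`Never` never apply. An `{% endif %}` belongs directly after the `}` that closes `resource_group = {` (the `@@ -15,6 +15,7 @@` hunk of a later patch in this series adds exactly that line). Separately, `network_profile = {` is emitted with an empty body when `value.network_profile` exists but has neither `lz_key` nor `key`; guarding the block on `value.network_profile.key is defined` would avoid writing an empty reference into the tfvars file.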
@@ -1,16 +1,29 @@
 landingzone = {
 backend_type = "{{ config.caf_terraform.launchpad.backend_type | default("azurerm") }}"
- level = "{{ config.tfstates['asvm'][subscription_key].level }}"
+{% if config.tfstates['asvm'][subscription_key].level is defined %}
+ {% set level = config.tfstates['asvm'][subscription_key].level %}
+ level = "{{ level }}"
+{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first %}
+ {% set level = config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first].level %}
+ level = "{{ level }}"
+{% else %}
+ {% set level = config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %}
+ level = "{{ level }}"
+{% endif %}
 {% if deployments.deployments[subscription_key][deployment].landingzone.key.asvm is defined %}
 {% for l_key, l_value in deployments.deployments[subscription_key][deployment].landingzone.key.asvm.items() %}
 key = "{{ config.tfstates['asvm'][l_key][l_value].lz_key_name}}"
 {% endfor %}
+{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first %}
+ key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first].lz_key_name }}"
+{% else %}
+ key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}"
 {% endif %}
 {% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform is defined %}
-{% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.virtual_hubs is defined %}
- global_settings_key = "{{ config.tfstates['platform'].virtual_hubs[deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.virtual_hubs].lz_key_name }}"
-{% elif deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.asvm is defined %}
- global_settings_key = "{{ config.tfstates['platform'].asvm.lz_key_name }}"
+{% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.values() | first %}
+ global_settings_key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.values() | first].lz_key_name }}"
+{% else %}
+ global_settings_key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}"
 {% endif %}
 {% else %}
 {% for m_key, m_value in deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %}
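Review bot: The new `{% elif %}`/`{% else %}` branches for `level` and `key` dereference `deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first` without first checking that `landingzone.key.platform is defined`, so a deployment that has neither an asvm `level` nor a `platform` key fails with an Undefined error rather than a readable message; guard them, e.g. `{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform is defined and (deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first) %}`. The `values() | first` truthiness test encodes a convention that seems to be "a platform entry is `{name: null}` for a single-level state or `{name: level_key}` otherwise" — that reading is inferred from the two lookups, so confirm it and put it in a `{# ... #}` comment above the first `{% if %}`. The `{% set level %}` assignments are relied on by the `@@ -32,15 +45,20 @@` hunk below (`remote_tfstate.level != level`), which works only because `if` blocks do not open a Jinja scope; a `{# level is reused below when classifying remote tfstates #}` note would make that dependency visible.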
@@ -32,15 +45,20 @@ landingzone = {
 {% for p_key in deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform.keys() %}
 {% if config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]] is defined %}
 {{ config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = {
- tfstate = "{{ config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]].tfstate }}"
+ {% set remote_tfstate = config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]] %}
+ tfstate = "{{ remote_tfstate.tfstate }}"
+ workspace = "{{ remote_tfstate.workspace | default('tfstate') }}"
+{% if remote_tfstate.level != level %}
 level = "lower"
- workspace = "{{ config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]].workspace | default('tfstate') }}"
+{% endif %}
 }
 {% else %}
 {{ config.tfstates['platform'][p_key].lz_key_name }} = {
 tfstate = "{{ config.tfstates['platform'][p_key].tfstate }}"
- level = "lower"
 workspace = "{{ config.tfstates['platform'][p_key].workspace | default('tfstate') }}"
+{% if config.tfstates['platform'][p_key].level != level %}
+ level = "lower"
+{% endif %}
 }
 {% endif %}
 {% endfor %}
diff --git a/templates/resources/virtual_machines.tfvars.j2 b/templates/resources/virtual_machines.tfvars.j2
index 27192f331..73d5a364e 100644
--- a/templates/resources/virtual_machines.tfvars.j2
+++ b/templates/resources/virtual_machines.tfvars.j2
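Review bot: Both new `{% if ... .level != level %}` guards treat any level mismatch as `level = "lower"`, so a remote tfstate whose level is above the current one is also declared "lower"; if the intent is "only lower levels are allowed as remote states", that should be enforced or at least stated, e.g. `{# remote states are expected to be at the current level or below; anything that is not the current level is referenced as "lower" #}` above the loop. When the levels match, the `level` attribute is now omitted entirely, which relies on the consumer defaulting it to the current level — I cannot see that default from this diff, so confirm it. Note also that `level` here is the variable assigned by the `{% set level %}` lines in the first hunk of this file, not a loop-local value.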
@@ -24,6 +24,28 @@ virtual_machines = { {% if value.public_key_pem_file is defined %} public_key_pem_file = "{{ value.public_key_pem_file }}" {% endif %} +{% if value.backup is defined %} + backup = { +{% if value.backup.backup_vault_rg is defined %} + backup_vault_rg = "{{ value.backup.backup_vault_rg }}" +{% endif %} +{% if value.backup.backup_vault_id is defined %} + backup_vault_id = "{{ value.backup.backup_vault_id }}" +{% endif %} +{% if value.backup.backup_policy_id is defined %} + backup_policy_id = "{{ value.backup.backup_policy_id }}" +{% endif %} +{% if value.backup.vault_key is defined %} + vault_key = "{{ value.backup.vault_key }}" +{% endif %} +{% if value.backup.policy_key is defined %} + policy_key = "{{ value.backup.policy_key }}" +{% endif %} +{% if value.backup.lz_key is defined %} + lz_key = "{{ value.backup.lz_key }}" +{% endif %} + } +{% endif %} {% if value.tags is defined %} tags = { {% for tag_key, tag_value in value.tags.items() %} From 5df24a3c497decf0e4b3248f293c66801eddbfb4 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 00:52:57 +0000 Subject: [PATCH 19/67] Update templates --- caf_launchpad/landingzone.tf | 4 +- .../contoso/platform/IP Address Plan.xlsx | Bin 11859 -> 12240 bytes .../platform/contoso.caf.platform.yaml | 15 +- templates/platform/ansible.yaml | 54 +----- .../platform/level0/launchpad/ansible.yaml | 54 ++++++ .../resources/container_groups.tfvars.j2 | 171 ++++++++++++++++++ .../resources/network_profiles.tfvars.j2 | 38 ++++ 7 files changed, 284 insertions(+), 52 deletions(-) create mode 100644 templates/resources/network_profiles.tfvars.j2 diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf index 6ae4b304b..8dc19f626 100644 --- a/caf_launchpad/landingzone.tf +++ b/caf_launchpad/landingzone.tf 
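Review bot: The new `backup` block accepts both direct resource IDs (`backup_vault_id`, `backup_policy_id`) and key references (`vault_key`, `policy_key`, `lz_key`) and emits whichever are present, so a configuration that sets both renders both with no indication of which one the consuming module honours. A comment at `backup = {` such as `{# provide either backup_vault_id/backup_policy_id or vault_key/policy_key (+ lz_key); precedence is decided by the consuming module #}` would document the contract, or the template could refuse the combination with `{% if value.backup.backup_vault_id is defined and value.backup.vault_key is defined %}{{ raise_error }}{% endif %}`-style guarding if the project has such a helper. The enclosing `{{ key }} = {` entry for the virtual machine starts above the hunk.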
@@ -3,8 +3,8 @@ module "launchpad" { # version = "5.5.1" - source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" - # source = "../../aztfmod" + # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" + source = "../../aztfmod" providers = { azurerm.vhub = azurerm 
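Review bot: `source = "../../aztfmod"` points at a developer's local checkout and neither it nor the commented `?ref=aci_network` branch pins the launchpad module to a reviewable version; anyone running this from a clean clone without that sibling directory fails at `terraform init`, and a branch ref pulls whatever the branch holds at run time. Restore the registry source with a fixed `version` (the commented `version = "5.5.1"` line above shows the form) before this leaves a development branch, or leave `# local development only - do not merge` on the `source` line so the state is obvious to the next reader.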
diff --git a/templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx b/templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx index 4ffeb8f1841580ec8309e0c22dd4cb497765541d..a5b02dd5959d1eb6ae6cd3784b7cf7015dd47123 100644 GIT binary patch delta 4867 zcmZ8lbyU<{yB%WaZfRtO9BB{%=`QI`5g9s$t{){x$ACzKAcAyA2uOo4fTYBTv~(*S z*YCZ5y!U?RkF(Bt_IaLl);jxHd!I99F>YN;i;w>ftb5gi1p*l(S@G!rSNCFZvb)g9 zTiiasVM&Z>Z!p^y&-;pxqfIQlxVbje0uDJG9ZvVxiCU^tqfQySRx@-*2`u?p0WVu_ z>YbhT!NS^b$(emZjad)#@wCRA@;lcohN5cE@CAyQ#(w=j?~Rn^}MwpQK2~E;VVQ?@}Tb9Z7&Og%iza>(`Yl;nalE zLpMgMhyKaeGbFJ z^_m@H^?>;9CY>hCuMu1;vb^YPmMsT2f*;=F(jK^UZ+#LxT#hg?zHjmG*C&s%_ZLr{ zU6E$1ywWVe&tiPXbO4O-V2`fq&NfFldH{Kk3Y*Tiz&rqPAkTT^ve}!-5GO(!^fUKr z$=G%XJ`rc41^cu1Y1Mrxfp-F`97)Kr#p!#J?pjtpt{tUMw5d_~JIq|a`n)53i~E~a z^V1JSepcQVu+_-Giuc=yOp;Kz5zRN2ZYR3vr)fAwZMQ2(_pg=C3QsmGSp0t84{x6mAm7f^)!|PWIs{~6Pf&qO5_?AX4gXS=d^_* z{Zj}`6WG0+6tUENX3S=c&O@+zPpGAFyh1C2cj@CdH0FF9HD24DqdQ(E-PqbN-x#8p zt~o7@k@AVh#q0+YT3<>9h~aKivy3wijuDiFAwXW~&*Jr2dzvk5X1s(bjY_E)vL zzwJ6*(Wb<}2r9Q#Cd=Vej`&2F=ANb3LeyC*lm&_+5UhJq<{#bE*1JpPnNl;Hg&&+e zR2ur$j8Escm*it9$@)TraEA-igDXnOoY7kgbw5_#UTeTBJ-SpPF*WSCdm~EsTb;$} zt?Yp<;;GBtr=y~&wKmOPA;6V!(m7d3;y3RxmND<#kPg$Ix!Y}T`3sm&5qZcQ5skCE zU(XtZ4W3o2BYv5jRshH@9O?!v;!1o1eN_hF2gPXomEQf4xTwcLkhdldK^e-S|flnGxOkSav2F7rWRxXC7 zqlYrT$?Q#$nUyB~q@C3q4$Ks3wYdhw#e|1h1cySGH;#N!ibvKQG(VMx&mQ6_HWi7I zhfe9?eEqy4nhG2Z#mhG4rdhafW%y7p3nWBlr;jL@P6^^)N7rf%4$ClE?i-J>^Jm2i zWuexSXk_`aafPyQowofSBxf4WS|1KLH&ds^k$jZJ;|jvye$LqFg8n%2I;x|O*5L)! 
zl`h@Y5#hTj&ulEZBK#ehhrv5*^WKbsOP|t(dB{B!DmDP>tChlYR#h|I#u0?}E7{!I zh$Kp*61(|QXlp8!h_PT&)pEEewu=MDfaKE<<_0e?^F|%l;i=-qh*j@b<0ITBwwYpJ z<`bI_P14Dx3_k_y#X?B$2bEQdswL#CX2hi$M6{_-8FA;n&)s&4swr{j7_sW6KR@A_Rmz&h+J`AgtQgqEh}10_IhBg=Ev#t=Hni$AgXlt^2|#50XPTBmAha< ze93p}eKzSwrBU#;(a5sYt|TWGL9dfSoeZM**9edd&15PcKj)hnn>HNUw$?LzO*7mB z>yKkXE8j8CXkVSYU-SM7xbLC0g%2pk352vNJNON9-oYnD_ zHr(+S;soB}5E7 z28a^~UqgUGZ6%xaeKKraC1P~r?-LjJrcGUr{ZnHcPj*H$s}Lu{`tn}B2+ z&Lf`Kn)28(PcJE3^z#=c6fT4ij?Oy8siex z?GOrSt4Qp39@44G&sa_xjS`;K-R2$Up3ZX~2k?pq7Jjx>=a`c@6?i9P3`QD8bS~PD z5fu-RnUYmQw2qR*E&!?93pTfrq$xDqO?NU}|Q$+D~;2sNgEoV*q8QHwpNwPxY@J~ez&?pLsL zs^WO)Aaup0DogZ@qQIBk(Z$y4gFX#AF6KFn^Y2(%M4JFG9E!54Wexu|w53Z{4iD)?344`@W6eeIg{)PrWKbq<4 zbuIA$l^1X2;eWUX@;hmr{W`s%frsQY5ZiO07jx-=9&VN8$q+=rxA&)xBM|m zt^r*@ucP8l_935mMM>eUlA2wLzl;*Y`+4>#_@Oe%ZeymmdA{P4E_iM%*2d5BnJbSD zZ9E$6rBvIV-`%;pSq6@Jbe+s$1y@@;kHNcbA58QI< z@`|P|fNny(&xO!=FNB|o=8@-37L5yUVP$W1&7NEq$;0l!04M$yN_?V(3X z=A#rhr%soSUp^0GI{bR%pe`$v%*m99P{vGwoIm@NYZDYDrzStK3aiv zN}(3(5?%bLyIAd6XV7}s+1qQWw}G^&hfn7FP9^d@)L)LdNW|vCP9kSSEUc7FMOK+R z>f-~d56^GM(~@bT@rSd1%sN>Y)ltV`PXX8~2fQoH_Z20b{}CDRv(_3xNCS#d2os?2 z4C|rT6C;infO2o0q;-m{%YuF1sy5 zwN?usU1`}@L5ZEBNc*7Voh(fm1qYK36B;wIWKVh(^=yn>mSTvm@Vy0&?2LA`>zx^s zIb9;eW%12LT>8}CBq1C)w^2U$BiKjPt_nz8KQ6e$LK?CT60i*hQz5}15G4(Aobdrt zh7A`$CoKq&MIZA1VS+6o*`vb3s0rhTwG4fNTExacG@hES2&Wmp!#N0yLJ!P~A?zu% zbc4W){7?)VVs0e=NIxn5nkzi6Lf)W)?e@;~`!KiQ8$&R!Ay^?0Q=veaMTUq(-F<|< zivnWsQg!yb+qEtHf*v9qz99d~?~S^~%VR*VM!sRDi+}}!5{P{VOV>2`t+}-uMCa5> z#aJ452r)P#n$Qu7zZx}j(NaL(Fz3DqY(O`)q?s$i6uI|?6u48{WvmU=88RX0(ZxSbih+yRphVHs=wLR7sXbQ@<%L>5K{Uj-&CV7qD!=(tj$VDG z#}JcaXA>2hIM~vcU|tu4pMG%x0|tzHZ%)i|ljVEj)0{hXMNf0?m5^Xz0o{#fx^tqX zN}3oNO}zWYJ{Q=}KQ;Mh+s6Ee`x8G!MKrjmEGV}+>0$Vg5{RWbVCtWFq2f*|T2E`k zPz>AFsR!9P^pJC}NZMt%oO~}6#{RI&24_&ESa+m&e~d-NSn;8-iklR>8Q8UHOpN;N ziEmP$8P-%}!+W@gDZL#zA=Vv`BE9g+O-l~#jj<>RU0$mAi<2CHO;CXHYz6zc^v~vT z{wbNiig$ni&y;RF;kGJ3c0-*`+G4{ADI!pX)FFd$R#UE~B}L2jZ*S*|=6=>$u4Kj? 
zjPR}fIS6#joZbBch~>I(+FjpmB2GiUnlzc-1 zrcQrf7yj%8?&^Bj&V91oRO97f-6;Rkav>H|eNT}Kw}KSiWplh@@9XGoH?D>l)SkKx zM`$&PopxV=%!C?(H0#QF%ur_{@7tWN@}V$~Dsil}f)O4bke?QI)X$EA@(>!1dI9It zQYL=hhP&a(64HfB$SymtKq647*t>=6D2tAgMsyASzy@x%CE>(P2RKrr>2Sr|Me^VDkh7$JIGKOr3hE`K4Va68xHNdhq+yclTB*9E5+a7 z3}~MhAC3zQ@OZd{P8XK0G$3`ksyhf<{I?^tClBe*Dx!JxNL_MR<&jkcWm;;w?If>u z%9&?Uk2LXqkvJwjme-~8FO~aDNk2kB&OZ#e=uOAt($7_p`*ApaocLyn62+=pibX?be&pY!f|dhp}Gl} zI+}s!FR_PczbPWnn1BeY+>>}D zSGTnluJVF4E{^?bdJmKN(l(>t@UJ~c(m^D3aoz6cGE_93G!S7ecK%FZMyD*)m`EoJ zq5KwOr;+<{!~<8K{fL;)G(-_qVB}hC@zP6$D)dGFtQO|Q=y6R^f%5&N&fagvqb?Qb zhv&2#Pue;vzL#mPi4dQUbTG@UH`_PIJ80n6JN1_k^R#&{`F7AS zZ>Rk)zJY{1VrBftN??OP^nYzQ-M`@96(1AQ<`EC$zv}nj8(y>hJq7h& rJp?1W9`Ru6aw7L0J!Jfc6&N5;5GDvj{{ISc@F02k*m0_1|B3z&j^X}r delta 4416 zcmZ8lWmFT679R-HO@V=QBRx_@m?9w}NOz5tkijM?AvH?6M@fg|DCzDoK#`c#q(P7t z5d^8{d+(h0Kj+;K_uO;tJ@?Cv-|yZrOM+Pq0|?|W{57}h8USF3;RG?Fb({-fkN~;O z%WEsy%r_wN8b(}!Rl2R^MATWcTQ|s%#J$mB0(;!GI0JGZRv5PIJ&WwgIoNO>SX3A7 zLS+)Y`OLJZG}SkHB`GH8E8g$=SO=J{86ub!RvP;sAcy+>xO&gsjy5>bSO#)aV`P{B zV^NVNDzms7kp*`s=o!!z+#<$?F;d38$<>M9VLe5qHxe~s&Aw7rEwji2G=_+c%o4#xU%i>5oR$3Ii5O* z6$y6+$l=3!*fdEALpl^9u-hnJF#z-K^W6UZnL*cuA}imF5cFZfJGc z!Oj3pym7B3+Vl72T`WW*{<`_1s#Euw$D{DJ4*aMK0i9Rkws@mz8QQmB{RUFhnHF0q z@!MSJP-Za$80p;NB$3HCE1^Mic3rV2q}i%DZPG#p>~8JDnR1&zu|P?WkMo6hW?wn( z%cc4RFap0)(UomssFG3rnV-LWnUS4nw9Sls80>^#7VG=s=5Hy2sy|IkttI6U15+Z= z)U8#4=(=r3WwYmh)akuJ3IXL78PH}>T;pX4cinaCHFhp*E-YGe_lLf59aa~<7|3RM8Jj^@Pe4%Y3U)=VuJ zTMWO)njzPVoYv#(B-A*`pW6T7@M)=<^gi*`7Z&>TEqHYWRK6EiK_e{R@yPzh2|GsP zT>OKw{P@T0xu02sVOa3vk6MR`a-I_=>l@Ct1}9i8&k4xpJek^ec7+FwGVzn?`$kmJ zSef}=i<|pknNBr>h2L%HZ{Aen(`)J*=gaE&+38H&$h*!%)WOAFx#>4PnD>MZxjzn` zo=qi6l@BH6PA9uCL0oioK#B?w*wM~ixtaH&O~wAfZX~kt5Z9zHEYo# zy7vkw1g5ymak?XO4f2?rzm9F{czQG}usg0&^YN)4|Aybj%IK#(OHVptNJ7QBdzKPN zsr#_isy%CUBNy94%UvcQhA?nXUo}cNkv%(k!B?d4$5eE~8>{cmfWNoc8#i3)6o|Cd zi)J(UBY++@mLx@RH31xra6Bq}2XXh}bS#?8Mh;#F>wKKerB7Av8-dv0AF6#f%%1;c 
zZo;IZ)&!-V_R=~tZBbT^*ccuK?E@OLQku_XRw)uSql?RoHB&zG%8|fwSM#d2gMFwjNfT!|g#02*rb^cmHLPs>3GJm(t zKiK|*TO{P~O?;t>e_aK5+|E8IFt$IwYoNv-H|7y6Fa0EeVkDby$g}bYSDaa=Fe5qZ zkk}>Bfou$By6BST$*~dnLDSFf(pd2@9BuYNMz4A>u4%CmsXQDzURKTW!`M<*%H30; zq4q?ZCbka&tL-!o(M$b0IQ!jFy)@PEJF?A_-Uml^US#k#Pr`b4bCaiAG&ZiZjx)N+ zuv_p_Z{M5hy$VD3o7bJJ0{I%s3*R5F{>EJ3aZQP02>KjyDf4$SSuj)yY7FUV9xU;#n^?lBFF9n0ubg3_CwNovIwcijgsMY4h zctmx{tS#IsoPwCpRPksW1T~&O(Pt-I4kJN?Gm#=7NhnIM{XwzGNq{M;jC1#`V`*r% zs>738!XCR#vBmFEyIegN0yl~~In`I#UvNcD2i_>)@QO7O7>D#p#@u&zF=mXkb~RNi z8Vb8MDVmi)>anb^TuQ*JWgX#Ug6ZH5<@Xo@x3T5c=>r-%S4z5>(7>s}-kxQsgLX4YnwUP z%0C)3Lx?2ZAo^C^uxA;m_;4rq;Hk6cMiwz7*DAqx`KtWtsy)XJ2HeQ*AcZy6_(6WeG7(AF1iFRgs1l zdp~mh&fO~sQ~pc=SykGkY5kscRw$?jtGt!xXz09)(6`yw9*{4xQyF?*$+Il^N@mc3 zw1)iK`GP0$_ZE|<5m(FY7V#!|DxWF7a~QcrUp;=CfgT+*WfN~zi59=2if-Ksy^11G zE7|Cl5F#WfYoN-LkvURoDeOd97uUwAOY7 zK4mwV+uO;Ww!ToDrUpo9t{z#l_-x^0K>8Dz0wf$kj%*F^EZj-(=Fv-vsKho!L zAGdL853kJ*T%)o;Th3ZAT~Ay&JpXKnfHgE|O1n=h-0X|+%qTk982L%?^T#MJ2pfNH zAL5Pec++m?dtlpOR(<#eLXNd8R6b_YsyO2hOkK7eck_-og6zm&UZT_v5aR@|Y;Zk( zZev`cIj*n!qgcpTruxvQObsy`vG_iOOt!G|%42rd_{9@$+Uo&~$MLPa9AdX_C*Obb zWvg^-27IUIr`VGdW#02cDycIHOb?Kj{5QRlE@#~nwtJ-LV86g#8gUJ>=kh;fAkVh+ z;N;1TP5TAKjrM{D=k%wU4PLc!$%oq#A{#H5wtoIOrZyLP2F+Lu|M;m(6aFkWnPPSG z+xFv;)z>D_l*dKoqId&h6;ZVax^nnV%h@A9c-7Q=VAXu$LUrZrNmuMRXn;|SZ@mKL zcs^EG_8>qPy%*5D2U$vPn6iNi|Jh+Oxzfrym8R7FM9Nw>RcvgAm9`l#=wRf9QN&ZdD~L-q!>pg5cKI8-qm% z1chOBC8C2bPh_{(k{Lf{Bu$nF1+#aL;m0?$`m!g4>d0!yK(T_~Cx}O!wcVJicjN1gF4^lm#ey@Lpu}4X1EofjtFl_seOKG zS-{Y;&Y{QYMGeQj06z0+^liSqFy_YIS4+~+)AaYvXs?&N`!&BpYIbh9?@olo3f%nj z`{5{lQ%`O`rtrKBV>hqDpZn1HPl8r)$A(HO{^~oz7(DmFh;Ce)?lmiwMN)EDVLnG* zE~)2wFMsODVjj?m1k;~*(#VL)Zo@^bSp;u!vSMjx~ov5 zco4H?E}CzK`tU2#RTc~yRTaH3ocyG9X{53KsatWfOVJ@MoxZDv2HIG*E7jmj^1&Ex zHd6D{sUP_51vqRKRhZsgvRtmjXAw!e$ATNT^>y~*x0UObR5F<;w51&Q9LlZRD>VR} zUH6C@g;e04jx{Fm4E`k>tI`6^l{vx3iY?sDXkW0>SJmhHX@R`HAcQHn@#lc(Ql>29 zE0(P5n;qufFrBeRbNSy&pcCICnz4n&w`1`G=)X92b@d;WoQibn6^DdY2fGCVS;Cd+ 
z?oemp9~4OFqQ|2+i3^>csvS9WhAZg7#Txc~pIfIVvbUt>=UeY|1^87~;T3tX=!3ep zn03Ootcm~4$)jp#IUmNeWjATQZH9NWZ=8#WjwR0NN8=R>(H=Pq(T{gIqP8p(W$7I| z$9}w>5^i?uO;L-L+0YUF?R^h!%9g@5T!=(O;NX*+5y;cC6k`Q*P!7XRhAfCVc6+{@}3#A#c{ZSMf5MHeOSCwZ=9a-5{BSeuS1Vozp$mYzid6EUZCsZd(F-K`*4K z$Ek;ALs4?-_W`iJu|TqK!kPtSXkRu)2Q(XF@;g1S7s9{9X6|8Tole%AuMnTjw1-X_ z#a+KkvM#5++_3U|?TaeLyn7ol;@7@7=sA(yCvFkRsXRm&$wukb - # only service_principal supported with rover ignite at the moment + # Supported values + # - service_principal + # - logged_in_user azuread_identity_mode: service_principal # UPNs you want to add in the caf_platform_maintainers Azure AD group # Can use user or guest accounts diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index d9e53cc7a..75ce52a7c 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml @@ -129,8 +129,8 @@ import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" when: - (config.platform_management.enable | bool) - - level1_subscriptions is not skipped - - platform_subscriptions_details is defined + - ((level1_subscriptions is not skipped and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") + - ((platform_subscriptions_details is defined and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") vars: base_folder: "management" 
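Review bot: The two rewritten `when` conditions in the `@@ -129,8 +129,8 @@` hunk (and the matching pair in the `@@ -141,11 +141,10 @@` hunk below) have the shape `((A and mode != "logged_in_user") or mode == "logged_in_user")`, which is logically the same as `A or mode == "logged_in_user"`; the shorter form reads as intended, e.g. `- level1_subscriptions is not skipped or config.platform_identity.azuread_identity_mode == "logged_in_user"`. The effect is that in `logged_in_user` mode the management and identity tasks run even when the level1 subscription step was skipped or `platform_subscriptions_details` is undefined, while tasks further down still test `platform_subscriptions_details.identity is defined`; that looks deliberate, but a one-line comment above each `when:` saying that `logged_in_user` bypasses the subscription-creation facts would save the next reader from re-deriving it.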
@@ -141,11 +141,10 @@ - name: "{{ level }}-{{ base_folder }} | Identity services" import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" when: - # - config.platform_core_setup.enterprise_scale.subscription_deployment_mode != "single_reuse" - launchpad_tfstate_exists is not skipped - credentials_tfstate_exists is not skipped - - level1_subscriptions is not skipped - - platform_subscriptions_details is defined + - ((level1_subscriptions is not skipped and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") + - ((platform_subscriptions_details is defined and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - identity.subscriptions is defined vars: @@ -158,7 +157,7 @@ import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" when: - (config.platform_core_setup.enterprise_scale.enable | bool) - - ( (config.platform_core_setup.enterprise_scale.enable | bool) and (level1_subscriptions is not skipped) ) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") + - ( (config.platform_core_setup.enterprise_scale.enable | bool) and (level1_subscriptions is not skipped) ) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == "logged_in_user") - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") - platform_subscriptions_details.identity is defined - platform_subscriptions_details.management is defined 
@@ -189,7 +188,7 @@ import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" when: - ( (config.networking_topology.deployment_option == "virtual_wan") or (config.platform_identity.azuread_identity_mode == 'logged_in_user') ) - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") + - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == 'logged_in_user') vars: base_folder: "connectivity" level: "level2" 
@@ -226,47 +225,6 @@ shell: | terraform fmt -recursive {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }} -# - name: Level 2 - identity -# hosts: localhost -# vars: -# config: "{{ lookup('file', '{{ config_folder }}/platform.yaml') | from_yaml }}" -# identity: "{{ lookup('file', '{{ config_folder }}/identity.yaml') | from_yaml }}" -# connectivity_virtual_wan: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_wan.yaml') | from_yaml }}" -# connectivity_virtual_hub: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_hub.yaml') | from_yaml }}" -# connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml') | from_yaml }}" -# connectivity_firewall_policies: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall_policies.yaml') | from_yaml }}" -# cidr: "{{ lookup('file', '{{ config_folder }}/cidr.yaml') | from_yaml }}" -# tfstates: "{{ lookup('file', '{{ config_folder }}/tfstates.yaml') | from_yaml }}" -# base_templates_folder: /tf/caf/templates/platform -# base_folder: identity -# level: level2 -# folders: -# - virtual_wan - - -# tasks: -# - name: Creates {{ level }} directory -# file: -# path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}" -# state: directory - -# - name: Creates {{ base_folder }} directory strcture -# file: -# path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}" -# state: directory - -# - name: "{{ base_folder }} - Readme" -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ level }}/{{ base_folder }}/*.md" - -# - name: "{{ base_folder }} - adds" -# include_tasks: "{{ base_templates_folder }}/{{ level }}/{{ 
base_folder }}/platform.yaml" - - # # # # Pipelines diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml index bd329f53c..c21fa1145 100644 --- a/templates/platform/level0/launchpad/ansible.yaml +++ b/templates/platform/level0/launchpad/ansible.yaml @@ -25,6 +25,33 @@ state: directory +# +# container_groups +# +- name: "[{{ level }}-{{ base_folder }}] - resources - container_groups" + when: + - resources.subscriptions[subscription_key].container_groups is defined + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + force: yes + with_fileglob: + - "{{ resource_template_folder }}/container_groups.tfvars.j2" + +# +# network_security_group_definition +# +- name: "[{{ level }}-{{ base_folder }}] - resources - network_security_group_definition" + when: + - resources.subscriptions[subscription_key].network_security_group_definition is defined + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + force: yes + with_fileglob: + - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" + + # # resource_groups # 
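Review bot: Each new task in the `@@ -25,6 +25,33 @@` hunk selects its single template through `with_fileglob`, so if `network_security_group_definition.tfvars.j2` is absent from `resource_template_folder` the glob matches nothing and the task is silently skipped instead of failing; this commit's diffstat creates only `templates/resources/network_profiles.tfvars.j2`, so the NSG and `virtual_networks.tfvars.j2` templates are presumably expected to exist already — worth confirming. Because the file name is fixed, `src: "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2"` without the loop would fail loudly on a missing or misspelled template. The same applies to the two tasks added in the `@@ -38,6 +65,33 @@` hunk below.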
@@ -38,6 +65,33 @@ with_fileglob: - "{{ resource_template_folder }}/resource_groups.tfvars.j2" +# +# virtual_networks +# +- name: "[{{ level }}-{{ base_folder }}] - resources - virtual_networks" + when: + - resources.subscriptions[subscription_key].virtual_networks is defined + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + force: yes + with_fileglob: + - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" + + +# +# network_profiles +# +- name: "[{{ level }}-{{ base_folder }}] - resources - network_profiles" + when: + - resources.subscriptions[subscription_key].network_profiles is defined + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + force: yes + with_fileglob: + - "{{ resource_template_folder }}/network_profiles.tfvars.j2" + - name: "[{{ level }}-{{ base_folder }}] launchpad" ansible.builtin.template: diff --git a/templates/resources/container_groups.tfvars.j2 b/templates/resources/container_groups.tfvars.j2 index 0d94d9edb..f58a03762 100644 --- a/templates/resources/container_groups.tfvars.j2 +++ b/templates/resources/container_groups.tfvars.j2 @@ -15,6 +15,7 @@ container_groups = { {% endif %} key = "{{ value.resource_group.key }}" } +{% endif %} ip_address_type = "{{ value.ip_address_type | default('Private') }}" os_type = "{{ value.os_type | default('Linux') }}" restart_policy = "{{ value.restart_policy | default('Never') }}" 
@@ -28,6 +29,176 @@ container_groups = { {% endif %} } {% endif %} +{% for c_key, c_value in value.containers.items() %} + containers = { + {{ c_key }} = { +{% if c_value.count is defined %} + count = "{{ c_value.count }}" +{% endif %} + name = "{{ c_value.name }}" + image = "{{ c_value.image }}" + cpu = "{{ c_value.cpu }}" + memory = "{{ c_value.memory }}" +{% if c_value.commands is defined %} + commands = "{{ c_value.commands }}" +{% endif %} +{% if c_value.gpu is defined %} + gpu = { + count = c_value.gpu.count + sku = c_value.gpu.sku + } +{% endif %} +{% if c_value.ports is defined %} + ports = { +{% for p_key, p_value in c_value.ports.items() %} + {{p_key}} = { + port = "{{p_value.port}}" +{% if p_value.protocol is defined %} + protocol = "{{p_value.protocol}}" +{% endif %} + } +{% endfor %} + } +{% endif %} +{% if c_value.readiness_probe is defined %} + readiness_probe = { +{% if c_value.readiness_probe.exec is defined %} + exec = "{{ c_value.readiness_probe.exec }}" +{% endif %} +{% if c_value.readiness_probe.initial_delay_seconds is defined %} + initial_delay_seconds = {{ c_value.readiness_probe.initial_delay_seconds }} +{% endif %} +{% if c_value.readiness_probe.period_seconds is defined %} + period_seconds = {{ c_value.readiness_probe.period_seconds }} +{% endif %} +{% if c_value.readiness_probe.failure_threshold is defined %} + failure_threshold = {{ c_value.readiness_probe.failure_threshold }} +{% endif %} +{% if c_value.readiness_probe.success_threshold is defined %} + success_threshold = {{ c_value.readiness_probe.success_threshold }} +{% endif %} +{% if c_value.readiness_probe.timeout_seconds is defined %} + timeout_seconds = {{ c_value.readiness_probe.timeout_seconds }} +{% endif %} + } +{% endif %} +{% if c_value.liveness_probe is defined %} + liveness_probe = { +{% if c_value.liveness_probe.exec is defined %} + exec = "{{ c_value.liveness_probe.exec }}" +{% endif %} +{% if c_value.liveness_probe.initial_delay_seconds is defined %} + 
initial_delay_seconds = {{ c_value.liveness_probe.initial_delay_seconds }} +{% endif %} +{% if c_value.liveness_probe.period_seconds is defined %} + period_seconds = {{ c_value.liveness_probe.period_seconds }} +{% endif %} +{% if c_value.liveness_probe.failure_threshold is defined %} + failure_threshold = {{ c_value.liveness_probe.failure_threshold }} +{% endif %} +{% if c_value.liveness_probe.success_threshold is defined %} + success_threshold = {{ c_value.liveness_probe.success_threshold }} +{% endif %} +{% if c_value.liveness_probe.timeout_seconds is defined %} + timeout_seconds = {{ c_value.liveness_probe.timeout_seconds }} +{% endif %} +{% if c_value.liveness_probe.http_get is defined %} + http_get = { +{% if c_value.liveness_probe.http_get.path is defined %} + path = "{{c_value.liveness_probe.http_get.path}}" +{% endif %} +{% if c_value.liveness_probe.http_get.port is defined %} + port = "{{c_value.liveness_probe.http_get.port}}" +{% endif %} +{% if c_value.liveness_probe.http_get.scheme is defined %} + scheme = "{{c_value.liveness_probe.http_get.paschemeth}}" +{% endif %} + } +{% endif %} + } +{% endif %} +{% if c_value.volume is defined %} + volume = { + name = "{{c_value.volume.name}}" + mount_path = "{{c_value.volume.mount_path}}" + read_only = {{c_value.volume.read_only | lower | default(false)}} + empty_dir = {{c_value.volume.empty_dir | lower | default(false)}} +{% if c_value.volume.storage_account_name is defined %} + storage_account_name = {{ c_value.volume.storage_account_name }} +{% endif %} +{% if c_value.volume.storage_account_key is defined %} + storage_account_key = {{ c_value.volume.storage_account_key }} +{% endif %} +{% if c_value.volume.share_name is defined %} + share_name = {{ c_value.volume.share_name }} +{% endif %} +{% if c_value.volume.secret is defined %} + secret = {{ c_value.volume.secret }} +{% endif %} +{% if c_value.volume.git_repo is defined %} + git_repo = { + url = "{{c_value.volume.git_repo.git_repo}}" +{% if 
c_value.volume.git_repo.directory is defined %} + directory = "{{c_value.volume.git_repo.directory}}" +{% endif %} +{% if c_value.volume.git_repo.revision is defined %} + revision = "{{c_value.volume.git_repo.revision}}" +{% endif %} + } +{% endif %} + } +{% endif %} +{% if c_value.environment_variables is defined %} + environment_variables = { +{% for ev_key, ev_value in c_value.environment_variables.items() %} + {{ev_key}} = "{{ev_value}}" +{% endfor %} + } +{% endif %} +{% if c_value.secure_environment_variables is defined %} + secure_environment_variables = { +{% for sev_key, sev_value in c_value.secure_environment_variables.items() %} + {{sev_key}} = "{{sev_value}}" +{% endfor %} + } +{% endif %} +{% if c_value.environment_variables_from_resources is defined %} + environment_variables_from_resources = { +{% for evr_key, evr_value in c_value.environment_variables_from_resources.items() %} + {{evr_key}} = { + lz_key = "{{evr_value.lz_key}}" + output_key = "{{evr_value.output_key}}" + resource_key = "{{evr_value.resource_key}}" + attribute_key = "{{evr_value.attribute_key}}" + } +{% endfor %} + } +{% endif %} + } + } +{% endfor%} +{% if value.identity is defined %} + identity = { + type = "{{ value.identity.type }}" +{% if value.identity.managed_identity_keys is defined %} + managed_identity_keys = {{ value.identity.managed_identity_keys | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% if value.identity.remote is defined %} + remote = { +{% for msi_key, msi_value in value.identity.remote.items() %} + {{ msi_key }} = { + managed_identity_keys = {{ msi_value.managed_identity_keys | replace('None','[]') | replace('\'','\"') }} + } +{% endfor %} + } +{% endif %} + } +{% endif %} +{% if value.dns_config is defined %} + dns_config = { + nameservers = {{ value.dns_config.nameservers | replace('None','[]') | replace('\'','\"') }} + search_domains = {{ value.dns_config.search_domains | replace('None','[]') | replace('\'','\"') }} + } {% endif %} } {% endfor 
%} diff --git a/templates/resources/network_profiles.tfvars.j2 b/templates/resources/network_profiles.tfvars.j2 new file mode 100644 index 000000000..1f30cba73 --- /dev/null +++ b/templates/resources/network_profiles.tfvars.j2 @@ -0,0 +1,38 @@ +network_profiles = { +{% for key, value in resources.subscriptions[subscription_key].network_profiles.items() %} + {{ key }} = { + name = "{{ value.name }}" + resource_group = { +{% if value.resource_group.lz_key is defined %} + lz_key = "{{ value.resource_group.lz_key }}" +{% endif %} + key = "{{ value.resource_group.key }}" + } + container_network_interface = { + name = "{{ value.container_network_interface.name }}" + ip_configurations = { +{% for ip_key, ip_value in value.container_network_interface.ip_configurations.items() %} + {{ip_key}} = { + name = "{{ ip_value.name }}" +{% if ip_value.subnet_id is defined %} + subnet_id = "{{ ip_value.subnet_id }}" +{% endif %} +{% if ip_value.lz_key is defined %} + subnetlz_key_id = "{{ ip_value.lz_key }}" +{% endif %} +{% if ip_value.vnet_key is defined %} + vnet_key = "{{ ip_value.vnet_key }}" +{% endif %} +{% if ip_value.subnet_key is defined %} + subnet_key = "{{ ip_value.subnet_key }}" +{% endif %} +{% if ip_value.virtual_subnet_key is defined %} + virtual_subnet_key = "{{ ip_value.virtual_subnet_key }}" +{% endif %} + } +{% endfor %} + } + } + } +{% endfor %} +} \ No newline at end of file From d2d70fe50af0ae195fdbbc655d7580abb67a70a5 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 01:30:59 +0000 Subject: [PATCH 20/67] Update ESLZ templates for logged_in_users --- .../enterprise-scale/contoso/platform/management.yaml | 5 +++-- templates/platform/level1/eslz/configuration.tfvars.j2 | 2 -- .../level1/eslz/subscription_id_overrides.tfvars.j2 | 8 ++++---- .../platform/level2/connectivity/virtual_wan/ansible.yaml | 2 ++ 4 files changed, 9 insertions(+), 8 deletions(-) 
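Review bot: `containers = {` is opened inside `{% for c_key, c_value in value.containers.items() %}` and closed before `{% endfor%}`, so a group with two or more containers renders a repeated `containers` attribute, which HCL rejects as a redefinition; move `containers = {` above the `{% for %}` and its closing `}` after the `{% endfor%}` (the enclosing `{{ key }} = {` entry starts above the hunk). The `gpu` block writes `count = c_value.gpu.count` and `sku = c_value.gpu.sku` without `{{ }}`, so the literal expression text lands in the tfvars file instead of the values. `scheme = "{{c_value.liveness_probe.http_get.paschemeth}}"` references an attribute that does not exist (`scheme` is intended), and `url = "{{c_value.volume.git_repo.git_repo}}"` presumably should read `.url`. `read_only = {{c_value.volume.read_only | lower | default(false)}}` applies `lower` before `default`, so an undefined `read_only` is never replaced by `false`; reorder to `{{ c_value.volume.read_only | default(false) | lower }}` (same for `empty_dir`). Finally, `secure_environment_variables`, `storage_account_key` and `secret` are copied verbatim into the generated tfvars file — and the latter two unquoted, unlike the attributes around them — so a `{# secret material is rendered in clear into the generated tfvars; keep the output folder out of version control #}` note at that spot, plus consistent quoting, is warranted.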
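Review bot: `subnetlz_key_id = "{{ ip_value.lz_key }}"` looks like a mangled attribute name — its guard tests `ip_value.lz_key` and every other attribute in the block keeps its input name, so `lz_key = "{{ ip_value.lz_key }}"` is presumably intended; as written the remote-landing-zone reference is either ignored or rejected by the consumer depending on its schema. The template also iterates `value.container_network_interface.ip_configurations.items()` and reads `value.resource_group.key` and `value.container_network_interface.name` without `is defined` guards, so a profile missing any of them fails with an Undefined error; if that is the intended contract, a `{# required: name, resource_group.key, container_network_interface.name, container_network_interface.ip_configurations #}` comment at the top of the file would make it explicit.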
diff --git a/templates/enterprise-scale/contoso/platform/management.yaml b/templates/enterprise-scale/contoso/platform/management.yaml index 773853f28..2532e9eca 100644 --- a/templates/enterprise-scale/contoso/platform/management.yaml +++ b/templates/enterprise-scale/contoso/platform/management.yaml @@ -16,12 +16,13 @@ subscriptions: monitor_action_groups: networking_operations: + resource_group_key: management action_group_name: Networking Operations shortname: netops arm_role_alert: contributors: - name: contributors - role_name: servicehealth-alerts-contributors + name: Monitoring Contributor + role_name: Monitoring Contributor use_common_alert_schema: false email_receiver: noc: diff --git a/templates/platform/level1/eslz/configuration.tfvars.j2 b/templates/platform/level1/eslz/configuration.tfvars.j2 index 87f255e2d..63fb10fde 100644 --- a/templates/platform/level1/eslz/configuration.tfvars.j2 +++ b/templates/platform/level1/eslz/configuration.tfvars.j2 @@ -18,11 +18,9 @@ landingzone = { tfstate = "{{ config.tfstates.platform.platform_subscriptions.tfstate }}" } {% endif %} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} {{ config.tfstates.platform.identity.lz_key_name }} = { level = "current" tfstate = "{{ config.tfstates.platform.identity.tfstate }}" } -{% endif %} } } diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 index 6ea776b4e..39efa0e57 100644 --- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 
@@ -1,17 +1,17 @@ subscription_id_overrides = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %} - root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('\'','\"') }} + root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('\'','\"') }} {% else %} root = [] {% endif %} -{% endif %} {% else %} - {{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = [ +{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} + root = [ "{{ config.caf_terraform.launchpad.subscription_id }}" ] {% endif %} +{% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('\'','\"') }} diff --git a/templates/platform/level2/connectivity/virtual_wan/ansible.yaml b/templates/platform/level2/connectivity/virtual_wan/ansible.yaml index 9294e0ff0..bf536f576 100644 --- a/templates/platform/level2/connectivity/virtual_wan/ansible.yaml +++ b/templates/platform/level2/connectivity/virtual_wan/ansible.yaml @@ -15,6 +15,8 @@ src: "{{ item }}" dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes + when: + - connectivity_virtual_wan[folder_name] is defined with_fileglob: - "{{ level }}/{{ base_folder }}/{{ folder_name }}/*.j2" - "{{ level }}/{{ base_folder }}/{{ folder_name }}/*.md" 
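Review bot: In the new layout the launchpad subscription is placed under `root` only when `subscription_id_overrides` is entirely undefined; as soon as the config defines any override (for example only `decommissioned`), the outer `{% if ... is defined %}` takes its first branch, the `logged_in_user` check is never reached, and the fallback `root = []` is emitted, so the launchpad subscription silently stops being attached to the root management group in that mode. If that is not intended, the `azuread_identity_mode == 'logged_in_user'` check needs to appear before the `root = []` fallback in the first branch as well, or the two branches should be merged so the launchpad id is appended whenever the mode applies. The old code also keyed this entry by `root_parent_id | default('root')`; hard-coding `root` changes the target for configs that set a different `root_parent_id`, which deserves a template comment if deliberate.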
From 6daf05d89fa3e28190c5e737b01f9664aefb4b02 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 01:37:11 +0000 Subject: [PATCH 21/67] Udpate eslz template --- templates/platform/ansible.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index 75ce52a7c..228c00196 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml @@ -158,7 +158,7 @@ when: - (config.platform_core_setup.enterprise_scale.enable | bool) - ( (config.platform_core_setup.enterprise_scale.enable | bool) and (level1_subscriptions is not skipped) ) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") + - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == "logged_in_user") - platform_subscriptions_details.identity is defined - platform_subscriptions_details.management is defined From 300e431dd6323ab7517bd7b5cda51b71a1ed5ccb Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 01:45:07 +0000 Subject: [PATCH 22/67] Update --- templates/platform/ansible.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index 228c00196..9a9dc5252 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml @@ -106,6 +106,7 @@ # Level 1 # + ## subscriptions - name: "{{ level }}-{{ base_folder }} | Create platform subscriptions" import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" 
@@ -158,9 +159,9 @@ when: - (config.platform_core_setup.enterprise_scale.enable | bool) - ( (config.platform_core_setup.enterprise_scale.enable | bool) and (level1_subscriptions is not skipped) ) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - platform_subscriptions_details.identity is defined - - platform_subscriptions_details.management is defined + - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") + - platform_subscriptions_details.identity is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") + - platform_subscriptions_details.management is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") vars: base_folder: "eslz" @@ -177,7 +178,7 @@ when: - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - launchpad_azuread_groups is defined - - platform_subscriptions_details is defined + - platform_subscriptions_details is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") vars: base_folder: "asvm" level: "level2" @@ -202,7 +203,7 @@ - config.platform_core_setup.enterprise_scale.subscription_deployment_mode != "single_reuse" - launchpad_tfstate_exists is not skipped - credentials_tfstate_exists is not skipped - - level1_subscriptions is not skipped + - level1_subscriptions is not skipped or (config.platform_identity.azuread_identity_mode == "logged_in_user") - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") vars: 
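Review bot: In the `@@ -177` hunk the asvm task is now allowed to run in `logged_in_user` mode without `platform_subscriptions_details`, yet it still requires `launchpad_azuread_groups is defined`; the later keyvaults and role_mappings templates in this series guard every `launchpad_azuread_groups.*` lookup behind `azuread_identity_mode != 'logged_in_user'`, which suggests those groups may not exist in that mode, in which case this gate still skips the task. If the groups are always registered (possibly empty) in that mode, a comment on the `when` saying so would settle it; otherwise the condition needs the same `or (config.platform_identity.azuread_identity_mode == "logged_in_user")` escape the other items received. The enclosing tasks start before these hunks.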
From 8c770b0103ef3f45e6462d57189521c3db00555f Mon Sep 17 00:00:00 2001 
From: Arnaud Lheureux Date: Tue, 8 Feb 2022 08:36:32 +0000 Subject: [PATCH 23/67] Update templates --- ...chetype_config_overrides.caf.platform.yaml | 12 +- templates/platform/ansible.yaml | 9 +- .../archetype_config_overrides.tfvars.j2 | 6 + .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 6 + .../platform/level2/asvm/keyvaults.tfvars.j2 | 4 +- .../level2/asvm/role_mappings.tfvars.j2 | 18 +++ .../platform/level2/connectivity/ansible.yaml | 43 +++++--- .../ansible.yaml | 0 .../landingzone.tfvars.j2.old} | 0 .../{virtual_hub => virtual_hubs}/readme.md | 0 .../virtual_hubs_route_tables.tfvars.j2 | 0 .../connectivity/virtual_wan/ansible.yaml | 22 ---- .../virtual_wan/landingzone.tfvars.j2 | 12 -- .../virtual_wan/resource_groups.tfvars.j2 | 8 -- .../{virtual_wan => virtual_wans}/readme.md | 8 +- .../ddos_services.tfvars.j2 | 2 +- .../express_route_connections.tfvars.j2} | 42 ------- templates/resources/virtual_hubs.tfvars.j2 | 103 ++++++++++++++++++ .../virtual_wans.tfvars.j2} | 2 +- 19 files changed, 176 insertions(+), 121 deletions(-) rename templates/platform/level2/connectivity/{virtual_hub => virtual_hubs}/ansible.yaml (100%) rename templates/platform/level2/connectivity/{virtual_hub/landingzone.tfvars.j2 => virtual_hubs/landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/{virtual_hub => virtual_hubs}/readme.md (100%) rename templates/platform/level2/connectivity/{virtual_hub => virtual_hubs}/virtual_hubs_route_tables.tfvars.j2 (100%) delete mode 100644 templates/platform/level2/connectivity/virtual_wan/ansible.yaml delete mode 100644 templates/platform/level2/connectivity/virtual_wan/landingzone.tfvars.j2 delete mode 100644 templates/platform/level2/connectivity/virtual_wan/resource_groups.tfvars.j2 rename templates/platform/level2/connectivity/{virtual_wan => virtual_wans}/readme.md (71%) rename templates/{platform/level2/connectivity/virtual_wan => resources}/ddos_services.tfvars.j2 (85%) rename 
templates/{platform/level2/connectivity/virtual_hub/virtual_hubs.tfvars.j2 => resources/express_route_connections.tfvars.j2} (55%) create mode 100644 templates/resources/virtual_hubs.tfvars.j2 rename templates/{platform/level2/connectivity/virtual_wan/virtual_wan.tfvars.j2 => resources/virtual_wans.tfvars.j2} (70%) diff --git a/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml index 7aa928486..cfc8c8e14 100644 --- a/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml +++ b/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml @@ -47,7 +47,7 @@ archetype_definitions: lz_key: management output_key: diagnostics resource_type: log_analytics - resource_key: central_logs_sea + resource_key: region1 attribute_key: id enableAscForKubernetes: DeployIfNotExists enableAscForSql: DeployIfNotExists @@ -65,7 +65,7 @@ archetype_definitions: lz_key: management output_key: diagnostics resource_type: log_analytics - resource_key: central_logs_sea + resource_key: region1 attribute_key: id Deploy-LX-Arc-Monitoring: Deploy-Resource-Diag: 
@@ -74,28 +74,28 @@ archetype_definitions: lz_key: management output_key: diagnostics resource_type: log_analytics - resource_key: central_logs_sea + resource_key: region1 attribute_key: id Deploy-WS-Arc-Monitoring: logAnalytics: lz_key: management output_key: diagnostics resource_type: log_analytics - resource_key: central_logs_sea + resource_key: region1 attribute_key: id Deploy-VM-Monitoring: logAnalytics_1: lz_key: management output_key: diagnostics resource_type: log_analytics - resource_key: central_logs_sea + resource_key: region1 attribute_key: id Deploy-VMSS-Monitoring: logAnalytics_1: lz_key: management output_key: diagnostics resource_type: log_analytics - resource_key: central_logs_sea + resource_key: region1 attribute_key: id policy_definitions: Append-AppService-httpsonly: diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index 9a9dc5252..d6720d526 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml 
@@ -158,10 +158,9 @@ import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" when: - (config.platform_core_setup.enterprise_scale.enable | bool) - - ( (config.platform_core_setup.enterprise_scale.enable | bool) and (level1_subscriptions is not skipped) ) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") - - platform_subscriptions_details.identity is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - platform_subscriptions_details.management is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") + - ( (config.platform_core_setup.enterprise_scale.enable | bool) and level1_subscriptions is not skipped ) or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" or config.platform_identity.azuread_identity_mode == "logged_in_user" + - platform_subscriptions_details.identity is defined or config.platform_identity.azuread_identity_mode == "logged_in_user" or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" + - platform_subscriptions_details.management is defined or config.platform_identity.azuread_identity_mode == "logged_in_user" or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" vars: base_folder: "eslz" @@ -193,8 +192,6 @@ vars: base_folder: "connectivity" level: "level2" - folders: - - virtual_wan ## identity - name: "{{ level }}-{{ base_folder }} | Identity services" diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 index e24a0bef6..304554212 100644 
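Review bot: The same two escape clauses, `config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse"` and `config.platform_identity.azuread_identity_mode == "logged_in_user"`, are now repeated on each of the three `when` items here and again on the asvm and connectivity gates further down, so a future change to either mode name has to be found in many places. Computing them once with a `set_fact` near the top of the play and writing each item as `platform_subscriptions_details.identity is defined or subscriptions_externally_managed` would keep the conditions readable and consistent. The enclosing task starts before this hunk.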
--- a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 @@ -35,6 +35,7 @@ archetype_config_overrides = { {% endif %} {% if level.archetype_config.access_control is defined %} access_control = { +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} {% for level_ac_key, level_ac in level.archetype_config.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} @@ -46,6 +47,11 @@ archetype_config_overrides = { {% endfor %} } {% endfor %} +{% else %} + "Owner" = { + "principal_ids" = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] + } +{% endif %} } {% else %} access_control = {} diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 index c03a6e0b6..8d96940d2 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 @@ -38,6 +38,7 @@ custom_landing_zones = { {% endif %} {% if level.archetype_config.access_control is defined %} access_control = { +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} {% for level_ac_key, level_ac in level.archetype_config.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} @@ -49,6 +50,11 @@ custom_landing_zones = { {% endfor %} } {% endfor %} +{% else %} + "Owner" = { + "principal_ids" = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] + } +{% endif %} } {% else %} access_control = {} diff --git a/templates/platform/level2/asvm/keyvaults.tfvars.j2 b/templates/platform/level2/asvm/keyvaults.tfvars.j2 index c73a72a5e..c0d1b5156 100644 
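Review bot: In `logged_in_user` mode the new `{% else %}` branch discards every entry the configuration declares under `access_control` and instead grants `"Owner"` at management-group scope to the single object id in `billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id`; the custom_landing_zones.tfvars.j2 hunk of this commit has the identical branch. Owner on a management group is the broadest assignment this platform makes, and nothing in the rendered tfvars records that the configured entries were dropped or that the principal is the EA account owner rather than the interactive user, so a reviewer of the generated file cannot tell where the grant came from. At minimum add a template comment above the branch, e.g. `{# logged_in_user mode: configured access_control is not rendered; Owner goes to the EA account owner object id used for bootstrap #}`, and consider emitting the configured entries in addition to the bootstrap Owner rather than instead of them.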
--- a/templates/platform/level2/asvm/keyvaults.tfvars.j2 +++ b/templates/platform/level2/asvm/keyvaults.tfvars.j2 @@ -12,6 +12,7 @@ keyvaults = { } creation_policies = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} subscription_creation_landingzones = { object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" secret_permissions = ["Get"] @@ -20,7 +21,6 @@ keyvaults = { object_id = "{{launchpad_azuread_groups.level0.id}}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} caf_platform_maintainers = { object_id = "{{launchpad_azuread_groups.caf_platform_maintainers.id}}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] @@ -49,6 +49,7 @@ keyvaults = { } creation_policies = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} subscription_creation_landingzones = { object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" secret_permissions = ["Get"] @@ -65,7 +66,6 @@ keyvaults = { object_id = "{{launchpad_azuread_groups.level0.id}}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} caf_platform_maintainers = { object_id = "{{launchpad_azuread_groups.caf_platform_maintainers.id}}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] diff --git a/templates/platform/level2/asvm/role_mappings.tfvars.j2 b/templates/platform/level2/asvm/role_mappings.tfvars.j2 index 8691e97ca..bf465f538 100644 --- a/templates/platform/level2/asvm/role_mappings.tfvars.j2 +++ b/templates/platform/level2/asvm/role_mappings.tfvars.j2 @@ -6,6 +6,7 @@ role_mapping = { built_in_role_mapping = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} resource_groups = { level3 = { "Reader" = { 
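Review bot: Moving `{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}` above `subscription_creation_landingzones` (both the `@@ -12` and `@@ -49` hunks) now also hides the `level0` creation policy in that mode, and the matching `{% endif %}` sits outside the hunk after `caf_platform_maintainers`; unless something after it adds an entry, `creation_policies` renders empty for `logged_in_user` and the vault is created with no access policy for the identity running the deployment. If that mode is meant to work here, an `{% else %}` branch granting the logged-in principal the secret permissions it needs should be added before the `{% endif %}` (the role_mappings.tfvars.j2 hunk in this commit uses a `logged_in` entry for the same purpose). A comment on the guard noting that the guarded object ids come from `launchpad_azuread_groups` would state the assumption the move relies on.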
@@ -40,17 +41,25 @@ role_mapping = { } } } +{% endif %} storage_accounts = { level3 = { "Storage Blob Data Contributor" = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" // subscription_creation_landingzones ] } +{% else %} + logged_in = { + keys = [ "user" ] + } +{% endif %} } +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Owner" = { object_ids = { keys = [ @@ -58,17 +67,25 @@ role_mapping = { ] } } +{% endif %} } level4 = { "Storage Blob Data Contributor" = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" // subscription_creation_landingzones ] } +{% else %} + logged_in = { + keys = [ "user" ] + } +{% endif %} } +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Owner" = { object_ids = { keys = [ @@ -76,6 +93,7 @@ role_mapping = { ] } } +{% endif %} } } diff --git a/templates/platform/level2/connectivity/ansible.yaml b/templates/platform/level2/connectivity/ansible.yaml index 119700857..c22c86eab 100644 --- a/templates/platform/level2/connectivity/ansible.yaml +++ b/templates/platform/level2/connectivity/ansible.yaml 
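Review bot: The `{% endif %}` at the top of this hunk closes the guard opened in the `@@ -6` hunk some thirty-five lines earlier around the whole `resource_groups` block, and the file now interleaves six more `{% if %}`/`{% else %}`/`{% endif %}` triples with HCL braces, which makes the pairing hard to verify by eye. Tagging the long-range closers, e.g. `{% endif %}{# azuread_identity_mode != 'logged_in_user' (resource_groups) #}`, and a one-line comment on the first `logged_in = { keys = [ "user" ] }` saying it is the only assignment the interactive user receives on the level3/level4 state storage accounts would make the rendered permissions reviewable.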
@@ -1,28 +1,37 @@ - name: Creates {{ base_folder }} directory structure shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" -# - name: "{{ base_folder }} - Readme" -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ level }}/{{ base_folder }}/*.md" - -- name: "{{ base_folder }} - Virtual WAN" - include_tasks: "{{ level }}/{{ base_folder }}/{{ folder_name }}/ansible.yaml" - loop: - - virtual_wan +- name: "[{{ level }} {{ subscription_key }}] - virtual_wans" + include_tasks: "{{ level }}/ansible_deployment.yaml" + when: + - config.tfstates.platform.virtual_wans is defined + loop: "{{ config.tfstates.platform.virtual_wans.keys() }}" loop_control: - loop_var: folder_name + loop_var: deployment + vars: + files_matching: "connectivity_virtual_wan.yaml|connectivity_virtual_wan.caf.yaml" + resource_folder: virtual_wans + display_name: Virtual Wan -- name: Virtual Hubs - include_tasks: "{{ level }}/{{ base_folder }}/virtual_hub/ansible.yaml" +- name: "[{{ level }} {{ subscription_key }}] - virtual_hubs" + include_tasks: "{{ level }}/ansible_deployment.yaml" when: - - connectivity_virtual_hub.virtual_hubs is defined + - config.tfstates.platform.virtual_hubs is defined loop: "{{ config.tfstates.platform.virtual_hubs.keys() }}" loop_control: - loop_var: virtual_hub + loop_var: deployment + vars: + files_matching: "connectivity_virtual_hubs.yaml|connectivity_virtual_hubs.caf.yaml" + resource_folder: virtual_hubs + display_name: Virtual Wan + +# - name: Virtual Hubs +# include_tasks: "{{ level }}/{{ base_folder }}/virtual_hub/ansible.yaml" +# when: +# - connectivity_virtual_hub.virtual_hubs is defined +# loop: "{{ config.tfstates.platform.virtual_hubs.keys() }}" +# 
loop_control: +# loop_var: virtual_hub - name: VPN Sites include_tasks: "{{ level }}/{{ base_folder }}/vpn_site/ansible.yaml" diff --git a/templates/platform/level2/connectivity/virtual_hub/ansible.yaml b/templates/platform/level2/connectivity/virtual_hubs/ansible.yaml similarity index 100% rename from templates/platform/level2/connectivity/virtual_hub/ansible.yaml rename to templates/platform/level2/connectivity/virtual_hubs/ansible.yaml diff --git a/templates/platform/level2/connectivity/virtual_hub/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/virtual_hubs/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/connectivity/virtual_hub/landingzone.tfvars.j2 rename to templates/platform/level2/connectivity/virtual_hubs/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/connectivity/virtual_hub/readme.md b/templates/platform/level2/connectivity/virtual_hubs/readme.md similarity index 100% rename from templates/platform/level2/connectivity/virtual_hub/readme.md rename to templates/platform/level2/connectivity/virtual_hubs/readme.md diff --git a/templates/platform/level2/connectivity/virtual_hub/virtual_hubs_route_tables.tfvars.j2 b/templates/platform/level2/connectivity/virtual_hubs/virtual_hubs_route_tables.tfvars.j2 similarity index 100% rename from templates/platform/level2/connectivity/virtual_hub/virtual_hubs_route_tables.tfvars.j2 rename to templates/platform/level2/connectivity/virtual_hubs/virtual_hubs_route_tables.tfvars.j2 diff --git a/templates/platform/level2/connectivity/virtual_wan/ansible.yaml b/templates/platform/level2/connectivity/virtual_wan/ansible.yaml deleted file mode 100644 index bf536f576..000000000 --- a/templates/platform/level2/connectivity/virtual_wan/ansible.yaml +++ /dev/null 
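Review bot: The virtual_hubs task carries `display_name: Virtual Wan`, copied from the task above it; it should read `display_name: Virtual Hubs`. The `files_matching` patterns are also inconsistent between the two tasks (`connectivity_virtual_wan.yaml` singular versus `connectivity_virtual_hubs.yaml` plural), which is worth confirming against the actual config file names since a mismatch would make `ansible_deployment.yaml` find nothing. The commented-out "Virtual Hubs" block at the end duplicates what git history already keeps and can be deleted outright.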
@@ -1,22 +0,0 @@ -- name: ({{ folder_name }}) - Clean-up directory - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }}" - state: absent - when: - - config.configuration_folders.platform.cleanup_destination | bool - -- name: ({{ folder_name }}) - Creates directory structure - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }}" - state: directory - -- name: ({{ folder_name }}) - Tfvars - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - when: - - connectivity_virtual_wan[folder_name] is defined - with_fileglob: - - "{{ level }}/{{ base_folder }}/{{ folder_name }}/*.j2" - - "{{ level }}/{{ base_folder }}/{{ folder_name }}/*.md" diff --git a/templates/platform/level2/connectivity/virtual_wan/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/virtual_wan/landingzone.tfvars.j2 deleted file mode 100644 index d9a3f9cd5..000000000 --- a/templates/platform/level2/connectivity/virtual_wan/landingzone.tfvars.j2 +++ /dev/null @@ -1,12 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}" - level = "{{ config.tfstates.platform.virtual_wan.level }}" - key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.management.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.management.tfstate }}" - } - } -} 
diff --git a/templates/platform/level2/connectivity/virtual_wan/resource_groups.tfvars.j2 b/templates/platform/level2/connectivity/virtual_wan/resource_groups.tfvars.j2 deleted file mode 100644 index eae3fe158..000000000 --- a/templates/platform/level2/connectivity/virtual_wan/resource_groups.tfvars.j2 +++ /dev/null @@ -1,8 +0,0 @@ -resource_groups = { -{% for key, resource_group in connectivity_virtual_wan.resource_groups.items() %} - {{ key }} = { - name = "{{ resource_group.name }}" - region = "{{ resource_group.region_key | default(config.caf_terraform.launchpad.default_region_key) }}" - } -{% endfor %} -} \ No newline at end of file diff --git a/templates/platform/level2/connectivity/virtual_wan/readme.md b/templates/platform/level2/connectivity/virtual_wans/readme.md similarity index 71% rename from templates/platform/level2/connectivity/virtual_wan/readme.md rename to templates/platform/level2/connectivity/virtual_wans/readme.md index c54911c52..8754cc6d8 100644 --- a/templates/platform/level2/connectivity/virtual_wan/readme.md +++ b/templates/platform/level2/connectivity/virtual_wans/readme.md 
@@ -6,24 +6,24 @@ rover login -t {{ config.platform_identity.tenant_name }} cd {{ destination_base }}/landingzones git fetch origin -git checkout {{ config.gitops.caf_landingzone_branch }} +git checkout {{ resources.gitops.landingzones }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ destination_base }}/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform[folder_name].tfstate }} \ + -tfstate {{ config.tfstates.platform.virtual_wans[deployment].tfstate }} \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform[folder_name].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_wans[deployment].tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 b/templates/resources/ddos_services.tfvars.j2 similarity index 85% rename from templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 rename to templates/resources/ddos_services.tfvars.j2 index 7fddf3f6c..d463d4e6c 100644 --- a/templates/platform/level2/connectivity/virtual_wan/ddos_services.tfvars.j2 +++ b/templates/resources/ddos_services.tfvars.j2 
@@ -1,5 +1,5 @@ ddos_services = { -{% for key, value in connectivity_virtual_wan.ddos_services.items() %} +{% for key, value in resources.subscriptions[subscription_key].ddos_services.items() %} "{{key}}" = { resource_group_key = "{{ value.resource_group_key }}" name = "{{ value.name }}" diff --git a/templates/platform/level2/connectivity/virtual_hub/virtual_hubs.tfvars.j2 b/templates/resources/express_route_connections.tfvars.j2 similarity index 55% rename from templates/platform/level2/connectivity/virtual_hub/virtual_hubs.tfvars.j2 rename to templates/resources/express_route_connections.tfvars.j2 index 42a7db4c7..25b463ff0 100644 --- a/templates/platform/level2/connectivity/virtual_hub/virtual_hubs.tfvars.j2 +++ b/templates/resources/express_route_connections.tfvars.j2 
@@ -1,45 +1,3 @@ -virtual_hubs = { - {{ virtual_hub }} = { - virtual_wan = { -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].virtual_wan.lz_key is defined %} - lz_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}" -{% endif %} - key = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].virtual_wan.key }}" - } - - resource_group = { -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].virtual_wan.lz_key is defined %} - lz_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}" -{% endif %} - key = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].virtual_wan.key }}" - } - - hub_name = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].name }}" - region = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].region_key }}" - hub_address_prefix = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].hub_address_prefix }}" - deploy_firewall = false - deploy_p2s = false - p2s_config = {} -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_s2s %} - deploy_s2s = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_s2s | string | lower }} - s2s_config = { - name = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].s2s_config.name }}" - scale_unit = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].s2s_config.scale_unit }} - } -{% else %} - deploy_s2s = false -{% endif %} -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_er %} - deploy_er = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_er | string | lower }} - er_config = { - name = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].er_config.name }}" - scale_units = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].er_config.scale_units }} - } -{% else %} - deploy_er = false -{% endif %} - } -} {% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections is defined %} express_route_connections = { 
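Review bot: After the move into templates/resources/, the surviving `{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections is defined %}` still reads the old `connectivity_virtual_hub` fact and the `virtual_hub` loop variable, whereas every other template in this directory (ddos_services, virtual_wans, the new virtual_hubs) now iterates `resources.subscriptions[subscription_key]`; rendered through the new `ansible_deployment.yaml` path those names are presumably undefined. The rest of the file is outside the hunk, so it may be intentionally left for a follow-up, but a `{# TODO: migrate to resources.subscriptions[subscription_key].express_route_connections #}` at the top would stop it being picked up as working.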
diff --git a/templates/resources/virtual_hubs.tfvars.j2 b/templates/resources/virtual_hubs.tfvars.j2
new file mode 100644
index 000000000..6410403e6
--- /dev/null
+++ b/templates/resources/virtual_hubs.tfvars.j2
@@ -0,0 +1,103 @@ +virtual_hubs = { +{% for key, value in resources.subscriptions[subscription_key].virtual_hubs.items() %} + {{ key }} = { + virtual_wan = { +{% if value.virtual_wan.lz_key is defined %} + lz_key = "{{ value.virtual_wan.lz_key }}" +{% endif %} + key = "{{ value.virtual_wan.key }}" + } + + resource_group = { +{% if value.virtual_wan.lz_key is defined %} + lz_key = "{{ value.virtual_wan.lz_key }}" +{% endif %} + key = "{{ value.virtual_wan.key }}" + } + + hub_name = "{{ value.name }}" +{% if value.region_key is defined %} + region = "{{ value.region_key }}" +{% endif %} + hub_address_prefix = "{{ value.hub_address_prefix }}" + +{% if value.routes is defined %} + routes = { +{% for rt_key, rt_value in value.routes.items() %} + {{rt_key}} = { + address_prefixes = {{ rt_value.address_prefixes | replace('None','[]') | replace('\'','\"') }} + next_hop_ip_address = "{{ rt_value.next_hop_ip_address }}" + } +{% endfor %} + } +{% endif %} + +{% if value.deploy_p2s is defined %} + deploy_p2s = {{ value.deploy_p2s | lower }} +{% endif %} +{% if value.p2s_config is defined %} + p2s_config = { + name = "{{ value.p2s_config.name }}" + scale_unit = "{{ value.p2s_config.scale_unit }}" +{% if value.p2s_config.connection_configuration is defined %} + connection_configuration = { + name = "{{ value.p2s_config.connection_configuration.name }}" +{% if value.p2s_config.connection_configuration.vpn_client_address_pool is defined %} + vpn_client_address_pool = { +{% for cap_key, cap_value in value.p2s_config.connection_configuration.vpn_client_address_pool.items() %} + {{cap_key}} = { + address_prefixes = {{cap_value | replace('None','[]') | replace('\'','\"') }} + } +{% endfor %} + } +{% endif %} + } +{% endif %} + } +{% endif %} + +{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_s2s %} + deploy_s2s = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_s2s | string | lower }} + s2s_config = { + name = "{{ 
connectivity_virtual_hub.virtual_hubs[virtual_hub].s2s_config.name }}" + scale_unit = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].s2s_config.scale_unit }} + } +{% else %} + deploy_s2s = false +{% endif %} +{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_er %} + deploy_er = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_er | string | lower }} + er_config = { + name = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].er_config.name }}" + scale_units = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].er_config.scale_units }} + } +{% else %} + deploy_er = false +{% endif %} + +{% if value.security_partner_provider is defined %} + security_partner_provider = { +{% for spp_key, spp_value in value.security_partner_provider.items() %} + {{spp_key}} = { + name = "{{ spp_value.name }}" + security_provider_name = "{{ spp_value.security_provider_name }}" + } +{% endfor %} + } +{% endif %} + +{% if value.bgp_connection is defined %} + bgp_connection = { +{% for bgp_key, bgp_value in value.bgp_connection.items() %} + {{bgp_key}} = { + name = "{{ bgp_value.name }}" + peer_asn = "{{ bgp_value.peer_asn }}" + peer_ip = "{{ bgp_value.peer_ip }}" + } +{% endfor %} + } +{% endif %} + + } +{% endfor %} +} diff --git a/templates/platform/level2/connectivity/virtual_wan/virtual_wan.tfvars.j2 b/templates/resources/virtual_wans.tfvars.j2 similarity index 70% rename from templates/platform/level2/connectivity/virtual_wan/virtual_wan.tfvars.j2 rename to templates/resources/virtual_wans.tfvars.j2 index 128c9e9ad..659ee3eb9 100644 --- a/templates/platform/level2/connectivity/virtual_wan/virtual_wan.tfvars.j2 +++ b/templates/resources/virtual_wans.tfvars.j2 @@ -1,5 +1,5 @@ virtual_wans = { -{% for key, vwan in connectivity_virtual_wan.virtual_wans.items() %} +{% for key, vwan in resources.subscriptions[subscription_key].virtual_wans.items() %} "{{key}}" = { resource_group_key = "{{ vwan.resource_group_key }}" name = "{{ vwan.name }}" 
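Review bot: The `deploy_s2s`/`s2s_config` and `deploy_er`/`er_config` sections in the middle of the new template still read `connectivity_virtual_hub.virtual_hubs[virtual_hub]`, while everything around them is driven by `value` from the `resources.subscriptions[subscription_key].virtual_hubs` loop; every hub emitted by the loop therefore receives the s2s/er settings of whichever single hub `virtual_hub` names, and the render aborts with an undefined variable as soon as `connectivity_virtual_hub` is no longer passed to the playbook. Those lines should follow the same `value.*` convention as the `deploy_p2s`/`p2s_config` block directly above them. Separately, the `resource_group` block copies `lz_key`/`key` from `value.virtual_wan` rather than from a `resource_group` entry; confirm that is intentional rather than a copy of the `virtual_wan` block.
```jinja
{# … unchanged: virtual_wan, resource_group, hub_name, routes, p2s blocks … #}
{% if value.deploy_s2s | default(false) %}
    deploy_s2s = {{ value.deploy_s2s | string | lower }}
    s2s_config = {
      name       = "{{ value.s2s_config.name }}"
      scale_unit = {{ value.s2s_config.scale_unit }}
    }
{% else %}
    deploy_s2s = false
{% endif %}
{% if value.deploy_er | default(false) %}
    deploy_er = {{ value.deploy_er | string | lower }}
    er_config = {
      name        = "{{ value.er_config.name }}"
      scale_units = {{ value.er_config.scale_units }}
    }
{% else %}
    deploy_er = false
{% endif %}
{# … unchanged: security_partner_provider, bgp_connection … #}
```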
From 336de667b9a197e8735338934f2ac1423d117849 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 11:39:26 +0000 Subject: [PATCH 24/67] Update templates --- templates/platform/ansible.yaml | 4 +- ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 .../{ansible.yaml => ansible.yaml.old} | 0 .../custom_role_definitions.tfvars.j2 | 2 +- .../express_route_connections.tfvars.j2 | 87 ++++++++++++++----- templates/resources/virtual_hubs.tfvars.j2 | 66 ++++++++------ 6 files changed, 109 insertions(+), 50 deletions(-) rename templates/platform/level2/connectivity/private_dns/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/virtual_hubs/{ansible.yaml => ansible.yaml.old} (100%) diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index d6720d526..a22d1b019 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml @@ -1,8 +1,8 @@ - name: CAF Terraform - Generate Azure Subscription Vending Machine (asvm) configuration files hosts: localhost vars: - connectivity_virtual_wan: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_wan.yaml') | from_yaml }}" - connectivity_virtual_hub: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_hub.yaml') | from_yaml }}" + # connectivity_virtual_wan: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_wan.yaml') | from_yaml }}" + # connectivity_virtual_hub: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_hub.yaml') | from_yaml }}" connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml', errors='ignore') | from_yaml }}" connectivity_firewall_policies: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall_policies.yaml', errors='ignore') | from_yaml }}" connectivity_vpn_sites: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_sites.yaml', errors='ignore') | from_yaml }}" 
diff --git a/templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2 rename to templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/connectivity/virtual_hubs/ansible.yaml b/templates/platform/level2/connectivity/virtual_hubs/ansible.yaml.old similarity index 100% rename from templates/platform/level2/connectivity/virtual_hubs/ansible.yaml rename to templates/platform/level2/connectivity/virtual_hubs/ansible.yaml.old diff --git a/templates/resources/custom_role_definitions.tfvars.j2 b/templates/resources/custom_role_definitions.tfvars.j2 index 0cbfac619..02f75f995 100644 --- a/templates/resources/custom_role_definitions.tfvars.j2 +++ b/templates/resources/custom_role_definitions.tfvars.j2 @@ -11,7 +11,7 @@ custom_role_definitions = { {% if value.permissions is defined %} permissions = { {% for p_key, permission in value.permissions.items() %} - {{ p_key }} = {{ permission | sort | replace('None','[]') | replace('\'','\"') | replace(',', ',\n') }} + {{ p_key }} = {{ permission | sort | replace('None','[]') | replace('\'','\"') | replace(',', ',\n') | replace('[', '[\n') | replace(']', '\n]') }} {% endfor %} } {% endif %} diff --git a/templates/resources/express_route_connections.tfvars.j2 b/templates/resources/express_route_connections.tfvars.j2 index 25b463ff0..2c16008ad 100644 --- a/templates/resources/express_route_connections.tfvars.j2 +++ b/templates/resources/express_route_connections.tfvars.j2 
@@ -1,40 +1,83 @@ - -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections is defined %} express_route_connections = { - {{ virtual_hub }} = { - name = "{{ connectivity_virtual_hub.express_route_connections[virtual_hub].name }}" -{% if connectivity_virtual_hub.express_route_connections[virtual_hub].enable_internet_security is defined %} - enable_internet_security = {{ connectivity_virtual_hub.express_route_connections[virtual_hub].enable_internet_security | string | lower }} +{% for key, value in resources.subscriptions[subscription_key].express_route_connections.items() %} +{% if value.enable_er_connections %} + {{ key }} = { + name = "{{ value.name }}" +{% if value.enable_internet_security is defined %} + enable_internet_security = {{ value.enable_internet_security | string | lower }} {% endif %} -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections %} - enable_er_connections = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections | string | lower }} +{% if value.routing_weight is defined %} + routing_weight = {{ value.routing_weight }} {% endif %} -{% if connectivity_virtual_hub.express_route_connections[virtual_hub].routing_weight is defined %} - routing_weight = {{ connectivity_virtual_hub.express_route_connections[virtual_hub].routing_weight }} +{% if value.express_route_gateway_id is defined %} + express_route_gateway_id = "{{ value.express_route_gateway_id }}" {% endif %} virtual_hub = { - key = "{{ connectivity_virtual_hub.express_route_connections[virtual_hub].virtual_hub.key }}" +{% if value.virtual_hub.key is defined %} + key = "{{ value.virtual_hub.key }}" +{% endif %} +{% if value.virtual_hub.lz_key is defined %} + lz_key = "{{ value.virtual_hub.lz_key }}" +{% endif %} +{% if value.virtual_hub.id is defined %} + id = "{{ value.virtual_hub.id }}" +{% endif %} } +{% if value.express_route_circuit_peering_id is defined %} + 
express_route_circuit_peering_id = "{{ value.express_route_circuit_peering_id }}" +{% endif %} circuit_peering = { - lz_key = "{{ config.tfstates.platform.express_route_circuit_peerings[connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering.tfstate_key].lz_key_name }}" - key = "{{ connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering.key }}" +{% if value.circuit_peering.lz_key is defined %} + lz_key = "{{ value.circuit_peering.lz_key }}" +{% endif %} + key = "{{ value.circuit_peering.key }}" } -{% if connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization is defined %} +{% if value.express_route_circuit_authorization is defined %} express_route_circuit_authorization = { - lz_key = "{{ config.tfstates.platform.express_route_circuits[connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization.tfstate_key].lz_key_name }}" - key = "{{ connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization.key }}" +{% if value.express_route_circuit_authorization.lz_key is defined %} + lz_key = "{{ value.express_route_circuit_authorization.lz_key }}" +{% endif %} + key = "{{ value.express_route_circuit_authorization.key }}" } {% endif %} -{% if connectivity_virtual_hub.express_route_connections[virtual_hub].route_table is defined %} +{% if value.routing is defined %} + routing = { +{% if value.routing.propagated_route_table is defined %} + propagated_route_table = { +{% if value.routing.propagated_route_table.labels is defined %} + labels = {{ value.routing.propagated_route_table.labels | replace('None','[]') | replace('\'','\"') }} +{% endif %} + } +{% endif %} + } +{% endif %} +{% if value.route_table is defined %} route_table = { - key = "{{ connectivity_virtual_hub.express_route_connections[virtual_hub].route_table.key }}" +{% if value.route_table.key is defined %} + key = "{{ value.route_table.key }}" +{% 
endif %} +{% if value.route_table.lz_key is defined %} + lz_key = "{{ value.route_table.lz_key }}" +{% endif %} +{% if value.route_table.id is defined %} + id = "{{ value.route_table.id }}" +{% endif %} } {% endif %} -{% if connectivity_virtual_hub.express_route_connections[virtual_hub].propagated_route_tables is defined %} +{% if value.propagated_route_tables is defined %} propagated_route_tables = { - key = "{{ connectivity_virtual_hub.express_route_connections[virtual_hub].propagated_route_tables.key }}" +{% if value.propagated_route_tables.lz_key is defined %} + lz_key = "{{ value.propagated_route_tables.lz_key }}" +{% endif %} +{% if value.propagated_route_tables.keys is defined %} + keys = {{ value.propagated_route_tables.keys | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% if value.propagated_route_tables.ids is defined %} + ids = {{ value.propagated_route_tables.ids | replace('None','[]') | replace('\'','\"') }} +{% endif %} } {% endif %} } -} -{% endif %} \ No newline at end of file +{% endif %} +{% endfor %} +} \ No newline at end of file diff --git a/templates/resources/virtual_hubs.tfvars.j2 b/templates/resources/virtual_hubs.tfvars.j2 index 6410403e6..35b43cb6e 100644 --- a/templates/resources/virtual_hubs.tfvars.j2 +++ b/templates/resources/virtual_hubs.tfvars.j2 @@ -7,20 +7,17 @@ virtual_hubs = { {% endif %} key = "{{ value.virtual_wan.key }}" } - resource_group = { {% if value.virtual_wan.lz_key is defined %} lz_key = "{{ value.virtual_wan.lz_key }}" {% endif %} key = "{{ value.virtual_wan.key }}" } - hub_name = "{{ value.name }}" {% if value.region_key is defined %} region = "{{ value.region_key }}" {% endif %} hub_address_prefix = "{{ value.hub_address_prefix }}" - {% if value.routes is defined %} routes = { {% for rt_key, rt_value in value.routes.items() %} 
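Review bot: `{% if value.enable_er_connections %}` at the top of the loop dereferences the key with no guard, so an `express_route_connections` entry that simply omits it aborts the whole render under Ansible's default strict handling of undefined variables (and, if undefined were tolerated, would silently drop the connection). The same filter pattern used elsewhere in the file fixes it: `{% if value.enable_er_connections | default(false) %}`. Note also that `lz_key` is now copied straight from the YAML instead of being resolved through `config.tfstates.platform.*.lz_key_name`, so configuration authors must now supply the exact landing-zone key name themselves; a comment at the top of the template saying so would save the next person a failed `rover` run.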
@@ -31,10 +28,7 @@ virtual_hubs = { {% endfor %} } {% endif %} - -{% if value.deploy_p2s is defined %} - deploy_p2s = {{ value.deploy_p2s | lower }} -{% endif %} + deploy_p2s = {{ value.deploy_p2s | default(false) | lower }} {% if value.p2s_config is defined %} p2s_config = { name = "{{ value.p2s_config.name }}" 
@@ -53,28 +47,52 @@ virtual_hubs = { {% endif %} } {% endif %} - } +{% if value.deploy_p2s.server_config is defined %} + server_config = { + vpn_authentication_types = "{{ value.deploy_p2s.server_config.vpn_authentication_types }}" + client_root_certificate = { + name = "{{ value.deploy_p2s.server_config.client_root_certificate.name }}" + public_cert_data = "{{ value.deploy_p2s.server_config.client_root_certificate.public_cert_data }}" + } + } {% endif %} - -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_s2s %} - deploy_s2s = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_s2s | string | lower }} - s2s_config = { - name = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].s2s_config.name }}" - scale_unit = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].s2s_config.scale_unit }} } {% else %} - deploy_s2s = false + p2s_config = {} +{% endif %} + deploy_s2s = {{ value.deploy_s2s | string | lower | default(false) }} + s2s_config = { +{% if value.s2s_config.name is defined %} + name = "{{ value.s2s_config.name }}" +{% endif %} +{% if value.s2s_config.scale_unit is defined %} + scale_unit = {{ value.s2s_config.scale_unit }} +{% endif %} +{% if value.s2s_config.routing_preference is defined %} + routing_preference = "{{ value.s2s_config.routing_preference | default('Microsoft Network') }}" +{% endif %} +{% if value.deploy_s2s.bgp_settings is defined %} + bgp_settings = { + asn = "{{ value.deploy_s2s.bgp_settings.asn }}" + peer_weight = {{ value.deploy_s2s.bgp_settings.peer_weight }} +{% if value.deploy_s2s.bgp_settings.instance_0_bgp_peering_address is defined %} + instance_0_bgp_peering_address = { + custom_ips = {{ value.deploy_s2s.bgp_settings.instance_0_bgp_peering_address.custom_ips | replace('None','[]') | replace('\'','\"') }} + } +{% endif %} +{% if value.deploy_s2s.bgp_settings.instance_1_bgp_peering_address is defined %} + instance_1_bgp_peering_address = { + custom_ips = {{ 
value.deploy_s2s.bgp_settings.instance_1_bgp_peering_address.custom_ips | replace('None','[]') | replace('\'','\"') }} + } +{% endif %} + } {% endif %} -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_er %} - deploy_er = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].deploy_er | string | lower }} + } + deploy_er = {{ value.deploy_er | string | lower | default(false) }} er_config = { - name = "{{ connectivity_virtual_hub.virtual_hubs[virtual_hub].er_config.name }}" - scale_units = {{ connectivity_virtual_hub.virtual_hubs[virtual_hub].er_config.scale_units }} + name = "{{ value.er_config.name }}" + scale_units = {{ value.er_config.scale_units }} } -{% else %} - deploy_er = false -{% endif %} - {% if value.security_partner_provider is defined %} security_partner_provider = { {% for spp_key, spp_value in value.security_partner_provider.items() %} @@ -85,7 +103,6 @@ virtual_hubs = { {% endfor %} } {% endif %} - {% if value.bgp_connection is defined %} bgp_connection = { {% for bgp_key, bgp_value in value.bgp_connection.items() %} @@ -97,7 +114,6 @@ virtual_hubs = { {% endfor %} } {% endif %} - } {% endfor %} } From d921d09f131cf778eac7b58f3ed3c90d6dcd359a Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 11:40:26 +0000 Subject: [PATCH 25/67] Update path --- caf_launchpad/landingzone.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf index 8dc19f626..6ae4b304b 100644 --- a/caf_launchpad/landingzone.tf +++ b/caf_launchpad/landingzone.tf @@ -3,8 +3,8 @@ module "launchpad" { # version = "5.5.1" - # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" - source = "../../aztfmod" + source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" + # source = "../../aztfmod" providers = { azurerm.vhub = azurerm From 4e0d6a1bcfc74f21648e9d7e4cbbeccaed859c46 Mon Sep 17 00:00:00 2001 
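Review bot: `deploy_s2s = {{ value.deploy_s2s | string | lower | default(false) }}` applies `default` last, so when `deploy_s2s` is absent the `string` filter already runs on an undefined value and the default never takes effect (an error under strict undefined handling, otherwise an empty and invalid `deploy_s2s = ` line); the `deploy_er` line has the same problem, and both should read `| default(false) | string | lower` like the `deploy_p2s` line in the previous hunk. The new `{% if value.deploy_p2s.server_config is defined %}` and `{% if value.deploy_s2s.bgp_settings is defined %}` tests look up attributes on values this same template renders as booleans, so they can never be true and the `server_config` (client root certificate) and `bgp_settings` blocks are never emitted; `value.p2s_config.server_config` and `value.s2s_config.bgp_settings` appear to be what was meant. `er_config` is now also emitted unconditionally, so a hub with `deploy_er` false and no `er_config` fails to render. The enclosing `{% for %}` over `virtual_hubs` starts outside this hunk.
```jinja
{# … unchanged: p2s_config name / scale_unit / connection_configuration … #}
{% if value.p2s_config.server_config is defined %}
      server_config = {
        vpn_authentication_types = "{{ value.p2s_config.server_config.vpn_authentication_types }}"
        client_root_certificate = {
          name             = "{{ value.p2s_config.server_config.client_root_certificate.name }}"
          public_cert_data = "{{ value.p2s_config.server_config.client_root_certificate.public_cert_data }}"
        }
      }
{% endif %}
{# … unchanged: close of p2s_config / else branch … #}
    deploy_s2s = {{ value.deploy_s2s | default(false) | string | lower }}
    s2s_config = {
{# … unchanged: name / scale_unit / routing_preference … #}
{% if value.s2s_config.bgp_settings is defined %}
      bgp_settings = {
        asn         = "{{ value.s2s_config.bgp_settings.asn }}"
        peer_weight = {{ value.s2s_config.bgp_settings.peer_weight }}
{# … unchanged: instance_0/instance_1 peering addresses, with the value.s2s_config.bgp_settings prefix … #}
      }
{% endif %}
    }
    deploy_er = {{ value.deploy_er | default(false) | string | lower }}
{% if value.er_config is defined %}
    er_config = {
      name        = "{{ value.er_config.name }}"
      scale_units = {{ value.er_config.scale_units }}
    }
{% endif %}
```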
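Review bot: The launchpad module source is switched to `git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network`, a mutable branch with no commit pin, while the registry `version = "5.5.1"` pin stays commented out. What this module (tagged as the level0 launchpad elsewhere in the series) deploys therefore depends on whatever that branch holds at `apply` time, and a force-push to or compromise of the branch changes the infrastructure with no change in this repository. Pin the ref, e.g. `source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=<commit-sha>"`, and leave a comment such as `# Temporary: tracking aci_network until it is released; restore the registry version pin afterwards` so the branch reference is not forgotten.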
From: LaurentLesle Date: Tue, 8 Feb 2022 12:28:29 +0000 Subject: [PATCH 26/67] Update template --- .../platform/level0/launchpad/keyvaults.tfvars.j2 | 6 +++--- .../level2/connectivity/virtual_hubs/readme.md | 14 +++++--------- templates/resources/landingzone.tfvars.j2 | 8 ++++++++ 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 index 7bc86e60e..afaf49f6f 100644 --- a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 +++ b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 @@ -3,7 +3,7 @@ keyvaults = { level0 = { name = "{{ resources.subscriptions[subscription_key].keyvaults.level0.name }}" resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level0.resource_group_key }}" - sku_name = "{{ config.platform_core_setup.sku.keyvault}}" + sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level0" caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" @@ -35,7 +35,7 @@ keyvaults = { level1 = { name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.name }}" resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level1.resource_group_key }}" - sku_name = "{{ config.platform_core_setup.sku.keyvault}}" + sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level1" caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" 
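Review bot: In the `level0` keyvault the new `sku_name` reads `resources.subscriptions[subscription_key].keyvaults.level1.sku_name`, so the level0 vault silently takes whatever SKU the level1 vault is configured with and its own `sku_name` is ignored; the line should be `sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level0.sku_name | default('standard') }}"`. Note that `default('standard')` only covers a missing `sku_name`, not a missing `keyvaults.levelN` entry, so the intermediate attribute access still fails for a subscription that does not define that level.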
@@ -67,7 +67,7 @@ keyvaults = { level2 = { name = "{{ resources.subscriptions[subscription_key].keyvaults.level2.name }}" resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level2.resource_group_key }}" - sku_name = "{{ config.platform_core_setup.sku.keyvault}}" + sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level2" caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" diff --git a/templates/platform/level2/connectivity/virtual_hubs/readme.md b/templates/platform/level2/connectivity/virtual_hubs/readme.md index 277d9e193..1284c0a47 100644 --- a/templates/platform/level2/connectivity/virtual_hubs/readme.md +++ b/templates/platform/level2/connectivity/virtual_hubs/readme.md @@ -4,9 +4,7 @@ Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services - -{% for virtual_hub in config.tfstates.platform.virtual_hubs.keys() %} -### {{ virtual_hub }} +## {{ deployment }} ```bash # login a with a user member of the caf-platform-maintainers group 
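Review bot: The `level2` keyvault's `sku_name` also reads `keyvaults.level1.sku_name`, which looks like the same copy-paste as the level0 entry; the level2 vault's SKU should come from its own entry, `sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level2.sku_name | default('standard') }}"`.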
@@ -14,27 +12,25 @@ rover login -t {{ config.platform_identity.tenant_name }} cd {{ destination_base }}/landingzones git fetch origin -git checkout {{ config.gitops.caf_landingzone_branch }} +git checkout {{ resources.gitops.landingzones }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ destination_base }}/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }} \ + -tfstate {{ config.tfstates.platform.virtual_hubs[deployment].tfstate }} \ -log-severity ERROR \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}.tfplan \ -a plan - ``` -{% endfor %} diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2 index bd35633c6..c3fb3d132 100644 --- a/templates/resources/landingzone.tfvars.j2 +++ b/templates/resources/landingzone.tfvars.j2 
@@ -66,3 +66,11 @@ landingzone = { } {% endif %} } + +{% if deployments.deployments[subscription_key][deployment].custom_variables is defined %} +custom_variables = { +{% for cv_key, cv_value in deployments.deployments[subscription_key][deployment].custom_variables.items() %} + {{cv_key}} = "{{cv_value}}" +{% endfor %} +} +{% endif %} \ No newline at end of file From 12db791e5876c3c1d5db3b9e2a2ba0490a4f0718 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 12:37:56 +0000 Subject: [PATCH 27/67] Add caf_platform_contributors in templates --- .../level0/launchpad/keyvaults.tfvars.j2 | 12 ++++++++++++ .../level0/launchpad/role_mappings.tfvars.j2 | 19 +++++++++++++++---- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 index afaf49f6f..06f112bfc 100644 --- a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 +++ b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 @@ -20,6 +20,10 @@ keyvaults = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } + caf_platform_contributors = { + azuread_group_key = "caf_platform_contributors" + secret_permissions = ["Get"] + } {% endif %} {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { @@ -52,6 +56,10 @@ keyvaults = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } + caf_platform_contributors = { + azuread_group_key = "caf_platform_contributors" + secret_permissions = ["Get"] + } {% endif %} {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { 
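Review bot: `{{cv_key}} = "{{cv_value}}"` drops each `custom_variables` value into an HCL string literal with no escaping: a value containing `"`, a backslash, or a `${`/`%{` sequence produces a tfvars file that fails to parse (tfvars do not accept template sequences at all), and a list, map, bool or number from the YAML is rendered as its Python repr inside quotes. Emitting the value with `{{ cv_key }} = {{ cv_value | to_json }}` handles quoting and escaping and lets the YAML type round-trip into Terraform. The `{% if ... is defined %}` guard covers only the outer `custom_variables` key; the nested `deployments.deployments[subscription_key][deployment]` lookup is assumed to exist, which matches the rest of the file.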
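Review bot: `caf_platform_contributors` is granted `secret_permissions = ["Get"]` on the level0 and level1 vaults in this hunk (and on level2 in the next), which is read access to every secret in those vaults for anyone who knows a secret name. Omitting `List` only hides names, it is not a permission boundary, so confirm that contributors are actually meant to read launchpad-level secrets rather than only the higher-level ones, and state the intent in the template, e.g. `# contributors: read-only; needed for <purpose> — do not add Set/Delete`. The new entries are correctly kept inside the existing `azuread_identity_mode != 'logged_in_user'` guard, whose opening `{% if %}` is outside this hunk.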
@@ -84,6 +92,10 @@ keyvaults = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } + caf_platform_contributors = { + azuread_group_key = "caf_platform_contributors" + secret_permissions = ["Get"] + } {% endif %} {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 index 323e49403..6456f0c7b 100644 --- a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 +++ b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 @@ -45,6 +45,11 @@ role_mapping = { } {% endif %} } + "Reader" = { + azuread_groups = { + keys = ["caf_platform_contributors"] + } + } } } {% endif %} @@ -76,7 +81,8 @@ role_mapping = { azuread_groups = { keys = [ "identity", - "subscription_creation_platform" + "subscription_creation_platform", + "caf_platform_contributors" ] } } @@ -88,7 +94,8 @@ role_mapping = { "identity", "management", "eslz", - "subscription_creation_platform" + "subscription_creation_platform", + "caf_platform_contributors" ] } } @@ -100,7 +107,8 @@ role_mapping = { "identity", "connectivity", "management", - "subscription_creation_landingzones" + "subscription_creation_landingzones", + "caf_platform_contributors" ] } } @@ -126,7 +134,8 @@ role_mapping = { keys = [ "management", "eslz", - "subscription_creation_platform" + "subscription_creation_platform", + "caf_platform_contributors" ] } } @@ -155,6 +164,7 @@ role_mapping = { azuread_groups = { keys = [ "connectivity", + "caf_platform_contributors", {% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} "level0" {% endif %} 
@@ -187,6 +197,7 @@ role_mapping = { "Storage Blob Data Reader" = { azuread_groups = { keys = [ + "caf_platform_contributors", {% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} "subscription_creation_landingzones" {% endif %} From 02b22e920b166ac9db6b801802d09da723ee315c Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 12:42:25 +0000 Subject: [PATCH 28/67] Update asvm --- templates/platform/level2/asvm/keyvaults.tfvars.j2 | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/templates/platform/level2/asvm/keyvaults.tfvars.j2 b/templates/platform/level2/asvm/keyvaults.tfvars.j2 index c0d1b5156..8a2d656f8 100644 --- a/templates/platform/level2/asvm/keyvaults.tfvars.j2 +++ b/templates/platform/level2/asvm/keyvaults.tfvars.j2 @@ -3,10 +3,8 @@ keyvaults = { level3 = { name = "{{ resources.subscriptions[subscription_key].keyvaults.level3.name }}" resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level3.resource_group_key }}" - sku_name = "{{ config.platform_core_setup.sku.keyvault}}" + sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level3.sku_name | default('standard') }}" tags = { - tfstate = "level3" - environment = "{{ config.caf_terraform.launchpad.caf_environment }}" caf_tfstate = "level3" caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" } 
@@ -40,10 +38,8 @@ keyvaults = { level4 = { name = "{{ resources.subscriptions[subscription_key].keyvaults.level4.name }}" resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level4.resource_group_key }}" - sku_name = "{{ config.platform_core_setup.sku.keyvault}}" + sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { - tfstate = "level4" - environment = "{{ config.caf_terraform.launchpad.caf_environment }}" caf_tfstate = "level4" caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" } From 6462c623bb69babd211232d3cf512e931f3e36e0 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 12:48:30 +0000 Subject: [PATCH 29/67] Patch role mapping --- templates/platform/level0/launchpad/role_mappings.tfvars.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 index 6456f0c7b..d2e5340aa 100644 --- a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 +++ b/templates/platform/level0/launchpad/role_mappings.tfvars.j2 @@ -45,11 +45,13 @@ role_mapping = { } {% endif %} } +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Reader" = { azuread_groups = { keys = ["caf_platform_contributors"] } } +{% endif %} } } {% endif %} From ffc0e8e1fec0c2a797dc3ce10f7ec1128fd3bd1a Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 13:17:05 +0000 Subject: [PATCH 30/67] Update reuse subscriptions --- .../platform/level1/eslz/subscription_id_overrides.tfvars.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 index 39efa0e57..1d0d43eca 100644 --- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 
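Review bot: The `level4` keyvault's `sku_name` now reads `keyvaults.level1.sku_name`, but this is the asvm (level2) template where the subscription's vaults are `level3`/`level4`; if no `level1` entry exists for that subscription the render fails on the undefined intermediate attribute before `default('standard')` is ever applied, and when one does exist level4's SKU is coupled to an unrelated vault. It should mirror the `level3` hunk above: `sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level4.sku_name | default('standard') }}"`.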
+++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 @@ -6,7 +6,7 @@ subscription_id_overrides = { root = [] {% endif %} {% else %} -{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if config.platform_core_setup.enterprise_scale.subscription_deployment_mode == 'single_reuse' %} root = [ "{{ config.caf_terraform.launchpad.subscription_id }}" ] From 27fe77e5330d4725bf46602d3996c96b1edbf9b9 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 13:55:22 +0000 Subject: [PATCH 31/67] Update asvm for logged_in_user --- .../__pycache__/merge_vars.cpython-39.pyc | Bin 4806 -> 4806 bytes .../level2/asvm/role_mappings.tfvars.j2 | 13 ++++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc index 149a2864e0f386995bd1a2c3652fd8482ff93ff1..983ff35eecb4b7d12b9a0ff50f47b873b073ffe0 100644 GIT binary patch delta 21 bcmX@6dQ6okk(ZZ?0SGQxFePo|*(C%3JJtnX delta 21 bcmX@6dQ6okk(ZZ?0SK<0dy%-2XO|EFMQ;Y) diff --git a/templates/platform/level2/asvm/role_mappings.tfvars.j2 b/templates/platform/level2/asvm/role_mappings.tfvars.j2 index bf465f538..8e5576d50 100644 --- a/templates/platform/level2/asvm/role_mappings.tfvars.j2 +++ b/templates/platform/level2/asvm/role_mappings.tfvars.j2 @@ -10,6 +10,7 @@ role_mapping = { resource_groups = { level3 = { "Reader" = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers 
@@ -22,10 +23,16 @@ role_mapping = { "caf_ac_landingzone_maintainers_prod" ] } +{% else %} + logged_in = { + keys = [ "user" ] + } +{% endif %} } } level4 = { "Reader" = { +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers @@ -38,10 +45,14 @@ role_mapping = { "caf_ac_landingzone_maintainers_prod" ] } +{% else %} + logged_in = { + keys = [ "user" ] + } +{% endif %} } } } -{% endif %} storage_accounts = { level3 = { From dc09cd08bfdf62cf9c49202dd7a0e581f7feb43e Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Tue, 8 Feb 2022 13:57:01 +0000 Subject: [PATCH 32/67] Update --- templates/platform/level2/asvm/role_mappings.tfvars.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/platform/level2/asvm/role_mappings.tfvars.j2 b/templates/platform/level2/asvm/role_mappings.tfvars.j2 index 8e5576d50..c5076acbf 100644 --- a/templates/platform/level2/asvm/role_mappings.tfvars.j2 +++ b/templates/platform/level2/asvm/role_mappings.tfvars.j2 @@ -6,7 +6,6 @@ role_mapping = { built_in_role_mapping = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} resource_groups = { level3 = { "Reader" = { From f951450f9202eb2557a6c65a25a2561ee16293fd Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Wed, 9 Feb 2022 01:56:01 +0000 Subject: [PATCH 33/67] Update asvm templates --- templates/applications/ansible.yaml | 6 +++--- templates/applications/level3/resources/ansible.yaml | 2 +- templates/applications/level3/resources/readme.md | 4 ++++ templates/applications/level3/subscription/readme.md | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/templates/applications/ansible.yaml b/templates/applications/ansible.yaml index c25bbbd50..306f4622a 100644 --- a/templates/applications/ansible.yaml +++ b/templates/applications/ansible.yaml 
@@ -59,9 +59,9 @@ state: directory - - name: "{{ level }} | Get platform details (requires '-e config_folder_platform=path to yamls' path to be set)" - include_tasks: "ansible-get-platform-details.yaml" - when: config_folder_platform is defined + # - name: "{{ level }} | Get platform details (requires '-e config_folder_platform=path to yamls' path to be set)" + # include_tasks: "ansible-get-platform-details.yaml" + # when: config_folder_platform is defined # # Level 3 diff --git a/templates/applications/level3/resources/ansible.yaml b/templates/applications/level3/resources/ansible.yaml index 5eb5ae7b2..a92cf1131 100644 --- a/templates/applications/level3/resources/ansible.yaml +++ b/templates/applications/level3/resources/ansible.yaml @@ -253,7 +253,7 @@ # Readme # - name: "[{{ level }}-{{ subscription_key }}] - resources - *.md" - when: subscription_tfstate_exists.rc == 0 + # when: subscription_tfstate_exists.rc == 0 ansible.builtin.template: src: "{{ item }}" dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" diff --git a/templates/applications/level3/resources/readme.md b/templates/applications/level3/resources/readme.md index 01f97b9cf..c5aa5b579 100644 --- a/templates/applications/level3/resources/readme.md +++ b/templates/applications/level3/resources/readme.md 
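Review bot: Commenting out `when: subscription_tfstate_exists.rc == 0` in level3/resources/ansible.yaml makes the readme templating run even when the subscription tfstate was not downloaded, while the readme template changed in the same commit still reads `asvm_subscriptions_details[asvm_folder].subscription_id` in its fallback branch; if that value is only populated from the tfstate, the likely failure is an undefined-variable error from the template task rather than a clear message. If the guard is meant to cover the new subscriptions.yaml path, it should be widened rather than disabled, e.g. `when: subscription_tfstate_exists.rc == 0 or subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id is defined`, and a `when:` that is genuinely no longer wanted should be deleted instead of left commented. The task's remaining `ansible.builtin.template` parameters continue past the hunk.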
@@ -17,7 +17,11 @@ rover \ -lz /tf/caf/landingzones/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +{% if subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id is defined %} + -target_subscription {{ subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id }} \ +{% else %} -target_subscription {{ asvm_subscriptions_details[asvm_folder].subscription_id }} \ +{% endif %} -tfstate {{ config.tfstates['asvm'][asvm_folder].resources.tfstate }} \ --workspace {{ config.tfstates['asvm'][asvm_folder].workspace }} \ -log-severity {{ config.gitops.rover_log_error }} \ diff --git a/templates/applications/level3/subscription/readme.md b/templates/applications/level3/subscription/readme.md index 8f1ad09ab..c05bcfc71 100644 --- a/templates/applications/level3/subscription/readme.md +++ b/templates/applications/level3/subscription/readme.md @@ -29,7 +29,7 @@ Note you need to logout and login as a caf_maintainer group member rover login -t {{ config.platform_identity.tenant_name }} rover ignite \ - --playbook /tf/caf/starter/templates/landingzones/ansible.yaml \ + --playbook /tf/caf/landingzones/templates/applications/ansible.yaml \ -e base_templates_folder={{ base_templates_folder }} \ -e resource_template_folder={{ resource_template_folder }} \ -e config_folder={{ config_folder }} \ From 8e02e528f03ed22c7aaadb28ad3a343b4a7bd0ee Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Thu, 10 Feb 2022 00:52:59 +0000 Subject: [PATCH 34/67] Add templates --- .../ansible-get-platform-details.yaml | 8 +- templates/applications/ansible.yaml | 9 +- .../{ => create_subscriptions}/README.md | 0 .../{ => create_subscriptions}/asvm.yaml | 0 .../connectivity_express_route_peerings.yaml | 0 .../connectivity_express_routes.yaml | 0 .../connectivity_virtual_hub.yaml | 0 .../connectivity_virtual_wan.yaml | 0 .../connectivity_vpn_gateway_connections.yaml | 0 .../connectivity_vpn_sites.yaml | 0 .../contoso.caf.platform.yaml | 0 .../connectivity_firewall_policies.yaml | 0 .../non_prod/connectivity_firewalls.yaml | 0 .../non_prod/connectivity_private_dns.yaml | 0 .../prod/connectivity_firewall_policies.yaml | 0 .../prod/connectivity_firewalls.yaml | 0 .../prod/connectivity_private_dns.yaml | 0 .../deployments/prod/identity_level2.yaml | 0 .../prod/identity_level2_aadds.yaml | 0 .../prod/identity_level2_adds.yaml | 0 ...chetype_config_overrides.caf.platform.yaml | 0 .../custom_landing_zones.caf.platform.yaml | 0 .../eslz/lib/policy_assignments/README.md | 0 .../policy_assignment_caf_aks_capability.json | 0 ...olicy_assignment_es_allowed_locations.json | 0 .../eslz/lib/policy_definitions/README.md | 0 .../eslz/lib/policy_set_definitions/README.md | 0 .../eslz/lib/readme.md | 0 .../eslz/lib/role_definitions/README.md | 0 .../role_definition_caf_vhub_peering.json | 0 .../{ => create_subscriptions}/identity.yaml | 0 .../{ => create_subscriptions}/launchpad.yaml | 0 .../launchpad_credentials.yaml | 0 .../management.yaml | 0 .../subscriptions.yaml | 0 .../{ => create_subscriptions}/tfstates.yaml | 0 .../platform/reuse_subscriptions/README.md | 37 ++ .../platform/reuse_subscriptions/asvm.yaml | 38 ++ .../contoso.caf.platform.yaml | 132 ++++++ .../connectivity_firewall_policies.yaml | 34 ++ .../non_prod/connectivity_firewalls.yaml | 78 ++++ .../non_prod/connectivity_private_dns.yaml | 189 ++++++++ .../non_prod/connectivity_virtual_hubs.yaml | 54 
+++ .../prod/connectivity_firewall_policies.yaml | 33 ++ .../prod/connectivity_firewalls.yaml | 78 ++++ .../prod/connectivity_private_dns.yaml | 191 ++++++++ .../prod/connectivity_virtual_hubs.yaml | 53 +++ .../prod/connectivity_virtual_wan.yaml | 29 ++ .../deployments/prod/identity_level2.yaml | 13 + ...chetype_config_overrides.caf.platform.yaml | 314 +++++++++++++ .../custom_landing_zones.caf.platform.yaml | 26 ++ .../eslz/lib/policy_assignments/README.md | 10 + .../policy_assignment_caf_aks_capability.json | 18 + ...olicy_assignment_es_allowed_locations.json | 18 + .../eslz/lib/policy_definitions/README.md | 10 + .../eslz/lib/policy_set_definitions/README.md | 10 + .../reuse_subscriptions/eslz/lib/readme.md | 2 + .../eslz/lib/role_definitions/README.md | 11 + .../role_definition_caf_vhub_peering.json | 27 ++ .../reuse_subscriptions/identity.yaml | 69 +++ .../reuse_subscriptions/launchpad.yaml | 40 ++ .../launchpad_credentials.yaml | 415 ++++++++++++++++++ .../reuse_subscriptions/management.yaml | 84 ++++ .../reuse_subscriptions/tfstates.yaml | 105 +++++ 64 files changed, 2129 insertions(+), 6 deletions(-) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/README.md (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/asvm.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/connectivity_express_route_peerings.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/connectivity_express_routes.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/connectivity_virtual_hub.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/connectivity_virtual_wan.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/connectivity_vpn_gateway_connections.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => 
create_subscriptions}/connectivity_vpn_sites.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/contoso.caf.platform.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/non_prod/connectivity_firewall_policies.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/non_prod/connectivity_firewalls.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/non_prod/connectivity_private_dns.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/prod/connectivity_firewall_policies.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/prod/connectivity_firewalls.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/prod/connectivity_private_dns.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/prod/identity_level2.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/prod/identity_level2_aadds.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/deployments/prod/identity_level2_adds.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/archetype_config_overrides.caf.platform.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/custom_landing_zones.caf.platform.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/policy_assignments/README.md (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json (100%) rename templates/enterprise-scale/contoso/platform/{ => 
create_subscriptions}/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/policy_definitions/README.md (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/policy_set_definitions/README.md (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/readme.md (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/role_definitions/README.md (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/identity.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/launchpad.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/launchpad_credentials.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/management.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/subscriptions.yaml (100%) rename templates/enterprise-scale/contoso/platform/{ => create_subscriptions}/tfstates.yaml (100%) create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml create mode 100644 
templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/custom_landing_zones.caf.platform.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md create mode 100644 
templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml create mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml diff --git a/templates/applications/ansible-get-platform-details.yaml b/templates/applications/ansible-get-platform-details.yaml index 0f24f413d..24efbc579 100644 --- a/templates/applications/ansible-get-platform-details.yaml +++ b/templates/applications/ansible-get-platform-details.yaml @@ -7,8 +7,9 @@ --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ --query "[?tags.caf_tfstate=='{{ config.tfstates["platform"].platform_subscriptions.level | default('level1') }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name -- debug: - msg: "{{ subscription_tfstate_file_name.stdout }}" +# - debug: +# when: lookup('file', '{{ config_folder_platform }}/subscriptions.yaml', errors='ignore') +# msg: "{{ subscription_tfstate_file_name.stdout }}" - name: "Download platform subscriptions tfstate details" register: platform_subscription_tfstate_exists 
@@ -21,7 +22,8 @@ --file "{{ job_cache_base_path }}/{{ config.tfstates["platform"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}" - name: "Get platform_subscriptions details" - when: platform_subscription_tfstate_exists.rc == 0 + when: + - platform_subscription_tfstate_exists.rc == 0 shell: "cat {{ job_cache_base_path }}/{{ config.tfstates[\"platform\"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}" register: platform_subscriptions diff --git a/templates/applications/ansible.yaml b/templates/applications/ansible.yaml index 306f4622a..549560c98 100644 --- a/templates/applications/ansible.yaml +++ b/templates/applications/ansible.yaml @@ -3,6 +3,7 @@ vars: base_templates_folder: "{{ base_templates_folder }}/asvm" resource_template_folder: "{{ base_templates_folder }}/resources" + subscriptions: "{{ lookup('file', '{{ config_folder }}/subscriptions.yaml') | from_yaml }}" level: level3 @@ -59,9 +60,11 @@ state: directory - # - name: "{{ level }} | Get platform details (requires '-e config_folder_platform=path to yamls' path to be set)" - # include_tasks: "ansible-get-platform-details.yaml" - # when: config_folder_platform is defined + - name: "{{ level }} | Get platform details (requires '-e config_folder_platform=path to yamls' path to be set)" + include_tasks: "ansible-get-platform-details.yaml" + when: + - config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'reuse_subscriptions' + - config_folder_platform is defined # # Level 3 diff --git a/templates/enterprise-scale/contoso/platform/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/README.md similarity index 100% rename from templates/enterprise-scale/contoso/platform/README.md rename to templates/enterprise-scale/contoso/platform/create_subscriptions/README.md 
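Review bot: The new `subscriptions` var nests `{{ config_folder }}` inside an expression that is already being templated; Ansible resolves this but warns about nested moustaches, and `lookup('file', config_folder ~ '/subscriptions.yaml') | from_yaml` is the unambiguous form. Unlike the `lookup('file', ..., errors='ignore')` left commented in ansible-get-platform-details.yaml, this lookup has no error handling, so a config folder without subscriptions.yaml aborts the play at variable evaluation with a generic lookup error; if absence is a legitimate case, `errors='ignore'` with a `| default({})` would degrade gracefully, otherwise a comment stating the file is mandatory for level3 would at least make the failure expected. The `vars:` block this sits in starts before the hunk.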
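Review bot: The re-enabled `when:` dereferences `config.platform_core_setup.enterprise_scale.subscription_deployment_mode` unconditionally, whereas the previous guard only tested `config_folder_platform is defined`; a platform config that lacks this key now fails the task with an undefined-variable error instead of including the platform-details tasks as before. Defaulting the value keeps the old behaviour for such configs: `- (config.platform_core_setup.enterprise_scale.subscription_deployment_mode | default('')) != 'reuse_subscriptions'`. The same field is compared with `'single_reuse'` in the eslz subscription_id_overrides template earlier in the series, so one canonical set of values should be documented where the key is introduced.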
diff --git a/templates/enterprise-scale/contoso/platform/asvm.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/asvm.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/asvm.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/asvm.yaml diff --git a/templates/enterprise-scale/contoso/platform/connectivity_express_route_peerings.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_route_peerings.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/connectivity_express_route_peerings.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_route_peerings.yaml diff --git a/templates/enterprise-scale/contoso/platform/connectivity_express_routes.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_routes.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/connectivity_express_routes.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_routes.yaml diff --git a/templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_hub.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_hub.yaml diff --git a/templates/enterprise-scale/contoso/platform/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_wan.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/connectivity_virtual_wan.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_wan.yaml 
diff --git a/templates/enterprise-scale/contoso/platform/connectivity_vpn_gateway_connections.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_gateway_connections.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/connectivity_vpn_gateway_connections.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_gateway_connections.yaml diff --git a/templates/enterprise-scale/contoso/platform/connectivity_vpn_sites.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_sites.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/connectivity_vpn_sites.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_sites.yaml diff --git a/templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/contoso.caf.platform.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/contoso.caf.platform.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewall_policies.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml 
diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewalls.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_firewalls.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewalls.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_private_dns.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/non_prod/connectivity_private_dns.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_private_dns.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewall_policies.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewall_policies.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewall_policies.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewalls.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_firewalls.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewalls.yaml 
diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_private_dns.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/prod/connectivity_private_dns.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_private_dns.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_aadds.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_aadds.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_aadds.yaml diff --git a/templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_adds.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/deployments/prod/identity_level2_adds.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_adds.yaml 
diff --git a/templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/archetype_config_overrides.caf.platform.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml diff --git a/templates/enterprise-scale/contoso/platform/eslz/custom_landing_zones.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/custom_landing_zones.caf.platform.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/custom_landing_zones.caf.platform.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/custom_landing_zones.caf.platform.yaml diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/policy_assignments/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/README.md similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/policy_assignments/README.md rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/README.md diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json 
diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/policy_definitions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_definitions/README.md similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/policy_definitions/README.md rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_definitions/README.md diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/policy_set_definitions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_set_definitions/README.md similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/policy_set_definitions/README.md rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_set_definitions/README.md diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/readme.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/readme.md similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/readme.md rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/readme.md 
diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/README.md similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/README.md rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/README.md diff --git a/templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json similarity index 100% rename from templates/enterprise-scale/contoso/platform/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json rename to templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json diff --git a/templates/enterprise-scale/contoso/platform/identity.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/identity.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/identity.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/identity.yaml diff --git a/templates/enterprise-scale/contoso/platform/launchpad.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/launchpad.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad.yaml 
diff --git a/templates/enterprise-scale/contoso/platform/launchpad_credentials.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad_credentials.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/launchpad_credentials.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad_credentials.yaml diff --git a/templates/enterprise-scale/contoso/platform/management.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/management.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/management.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/management.yaml diff --git a/templates/enterprise-scale/contoso/platform/subscriptions.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/subscriptions.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/subscriptions.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/subscriptions.yaml diff --git a/templates/enterprise-scale/contoso/platform/tfstates.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/tfstates.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/tfstates.yaml rename to templates/enterprise-scale/contoso/platform/create_subscriptions/tfstates.yaml diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md new file mode 100644 index 000000000..a2fb0beb8 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md 
@@ -0,0 +1,37 @@ +# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform + + +:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup) + + +For further executions or command, you can refer to the following sections + +## Commands + +### Clone the landingzone project (Terraform base code) +```bash +git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/landingzones +cd /tf/caf/landingzones +git pull +git checkout aci_network + +``` + +### Rover ignite the platform +Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps. +Rover ignite creates the tfvars and also the documentation. + +```bash +rover login -t tenantname -s + +rover ignite \ + --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ + -e base_templates_folder=/tf/caf/landingzones/templates/platform \ + -e resource_template_folder=/tf/caf/landingzones/templates/resources \ + -e config_folder=/tf/caf/definitions/platform + +``` + +### Next step + +Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created. diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml new file mode 100644 index 000000000..bdb1a5876 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml 
@@ -0,0 +1,38 @@ +gitops: + landingzones: aci_network + +subscriptions: + asvm: + resource_groups: + level3: + name: caf-level3 + tags: + level: level3 + level4: + name: caf-level4 + tags: + level: level4 + + storage_accounts: + level3: + name: l3 + resource_group_key: level3 + level4: + name: l4 + resource_group_key: level4 + + keyvaults: + level3: + name: l3 + resource_group_key: level3 + level4: + name: l4 + resource_group_key: level4 + + + # azuread_groups: + # caf_ac_landingzone_maintainers_non_prod: + # name: caf_ac_landingzone_maintainers_non_prod + + # caf_ac_landingzone_maintainers_prod: + # name: caf_ac_landingzone_maintainers_prod diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml new file mode 100644 index 000000000..c01e14308 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml 
@@ -0,0 +1,132 @@ +caf_terraform: + naming_convention: + # When set to false use the CAF provider to generate names aligned to CAF guidance + # true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace. + passthrough: false + inherit_tags: false + # set: define the prefix to add to all resource names + # unset: if passthrough is set to false, generate a random prefix + prefix: cont + # if passthrough is set to false, add random suffix to name, up to the random_lenght value. + random_length: 5 + launchpad: + caf_environment: + account_replication_type: GRS + regions: + region1: + # set the short form of the Azure region + name: southeastasia # Use the lower-case region's name, short version with no space + slug: sea + region2: + name: eastasia # Use the lower-case region's name, short version with no space + slug: ea + default_region_key: region1 + # Define the number of CAF levels to use. Recommeded is 3 for the platform. + number_of_levels: 3 + blob_versioning_enabled: true + container_delete_retention_policy: 7 + delete_retention_policy: 7 + # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. + subscription_id: + subscription_name: + tenant_id: + global_tags_propagated: yes + tags: + test: + date: + + billing_subscription_role_delegations: + # true: enable this deployment. The remaining attributes are required. + # false: disable this deployment. 
+ # azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform + # azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running: + # az ad signed-in-user show --query objectId -o tsv + # The remaining attributes are ignored: [billing_account_name, enrollment_account_name] + enable: false + # Azure Active Directory User (UPN) that is Account Owner in the EA portal + # if enable=false, set the upn of the user doing the manual deployment + azuread_user_ea_account_owner: + # see comments above to get the object_id + azuread_user_ea_account_owner_object_id: + # Only set the following two attributes when enable=true + billing_account_name: + enrollment_account_name: + +# cleanup_destination - recommended to clean and recreated a clean state from template. +configuration_folders: + platform: + # true: force the destination folder to be deleted and re-created before the files are created. + # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. + cleanup_destination: true + # base destination folder where rover ignite will store the tfvars files. No / at the end + destination_base_path: /tf/caf + # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end + destination_relative_path: configuration/contoso/platform + + +platform_core_setup: + enterprise_scale: + enable: true + management_group_name: + management_group_prefix: + deploy_core_landing_zones: true + enable_azure_subscription_vending_machine: true + clean_up_destination_folder: false + update_lib_folder: true + # resuse_subscriptions - do not create subscriptions through API automation. 
Requires the following subscription_id_overrides to be set with 4 subscriptions + subscription_deployment_mode: reuse_subscriptions + # Option only set if you've be given a delegated management group ID. + # Comment to deploy to deploy at the tenant root level + root_parent_id: lab + private_lib: + version_to_deploy: v1.1.1 + v0.1.x: + caf_landingzone_branch: "2107.1" + v0.3.3: + caf_landingzone_branch: "patch.5.4.4" + v1.1.1: + caf_landingzone_branch: "aci_network" + subscription_id_overrides: + connectivity: + - + management: + - # launchpad + - + identity: + - + +platform_management: + enable: true + +networking_topology: + deployment_option: virtual_wan + +platform_identity: + # Set the Azure Active Directory tenant name (primary domain name) + # has to be the default domain name (custom dns name or tenantname.onmicrosoft.com) + # check the AAD property + tenant_name: terraformdev.onmicrosoft.com + # only service_principal supported with rover ignite at the moment + azuread_identity_mode: logged_in_user + # UPNs you want to add in the caf_platform_maintainers Azure AD group + # Can use user or guest accounts + # Those users will have full permissions on platform. + # Once setup, you can remove them from here or add them from + # Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts. + caf_platform_maintainers: + - + caf_platform_contributors: + - + +notifications: + service_health_alerts: + emails: + support1: + name: + email_address: + security_center_email_contact: + +gitops: + caf_landingzone_branch: "aci_network" + deployment_mode: interactive + rover_log_error: ERROR diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml new file mode 100644 index 000000000..529eb6662 --- /dev/null 
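Review bot: Both `caf_landingzone_branch: "aci_network"` entries (under `private_lib.v1.1.1` and under `gitops`) pin the platform code to a mutable feature branch, so two runs of `rover ignite` can pull different Terraform and the deployment is not reproducible or auditable. The other entries in `private_lib` use release-style refs (`"2107.1"`, `"patch.5.4.4"`); the v1.1.1 entry should point at a tag or a commit SHA before this template is used outside a lab, e.g. `caf_landingzone_branch: "<release tag or commit sha>"`. Separately, the comment `# only service_principal supported with rover ignite at the moment` sits directly above `azuread_identity_mode: logged_in_user`, which contradicts it; either the comment or the value appears stale and the comment should state which modes are actually accepted.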
+++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml @@ -0,0 +1,34 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + non_prod: + landingzone: + key: + platform: + azurerm_firewall_policies: non_prod + global_settings_key: + platform: + azurerm_firewalls: non_prod + remote_tfstates: + platform: + azurerm_firewalls: non_prod + +subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-non-prod-firewall-policies + region_key: region1 + + azurerm_firewall_policies: + root: + name: "non-prod-root-policy" + region_key: region1 + resource_group: + key: firewall_policies + dns: + proxy_enabled: true + threat_intelligence_mode: "Alert" + diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml new file mode 100644 index 000000000..f2a165cdd --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml 
@@ -0,0 +1,78 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + non_prod: + landingzone: + key: + platform: + azurerm_firewalls: non_prod + global_settings_key: + platform: + virtual_hubs: non_prod + remote_tfstates: + platform: + virtual_hubs: non_prod + azurerm_firewall_policies: non_prod + + +subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-non-prod-firewall + region_key: region1 + + + virtual_networks: + vnet: + name: vnet-connectivity-non-prod-fw-plinks + resource_group_key: firewall_policies + region_key: region1 + address_space: + - 10.101.61.0/24 + specialsubnets: + AzureFirewallSubnet: + name: AzureFirewallSubnet + cidr: + - 10.101.61.0/26 + + public_ip_addresses: + fw_pip1: + name: pip-non-prod-fw-01 + resource_group_key: firewall_policies + sku: Standard + allocation_method: Static + ip_version: IPv4 + idle_timeout_in_minutes: 4 + + azurerm_firewalls: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + resource_group_key: firewall_policies + vnet_key: vnet + sku_tier: Standard + firewall_policy: + key: root + lz_key: connectivity_firewall_policies_non_prod + zones: + - 1 + - 2 + - 3 + public_ips: + ip1: + name: pip1 + public_ip_key: fw_pip1 + vnet_key: vnet + subnet_key: AzureFirewallSubnet + + + virtual_hub_connections: + vnet_to_hub: + name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod + virtual_hub: + lz_key: connectivity_virtual_hub_non_prod + key: non_prod + vnet: + vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml new file mode 100644 index 000000000..d1d3b4f22 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml 
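Review bot: The non-prod firewall VNet uses `address_space: - 10.101.61.0/24` and `AzureFirewallSubnet` `10.101.61.0/26`, which is byte-for-byte the same range as the prod firewall VNet in `deployments/prod/connectivity_firewalls.yaml`. Both VNets are connected to hubs that sit in the same `global_wan` virtual WAN (non-prod hub `10.201.51.0/24`, prod hub `10.101.51.0/24`), and overlapping spoke prefixes across hubs of one vWAN will break hub-to-hub routing between the two environments. Following the addressing pattern the non-prod hub already uses, this VNet presumably belongs in `10.201.x`, e.g. `- 10.201.61.0/24` with the firewall subnet `- 10.201.61.0/26`; confirm against the organisation's IPAM before changing.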
@@ -0,0 +1,189 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + non_prod: + landingzone: + key: + platform: + private_dns: non_prod + global_settings_key: + platform: + virtual_hubs: non_prod + remote_tfstates: + platform: + virtual_hubs: non_prod + + +subscriptions: + connectivity: + resource_groups: + dns_connectivity_non_prod: + name: dns-connectivity-non-prod + private_dns: + privatelink.adf.azure.com: + name: privatelink.adf.azure.com + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.datafactory.azure.net: + name: privatelink.datafactory.azure.net + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.blob.core.windows.net: + name: privatelink.blob.core.windows.net + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.file.core.windows.net: + name: privatelink.file.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.notebooks.azure.net: + name: privatelink.notebooks.azure.net + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.dfs.core.windows.net: + name: privatelink.dfs.core.windows.net + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.vaultcore.azure.net: + name: privatelink.vaultcore.azure.net + 
resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.southeastasia.azmk8s.io: + name: privatelink.southeastasia.azmk8s.io + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.azurecr.io: + name: privatelink.azurecr.io + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.southeastasia.backup.windowsazure.com: + name: privatelink.southeastasia.backup.windowsazure.com + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.siterecovery.windowsazure.com: + name: privatelink.siterecovery.windowsazure.com + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.servicebus.windows.net: + name: privatelink.servicebus.windows.net + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.api.azureml.ms: + name: privatelink.api.azureml.ms + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.monitor.azure.com: + name: privatelink.monitor.azure.com + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + 
privatelink.oms.opinsights.non_prod.com: + name: privatelink.oms.opinsights.azure.com + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.ods.opinsights.azure.com: + name: privatelink.ods.opinsights.azure.com + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + privatelink.agentsvc.azure-automation.net: + name: privatelink.agentsvc.azure-automation.net + resource_group_key: dns_connectivity_non_prod + vnet_links: + fw_non_prod_plinks_01: + name: fw-non-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_non_prod + + custom_role_definitions: + landgingzone_extended: + name: landingzone-networking-non-prod-private-dns-extended + useprefix: true + description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." + permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write + + # role_mapping: + # custom_role_mapping: + # resource_groups: + # dns_connectivity_prod: + # landgingzone_extended: + # azuread_groups: + # lz_key: identity_level2 + # keys: + # - caf_non_prod_landingzones_dns_contributors + # built_in_role_mapping: + # resource_groups: + # dns_connectivity_non_prod: + # Private DNS Zone Contributor: + # azuread_groups: + # lz_key: identity_level2 + # keys: + # - caf_non_prod_landingzones_dns_contributors 
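Review bot: The `privatelink.file.core.windows.net` zone in this non-prod file references `resource_group_key: dns_connectivity_prod`, but the only resource group declared in this file is `dns_connectivity_non_prod`, so that one zone will either fail to resolve its resource group or be placed outside the non-prod DNS group; it should read `resource_group_key: dns_connectivity_non_prod` like the other zones. The map key `privatelink.oms.opinsights.non_prod.com` also does not match its `name: privatelink.oms.opinsights.azure.com`; the key is only a configuration handle, but renaming it to `privatelink.oms.opinsights.azure.com` keeps it consistent with every other entry and with the prod file. The `custom_role_definitions` block defines the least-privilege `join`/`privateDnsZoneGroups` role but the `role_mapping` that would assign it is commented out, which is worth a one-line comment so operators know the role exists without any assignment.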
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml new file mode 100644 index 000000000..2159b3fca --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml @@ -0,0 +1,54 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + non_prod: + landingzone: + key: + platform: + virtual_hubs: non_prod + global_settings_key: + platform: + virtual_wans: prod + remote_tfstates: + platform: + virtual_wans: prod + + custom_variables: + virtual_hub_lz_key: connectivity_virtual_hub_non_prod + # ddos_protection_plan_id: + +subscriptions: + connectivity: + virtual_hubs: + non_prod: + name: non_production + virtual_wan: + lz_key: virtual_wan + key: global_wan + region_key: region1 + hub_address_prefix: 10.201.51.0/24 + deploy_s2s: false + s2s_config: + name: non_prod + scale_unit: 1 + deploy_er: false + er_config: + name: non_prod + scale_units: 1 + + + express_route_connections: + non_prod: + enable_er_connections: true + name: er-1-non_prod + virtual_hub: + key: non_prod + circuit_peering: + tfstate_key: non_prod + key: private_peering + express_route_circuit_authorization: + tfstate_key: non_prod + key: vhub-non_prod + diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml new file mode 100644 index 000000000..aba52746b --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml 
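Review bot: `express_route_connections.non_prod` sets `enable_er_connections: true` while the hub itself has `deploy_er: false`, and its `circuit_peering.tfstate_key: non_prod` / `express_route_circuit_authorization.tfstate_key: non_prod` point at a remote tfstate that is not listed under `remote_tfstates` (only `virtual_wans: prod` is). Unless the template wires that state in elsewhere, this will fail at plan time or silently create a connection against a hub with no ExpressRoute gateway; the prod file keeps this disabled, so for consistency set `enable_er_connections: false` here until the ER gateway and the circuit landing zone are actually deployed.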
@@ -0,0 +1,33 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + prod: + landingzone: + key: + platform: + azurerm_firewall_policies: prod + global_settings_key: + platform: + azurerm_firewalls: prod + remote_tfstates: + platform: + azurerm_firewalls: prod + +subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-prod-firewall-policies + region_key: region1 + + azurerm_firewall_policies: + root: + name: "prod-root-policy" + region_key: region1 + resource_group: + key: firewall_policies + dns: + proxy_enabled: true + threat_intelligence_mode: "Alert" diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml new file mode 100644 index 000000000..601b2972a --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml 
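Review bot: The prod root firewall policy sets `threat_intelligence_mode: "Alert"`, which only logs traffic matching Microsoft's threat-intelligence feed and lets it through. For a production policy the blocking mode is the expected baseline, i.e. `threat_intelligence_mode: "Deny"`, with `Alert` reserved for the non-prod policy where rules are still being tuned. If the template intentionally starts in Alert to avoid blocking during bring-up, a comment saying so and when to switch would prevent it being left that way.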
@@ -0,0 +1,78 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + prod: + landingzone: + key: + platform: + azurerm_firewalls: prod + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + virtual_hubs: prod + azurerm_firewall_policies: prod + + +subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-prod-firewall + region_key: region1 + + + virtual_networks: + vnet: + name: vnet-connectivity-prod-fw-plinks + resource_group_key: firewall_policies + region_key: region1 + address_space: + - 10.101.61.0/24 + specialsubnets: + AzureFirewallSubnet: + name: AzureFirewallSubnet + cidr: + - 10.101.61.0/26 + + public_ip_addresses: + fw_pip1: + name: pip-prod-fw-01 + resource_group_key: firewall_policies + sku: Standard + allocation_method: Static + ip_version: IPv4 + idle_timeout_in_minutes: 4 + + azurerm_firewalls: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + resource_group_key: firewall_policies + vnet_key: vnet + sku_tier: Standard + firewall_policy: + key: root + lz_key: connectivity_firewall_policies_prod + zones: + - 1 + - 2 + - 3 + public_ips: + ip1: + name: pip1 + public_ip_key: fw_pip1 + vnet_key: vnet + subnet_key: AzureFirewallSubnet + + + virtual_hub_connections: + vnet_to_hub: + name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml new file mode 100644 index 000000000..c58281dd4 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml 
@@ -0,0 +1,191 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + prod: + landingzone: + key: + platform: + private_dns: prod + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + virtual_hubs: prod + +subscriptions: + connectivity: + + # role_mapping: + # custom_role_mapping: + # resource_groups: + # dns_connectivity_prod: + # landgingzone_extended: + # azuread_groups: + # lz_key: identity_level2 + # keys: + # - caf_prod_landingzones_dns_contributors + # built_in_role_mapping: + # resource_groups: + # dns_connectivity_prod: + # Private DNS Zone Contributor: + # azuread_groups: + # lz_key: identity_level2 + # keys: + # - caf_prod_landingzones_dns_contributors + + resource_groups: + dns_connectivity_prod: + name: dns-connectivity-prod + private_dns: + privatelink.adf.azure.com: + name: privatelink.adf.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.datafactory.azure.net: + name: privatelink.datafactory.azure.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.blob.core.windows.net: + name: privatelink.blob.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.file.core.windows.net: + name: privatelink.file.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.notebooks.azure.net: + name: privatelink.notebooks.azure.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + 
privatelink.dfs.core.windows.net: + name: privatelink.dfs.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.vaultcore.azure.net: + name: privatelink.vaultcore.azure.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.southeastasia.azmk8s.io: + name: privatelink.southeastasia.azmk8s.io + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.azurecr.io: + name: privatelink.azurecr.io + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.southeastasia.backup.windowsazure.com: + name: privatelink.southeastasia.backup.windowsazure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.siterecovery.windowsazure.com: + name: privatelink.siterecovery.windowsazure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.servicebus.windows.net: + name: privatelink.servicebus.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.api.azureml.ms: + name: privatelink.api.azureml.ms + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.monitor.azure.com: + name: privatelink.monitor.azure.com + 
resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.oms.opinsights.azure.com: + name: privatelink.oms.opinsights.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.ods.opinsights.azure.com: + name: privatelink.ods.opinsights.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.agentsvc.azure-automation.net: + name: privatelink.agentsvc.azure-automation.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + + custom_role_definitions: + landgingzone_extended: + name: landingzone-networking-private-dns-extended + useprefix: true + description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." + permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write + + diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml new file mode 100644 index 000000000..61c6aa203 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml 
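Review bot: The prod custom role is named `landingzone-networking-private-dns-extended`, whereas the non-prod counterpart is `landingzone-networking-non-prod-private-dns-extended`, so the environment token is missing from the prod name and the two do not read as a pair in the role listing; suggest `name: landingzone-networking-prod-private-dns-extended`. The description also has a typo, `activies`, which should be `activities`. As in the non-prod file, the `role_mapping` that would bind this role to `caf_prod_landingzones_dns_contributors` is commented out, so the definition is created but never assigned; a short comment explaining that the assignment is deferred (and to what) would help whoever picks this template up.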
@@ -0,0 +1,53 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + prod: + landingzone: + key: + platform: + virtual_hubs: prod + global_settings_key: + platform: + virtual_wans: prod + remote_tfstates: + platform: + virtual_wans: prod + + custom_variables: + virtual_hub_lz_key: connectivity_virtual_hub_prod + # ddos_protection_plan_id: + +subscriptions: + connectivity: + virtual_hubs: + prod: + name: Production + virtual_wan: + lz_key: virtual_wan + key: global_wan + region_key: region1 + hub_address_prefix: 10.101.51.0/24 + deploy_s2s: false + s2s_config: + name: prod + scale_unit: 1 + deploy_er: false + er_config: + name: prod + scale_units: 1 + + express_route_connections: + prod: + enable_er_connections: false + name: erc-er-1-prod + virtual_hub: + key: prod + circuit_peering: + tfstate_key: prod + key: private_peering + express_route_circuit_authorization: + tfstate_key: prod + key: vhub-prod + diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml new file mode 100644 index 000000000..3d51a61ab --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml @@ -0,0 +1,29 @@ +gitops: + landingzones: aci_network + +deployments: + connectivity: + prod: + landingzone: + key: + platform: + virtual_wans: prod + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: + +subscriptions: + connectivity: + virtual_wans: + global_wan: + name: vwan + resource_group_key: global_wan + region_key: region1 + + resource_groups: + global_wan: + name: connectivity-global-wan + region_key: region1 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml new file mode 100644 index 000000000..f9177405d --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml @@ -0,0 +1,13 @@ +gitops: + landingzones: aci_network + +deployments: + identity: + +subscriptions: + identity: + azuread_groups: + caf_non_prod_landingzones_dns_contributors: + name: caf ac non_prod landingzones dns contributors + caf_prod_landingzones_dns_contributors: + name: caf ac prod landingzones dns contributors \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml new file mode 100644 index 000000000..678d0df5a --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml 
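Review bot: The two Azure AD groups declared here, `caf_non_prod_landingzones_dns_contributors` and `caf_prod_landingzones_dns_contributors`, are only referenced from the `role_mapping` blocks in the two `connectivity_private_dns.yaml` files, and both of those blocks are commented out, so after this change the groups exist with no RBAC assignment. That is harmless but easy to miss; either uncomment the mappings in the same change or add a comment above `azuread_groups:` such as `# Assigned to the private DNS custom role once role_mapping is enabled in connectivity_private_dns.yaml`. The `deployments: identity:` key is also left empty, which is presumably intentional for a level2 identity deployment but would benefit from a one-line comment.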
@@ -0,0 +1,314 @@ +archetype_definitions: + root: + archetype_id: root + policy_assignments: + Allowed-Locations: + listOfAllowedLocations: + - southeastasia # Use the lower-case region's name, short version with no space + - eastasia + Deny-RSG-Locations: + listOfAllowedLocations: + - southeastasia + - eastasia + # Set to Audit as Terraform cannot combine both in one operation yet. + Deny-Subnet-Without-Nsg: + effect: Audit + # Set to Audit as Terraform cannot combine both in one operation yet. + Deny-Subnet-Without-Udr: + effect: Audit + # More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 + # Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled... + Deploy-ASC-Monitoring: + aadAuthenticationInSqlServerMonitoringEffect: Disabled + diskEncryptionMonitoringEffect: Disabled + encryptionOfAutomationAccountMonitoringEffect: Disabled + identityDesignateLessThanOwnersMonitoringEffect: Disabled + identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled + identityEnableMFAForWritePermissionsMonitoringEffect: Disabled + identityRemoveDeprecatedAccountMonitoringEffect: Disabled + identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled + identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled + identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled + identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled + jitNetworkAccessMonitoringEffect: Disabled + networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled + sqlDbEncryptionMonitoringEffect: Disabled + sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled + sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled + sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled + sqlServerAdvancedDataSecurityMonitoringEffect: Disabled + systemUpdatesMonitoringEffect: Disabled 
+ useRbacRulesMonitoringEffect: Disabled + vmssSystemUpdatesMonitoringEffect: Disabled + windowsDefenderExploitGuardMonitoringEffect: Disabled + Deploy-ASCDF-Config: + emailSecurityContact: + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + enableAscForKubernetes: DeployIfNotExists + enableAscForSql: DeployIfNotExists + enableAscForSqlOnVm: DeployIfNotExists + enableAscForDns: DeployIfNotExists + enableAscForArm: DeployIfNotExists + enableAscForOssDb: DeployIfNotExists + enableAscForAppServices: DeployIfNotExists + enableAscForRegistries: DeployIfNotExists + enableAscForKeyVault: DeployIfNotExists + enableAscForStorage: DeployIfNotExists + enableAscForServers: DeployIfNotExists + Deploy-AzActivity-Log: + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-LX-Arc-Monitoring: + Deploy-Resource-Diag: + profileName: eslz-diagnostic-log + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-WS-Arc-Monitoring: + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-VM-Monitoring: + logAnalytics_1: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-VMSS-Monitoring: + logAnalytics_1: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + policy_definitions: + Append-AppService-httpsonly: + Append-AppService-latestTLS: + Append-KV-SoftDelete: + Append-Redis-disableNonSslPort: + Append-Redis-sslEnforcement: + Audit-MachineLearning-PrivateEndpointId: + Deny-AA-child-resources: + Deny-AppGW-Without-WAF: + Deny-AppServiceApiApp-http: + Deny-AppServiceFunctionApp-http: + 
Deny-AppServiceWebApp-http: + Deny-Databricks-NoPublicIp: + Deny-Databricks-Sku: + Deny-Databricks-VirtualNetwork: + Deny-MachineLearning-Aks: + Deny-MachineLearning-Compute-SubnetId: + Deny-MachineLearning-Compute-VmSize: + Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess: + Deny-MachineLearning-ComputeCluster-Scale: + Deny-MachineLearning-HbiWorkspace: + Deny-MachineLearning-PublicAccessWhenBehindVnet: + Deny-MachineLearning-PublicNetworkAccess: + Deny-MySql-http: + Deny-PostgreSql-http: + Deny-Private-DNS-Zones: + Deny-PublicEndpoint-MariaDB: + Deny-PublicIP: + Deny-RDP-From-Internet: + Deny-Redis-http: + Deny-Sql-minTLS: + Deny-SqlMi-minTLS: + Deny-Storage-minTLS: + Deny-Subnet-Without-Nsg: + Deny-Subnet-Without-Udr: + Deny-VNET-Peer-Cross-Sub: + Deny-VNet-Peering: + Deploy-ASC-SecurityContacts: + Deploy-Budget: + Deploy-Custom-Route-Table: + Deploy-DDoSProtection: + Deploy-Diagnostics-AA: + Deploy-Diagnostics-ACI: + Deploy-Diagnostics-ACR: + Deploy-Diagnostics-AnalysisService: + Deploy-Diagnostics-ApiForFHIR: + Deploy-Diagnostics-APIMgmt: + Deploy-Diagnostics-ApplicationGateway: + Deploy-Diagnostics-CDNEndpoints: + Deploy-Diagnostics-CognitiveServices: + Deploy-Diagnostics-CosmosDB: + Deploy-Diagnostics-Databricks: + Deploy-Diagnostics-DataExplorerCluster: + Deploy-Diagnostics-DataFactory: + Deploy-Diagnostics-DLAnalytics: + Deploy-Diagnostics-EventGridSub: + Deploy-Diagnostics-EventGridSystemTopic: + Deploy-Diagnostics-EventGridTopic: + Deploy-Diagnostics-ExpressRoute: + Deploy-Diagnostics-Firewall: + Deploy-Diagnostics-FrontDoor: + Deploy-Diagnostics-Function: + Deploy-Diagnostics-HDInsight: + Deploy-Diagnostics-iotHub: + Deploy-Diagnostics-LoadBalancer: + Deploy-Diagnostics-LogicAppsISE: + Deploy-Diagnostics-MariaDB: + Deploy-Diagnostics-MediaService: + Deploy-Diagnostics-MlWorkspace: + Deploy-Diagnostics-MySQL: + Deploy-Diagnostics-NetworkSecurityGroups: + Deploy-Diagnostics-NIC: + Deploy-Diagnostics-PostgreSQL: + 
Deploy-Diagnostics-PowerBIEmbedded: + Deploy-Diagnostics-RedisCache: + Deploy-Diagnostics-Relay: + Deploy-Diagnostics-SignalR: + Deploy-Diagnostics-SQLElasticPools: + Deploy-Diagnostics-SQLMI: + Deploy-Diagnostics-TimeSeriesInsights: + Deploy-Diagnostics-TrafficManager: + Deploy-Diagnostics-VirtualNetwork: + Deploy-Diagnostics-VM: + Deploy-Diagnostics-VMSS: + Deploy-Diagnostics-VNetGW: + Deploy-Diagnostics-WebServerFarm: + Deploy-Diagnostics-Website: + Deploy-Diagnostics-WVDAppGroup: + Deploy-Diagnostics-WVDHostPools: + Deploy-Diagnostics-WVDWorkspace: + Deploy-FirewallPolicy: + Deploy-MySQL-sslEnforcement: + Deploy-Nsg-FlowLogs-to-LA: + Deploy-Nsg-FlowLogs: + Deploy-PostgreSQL-sslEnforcement: + Deploy-Sql-AuditingSettings: + Deploy-SQL-minTLS: + Deploy-Sql-SecurityAlertPolicies: + Deploy-Sql-Tde: + Deploy-Sql-vulnerabilityAssessments: + Deploy-SqlMi-minTLS: + Deploy-Storage-sslEnforcement: + Deploy-Windows-DomainJoin: + policy_set_definitions: + Deny-PublicPaaSEndpoints: + Deploy-ASCDF-Config: + Deploy-Diagnostics-LogAnalytics: + Deploy-Sql-Security: + Enforce-Encryption-CMK: + Enforce-EncryptTransit: + remediation: + policy: + policy_set_definitions: + # policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766 + # /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag + Deploy-Diagnostics-LogAnalytics: + - ExpressRouteDeployDiagnosticLogDeployLogAnalytics + - FirewallDeployDiagnosticLogDeployLogAnalytics + - KeyVaultDeployDiagnosticLogDeployLogAnalytics + - LoadBalancerDeployDiagnosticLogDeployLogAnalytics + - NetworkNICDeployDiagnosticLogDeployLogAnalytics + - NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics + - NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics + - 
RecoveryVaultDeployDiagnosticLogDeployLogAnalytics + - storageaccountdeploydiagnosticlogdeployloganalytics + - VirtualNetworkDeployDiagnosticLogDeployLogAnalytics + - VNetGWDeployDiagnosticLogDeployLogAnalytics + Deploy-ASCDF-Config: + - defenderForOssDb + - defenderForVM + - defenderForSqlServerVirtualMachines + - defenderForAppServices + - defenderForStorageAccounts + - defenderForKubernetesService + - defenderForContainerRegistry + - defenderForKeyVaults + - defenderForDns + - defenderForArm + - defenderForSqlPaas + - securityEmailContact + - ascExport + landing-zones: + archetype_id: landing-zones + policy_assignments: + Deny-IP-Forwarding: + Deny-Priv-Containers-AKS: + Deny-Priv-Escalation-AKS: + Deny-RDP-From-Internet: + Deny-Storage-http: + Deploy-AKS-Policy: + Deploy-SQL-DB-Auditing: + Deploy-SQL-Threat: + Enable-DDoS-VNET: + Enforce-AKS-HTTPS: + Enforce-TLS-SSL: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - subscription_creation_landingzones + connectivity: + archetype_id: platform_connectivity + policy_assignments: + Enable-DDoS-VNET: + role_definitions: + CAF-network-vhub-peering: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - connectivity + # Make sure you replace with the Management Group ID in UPPER CASE + '[-CONNECTIVITY] CAF-network-vhub-peering': + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - subscription_creation_landingzones + - identity + - management + management: + archetype_id: platform_management + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - management + identity: + archetype_id: platform_identity + policy_assignments: + Deny-RDP-From-Internet: + Deny-Public-IP: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + 
resource_keys: + - identity + decommissioned: + archetype_id: platform_decommissioned + platform: + archetype_id: platform + sandboxes: + archetype_id: platform_sandboxes \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/custom_landing_zones.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/custom_landing_zones.caf.platform.yaml new file mode 100644 index 000000000..6ae8db0c4 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/custom_landing_zones.caf.platform.yaml @@ -0,0 +1,26 @@ +archetype_definitions: + corp: + display_name: Corp + archetype_id: landingzone_corp + parent_management_group_id: landing-zones + subscription_ids: + online: + display_name: Online + archetype_id: landingzone_online + parent_management_group_id: landing-zones + subscription_ids: + corp-prod: + display_name: Production + archetype_id: landingzone_prod + parent_management_group_id: corp + subscription_ids: + corp-non-prod: + display_name: Non Production + archetype_id: landingzone_non_prod + parent_management_group_id: corp + subscription_ids: + online-web: + display_name: Non Production + archetype_id: landingzone_online_web + parent_management_group_id: online + subscription_ids: \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md new file mode 100644 index 000000000..def2a5a6d --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md 
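Review bot: The `Deploy-ASC-Monitoring` override at the top of the hunk sets every listed Azure Security Benchmark parameter to `Disabled` — including `identityEnableMFAForWritePermissionsMonitoringEffect`, `identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect`, `jitNetworkAccessMonitoringEffect` and `diskEncryptionMonitoringEffect` — which switches those assessments off entirely; the comment above only says the values differ from the initiative's, not why each control is turned off. If the goal is visibility without enforcement, `AuditIfNotExists` keeps the findings in Defender for Cloud; otherwise add a reason per disabled control, e.g. `# Disabled: identity checks are enforced via Conditional Access — TODO confirm`. Separately, `Deploy-ASCDF-Config.emailSecurityContact:` is left empty while `securityEmailContact` is listed under `remediation` further down, so that remediation presumably has nothing to set; fill it with a monitored distribution list or drop it from the remediation list.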
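Review bot: In `custom_landing_zones.caf.platform.yaml`, `online-web` is given `display_name: Non Production`, which looks copied from `corp-non-prod` and will label the Online web management group as non-production in the portal; `display_name: Online Web` (or whatever the intended name is) is the likely fix. The `subscription_ids:` entries are intentionally empty for a template, but a one-line comment such as `# subscription_ids: [] — fill in when adopting existing subscriptions` would make that explicit for readers of this reuse_subscriptions variant.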
@@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy assignments + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json new file mode 100644 index 000000000..789acde60 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json 
@@ -0,0 +1,18 @@ +{ + "name": "aks-capability", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)", + "displayName": "Kubernetes cluster containers should only use allowed capabilities.", + "notScopes": [], + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", + "scope": "${current_scope_resource_id}", + "enforcementMode": true + }, + "location": "${default_location}", + "identity": { + "type": "None" + } +} \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json new file mode 100644 index 000000000..bce0689ad --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json 
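Review bot: `"parameters": {}` means the `effect`, `allowedCapabilities` and `requiredDropCapabilities` of built-in `c26596ff-4d70-4e6a-9a30-c2506bd2f80c` are inherited from the definition's current defaults rather than pinned in this assignment; if that default effect is `audit` (true for the Kubernetes built-ins as I know them — confirm against the current definition) the assignment records findings and blocks nothing despite the "should only use allowed capabilities" wording. Pin it, e.g. `"parameters": { "effect": { "value": "deny" }, "allowedCapabilities": { "value": [] }, "requiredDropCapabilities": { "value": [] } }`, so a later change to the built-in's defaults cannot silently change enforcement. Also `"enforcementMode": true` differs from the sibling `Allowed-Locations` template's `null`; whichever form the module expects, keep the two consistent.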
@@ -0,0 +1,18 @@ +{ + "name": "Allowed-Locations", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "displayName": "Limit allowed locations for Resources", + "notScopes": [], + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "scope": "${current_scope_resource_id}", + "enforcementMode": null + }, + "location": "${default_location}", + "identity": { + "type": "None" + } +} \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md new file mode 100644 index 000000000..e47f922fd --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md @@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md new file mode 100644 index 000000000..c09d2c016 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md 
@@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy set definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md new file mode 100644 index 000000000..f3f823e56 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md @@ -0,0 +1,2 @@ +# Custom ESLZ library +In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance. \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md new file mode 100644 index 000000000..2230928aa --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md @@ -0,0 +1,11 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + + +# List of the default role defitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json new file mode 100644 index 000000000..19523d87b --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json @@ -0,0 +1,27 @@ +{ + "name": "48ec94a9-9a14-488d-928d-5e73f96b335c", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "CAF-network-vhub-peering", + "description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.", + "type": "customRole", + "permissions": [ + { + "actions": [ + "Microsoft.Network/ddosProtectionPlans/join/action", + "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*", + "Microsoft.Network/virtualHubs/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [ + ], + "dataActions": [], + "notDataActions": [] + } + ], + "assignableScopes": [ + "${current_scope_resource_id}" + ] + } +} \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml new file mode 100644 index 000000000..6285e6da3 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml 
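Review bot: `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*` grants write and delete on every connection in the hub, not just the caller's own spoke, and the archetype override assigns this role at the connectivity scope to the identity, management and subscription-creation groups, so a member of any of them could remove another spoke's hub connection. If the requirement is only to create and peer, list `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read` and `.../write` and grant `delete` through a separate, more tightly held role. The `description` should also say that `ddosProtectionPlans/join/action` exists for the `Deploy-DDoSProtection`/`Enable-DDoS-VNET` policy remediation, since that is the only reason it belongs in a peering role.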
@@ -0,0 +1,69 @@ +subscriptions: + identity: + resource_groups: + management: + name: management + alerts: + name: alerts + + service_health_alerts: + enable_service_health_alerts: true + name: alerts + shortname: HealthAlerts + resource_group_key: alerts + action_group_name: actiongrp + email_alert_settings: + support1: + name: email_alert_support1 + email_address: lalesle@microsoft.com + use_common_alert_schema: false + + recovery_vaults: + asr: + name: asr + resource_group_key: management + soft_delete_enabled: true + backup_policies: + vms: + default: + name: vm-default-policy + # Default to UTC + # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + retention_weekly: + count: 2 + weekdays: + - Sunday + retention_monthly: + count: 2 + weeks: + - First + weekdays: + - Sunday + retention_yearly: + count: 1 + weeks: + - First + months: + - January + weekdays: + - Sunday + + +# Bring here you existing active directory security groups. +# Those are the groups you will inject to RBAC in the Enterprise Scale deployment. +# Note Terraform will create a new Azure AD group and add the existing as a member +# +# level1: +# azuread_groups: +# network_ops_team: +# name: netops +# members: +# # Set the list of the existing groups +# objects_ids: +# - existing_azure_ad_group_object_id diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml new file mode 100644 index 000000000..2dcd971f2 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml 
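Review bot: `email_address: lalesle@microsoft.com` under `service_health_alerts.email_alert_settings.support1` is an individual's mailbox in a reusable template; service-health alerts routed to one person stop arriving when that account is disabled, and the address is now committed to a public repository. Replace it with a placeholder or a team distribution list, e.g. `email_address: ops-alerts@example.com  # replace with your operations distribution list`.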
@@ -0,0 +1,40 @@ +subscriptions: + launchpad: + resource_groups: + level0: + name: caf-level0 + tags: + level: level0 + level1: + name: caf-level1 + tags: + level: level1 + level2: + name: caf-level2 + tags: + level: level2 + + storage_accounts: + level0: + name: l0 + resource_group_key: level0 + level1: + name: l1 + resource_group_key: level1 + level2: + name: l2 + resource_group_key: level2 + + keyvaults: + level0: + name: l0 + sku_name: premium + resource_group_key: level0 + level1: + name: l1 + sku_name: premium + resource_group_key: level1 + level2: + name: l2 + sku_name: premium + resource_group_key: level2 diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml new file mode 100644 index 000000000..7d843436b --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml 
@@ -0,0 +1,415 @@ +subscriptions: + launchpad_credentials: + resource_groups: + sp_credentials: + name: credentials + + keyvaults: + cred_ea_account_owner: + name: eaowner + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + cred_level0: + name: idl0 + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + level0: + lz_key: launchpad + azuread_group_key: level0 + secret_permissions: + - Get + cred_identity: + name: id + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + cred_management: + name: mg + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - 
List + - Delete + - Purge + - Recover + management_azuread_group: + lz_key: launchpad + azuread_group_key: management + secret_permissions: + - Get + cred_eslz: + name: es + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + eslz_azuread_group: + lz_key: launchpad + azuread_group_key: eslz + secret_permissions: + - Get + cred_connectivity: + name: co + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + connectivity_azuread_group: + lz_key: launchpad + azuread_group_key: connectivity + secret_permissions: + - Get + cred_subscription_creation_platform: + name: scp + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + subscription_creation_platform_azuread_group: + lz_key: launchpad + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + cred_subscription_creation_landingzones: + name: scl + resource_group_key: sp_credentials + 
purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + subscription_creation_platform_azuread_group: + lz_key: launchpad + azuread_group_key: subscription_creation_landingzones + secret_permissions: + - Get + cred_gitops: + name: gitops + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + cred_ea_account_owner: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_level0: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_identity: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_management: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_eslz: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_connectivity: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_subscription_creation_platform: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_subscription_creation_landingzones: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_gitops: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + + + azuread_applications: + gitops: + 
application_name: app-azure-platform-credentials-for-gitops + + azuread_service_principals: + gitops: + azuread_application: + key: gitops + + azuread_credentials: + gitops: + type: password + azuread_credential_policy_key: gitops + azuread_application: + key: gitops + keyvaults: + cred_gitops: + secret_prefix: sp + level0: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: level0 + keyvaults: + cred_level0: + secret_prefix: sp + identity: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: identity + keyvaults: + cred_identity: + secret_prefix: sp + management: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: management + keyvaults: + cred_management: + secret_prefix: sp + eslz: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: eslz + keyvaults: + cred_eslz: + secret_prefix: sp + connectivity: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: connectivity + keyvaults: + cred_connectivity: + secret_prefix: sp + subscription_creation_platform: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: subscription_creation_platform + keyvaults: + cred_subscription_creation_platform: + secret_prefix: sp + subscription_creation_landingzones: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: subscription_creation_landingzones + keyvaults: + cred_subscription_creation_landingzones: + secret_prefix: sp + + azuread_credential_policies: + gitops: + length: 250 + special: false + upper: true + number: true + expire_in_days: 360 + rotation_key0: + days: 181 + rotation_key1: + days: 300 + default_policy: + length: 250 + special: false + 
upper: true + number: true + expire_in_days: 65 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml new file mode 100644 index 000000000..1ff5c8e52 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml 
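Review bot: Every credential vault in the hunk (`cred_ea_account_owner`, `cred_level0`, `cred_identity`, `cred_management`, `cred_eslz`, `cred_connectivity`, the two `cred_subscription_creation_*` vaults and `cred_gitops`) sets `purge_protection_enabled: false`, and both `caf_platform_maintainers` and `identity_azuread_group` are granted `Purge`; these vaults hold the service-principal secrets for the whole platform, including the EA account owner, so a compromised or mistaken member of either group can delete and immediately purge them, bypassing soft-delete recovery. Set `purge_protection_enabled: true` on the credential vaults (it is irreversible, which is the point for production; keep `false` only in throwaway lab configs and say so in a comment) and drop `Purge` from the day-to-day policies. Minor: the policy under `cred_subscription_creation_landingzones` is keyed `subscription_creation_platform_azuread_group` but points at `azuread_group_key: subscription_creation_landingzones`; rename the key to `subscription_creation_landingzones_azuread_group` so the two match.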
@@ -0,0 +1,84 @@ +subscriptions: + management: + resource_groups: + management: + name: management + alerts: + name: alerts + + diagnostic_log_analytics: + # if you change this key you also need to change it in the ESLZ deployment + # eslz/archetype_config_overrides.caf.platform.yaml + # eslz/custom_landing_zones.caf.platform.yaml + region1: + name: logre1 + resource_group_key: management + + monitor_action_groups: + networking_operations: + action_group_name: Networking Operations + resource_group_key: alerts + shortname: netops + arm_role_alert: + contributors: + name: Monitoring Contributor + role_name: Monitoring Contributor + use_common_alert_schema: false + email_receiver: + noc: + name: email_alert_support1 + email_address: arnaul@microsoft.com + use_common_alert_schema: false + + service_health_alerts: + enable_service_health_alerts: true + name: alerts + shortname: HealthAlerts + resource_group_key: alerts + action_group_name: actiongrp + email_alert_settings: + support1: + name: email_alert_support1 + email_address: arnaul@microsoft.com + use_common_alert_schema: false + + automation_accounts: + account1: + name: automationAccount1 + resource_group_key: management + + recovery_vaults: + asr: + name: asr + resource_group_key: management + soft_delete_enabled: true + backup_policies: + vms: + default: + name: vm-default-policy + # Default to UTC + # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + retention_weekly: + count: 2 + weekdays: + - Sunday + retention_monthly: + count: 2 + weeks: + - First + weekdays: + - Sunday + retention_yearly: + count: 1 + weeks: + - First + months: + - January + weekdays: + - Sunday 
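Review bot: The comment `# Default to UTC` above `timezone: "SE Asia Standard Time"` in the `vms.default` backup policy contradicts the value it annotates, so a reader skimming the policy will assume the `23:00` backup window is UTC when it actually runs in UTC+7. Either set the value to `"UTC"` or reword the comment, e.g. `# Timezone for the backup window; Azure defaults to UTC, this sample overrides it`. Separately, the `noc` and `support1` email receivers carry a real individual mailbox (`arnaul@microsoft.com`) in a contoso sample; alert routing in a template is better expressed with an obviously fictitious address such as `netops@contoso.example` so copies of the sample do not page a person.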
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml new file mode 100644 index 000000000..a9ecd6e97 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml 
@@ -0,0 +1,105 @@ +tfstates: + platform: + ### Level0 ### + launchpad: + lz_key_name: launchpad + tfstate: caf_launchpad.tfstate + workspace: tfstate + base_config_path: launchpad + level: level0 + launchpad_credentials: + lz_key_name: launchpad_credentials_rotation + tfstate: launchpad_credentials_rotation.tfstate + base_config_path: credentials + level: level0 + + ### Level1 ### + management: + lz_key_name: management + tfstate: management.tfstate + base_config_path: management + level: level1 + identity: + lz_key_name: identity + tfstate: identity.tfstate + base_config_path: identity + level: level1 + eslz: + lz_key_name: eslz + tfstate: eslz.tfstate + base_config_path: eslz + level: level1 + + ## Level2 ## + identity_level2: + prod: + lz_key_name: identity_level2 + tfstate: identity_level2.tfstate + level: level2 + non_prod: + lz_key_name: identity_level2 + tfstate: identity_level2.tfstate + level: level2 + + identity_level2_aadds: + prod: + lz_key_name: identity_level2_aadds + tfstate: identity_level2_aadds.tfstate + level: level2 + + virtual_wans: + prod: + lz_key_name: connectivity_virtual_wan + tfstate: connectivity_virtual_wan.tfstate + base_config_path: connectivity/virtual_wan + level: level2 + + virtual_hubs: + prod: + lz_key_name: connectivity_virtual_hub_prod + tfstate: connectivity_virtual_hub_prod.tfstate + workspace: tfstate + base_config_path: connectivity/virtual_hub + level: level2 + non_prod: + lz_key_name: connectivity_virtual_hub_non_prod + tfstate: connectivity_virtual_hub_non_prod.tfstate + workspace: tfstate + base_config_path: connectivity/virtual_hub + level: level2 + + azurerm_firewalls: + prod: + lz_key_name: connectivity_firewalls_prod + tfstate: connectivity_firewalls_prod.tfstate + level: level2 + non_prod: + lz_key_name: connectivity_firewalls_non_prod + tfstate: connectivity_firewalls_non_prod.tfstate + level: level2 + + azurerm_firewall_policies: + prod: + lz_key_name: connectivity_firewall_policies_prod + tfstate: 
connectivity_firewall_policies_prod.tfstate + level: level2 + non_prod: + lz_key_name: connectivity_firewall_policies_non_prod + tfstate: connectivity_firewall_policies_non_prod.tfstate + level: level2 + + private_dns: + prod: + lz_key_name: connectivity_private_dns_prod + tfstate: connectivity_private_dns_prod.tfstate + level: level2 + non_prod: + lz_key_name: connectivity_private_dns_non_prod + tfstate: connectivity_private_dns_non_prod.tfstate + level: level2 + + + asvm: + lz_key_name: asvm + tfstate: asvm_subscription_vending_machine.tfstate + level: level2 From 321fcf0a1ad837467affd1a2da000551044a2171 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Fri, 11 Feb 2022 02:31:23 +0000 Subject: [PATCH 35/67] Add alias to launchpad existing subscription --- .../__pycache__/merge_vars.cpython-39.pyc | Bin 4806 -> 4806 bytes .../subscriptions/subscriptions.tfvars.j2 | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc index 983ff35eecb4b7d12b9a0ff50f47b873b073ffe0..234152fea485aa659350e63eef21fecc16f60d7a 100644 GIT binary patch delta 20 acmX@6dQ6o&k(ZZ?0SL Date: Fri, 11 Feb 2022 15:27:08 +0800 Subject: [PATCH 36/67] Update parent_root_id --- caf_solution/add-ons/caf_eslz/variables.tf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf index f67f92de1..701bced5a 100644 --- a/caf_solution/add-ons/caf_eslz/variables.tf +++ b/caf_solution/add-ons/caf_eslz/variables.tf 
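Review bot: Under `identity_level2`, both `prod` and `non_prod` declare the same `lz_key_name: identity_level2` and `tfstate: identity_level2.tfstate`, with no distinguishing `workspace`, so the two environments would resolve to one remote state and remote-state lookups keyed by lz_key_name cannot tell them apart. Every other prod/non_prod pair in this file (`virtual_hubs`, `azurerm_firewalls`, `azurerm_firewall_policies`, `private_dns`) uses `_prod`/`_non_prod` suffixes; `identity_level2` should follow the same pattern, e.g. `lz_key_name: identity_level2_non_prod` and `tfstate: identity_level2_non_prod.tfstate`. How lz_key_name is consumed is inferred from the other entries rather than shown here, so confirm against the ansible templates that read tfstates.yaml.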
@@ -89,11 +89,6 @@ variable "root_parent_id" { type = string description = "If specified, will deploy the Enterprise scale bellow the root_parent_id." default = null - - validation { - condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id)) - error_message = "The root_parent_id value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens." - } } variable "deploy_core_landing_zones" { @@ -244,4 +239,4 @@ variable "reconcile_vending_subscriptions" { type = bool default = false description = "Will reconcile the subrisciptions created outside of enterprise scale to prevent them to be revoved by the execution of this module." -} \ No newline at end of file +} From a21b7cb0a1fb72cd0bb05eba0c9566f7a76726b6 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 11 Feb 2022 10:28:26 +0000 Subject: [PATCH 37/67] Update README and precommit --- .pre-commit-config.yaml | 9 +++++++-- README.md | 39 ++++++++++----------------------------- 2 files changed, 17 insertions(+), 31 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5b8d832d2..5c8e56012 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ # See http://pre-commit.com/hooks.html for more hooks repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.62.3 + rev: v1.64.0 hooks: - id: terraform_fmt - id: terraform_docs @@ -14,8 +14,13 @@ repos: hooks: - id: check-merge-conflict - id: trailing-whitespace - # - id: check-yaml + # - id: check-yaml + - id: detect-private-key - id: check-added-large-files + # - repo: git://github.com/ansible-community/ansible-lint + # rev: v5.3.2 + # hooks: + # - id: ansible-lint # - repo: git://github.com/markdownlint/markdownlint # rev: v0.9.0 # hooks: diff --git a/README.md b/README.md index 6de6611e9..1a5a0ef31 100644 --- a/README.md +++ b/README.md 
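Review bot: Dropping the `validation` block removes all input checking on `root_parent_id` rather than fixing the condition that made it unusable: with `default = null`, `regex()` errors on a null string, so `can(...)` returns false and the default itself failed validation, which is presumably what motivated this change. A null-tolerant condition keeps the guard for callers that do set a value, `condition = var.root_parent_id == null || can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id))`, with the existing `error_message` left as it was. The variable's declaration starts above the hunk.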
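Review bot: The newly added (commented-out) `ansible-lint` entry repeats the `git://github.com/...` form used by the other `repo:` lines; the git protocol is unauthenticated and unencrypted, gives no integrity guarantee for hook code that pre-commit later executes, and GitHub has announced it is ending support for it, so the new entry (and, when convenient, the existing ones) should read `repo: https://github.com/ansible-community/ansible-lint`. Adding `detect-private-key` is a sound addition for a repository of templates. `check-yaml` stays disabled, so malformed YAML in the sample configurations is only caught when Ansible loads it; if the Jinja-templated files are what trips it (not visible here), scoping the hook with an `exclude:` pattern would keep it on for plain `.yaml` files.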
@@ -6,46 +6,27 @@ Microsoft [Cloud Adoption Framework for Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/overview) provides you with guidance and best practices to adopt Azure. -A landing zone is a segment of a cloud environment, that has been pre-provisioned through code, and is dedicated to the support of one or more workloads. Landing zones provide access to foundational tools and controls to establish a compliant place to innovate and build new workloads in the cloud, or to migrate existing workloads to the cloud. Landing zones use defined sets of cloud services and best practices to set you up for success. +CAF Terraform landing zones team mission statement is to: -We leverage Azure enterprise-scale landing zones and propose a Terraform-native structure, set of mechanisms and artifacts to get started to deploy workloads fast. +* Equip the Site Reliability Engineering teams for Terraform on Azure. +* Democratize an IaC: Infrastructure-as-Configuration. +* Commoditize state management and enterprise-wide composition. +* Standardize deployments using Azure enterprise-scale landing zones. +* Implement Azure enterprise-scale design and approach with native Terraform and DevOps. +* Propose a prescriptive guidance on how to enable DevOps for infrastructure as code on Microsoft Azure. +* Foster a community of Azure *Terraformers* using a common set of practices and sharing best practices. You can review the different components parts of the Cloud Adoption Framework for Azure Terraform landing zones and look at the quick intro :vhs: below: [![caf_elements](./_pictures/caf_elements.png)](https://www.youtube.com/watch?v=FlQ17u4NNts "CAF Introduction") -## Goals - -Cloud Adoption Framework for Azure Terraform landing zones is an Open Source project equiping the Site Reliability Engineer on Azure with: - -* Enable the community with a set of reusable landing artifacts. -* Standardize deployments using battlefield-proven components. 
-* Accelerate the setup of complex environments on Azure. -* Implement Azure enterprise-scale design and approach with native Terraform and DevOps. -* Propose a prescriptive guidance on how to enable DevOps for infrastructure as code on Microsoft Azure. -* Foster a community of Azure *Terraformers* using a common set of practices and sharing best practices. - ## :rocket: Getting started When starting an enterprise deployment, we recommend you start creating a configuration repository where you craft the configuration files for your environments. -The best way to start is to clone the [starter repository](https://github.com/Azure/caf-terraform-landingzones-starter) and getting started with the configuration files, you can find a quick [onboarding video here](https://www.youtube.com/watch?v=M5BXm30IpdY) - -## Documentation - -The documentation on this repo is on how to develop, deploy and operate with landing zones can be found in the reference section [here](./documentation/README.md) - -## Repositories - -In CAF Terraform landing zones, we use multiple projects in a modular way so you can leverage all of them or some of them depending on where you are in your DevOps and GitOps journey. The main repositories are listed below, feel free to evaluate, use them and contribute to them also! +The best way to start is to clone the [platform starter repository](https://github.com/Azure/caf-terraform-landingzones-platform-starter) and getting started with the configuration files. If you are reading this, you are probably interested also in reading the doc as below: -| Repo | Description | -|---------------------------------------------------------------------------------------------------|------------------------------------------------------------| -| [starter kit](https://github.com/azure/caf-terraform-landingzones-starter) | landing zones configuration repository | -| [caf-terraform-landingzones](https://github.com/azure/caf-terraform-landingzones) (You are here!) 
| landing zones repo with sample and core documentations | -| [rover](https://github.com/aztfmod/rover) | devops toolset for operating landing zones | -| [azure_caf_provider](https://github.com/aztfmod/terraform-provider-azurecaf) | custom provider for naming conventions | -| [module](https://github.com/aztfmod/terraform-azurerm-caf) | CAF universal module available in the Terraform registry | +:books: Read our [centralized documentation page](https://aka.ms/caf/terraform) ## Community From e93289b134e62d786468a34012affe124ad41d16 Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Mon, 14 Feb 2022 11:45:34 +0000 Subject: [PATCH 38/67] Update templates --- caf_solution/local.networking.tf | 9 +- .../orion-landingzone/tfstates.asvm.yaml | 29 --- .../orion-landingzone/config.asvm.yaml | 0 .../orion-landingzone/deployments.yaml | 16 +- .../orion-landingzone/readme.md | 0 .../orion-landingzone/resources.asvm.yaml | 28 +- .../orion-landingzone/subscriptions.asvm.yaml | 8 +- .../asvm/orion-landingzone/tfstates.asvm.yaml | 29 +++ templates/platform/ansible.yaml | 243 +++--------------- templates/platform/generic/readme.md | 27 ++ .../platform/level0/credentials/readme.md | 4 +- .../platform/level0/launchpad/ansible.yaml | 242 ----------------- .../level0/launchpad/ansible.yaml.old | 242 +++++++++++++++++ .../azuread_api_permissions.tfvars.j2 | 60 ----- ....j2 => azuread_applications.tfvars.j2.old} | 0 .../launchpad/azuread_group_members.tfvars.j2 | 6 +- .../level0/launchpad/azuread_groups.tfvars.j2 | 4 + .../level0/launchpad/azuread_roles.tfvars.j2 | 28 -- .../launchpad/dynamic_secrets.tfvars.j2 | 67 ----- ...ars.j2 => keyvault_policies.tfvars.j2.old} | 0 .../level0/launchpad/keyvaults.tfvars.j2 | 6 +- ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 templates/platform/level0/launchpad/readme.md | 9 +- ....tfvars.j2 => role_mappings.tfvars.j2.OLD} | 0 ...rs.j2 => service_principals.tfvars.j2.old} | 0 .../launchpad/storage_accounts.tfvars.j2 | 90 ------- templates/platform/level1/eslz/ansible.yaml | 51 ++-- .../level1/eslz/enterprise_scale.tfvars.j2 | 2 +- ...ration.tfvars.j2 => landingzone.tfvars.j2} | 0 .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 2 +- templates/platform/level1/eslz/readme.md | 2 +- .../eslz/subscription_id_overrides.tfvars.j2 | 16 +- .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 templates/platform/level1/identity/readme.md | 2 +- .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 
.../platform/level1/management/readme.md | 2 +- .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 .../platform/level1/subscriptions/readme.md | 2 +- ...yment.yaml => ansible_deployment.yaml.old} | 0 ...l => ansible_resource_deployment.yaml.old} | 0 ...pe.yaml => ansible_resource_type.yaml.old} | 0 templates/platform/level2/asvm/ansible.yaml | 129 +++++----- ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 templates/platform/level2/asvm/readme.md | 2 +- ...vars.j2 => storage_accounts.tfvars.j2.old} | 0 .../{ansible.yaml => ansible.yaml.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 ...ne.tfvars.j2 => landingzone.tfvars.j2.old} | 0 .../connectivity/vpn_site/vpn_sites.tfvars.j2 | 36 --- .../{ansible.yaml => ansible.yaml.old} | 0 templates/platform/process_deployments.yaml | 21 ++ templates/platform/process_foundations.yaml | 10 + templates/platform/process_resources.yaml | 30 +++ templates/platform/process_stages.yaml | 33 +++ .../process_subscription_resources.yaml | 76 ++++++ templates/platform/process_tfstate.yaml | 22 ++ .../azuread_api_permissions.tfvars.j2 | 32 +++ templates/resources/azuread_roles.tfvars.j2 | 15 ++ .../dynamic_keyvault_secrets.tfvars.j2 | 15 +- .../dynamic_keyvault_secrets.tfvars.j2.old | 12 + templates/resources/landingzone.tfvars.j2 | 56 ++-- .../resources/storage_accounts.tfvars.j2 | 110 ++++++++ .../vpn_gateway_connections.tfvars.j2} | 16 +- templates/resources/vpn_sites.tfvars.j2 | 38 +++ 68 files changed, 948 insertions(+), 931 deletions(-) delete mode 100644 templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/config.asvm.yaml (100%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/deployments.yaml (82%) rename templates/enterprise-scale/contoso/{application => 
asvm}/orion-landingzone/readme.md (100%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/resources.asvm.yaml (98%) rename templates/enterprise-scale/contoso/{application => asvm}/orion-landingzone/subscriptions.asvm.yaml (53%) create mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml create mode 100644 templates/platform/generic/readme.md delete mode 100644 templates/platform/level0/launchpad/ansible.yaml create mode 100644 templates/platform/level0/launchpad/ansible.yaml.old delete mode 100644 templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 rename templates/platform/level0/launchpad/{azuread_applications.tfvars.j2 => azuread_applications.tfvars.j2.old} (100%) delete mode 100644 templates/platform/level0/launchpad/azuread_roles.tfvars.j2 delete mode 100644 templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 rename templates/platform/level0/launchpad/{keyvault_policies.tfvars.j2 => keyvault_policies.tfvars.j2.old} (100%) rename templates/platform/level0/launchpad/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level0/launchpad/{role_mappings.tfvars.j2 => role_mappings.tfvars.j2.OLD} (100%) rename templates/platform/level0/launchpad/{service_principals.tfvars.j2 => service_principals.tfvars.j2.old} (100%) delete mode 100644 templates/platform/level0/launchpad/storage_accounts.tfvars.j2 rename templates/platform/level1/eslz/{configuration.tfvars.j2 => landingzone.tfvars.j2} (100%) rename templates/platform/level1/identity/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level1/identity/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level1/management/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level1/management/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level1/subscriptions/{ansible.yaml => 
ansible.yaml.old} (100%) rename templates/platform/level1/subscriptions/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/{ansible_deployment.yaml => ansible_deployment.yaml.old} (100%) rename templates/platform/level2/{ansible_resource_deployment.yaml => ansible_resource_deployment.yaml.old} (100%) rename templates/platform/level2/{ansible_resource_type.yaml => ansible_resource_type.yaml.old} (100%) rename templates/platform/level2/asvm/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/asvm/{storage_accounts.tfvars.j2 => storage_accounts.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/{ansible.yaml => ansible.yaml.old} (100%) rename templates/platform/level2/connectivity/azurerm_firewall_policies/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/azurerm_firewalls/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) rename templates/platform/level2/connectivity/vpn_site/{landingzone.tfvars.j2 => landingzone.tfvars.j2.old} (100%) delete mode 100644 templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 rename templates/platform/level2/identity/{ansible.yaml => ansible.yaml.old} (100%) create mode 100644 templates/platform/process_deployments.yaml create mode 100644 templates/platform/process_foundations.yaml create mode 100644 templates/platform/process_resources.yaml create mode 100644 templates/platform/process_stages.yaml create mode 100644 templates/platform/process_subscription_resources.yaml create mode 100644 templates/platform/process_tfstate.yaml create mode 100644 templates/resources/azuread_api_permissions.tfvars.j2 create mode 100644 templates/resources/azuread_roles.tfvars.j2 create mode 100644 templates/resources/dynamic_keyvault_secrets.tfvars.j2.old create mode 100644 templates/resources/storage_accounts.tfvars.j2 rename 
templates/{platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2 => resources/vpn_gateway_connections.tfvars.j2} (60%)
create mode 100644 templates/resources/vpn_sites.tfvars.j2
diff --git a/caf_solution/local.networking.tf b/caf_solution/local.networking.tf
index c27380a3f..f0bfeed6a 100644
--- a/caf_solution/local.networking.tf
+++ b/caf_solution/local.networking.tf
@@ -2,9 +2,9 @@ locals {
 networking = merge(
 var.networking,
 {
- application_gateway_platforms = var.application_gateway_platforms
- application_gateway_applications_v1 = var.application_gateway_applications_v1
 application_gateway_applications = var.application_gateway_applications
+ application_gateway_applications_v1 = var.application_gateway_applications_v1
+ application_gateway_platforms = var.application_gateway_platforms
 application_gateway_waf_policies = var.application_gateway_waf_policies
 application_gateways = var.application_gateways
 application_security_groups = var.application_security_groups
@@ -15,8 +15,8 @@ locals {
 azurerm_firewall_policy_rule_collection_groups = var.azurerm_firewall_policy_rule_collection_groups
 azurerm_firewalls = var.azurerm_firewalls
 azurerm_routes = var.azurerm_routes
- cdn_profiles = var.cdn_profiles
 cdn_endpoints = var.cdn_endpoints
+ cdn_profiles = var.cdn_profiles
 ddos_services = var.ddos_services
 dns_zone_records = var.dns_zone_records
 dns_zones = var.dns_zones
@@ -46,10 +46,11 @@ locals {
 virtual_hubs = var.virtual_hubs
 virtual_network_gateway_connections = var.virtual_network_gateway_connections
 virtual_network_gateways = var.virtual_network_gateways
+ virtual_subnets = var.virtual_subnets
 virtual_wans = var.virtual_wans
 vnet_peerings = var.vnet_peerings
 vnets = var.vnets
- virtual_subnets = var.virtual_subnets
+ vpn_gateway_connections = var.vpn_gateway_connections
 vpn_sites = var.vpn_sites
 }
 )
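Review bot: The new `vpn_gateway_connections = var.vpn_gateway_connections` entry in the third hunk references a variable this commit does not declare: the diffstat lists `caf_solution/local.networking.tf` as the only file touched under `caf_solution/`, so unless a `variable "vpn_gateway_connections"` block already exists in a variables file there (not visible here), `terraform validate` will fail with an undeclared-variable error. If it is missing, add `variable "vpn_gateway_connections" { default = {} }` next to the other networking variables. The remaining changes in these hunks only re-sort existing keys (`application_gateway_*`, `cdn_*`, `virtual_subnets`) alphabetically. In the same commit, the parked templates mix `.old` and `.OLD` suffixes (`role_mappings.tfvars.j2.OLD` versus the rest), which is worth normalizing so a glob can exclude them consistently.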
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml b/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml deleted file mode 100644 index 54e176178..000000000 --- a/templates/enterprise-scale/contoso/application/orion-landingzone/tfstates.asvm.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# ### orion ### -tfstates: - asvm: - asvm_storage_containers: - subscriptions: - lz_key_name: it_dna_orion_storage_containers - tfstate: it_dna_orion_storage_containers.tfstate - workspace: tfstate - level: level3 - - it_dna_orion_dev: - subscriptions: - lz_key_name: it_dna_orion_dev_subscriptions - tfstate: it_dna_orion_dev_subscriptions.tfstate - resources: - lz_key_name: it_dna_orion_dev_resources - tfstate: it_dna_orion_dev_resources.tfstate - workspace: orion-dev - level: level3 - - it_dna_orion_prod: - subscriptions: - lz_key_name: it_dna_orion_prod_subscriptions - tfstate: it_dna_orion_prod_subscriptions.tfstate - resources: - lz_key_name: it_dna_orion_prod_resources - tfstate: it_dna_orion_prod_resources.tfstate - workspace: orion-prod - level: level3 diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/config.asvm.yaml similarity index 100% rename from templates/enterprise-scale/contoso/application/orion-landingzone/config.asvm.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/config.asvm.yaml diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml similarity index 82% rename from templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml index f22cebc46..7b83be426 100644 --- a/templates/enterprise-scale/contoso/application/orion-landingzone/deployments.yaml 
+++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml @@ -12,12 +12,12 @@ deployments: platform: asvm: - it_dna_orion_dev: + orion_dev: subscriptions: landingzone: key: asvm: - it_dna_orion_dev: subscriptions + orion_dev: subscriptions global_settings_key: asvm: asvm_storage_containers: subscriptions @@ -29,13 +29,13 @@ deployments: landingzone: key: asvm: - it_dna_orion_dev: resources + orion_dev: resources global_settings_key: platform: virtual_hubs: non_prod remote_tfstates: asvm: - it_dna_orion_dev: subscriptions + orion_dev: subscriptions asvm_storage_containers: subscriptions platform: virtual_hubs: non_prod @@ -44,12 +44,12 @@ deployments: asvm: azurerm_firewalls: non_prod - it_dna_orion_prod: + orion_prod: subscriptions: landingzone: key: asvm: - it_dna_orion_prod: subscriptions + orion_prod: subscriptions global_settings_key: asvm: asvm_storage_containers: subscriptions @@ -61,13 +61,13 @@ deployments: landingzone: key: asvm: - it_dna_orion_prod: resources + orion_prod: resources global_settings_key: platform: virtual_hubs: prod remote_tfstates: asvm: - it_dna_orion_prod: subscriptions + orion_prod: subscriptions asvm_storage_containers: subscriptions platform: virtual_hubs: prod diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/readme.md b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md similarity index 100% rename from templates/enterprise-scale/contoso/application/orion-landingzone/readme.md rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml similarity index 98% rename from templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml index c37374424..a75c16210 100644 
--- a/templates/enterprise-scale/contoso/application/orion-landingzone/resources.asvm.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml @@ -3,7 +3,7 @@ gitops: subscriptions: - it_dna_orion_dev: + orion_dev: resource_groups: rg: @@ -458,8 +458,8 @@ subscriptions: built_in_role_mapping: subscriptions: - it_dna_orion_dev: - lz_key: it_dna_orion_dev_subscriptions + orion_dev: + lz_key: orion_dev_subscriptions Contributor: azuread_service_principals: keys: @@ -486,21 +486,21 @@ subscriptions: keys: - sp_LZContributors storage_containers: - it_dna_orion_prod_level3: - lz_key: it_dna_orion_storage_containers + orion_prod_level3: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - it_dna_orion_dev_level4: - lz_key: it_dna_orion_storage_containers + orion_dev_level4: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - it_dna_orion_prod: + orion_prod: resource_groups: rg: @@ -972,8 +972,8 @@ subscriptions: built_in_role_mapping: subscriptions: - it_dna_orion_prod: - lz_key: it_dna_orion_prod_subscriptions + orion_prod: + lz_key: orion_prod_subscriptions Contributor: azuread_service_principals: keys: @@ -1000,14 +1000,14 @@ subscriptions: keys: - sp_LZContributors storage_containers: - it_dna_orion_prod_level3: - lz_key: it_dna_orion_storage_containers + orion_prod_level3: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - it_dna_orion_prod_level4: - lz_key: it_dna_orion_storage_containers + orion_prod_level4: + lz_key: orion_storage_containers Storage Blob Data Contributor: azuread_service_principals: keys: 
diff --git a/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml similarity index 53% rename from templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml rename to templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml index db45e7c58..8a7a49156 100644 --- a/templates/enterprise-scale/contoso/application/orion-landingzone/subscriptions.asvm.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml @@ -2,12 +2,12 @@ gitops: landingzones: aci_network subscriptions: - it_dna_orion_dev: - it_dna_orion_dev: + orion_dev: + orion_dev: name: orion-dev management_group_suffix: non-prod - it_dna_orion_prod: - it_dna_orion_prod: + orion_prod: + orion_prod: name: orion-prod management_group_suffix: prod \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml new file mode 100644 index 000000000..8a1f94f17 --- /dev/null +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml @@ -0,0 +1,29 @@ +# ### orion ### +tfstates: + asvm: + asvm_storage_containers: + subscriptions: + lz_key_name: orion_storage_containers + tfstate: orion_storage_containers.tfstate + workspace: tfstate + level: level3 + + orion_dev: + subscriptions: + lz_key_name: orion_dev_subscriptions + tfstate: orion_dev_subscriptions.tfstate + resources: + lz_key_name: orion_dev_resources + tfstate: orion_dev_resources.tfstate + workspace: orion-dev + level: level3 + + orion_prod: + subscriptions: + lz_key_name: orion_prod_subscriptions + tfstate: orion_prod_subscriptions.tfstate + resources: + lz_key_name: orion_prod_resources + tfstate: orion_prod_resources.tfstate + workspace: orion-prod + level: level3 
diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index a22d1b019..2f33594bd 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml 
@@ -1,211 +1,69 @@ -- name: CAF Terraform - Generate Azure Subscription Vending Machine (asvm) configuration files +- name: Process deployment based on bootstrap.yaml hosts: localhost - vars: - # connectivity_virtual_wan: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_wan.yaml') | from_yaml }}" - # connectivity_virtual_hub: "{{ lookup('file', '{{ config_folder }}/connectivity_virtual_hub.yaml') | from_yaml }}" - connectivity_firewall: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall.yaml', errors='ignore') | from_yaml }}" - connectivity_firewall_policies: "{{ lookup('file', '{{ config_folder }}/connectivity_firewall_policies.yaml', errors='ignore') | from_yaml }}" - connectivity_vpn_sites: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_sites.yaml', errors='ignore') | from_yaml }}" - connectivity_vpn_gateway_connections: "{{ lookup('file', '{{ config_folder }}/connectivity_vpn_gateway_connections.yaml', errors='ignore') | from_yaml }}" - connectivity_express_routes: "{{ lookup('file', '{{ config_folder }}/connectivity_express_routes.yaml', errors='ignore') | from_yaml }}" - connectivity_express_route_peerings: "{{ lookup('file', '{{ config_folder }}/connectivity_express_route_peerings.yaml', errors='ignore') | from_yaml }}" - identity: "{{ lookup('file', '{{ config_folder }}/identity.yaml') | from_yaml }}" - management: "{{ lookup('file', '{{ config_folder }}/management.yaml') | from_yaml }}" - subscriptions: "{{ lookup('file', '{{ config_folder }}/subscriptions.yaml') | from_yaml }}" - mg: "{{ lookup('file', '{{ config_folder }}/eslz/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" - mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/custom_landing_zones.caf.platform.yaml') | from_yaml }}" - tfstates: "{{ lookup('file', '{{ config_folder }}/tfstates.yaml') | from_yaml }}" - base_templates_folder: "{{ base_templates_folder }}" - boostrap_launchpad: boostrap_launchpad | default(false) - deploy_subscriptions: 
deploy_subscriptions | default(false) - tasks: + + - name: "load {{ config_folder }}/bootstrap.yaml" + include_vars: + name: bootstrap + dir: "{{ config_folder }}" + depth: 1 + ignore_unknown_extensions: true + files_matching: "bootstrap.yaml" - name: "Load variable for platform config" include_vars: name: config - dir: "{{config_folder_platform | default(config_folder)}}" + dir: "{{config_folder}}" depth: 1 ignore_unknown_extensions: true - files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml" + files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml|subscriptions.yaml" - - name: "Get latest cache folder" - set_fact: - job_cache_base_path: "/home/vscode/.terraform.cache" - destination_base: "{{ destination_base_path | default(config.configuration_folders.platform.destination_base_path) }}" - - - name: "Creates cache directory" - file: - path: "{{ job_cache_base_path }}/launchpad" - state: directory - - name: "Destination folder" - debug: - msg: "{{destination_base}}" + - name: "{{deployment}} - Set tfstate_object" + set_fact: + destination_base: '{{config.configuration_folders.platform.destination_base_path}}' - - name: "Content of config" - debug: - msg: "{{config}}" + - debug: + msg: + - "{{bootstrap}}" + - "{{config}}" + verbosity: 2 # -# Level 0 +# Generate the foundation services # -## launchpad - - - name: "[{{ level }}-{{ base_folder }}] launchpad" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" + - include_tasks: "process_foundations.yaml" + loop: "{{bootstrap.deployments.keys()}}" + when: boostrap is defined + loop_control: + loop_var: stage vars: - base_folder: "launchpad" - level: "level0" - subscription_key: launchpad - -## credentials - - name: "[{{ level }}-{{ base_folder }}] Setup credentials" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - config.platform_identity.azuread_identity_mode == "service_principal" - - launchpad_tfstate_exists.rc == 0 - vars: - base_folder: "credentials" - 
level: "level0" - subscription_key: launchpad_credentials - - - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - config.platform_identity.azuread_identity_mode == "logged_in_user" - - launchpad_tfstate_exists.rc == 0 - vars: - base_folder: "credentials" - level: "level0" - -## billing_subscription_role_delegations - - name: "[{{ level }}-{{ base_folder }}] Configure subscription role delegations" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: ((config.caf_terraform.billing_subscription_role_delegations is defined) and (config.platform_identity.azuread_identity_mode == "service_principal") and (launchpad_tfstate_exists.rc == 0) and (credentials_tfstate_exists is not skipped)) - vars: - base_folder: "billing_subscription_role_delegations" - level: "level0" - - - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - level0_billing_subscription_role_delegations is skipped - vars: - base_folder: "billing_subscription_role_delegations" - level: "level0" - + step: deployments # -# Level 1 +# Process the deployments folders # + - find: + paths: "{{config_folder}}/deployments" + recurse: yes + patterns: "*.yaml" + file_type: file + register: files_to_process -## subscriptions - - name: "{{ level }}-{{ base_folder }} | Create platform subscriptions" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "dedicated_new" and config.platform_identity.azuread_identity_mode != "logged_in_user" and launchpad_tfstate_exists is succeeded and credentials_tfstate_exists is succeeded) - vars: - base_folder: "subscriptions" - 
level: "level1" - - - name: "{{ level }}-{{ base_folder }} | Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - level1_subscriptions is skipped - vars: - base_folder: "subscriptions" - level: "level1" + - debug: + msg: + - "{{files_to_process}}" + verbosity: 2 -## management - - name: "{{ level }}-{{ base_folder }} | Management services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - (config.platform_management.enable | bool) - - ((level1_subscriptions is not skipped and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - ((platform_subscriptions_details is defined and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - vars: - base_folder: "management" - level: "level1" - subscription_key: management - -## identity - - name: "{{ level }}-{{ base_folder }} | Identity services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - launchpad_tfstate_exists is not skipped - - credentials_tfstate_exists is not skipped - - ((level1_subscriptions is not skipped and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - ((platform_subscriptions_details is defined and config.platform_identity.azuread_identity_mode != "logged_in_user") or config.platform_identity.azuread_identity_mode == "logged_in_user") - - identity.subscriptions is defined - - vars: - base_folder: "identity" - level: "level1" - subscription_key: identity - -## eslz - - name: "{{ level }}-{{ base_folder }} | Enterprise-scale services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - (config.platform_core_setup.enterprise_scale.enable | 
bool) - - ( (config.platform_core_setup.enterprise_scale.enable | bool) and level1_subscriptions is not skipped ) or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" or config.platform_identity.azuread_identity_mode == "logged_in_user" - - platform_subscriptions_details.identity is defined or config.platform_identity.azuread_identity_mode == "logged_in_user" or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" - - platform_subscriptions_details.management is defined or config.platform_identity.azuread_identity_mode == "logged_in_user" or config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse" - - vars: - base_folder: "eslz" - level: "level1" - -# -# Level 2 -# - -## asvm - - name: "{{ level }}-{{ base_folder }} | Azure Subscription Vending Machine (asvm)" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - - launchpad_azuread_groups is defined - - platform_subscriptions_details is defined or (config.platform_identity.azuread_identity_mode == "logged_in_user") - vars: - base_folder: "asvm" - level: "level2" - subscription_key: asvm - -## Connectivity - - name: "{{ level }}-{{ base_folder }} | Connectivity services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - ( (config.networking_topology.deployment_option == "virtual_wan") or (config.platform_identity.azuread_identity_mode == 'logged_in_user') ) - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") or (config.platform_identity.azuread_identity_mode == 'logged_in_user') - vars: - base_folder: "connectivity" - level: "level2" - -## identity - - name: "{{ level }}-{{ base_folder }} | Identity services" - import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml" - when: - - 
config.platform_core_setup.enterprise_scale.subscription_deployment_mode != "single_reuse" - - launchpad_tfstate_exists is not skipped - - credentials_tfstate_exists is not skipped - - level1_subscriptions is not skipped or (config.platform_identity.azuread_identity_mode == "logged_in_user") - - (platform_subscriptions_details is defined) or (config.platform_core_setup.enterprise_scale.subscription_deployment_mode == "single_reuse") - - vars: - base_folder: "identity" - level: "level2" + - name: Process deployments folder configuration files + include_tasks: "process_deployments.yaml" + loop: "{{files_to_process.files}}" + loop_control: + loop_var: file_to_process ## Platform readme @@ -223,20 +81,3 @@ shell: | terraform fmt -recursive {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }} - -# # -# # Pipelines -# # -# - name: Pipelines -# hosts: localhost -# vars: -# config: "{{ lookup('file', '{{ config_folder }}/platform.yaml') | from_yaml }}" -# connectivity: "{{ lookup('file', '{{ config_folder }}/connectivity.yaml') | from_yaml }}" -# cidr: "{{ lookup('file', '{{ config_folder }}/cidr.yaml') | from_yaml }}" -# tfstates: "{{ lookup('file', '{{ config_folder }}/tfstates.yaml') | from_yaml }}" -# base_templates_folder: /tf/caf/templates/platform -# base_folder: pipelines - -# tasks: -# - import_tasks: "{{ base_folder }}/platform.yaml" -# - debug: msg="You can now proceed to the next steps and execute the deployment. Refer to the readme in {{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/README.md" diff --git a/templates/platform/generic/readme.md b/templates/platform/generic/readme.md new file mode 100644 index 000000000..d0dd39cf6 --- /dev/null +++ b/templates/platform/generic/readme.md 
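Review bot: `when: boostrap is defined` on the `include_tasks: "process_foundations.yaml"` task tests a variable that is never set — the include_vars a few lines above registers the file under `name: bootstrap` — so the condition is always false, and since `loop: "{{bootstrap.deployments.keys()}}"` is expanded before `when` is evaluated the task either fails on an undefined `bootstrap` or skips every stage; change it to `when: bootstrap is defined`. The same spelling was already carried by the old `boostrap_launchpad` variable, so the included task files are worth checking for the misspelt name as well. The task named `"{{deployment}} - Set tfstate_object"` only sets `destination_base`, and `deployment` is not defined at play level in this hunk, so a literal name such as `Set destination_base` would read better. The removed `destination_base_path | default(...)` lookup drops the extra-var override of the output location; if that is intended it belongs in the commit description, otherwise `destination_base: '{{ destination_base_path | default(config.configuration_folders.platform.destination_base_path) }}'` keeps it. The second hunk of this file only deletes commented-out pipeline tasks.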
@@ -0,0 +1,27 @@ + +```bash +#Note: close previous session if you logged with a different service principal using --impersonate-sp-from-keyvault-url +rover logout + +# login a with a user member of the caf-maintainers group +rover login -t {{ config.platform_identity.tenant_name }} + +rover \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} + --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ +{% endif %} + -lz /tf/caf/landingzones/caf_solution \ + -var-folder {{ destination_path }} \ + -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +{% if config.subscriptions[resources.subscriptions.keys() | first ].subscription_id is defined %} + -target_subscription {{ config.subscriptions[resources.subscriptions.keys() | first ].subscription_id }} \ +{% endif %} + -tfstate {{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }} \ + -log-severity {{ config.gitops.rover_log_error }} \ + -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }}.tfplan \ + -a plan + +``` + diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index 23353e464..e93e7d096 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md 
@@ -11,7 +11,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \ @@ -35,7 +35,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \ diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml deleted file mode 100644 index c21fa1145..000000000 --- a/templates/platform/level0/launchpad/ansible.yaml +++ /dev/null 
@@ -1,242 +0,0 @@ -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - -- name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "launchpad.yaml|level0.yaml|configuration.caf.platform.yaml" - -- debug: - msg: "{{resources}}" - -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool - -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory - - -# -# container_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resources - container_groups" - when: - - resources.subscriptions[subscription_key].container_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/container_groups.tfvars.j2" - -# -# network_security_group_definition -# -- name: "[{{ level }}-{{ base_folder }}] - resources - network_security_group_definition" - when: - - resources.subscriptions[subscription_key].network_security_group_definition is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" - - -# -# resource_groups -# -- name: "[{{ level }}-{{ 
base_folder }}] - resources - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" - -# -# virtual_networks -# -- name: "[{{ level }}-{{ base_folder }}] - resources - virtual_networks" - when: - - resources.subscriptions[subscription_key].virtual_networks is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" - - -# -# network_profiles -# -- name: "[{{ level }}-{{ base_folder }}] - resources - network_profiles" - when: - - resources.subscriptions[subscription_key].network_profiles is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/network_profiles.tfvars.j2" - - -- name: "[{{ level }}-{{ base_folder }}] launchpad" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - force: yes - loop: - - dynamic_secrets - - global_settings - - keyvaults - - landingzone - - role_mappings - - storage_accounts - -- name: "[{{ level }}-{{ base_folder }}] Clean-up identity files" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - state: absent - when: config.platform_identity.azuread_identity_mode == "logged_in_user" - loop: - - azuread_api_permissions - - azuread_applications - - 
azuread_group_members - - azuread_groups - - azuread_roles - - keyvault_policies - - service_principals - -- name: "[{{ level }}-{{ base_folder }}] lauchpad - identity - service_principal" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - force: yes - when: config.platform_identity.azuread_identity_mode != 'logged_in_user' - loop: - - azuread_api_permissions - - azuread_applications - - azuread_group_members - - azuread_groups - - azuread_roles - - keyvault_policies - - service_principals - -- name: "[{{ level }}-{{ base_folder }}] Deploy the launchpad" - when: boostrap_launchpad | bool | default(false) - shell: | - /tf/rover/rover.sh \ - -lz /tf/caf/landingzones/caf_launchpad \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ - -launchpad \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -a apply - -- name: "[{{ level }}-{{ base_folder }}] Get tfstate account name" - register: launchpad_storage_account - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -- debug: - msg: "{{launchpad_storage_account}}" - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad tfstate details" - register: launchpad_tfstate_exists - 
ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates.platform.launchpad.tfstate }}" \ - --account-name "{{ launchpad_storage_account.stdout | default('') }}" \ - --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ - --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" - -- name: "[{{ level }}-{{ base_folder }}] Get subscription_creation_landingzones details" - when: - - launchpad_tfstate_exists.rc == 0 - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" - register: launchpad_tfstate - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad json data" - when: - - launchpad_tfstate_exists.rc == 0 - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - set_fact: - scljsondata: "{{ launchpad_tfstate.stdout | from_json }}" - -- name: "[{{ level }}-{{ base_folder }}] set launchpad_azuread_groups" - when: - - launchpad_tfstate_exists.rc == 0 - - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine - set_fact: - launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.launchpad.azuread_groups' - -- name: "[{{ level }}-{{ base_folder }}] Get credentials tfstate details" - register: credentials_tfstate_exists - ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \ - --account-name "{{ launchpad_storage_account.stdout }}" \ - --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ - --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad_credentials details" - 
when: credentials_tfstate_exists.rc == 0 - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - register: launchpad_credentials - -- name: "[{{ level }}-{{ base_folder }}] Get launchpad_credentials json data" - when: credentials_tfstate_exists.rc == 0 - set_fact: - credjsondata: "{{ launchpad_credentials.stdout | from_json }}" - -- name: "[{{ level }}-{{ base_folder }}] set keyvaults" - when: credentials_tfstate_exists.rc == 0 - set_fact: - keyvaults: "{{ credjsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults' - -- name: "[{{ level }}-{{ base_folder }}] cleanup" - when: credentials_tfstate_exists.rc == 0 - file: - path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - state: absent - -- name: "[{{ level }}-{{ base_folder }}] cleanup" - when: launchpad_tfstate_exists.rc == 0 - file: - path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" - state: absent - -# Update readme -- name: "[{{ level }}-{{ base_folder }}] launchpad - readme" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/readme.md" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md" - force: yes \ No newline at end of file diff --git a/templates/platform/level0/launchpad/ansible.yaml.old b/templates/platform/level0/launchpad/ansible.yaml.old new file mode 100644 index 000000000..3e58c3865 --- /dev/null +++ b/templates/platform/level0/launchpad/ansible.yaml.old 
@@ -0,0 +1,242 @@ +- name: "{{deployment}} - Set variables" + set_fact: + destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}" + +- debug: + msg: + - "{{tfstate_object}}" + - "{{resources}}" + +- name: "[{{resources.relative_destination_folder}}] Clean-up directory" + file: + path: "{{destination_path}}" + state: absent + when: config.configuration_folders.platform.cleanup_destination | bool + +- name: "[{{resources.relative_destination_folder}}] Creates directory" + file: + path: "{{destination_path}}" + state: directory + + +- name: "{{deployment}} - process subscription resources" + include_tasks: "process_subscription_resources.yaml" + loop: "{{resources.subscriptions.keys()}}" + loop_control: + loop_var: subscription_key + +# # +# # container_groups +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - container_groups" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].container_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/container_groups.tfvars.j2" + +# # +# # network_security_group_definition +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - network_security_group_definition" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].network_security_group_definition is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" + + +# # +# # resource_groups +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - resource_groups" +# when: +# - 
resources.subscriptions[resources.subscriptions.keys()].resource_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/resource_groups.tfvars.j2" + +# # +# # virtual_networks +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - virtual_networks" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].virtual_networks is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" + + +# # +# # network_profiles +# # +# - name: "[{{resources.relative_destination_folder}}] - resources - network_profiles" +# when: +# - resources.subscriptions[resources.subscriptions.keys()].network_profiles is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/network_profiles.tfvars.j2" + + +# - name: "[{{resources.relative_destination_folder}}] launchpad" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" +# dest: "{{destination_path}}/{{ item }}.tfvars" +# force: yes +# loop: +# - dynamic_secrets +# - global_settings +# - keyvaults +# - landingzone +# - role_mappings +# - storage_accounts + +# - name: "[{{resources.relative_destination_folder}}] Clean-up identity files" +# file: +# path: "{{destination_path}}/{{ item }}.tfvars" +# state: absent +# when: config.platform_identity.azuread_identity_mode == "logged_in_user" +# loop: +# - azuread_api_permissions +# - azuread_applications +# - azuread_group_members +# - azuread_groups +# - azuread_roles +# - keyvault_policies +# - service_principals + +# - name: 
"[{{resources.relative_destination_folder}}] lauchpad - identity - service_principal" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" +# dest: "{{destination_path}}/{{ item }}.tfvars" +# force: yes +# when: config.platform_identity.azuread_identity_mode != 'logged_in_user' +# loop: +# - azuread_api_permissions +# - azuread_applications +# - azuread_group_members +# - azuread_groups +# - azuread_roles +# - keyvault_policies +# - service_principals + +# - name: "[{{resources.relative_destination_folder}}] Deploy the launchpad" +# when: boostrap_launchpad | bool | default(false) +# shell: | +# /tf/rover/rover.sh \ +# -lz /tf/caf/landingzones/caf_launchpad \ +# -var-folder {{destination_path}} \ +# -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +# -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ +# -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ +# -log-severity {{ config.gitops.rover_log_error }} \ +# -launchpad \ +# -env {{ config.caf_terraform.launchpad.caf_environment }} \ +# -level {{ level }} \ +# -a apply + +- name: "[{{resources.relative_destination_folder}}] Get tfstate account name" + register: launchpad_storage_account + shell: | + az storage account list \ + --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name + +- debug: + msg: "{{launchpad_storage_account}}" + +- name: "[{{resources.relative_destination_folder}}] Get launchpad tfstate details" + register: launchpad_tfstate_exists + ignore_errors: true + shell: | + az storage blob download \ + --name "{{ config.tfstates.platform.launchpad.tfstate }}" \ + --account-name "{{ launchpad_storage_account.stdout | default('') }}" \ + --container-name "{{ 
config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ + --auth-mode "login" \ + --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" + +- name: "[{{resources.relative_destination_folder}}] Get subscription_creation_landingzones details" + when: + - launchpad_tfstate_exists.rc == 0 + - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine + shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" + register: launchpad_tfstate + +- name: "[{{resources.relative_destination_folder}}] Get launchpad json data" + when: + - launchpad_tfstate_exists.rc == 0 + - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine + set_fact: + scljsondata: "{{ launchpad_tfstate.stdout | from_json }}" + +- name: "[{{resources.relative_destination_folder}}] set launchpad_azuread_groups" + when: + - launchpad_tfstate_exists.rc == 0 + - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine + set_fact: + launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}" + vars: + path: 'outputs.objects.value.launchpad.azuread_groups' + +- name: "[{{resources.relative_destination_folder}}] Get credentials tfstate details" + register: credentials_tfstate_exists + ignore_errors: true + shell: | + az storage blob download \ + --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \ + --account-name "{{ launchpad_storage_account.stdout }}" \ + --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ + --auth-mode "login" \ + --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + +- name: "[{{resources.relative_destination_folder}}] Get launchpad_credentials details" + when: credentials_tfstate_exists.rc == 0 + shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + register: 
launchpad_credentials + +- name: "[{{resources.relative_destination_folder}}] Get launchpad_credentials json data" + when: credentials_tfstate_exists.rc == 0 + set_fact: + credjsondata: "{{ launchpad_credentials.stdout | from_json }}" + +- name: "[{{resources.relative_destination_folder}}] set keyvaults" + when: credentials_tfstate_exists.rc == 0 + set_fact: + keyvaults: "{{ credjsondata | json_query(path) }}" + vars: + path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults' + +- name: "[{{resources.relative_destination_folder}}] cleanup" + when: credentials_tfstate_exists.rc == 0 + file: + path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + state: absent + +- name: "[{{resources.relative_destination_folder}}] cleanup" + when: launchpad_tfstate_exists.rc == 0 + file: + path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" + state: absent + +# Update readme +# - name: "[{{resources.relative_destination_folder}}] launchpad - readme" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/readme.md" +# dest: "{{destination_path}}/readme.md" +# force: yes \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 b/templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 deleted file mode 100644 index 01e3e4656..000000000 --- a/templates/platform/level0/launchpad/azuread_api_permissions.tfvars.j2 +++ /dev/null 
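Review bot: Adding `ansible.yaml.old` beside the deleted `level0/launchpad/ansible.yaml` commits 242 lines of dead playbook, roughly half of it commented out, that nothing in this patch includes; git history already preserves the old version, so the file is better dropped or, if it is meant as a reference, renamed so an operator cannot mistake it for a live task file. If it is kept, the credentials download uses `--account-name "{{ launchpad_storage_account.stdout }}"` while the launchpad download above it uses `| default('')`, so the two fail differently when the storage-account lookup returns nothing. The downloaded launchpad and credentials state files in `~/.terraform.cache/launchpad/` are removed only by the two trailing cleanup tasks, so any failure between download and cleanup leaves Terraform state, which typically carries secrets, on the workstation; wrapping the download/parse/cleanup sequence in a `block` with an `always` section closes that gap.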
@@ -1,60 +0,0 @@ - - -azuread_api_permissions = { - level0 = { - microsoft_graph = { - resource_app_id = "00000003-0000-0000-c000-000000000000" - resource_access = { - AppRoleAssignment_ReadWrite_All = { - id = "06b708a9-e830-4db3-a914-8e69da51d44f" - type = "Role" - } - DelegatedPermissionGrant_ReadWrite_All = { - id = "8e8e4742-1d95-4f68-9d56-6ee75648c72a" - type = "Role" - } - DelegatedPermissionGrant_ReadWrite_All = { - id = "18a4783c-866b-4cc7-a460-3d5e5662c884" - type = "Role" - } - } - } - } - identity = { - active_directory_graph = { - resource_app_id = "00000002-0000-0000-c000-000000000000" - resource_access = { - Application_ReadWrite_OwnedBy = { - id = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7" - type = "Role" - } - Directory_ReadWrite_All = { - id = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175" - type = "Role" - } - } - } - microsoft_graph = { - resource_app_id = "00000003-0000-0000-c000-000000000000" - resource_access = { - AppRoleAssignment_ReadWrite_All = { - id = "06b708a9-e830-4db3-a914-8e69da51d44f" - type = "Role" - } - DelegatedPermissionGrant_ReadWrite_All = { - id = "8e8e4742-1d95-4f68-9d56-6ee75648c72a" - type = "Role" - } - GroupReadWriteAll = { - id = "62a82d76-70ea-41e2-9197-370581804d09" - type = "Role" - } - RoleManagement_ReadWrite_Directory = { - id = "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" - type = "Role" - } - } - } - } - -} diff --git a/templates/platform/level0/launchpad/azuread_applications.tfvars.j2 b/templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/azuread_applications.tfvars.j2 rename to templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old diff --git a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 index ec156a815..137706f8f 100644 --- a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 
+++ b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 @@ -1,3 +1,4 @@ +{% if config.platform_identity.enable_azuread_groups %} azuread_groups_membership = { caf_platform_maintainers = { {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} @@ -31,4 +32,7 @@ azuread_groups_membership = { ] } } -} \ No newline at end of file +} +{% else %} +# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true +{% endif %} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 b/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 index a551a004a..3eaee1839 100644 --- a/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 +++ b/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 @@ -1,3 +1,4 @@ +{% if config.platform_identity.enable_azuread_groups %} azuread_groups = { caf_platform_maintainers = { name = "caf-platform-maintainers" @@ -95,3 +96,6 @@ azuread_groups = { } } +{% else %} +# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true +{% endif %} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_roles.tfvars.j2 b/templates/platform/level0/launchpad/azuread_roles.tfvars.j2 deleted file mode 100644 index 88162fee6..000000000 --- a/templates/platform/level0/launchpad/azuread_roles.tfvars.j2 +++ /dev/null 
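Review bot: The new top-of-file guard `{% if config.platform_identity.enable_azuread_groups %}` in azuread_group_members.tfvars.j2 does not fall through to the `{% else %}` branch when the key is missing from an older configuration file; Ansible's templating treats an undefined value in a boolean test as an error, so rendering aborts instead of emitting the disabled-groups comment. `{% if config.platform_identity.enable_azuread_groups is defined and config.platform_identity.enable_azuread_groups %}` (or `| default(false)`) keeps existing configurations rendering. The same unguarded test is introduced in both hunks of azuread_groups.tfvars.j2 and in the three hunks of keyvaults.tfvars.j2. The `{% else %}` comment also reads oddly; `# Azure AD groups are not managed here: config.platform_identity.enable_azuread_groups is not true` says what the reader needs.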
@@ -1,28 +0,0 @@ -# -# Available roles: -# az rest --method Get --uri https://graph.microsoft.com/v1.0/directoryRoleTemplates -o json | jq -r .value[].displayName -# -azuread_roles = { - azuread_service_principals = { - level0 = { - roles = [ - "Privileged Role Administrator", - "Application Administrator", - "Groups Administrator" - ] - } - identity = { - roles = [ - "User Administrator", - "Application Administrator", - "Groups Administrator" - ] - } - subscription_creation_landingzones = { - roles = [ - "Application Administrator", - "Groups Administrator" - ] - } - } -} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 b/templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 deleted file mode 100644 index 0b967297e..000000000 --- a/templates/platform/level0/launchpad/dynamic_secrets.tfvars.j2 +++ /dev/null 
@@ -1,67 +0,0 @@ - -# Store output attributes into keyvault secret -# Those values are used by the rover to connect the current remote state and -# identity the lower level -dynamic_keyvault_secrets = { - level0 = { - subscription_id = { - output_key = "client_config" - attribute_key = "subscription_id" - secret_name = "subscription-id" - } - tenant_id = { - output_key = "client_config" - attribute_key = "tenant_id" - secret_name = "tenant-id" - } - } - level1 = { - lower_stg = { - output_key = "storage_accounts" - resource_key = "level0" - attribute_key = "name" - secret_name = "lower-storage-account-name" - } - lower_rg = { - output_key = "resource_groups" - resource_key = "level0" - attribute_key = "name" - secret_name = "lower-resource-group-name" - } - subscription_id = { - output_key = "client_config" - attribute_key = "subscription_id" - secret_name = "subscription-id" - } - tenant_id = { - output_key = "client_config" - attribute_key = "tenant_id" - secret_name = "tenant-id" - } - } - level2 = { - lower_stg = { - output_key = "storage_accounts" - resource_key = "level1" - attribute_key = "name" - secret_name = "lower-storage-account-name" - } - lower_rg = { - output_key = "resource_groups" - resource_key = "level1" - attribute_key = "name" - secret_name = "lower-resource-group-name" - } - subscription_id = { - output_key = "client_config" - attribute_key = "subscription_id" - secret_name = "subscription-id" - } - tenant_id = { - output_key = "client_config" - attribute_key = "tenant_id" - secret_name = "tenant-id" - } - } - -} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2 b/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/keyvault_policies.tfvars.j2 rename to templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old 
diff --git a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 index 06f112bfc..3dca65e8a 100644 --- a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 +++ b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 @@ -15,7 +15,7 @@ keyvaults = { object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] @@ -51,7 +51,7 @@ keyvaults = { object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] @@ -87,7 +87,7 @@ keyvaults = { object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] 
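Review bot: The three rewritten conditions in keyvaults.tfvars.j2 change who receives the `caf_platform_maintainers` access policy, not only which flag is read: before, the policy was withheld in `logged_in_user` identity mode; now it is granted whenever `enable_azuread_groups` is true, in every identity mode. Since the policy carries `Set`, `Get`, `List`, `Delete`, `Purge` and `Recover` on the launchpad key vaults, this widens secret access for that group when groups are enabled in `logged_in_user` mode. If that is intended, a comment above the first `{% if %}` such as `# Maintainers get full secret permissions whenever AAD groups are managed here, regardless of azuread_identity_mode` records the decision; if not, `{% if config.platform_identity.enable_azuread_groups and config.platform_identity.azuread_identity_mode != 'logged_in_user' %}` keeps the previous scope. Either way the flag should be tested with `is defined` first, as raised on the azuread_group_members hunk.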
diff --git a/templates/platform/level0/launchpad/landingzone.tfvars.j2 b/templates/platform/level0/launchpad/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/landingzone.tfvars.j2 rename to templates/platform/level0/launchpad/landingzone.tfvars.j2.old diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index 361e6ed95..46cbefbaf 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md @@ -17,7 +17,7 @@ This scenario requires the following privileges: Elevate your credentials to the tenant root level to have enough privileges to create the management group hierarchy. ```bash -{% if config.caf_terraform.billing_subscription_role_delegations.enable %} +{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} {% else %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner. @@ -34,7 +34,7 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap ```bash {% if config.caf_terraform.billing_subscription_role_delegations is defined %} -{% if config.caf_terraform.billing_subscription_role_delegations.enable %} +{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} {% else %} # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner. 
@@ -45,13 +45,14 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra cd /tf/caf/landingzones git fetch origin git checkout {{ config.gitops.caf_landingzone_branch }} +git pull rover \ {% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_launchpad \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ @@ -75,7 +76,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_launchpad \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \ diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2 b/templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD similarity index 100% rename from templates/platform/level0/launchpad/role_mappings.tfvars.j2 rename to templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD 
diff --git a/templates/platform/level0/launchpad/service_principals.tfvars.j2 b/templates/platform/level0/launchpad/service_principals.tfvars.j2.old similarity index 100% rename from templates/platform/level0/launchpad/service_principals.tfvars.j2 rename to templates/platform/level0/launchpad/service_principals.tfvars.j2.old diff --git a/templates/platform/level0/launchpad/storage_accounts.tfvars.j2 b/templates/platform/level0/launchpad/storage_accounts.tfvars.j2 deleted file mode 100644 index 8aa17568c..000000000 --- a/templates/platform/level0/launchpad/storage_accounts.tfvars.j2 +++ /dev/null 
@@ -1,90 +0,0 @@ - -storage_accounts = { - level0 = { - name = "{{ resources.subscriptions[subscription_key].storage_accounts.level0.name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level0.resource_group_key }}" - account_kind = "BlobStorage" - account_tier = "Standard" - shared_access_key_enabled = false - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - - tags = { - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. - # Only adjust the environment value at creation time - caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" - caf_launchpad = "launchpad" - caf_tfstate = "level0" - ## - } - - blob_properties = { - versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }} - container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }} - delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }} - } - - containers = { - {{ config.tfstates.platform.launchpad.workspace | default('tfstate') }} = { - name = "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" - } - } - } - - level1 = { - name = "{{ resources.subscriptions[subscription_key].storage_accounts.level1.name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level1.resource_group_key }}" - account_kind = "BlobStorage" - account_tier = "Standard" - shared_access_key_enabled = false - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - - tags = { - # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates. 
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" - caf_launchpad = "launchpad" - caf_tfstate = "level1" - } - - blob_properties = { - versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }} - container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }} - delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }} - } - - containers = { - {{ config.tfstates.platform.launchpad.workspace | default('tfstate') }} = { - name = "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" - } - } - } - - level2 = { - name = "{{ resources.subscriptions[subscription_key].storage_accounts.level2.name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level2.resource_group_key }}" - account_kind = "BlobStorage" - account_tier = "Standard" - shared_access_key_enabled = false - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - - tags = { - # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates. - caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}" - caf_launchpad = "launchpad" - caf_tfstate = "level2" - } - - blob_properties = { - versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }} - container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }} - delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }} - } - - containers = { - {{ config.tfstates.platform.launchpad.workspace | default('tfstate') }} = { - name = "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" - } - } - } - - -} \ No newline at end of file 
diff --git a/templates/platform/level1/eslz/ansible.yaml b/templates/platform/level1/eslz/ansible.yaml index 583a6ed3e..02159edd4 100644 --- a/templates/platform/level1/eslz/ansible.yaml +++ b/templates/platform/level1/eslz/ansible.yaml 
@@ -1,58 +1,69 @@ -- name: "{{ level }}-{{ base_folder }} | Clean-up base directory" +- name: "{{level }}-{{ deployment}} - Set landingzone file_path" + set_fact: + destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{ level }}/{{ deployment }}" + mg: "{{ lookup('file', '{{ config_folder }}/eslz/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" + mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/custom_landing_zones.caf.platform.yaml') | from_yaml }}" + level: "{{tfstate_object.level}}" + verbosity: 2 + +- debug: + msg: "{{destination_path}}" + +- name: "{{ level }}-{{ deployment }} | Clean-up base directory" shell: | - rm -rf "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" + rm -rf "{{ destination_path }}" when: - config.platform_core_setup.enterprise_scale.enable - config.platform_core_setup.enterprise_scale.clean_up_destination_folder -- name: "{{ level }}-{{ base_folder }} | Creates directory structure" - shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/{{ item.path }}" - with_filetree: "{{ level }}/{{ base_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}" +- name: "{{ level }}-{{ deployment }} | Creates directory structure" + shell: mkdir -p "{{ destination_path }}/lib/{{ item.path }}" + with_filetree: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder}}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}" when: item.state == 'directory' -- name: "{{ level }}-{{ base_folder }} | Tfvars" +- name: "{{ level }}-{{ deployment }} | Tfvars" ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ 
level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - - "{{ level }}/{{ base_folder }}/*.j2" - - "{{ level }}/{{ base_folder }}/*.md" + - "{{ level }}/{{ deployment }}/*.j2" + - "{{ level }}/{{ deployment }}/*.md" -- name: "{{ level }}-{{ base_folder }} | Lib - archetypes - built-in" +- name: "{{ level }}-{{ deployment }} | Lib - archetypes - built-in" ansible.builtin.template: - src: "{{ base_templates_folder }}/{{ level }}/eslz/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/archetype_definition_template.json.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json" + src: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder}}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/archetype_definition_template.json.j2" + dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg.archetype_definitions.keys() }}" loop_control: loop_var: item -- name: "{{ level }}-{{ base_folder }} | Lib - archetypes - custom" +- name: "{{ level }}-{{ deployment }} | Lib - archetypes - custom" when: - mg_custom.archetype_definitions is defined ansible.builtin.template: - src: "{{ base_templates_folder }}/{{ level }}/eslz/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/custom_landing_zone_template.json.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/archetype_definitions/archetype_definition_{{ 
mg_custom.archetype_definitions[item].archetype_id }}.json" + src: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/custom_landing_zone_template.json.j2" + dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg_custom.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg_custom.archetype_definitions.keys() }}" loop_control: loop_var: item -- name: "{{ level }}-{{ base_folder }} | Lib" +- name: "{{ level }}-{{ deployment }} | Lib" ansible.builtin.template: src: "{{ item.src }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib/{{ item.path }}" + dest: "{{ destination_path }}/lib/{{ item.path }}" force: yes with_filetree: "{{ config_folder }}/eslz/lib" when: item.state == 'file' and config.platform_core_setup.enterprise_scale.update_lib_folder -- name: "{{ level }}-{{ base_folder }} | overrides" +- name: "{{ level }}-{{ deployment }} | overrides" when: - mg_custom.archetype_definitions is defined ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - - "{{ level }}/{{ base_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/*.tfvars.j2" + - "{{ level }}/{{ deployment }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/*.tfvars.j2" diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 index 56045fc03..3b51b0112 100644 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 
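Review bot: The new `Set landingzone file_path` task makes both `archetype_config_overrides.caf.platform.yaml` and `custom_landing_zones.caf.platform.yaml` mandatory, because `lookup('file', ...)` errors on a missing file, yet the `Lib - archetypes - custom` and `overrides` tasks below still test `mg_custom.archetype_definitions is defined` as though the second file were optional; either those guards are dead or the lookup needs to tolerate the missing file. Writing `'{{ config_folder }}/eslz/...'` inside the lookup string appears to rely on a second templating pass; `lookup('file', config_folder ~ '/eslz/custom_landing_zones.caf.platform.yaml')` is the direct form. That same task reads `{{level }}` in its name while assigning `level` from `tfstate_object.level`, so the name is rendered with whatever value preceded it (the surrounding play is outside the hunk), and the unnamed `- debug:` that follows prints on every run unless given a name and `verbosity: 1`. The clean-up task still runs `rm -rf` through `shell` on a path assembled from configuration values; `file: { path: "{{ destination_path }}", state: absent }` removes the same directory without going through a shell.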
+++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2
@@ -1,4 +1,4 @@
-library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/lib"
+library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ tfstate_object.sub_template_folder }}/lib"
 {% if config.platform_core_setup.enterprise_scale.root_parent_id is defined %}
 root_parent_id = "{{ config.platform_core_setup.enterprise_scale.root_parent_id }}"
 {% endif %}
diff --git a/templates/platform/level1/eslz/configuration.tfvars.j2 b/templates/platform/level1/eslz/landingzone.tfvars.j2
similarity index 100%
rename from templates/platform/level1/eslz/configuration.tfvars.j2
rename to templates/platform/level1/eslz/landingzone.tfvars.j2
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
index 8d96940d2..c95c57d8a 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
+++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
@@ -62,7 +62,7 @@ custom_landing_zones = {
 }
 subscriptions = {}
 {% if level.subscription_ids is defined %}
- subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('\'','\"') }}
+ subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 subscription_ids = []
 {% endif %}
diff --git a/templates/platform/level1/eslz/readme.md b/templates/platform/level1/eslz/readme.md
index 96b22db83..17a616b85 100644
--- a/templates/platform/level1/eslz/readme.md
+++ b/templates/platform/level1/eslz/readme.md
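Review bot: The rewritten `library_path` now ends in `{{ tfstate_object.sub_template_folder }}/lib` under `destination_relative_path`, while the Ansible tasks in this same commit render the lib folder into `destination_path`, which is built from `{{ level }}/{{ deployment }}`; the two only coincide if `sub_template_folder` always equals `level/deployment`. If that is not guaranteed (I cannot tell from the hunk), Terraform is handed a library path that does not contain the archetype definitions just rendered. A comment on the line, `# must resolve to the same folder as destination_path in ansible.yaml`, or deriving both paths from one fact, keeps them aligned.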
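Review bot: The added `replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n')` chain on `subscription_ids` formats the Python repr of a list by plain text substitution, so it is only correct while no element contains `[`, `]`, `,` or `'`, and it still depends on the `'None'` text match to handle an empty value. `subscription_ids = {{ level.subscription_ids | default([], true) | to_nice_json }}` emits a correctly quoted multi-line list that Terraform accepts, without any of the string surgery. The same chain is repeated for `root` in the first hunk of subscription_id_overrides.tfvars.j2 and for the seven keys in its second hunk.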
@@ -18,7 +18,7 @@ rover \
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_eslz.vault_uri }} \
 {% endif %}
 -lz {{ destination_base }}/landingzones/caf_solution/add-ons/caf_eslz \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
+ -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 -tfstate {{ config.tfstates.platform.eslz.tfstate }} \
 -log-severity ERROR \
diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2
index 1d0d43eca..19082ee50 100644
--- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2
+++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2
@@ -1,7 +1,7 @@
 subscription_id_overrides = {
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %}
- root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('\'','\"') }}
+ root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 root = []
 {% endif %}
@@ -14,37 +14,37 @@ subscription_id_overrides = {
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %}
- decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('\'','\"') }}
+ decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 decommissioned = []
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes is defined %}
- sandboxes = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('\'','\"') }}
+ sandboxes = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 sandboxes = []
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %}
- landing-zones = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('\'','\"') }}
+ landing-zones = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 landing-zones = []
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform is defined %}
- platform = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('\'','\"') }}
+ platform = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 platform = []
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity is defined %}
- connectivity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('\'','\"') }}
+ connectivity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 connectivity = []
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.management is defined %}
- management = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('\'','\"') }}
+ management = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 management = []
 {% endif %}
 {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity is defined %}
- identity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('\'','\"') }}
+ identity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% else %}
 identity = []
 {% endif %}
diff --git a/templates/platform/level1/identity/ansible.yaml b/templates/platform/level1/identity/ansible.yaml.old
similarity index 100%
rename from templates/platform/level1/identity/ansible.yaml
rename to templates/platform/level1/identity/ansible.yaml.old
diff --git a/templates/platform/level1/identity/landingzone.tfvars.j2 b/templates/platform/level1/identity/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level1/identity/landingzone.tfvars.j2 rename to templates/platform/level1/identity/landingzone.tfvars.j2.old diff --git a/templates/platform/level1/identity/readme.md b/templates/platform/level1/identity/readme.md index d2a8ecee1..f7c0f8314 100644 --- a/templates/platform/level1/identity/readme.md +++ b/templates/platform/level1/identity/readme.md @@ -22,7 +22,7 @@ rover \ {% endif %} {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ diff --git a/templates/platform/level1/management/ansible.yaml b/templates/platform/level1/management/ansible.yaml.old similarity index 100% rename from templates/platform/level1/management/ansible.yaml rename to templates/platform/level1/management/ansible.yaml.old diff --git a/templates/platform/level1/management/landingzone.tfvars.j2 b/templates/platform/level1/management/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level1/management/landingzone.tfvars.j2 rename to templates/platform/level1/management/landingzone.tfvars.j2.old diff --git a/templates/platform/level1/management/readme.md b/templates/platform/level1/management/readme.md index 130826048..23edecc4c 100644 --- a/templates/platform/level1/management/readme.md +++ b/templates/platform/level1/management/readme.md 
@@ -22,7 +22,7 @@ rover \ {% endif %} {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.management.subscription_id }} \ diff --git a/templates/platform/level1/subscriptions/ansible.yaml b/templates/platform/level1/subscriptions/ansible.yaml.old similarity index 100% rename from templates/platform/level1/subscriptions/ansible.yaml rename to templates/platform/level1/subscriptions/ansible.yaml.old diff --git a/templates/platform/level1/subscriptions/landingzone.tfvars.j2 b/templates/platform/level1/subscriptions/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level1/subscriptions/landingzone.tfvars.j2 rename to templates/platform/level1/subscriptions/landingzone.tfvars.j2.old diff --git a/templates/platform/level1/subscriptions/readme.md b/templates/platform/level1/subscriptions/readme.md index dc36cd7b9..3aea9caab 100644 --- a/templates/platform/level1/subscriptions/readme.md +++ b/templates/platform/level1/subscriptions/readme.md @@ -14,7 +14,7 @@ rover \ {% endif %} {% endif %} -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \ -log-severity {{ config.gitops.rover_log_error }} \ 
diff --git a/templates/platform/level2/ansible_deployment.yaml b/templates/platform/level2/ansible_deployment.yaml.old similarity index 100% rename from templates/platform/level2/ansible_deployment.yaml rename to templates/platform/level2/ansible_deployment.yaml.old diff --git a/templates/platform/level2/ansible_resource_deployment.yaml b/templates/platform/level2/ansible_resource_deployment.yaml.old similarity index 100% rename from templates/platform/level2/ansible_resource_deployment.yaml rename to templates/platform/level2/ansible_resource_deployment.yaml.old diff --git a/templates/platform/level2/ansible_resource_type.yaml b/templates/platform/level2/ansible_resource_type.yaml.old similarity index 100% rename from templates/platform/level2/ansible_resource_type.yaml rename to templates/platform/level2/ansible_resource_type.yaml.old diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml index 2135fd666..0b26e230c 100644 --- a/templates/platform/level2/asvm/ansible.yaml +++ b/templates/platform/level2/asvm/ansible.yaml 
@@ -1,31 +1,31 @@ -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" +# - name: "[{{ level }}-{{ base_folder }}] - Set variables" +# set_fact: +# destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" -- name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "asvm.yaml" +# - name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" +# include_vars: +# name: resources +# dir: "{{config_folder}}" +# depth: 1 +# ignore_unknown_extensions: true +# files_matching: "asvm.yaml" -- debug: - msg: "{{resources}}" +# - debug: +# msg: "{{resources}}" -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool +# - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" +# file: +# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" +# state: absent +# when: config.configuration_folders.platform.cleanup_destination | bool -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory +# - name: "[{{ level }}-{{ base_folder }}] Creates directory" +# file: +# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" +# state: directory -- name: "[{{ 
level }}-{{ base_folder }}] Get level2 tfstate account name" +- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name" register: level2_storage_account shell: | az storage account list \ @@ -34,9 +34,9 @@ - debug: msg: "{{level2_storage_account}}" + verbosity: 2 - -- name: "[{{ level }}-{{ base_folder }}] Get level2 tfstate account name" +- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name" register: level2_storage_rg shell: | az storage account list \ 
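Review bot: The first half of this hunk comments out the `Set variables`, `Load variable for launchpad`, `Clean-up directory` and `Creates directory` tasks instead of deleting them, so the file now opens with some thirty lines of dead YAML that no longer match the `process_*.yaml` flow this patch introduces (for example `destination_path` is now computed in process_subscription_resources.yaml). Git history already keeps the old asvm flow; I'd drop the commented block so the next reader does not have to work out which of the two variants is live. The renamed `Get level2 tfstate account name` task at the end is fine, but its `shell` body continues outside the hunk.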
@@ -45,48 +45,49 @@ - debug: msg: "{{level2_storage_account}}" + verbosity: 2 -# -# resource_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" +# # +# # resource_groups +# # +# - name: "[{{ level }}-{{ base_folder }}] - resource_groups" +# when: +# - resources.subscriptions[subscription_key].resource_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/resource_groups.tfvars.j2" -# -# azuread_groups -# -- name: "[{{ level }}-{{ base_folder }}] - azuread_groups" - when: - - resources.subscriptions[subscription_key].azuread_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_groups.tfvars.j2" +# # +# # azuread_groups +# # +# - name: "[{{ level }}-{{ base_folder }}] - azuread_groups" +# when: +# - resources.subscriptions[subscription_key].azuread_groups is defined +# ansible.builtin.template: +# src: "{{ item }}" +# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" +# force: yes +# with_fileglob: +# - "{{ resource_template_folder }}/azuread_groups.tfvars.j2" -- name: "[{{ level }}-{{ base_folder }}] asvm" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" - force: yes - loop: - - dynamic_secrets - - 
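Review bot: The renamed task that registers `level2_storage_rg` keeps the name `Get level2 tfstate account name`, which is the name of the previous task and no longer describes what this one registers; from the visible `az storage account list` call it presumably resolves the resource group, so `- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate resource group"` would make the play output readable. The shell body of the task runs past the end of the hunk.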
keyvaults - - landingzone - - role_mappings - - storage_accounts +# - name: "[{{ level }}-{{ base_folder }}] asvm" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" +# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars" +# force: yes +# loop: +# - dynamic_secrets +# - keyvaults +# - landingzone +# - role_mappings +# - storage_accounts -- name: "[{{ level }}-{{ base_folder }}] launchpad - readme" - ansible.builtin.template: - src: "{{ level }}/{{ base_folder }}/readme.md" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md" - force: yes \ No newline at end of file +# - name: "[{{ level }}-{{ base_folder }}] launchpad - readme" +# ansible.builtin.template: +# src: "{{ level }}/{{ base_folder }}/readme.md" +# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md" +# force: yes \ No newline at end of file diff --git a/templates/platform/level2/asvm/landingzone.tfvars.j2 b/templates/platform/level2/asvm/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/asvm/landingzone.tfvars.j2 rename to templates/platform/level2/asvm/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/asvm/readme.md b/templates/platform/level2/asvm/readme.md index 70b86198e..cbd54f9b1 100644 --- a/templates/platform/level2/asvm/readme.md +++ b/templates/platform/level2/asvm/readme.md 
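Review bot: The debug task at the top of this hunk, now gated with `verbosity: 2`, prints `level2_storage_account` although the task immediately before it registers `level2_storage_rg`, so the value just fetched is never shown; `msg: "{{level2_storage_rg}}"` is presumably what was intended. The remainder of the hunk comments out the resource_groups, azuread_groups, asvm and readme template tasks rather than removing them; since the same work is now done by process_resources.yaml and process_subscription_resources.yaml elsewhere in this patch, the commented copy will only drift, and I'd delete it outright.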
@@ -13,7 +13,7 @@ rover \ --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz {{ destination_base }}/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ + -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.asvm.tfstate }} \ diff --git a/templates/platform/level2/asvm/storage_accounts.tfvars.j2 b/templates/platform/level2/asvm/storage_accounts.tfvars.j2.old similarity index 100% rename from templates/platform/level2/asvm/storage_accounts.tfvars.j2 rename to templates/platform/level2/asvm/storage_accounts.tfvars.j2.old diff --git a/templates/platform/level2/connectivity/ansible.yaml b/templates/platform/level2/connectivity/ansible.yaml.old similarity index 100% rename from templates/platform/level2/connectivity/ansible.yaml rename to templates/platform/level2/connectivity/ansible.yaml.old diff --git a/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2 rename to templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2 rename to templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old 
diff --git a/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old similarity index 100% rename from templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2 rename to templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old diff --git a/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 b/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 deleted file mode 100644 index 79894da6c..000000000 --- a/templates/platform/level2/connectivity/vpn_site/vpn_sites.tfvars.j2 +++ /dev/null @@ -1,36 +0,0 @@ -vpn_sites = { - {{ site }} = { - name = "{{ connectivity_vpn_sites.vpn_sites[site].name }}" - resource_group = { - lz_key = "{{ connectivity_vpn_sites.vpn_sites[site].resource_group.lz_key }}" - key = "{{ connectivity_vpn_sites.vpn_sites[site].resource_group.key }}" - } - virtual_wan = { - lz_key = "{{ connectivity_vpn_sites.vpn_sites[site].virtual_wan.lz_key }}" - key = "{{ connectivity_vpn_sites.vpn_sites[site].virtual_wan.key }}" - } - device_vendor = "{{ connectivity_vpn_sites.vpn_sites[site].device_vendor }}" -{% if connectivity_vpn_sites.vpn_sites[site].address_cidrs is defined %} - address_cidrs = {{ connectivity_vpn_sites.vpn_sites[site].address_cidrs | replace('None','[]') | replace('\'','\"') }} -{% endif %} - links = { -{% for link_key, link in connectivity_vpn_sites.vpn_sites[site].links.items() %} - {{ link_key }} = { - name = "{{ link.name }}" - ip_address = "{{ link.ip_address }}" - provider_name = "{{ link.provider_name }}" - speed_in_mbps = "{{ link.speed_in_mbps }}" -{% if link.fqdn is defined %} - fqdn = "{{ ink.fqdn }}" -{% endif %} -{% if link.bgp is defined %} - bgp = { - asn = "{{ link.bgp.asn }}" - peering_address = "{{ link.bgp.peering_address }}" - } -{% endif %} - } -{% endfor %} - } - } -} \ No newline at end of file 
diff --git a/templates/platform/level2/identity/ansible.yaml b/templates/platform/level2/identity/ansible.yaml.old
similarity index 100%
rename from templates/platform/level2/identity/ansible.yaml
rename to templates/platform/level2/identity/ansible.yaml.old
diff --git a/templates/platform/process_deployments.yaml b/templates/platform/process_deployments.yaml
new file mode 100644
index 000000000..7aae3f269
--- /dev/null
+++ b/templates/platform/process_deployments.yaml
@@ -0,0 +1,21 @@
+
+- debug:
+ msg: "file {{file_to_process.path}}"
+
+- set_fact:
+ resources: "{{ lookup('file', '{{ file_to_process.path }}') | from_yaml }}"
+
+- set_fact:
+ env: "{{resources.deployments.tfstate.values() | first | default('')}}"
+
+- name: "{{tfstates[tfstate]}} - Set tfstate_object"
+ set_fact:
+ tfstate_object: '{{config.tfstates.platform[resources.deployments.tfstate.keys() | first] if env == "" else config.tfstates.platform[resources.deployments.tfstate.keys() | first][env]}}'
+
+- name: "Including tasks process_tfstate.yaml"
+ include_tasks: "process_tfstate.yaml"
+ loop: ["{{resources.deployments.tfstate.keys() | first }}"]
+ loop_control:
+ loop_var: deployment
+ vars:
+ config_file: "{{ file_to_process.path }}"
\ No newline at end of file
diff --git a/templates/platform/process_foundations.yaml b/templates/platform/process_foundations.yaml
new file mode 100644
index 000000000..fff4a2ccd
--- /dev/null
+++ b/templates/platform/process_foundations.yaml
@@ -0,0 +1,10 @@
+
+- debug:
+ msg: "stage {{stage}} - {{bootstrap[step][stage]}}"
+
+- include_tasks: "process_stages.yaml"
+ loop: "{{bootstrap[step][stage].keys()}}"
+ loop_control:
+ loop_var: tfstate
+ vars:
+ tfstates: "{{bootstrap[step][stage]}}"
\ No newline at end of file
diff --git a/templates/platform/process_resources.yaml b/templates/platform/process_resources.yaml
new file mode 100644
index 000000000..c3b7a0054
--- /dev/null
+++ b/templates/platform/process_resources.yaml
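Review bot: `resources: "{{ lookup('file', '{{ file_to_process.path }}') | from_yaml }}"` nests a Jinja expression inside another expression, a form recent Ansible releases warn about as deprecated nested templating; passing the variable directly, `lookup('file', file_to_process.path)`, is the supported spelling. The task name `"{{tfstates[tfstate]}} - Set tfstate_object"` also references `tfstates` and `tfstate`, which nothing in this file sets (they appear to be copied from process_stages.yaml), so unless the including play defines both, rendering the task name itself fails before the `set_fact` runs; a literal such as `- name: "Set tfstate_object from {{ file_to_process.path }}"` avoids that dependency.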
@@ -0,0 +1,30 @@
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}} - check file to process"
+ stat:
+ path: "{{ansible_to_process}}/{{resource_type}}.tfvars.j2"
+ register: override_file
+
+- name: "{{deployment}} - Set resource_type file_path"
+ set_fact:
+ resource_type_template: "{{resource_template_folder}}/{{resource_type}}.tfvars.j2"
+ resource_type_override: "{{ansible_to_process }}/{{resource_type}}.tfvars.j2"
+ verbosity: 2
+
+- debug:
+ msg:
+ - "resource_type_template for {{resource_type_template}}"
+ - "{{resource_type_override}}"
+ - "{{override_file}}"
+ verbosity: 2
+
+
+#
+# resources
+#
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}}"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ force: yes
+ with_fileglob:
+ - "{{resource_type_override if override_file.stat.exists else resource_type_template}}"
+
diff --git a/templates/platform/process_stages.yaml b/templates/platform/process_stages.yaml
new file mode 100644
index 000000000..f2c043615
--- /dev/null
+++ b/templates/platform/process_stages.yaml
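Review bot: `verbosity: 2` under the `Set resource_type file_path` task is not a `set_fact` option — `set_fact` takes every key it is given as a fact to define, so this effectively stores a host fact named `verbosity` with the value 2 rather than suppressing output; only the `debug` task below understands `verbosity`. Remove that line from the `set_fact` block. A minor point in the template task: `regex_replace('.j2$', '')` leaves the dot unescaped, so `regex_replace('\\.j2$', '')` states the intent exactly, although the two behave the same on these file names.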
@@ -0,0 +1,33 @@
+
+- debug:
+ msg: "tfstate {{tfstate}} - {{tfstates[tfstate]}}"
+
+
+- name: "{{tfstates[tfstate]}} - Set env"
+ set_fact:
+ env: "{{tfstates[tfstate].values() | first | default()}}"
+ verbosity: 2
+
+
+- name: "{{tfstates[tfstate]}} - Set tfstate_object"
+ set_fact:
+ tfstate_object: '{{config.tfstates.platform[tfstates[tfstate].keys() | first] if env == "" else config.tfstates.platform[tfstates[tfstate].keys() | first][env]}}'
+ verbosity: 2
+
+- name: "{{tfstates[tfstate]}} - Set config_file"
+ set_fact:
+ config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
+
+- debug:
+ msg: '{{ config_file }}'
+ verbosity: 2
+
+- name: "Including tasks process_tfstate.yaml"
+ include_tasks: "process_tfstate.yaml"
+ loop: "{{tfstates[tfstate].keys()}}"
+ loop_control:
+ loop_var: deployment
+ vars:
+ key: "{{tfstates[tfstate]}}"
+ resources: "{{ lookup('file', '{{ config_file }}') | from_yaml }}"
+ deployments: "{{ lookup('file', '{{ config_file }}') | from_yaml }}"
\ No newline at end of file
diff --git a/templates/platform/process_subscription_resources.yaml b/templates/platform/process_subscription_resources.yaml
new file mode 100644
index 000000000..3bb94c2ba
--- /dev/null
+++ b/templates/platform/process_subscription_resources.yaml
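Review bot: The `verbosity: 2` keys under the `Set env` and `Set tfstate_object` tasks are `debug` options, not `set_fact` options; `set_fact` will record them as a fact called `verbosity` instead of hiding anything, so they should be removed from both tasks. In the final include, `resources` and `deployments` both parse the same file through `lookup('file', '{{ config_file }}')`, which reads and parses it twice and uses the nested-template form that newer Ansible versions warn about; `resources: "{{ lookup('file', config_file) | from_yaml }}"` together with `deployments: "{{ resources }}"` keeps the two names while doing the work once.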
@@ -0,0 +1,76 @@
+
+- debug:
+ msg:
+ - "subscription_key {{subscription_key}}"
+ - "{{resources.subscriptions[subscription_key]}}"
+
+- name: "{{deployment}} - Set ansible_to_process"
+ set_fact:
+ ansible_to_process: "{{base_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else base_templates_folder + '/generic'}}"
+ verbosity: 2
+
+- name: "{{deployment}} - Set landingzone file_path"
+ set_fact:
+ landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2"
+ landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2"
+ destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}"
+ level: "{{tfstate_object.level}}"
+ verbosity: 2
+
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - check file to process"
+ stat:
+ path: "{{landingzone_override}}"
+ register: landingzone_override_file
+
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Clean-up directory"
+ file:
+ path: "{{destination_path}}"
+ state: absent
+ when: config.configuration_folders.platform.cleanup_destination | bool
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Creates directory"
+ file:
+ path: "{{destination_path}}"
+ state: directory
+
+
+
+- name: "{{deployment}} - process custom yaml process"
+ include_tasks: "{{base_templates_folder}}/{{tfstate_object.yaml}}"
+ when: tfstate_object.yaml is defined
+
+#
+# landingzone.tfvars
+#
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ force: yes
+ with_fileglob:
+ - "{{landingzone_override if landingzone_override_file.stat.exists else 
landingzone_template}}"
+
+#
+# Resources
+#
+
+- name: "{{deployment}} - process resources"
+ include_tasks: "process_resources.yaml"
+ loop: "{{resources.subscriptions[subscription_key] | list if resources.subscriptions[subscription_key] is mapping else [] }}"
+ loop_control:
+ loop_var: resource_type
+
+#
+# overrides
+#
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ force: yes
+ with_fileglob:
+ - "{{ ansible_to_process }}/*.j2"
+ - "{{ ansible_to_process }}/*.md"
+
diff --git a/templates/platform/process_tfstate.yaml b/templates/platform/process_tfstate.yaml
new file mode 100644
index 000000000..acbc3ba87
--- /dev/null
+++ b/templates/platform/process_tfstate.yaml
@@ -0,0 +1,22 @@
+
+- name: "Verify {{deployment}} {{key[deployment] | default()}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :"
+ debug:
+ msg:
+ - "{{config.tfstates.platform[deployment]}}"
+ - "resources - {{resources}}"
+
+- name: "{{deployment}} - tfstate_object sub_template_folder and config_file - {{env}}"
+ debug:
+ msg:
+ - 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
+ - 'config_file - {{tfstate_object.config_file | default()}}'
+ - 'tfstate_object - {{tfstate_object}}'
+ verbosity: 2
+
+- name: "{{deployment}} - process subscription resources"
+ include_tasks: "process_subscription_resources.yaml"
+ loop: "{{resources.subscriptions.keys()}}"
+ loop_control:
+ loop_var: subscription_key
+ vars:
+ level: "{{tfstate_object.level}}"
diff --git a/templates/resources/azuread_api_permissions.tfvars.j2 b/templates/resources/azuread_api_permissions.tfvars.j2
new file mode 100644
index 000000000..4a5ebc39e
--- /dev/null
+++ b/templates/resources/azuread_api_permissions.tfvars.j2
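Review bot: The `Clean-up directory` task runs `file: state: absent` on `destination_path`, which is built from `resources.relative_destination_folder` taken verbatim from the deployment YAML; a value containing `..` segments would point the recursive delete outside `destination_base_path`, and nothing in this file checks it. Before the clean-up task I'd add an `ansible.builtin.assert` with `that: "'..' not in resources.relative_destination_folder"` and a `fail_msg` naming the config file, so a typo in a deployment file fails loudly instead of deleting the wrong tree. The `verbosity: 2` entries under the two `set_fact` tasks are also not `set_fact` options and end up stored as a fact; they should be removed.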
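Review bot: The task named `Verify {{deployment}} ... is defined under tfstates:platform` is a `debug`, so it verifies nothing: when the key is missing, templating `config.tfstates.platform[deployment]` fails with a generic undefined-variable error rather than the explanation the task name promises. An `ansible.builtin.assert` with `that: deployment in config.tfstates.platform` and `fail_msg: "{{deployment}} is not defined under tfstates:platform in {{config_folder}}/tfstates.yaml"` performs the intended check, and the existing `debug` can keep dumping `resources` at `verbosity: 2` for troubleshooting.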
@@ -0,0 +1,32 @@
+azuread_api_permissions = {
+{% for key, value in resources.subscriptions[subscription_key].azuread_api_permissions.items() %}
+ {{ key }} = {
+{% if value.microsoft_graph is defined %}
+ microsoft_graph = {
+ resource_app_id = "{{ value.microsoft_graph.resource_app_id }}"
+ resource_access = {
+{% for r_key, r_value in value.microsoft_graph.resource_access.items() %}
+ {{r_key}} = {
+ id = "{{ r_value.id }}"
+ type = "{{ r_value.type }}"
+ }
+{% endfor%}
+ }
+ }
+{% endif %}
+{% if value.active_directory_graph is defined %}
+ active_directory_graph = {
+ resource_app_id = "{{ value.active_directory_graph.resource_app_id }}"
+ resource_access = {
+{% for r_key, r_value in value.active_directory_graph.resource_access.items() %}
+ {{r_key}} = {
+ id = "{{ r_value.id }}"
+ type = "{{ r_value.type }}"
+ }
+{% endfor%}
+ }
+ }
+{% endif %}
+ }
+{% endfor %}
+}
diff --git a/templates/resources/azuread_roles.tfvars.j2 b/templates/resources/azuread_roles.tfvars.j2
new file mode 100644
index 000000000..338f4a52d
--- /dev/null
+++ b/templates/resources/azuread_roles.tfvars.j2
@@ -0,0 +1,15 @@
+#
+# Available roles:
+# az rest --method Get --uri https://graph.microsoft.com/v1.0/directoryRoleTemplates -o json | jq -r .value[].displayName
+#
+azuread_roles = {
+{% for key, value in resources.subscriptions[subscription_key].azuread_roles.items() %}
+ {{ key }} = {
+{% for l_key, l_value in value.items() %}
+ {{l_key}} = {
+ roles = {{ l_value.roles | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
+ }
+{% endfor %}
+ }
+{% endfor %}
+}
\ No newline at end of file
diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 b/templates/resources/dynamic_keyvault_secrets.tfvars.j2
index 0797ccf1a..b43870518 100644
--- a/templates/resources/dynamic_keyvault_secrets.tfvars.j2
+++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2
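Review bot: `roles` is produced by string-replacing the Python repr of the YAML list (`replace('None','[]') | replace('[', '[\n') | ... | replace('\'','\"')`), which is fragile: any role name containing a comma, a bracket or an apostrophe would be split or mis-quoted, and a scalar `None` is silently turned into `[]`. Serialising the list properly, `roles = {{ l_value.roles | default([]) | to_json }}` (or `to_nice_json` if the one-entry-per-line layout matters), yields valid HCL for any content. The azuread_roles template is the second hunk on this line; the expression sits in its inner loop.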
@@ -1,12 +1,13 @@ dynamic_keyvault_secrets = { -{% for kv_key, kv_value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} - {{ kv_key }} = { -{% for key, value in kv_value.items() %} - {{ key }} = { - secret_name = "{{ value.secret_name }}" - value = "{{ value['value'] }}" +{% for key, value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} + {{ key }} = { +{% for l1_key, l1_value in value.items() %} + {{l1_key}} = { +{% for l2_key, l2_value in l1_value.items() %} + {{l2_key}} = "{{l2_value}}" +{% endfor%} } -{% endfor %} +{% endfor%} } {% endfor %} } \ No newline at end of file diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old b/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old new file mode 100644 index 000000000..0797ccf1a --- /dev/null +++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old @@ -0,0 +1,12 @@ +dynamic_keyvault_secrets = { +{% for kv_key, kv_value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} + {{ kv_key }} = { +{% for key, value in kv_value.items() %} + {{ key }} = { + secret_name = "{{ value.secret_name }}" + value = "{{ value['value'] }}" + } +{% endfor %} + } +{% endfor %} +} \ No newline at end of file diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2 index c3fb3d132..cc3ef7b07 100644 --- a/templates/resources/landingzone.tfvars.j2 +++ b/templates/resources/landingzone.tfvars.j2 
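Review bot: The new inner loop writes every field as `{{l2_key}} = "{{l2_value}}"` with hand-placed quotes, so a value containing a double quote or a backslash produces invalid or altered HCL, and non-string values are forced to strings. `{{l2_key}} = {{ l2_value | to_json }}` escapes correctly and preserves booleans and numbers, which is what a generic key/value loop should do. If any `value` entries here are literal secrets rather than references, the rendered tfvars carries them in clear text under the destination folder, as the previous version also did; a short header comment on the template warning that the generated file must not be committed would be worthwhile.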
@@ -3,49 +3,56 @@ landingzone = { {% if config.tfstates['asvm'][subscription_key].level is defined %} {% set level = config.tfstates['asvm'][subscription_key].level %} level = "{{ level }}" -{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first %} - {% set level = config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first].level %} +{% elif resources.deployments.landingzone.key.platform.values() | first %} + {% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].level %} level = "{{ level }}" +{% elif resources.deployments.landingzone is defined %} + {% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level %} + level = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level}}" {% else %} - {% set level = config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %} + {% set level = config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %} level = "{{ level }}" {% endif %} -{% if deployments.deployments[subscription_key][deployment].landingzone.key.asvm is defined %} -{% for l_key, l_value in deployments.deployments[subscription_key][deployment].landingzone.key.asvm.items() %} +{% if resources.deployments.landingzone.key.asvm is defined %} +{% for l_key, l_value in resources.deployments.landingzone.key.asvm.items() %} key = "{{ config.tfstates['asvm'][l_key][l_value].lz_key_name}}" {% endfor %} -{% elif deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first %} - key = 
"{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.key.platform.values() | first].lz_key_name }}" +{% elif resources.deployments.landingzone.key.platform.values() | first %} + key = "{{ config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].lz_key_name }}" +{% elif resources.deployments.landingzone.key.platform is defined %} + key = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].lz_key_name}}" {% else %} - key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}" + key = "{{ config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}" {% endif %} -{% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform is defined %} -{% if deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.values() | first %} - global_settings_key = "{{ config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.keys() | first][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.values() | first].lz_key_name }}" +{% if resources.deployments.landingzone.global_settings_key.platform is defined %} +{% if resources.deployments.landingzone.global_settings_key.platform.values() | first %} + global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first][resources.deployments.landingzone.global_settings_key.platform.values() | first].lz_key_name }}" {% else %} - global_settings_key = "{{ 
config.tfstates['platform'][deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" + global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" {% endif %} +{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is defined %} + global_settings_key = "{{ config.tfstates['platform'][resources.deployments[subscription_key].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" +{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is not defined %} {% else %} -{% for m_key, m_value in deployments.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %} +{% for m_key, m_value in resources.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %} global_settings_key = "{{ config.tfstates['asvm'][m_key][m_value].lz_key_name }}" {% endfor %} {% endif %} - -{% if deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates is defined %} +{% if resources.deployments.landingzone.remote_tfstates is defined %} tfstates = { -{% if deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.asvm is defined %} -{% for a_key, a_value in deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.asvm.items() %} +{% if resources.deployments.landingzone.remote_tfstates.asvm is defined %} +{% for a_key, a_value in resources.deployments.landingzone.remote_tfstates.asvm.items() %} {{ config.tfstates['asvm'][a_key][a_value].lz_key_name }} = { tfstate = "{{ config.tfstates['asvm'][a_key][a_value].tfstate }}" workspace = "{{ config.tfstates['asvm'][a_key].workspace }}" } {% endfor %} {% endif %} -{% if deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform is defined %} -{% for 
p_key in deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform.keys() %} -{% if config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]] is defined %} - {{ config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = { - {% set remote_tfstate = config.tfstates['platform'][p_key][deployments.deployments[subscription_key][deployment].landingzone.remote_tfstates.platform[p_key]] %} +{% if resources.deployments.landingzone.remote_tfstates.platform is defined %} +{% for p_key in resources.deployments.landingzone.remote_tfstates.platform.keys() %} +{% if config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]] is defined %} + {{ config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = { + {% set remote_tfstate = config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]] %} tfstate = "{{ remote_tfstate.tfstate }}" workspace = "{{ remote_tfstate.workspace | default('tfstate') }}" {% if remote_tfstate.level != level %} @@ -66,10 +73,9 @@ landingzone = { } {% endif %} } - -{% if deployments.deployments[subscription_key][deployment].custom_variables is defined %} +{% if resources.deployments[subscription_key][deployment].custom_variables is defined %} custom_variables = { -{% for cv_key, cv_value in deployments.deployments[subscription_key][deployment].custom_variables.items() %} +{% for cv_key, cv_value in resources.deployments[subscription_key][deployment].custom_variables.items() %} {{cv_key}} = "{{cv_value}}" {% endfor %} } diff --git a/templates/resources/storage_accounts.tfvars.j2 b/templates/resources/storage_accounts.tfvars.j2 new file mode 100644 index 000000000..b9d9079ec --- /dev/null 
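Review bot: In the `level` selection, `{% elif resources.deployments.landingzone.key.platform.values() | first %}` is tested before `{% elif resources.deployments.landingzone is defined %}`, so when `landingzone` is absent the first branch raises an undefined-variable error and the `is defined` guard after it is never reached; the `key` block repeats the same order with `key.platform is defined`. Swapping the two branches, or guarding the first as `landingzone.key.platform is defined and landingzone.key.platform.values() | first`, makes the fallback reachable. Two leftovers in the same hunk: the `{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is not defined %}` branch is empty, and the `{% else %}` branches still index `resources.deployments[subscription_key][deployment]`, the shape every other lookup in this rewrite has moved away from. The hunk starts inside the `landingzone = {` block opened above it.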
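Review bot: `custom_variables` still reads `resources.deployments[subscription_key][deployment].custom_variables`, whereas every other lookup in this template was switched to `resources.deployments.landingzone` in the same commit; with `resources` now being the deployment YAML itself (per process_stages.yaml), `resources.deployments[subscription_key]` presumably no longer exists, so the `is defined` test is simply false and custom variables are silently dropped. `{% if resources.deployments.custom_variables is defined %}` with the matching loop target looks like the intended form — worth confirming against a config that actually uses custom_variables.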
+++ b/templates/resources/storage_accounts.tfvars.j2 
@@ -0,0 +1,110 @@
+storage_accounts = {
+{% for key, value in resources.subscriptions[subscription_key].storage_accounts.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+ resource_group_key = "{{ value.resource_group_key }}"
+ account_kind = "{{ value.account_kind | default('BlobStorage') }}"
+ account_tier = "{{ value.account_tier | default('Standard') }}"
+ shared_access_key_enabled = {{ value.shared_access_key_enabled | lower | default('false') }}
+ account_replication_type = "{{ value.account_replication_type }}"
+{% if value.access_tier is defined %}
+ access_tier = "{{ value.access_tier }}"
+{% endif %}
+{% if value.min_tls_version is defined %}
+ min_tls_version = "{{ value.min_tls_version }}"
+{% endif %}
+{% if value.allow_blob_public_access is defined %}
+ allow_blob_public_access = {{ value.allow_blob_public_access | lower }}
+{% endif %}
+{% if value.is_hns_enabled is defined %}
+ is_hns_enabled = {{ value.is_hns_enabled | lower }}
+{% endif %}
+{% if value.nfsv3_enabled is defined %}
+ nfsv3_enabled = {{ value.nfsv3_enabled | lower }}
+{% endif %}
+{% if value.large_file_share_enabled is defined %}
+ large_file_share_enabled = {{ value.large_file_share_enabled | lower }}
+{% endif %}
+{% if value.enable_system_msi is defined %}
+ enable_system_msi = {{ value.enable_system_msi | lower }}
+{% endif %}
+
+{% if value.blob_properties is defined %}
+ blob_properties = {
+{% if value.blob_properties.versioning_enabled is defined %}
+ versioning_enabled = {{ value.blob_properties.versioning_enabled | lower }}
+{% endif %}
+{% if value.blob_properties.change_feed_enabled is defined %}
+ change_feed_enabled = {{ value.blob_properties.change_feed_enabled | lower }}
+{% endif %}
+{% if value.blob_properties.last_access_time_enabled is defined %}
+ last_access_time_enabled = {{ value.blob_properties.last_access_time_enabled | lower }}
+{% endif %}
+{% if value.blob_properties.default_service_version is defined %}
+ default_service_version = "{{ value.blob_properties.default_service_version }}"
+{% endif %}
+{% if value.blob_properties.container_delete_retention_policy is defined %}
+ container_delete_retention_policy = {
+ days = {{ value.blob_properties.container_delete_retention_policy.days }}
+ }
+{% endif %}
+{% if value.blob_properties.delete_retention_policy is defined %}
+ delete_retention_policy = {
+ days = {{ value.blob_properties.delete_retention_policy.days }}
+ }
+{% endif %}
+ }
+{% endif %}
+
+{% if value.network is defined %}
+ network = {
+{% if value.network.default_action is defined %}
+ default_action = {{ value.network.default_action | lower }}
+{% endif %}
+{% if value.network.bypass is defined %}
+ bypass = {{ value.network.bypass | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% if value.network.ip_rules is defined %}
+ ip_rules = {{ value.network.ip_rules | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% if value.network.subnets is defined %}
+ subnets = {
+{% for s_key, s_value in value.network.subnets.items() %}
+ {{ s_key }} = {
+{% if s_value.remote_subnet_id is defined %}
+ remote_subnet_id = "{{ s_value.remote_subnet_id }}"
+{% else %}
+{% if s_value.lz_key is defined %}
+ lz_key = "{{ s_value.lz_key }}"
+{% endif %}
+ vnet_key = "{{ s_value.vnet_key }}"
+ subnet_key = "{{ s_value.subnet_key }}"
+{% endif %}
+ }
+{% endfor %}
+ }
+{% endif %}
+ }
+{% endif %}
+
+{% if value.containers is defined %}
+ containers = {
+{% for c_key, c_value in value.containers.items() %}
+ {{ c_key }} = {
+ name = "{{ c_value.name }}"
+ }
+{% endfor %}
+ }
+{% endif %}
+
+{% if value.tags is defined %}
+ tags = {
+{% for tag_key, tag_value in value.tags.items() %}
+ {{ tag_key }} = "{{ tag_value }}"
+{% endfor %}
+ }
+{% endif %}
+ }
+
+{% endfor %}
+}
\ No newline at end of file
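Review bot: `shared_access_key_enabled = {{ value.shared_access_key_enabled | lower | default('false') }}` applies `default` after `lower`, so when the key is absent from the resources YAML the secure default never takes effect — `lower` on an undefined value either yields an empty string or raises under Ansible's strict undefined handling, and the rendered line `shared_access_key_enabled = ` is not valid HCL; use the filter order this same patch uses for `internet_security_enabled`, i.e. `shared_access_key_enabled = {{ value.shared_access_key_enabled | default(false) | string | lower }}`. `default_action = {{ value.network.default_action | lower }}` has a second problem: the value is emitted unquoted and lower-cased, so `deny` is parsed as a bare identifier rather than the string value (`"Allow"`/`"Deny"`) the provider documents — render it as `default_action = "{{ value.network.default_action }}"`. Consider also giving `min_tls_version` and `allow_blob_public_access` explicit defaults (`"TLS1_2"`, `false`) instead of emitting them only when defined, so that a key missing from the YAML does not silently fall back to the provider's defaults.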
diff --git a/templates/platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2 b/templates/resources/vpn_gateway_connections.tfvars.j2
similarity index 60%
rename from templates/platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2
rename to templates/resources/vpn_gateway_connections.tfvars.j2
index 0720ce648..4cb978052 100644
--- a/templates/platform/level2/connectivity/vpn_site/vpn_gateways_connections.tfvars.j2
+++ b/templates/resources/vpn_gateway_connections.tfvars.j2
@@ -1,17 +1,18 @@
 vpn_gateway_connections = {
- {{ site }} = {
- name = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].name }}"
- internet_security_enabled = {{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].internet_security_enabled | default(true) | string | lower }} // propagate to default route table
+{% for key, value in resources.subscriptions[subscription_key].vpn_gateway_connections.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+ internet_security_enabled = {{ value.internet_security_enabled | default(true) | string | lower }} // propagate to default route table
 vpn_site = {
- key = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_site.key }}"
+ key = "{{ value.vpn_site.key }}"
 }
 virtual_hub = {
- lz_key = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].virtual_hub.lz_key }}"
- key = "{{ connectivity_vpn_gateway_connections.vpn_gateway_connections[site].virtual_hub.key }}"
+ lz_key = "{{ value.virtual_hub.lz_key }}"
+ key = "{{ value.virtual_hub.key }}"
 }
 vpn_links = {
-{% for link_key, link in connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_links.items() %}
+{% for link_key, link in value.vpn_links.items() %}
 {{ link_key }} = {
 name = "{{ link.name }}"
 shared_key = "{{ link.shared_key }}"
@@ -37,4 +38,5 @@ vpn_gateway_connections = {
 {% endfor %}
 }
 }
+{% endfor %}
 }
\ No newline at end of file
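Review bot: `shared_key = "{{ link.shared_key }}"` (unchanged context just below the new loop) means the IPsec pre-shared key of every link is now read from the per-subscription resources YAML and written in clear text into the generated tfvars, so the secret lives in at least two plain files, both of which are the kind of artefact that tends to end up under version control. If the CAF module accepts a Key Vault secret reference for this field, prefer that; otherwise document that `vpn_gateway_connections.*.vpn_links.*.shared_key` is a secret, make sure the rendered tfvars directory is git-ignored, and feed the YAML value from a vault-backed variable rather than a committed literal. The rest of the `vpn_links` body continues between the two hunks and is not visible here.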
diff --git a/templates/resources/vpn_sites.tfvars.j2 b/templates/resources/vpn_sites.tfvars.j2
new file mode 100644
index 000000000..d79984684
--- /dev/null
+++ b/templates/resources/vpn_sites.tfvars.j2
@@ -0,0 +1,38 @@
+vpn_sites = {
+{% for key, value in resources.subscriptions[subscription_key].vpn_sites.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+ resource_group = {
+ lz_key = "{{ value.resource_group.lz_key }}"
+ key = "{{ value.resource_group.key }}"
+ }
+ virtual_wan = {
+ lz_key = "{{ value.virtual_wan.lz_key }}"
+ key = "{{ value.virtual_wan.key }}"
+ }
+ device_vendor = "{{ value.device_vendor }}"
+ }
+{% if value.address_cidrs is defined %}
+ address_cidrs = {{ value.address_cidrs | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+ links = {
+{% for link_key, link in value.links.items() %}
+ {{ link_key }} = {
+ name = "{{ link.name }}"
+ ip_address = "{{ link.ip_address }}"
+ provider_name = "{{ link.provider_name }}"
+ speed_in_mbps = "{{ link.speed_in_mbps }}"
+{% if link.fqdn is defined %}
+ fqdn = "{{ ink.fqdn }}"
+{% endif %}
+{% if link.bgp is defined %}
+ bgp = {
+ asn = "{{ link.bgp.asn }}"
+ peering_address = "{{ link.bgp.peering_address }}"
+ }
+{% endif %}
+ }
+{% endfor %}
+ }
+{% endfor %}
+}
\ No newline at end of file
From a5b31ca9a09bf742ce47f76bdab618c848d430ff Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Mon, 14 Feb 2022 12:16:17 +0000 Subject: [PATCH 39/67] Fix type --- templates/platform/ansible.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml
index 2f33594bd..3a1701774 100644
--- a/templates/platform/ansible.yaml
+++ b/templates/platform/ansible.yaml
@@ -36,7 +36,7 @@
 - include_tasks: "process_foundations.yaml"
 loop: "{{bootstrap.deployments.keys()}}"
- when: boostrap is defined
+ when: bootstrap is defined
 loop_control:
 loop_var: stage
 vars:
From a1f522e606c81da9a5e85b0ff35baf1462fe2fa5 Mon Sep 17 00:00:00 2001
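Review bot: The `}` emitted right after `device_vendor = "{{ value.device_vendor }}"` closes the `{{ key }}` object too early, so `address_cidrs` and `links` land at the top level of the `vpn_sites` map (and `links` is repeated for every site, which Terraform rejects as a duplicate attribute); drop that `}` and emit it after the closing `}` of the `links` map, immediately before the outer `{% endfor %}`. `fqdn = "{{ ink.fqdn }}"` references an undefined `ink` and should be `fqdn = "{{ link.fqdn }}"` — under Ansible's strict undefined handling this fails the render as soon as any link sets `fqdn`. Neither defect is caught at template time, so a small rendered fixture with one site and one link, run through `terraform fmt -check` or `terraform validate`, would be worth adding to the test loop.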
From: LaurentLesle Date: Mon, 14 Feb 2022 12:23:33 +0000 Subject: [PATCH 40/67] Update launchpad ansible --- .../{ansible.yaml.old => ansible.yaml} | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) rename templates/platform/level0/launchpad/{ansible.yaml.old => ansible.yaml} (90%) diff --git a/templates/platform/level0/launchpad/ansible.yaml.old b/templates/platform/level0/launchpad/ansible.yaml similarity index 90% rename from templates/platform/level0/launchpad/ansible.yaml.old rename to templates/platform/level0/launchpad/ansible.yaml index 3e58c3865..a60611111 100644 --- a/templates/platform/level0/launchpad/ansible.yaml.old +++ b/templates/platform/level0/launchpad/ansible.yaml 
@@ -1,29 +1,29 @@ -- name: "{{deployment}} - Set variables" - set_fact: - destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}" +# - name: "{{deployment}} - Set variables" +# set_fact: +# destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}" -- debug: - msg: - - "{{tfstate_object}}" - - "{{resources}}" +# - debug: +# msg: +# - "{{tfstate_object}}" +# - "{{resources}}" -- name: "[{{resources.relative_destination_folder}}] Clean-up directory" - file: - path: "{{destination_path}}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool +# - name: "[{{resources.relative_destination_folder}}] Clean-up directory" +# file: +# path: "{{destination_path}}" +# state: absent +# when: config.configuration_folders.platform.cleanup_destination | bool -- name: "[{{resources.relative_destination_folder}}] Creates directory" - file: - path: "{{destination_path}}" - state: directory +# - name: "[{{resources.relative_destination_folder}}] Creates directory" +# file: +# path: "{{destination_path}}" +# state: directory -- name: "{{deployment}} - process subscription resources" - include_tasks: "process_subscription_resources.yaml" - loop: "{{resources.subscriptions.keys()}}" - loop_control: - loop_var: subscription_key +# - name: "{{deployment}} - process subscription resources" +# include_tasks: "process_subscription_resources.yaml" +# loop: "{{resources.subscriptions.keys()}}" +# loop_control: +# loop_var: subscription_key # # # # container_groups From bf7ca31b197e3a64a80bb2e264e5d738a27a7c36 Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Mon, 14 Feb 2022 12:42:47 +0000 Subject: [PATCH 41/67] Update ASVM templates --- templates/platform/level2/asvm/ansible.yaml | 34 +++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml index 0b26e230c..c06883c46 100644 --- a/templates/platform/level2/asvm/ansible.yaml +++ b/templates/platform/level2/asvm/ansible.yaml 
@@ -24,6 +24,40 @@
 # path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
 # state: directory
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get launchpad tfstate details"
+ register: launchpad_tfstate_exists
+ ignore_errors: true
+ shell: |
+ az storage blob download \
+ --name "{{ config.tfstates.platform.launchpad.tfstate }}" \
+ --account-name "{{ launchpad_storage_account.stdout | default('') }}" \
+ --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
+ --auth-mode "login" \
+ --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get subscription_creation_landingzones details"
+ when:
+ - launchpad_tfstate_exists.rc == 0
+ - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+ register: launchpad_tfstate
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get launchpad json data"
+ when:
+ - launchpad_tfstate_exists.rc == 0
+ - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ set_fact:
+ scljsondata: "{{ launchpad_tfstate.stdout | from_json }}"
+
+- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - set launchpad_azuread_groups"
+ when:
+ - launchpad_tfstate_exists.rc == 0
+ - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ set_fact:
+ launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}"
+ vars:
+ path: 'outputs.objects.value.launchpad.azuread_groups'
+
 - name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name"
 register: level2_storage_account
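Review bot: The download task writes the complete launchpad Terraform state to `~/.terraform.cache/launchpad/` and nothing in this hunk removes it afterwards, so a file that can carry sensitive outputs (state files commonly do) is left in the runner's home directory after the play; add a trailing `file: path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}" state: absent` task, or at minimum create the cache directory with `mode: '0700'` before the download. `ignore_errors: true` also turns an authentication or RBAC failure on the download into a silent skip of the three dependent tasks, leaving `launchpad_azuread_groups` undefined; consider a `failed_when` that only tolerates the blob-not-found case (e.g. `failed_when: launchpad_tfstate_exists.rc != 0 and 'BlobNotFound' not in launchpad_tfstate_exists.stderr`, adjusting for the exact CLI error text). The `shell` commands interpolate config values straight into the command line; they come from operator-controlled YAML rather than user input so the risk is low, but passing each through `| quote` (e.g. `--name {{ config.tfstates.platform.launchpad.tfstate | quote }}`) costs nothing and is what ansible-lint expects. The enclosing play continues on both sides of this hunk.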
From bead8002c499c7be0ae642898d38b68882b059a8 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Mon, 14 Feb 2022 12:45:04 +0000 Subject: [PATCH 42/67] Update asvm --- templates/platform/level2/asvm/ansible.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml
index c06883c46..bc1a94d01 100644
--- a/templates/platform/level2/asvm/ansible.yaml
+++ b/templates/platform/level2/asvm/ansible.yaml
@@ -24,6 +24,16 @@
 # path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
 # state: directory
+- name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
+ register: launchpad_storage_account
+ shell: |
+ az storage account list \
+ --subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+ --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
+
+- debug:
+ msg: "{{launchpad_storage_account}}"
+
 - name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get launchpad tfstate details"
 register: launchpad_tfstate_exists
 ignore_errors: true
From 3e1301c48767eea77d9a207ab0ba9ddf8de72323 Mon Sep 17 00:00:00 2001
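Review bot: When no storage account matches the tag query, `[0]` evaluates to JSON `null` and `jq -r .name` prints the literal string `null`, so `launchpad_storage_account.stdout` is `"null"` rather than empty; the download task that follows (visible as trailing context) then runs `--account-name "null"`, fails, and is swallowed by its `ignore_errors: true`, so a missing or mis-tagged launchpad account never surfaces. Add `failed_when: launchpad_storage_account.stdout in ['', 'null']` to this task so the play stops with a clear message instead. The `--subscription` and tag values are interpolated unquoted into the shell line; they come from operator config, but `{{ config.caf_terraform.launchpad.subscription_id | quote }}` is the conventional hardening and keeps ansible-lint quiet. The enclosing play continues outside the hunk.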
From: LaurentLesle Date: Wed, 16 Feb 2022 10:37:53 +0000 Subject: [PATCH 43/67] Add support for single subscription deployment --- caf_solution/add-ons/caf_eslz/variables.tf | 5 - .../__pycache__/merge_vars.cpython-39.pyc | Bin 4806 -> 0 bytes .../applications/action_plugins/merge_vars.py | 155 --- .../ansible-get-platform-details.yaml | 82 -- templates/applications/ansible.yaml | 87 -- .../level3/ansible-subscription-id.yaml | 66 -- .../level3/ansible-subscription.yaml | 62 - templates/applications/level3/ansible.yaml | 58 - .../level3/resources/ansible.yaml | 262 ----- .../applications/level3/resources/readme.md | 35 - .../level3/storage_containers/ansible.yaml | 80 -- .../level3/storage_containers/readme.md | 28 - .../storage_containers.tfvars.j2 | 16 - .../level3/subscription/readme.md | 40 - templates/applications/level4/readme.md | 1 - .../asvm/orion-landingzone/deployments.yaml | 77 -- .../contoso/asvm/orion-landingzone/readme.md | 12 +- .../orion-landingzone/resources.asvm.yaml | 1015 ----------------- .../orion-landingzone/subscriptions.asvm.yaml | 13 - .../asvm/orion-landingzone/tfstates.asvm.yaml | 31 +- .../__pycache__/merge_vars.cpython-39.pyc | Bin 4806 -> 4802 bytes templates/platform/ansible.yaml | 26 +- templates/platform/generic/readme.md | 18 +- .../readme.md | 8 +- .../platform/level0/credentials/ansible.yaml | 154 --- .../platform/level0/credentials/readme.md | 15 +- .../platform/level0/launchpad/ansible.yaml | 165 +-- .../azuread_applications.tfvars.j2.old | 44 - .../launchpad/azuread_group_members.tfvars.j2 | 16 +- .../level0/launchpad/azuread_groups.tfvars.j2 | 101 -- .../launchpad/keyvault_policies.tfvars.j2.old | 64 -- .../launchpad/landingzone.tfvars.j2.old | 5 - templates/platform/level0/launchpad/readme.md | 17 +- .../launchpad/role_mappings.tfvars.j2.OLD | 213 ---- .../service_principals.tfvars.j2.old | 44 - .../level1/eslz/enterprise_scale.tfvars.j2 | 1 + .../level1/eslz/landingzone.tfvars.j2 | 2 +- 
templates/platform/level1/eslz/readme.md | 7 +- .../eslz/subscription_id_overrides.tfvars.j2 | 14 +- .../platform/level1/identity/ansible.yaml.old | 73 -- .../level1/identity/landingzone.tfvars.j2.old | 12 - templates/platform/level1/identity/readme.md | 7 +- .../level1/management/ansible.yaml.old | 162 --- .../management/landingzone.tfvars.j2.old | 12 - .../platform/level1/management/readme.md | 5 +- .../level1/subscriptions/ansible.yaml.old | 88 -- .../subscriptions/landingzone.tfvars.j2.old | 12 - .../platform/level1/subscriptions/readme.md | 5 +- .../level2/ansible_deployment.yaml.old | 29 - .../ansible_resource_deployment.yaml.old | 42 - .../level2/ansible_resource_type.yaml.old | 7 - templates/platform/level2/asvm/ansible.yaml | 70 -- .../level2/asvm/landingzone.tfvars.j2.old | 12 - templates/platform/level2/asvm/readme.md | 8 +- .../asvm/storage_accounts.tfvars.j2.old | 54 - .../level2/connectivity/ansible.yaml.old | 95 -- .../landingzone.tfvars.j2.old | 12 - .../azurerm_firewall_policies/readme.md | 8 +- .../landingzone.tfvars.j2.old | 18 - .../connectivity/azurerm_firewalls/readme.md | 8 +- .../express_route_circuit/readme.md | 4 +- .../express_route_circuit_peering/readme.md | 4 +- .../private_dns/landingzone.tfvars.j2.old | 20 - .../level2/connectivity/private_dns/readme.md | 8 +- .../platform/level2/connectivity/readme.md | 151 --- .../virtual_hubs/ansible.yaml.old | 20 - .../virtual_hubs/landingzone.tfvars.j2.old | 35 - .../connectivity/virtual_hubs/readme.md | 6 +- .../virtual_hubs_route_tables.tfvars.j2 | 35 - .../connectivity/virtual_wans/readme.md | 6 +- .../level2/connectivity/vpn_site/ansible.yaml | 20 - .../vpn_site/landingzone.tfvars.j2.old | 16 - .../level2/connectivity/vpn_site/readme.md | 39 - .../platform/level2/identity/ansible.yaml.old | 38 - .../level2/identity/identity_level2/readme.md | 2 +- .../identity/identity_level2_aadds/readme.md | 8 +- .../identity/identity_level2_adds/readme.md | 6 +- templates/platform/process_deployments.yaml 
| 26 +- templates/platform/process_foundations.yaml | 3 +- templates/platform/process_stages.yaml | 38 +- .../process_subscription_resources.yaml | 2 +- templates/platform/process_tfstate.yaml | 10 +- templates/resources/azuread_groups.tfvars.j2 | 14 +- templates/resources/landingzone.tfvars.j2 | 44 +- templates/resources/subscriptions.tfvars.j2 | 6 +- 85 files changed, 215 insertions(+), 4124 deletions(-) delete mode 100644 templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc delete mode 100644 templates/applications/action_plugins/merge_vars.py delete mode 100644 templates/applications/ansible-get-platform-details.yaml delete mode 100644 templates/applications/ansible.yaml delete mode 100644 templates/applications/level3/ansible-subscription-id.yaml delete mode 100644 templates/applications/level3/ansible-subscription.yaml delete mode 100644 templates/applications/level3/ansible.yaml delete mode 100644 templates/applications/level3/resources/ansible.yaml delete mode 100644 templates/applications/level3/resources/readme.md delete mode 100644 templates/applications/level3/storage_containers/ansible.yaml delete mode 100644 templates/applications/level3/storage_containers/readme.md delete mode 100644 templates/applications/level3/storage_containers/storage_containers.tfvars.j2 delete mode 100644 templates/applications/level3/subscription/readme.md delete mode 100644 templates/applications/level4/readme.md delete mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml delete mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml delete mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml delete mode 100644 templates/platform/level0/credentials/ansible.yaml delete mode 100644 templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old delete mode 100644 templates/platform/level0/launchpad/azuread_groups.tfvars.j2 delete mode 
100644 templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old delete mode 100644 templates/platform/level0/launchpad/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD delete mode 100644 templates/platform/level0/launchpad/service_principals.tfvars.j2.old delete mode 100644 templates/platform/level1/identity/ansible.yaml.old delete mode 100644 templates/platform/level1/identity/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level1/management/ansible.yaml.old delete mode 100644 templates/platform/level1/management/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level1/subscriptions/ansible.yaml.old delete mode 100644 templates/platform/level1/subscriptions/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/ansible_deployment.yaml.old delete mode 100644 templates/platform/level2/ansible_resource_deployment.yaml.old delete mode 100644 templates/platform/level2/ansible_resource_type.yaml.old delete mode 100644 templates/platform/level2/asvm/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/asvm/storage_accounts.tfvars.j2.old delete mode 100644 templates/platform/level2/connectivity/ansible.yaml.old delete mode 100644 templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/connectivity/readme.md delete mode 100644 templates/platform/level2/connectivity/virtual_hubs/ansible.yaml.old delete mode 100644 templates/platform/level2/connectivity/virtual_hubs/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/connectivity/virtual_hubs/virtual_hubs_route_tables.tfvars.j2 delete mode 100644 
templates/platform/level2/connectivity/vpn_site/ansible.yaml delete mode 100644 templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old delete mode 100644 templates/platform/level2/connectivity/vpn_site/readme.md delete mode 100644 templates/platform/level2/identity/ansible.yaml.old
diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf
index f67f92de1..2772c632c 100644
--- a/caf_solution/add-ons/caf_eslz/variables.tf
+++ b/caf_solution/add-ons/caf_eslz/variables.tf
@@ -89,11 +89,6 @@ variable "root_parent_id" {
 type = string
 description = "If specified, will deploy the Enterprise scale bellow the root_parent_id."
 default = null
-
- validation {
- condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id))
- error_message = "The root_parent_id value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens."
- }
 }
 
 variable "deploy_core_landing_zones" {
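Review bot: Removing the `validation` block drops the only input check on `root_parent_id`; if the motivation was that `can(regex(..., var.root_parent_id))` fails whenever the variable is left at its `null` default (which it does, since `regex` does not accept a null string), the fix is to short-circuit on null rather than delete the check: `condition = var.root_parent_id == null || can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id))`. If instead the 2–10 character bound was too tight for real management-group IDs, widen the length but keep the character-class restriction, because this value is passed down as the parent of the management-group hierarchy the Enterprise Scale add-on deploys and should not accept arbitrary text. The commit message ("Add support for single subscription deployment") does not say which case applies, so a short note in `description` about the accepted format would also help the next reader; `variable "deploy_core_landing_zones"` continues outside the hunk.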
diff --git a/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/applications/action_plugins/__pycache__/merge_vars.cpython-39.pyc deleted file mode 100644 index 234152fea485aa659350e63eef21fecc16f60d7a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4806 zcmZu#&2uA16`!6NNn=^IwO+@`CSj`s0k0^p6q4m@vly1_h6IQ!MHVQOY$;=POPcj) zM%&%8S7Ka6#arxhp^|GVMcKz(IPh0+;t!ZBC(hhB5Pq*m^4Bu1ZuQr^?tbt0e(#OL zrKPHaXD{)0{;}>j|D?{@CqU;XDEf0$!f88#2{&d#x9u`&d$Bk4+rDl4acNj?mzguI zW2O{WhCw@E&TpOMRo{^dlaH7~f0!%B)!|}$kvVel&}j$1a}xJ8=Vy+nh~Tj!0_h%l z?V4B+)yGbINi2#QewW3PSjO*)SP^yn*2N{Uir-7(@&`_1ZTfljcEWEbI@*aP54$Ex z6F!Q^{V3rkR6#Zfmhd?*zr`aJD%5p@j@6T#z18{Wg4x>>Cbj2Y>htyVuW zgYizYn+{vC3`aec_R}Pe64?rit*(hs5s@Cn;e?uZie{GtoqarXeuAQ3 zL?xXz6HeO|tnG=C@Pz-EwSD12J!R}>_kJ%GV_f9d%yFt5&wF%w(hkQBq7b^%92)DU ziII;C-^cZN$h%UR5W{-h>qU?FHBy!4sj|vLBZ(&sD~|NoRWdY?$rHJMB9)s#XslSs z(dbF8q#nnHOkf6)wkDBHes3VPw6dZkGEo@MHkIN;mge0s;X9HG*~22tgvn%oAeE$} zljtbfgCbKk*`!16OlD`B@D#HOTfum5@=)_Q1qkqq;mOA7`}6Df@HWX)<0K)tkU2K3 zF#7_uhErGo2w;Zvx!om`%pdZtG76392hjOb=YjKp9l=DxJ$C=ZPWm4854@AUFG}e9 zC;jpIRwAgj=-gCGm~&aV3@Q#G9AIom4tor8tMkEnj%EMoZ?R=pd zb_bH&B>WZ3c@Nn5_+;o~o{lW-h!kFwq@b0q8N;_GT!4X+32>hDH@S|It~{Zt*PGvM z^6iulLj&I6`|y)Z3%a>OaxD!oj4^o0jM4U^0(&$y!#pt;90SMWQIAj3F&~6`(h`~- zCj82TjxL&<-%EKP@2W_gIN*M$2;`e^%wdW*3HWC(7pnev2)E)O!69uxjs*4~UBZJx zy-RZGkTXeOkK&YtKtU%Bd2ejS@U%S%?Si7`?q6K2*>H286rTIUG1Kektip$5P&8bQ zu6=ET)@_i3Z_wI}Msxbo1?!%DVcNVnx$#ZC!Esz`DX>cnWt=i_yV^Mc&b0NO<;fZU z*<(mhou$W(({&p#ZmQJel`g<>^0;V~P%fibqV7AHbAR=KW$XxyaLkmSvCrIx{s+#N z6ea?Q)+G8%H+P$_<=(DD5Kt6~)g@H_d8cK1t!~(B#o$|*Y?>xgw~QQupA1^zh{9Y* zSVYJ2ey7l{Zk?K}Ihy3vTckQfx6#&{bUGhZz^Y$OUp*Txn&7|YtvKz5vED*s{>tGeBlvSIjcf>dCDg1o@0<4j~B zIKuzw^w?u*7UVlNEyyd~L74QVXk5-q9ojhe;S@Ue;7Yl_lcsU*!&X|6wezZwBd`c8 zA`}GxMaosHG*t#lFr2f!yo?wF*Uzhn{)sjrsKK5%uNIafWvdk{uNWx2gAUoKDhm6# zXNDv75(%exqZX;EQME+XH&D%m0pmI^TREaov1dgT*s>x>fw>2Rzk-IogUVrb`?t*2 z+&c4_`<1^CumCNpYpluw_eHN>S@WuBm)$Z}*HD&Sm({=WOJ(N%cUr%Qr-r+|-6+Ap 
zmWDf>9PT!>$qCxEPUj(rlL#8UN~a^zZl|MKI80$?a)UDlub}$^$_&4LplIY=C?@Dp zd5f0)4V8ft8g_^@7U9Ut5Zdm4e&A=W{#NE4xtUL4?cr+XA9)n^?q>(3tdw~OsP7;U zm999Mmz8cg51YoP7Q$HR&{fKmi(av&?`GKHnUxq*e=(JdD>J0M^R?&qz&SjGG&cQ( zO)@~<1#SrodXqmOS{#oArCp$cf|iKBVec_Qk>yy4eC!cIi!|M)mC^|EDxyVq*G9Yo zW934M1&z7}EfwC=pw_ohHOlHbwJpXhyqf6d9yU_X(ZmJA&^sTYXmWVRuUgRftX8f8 zG|Oz6y^L}du(Hy-#FX=gT!xA@*w@iGHJEWT$}pf@b=7!K8?`Csv*`_rY=v^jbLPrH zLI+2rkTz`cI~4ILNbZNoauE$1zPf=83csuLK%zz_`J&AXERo8Fcjn%7<%<_34eg_7 zazV$1PuQy}8b5a}x*`z)T}>C)dg36-LPChtX_jE=s|KG|l+*|Wg+^)mJ$^UQ6gF)d zP3ihj4tEej$+p7@U6qHJp3xV#CT;R(2$*($gLWowK@h4RFsKz2eCYlLpJoqT;UEaH zZG;=Le#2F3_{seU?E57n)&uXHI$pkTt1khok=ptM>l9ge`n6L~oe3KAb<^9oarzlB zPY8G(*k?%9aD2gM`_7W+hllD4RDHjEPAB+BoqR9uGKvDmhTM$CuLea0H!si0B z%)Cx_$Qal+prk2tEjy!ao&N7uAwRdtp&Ek(5mS+2M}|Hpk&wg^U#nxyccmN^*~w<{ z#XlRjj?Tx)Ak+g&kgYhItb;$|Xcu3aM6^x*PCAmkF(verU+>#&0-+L#Es(6o-2vZ; z`UN7ar_Kc-C8ktZBI%{{HRNz28~5o$Akum)XOztHGLkpsf3VDtp#c07fXE6N#7*=r zD)a{!`wXQZo$@>&D;nQ!tSa*K_WCS`Y0fghW|0soGD5yQpOo}Z2yHzoU!4z*O%&@U z<#slAp?O>h?99gdL4*#BST&z*m1_P+~7A=d_DOYoKs3$7*O+k>9Dl=WSk lfCRUSTwu$BngHlmYRD>TCFB(J%W7WzPViE&5R`+({{j43^8^3@ diff --git a/templates/applications/action_plugins/merge_vars.py b/templates/applications/action_plugins/merge_vars.py deleted file mode 100644 index b7edcc27a..000000000 --- a/templates/applications/action_plugins/merge_vars.py +++ /dev/null 
@@ -1,155 +0,0 @@ -#!/usr/bin/env python - -""" -An Ansible action plugin to allow explicit merging of dict and list facts. - -https://github.com/leapfrogonline/ansible-merge-vars/blob/master/LICENSE.md - -""" - -from ansible.plugins.action import ActionBase -from ansible.errors import AnsibleError -from ansible.utils.vars import isidentifier - - -# Funky import dance for Ansible backwards compatitility (not sure if we -# actually need to do this or not) -try: - from __main__ import display -except ImportError: - from ansible.utils.display import Display # pylint: disable=ungrouped-imports - display = Display() - - -class ActionModule(ActionBase): - """ - Merge all variables in context with a certain suffix (lists or dicts only) - and create a new variable that contains the result of this merge. These - initial suffixed variables can be definied anywhere in the inventory, or by - any other means; as long as they're in the context for the running play, - they'll be merged. - - """ - def run(self, tmp=None, task_vars=None): - suffix_to_merge = self._task.args.get('suffix_to_merge', '') - merged_var_name = self._task.args.get('merged_var_name', '') - dedup = self._task.args.get('dedup', True) - expected_type = self._task.args.get('expected_type') - recursive_dict_merge = bool(self._task.args.get('recursive_dict_merge', False)) - - if 'cacheable' in self._task.args.keys(): - display.deprecated( - "The `cacheable` option does not actually do anything, since Ansible 2.5. " - "No matter what, the variable set by this plugin will be set in the fact " - "cache if you have fact caching enabled. To get rid of this warning, " - "remove the `cacheable` argument from your merge_vars task. This warning " - "will be removed in a future version of this plugin." 
- ) - - # Validate args - if expected_type not in ['dict', 'list']: - raise AnsibleError("expected_type must be set ('dict' or 'list').") - if not merged_var_name: - raise AnsibleError("merged_var_name must be set") - if not isidentifier(merged_var_name): - raise AnsibleError("merged_var_name '%s' is not a valid identifier" % merged_var_name) - if not suffix_to_merge.endswith('__to_merge'): - raise AnsibleError("Merge suffix must end with '__to_merge', sorry!") - - keys = sorted([key for key in task_vars.keys() - if key.endswith(suffix_to_merge)]) - - display.v("Merging vars in this order: {}".format(keys)) - - # We need to render any jinja in the merged var now, because once it - # leaves this plugin, ansible will cleanse it by turning any jinja tags - # into comments. - # And we need it done before merging the variables, - # in case any structured data is specified with templates. - merge_vals = [self._templar.template(task_vars[key]) for key in keys] - - # Dispatch based on type that we're merging - if merge_vals == []: - if expected_type == 'list': - merged = [] - else: - merged = {} - elif isinstance(merge_vals[0], list): - merged = merge_list(merge_vals, dedup) - elif isinstance(merge_vals[0], dict): - merged = merge_dict(merge_vals, dedup, recursive_dict_merge) - else: - raise AnsibleError( - "Don't know how to merge variables of type: {}".format(type(merge_vals[0])) - ) - - return { - 'ansible_facts': {merged_var_name: merged}, - 'changed': False, - } - - -def merge_dict(merge_vals, dedup, recursive_dict_merge): - """ - To merge dicts, just update one with the values of the next, etc. 
- """ - check_type(merge_vals, dict) - merged = {} - for val in merge_vals: - if not recursive_dict_merge: - merged.update(val) - else: - # Recursive merging of dictionaries with overlapping keys: - # LISTS: merge with merge_list - # DICTS: recursively merge with merge_dict - # any other types: replace (same as usual behaviour) - for key in val.keys(): - if not key in merged: - # first hit of the value - just assign - merged[key] = val[key] - elif isinstance(merged[key], list): - merged[key] = merge_list([merged[key], val[key]], dedup) - elif isinstance(merged[key], dict): - merged[key] = merge_dict([merged[key], val[key]], dedup, recursive_dict_merge) - else: - merged[key] = val[key] - return merged - - -def merge_list(merge_vals, dedup): - """ To merge lists, just concat them. Dedup if wanted. """ - check_type(merge_vals, list) - merged = flatten(merge_vals) - if dedup: - merged = deduplicate(merged) - return merged - - -def check_type(mylist, _type): - """ Ensure that all members of mylist are of type _type. """ - if not all(isinstance(item, _type) for item in mylist): - raise AnsibleError("All values to merge must be of the same type, either dict or list") - - -def flatten(list_of_lists): - """ - Flattens a list of lists: - >>> flatten([[1, 2] [3, 4]]) - [1, 2, 3, 4] - - I wish Python had this in the standard lib :( - """ - return list((x for y in list_of_lists for x in y)) - - -def deduplicate(mylist): - """ - Just brute force it. This lets us keep order, and lets us dedup unhashable - things, like dicts. Hopefully you won't run into such big lists that - this will ever be a performance issue. - """ - deduped = [] - for item in mylist: - if item not in deduped: - deduped.append(item) - return deduped \ No newline at end of file diff --git a/templates/applications/ansible-get-platform-details.yaml b/templates/applications/ansible-get-platform-details.yaml deleted file mode 100644 index 24efbc579..000000000 
--- a/templates/applications/ansible-get-platform-details.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# Get Platform subscriptions - -- name: "Get platform subscriptions tfstate details" - register: subscription_tfstate_file_name - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates["platform"].platform_subscriptions.level | default('level1') }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -# - debug: -# when: lookup('file', '{{ config_folder_platform }}/subscriptions.yaml', errors='ignore') -# msg: "{{ subscription_tfstate_file_name.stdout }}" - -- name: "Download platform subscriptions tfstate details" - register: platform_subscription_tfstate_exists - shell: | - az storage blob download \ - --name "{{ config.tfstates["platform"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}" \ - --account-name "{{ subscription_tfstate_file_name.stdout }}" \ - --container-name "tfstate" \ - --auth-mode "login" \ - --file "{{ job_cache_base_path }}/{{ config.tfstates["platform"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}" - -- name: "Get platform_subscriptions details" - when: - - platform_subscription_tfstate_exists.rc == 0 - shell: "cat {{ job_cache_base_path }}/{{ config.tfstates[\"platform\"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}" - register: platform_subscriptions - -- name: "Get platform_subscriptions json data" - when: platform_subscription_tfstate_exists.rc == 0 - set_fact: - platform_sub_jsondata: "{{ platform_subscriptions.stdout | from_json }}" - -- name: "Get subscriptions list" - when: platform_subscription_tfstate_exists.rc == 0 - set_fact: - platform_subscriptions_details: "{{ platform_sub_jsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.{{ config.tfstates["platform"].platform_subscriptions.lz_key_name }}.subscriptions' - - -# Get Platform 
keyvaults -- name: "Get tfstate keyvaults account name" - register: launchpad_storage_account - ignore_errors: yes - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates["platform"].launchpad.level | default('level0') }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -- debug: - msg: "{{launchpad_storage_account}}" - -- name: "Get tfstate keyvaults details" - register: credentials_tfstate_exists - when: launchpad_storage_account.stderr == "" - ignore_errors: yes - shell: | - az storage blob download \ - --name "{{ config.tfstates["platform"].launchpad_credentials.tfstate | default('launchpad_credentials.tfstate') }}" \ - --account-name "{{ launchpad_storage_account.stdout }}" \ - --container-name "{{ config.tfstates["platform"].launchpad.workspace | default('tfstate') }}" \ - --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates["platform"].launchpad_credentials.tfstate | default('launchpad_credentials.tfstate') }}" - -- name: "Get launchpad_credentials details" - when: credentials_tfstate_exists is not skipped - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates[\"platform\"].launchpad_credentials.tfstate | default('launchpad_credentials.tfstate') }}" - register: launchpad_credentials - -- name: "Get launchpad_credentials json data" - when: credentials_tfstate_exists is not skipped - set_fact: - credjsondata: "{{ launchpad_credentials.stdout | from_json }}" - -- name: "Set keyvaults variable" - when: credentials_tfstate_exists is not skipped - set_fact: - keyvaults: "{{ credjsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults'
diff --git a/templates/applications/ansible.yaml b/templates/applications/ansible.yaml
deleted file mode 100644
index 549560c98..000000000
--- a/templates/applications/ansible.yaml
+++ /dev/null
@@ -1,87 +0,0 @@ -- name: CAF Terraform - Generate configuration files - hosts: localhost - vars: - base_templates_folder: "{{ base_templates_folder }}/asvm" - resource_template_folder: "{{ base_templates_folder }}/resources" - subscriptions: "{{ lookup('file', '{{ config_folder }}/subscriptions.yaml') | from_yaml }}" - level: level3 - - - tasks: - - - name: "Load variable for landingzones config" - include_vars: - name: asvm_config__to_merge - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml" - - - name: "Set base variables" - set_fact: - job_cache_base_path: "/home/vscode/.terraform.cache" - config: "{{asvm_config__to_merge}}" - - - name: "Content of asvm_config__to_merge" - debug: - msg: "{{asvm_config__to_merge}}" - - - name: "Load variable for platform config" - include_vars: - name: platform_config__to_merge - dir: "{{config_folder_platform | default(config_folder)}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml" - - - name: "Content of platform_config__to_merge" - debug: - msg: "{{platform_config__to_merge}}" - - - name: Merge asvm and platform variables - merge_vars: - suffix_to_merge: config__to_merge - merged_var_name: config - expected_type: 'dict' - recursive_dict_merge: True - - - name: "Set base config variables" - set_fact: - config: "{{ ansible_facts.config }}" - - - name: "Content of config" - debug: - msg: "{{config}}" - - - - name: "Creates cache directory" - file: - path: "{{ job_cache_base_path }}/launchpad" - state: directory - - - - name: "{{ level }} | Get platform details (requires '-e config_folder_platform=path to yamls' path to be set)" - include_tasks: "ansible-get-platform-details.yaml" - when: - - config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'reuse_subscriptions' - - config_folder_platform is defined - -# -# Level 3 -# - - # landingzones 
deployments - - - name: "{{ level }} | landingzones" - include_tasks: "{{ level }}/ansible.yaml" - loop: "{{asvm_config__to_merge.deployments.keys()}}" - loop_control: - loop_var: asvm_long_folder - -# -# Linters -# - - - name: Terraform linter - shell: | - terraform fmt -recursive {{ destination_base_path }}
diff --git a/templates/applications/level3/ansible-subscription-id.yaml b/templates/applications/level3/ansible-subscription-id.yaml
deleted file mode 100644
index 571777bb6..000000000
--- a/templates/applications/level3/ansible-subscription-id.yaml
+++ /dev/null
@@ -1,66 +0,0 @@ -- name: "Load variable for subscriptions" - include_vars: - name: subscriptions - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "subscriptions.asvm.yaml|subscription.asvm.yaml" - -- name: "Content of subscriptions" - debug: - msg: "{{subscriptions}}" - -- name: "[{{ level }}-{{ subscription_key }}] Get tfstate details" - register: subscription_tfstate_storage_account_name - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates['asvm'][subscription_key].level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -- debug: - msg: "{{ subscription_tfstate_storage_account_name.stdout }}" - -- name: "[{{ level }}-{{ subscription_key }}] Download tfstate details" - register: subscription_tfstate_exists - ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}" \ - --account-name "{{ subscription_tfstate_storage_account_name.stdout }}" \ - --container-name "{{ config.tfstates['asvm'][subscription_key].workspace }}" \ - --auth-mode "login" \ - --file "{{ job_cache_base_path }}/{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}" - -- debug: - msg: "{{ subscription_tfstate_exists }}" - when: subscriptions.subscriptions[subscription_key] is defined - -- name: "[{{ level }}-{{ subscription_key }}] Get landingzones_subscriptions details" - shell: "cat {{ job_cache_base_path }}/{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}" - register: platform_subscriptions - when: - - subscriptions.subscriptions[subscription_key] is defined - - subscription_tfstate_exists.rc == 0 - -- name: "[{{ level }}-{{ subscription_key }}] Get subscriptions data" - when: - - subscriptions.subscriptions[subscription_key] is defined - - 
subscription_tfstate_exists.rc == 0 - set_fact: - asvm_subscriptions_details: "{{ platform_subscriptions.stdout | from_json | json_query(path) }}" - vars: - path: 'outputs.objects.value."{{ config.tfstates["asvm"][subscription_key].subscriptions.lz_key_name }}".subscriptions' - -- name: "[{{ level }}-{{ subscription_key }}] cleanup" - when: - - subscriptions.subscriptions[subscription_key] is defined - - subscription_tfstate_exists.rc == 0 - file: - path: "{{ job_cache_base_path }}/{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}" - state: absent - -- debug: - msg: "Platform subscriptions - {{ asvm_subscriptions_details }}" - when: - - subscriptions.subscriptions[subscription_key] is defined - - subscription_tfstate_exists.rc == 0
diff --git a/templates/applications/level3/ansible-subscription.yaml b/templates/applications/level3/ansible-subscription.yaml
deleted file mode 100644
index da33410fe..000000000
--- a/templates/applications/level3/ansible-subscription.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ - -- name: set destination paths - set_fact: - destination_path: "{{ destination_base_path }}/{{ subscription_key }}/subscription" - deployment: "subscriptions" - -- name: "Clean-up directory - subscription - {{ destination_path }}" - file: - path: "{{ destination_path }}" - state: absent - -- name: "Content of subscriptions' resources" - debug: - msg: "{{resources}}" - -- name: "[{{ level }} {{ subscription_key }}] Creates directory" - file: - path: "{{ destination_path }}" - state: directory - -# -# global_settings -# -- name: "[{{ level }} {{ subscription_key }}] - subscription - global_settings" - when: resources.subscriptions[subscription_key].global_settings is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/global_settings.tfvars.j2" -# -# landingzone -# -- name: "[{{ level }} {{ subscription_key }}] - subscription - landingzone" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/landingzone.tfvars.j2" -# -# subscription -# -- name: "[{{ level }} {{ subscription_key }}] - subscription - subscription" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/subscriptions.tfvars.j2" - -# -# Readme -# -- name: "[{{ level }}-{{ subscription_key }}] - subscription - *.md" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ base_templates_folder }}/{{ level }}/subscription/*.md" 
diff --git a/templates/applications/level3/ansible.yaml b/templates/applications/level3/ansible.yaml
deleted file mode 100644
index ed6688cfb..000000000
--- a/templates/applications/level3/ansible.yaml
+++ /dev/null
@@ -1,58 +0,0 @@ -- name: set asvm context - set_fact: - asvm_folder: "{{ asvm_long_folder if 'path' not in asvm_long_folder else asvm_long_folder.path | regex_search('[^\/]+(?=\/$|$)') }}" - -- name: "[{{ level }}-{{ asvm_folder }}] Set cache folder" - set_fact: - # job_cache_base_path: "/home/vscode/.terraform.cache" - subscription_key: "{{ asvm_folder }}" - -- name: "Load variable for deployments" - include_vars: - name: deployments - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "deployments.asvm.yaml|deployments.yaml" - -- debug: - msg: "{{deployments}}" - -### Generate remote state storage containers - -- name: "[{{ level }} {{ subscription_key }}] - remote state container" - include_tasks: "{{ level }}/storage_containers/ansible.yaml" - when: - - deployments.deployments[subscription_key].storage_containers is defined - -#### Get subscription_id - -- name: "[{{ level }} {{ subscription_key }}] - subscription" - include_tasks: "{{ level }}/ansible-subscription-id.yaml" - when: - - config.tfstates['asvm'][subscription_key].subscriptions is defined - - config.tfstates['asvm'][subscription_key].subscriptions.subscription_id is not defined - -### Subscription - -- name: "Load variable for subscriptions" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "subscriptions.asvm.yaml|subscription.asvm.yaml|tfstates.asvm.yaml" - -- name: "[{{ level }} {{ subscription_key }}] - subscription" - include_tasks: "{{ level }}/ansible-subscription.yaml" - when: - - resources.subscriptions[subscription_key] is defined - - config.tfstates['asvm'][subscription_key].subscriptions.subscription_id is not defined - - -#### Privileged resources to deploy in the landingzone - -- name: "[{{ level }} {{ subscription_key }}] - resources" - include_tasks: "{{ level }}/resources/ansible.yaml" - when: - - config.tfstates['asvm'][subscription_key].resources is defined 
diff --git a/templates/applications/level3/resources/ansible.yaml b/templates/applications/level3/resources/ansible.yaml
deleted file mode 100644
index a92cf1131..000000000
--- a/templates/applications/level3/resources/ansible.yaml
+++ /dev/null
@@ -1,262 +0,0 @@ - -- name: set destination paths - set_fact: - destination_path: "{{ destination_base_path }}/{{ subscription_key }}/resources" - deployment: "resources" - -- name: "Clean-up directory - subscription - {{ destination_path }}" - file: - path: "{{ destination_path }}" - state: absent - when: config.configuration_folders.asvm.cleanup_destination | default(true) | bool - -- name: "Load variable for resources" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "resources.asvm.yaml" - -- name: "Content of resources" - debug: - msg: "{{resources}}" - -- name: "[{{ level }} {{ asvm_folder }}] - resources - Creates directory" - file: - path: "{{ destination_path }}" - state: directory -# -# azuread_credentials -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_credentials" - when: - - resources.subscriptions[subscription_key].azuread_credentials is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_credentials.tfvars.j2" - -# -# azuread_applications -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_applications" - when: - - resources.subscriptions[subscription_key].azuread_applications is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_applications.tfvars.j2" - -# -# azuread_credential_policies -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_credential_policies" - when: - - resources.subscriptions[subscription_key].azuread_credential_policies is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - 
with_fileglob: - - "{{ resource_template_folder }}/azuread_credential_policies.tfvars.j2" - -# -# azuread_groups -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_groups" - when: - - resources.subscriptions[subscription_key].azuread_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_groups.tfvars.j2" - -# -# azuread_groups_membership -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_groups_membership" - when: - - resources.subscriptions[subscription_key].azuread_groups_membership is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_groups_membership.tfvars.j2" - -# -# azuread_service_principals -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_service_principals" - when: - - resources.subscriptions[subscription_key].azuread_service_principals is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_service_principals.tfvars.j2" - -# -# custom_role_definitions -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - custom_role_definitions" - when: - - resources.subscriptions[subscription_key].custom_role_definitions is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/custom_role_definitions.tfvars.j2" - -# -# keyvaults -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - keyvaults" - when: - - resources.subscriptions[subscription_key].keyvaults 
is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/keyvaults.tfvars.j2" - -# -# keyvault_access_policies -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - keyvault_access_policies" - when: - - resources.subscriptions[subscription_key].keyvault_access_policies is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/keyvault_access_policies.tfvars.j2" - -# -# landingzone -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - landingzone" - when: - - deployments.deployments[subscription_key][deployment].landingzone is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/landingzone.tfvars.j2" - -# -# managed_identities -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - managed_identities" - when: - - resources.subscriptions[subscription_key].managed_identities is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/managed_identities.tfvars.j2" - -# -# network_security_group_definition -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - network_security_group_definition" - when: - - resources.subscriptions[subscription_key].network_security_group_definition is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" - -# -# 
recovery_vaults -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - recovery_vaults" - when: - - resources.subscriptions[subscription_key].recovery_vaults is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/recovery_vaults.tfvars.j2" - -# -# resource_groups -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" - -# -# role_mapping -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - role_mapping" - when: - - resources.subscriptions[subscription_key].role_mapping is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/role_mapping.tfvars.j2" - -# -# virtual_hub_connections -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - virtual_hub_connections" - when: - - resources.subscriptions[subscription_key].virtual_hub_connections is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/virtual_hub_connections.tfvars.j2" - - -# -# virtual_networks -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - virtual_networks" - when: - - resources.subscriptions[subscription_key].virtual_networks is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - 
with_fileglob: - - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" - - -# -# Readme -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - *.md" - # when: subscription_tfstate_exists.rc == 0 - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ base_templates_folder }}/{{ level }}/resources/*.md"
diff --git a/templates/applications/level3/resources/readme.md b/templates/applications/level3/resources/readme.md
deleted file mode 100644
index c5aa5b579..000000000
--- a/templates/applications/level3/resources/readme.md
+++ /dev/null
@@ -1,35 +0,0 @@
- -### Deploy base resources in {{ asvm_folder }} - -```bash -rover login -t {{ config.platform_identity.tenant_name }} - -unset ARM_SKIP_PROVIDER_REGISTRATION - -cd /tf/caf/landingzones -git pull -git checkout {{ resources.gitops.landingzones }} - -rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ -{% endif %} - -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -{% if subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id is defined %} - -target_subscription {{ subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id }} \ -{% else %} - -target_subscription {{ asvm_subscriptions_details[asvm_folder].subscription_id }} \ -{% endif %} - -tfstate {{ config.tfstates['asvm'][asvm_folder].resources.tfstate }} \ - --workspace {{ config.tfstates['asvm'][asvm_folder].workspace }} \ - -log-severity {{ config.gitops.rover_log_error }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates['asvm'][asvm_folder].resources.tfstate }}.tfplan \ - -a plan - -rover logout - -```
diff --git a/templates/applications/level3/storage_containers/ansible.yaml b/templates/applications/level3/storage_containers/ansible.yaml
deleted file mode 100644
index 903064ad1..000000000
--- a/templates/applications/level3/storage_containers/ansible.yaml
+++ /dev/null
@@ -1,80 +0,0 @@ -- name: set destination paths - set_fact: - destination_path: "{{ destination_base_path }}/storage_containers" - deployment: "storage_containers" - -- name: "Load variable for resources" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "tfstates.asvm.yaml|subscriptions.asvm.yaml|subscription.asvm.yaml" - -- name: "Content of resources" - debug: - msg: "{{resources}}" - -- name: "[{{ level }} {{ asvm_folder }}] - storage_containers - Creates directory" - file: - path: "{{ destination_path }}" - state: directory - -# -# Get storage account names -# - -- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - launchpad level3" - register: storage_account_level3 - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r - -- debug: - msg: "{{storage_account_level3.stdout}}" - -- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - launchpad level4" - register: storage_account_level4 - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='level4' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r - -- debug: - msg: "{{storage_account_level4.stdout}}" - - -# -# landingzone -# -- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - landingzone" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/landingzone.tfvars.j2" - -# -# storage_containers -# -- name: "[{{ level }}-{{ subscription_key }}] 
- storage_containers - storage_containers" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ base_templates_folder }}/{{ level }}/storage_containers/storage_containers.tfvars.j2" - - -# -# Readme -# -- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - *.md" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ base_templates_folder }}/{{ level }}/storage_containers/*.md"
diff --git a/templates/applications/level3/storage_containers/readme.md b/templates/applications/level3/storage_containers/readme.md
deleted file mode 100644
index ad1f01be9..000000000
--- a/templates/applications/level3/storage_containers/readme.md
+++ /dev/null
@@ -1,28 +0,0 @@
- -### Create storage containers for the landingzone - -```bash -rover login -t {{ config.platform_identity.tenant_name }} - -cd /tf/caf/landingzones -git pull -git checkout {{ resources.gitops.landingzones }} - -rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ -{% endif %} - -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.asvm[asvm_folder].subscriptions.tfstate }} \ - --workspace {{ config.tfstates.asvm[asvm_folder].subscriptions.workspace | default('tfstate') }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.asvm[asvm_folder].subscriptions.tfstate }}.tfplan \ - -a plan - -rover logout - -```
diff --git a/templates/applications/level3/storage_containers/storage_containers.tfvars.j2 b/templates/applications/level3/storage_containers/storage_containers.tfvars.j2
deleted file mode 100644
index 8784606bf..000000000
--- a/templates/applications/level3/storage_containers/storage_containers.tfvars.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-storage_containers = { -{% for key in resources.subscriptions.keys() %} - {{ key }}_level3 = { - name = "{{ resources.tfstates.asvm[key].workspace }}" - storage_account = { - name = "{{storage_account_level3.stdout|from_json|json_query('name')}}" - } - } - {{ key }}_level4 = { - name = "{{ resources.tfstates.asvm[key].workspace }}" - storage_account = { - name = "{{storage_account_level4.stdout|from_json|json_query('name')}}" - } - } -{% endfor %} -}
\ No newline at end of file
diff --git a/templates/applications/level3/subscription/readme.md b/templates/applications/level3/subscription/readme.md
deleted file mode 100644
index c05bcfc71..000000000
--- a/templates/applications/level3/subscription/readme.md
+++ /dev/null
@@ -1,40 +0,0 @@
- -### Generate asvm for {{ asvm_folder }} - -```bash -rover login -t {{ config.platform_identity.tenant_name }} - -ARM_SKIP_PROVIDER_REGISTRATION=true && rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ -{% endif %} - -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates["asvm"][asvm_folder].subscriptions.tfstate }} \ - --workspace {{ config.tfstates["asvm"][asvm_folder].workspace }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates["asvm"][asvm_folder].subscriptions.tfstate }}.tfplan \ - -a plan - -rover logout - -``` -Once you have executed the rover apply to create the subscription, you need to re-execute the rover ignite to generate the instructions for the next steps. - -Note you need to logout and login as a caf_maintainer group member - -```bash -rover login -t {{ config.platform_identity.tenant_name }} - -rover ignite \ - --playbook /tf/caf/landingzones/templates/applications/ansible.yaml \ - -e base_templates_folder={{ base_templates_folder }} \ - -e resource_template_folder={{ resource_template_folder }} \ - -e config_folder={{ config_folder }} \ - -e destination_base_path={{ destination_base_path }} \ - -e config_folder_platform={{ config_folder_platform }} - -```
-
diff --git a/templates/applications/level4/readme.md b/templates/applications/level4/readme.md
deleted file mode 100644
index b3905517b..000000000
--- a/templates/applications/level4/readme.md
+++ /dev/null
@@ -1 +0,0 @@
-yaml support for level coming soon.
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml
deleted file mode 100644
index 7b83be426..000000000
--- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-deployments: - asvm_storage_containers: - storage_containers: - landingzone: - key: - asvm: - asvm_storage_containers: subscriptions - global_settings_key: - platform: - asvm: - remote_tfstates: - platform: - asvm: - - orion_dev: - subscriptions: - landingzone: - key: - asvm: - orion_dev: subscriptions - global_settings_key: - asvm: - asvm_storage_containers: subscriptions - remote_tfstates: - asvm: - asvm_storage_containers: subscriptions - - resources: - landingzone: - key: - asvm: - orion_dev: resources - global_settings_key: - platform: - virtual_hubs: non_prod - remote_tfstates: - asvm: - orion_dev: subscriptions - asvm_storage_containers: subscriptions - platform: - virtual_hubs: non_prod - private_dns: non_prod - identity_level2: non_prod - asvm: - azurerm_firewalls: non_prod - - orion_prod: - subscriptions: - landingzone: - key: - asvm: - orion_prod: subscriptions - global_settings_key: - asvm: - asvm_storage_containers: subscriptions - remote_tfstates: - asvm: - asvm_storage_containers: subscriptions - - resources: - landingzone: - key: - asvm: - orion_prod: resources - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - asvm: - orion_prod: subscriptions - asvm_storage_containers: subscriptions - platform: - virtual_hubs: prod - private_dns: prod - identity_level2: prod - asvm: - azurerm_firewalls: prod
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md
index 6ba8ecf43..3b2cc9d0c 100644
--- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md
+++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md
@@ -3,12 +3,14 @@ ## Generate the configuration files ```bash + rover ignite \ - --playbook /tf/caf/landingzones/templates/applications/ansible.yaml \ - -e base_templates_folder=/tf/caf/landingzones/templates/applications \ + --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ + -e base_templates_folder=/tf/caf/landingzones/templates/platform \ -e resource_template_folder=/tf/caf/landingzones/templates/resources \ - -e destination_base_path=/tf/caf/configuration/contoso/landingzones/ \ - -e config_folder=/tf/caf/platform-definition/application/ \ - -e config_folder_platform=/tf/caf/platform-definition + -e config_folder=/tf/caf/definitions/asvm/orion-landingzone \ + -e config_folder_platform=/tf/caf/definitions/single_subscription \ + -e landingzones_folder=/tf/caf/landingzones + ```
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml
deleted file mode 100644
index a75c16210..000000000
--- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/resources.asvm.yaml
+++ /dev/null
@@ -1,1015 +0,0 @@ -gitops: - landingzones: aci_network - -subscriptions: - - orion_dev: - - resource_groups: - rg: - name: rg-orion-dev - backup: - name: rg-orion-dev-backup - networking: - name: rg-orion-dev-networking - preparation: - name: rg-orion-dev-preparation - modeling: - name: rg-orion-dev-modeling - consumption: - name: rg-orion-dev-consumption - analytics: - name: rg-orion-dev-analytics - - virtual_networks: - vnet: - name: vnet-orion-dev - resource_group_key: networking - region_key: region1 - dns_servers_keys: - fw_prod_plinks_01: - resource_type: azurerm_firewall - lz_key: connectivity_firewalls_non_prod - key: fw_non_prod_plinks_01 - address_space: - - 10.101.200.0/23 - subnets: - databricks_preparation_egress: - name: databricks-preparation-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.200.0/26 - databricks_preparation_private: - name: databricks-preparation-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.200.64/26 - databricks_modeling_egress: - name: databricks-modeling-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - 
- 10.101.201.0/26 - databricks_modeling_private: - name: databricks-modeling-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.201.64/26 - consumption: - name: consumption - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.200.128/25 - databricks_notebooks: - name: databricks-notebooks - service_endpoints: - - Microsoft.Storage - - Microsoft.KeyVault - nsg_key: databricks_notebooks - cidr: - - 10.101.201.128/27 - private_endpoints: - name: private-endpoints - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.201.192/27 - - network_security_group_definition: - databricks_egress: - version: 1 - resource_group_key: networking - name: nsg-databricks-egress - nsg: - Inbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 5557 - destination_address_prefix: "*" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 22 - destination_address_prefix: "*" - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - 
source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - 405: - name: ICMP - access: Allow - protocol: icmp - source_port_range: "*" - source_address_prefix: "*" - destination_port_range: "*" - destination_address_prefix: "*" - databricks_private: - version: 1 - resource_group_key: networking - name: nsg-databricks-private - nsg: - Inbound: - 400: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 401: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - 
source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - consumption: - version: 1 - resource_group_key: networking - name: nsg-consumption - databricks_notebooks: - version: 1 - resource_group_key: networking - name: nsg-databricks-notebook - nsg: - Inbound: - 500: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 501: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 500: - name: AzureActiveDirectory - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureActiveDirectory" - destination_port_ranges: - - 80 - - 443 - 501: - name: AzureMachineLearning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureMachineLearning" - destination_port_ranges: - - 443 - 502: - 
name: AzureResourceManager - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureResourceManager" - destination_port_ranges: - - 443 - 503: - name: Storage SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "Storage.SoutheastAsia" - destination_port_ranges: - - 443 - 504: - name: AzureFrontDoor Frontend - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.Frontend" - destination_port_ranges: - - 443 - 505: - name: Container Registry SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureContainerRegistry.SoutheastAsia" - destination_port_ranges: - - 443 - 506: - name: Microsoft Container Registry SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia" - destination_port_ranges: - - 443 - 507: - name: Keyvault SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureKeyVault.SoutheastAsia" - destination_port_ranges: - - 443 - 508: - name: AzureFrontDoor FirstParty - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - destination_port_range: "*" - - virtual_hub_connections: - vnet_to_dev: - name: vnet-orion-dev-TO-non-prod - virtual_hub: - lz_key: connectivity_virtual_hub_non_prod - key: non_prod - vnet: - vnet_key: vnet - - recovery_vaults: - asr: - name: vault-orion-dev - resource_group_key: backup - backup_policies: - vms: - default: - name: vm-default-policy - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - - 
keyvaults: - kv_delegated_sp: - name: kvoriondev0001 - resource_group_key: rg - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - landingzone_maintainers_non_prod: - lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_non_prod - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - kv_delegated_sp: - app_LZContributors: - azuread_service_principal_key: sp_LZContributors - secret_permissions: - - Get - - azuread_applications: - app_LZContributors: - application_name: app-asvm-orion-dev-Contributors - - azuread_service_principals: - sp_LZContributors: - azuread_application: - key: app_LZContributors - - azuread_credentials: - app_LZContributors: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - key: app_LZContributors - keyvaults: - kv_delegated_sp: - secret_prefix: sp - - azuread_credential_policies: - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 70 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - - custom_role_definitions: - contributors_extended: - name: lz-orion-dev-contributors-extended - useprefix: true - description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
- permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/virtualNetworks/join/action - - role_mapping: - custom_role_mapping: - networking: - vnet: - contributors_extended: - azuread_service_principals: - keys: - - sp_LZContributors - - built_in_role_mapping: - subscriptions: - orion_dev: - lz_key: orion_dev_subscriptions - Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - resource_groups: - preparation: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - modeling: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - consumption: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - analytics: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - storage_containers: - orion_prod_level3: - lz_key: orion_storage_containers - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - orion_dev_level4: - lz_key: orion_storage_containers - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - - - orion_prod: - - resource_groups: - rg: - name: rg-orion-prod - backup: - name: rg-orion-prod-backup - networking: - name: rg-orion-prod-networking - preparation: - name: rg-orion-prod-preparation - modeling: - name: rg-orion-prod-modeling - consumption: - name: rg-orion-prod-consumption - analytics: - name: rg-orion-prod-analytics - - virtual_networks: - vnet: - name: vnet-orion-prod - resource_group_key: networking - region_key: region1 - dns_servers_keys: - fw_prod_plinks_01: - resource_type: azurerm_firewall - lz_key: connectivity_firewalls_prod - key: fw_prod_plinks_01 - address_space: - - 10.101.8.0/23 - subnets: - databricks_preparation_egress: - name: databricks-preparation-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - 
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.8.0/26 - databricks_preparation_private: - name: databricks-preparation-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.8.64/26 - databricks_modeling_egress: - name: databricks-modeling-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.9.0/26 - databricks_modeling_private: - name: databricks-modeling-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.9.64/26 - consumption: - name: consumption - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.8.128/25 - databricks_notebooks: - name: databricks-notebooks - service_endpoints: - - Microsoft.Storage - - Microsoft.KeyVault - nsg_key: databricks_notebooks - cidr: - - 10.101.9.128/27 - private_endpoints: - name: private-endpoints - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.9.192/27 - - network_security_group_definition: - databricks_egress: - version: 1 - 
resource_group_key: networking - name: nsg-databricks-egress - nsg: - Inbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 5557 - destination_address_prefix: "*" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 22 - destination_address_prefix: "*" - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - 405: - name: ICMP - access: Allow - protocol: icmp - source_port_range: "*" - 
source_address_prefix: "*" - destination_port_range: "*" - destination_address_prefix: "*" - databricks_private: - version: 1 - resource_group_key: networking - name: nsg-databricks-private - nsg: - Inbound: - 400: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 401: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - consumption: - version: 1 - resource_group_key: networking 
- name: nsg-consumption - databricks_notebooks: - version: 1 - resource_group_key: networking - name: nsg-databricks-notebooks - nsg: - Inbound: - 500: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 501: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 500: - name: AzureActiveDirectory - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureActiveDirectory" - destination_port_ranges: - - 80 - - 443 - 501: - name: AzureMachineLearning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureMachineLearning" - destination_port_ranges: - - 443 - 502: - name: AzureResourceManager - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureResourceManager" - destination_port_ranges: - - 443 - 503: - name: Storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "Storage" - destination_port_ranges: - - 443 - 504: - name: AzureFrontDoor Frontend - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.Frontend" - destination_port_ranges: - - 443 - 505: - name: Container Registry - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureContainerRegistry" - destination_port_ranges: - - 443 - 506: - name: Microsoft Container Registry - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: 
"MicrosoftContainerRegistry" - destination_port_ranges: - - 443 - 507: - name: Keyvault - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureKeyVault" - destination_port_ranges: - - 443 - 508: - name: AzureFrontDoor FirstParty - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - destination_port_range: "*" - - virtual_hub_connections: - vnet_to_prod: - name: vnet-orion-prod-TO-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet - - recovery_vaults: - asr: - name: vault-orion-prod - resource_group_key: backup - backup_policies: - vms: - default: - name: vm-default-policy - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - - keyvaults: - kv_delegated_sp: - name: kvolymprod001 - resource_group_key: rg - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - landingzone_maintainers_prod: - lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_prod - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - kv_delegated_sp: - app_LZContributors: - azuread_service_principal_key: sp_LZContributors - secret_permissions: - - Get - - azuread_applications: - app_LZContributors: - application_name: app-asvm-orion-prod-Contributors - - azuread_service_principals: - sp_LZContributors: - azuread_application: - key: app_LZContributors - - azuread_credentials: - app_LZContributors: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - key: app_LZContributors - keyvaults: - kv_delegated_sp: - secret_prefix: sp - - azuread_credential_policies: - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 70 - rotation_key0: - 
days: 33 - rotation_key1: - days: 58 - - azuread_groups_membership: - caf_prod_landingzones_dns_contributors: - azuread_service_principals: - sp_LZContributors: - group_lz_key: identity_level2 - keys: - - sp_LZContributors - caf_ac_landingzone_maintainers_prod: - azuread_service_principals: - sp_LZContributors: - group_lz_key: asvm - keys: - - sp_LZContributors - - custom_role_definitions: - contributors_extended: - name: lz-orion-prod-contributors-extended - useprefix: true - description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." - permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/virtualNetworks/join/action - - role_mapping: - custom_role_mapping: - networking: - vnet: - contributors_extended: - managed_identities: - keys: - - aks_consumption - azuread_service_principals: - keys: - - sp_LZContributors - - built_in_role_mapping: - subscriptions: - orion_prod: - lz_key: orion_prod_subscriptions - Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - resource_groups: - preparation: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - modeling: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - consumption: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - analytics: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - storage_containers: - orion_prod_level3: - lz_key: orion_storage_containers - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - orion_prod_level4: - lz_key: orion_storage_containers - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - \ No newline at end of file 
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml deleted file mode 100644 index 8a7a49156..000000000 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/subscriptions.asvm.yaml +++ /dev/null @@ -1,13 +0,0 @@ -gitops: - landingzones: aci_network - -subscriptions: - orion_dev: - orion_dev: - name: orion-dev - management_group_suffix: non-prod - - orion_prod: - orion_prod: - name: orion-prod - management_group_suffix: prod \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml index 8a1f94f17..e745ac2f8 100644 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml 
@@ -1,29 +1,28 @@ # ### orion ### tfstates: asvm: - asvm_storage_containers: - subscriptions: - lz_key_name: orion_storage_containers - tfstate: orion_storage_containers.tfstate + subscriptions: + lz_key_name: orion_subscriptions + tfstate: orion_subscriptions.tfstate workspace: tfstate level: level3 + sub_template_folder: level3 + yaml: level3/ansible.yaml orion_dev: - subscriptions: - lz_key_name: orion_dev_subscriptions - tfstate: orion_dev_subscriptions.tfstate - resources: - lz_key_name: orion_dev_resources - tfstate: orion_dev_resources.tfstate + lz_key_name: orion_dev_level3 + tfstate: orion_dev_level3.tfstate workspace: orion-dev level: level3 + sub_template_folder: level3 + yaml: level3/ansible.yaml + orion_prod: - subscriptions: - lz_key_name: orion_prod_subscriptions - tfstate: orion_prod_subscriptions.tfstate - resources: - lz_key_name: orion_prod_resources - tfstate: orion_prod_resources.tfstate + lz_key_name: orion_prod_level3 + tfstate: orion_prod_level3.tfstate workspace: orion-prod level: level3 + sub_template_folder: level3 + yaml: level3/ansible.yaml + diff --git a/templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc index 149a2864e0f386995bd1a2c3652fd8482ff93ff1..a0f3b5a62b926324788902eea5da8cc98ef86e2a 100644 GIT binary patch delta 41 vcmX@6dPtQgk(ZZ?0SI*RS&}yLtYT+$nY^7{o}(Zqu_P_OD0lNC_9t8b-=PeD delta 45 zcmX@4dQ6okk(ZZ?0SK<0dy%-2XB9i6$K>to@;r$J1v#0?i6xo&dBvOWu|MGg08bqd A5dZ)H diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml index 3a1701774..ee88a105e 100644 --- a/templates/platform/ansible.yaml +++ b/templates/platform/ansible.yaml 
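Review bot: Each of the three entries now carries the same `sub_template_folder: level3` / `yaml: level3/ansible.yaml` pair next to `level: level3`, and nothing in the file says which consumer reads which key; a one-line comment such as `# sub_template_folder/yaml select the generator playbook, level is passed to rover -level` (if that is indeed the split) would save the next reader a search through the ansible tasks. The two blank `+` lines appended after the `orion_prod` entry are whitespace-only and can be dropped.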
@@ -11,24 +11,40 @@ ignore_unknown_extensions: true files_matching: "bootstrap.yaml" - - name: "Load variable for platform config" + - name: "Load variable for landingzones config" include_vars: - name: config + name: asvm_config__to_merge dir: "{{config_folder}}" depth: 1 ignore_unknown_extensions: true + files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml" + + - name: "Load variable for platform config" + include_vars: + name: platform_config__to_merge + dir: "{{config_folder_platform | default(config_folder)}}" + depth: 1 + ignore_unknown_extensions: true files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml|subscriptions.yaml" + - name: Merge asvm and platform variables + merge_vars: + suffix_to_merge: config__to_merge + merged_var_name: config + expected_type: 'dict' + recursive_dict_merge: True - - name: "{{deployment}} - Set tfstate_object" + - name: "Get latest cache folder" set_fact: + job_cache_base_path: "/home/vscode/.terraform.cache" destination_base: '{{config.configuration_folders.platform.destination_base_path}}' + config: "{{ ansible_facts.config }}" - debug: msg: - "{{bootstrap}}" - "{{config}}" - verbosity: 2 + # verbosity: 2 # # Generate the foundation services @@ -36,7 +52,7 @@ - include_tasks: "process_foundations.yaml" loop: "{{bootstrap.deployments.keys()}}" - when: bootstrap is defined + when: bootstrap != {} loop_control: loop_var: stage vars: diff --git a/templates/platform/generic/readme.md b/templates/platform/generic/readme.md index d0dd39cf6..920e71fd6 100644 --- a/templates/platform/generic/readme.md +++ b/templates/platform/generic/readme.md 
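Review bot: The `debug` task now prints `{{bootstrap}}` and `{{config}}` at default verbosity because `verbosity: 2` is commented out, so the fully merged configuration (which, judging by the readme templates in this patch, includes subscription ids, tenant name and key vault references) is written to every generator run's output; restore `verbosity: 2` or remove the task rather than leaving the line commented. The new `files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml"` is an unanchored regex with unescaped dots, so a stray `deployments.yaml.bak` in the config folder would be merged too; `files_matching: "^(config\\.asvm|tfstates\\.asvm|deployments)\\.yaml$"` limits it to the intended files. `job_cache_base_path: "/home/vscode/.terraform.cache"` hard-codes the devcontainer user's home directory; `"{{ lookup('env', 'HOME') }}/.terraform.cache"` keeps the playbook usable outside that image. The `merge_vars` action plugin the new task depends on has its compiled `merge_vars.cpython-39.pyc` committed in the same patch; the bytecode should be gitignored rather than versioned, since reviewers cannot diff it against the plugin source.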
@@ -7,20 +7,24 @@ rover logout rover login -t {{ config.platform_identity.tenant_name }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} + --impersonate-sp-from-keyvault-url {{ keyvaults[ tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -{% if config.subscriptions[resources.subscriptions.keys() | first ].subscription_id is defined %} - -target_subscription {{ config.subscriptions[resources.subscriptions.keys() | first ].subscription_id }} \ +{% if platform_subscriptions_details is defined %} + -target_subscription {{ platform_subscriptions_details[resources.subscriptions.keys() | first].subscription_id }} \ +{% elif subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id is defined %} + -target_subscription {{ subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id }} \ +{% else %} + -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ + -tfstate {{ tfstate_object.tfstate }} \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }}.tfplan \ + -w {{ tfstate_object.workspace | default('tfstate') }} \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan ``` 
diff --git a/templates/platform/level0/billing_subscription_role_delegations/readme.md b/templates/platform/level0/billing_subscription_role_delegations/readme.md index 5e25a441a..40fe1e65f 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/readme.md +++ b/templates/platform/level0/billing_subscription_role_delegations/readme.md @@ -7,12 +7,11 @@ Set-up the subscription delegations for platform and landingzone subscriptions rover login -t {{ config.platform_identity.tenant_name }} rover \ - -lz /tf/caf/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/level0/billing_subscription_role_delegations \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.billing_subscription_role_delegations.tfstate }} \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -log-severity {{ config.gitops.rover_log_error }} \ -launchpad \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ @@ -35,10 +34,11 @@ To execute this step you need to login with on of the CAF maintainers: rover login -t {{ config.platform_identity.tenant_name }} rover ignite \ - --playbook /tf/caf/starter/templates/platform/ansible.yaml \ + --playbook {{ landingzones_folder }}/ansible.yaml \ -e base_templates_folder={{ base_templates_folder }} \ -e resource_template_folder={{resource_template_folder}} \ - -e config_folder={{ config_folder }} + -e config_folder={{ config_folder }} \ + -e landingzones_folder={{ landingzones_folder }} ``` diff --git a/templates/platform/level0/credentials/ansible.yaml b/templates/platform/level0/credentials/ansible.yaml deleted file mode 100644 index f5abc0fed..000000000 --- a/templates/platform/level0/credentials/ansible.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - -- name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "launchpad_credentials.yaml" - -- debug: - msg: "{{resources}}" - -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool - -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory - -# -# resource_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" -# -# azuread_credentials -# -- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_credentials" - when: - - resources.subscriptions[subscription_key].azuread_credentials is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_credentials.tfvars.j2" - -# -# azuread_applications -# -- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_applications" - when: - - 
resources.subscriptions[subscription_key].azuread_applications is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_applications.tfvars.j2" - -# -# azuread_credential_policies -# -- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_credential_policies" - when: - - resources.subscriptions[subscription_key].azuread_credential_policies is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_credential_policies.tfvars.j2" - -# -# azuread_service_principals -# -- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_service_principals" - when: - - resources.subscriptions[subscription_key].azuread_service_principals is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/azuread_service_principals.tfvars.j2" - - -# -# keyvaults -# -- name: "[{{ level }}-{{ subscription_key }}] - credentials - keyvaults" - when: - - resources.subscriptions[subscription_key].keyvaults is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/keyvaults.tfvars.j2" - -# -# keyvault_access_policies -# -- name: "[{{ level }}-{{ subscription_key }}] - credentials - keyvault_access_policies" - when: - - resources.subscriptions[subscription_key].keyvault_access_policies is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ 
resource_template_folder }}/keyvault_access_policies.tfvars.j2" - - -- name: "[{{ level }}-{{ base_folder }}] generate configuration files." - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.tfvars.j2" - -- name: "[{{ level }}-{{ base_folder }}] deploy." - when: boostrap_launchpad | bool - shell: | - /tf/rover/rover.sh \ - -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ tfstates.launchpad_credentials.tfstate }} \ - -launchpad \ - -log-severity {{ config.gitops.rover_log_error }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -a apply - args: - warn: no - -- debug: - msg: "{{ keyvaults.cred_subscription_creation_platform.vault_uri }}" - when: credentials_tfstate_exists.rc == 0 - -- name: "[{{ level }}-{{ base_folder }}] generate configuration files." - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.md" diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index e93e7d096..9ad485217 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md 
@@ -8,15 +8,14 @@ rover login -t {{ config.platform_identity.tenant_name }}
rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
+ --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
- -lz /tf/caf/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \
-launchpad \
- -log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
@@ -32,15 +31,14 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla
rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
+ --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
- -lz /tf/caf/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \
-launchpad \
- -log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
@@ -52,10 +50,11 @@ rover \
# On success, re-execute the rover ignite
rover ignite \
- --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
+ --playbook {{ base_templates_folder }}/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
- -e config_folder={{ config_folder }}
+ -e config_folder={{ config_folder }} \
+ -e landingzones_folder={{ landingzones_folder }}
```
diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml
index a60611111..fb41fe5e2 100644
--- a/templates/platform/level0/launchpad/ansible.yaml
+++ b/templates/platform/level0/launchpad/ansible.yaml
@@ -1,154 +1,10 @@ -# - name: "{{deployment}} - Set variables" -# set_fact: -# destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}" - -# - debug: -# msg: -# - "{{tfstate_object}}" -# - "{{resources}}" - -# - name: "[{{resources.relative_destination_folder}}] Clean-up directory" -# file: -# path: "{{destination_path}}" -# state: absent -# when: config.configuration_folders.platform.cleanup_destination | bool - -# - name: "[{{resources.relative_destination_folder}}] Creates directory" -# file: -# path: "{{destination_path}}" -# state: directory - - -# - name: "{{deployment}} - process subscription resources" -# include_tasks: "process_subscription_resources.yaml" -# loop: "{{resources.subscriptions.keys()}}" -# loop_control: -# loop_var: subscription_key - -# # -# # container_groups -# # -# - name: "[{{resources.relative_destination_folder}}] - resources - container_groups" -# when: -# - resources.subscriptions[resources.subscriptions.keys()].container_groups is defined -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ resource_template_folder }}/container_groups.tfvars.j2" - -# # -# # network_security_group_definition -# # -# - name: "[{{resources.relative_destination_folder}}] - resources - network_security_group_definition" -# when: -# - resources.subscriptions[resources.subscriptions.keys()].network_security_group_definition is defined -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2" - - -# # -# # resource_groups -# # -# - name: "[{{resources.relative_destination_folder}}] - resources - resource_groups" -# 
when: -# - resources.subscriptions[resources.subscriptions.keys()].resource_groups is defined -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ resource_template_folder }}/resource_groups.tfvars.j2" - -# # -# # virtual_networks -# # -# - name: "[{{resources.relative_destination_folder}}] - resources - virtual_networks" -# when: -# - resources.subscriptions[resources.subscriptions.keys()].virtual_networks is defined -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ resource_template_folder }}/virtual_networks.tfvars.j2" - - -# # -# # network_profiles -# # -# - name: "[{{resources.relative_destination_folder}}] - resources - network_profiles" -# when: -# - resources.subscriptions[resources.subscriptions.keys()].network_profiles is defined -# ansible.builtin.template: -# src: "{{ item }}" -# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" -# force: yes -# with_fileglob: -# - "{{ resource_template_folder }}/network_profiles.tfvars.j2" - - -# - name: "[{{resources.relative_destination_folder}}] launchpad" -# ansible.builtin.template: -# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2" -# dest: "{{destination_path}}/{{ item }}.tfvars" -# force: yes -# loop: -# - dynamic_secrets -# - global_settings -# - keyvaults -# - landingzone -# - role_mappings -# - storage_accounts - -# - name: "[{{resources.relative_destination_folder}}] Clean-up identity files" -# file: -# path: "{{destination_path}}/{{ item }}.tfvars" -# state: absent -# when: config.platform_identity.azuread_identity_mode == "logged_in_user" -# loop: -# - azuread_api_permissions -# - azuread_applications -# - azuread_group_members -# - azuread_groups -# - azuread_roles -# - keyvault_policies -# - service_principals - -# - 
name: "[{{resources.relative_destination_folder}}] lauchpad - identity - service_principal"
-# ansible.builtin.template:
-# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2"
-# dest: "{{destination_path}}/{{ item }}.tfvars"
-# force: yes
-# when: config.platform_identity.azuread_identity_mode != 'logged_in_user'
-# loop:
-# - azuread_api_permissions
-# - azuread_applications
-# - azuread_group_members
-# - azuread_groups
-# - azuread_roles
-# - keyvault_policies
-# - service_principals
-
-# - name: "[{{resources.relative_destination_folder}}] Deploy the launchpad"
-# when: boostrap_launchpad | bool | default(false)
-# shell: |
-# /tf/rover/rover.sh \
-# -lz /tf/caf/landingzones/caf_launchpad \
-# -var-folder {{destination_path}} \
-# -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-# -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-# -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
-# -log-severity {{ config.gitops.rover_log_error }} \
-# -launchpad \
-# -env {{ config.caf_terraform.launchpad.caf_environment }} \
-# -level {{ level }} \
-# -a apply
+#
+# Check if the launchpad and the credentials for service principal have been deployed.
+#
+- name: "Creates cache directory"
+ file:
+ path: "{{ job_cache_base_path }}/launchpad"
+ state: directory
- name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
register: launchpad_storage_account
@@ -233,10 +89,3 @@
file:
path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
state: absent
-
-# Update readme
-# - name: "[{{resources.relative_destination_folder}}] launchpad - readme"
-# ansible.builtin.template:
-# src: "{{ level }}/{{ base_folder }}/readme.md"
-# dest: "{{destination_path}}/readme.md"
-# force: yes
\ No newline at end of file
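Review bot: The new `Creates cache directory` task builds its path from `{{ job_cache_base_path }}/launchpad`, but the cleanup task kept as context in the second hunk still removes the hard-coded `~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}`; if `job_cache_base_path` can be set to anything other than `~/.terraform.cache`, the directory that is created and the file that is cleaned up no longer live in the same tree. Changing the cleanup task to `path: "{{ job_cache_base_path }}/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"` keeps both on the variable. The cleanup path suggests this directory is used to hold a local copy of the launchpad tfstate, which normally carries backend credentials and other secrets, so the `file` task should also set `mode: '0700'` instead of relying on the umask default. The tasks between the two hunks (`Get tfstate account name` onward) are outside this view.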
diff --git a/templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old b/templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old deleted file mode 100644 index f929fa977..000000000 --- a/templates/platform/level0/launchpad/azuread_applications.tfvars.j2.old +++ /dev/null 
@@ -1,44 +0,0 @@ -azuread_applications = { - level0 = { - application_name = "sp-caf-level0" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - identity = { - application_name = "sp-caf-identity" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - management = { - application_name = "sp-caf-management" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - eslz = { - application_name = "sp-caf-eslz" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - connectivity = { - application_name = "sp-caf-connectivity" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - subscription_creation_platform = { - application_name = "sp-caf-subscription-creation-platform" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ 
config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - subscription_creation_landingzones = { - application_name = "sp-caf-subscription-creation-landingzones" -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } -} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 index 137706f8f..6f7c91e37 100644 --- a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 +++ b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 
@@ -10,26 +10,26 @@ azuread_groups_membership = {
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
members = {
+{% if config.platform_identity.caf_platform_maintainers.user_principal_names is defined %}
user_principal_names = [
"{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}",
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user'%}
-{% for user in config.platform_identity.caf_platform_maintainers %}
+{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_identity.caf_platform_maintainers.user_principal_names is mapping%}
+{% for user in config.platform_identity.caf_platform_maintainers.user_principal_names %}
"{{ user }}",
{% endfor %}
{% endif %}
]
+{% endif %}
}
{% endif %}
}
caf_platform_contributors = {
members = {
- user_principal_names = [
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_identity.caf_platform_contributors is defined %}
-{% for user in config.platform_identity.caf_platform_contributors %}
- "{{ user }}",
-{% endfor %}
+{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if config.platform_identity.caf_platform_maintainers.user_principal_names is mapping %}
+ user_principal_names = {{ config.platform_identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
+{% endif %}
{% endif %}
- ]
}
}
}
diff --git a/templates/platform/level0/launchpad/azuread_groups.tfvars.j2 b/templates/platform/level0/launchpad/azuread_groups.tfvars.j2
deleted file mode 100644
index 3eaee1839..000000000
--- a/templates/platform/level0/launchpad/azuread_groups.tfvars.j2
+++ /dev/null
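Review bot: In the `caf_platform_contributors` block the rewritten `user_principal_names` line reads `config.platform_identity.caf_platform_maintainers.user_principal_names`, whereas the lines it replaces iterated `config.platform_identity.caf_platform_contributors`; unless that is intentional, the contributors group is now populated with the maintainers' list and the configured contributors are silently dropped, which changes group membership that role assignments are keyed on. Both new `{% if %}` guards also test `is mapping`, but a YAML list of user principal names is a sequence, not a mapping, so as written the guarded lines would not render for a list value (`is sequence` or `is iterable` matches a list; worth confirming against a real config). The `replace('None','[]') | replace('[', '[\n') ...` chain converts Python's list repr into HCL by string surgery and breaks on any value containing `[`, `,` or a quote; `user_principal_names = {{ config.platform_identity.caf_platform_contributors.user_principal_names | default([], true) | to_json }}` emits a valid HCL list directly and handles the null case the first `replace` was covering.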
@@ -1,101 +0,0 @@ -{% if config.platform_identity.enable_azuread_groups %} -azuread_groups = { - caf_platform_maintainers = { - name = "caf-platform-maintainers" - description = "High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments." - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - - caf_platform_contributors = { - name = "caf-platform-contributors" - description = "Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR." - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - } - - level0 = { - name = "caf-level0" - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["level0"] - } - } - - eslz = { - name = "caf-eslz" - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["eslz"] - } - } - - identity = { - name = "caf-identity" - prevent_duplicate_name = true -{% if 
config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["identity"] - } - } - - management = { - name = "caf-management" - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["management"] - } - } - - connectivity = { - name = "caf-connectivity" - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["connectivity"] - } - } - - subscription_creation_platform = { - name = "caf-subscription_creation_platform" - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["subscription_creation_platform"] - } - } - - subscription_creation_landingzones = { - name = "caf-subscription_creation_landingzones" - prevent_duplicate_name = true -{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %} - owners = ["{{ 
config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account -{% endif %} - members = { - azuread_service_principal_keys = ["subscription_creation_landingzones"] - } - } - -} -{% else %} -# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true -{% endif %} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old b/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old deleted file mode 100644 index 0835a0d73..000000000 --- a/templates/platform/level0/launchpad/keyvault_policies.tfvars.j2.old +++ /dev/null 
@@ -1,64 +0,0 @@ -keyvault_access_policies = { - # A maximum of 16 access policies per keyvault - level0 = { - sp_level0 = { - azuread_group_key = "level0" - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - identity = { - azuread_group_key = "identity" - secret_permissions = ["Get"] - } - } - - # A maximum of 16 access policies per keyvault - level1 = { - sp_level0 = { - # Allow level1 devops agent to be managed from agent pool level0 - azuread_group_key = "level0" - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - identity = { - azuread_group_key = "identity" - secret_permissions = ["Get"] - } - management = { - azuread_group_key = "management" - secret_permissions = ["Get"] - } - eslz = { - azuread_group_key = "eslz" - secret_permissions = ["Get"] - } - subscription_creation_platform = { - azuread_group_key = "subscription_creation_platform" - secret_permissions = ["Get"] - } - } - # A maximum of 16 access policies per keyvault - level2 = { - sp_level0 = { - azuread_group_key = "level0" - secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] - } - connectivity = { - azuread_group_key = "connectivity" - secret_permissions = ["Get"] - } - identity = { - azuread_group_key = "identity" - secret_permissions = ["Get"] - } - management = { - azuread_group_key = "management" - secret_permissions = ["Get"] - } -{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} - subscription_creation_landingzones = { - azuread_group_key = "subscription_creation_landingzones" - secret_permissions = ["Get"] - } -{% endif %} - } - -} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/landingzone.tfvars.j2.old b/templates/platform/level0/launchpad/landingzone.tfvars.j2.old deleted file mode 100644 index 9fe64e7ca..000000000 --- a/templates/platform/level0/launchpad/landingzone.tfvars.j2.old +++ /dev/null 
@@ -1,5 +0,0 @@
-landingzone = {
- backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}"
- level = "{{ config.tfstates.platform.launchpad.level }}"
- key = "{{ config.tfstates.platform.launchpad.lz_key_name }}"
-}
\ No newline at end of file
diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md
index 46cbefbaf..7ffc72441 100644
--- a/templates/platform/level0/launchpad/readme.md
+++ b/templates/platform/level0/launchpad/readme.md
@@ -42,21 +42,20 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap
{% endif %}
rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }}
-cd /tf/caf/landingzones
+cd {{ landingzones_folder }}
git fetch origin
-git checkout {{ config.gitops.caf_landingzone_branch }}
+git checkout {{ resources.gitops.caf_landingzone_branch }}
git pull
rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
+ --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
- -lz /tf/caf/landingzones/caf_launchpad \
+ -lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
- -log-severity {{ config.gitops.rover_log_error }} \
-launchpad \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
@@ -75,12 +74,11 @@ rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
{% endif %}
- -lz /tf/caf/landingzones/caf_launchpad \
+ -lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
- -log-severity {{ config.gitops.rover_log_error }} \
-launchpad \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
@@ -93,10 +91,11 @@ rover \
# On success, re-execute the rover ignite
rover ignite \
- --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
+ --playbook {{ base_templates_folder }}/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
- -e config_folder={{ config_folder }}
+ -e config_folder={{ config_folder }} \
+ -e landingzones_folder={{ landingzones_folder }}
```
diff --git a/templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD b/templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD
deleted file mode 100644
index d2e5340aa..000000000
--- a/templates/platform/level0/launchpad/role_mappings.tfvars.j2.OLD
+++ /dev/null
@@ -1,213 +0,0 @@ - -# -# Services supported: subscriptions, storage accounts and resource groups -# Can assign roles to: AD groups, AD object ID, AD applications, Managed identities -# - -role_mapping = { - built_in_role_mapping = { -{% if config.platform_core_setup %} - management_group = { - {{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = { - "User Access Administrator" = { -{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} - logged_in = { - keys = ["user"] - } -{% endif %} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - azuread_groups = { - keys = ["level0"] - } -{% endif %} - } - "Management Group Contributor" = { -{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} - logged_in = { - keys = ["user"] - } -{% endif %} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - azuread_groups = { - keys = ["eslz", "caf_platform_maintainers"] - } -{% endif %} - } - "Owner" = { -{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} - logged_in = { - keys = ["user"] - } -{% endif %} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - azuread_groups = { - keys = ["eslz", "caf_platform_maintainers"] - } -{% endif %} - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - "Reader" = { - azuread_groups = { - keys = ["caf_platform_contributors"] - } - } -{% endif %} - } - } -{% endif %} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - subscriptions = { - logged_in_subscription = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - "Owner" = { - azuread_groups = { - keys = ["level0", "caf_platform_maintainers", "subscription_creation_platform"] - } - } -{% endif %} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - "Reader" = { - azuread_groups = { - keys = ["identity"] - } - } 
-{% endif %} - } - } -{% endif %} - -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - resource_groups = { - level0 = { - "Reader" = { - azuread_groups = { - keys = [ - "identity", - "subscription_creation_platform", - "caf_platform_contributors" - ] - } - } - } - level1 = { - "Reader" = { - azuread_groups = { - keys = [ - "identity", - "management", - "eslz", - "subscription_creation_platform", - "caf_platform_contributors" - ] - } - } - } - level2 = { - "Reader" = { - azuread_groups = { - keys = [ - "identity", - "connectivity", - "management", - "subscription_creation_landingzones", - "caf_platform_contributors" - ] - } - } - } - } -{% endif %} - - storage_accounts = { - level0 = { - "Storage Blob Data Contributor" = { - logged_in = { - keys = ["user"] - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - azuread_groups = { - keys = ["level0", "caf_platform_maintainers", "identity"] - } -{% endif %} - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - "Storage Blob Data Reader" = { - azuread_groups = { - keys = [ - "management", - "eslz", - "subscription_creation_platform", - "caf_platform_contributors" - ] - } - } -{% endif %} - } - - level1 = { - "Storage Blob Data Contributor" = { - logged_in = { - keys = ["user"] - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - azuread_groups = { - keys = [ - "caf_platform_maintainers", - "identity", - "management", - "eslz", - "subscription_creation_platform" - ] - } -{% endif %} - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - "Storage Blob Data Reader" = { - azuread_groups = { - keys = [ - "connectivity", - "caf_platform_contributors", -{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} - "level0" -{% endif %} - ] - } - } -{% endif %} - } - - level2 = { - "Storage Blob Data Contributor" = { - logged_in = { - keys = ["user"] - 
} -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - azuread_groups = { - keys = [ - "identity", - "connectivity", - "management", - "caf_platform_maintainers", -{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} - "level0" -{% endif %} - ] - } -{% endif %} - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} - "Storage Blob Data Reader" = { - azuread_groups = { - keys = [ - "caf_platform_contributors", -{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} - "subscription_creation_landingzones" -{% endif %} - ] - } - } -{% endif %} - } - } - } -} diff --git a/templates/platform/level0/launchpad/service_principals.tfvars.j2.old b/templates/platform/level0/launchpad/service_principals.tfvars.j2.old deleted file mode 100644 index 75e0ef5d2..000000000 --- a/templates/platform/level0/launchpad/service_principals.tfvars.j2.old +++ /dev/null @@ -1,44 +0,0 @@ -azuread_service_principals = { - # Manage the deployment of the level0 - level0 = { - azuread_application = { - key = "level0" - } - } - # Manage the deployment of Enterprise Scale - eslz = { - azuread_application = { - key = "eslz" - } - } - # Manage the deployment of the connectivity services - connectivity = { - azuread_application = { - key = "connectivity" - } - } - # Manage the deployment of the shared services - management = { - azuread_application = { - key = "management" - } - } - # Manage the deployment of the identity services - identity = { - azuread_application = { - key = "identity" - } - } - # Has delegation to create platform subscriptions - subscription_creation_platform = { - azuread_application = { - key = "subscription_creation_platform" - } - } - # Has delegation to create landingzone subscriptions - subscription_creation_landingzones = { - azuread_application = { - key = "subscription_creation_landingzones" - } - } -} \ No newline at end of file 
diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 index 3b51b0112..8a1c36582 100644 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 +++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 @@ -1,3 +1,4 @@ +# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ tfstate_object.sub_template_folder }}/lib" {% if config.platform_core_setup.enterprise_scale.root_parent_id is defined %} root_parent_id = "{{ config.platform_core_setup.enterprise_scale.root_parent_id }}" diff --git a/templates/platform/level1/eslz/landingzone.tfvars.j2 b/templates/platform/level1/eslz/landingzone.tfvars.j2 index 63fb10fde..a532255c1 100644 --- a/templates/platform/level1/eslz/landingzone.tfvars.j2 +++ b/templates/platform/level1/eslz/landingzone.tfvars.j2 @@ -12,7 +12,7 @@ landingzone = { level = "current" tfstate = "{{ config.tfstates.platform.management.tfstate }}" } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse' %} {{ config.tfstates.platform.platform_subscriptions.lz_key_name }} = { level = "current" tfstate = "{{ config.tfstates.platform.platform_subscriptions.tfstate }}" diff --git a/templates/platform/level1/eslz/readme.md b/templates/platform/level1/eslz/readme.md index 17a616b85..553131925 100644 --- a/templates/platform/level1/eslz/readme.md +++ b/templates/platform/level1/eslz/readme.md 
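Review bot: The comment added above `library_path` names `{{ landingzones_folder }}/caf_solution/add-ons/caf_eslz` as the base of the relative path, but the path itself is still the fixed `../../../../{{ config.configuration_folders.platform.destination_relative_path }}/...`, which only resolves when the landing zones folder and the configuration destination sit at that exact depth from each other. Since the rest of this commit makes `landingzones_folder` configurable, that assumption can silently break the ESLZ library lookup on a different layout. Either derive the prefix from the two folders or state the constraint in the comment, e.g. `# assumes {{ landingzones_folder }} and the configuration folder share the same parent directory (four levels up from caf_eslz); adjust the ../ prefix otherwise`.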
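Review bot: The extended `{% if %}` dereferences `config.platform_core_setup.enterprise_scale.subscription_deployment_mode` with no `is defined` guard, whereas the neighbouring `root_parent_id` test in enterprise_scale.tfvars.j2 guards its key; if `enterprise_scale` can be absent from a configuration this line would presumably fail rendering rather than keep the previous behaviour, and if it is always required a short comment saying so would help. The identical compound condition is added to `subscription_id_overrides_by_keys` in subscription_id_overrides.tfvars.j2 (third hunk), so the two guards can drift apart; computing the decision once into a variable would keep them in step. Where the key itself is optional, a form such as `{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode | default('') != 'single_reuse' %}` keeps the current result for configurations that omit it. The enclosing `landingzone` block starts and ends outside the hunk.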
@@ -9,19 +9,18 @@ az account clear # login a with a user member of the caf-platform-maintainers group rover login -t {{ config.platform_identity.tenant_name }} -cd {{ destination_base }}/landingzones +cd {{ landingzones_folder }} git fetch origin git checkout {{ config.platform_core_setup.enterprise_scale.private_lib[config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy].caf_landingzone_branch }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_eslz.vault_uri }} \ + --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} - -lz {{ destination_base }}/landingzones/caf_solution/add-ons/caf_eslz \ + -lz {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.eslz.tfstate }} \ - -log-severity ERROR \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ config.tfstates.platform.eslz.tfstate }}.tfplan \ diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 index 19082ee50..d1d1846aa 100644 --- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 
@@ -5,12 +5,6 @@ subscription_id_overrides = { {% else %} root = [] {% endif %} -{% else %} -{% if config.platform_core_setup.enterprise_scale.subscription_deployment_mode == 'single_reuse' %} - root = [ - "{{ config.caf_terraform.launchpad.subscription_id }}" - ] -{% endif %} {% endif %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} {% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} @@ -48,8 +42,14 @@ subscription_id_overrides = { {% else %} identity = [] {% endif %} +{% else %} +{% if config.platform_core_setup.enterprise_scale.subscription_deployment_mode == 'single_reuse' %} + root = [ + "{{ config.caf_terraform.launchpad.subscription_id }}" + ] {% else %} root = [] +{% endif %} decommissioned = [] sandboxes = [] landing-zones = [] @@ -60,7 +60,7 @@ subscription_id_overrides = { {% endif %} } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse' %} subscription_id_overrides_by_keys = { connectivity = { connectivity = { diff --git a/templates/platform/level1/identity/ansible.yaml.old b/templates/platform/level1/identity/ansible.yaml.old deleted file mode 100644 index f0068fb9a..000000000 --- a/templates/platform/level1/identity/ansible.yaml.old +++ /dev/null 
@@ -1,73 +0,0 @@ -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool - -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory - -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - -- name: "[{{ level }}-{{ base_folder }}] - Load variables" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "identity.yaml|identity.caf.platform.yaml" - - -# -# resource_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resources - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" - -# -# recovery_vaults -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - recovery_vaults" - when: - - resources.subscriptions[subscription_key].recovery_vaults is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/recovery_vaults.tfvars.j2" - -# -# service_health_alerts -# -- name: "[{{ level }}-{{ base_folder }}] - resources - service_health_alerts" - when: - - resources.subscriptions[subscription_key].service_health_alerts is defined - 
ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/servicehealth.tfvars.j2" - - -- name: "[{{ level }}-{{ base_folder }}] generate configuration files." - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.tfvars.j2" - - "{{ level }}/{{ base_folder }}/*.md" - diff --git a/templates/platform/level1/identity/landingzone.tfvars.j2.old b/templates/platform/level1/identity/landingzone.tfvars.j2.old deleted file mode 100644 index 48704bdde..000000000 --- a/templates/platform/level1/identity/landingzone.tfvars.j2.old +++ /dev/null @@ -1,12 +0,0 @@ -landingzone = { - backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}" - global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" - level = "{{ config.tfstates.platform.identity.level }}" - key = "{{ config.tfstates.platform.identity.lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.launchpad.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}" - } - } -} diff --git a/templates/platform/level1/identity/readme.md b/templates/platform/level1/identity/readme.md index f7c0f8314..b7aea606e 100644 --- a/templates/platform/level1/identity/readme.md +++ b/templates/platform/level1/identity/readme.md 
@@ -16,12 +16,10 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra {% endif %} rover \ -{% if platform_subscriptions_details.eslz is defined %} {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ + --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -{% endif %} - -lz /tf/caf/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} @@ -32,7 +30,6 @@ rover \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ {% endif %} -tfstate {{ config.tfstates.platform.identity.tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity.tfstate }}.tfplan \ diff --git a/templates/platform/level1/management/ansible.yaml.old b/templates/platform/level1/management/ansible.yaml.old deleted file mode 100644 index c61cf23d6..000000000 --- a/templates/platform/level1/management/ansible.yaml.old +++ /dev/null 
@@ -1,162 +0,0 @@ -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: - - config.configuration_folders.platform.cleanup_destination | bool - -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory - - -- name: "[{{ level }}-{{ base_folder }}] - Set variables" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - -- name: "[{{ level }}-{{ base_folder }}] - Load variables" - include_vars: - name: resources - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "management.yaml|configuration.caf.platform.yaml" - -# -# automation_accounts -# -- name: "[{{ level }}-{{ base_folder }}] - resources - automation_accounts" - when: - - resources.subscriptions[subscription_key].automation_accounts is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/automation_accounts.tfvars.j2" - -# -# diagnostic_log_analytics -# -- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostic_log_analytics" - when: - - resources.subscriptions[subscription_key].diagnostic_log_analytics is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/diagnostic_log_analytics.tfvars.j2" - -# -# diagnostic_storage_accounts -# -- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostic_storage_accounts" - when: - - 
resources.subscriptions[subscription_key].diagnostic_storage_accounts is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/diagnostic_storage_accounts.tfvars.j2" - -# diagnostics_definition -# -- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostics_definition" - when: - - resources.subscriptions[subscription_key].diagnostics_definition is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/diagnostics_definition.tfvars.j2" - -# diagnostics_destinations -# -- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostics_destinations" - when: - - resources.subscriptions[subscription_key].diagnostics_destinations is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/diagnostics_destinations.tfvars.j2" - -# -# monitor_action_groups -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - monitor_action_groups" - when: - - resources.subscriptions[subscription_key].monitor_action_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/monitor_action_groups.tfvars.j2" - -# -# recovery_vaults -# -- name: "[{{ level }}-{{ subscription_key }}] - resources - recovery_vaults" - when: - - resources.subscriptions[subscription_key].recovery_vaults is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder 
}}/recovery_vaults.tfvars.j2" - -# -# resource_groups -# -- name: "[{{ level }}-{{ base_folder }}] - resources - resource_groups" - when: - - resources.subscriptions[subscription_key].resource_groups is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/resource_groups.tfvars.j2" - -# -# service_health_alerts -# -- name: "[{{ level }}-{{ base_folder }}] - resources - service_health_alerts" - when: - - resources.subscriptions[subscription_key].service_health_alerts is defined - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/servicehealth.tfvars.j2" - -# -# Readme -# -- name: "[{{ level }}-{{ base_folder }}] - resources - *.md" - # when: always - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.md" - -# -# Legacy calls -# -- name: "[{{ level }}-{{ base_folder }}] - generate configuration files." - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.tfvars.j2" \ No newline at end of file diff --git a/templates/platform/level1/management/landingzone.tfvars.j2.old b/templates/platform/level1/management/landingzone.tfvars.j2.old deleted file mode 100644 index 367d6aaf8..000000000 --- a/templates/platform/level1/management/landingzone.tfvars.j2.old +++ /dev/null 
@@ -1,12 +0,0 @@ -landingzone = { - backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}" - global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" - level = "{{ config.tfstates.platform.management.level }}" - key = "{{ config.tfstates.platform.management.lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.launchpad.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}" - } - } -} diff --git a/templates/platform/level1/management/readme.md b/templates/platform/level1/management/readme.md index 23edecc4c..6ae638062 100644 --- a/templates/platform/level1/management/readme.md +++ b/templates/platform/level1/management/readme.md @@ -18,10 +18,10 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra rover \ {% if platform_subscriptions_details.eslz is defined %} {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_management.vault_uri }} \ + --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} {% endif %} - -lz /tf/caf/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} @@ -32,7 +32,6 @@ rover \ -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ {% endif %} -tfstate {{ config.tfstates.platform.management.tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ config.tfstates.platform.management.tfstate }}.tfplan \ 
diff --git a/templates/platform/level1/subscriptions/ansible.yaml.old b/templates/platform/level1/subscriptions/ansible.yaml.old
deleted file mode 100644
index 4ac3f8907..000000000
--- a/templates/platform/level1/subscriptions/ansible.yaml.old
+++ /dev/null
@@ -1,88 +0,0 @@ -- name: "[{{ level }}-{{ base_folder }}] Clean-up directory" - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: absent - when: config.configuration_folders.platform.cleanup_destination | bool - -- name: "[{{ level }}-{{ base_folder }}] Creates directory" - register: level1_subscriptions - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - state: directory - -- name: "[{{ level }}-{{ base_folder }}] generate configuration files." - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/*.tfvars.j2" - - "{{ level }}/{{ base_folder }}/*.md" - -# Create the subscriptions -- name: "[{{ level }}-{{ base_folder }}] Create subscriptions." 
- when: deploy_subscriptions | bool - shell: | - /tf/rover/rover.sh \ - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_platform.vault_uri }} \ - -lz /tf/caf/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -a apply - -- name: "[{{ level }}-{{ base_folder }}] Get latest cache folder" - set_fact: - job_cache_base_path: "/home/vscode/.terraform.cache" - -- name: "[{{ level }}-{{ base_folder }}] Get tfstate details" - register: subscription_tfstate_file_name - shell: | - az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.platform_subscriptions.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -- debug: - msg: "{{ subscription_tfstate_file_name.stdout }}" - -- name: "[{{ level }}-{{ base_folder }}] Download tfstate details" - register: platform_subscriptions_tfstate_exists - ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates.platform.platform_subscriptions.tfstate }}" \ - --account-name "{{ subscription_tfstate_file_name.stdout }}" \ - --container-name "tfstate" \ - --auth-mode "login" \ - --file "{{ job_cache_base_path }}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}" - -- name: "[{{ level }}-{{ base_folder }}] Get platform_subscriptions details" - shell: "cat {{ job_cache_base_path }}/{{ 
config.tfstates.platform.platform_subscriptions.tfstate }}" - register: platform_subscriptions - when: platform_subscriptions_tfstate_exists.rc == 0 - -- name: "[{{ level }}-{{ base_folder }}] Get platform_subscriptions json data" - when: platform_subscriptions_tfstate_exists.rc == 0 - set_fact: - platform_sub_jsondata: "{{ platform_subscriptions.stdout | from_json }}" - -- name: "[{{ level }}-{{ base_folder }}] Get subscriptions list" - when: platform_subscriptions_tfstate_exists.rc == 0 - set_fact: - platform_subscriptions_details: "{{ platform_sub_jsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}.subscriptions' - -- name: "[{{ level }}-{{ base_folder }}] cleanup" - when: platform_subscriptions_tfstate_exists.rc == 0 - file: - path: "{{ job_cache_base_path }}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}" - state: absent - -- debug: - msg: "Platform subscriptions - {{ platform_subscriptions_details }}" - when: platform_subscriptions_tfstate_exists.rc == 0 diff --git a/templates/platform/level1/subscriptions/landingzone.tfvars.j2.old b/templates/platform/level1/subscriptions/landingzone.tfvars.j2.old deleted file mode 100644 index fae07cba7..000000000 --- a/templates/platform/level1/subscriptions/landingzone.tfvars.j2.old +++ /dev/null @@ -1,12 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" - level = "{{ config.tfstates.platform.platform_subscriptions.level }}" - key = "{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.launchpad.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}" - } - } -} diff --git a/templates/platform/level1/subscriptions/readme.md b/templates/platform/level1/subscriptions/readme.md index 3aea9caab..709273ff6 100644 
--- a/templates/platform/level1/subscriptions/readme.md +++ b/templates/platform/level1/subscriptions/readme.md @@ -10,14 +10,13 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra rover \ {% if platform_subscriptions_details.eslz is defined %} {% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_platform.vault_uri }} \ + --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} {% endif %} - -lz /tf/caf/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ -env {{ config.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}.tfplan \ diff --git a/templates/platform/level2/ansible_deployment.yaml.old b/templates/platform/level2/ansible_deployment.yaml.old deleted file mode 100644 index c9b3967f4..000000000 --- a/templates/platform/level2/ansible_deployment.yaml.old +++ /dev/null 
@@ -1,29 +0,0 @@ - -- name: "{{display_name}} Load variable for deployments {{deployment}} - {{resource_folder}}" - include_vars: - name: deployments - dir: "{{config_folder}}/deployments/{{deployment}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "{{ files_matching }}" - -- name: "{{display_name}} Load variable for resources {{deployment}} - {{resource_folder}}" - include_vars: - name: resources - dir: "{{config_folder}}/deployments/{{deployment}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "{{ files_matching }}" - -- name: "{{display_name}} - Content of resources - {{deployment}}" - debug: - msg: "{{resources}}" - -- name: "{{display_name}} - {{deployment}}" - include_tasks: "{{ level }}/ansible_resource_deployment.yaml" - when: - - config.tfstates.platform[resource_folder] is defined - - resources.deployments.keys is defined - loop: "{{ resources.deployments.keys() }}" - loop_control: - loop_var: subscription_key \ No newline at end of file diff --git a/templates/platform/level2/ansible_resource_deployment.yaml.old b/templates/platform/level2/ansible_resource_deployment.yaml.old deleted file mode 100644 index cd8147542..000000000 --- a/templates/platform/level2/ansible_resource_deployment.yaml.old +++ /dev/null 
@@ -1,42 +0,0 @@ - -- name: "{{display_name}} - {{level}} - {{subscription_key}} - set destination paths" - set_fact: - destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{resource_folder}}/{{ deployment }}" - -- name: "{{display_name}} - {{level}} - {{subscription_key}} - Clean-up directory - {{ destination_path }}" - file: - path: "{{ destination_path }}" - state: absent - when: config.configuration_folders.asvm.cleanup_destination | default(true) | bool - -- name: "{{display_name}} - {{level}} - {{subscription_key}} - Creates directory - {{ destination_path }}" - file: - path: "{{ destination_path }}" - state: directory - -# -# landingzone -# -- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - landingzone.tfvars" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ resource_template_folder }}/landingzone.tfvars.j2" - -- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - Tfvars" - include_tasks: "{{ level }}/ansible_resource_type.yaml" - loop: "{{ resources.subscriptions[subscription_key].keys() }}" - loop_control: - loop_var: resource_type - - -- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - Overrides" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/{{resource_folder}}/*.j2" - - "{{ level }}/{{ base_folder }}/{{resource_folder}}/*.md" diff --git a/templates/platform/level2/ansible_resource_type.yaml.old b/templates/platform/level2/ansible_resource_type.yaml.old deleted file mode 100644 index 8269d046c..000000000 --- a/templates/platform/level2/ansible_resource_type.yaml.old +++ /dev/null 
@@ -1,7 +0,0 @@
-- name: "{{display_name}} - {{ level }} - {{subscription_key}} - {{ deployment }} - {{ resource_type }}"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
- force: yes
- with_fileglob:
- - "{{ resource_template_folder }}/{{resource_type}}.tfvars.j2"
diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml
index bc1a94d01..aeb7d2b6f 100644
--- a/templates/platform/level2/asvm/ansible.yaml
+++ b/templates/platform/level2/asvm/ansible.yaml
@@ -1,28 +1,3 @@
-# - name: "[{{ level }}-{{ base_folder }}] - Set variables"
-# set_fact:
-# destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
-
-# - name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad"
-# include_vars:
-# name: resources
-# dir: "{{config_folder}}"
-# depth: 1
-# ignore_unknown_extensions: true
-# files_matching: "asvm.yaml"
-
-# - debug:
-# msg: "{{resources}}"
-
-# - name: "[{{ level }}-{{ base_folder }}] Clean-up directory"
-# file:
-# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
-# state: absent
-# when: config.configuration_folders.platform.cleanup_destination | bool
-
-# - name: "[{{ level }}-{{ base_folder }}] Creates directory"
-# file:
-# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
-# state: directory
 - name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
 register: launchpad_storage_account
@@ -90,48 +65,3 @@
 - debug:
 msg: "{{level2_storage_account}}"
 verbosity: 2
-
-
-# #
-# # resource_groups
-# #
-# - name: "[{{ level }}-{{ base_folder }}] - resource_groups"
-# when:
-# - resources.subscriptions[subscription_key].resource_groups is defined
-# ansible.builtin.template:
-# src: "{{ item }}"
-# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
-# force: yes
-# with_fileglob:
-# - "{{ resource_template_folder }}/resource_groups.tfvars.j2"
-
-# #
-# # azuread_groups
-# #
-# - name: "[{{ level }}-{{ base_folder }}] - azuread_groups"
-# when:
-# - resources.subscriptions[subscription_key].azuread_groups is defined
-# ansible.builtin.template:
-# src: "{{ item }}"
-# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
-# force: yes
-# with_fileglob:
-# - "{{ resource_template_folder }}/azuread_groups.tfvars.j2"
-
-# - name: "[{{ level }}-{{ base_folder }}] asvm"
-# ansible.builtin.template:
-# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2"
-# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars"
-# force: yes
-# loop:
-# - dynamic_secrets
-# - keyvaults
-# - landingzone
-# - role_mappings
-# - storage_accounts
-
-# - name: "[{{ level }}-{{ base_folder }}] launchpad - readme"
-# ansible.builtin.template:
-# src: "{{ level }}/{{ base_folder }}/readme.md"
-# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md"
-# force: yes
\ No newline at end of file
diff --git a/templates/platform/level2/asvm/landingzone.tfvars.j2.old b/templates/platform/level2/asvm/landingzone.tfvars.j2.old
deleted file mode 100644
index 9c5443ef7..000000000
--- a/templates/platform/level2/asvm/landingzone.tfvars.j2.old
+++ /dev/null
@@ -1,12 +0,0 @@
-landingzone = {
- backend_type = "{{ caf_terraform.asvm.backend_type | default("azurerm")}}"
- global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"
- level = "{{ config.tfstates.platform.asvm.level }}"
- key = "{{ config.tfstates.platform.asvm.lz_key_name }}"
- tfstates = {
- {{ config.tfstates.platform.management.lz_key_name }} = {
- level = "lower"
- tfstate = "{{ config.tfstates.platform.management.tfstate }}"
- }
- }
-}
\ No newline at end of file
diff --git a/templates/platform/level2/asvm/readme.md b/templates/platform/level2/asvm/readme.md
index cbd54f9b1..9f0ed82a6 100644
--- a/templates/platform/level2/asvm/readme.md
+++ b/templates/platform/level2/asvm/readme.md
@@ -4,15 +4,15 @@
 # login a with a user member of the caf-platform-maintainers group
 rover login -t {{ config.platform_identity.tenant_name }}
-cd {{ destination_base }}/landingzones
+cd {{ landingzones_folder }}
 git fetch origin
-git checkout {{ resources.gitops.landingzones }}
+git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
+ --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
 {% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
diff --git a/templates/platform/level2/asvm/storage_accounts.tfvars.j2.old b/templates/platform/level2/asvm/storage_accounts.tfvars.j2.old
deleted file mode 100644
index 11b1bc99b..000000000
--- a/templates/platform/level2/asvm/storage_accounts.tfvars.j2.old
+++ /dev/null
@@ -1,54 +0,0 @@
-
-storage_accounts = {
- level3 = {
- name = "{{ resources.subscriptions[subscription_key].storage_accounts.level3.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level3.resource_group_key }}"
- account_kind = "BlobStorage"
- account_tier = "Standard"
- account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}"
- tags = {
- ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
- # Only adjust the environment value at creation time
- tfstate = "level3"
- environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
- launchpad = "launchpad"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
- caf_launchpad = "launchpad"
- caf_tfstate = "level3"
- ##
- }
- blob_properties = {
- versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }}
- container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }}
- delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }}
- }
- containers = {
- {{ config.tfstates.platform.asvm.workspace | default('tfstate') }} = {
- name = "{{ config.tfstates.platform.asvm.workspace | default('tfstate') }}"
- }
- }
- }
-
- level4 = {
- name = "{{ resources.subscriptions[subscription_key].storage_accounts.level4.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level4.resource_group_key }}"
- account_kind = "BlobStorage"
- account_tier = "Standard"
- account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}"
- tags = {
- # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
- tfstate = "level4"
- environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
- launchpad = "launchpad"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
- caf_launchpad = "launchpad"
- caf_tfstate = "level4"
- }
- blob_properties = {
- versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }}
- container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }}
- delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }}
- }
- }
-
-}
\ No newline at end of file
diff --git a/templates/platform/level2/connectivity/ansible.yaml.old b/templates/platform/level2/connectivity/ansible.yaml.old
deleted file mode 100644
index c22c86eab..000000000
--- a/templates/platform/level2/connectivity/ansible.yaml.old
+++ /dev/null
@@ -1,95 +0,0 @@
-- name: Creates {{ base_folder }} directory structure
- shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
-
-- name: "[{{ level }} {{ subscription_key }}] - virtual_wans"
- include_tasks: "{{ level }}/ansible_deployment.yaml"
- when:
- - config.tfstates.platform.virtual_wans is defined
- loop: "{{ config.tfstates.platform.virtual_wans.keys() }}"
- loop_control:
- loop_var: deployment
- vars:
- files_matching: "connectivity_virtual_wan.yaml|connectivity_virtual_wan.caf.yaml"
- resource_folder: virtual_wans
- display_name: Virtual Wan
-
-- name: "[{{ level }} {{ subscription_key }}] - virtual_hubs"
- include_tasks: "{{ level }}/ansible_deployment.yaml"
- when:
- - config.tfstates.platform.virtual_hubs is defined
- loop: "{{ config.tfstates.platform.virtual_hubs.keys() }}"
- loop_control:
- loop_var: deployment
- vars:
- files_matching: "connectivity_virtual_hubs.yaml|connectivity_virtual_hubs.caf.yaml"
- resource_folder: virtual_hubs
- display_name: Virtual Wan
-
-# - name: Virtual Hubs
-# include_tasks: "{{ level }}/{{ base_folder }}/virtual_hub/ansible.yaml"
-# when:
-# - connectivity_virtual_hub.virtual_hubs is defined
-# loop: "{{ config.tfstates.platform.virtual_hubs.keys() }}"
-# loop_control:
-# loop_var: virtual_hub
-
-- name: VPN Sites
- include_tasks: "{{ level }}/{{ base_folder }}/vpn_site/ansible.yaml"
- when:
- - connectivity_vpn_sites.vpn_sites is defined
- loop: "{{ config.tfstates.platform.vpn_sites.keys() }}"
- loop_control:
- loop_var: site
-
-- name: Express Route Circuit
- include_tasks: "{{ level }}/{{ base_folder }}/express_route_circuit/ansible.yaml"
- when:
- - connectivity_express_routes.express_route_circuits is defined
- loop: "{{ config.tfstates.platform.express_route_circuits.keys() }}"
- loop_control:
- loop_var: circuit
-
-- name: Express Route Circuit Peerings
- include_tasks: "{{ level }}/{{ base_folder }}/express_route_circuit_peering/ansible.yaml"
- when:
- - connectivity_express_routes.express_route_circuits is defined
- - connectivity_express_route_peerings.express_route_circuit_peerings is defined
- loop: "{{ config.tfstates.platform.express_route_circuit_peerings.keys() }}"
- loop_control:
- loop_var: circuit
-
-- name: Private DNS Zones
- include_tasks: "{{ level }}/ansible_deployment.yaml"
- when:
- - config.tfstates.platform.private_dns is defined
- loop: "{{ config.tfstates.platform.private_dns.keys() }}"
- loop_control:
- loop_var: deployment
- vars:
- files_matching: "connectivity_private_dns.yaml|connectivity_private_dns.caf.yaml"
- resource_folder: private_dns
- display_name: Private DNS Zones
-
-- name: Firewall Policies
- include_tasks: "{{ level }}/ansible_deployment.yaml"
- when:
- - config.tfstates.platform.azurerm_firewall_policies is defined
- loop: "{{ config.tfstates.platform.azurerm_firewall_policies.keys() }}"
- loop_control:
- loop_var: deployment
- vars:
- files_matching: "connectivity_firewall_policies.yaml|connectivity_firewall_policies.caf.yaml"
- resource_folder: azurerm_firewall_policies
- display_name: Firewall Policies
-
-- name: Azure Firewalls
- include_tasks: "{{ level }}/ansible_deployment.yaml"
- when:
- - config.tfstates.platform.azurerm_firewalls is defined
- loop: "{{ config.tfstates.platform.azurerm_firewalls.keys() }}"
- loop_control:
- loop_var: deployment
- vars:
- files_matching: "connectivity_firewalls.yaml|connectivity_firewalls.caf.yaml"
- resource_folder: azurerm_firewalls
- display_name: Azure Firewalls
\ No newline at end of file
diff --git a/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old b/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old
deleted file mode 100644
index 6b633635b..000000000
--- a/templates/platform/level2/connectivity/azurerm_firewall_policies/landingzone.tfvars.j2.old
+++ /dev/null
@@ -1,12 +0,0 @@
-landingzone = {
- backend_type = "azurerm"
- global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"
- level = "level2"
- key = "{{ config.tfstates.platform.azurerm_firewall_policies[deployment].lz_key_name }}"
- tfstates = {
- {{ config.tfstates.platform.management.lz_key_name }} = {
- level = "lower"
- tfstate = "{{ config.tfstates.platform.management.tfstate }}"
- }
- }
-}
\ No newline at end of file
diff --git a/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md b/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md
index bf4d265a2..46a4ee3c4 100644
--- a/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md
+++ b/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md
@@ -3,7 +3,7 @@
 ## Select the correct branch for the landingzones code
-Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the connectivity services
+Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services
 ## {{ environment }}
@@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
 # login a with a user member of the caf-platform-maintainers group
 rover login -t {{ config.platform_identity.tenant_name }}
-cd {{ destination_base }}/landingzones
+cd {{ landingzones_folder }}
 git fetch origin
-git checkout {{ resources.gitops.landingzones }}
+git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
diff --git a/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old b/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old
deleted file mode 100644
index 6568d80d4..000000000
--- a/templates/platform/level2/connectivity/azurerm_firewalls/landingzone.tfvars.j2.old
+++ /dev/null
@@ -1,18 +0,0 @@
-landingzone = {
- backend_type = "azurerm"
- global_settings_key = "{{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }}"
- level = "{{ config.tfstates.platform.azurerm_firewalls[deployment].level }}"
- key = "{{ config.tfstates.platform.azurerm_firewalls[deployment].lz_key_name }}"
- tfstates = {
- # Virtual Hub
- {{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }} = {
- level = "current"
- tfstate = "{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}"
- }
- # firewall policies
- {{ config.tfstates.platform.azurerm_firewall_policies[deployment].lz_key_name }} = {
- level = "current"
- tfstate = "{{ config.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }}"
- }
- }
-}
diff --git a/templates/platform/level2/connectivity/azurerm_firewalls/readme.md b/templates/platform/level2/connectivity/azurerm_firewalls/readme.md
index ebf4e3f3e..098a664d3 100644
--- a/templates/platform/level2/connectivity/azurerm_firewalls/readme.md
+++ b/templates/platform/level2/connectivity/azurerm_firewalls/readme.md
@@ -3,7 +3,7 @@
 ## Select the correct branch for the landingzones code
-Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the connectivity services
+Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services
 ## {{ environment }}
@@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
 # login a with a user member of the caf-platform-maintainers group
 rover login -t {{ config.platform_identity.tenant_name }}
-cd {{ destination_base }}/landingzones
+cd {{ landingzones_folder }}
 git fetch origin
-git checkout {{ resources.gitops.landingzones }}
+git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
diff --git a/templates/platform/level2/connectivity/express_route_circuit/readme.md b/templates/platform/level2/connectivity/express_route_circuit/readme.md
index a8c1fd5cf..1c60fa82c 100644
--- a/templates/platform/level2/connectivity/express_route_circuit/readme.md
+++ b/templates/platform/level2/connectivity/express_route_circuit/readme.md
@@ -11,7 +11,7 @@ Note you need to adjust the branch {{ connectivity_express_routes.gitops.caf_lan
 # login a with a user member of the caf-platform-maintainers group
 rover login -t {{ config.platform_identity.tenant_name }}
-cd {{ destination_base }}/landingzones
+cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
@@ -19,7 +19,7 @@ rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
diff --git a/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md b/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md
index 0d661fa44..eff7095be 100644
--- a/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md
+++ b/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md
@@ -5,7 +5,7 @@
 # login a with a user member of the caf-platform-maintainers group
 rover login -t {{ config.platform_identity.tenant_name }}
-cd {{ destination_base }}/landingzones
+cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
@@ -13,7 +13,7 @@ rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
diff --git a/templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2.old b/templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2.old
deleted file mode 100644
index cf533e078..000000000
--- a/templates/platform/level2/connectivity/private_dns/landingzone.tfvars.j2.old
+++ /dev/null
@@ -1,20 +0,0 @@
-landingzone = {
- backend_type = "azurerm"
- global_settings_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}"
- level = "{{ config.tfstates.platform.private_dns[deployment].level }}"
- key = "{{ config.tfstates.platform.private_dns[deployment].lz_key_name }}"
- tfstates = {
-{% if config.tfstates.platform.azurerm_firewalls is defined %}
- # Firewall
- {{ config.tfstates.platform.azurerm_firewalls[deployment].lz_key_name }} = {
- level = "current"
- tfstate = "{{ config.tfstates.platform.azurerm_firewalls[deployment].tfstate }}"
- }
-{% endif %}
- # Identity Level2
- {{ config.tfstates.platform.identity_level2[deployment].lz_key_name }} = {
- level = "current"
- tfstate = "{{ config.tfstates.platform.identity_level2[deployment].tfstate }}"
- }
- }
-}
diff --git a/templates/platform/level2/connectivity/private_dns/readme.md b/templates/platform/level2/connectivity/private_dns/readme.md
index 4af38984f..64b1123f6 100644
--- a/templates/platform/level2/connectivity/private_dns/readme.md
+++ b/templates/platform/level2/connectivity/private_dns/readme.md
@@ -3,7 +3,7 @@
 ## Select the correct branch for the landingzones code
-Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the connectivity services
+Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services
 ## {{ environment }}
@@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
 # login a with a user member of the caf-platform-maintainers group
 rover login -t {{ config.platform_identity.tenant_name }}
-cd {{ destination_base }}/landingzones
+cd {{ landingzones_folder }}
 git fetch origin
-git checkout {{ resources.gitops.landingzones }}
+git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
+ -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
 -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
diff --git a/templates/platform/level2/connectivity/readme.md b/templates/platform/level2/connectivity/readme.md
deleted file mode 100644
index a74d2129b..000000000
--- a/templates/platform/level2/connectivity/readme.md
+++ /dev/null
@@ -1,151 +0,0 @@
-
-# Connectivity
-You have selected the vwan networking option to build your Enteprise Scale platform. The following instructions guides you through the steps to follow.
-
-## Select the correct branch for the landingzones code
-
-Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services
-
-{% for folder_name in folders %}
-## Virtual Wan
-
-```bash
-# login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
-
-cd {{ destination_base }}/landingzones
-git fetch origin
-git checkout {{ config.gitops.caf_landingzone_branch }}
-
-rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
-{% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-{% if platform_subscriptions_details is defined %}
- -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
-{% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-{% endif %}
- -tfstate {{ config.tfstates.platform.[folder_name].tfstate }} \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
- -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.[folder_name].tfstate }}.tfplan \
- -a plan
-
-```
-{% endfor %}
-
-## Virtual hubs
-
-{% for virtual_hub in tfstates.virtual_hubs.keys() %}
-### {{ virtual_hub }}
-
-```bash
-# login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
-
-cd {{ destination_base }}/landingzones
-git fetch origin
-git checkout {{ config.gitops.caf_landingzone_branch }}
-
-rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
-{% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-{% if platform_subscriptions_details is defined %}
- -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
-{% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-{% endif %}
- -tfstate {{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }} \
- -log-severity ERROR \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
- -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }}.tfplan \
- -a plan
-
-
-```
-{% endfor %}
-
-{% if connectivity_vpn_sites.vpn_sites is defined %}
-## Virtual Hub VPN Sites
-
-{% for vpnsite in connectivity_vpn_sites.vpn_sites.keys() %}
-### {{ vpnsite }}
-
-```bash
-# login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
-
-cd {{ destination_base }}/landingzones
-git fetch origin
-git checkout {{ config.gitops.caf_landingzone_branch }}
-
-rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
-{% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ vpnsite }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-{% if platform_subscriptions_details is defined %}
- -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
-{% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-{% endif %}
- -tfstate {{ config.tfstates.platform.vpn_sites[vpnsite].tfstate }} \
- -log-severity ERROR \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
- -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.vpn_sites[vpnsite].tfstate }}.tfplan \
- -a plan
-
-
-```
-{% endfor %}
-{% endif %}
-
-{% if tfstates.firewall_policies is defined %}
-## Firewall policies
-
-{% for firewall_policy in tfstates.firewall_policies.keys() %}
-### {{ firewall_policy }}
-
-```bash
-# login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
-
-cd {{ destination_base }}/landingzones
-git fetch origin
-git checkout {{ config.gitops.caf_landingzone_branch }}
-
-rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
- --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
-{% endif %}
- -lz {{ destination_base }}/landingzones/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/firewall_policies/{{ firewall_policy }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-{% if platform_subscriptions_details is defined %}
- -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
-{% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-{% endif %}
- -tfstate {{ config.tfstates.platform.firewall_policies[firewall_policy].tfstate }} \
- -log-severity ERROR \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
- -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.firewall_policies[firewall_policy].tfstate }}.tfplan \
- -a plan
-
-
-```
-{% endfor %}
-{% endif %}
\ No newline at end of file
diff --git a/templates/platform/level2/connectivity/virtual_hubs/ansible.yaml.old b/templates/platform/level2/connectivity/virtual_hubs/ansible.yaml.old
deleted file mode 100644
index 1ac4b4ca5..000000000
--- a/templates/platform/level2/connectivity/virtual_hubs/ansible.yaml.old
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: Virtual_hubs {{ virtual_hub }} - Clean-up directory
- file:
- path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }}"
- state: absent
- when:
- - config.configuration_folders.platform.cleanup_destination | bool
-
-- name: Virtual_hubs {{ virtual_hub }} - Creates directory structure
- file:
- path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }}"
- state: directory
-
-- name: Virtual_hubs {{ virtual_hub }} - Tfvars
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }}/{{ item | basename | regex_replace('.j2$', '') }}"
- force: yes
- with_fileglob:
- - "{{ level }}/{{ base_folder }}/virtual_hub/*.j2"
- - "{{ level }}/{{ base_folder }}/virtual_hub/*.md"
diff --git a/templates/platform/level2/connectivity/virtual_hubs/landingzone.tfvars.j2.old b/templates/platform/level2/connectivity/virtual_hubs/landingzone.tfvars.j2.old
deleted file mode 100644
index 06582d453..000000000
--- a/templates/platform/level2/connectivity/virtual_hubs/landingzone.tfvars.j2.old
+++ /dev/null
@@ -1,35 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}" - level = "{{ config.tfstates.platform.virtual_hubs[virtual_hub].level }}" - key = "{{ config.tfstates.platform.virtual_hubs[virtual_hub].lz_key_name }}" - tfstates = { - # Virtual WAN - {{ config.tfstates.platform.virtual_wan.lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.virtual_wan.tfstate }}" - } -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections[virtual_hub] is defined %} - # Express Route Circuit - {{ config.tfstates.platform.express_route_circuits[connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization.tfstate_key].lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.express_route_circuits[connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization.tfstate_key].tfstate }}" - } -{% endif %} -{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering is defined %} - # Express Route Circuit Peerings - {{ config.tfstates.platform.express_route_circuit_peerings[connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering.tfstate_key].lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.express_route_circuit_peerings[connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering.tfstate_key].tfstate }}" - } -{% endif %} - } -} - -{% if connectivity_virtual_hub.custom_variables[virtual_hub] is defined %} -custom_variables = { -{% for key, value in connectivity_virtual_hub.custom_variables[virtual_hub].items() %} - {{key}} = "{{value}}" -{% endfor %} -} -{% endif %} \ No newline at end of file 
diff --git a/templates/platform/level2/connectivity/virtual_hubs/readme.md b/templates/platform/level2/connectivity/virtual_hubs/readme.md index 1284c0a47..68ac71d7d 100644 --- a/templates/platform/level2/connectivity/virtual_hubs/readme.md +++ b/templates/platform/level2/connectivity/virtual_hubs/readme.md @@ -10,15 +10,15 @@ Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to # login a with a user member of the caf-platform-maintainers group rover login -t {{ config.platform_identity.tenant_name }} -cd {{ destination_base }}/landingzones +cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.gitops.landingzones }} +git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} - -lz {{ destination_base }}/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} diff --git a/templates/platform/level2/connectivity/virtual_hubs/virtual_hubs_route_tables.tfvars.j2 b/templates/platform/level2/connectivity/virtual_hubs/virtual_hubs_route_tables.tfvars.j2 deleted file mode 100644 index c1d31f8c5..000000000 --- a/templates/platform/level2/connectivity/virtual_hubs/virtual_hubs_route_tables.tfvars.j2 +++ /dev/null 
@@ -1,35 +0,0 @@ -{% if connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables is defined %} -virtual_hub_route_tables = { -{% for key, route_table in connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables.items() %} - {{ key }} = { - name = "{{ route_table.name }}" - - virtual_hub = { - key = "{{ virtual_hub }}" - } - - # labels = ["label1"] - # routes = { - # egress_internet = { - # name = "egress-internet" - # destinations_type = "CIDR" - # destinations = ["0.0.0.0/0"] - - # # Either next_hop or next_hop_id can be used - # # - # # When using next_hop, the virtual_hub_connection must be deployed in a different landingzone. This cannot be tested in the standalone module. - # # Will be covered in the landingzone starter production configuration in future releases. - # # - # next_hop = { - # lz_key = "" # - # resource_type = "virtual_hub_connection" # Only supported value. - # resource_key = "egress-fw" - # } - # #to cather for external object - # #next_hop_id = "Azure_Resource_ID" - # } - # } - } -{% endfor %} -} -{% endif %} \ No newline at end of file diff --git a/templates/platform/level2/connectivity/virtual_wans/readme.md b/templates/platform/level2/connectivity/virtual_wans/readme.md index 8754cc6d8..05376e5a6 100644 --- a/templates/platform/level2/connectivity/virtual_wans/readme.md +++ b/templates/platform/level2/connectivity/virtual_wans/readme.md 
@@ -4,15 +4,15 @@ # login a with a user member of the caf-platform-maintainers group rover login -t {{ config.platform_identity.tenant_name }} -cd {{ destination_base }}/landingzones +cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.gitops.landingzones }} +git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} - -lz {{ destination_base }}/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} diff --git a/templates/platform/level2/connectivity/vpn_site/ansible.yaml b/templates/platform/level2/connectivity/vpn_site/ansible.yaml deleted file mode 100644 index 9d620b06b..000000000 --- a/templates/platform/level2/connectivity/vpn_site/ansible.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: VPN Site {{ site }} - Clean-up directory - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }}" - state: absent - when: - - config.configuration_folders.platform.cleanup_destination | bool - -- name: VPN Site {{ site }} - Creates directory structure - file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }}" - state: directory - -- name: VPN Site {{ site }} - Tfvars - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }}/{{ item | basename | regex_replace('.j2$', '') }}" - force: yes - with_fileglob: - - "{{ level }}/{{ base_folder }}/vpn_site/*.j2" - - "{{ level }}/{{ base_folder }}/vpn_site/*.md" diff --git a/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old b/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old deleted file mode 100644 index 3870a6e90..000000000 --- a/templates/platform/level2/connectivity/vpn_site/landingzone.tfvars.j2.old +++ /dev/null 
@@ -1,16 +0,0 @@ -landingzone = { - backend_type = "azurerm" - global_settings_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}" - level = "{{ config.tfstates.platform.vpn_sites[site].level }}" - key = "{{ config.tfstates.platform.vpn_sites[site].lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.virtual_wan.lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.virtual_wan.tfstate }}" - } - {{ config.tfstates.platform.virtual_hubs[connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_site.key].lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.virtual_hubs[connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_site.key].tfstate }}" - } - } -} \ No newline at end of file diff --git a/templates/platform/level2/connectivity/vpn_site/readme.md b/templates/platform/level2/connectivity/vpn_site/readme.md deleted file mode 100644 index 0a2e56eec..000000000 --- a/templates/platform/level2/connectivity/vpn_site/readme.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# VPN Sites - -## Select the correct branch for the landingzones code - -Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services - - -{% for site in config.tfstates.platform.vpn_sites.keys() %} -site -```bash -# login a with a user member of the caf-platform-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} - -cd {{ destination_base }}/landingzones -git fetch origin -git checkout {{ config.gitops.caf_landingzone_branch }} - -rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ -{% endif %} - -lz {{ destination_base }}/landingzones/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -{% if platform_subscriptions_details is defined %} - -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ -{% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ -{% endif %} - -tfstate {{ config.tfstates.platform.vpn_sites[site].tfstate }} \ - -log-severity ERROR \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.vpn_sites[site].tfstate }}.tfplan \ - -a plan - - -``` -{% endfor %} diff --git a/templates/platform/level2/identity/ansible.yaml.old b/templates/platform/level2/identity/ansible.yaml.old deleted file mode 100644 index fe87923bd..000000000 --- a/templates/platform/level2/identity/ansible.yaml.old +++ /dev/null 
@@ -1,38 +0,0 @@ -- name: Creates {{ base_folder }} directory structure - shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" - -- name: "[{{ level }} {{ subscription_key }}] - Azure Identity level2" - include_tasks: "{{ level }}/ansible_deployment.yaml" - when: - - config.tfstates.platform.identity_level2 is defined - loop: "{{ config.tfstates.platform.identity_level2.keys() }}" - loop_control: - loop_var: deployment - vars: - files_matching: "identity_level2.yaml|identity_level2.caf.yaml" - resource_folder: identity_level2 - display_name: Azure Identity level2 - -- name: "[{{ level }} {{ subscription_key }}] - Azure Active Directory Domain Services (AADDS) - Azure managed" - include_tasks: "{{ level }}/ansible_deployment.yaml" - when: - - config.tfstates.platform.identity_level2_aadds is defined - loop: "{{ config.tfstates.platform.identity_level2_aadds.keys() }}" - loop_control: - loop_var: deployment - vars: - files_matching: "identity_level2_aadds.yaml|identity_level2_aadds.caf.yaml" - resource_folder: identity_level2_aadds - display_name: Azure Active Directory Domain Services (AADDS Azure Managed) - -- name: "[{{ level }} {{ subscription_key }}] - Active Directory Domain Services in Virtual Machines" - include_tasks: "{{ level }}/ansible_deployment.yaml" - when: - - config.tfstates.platform.identity_level2_adds is defined - loop: "{{ config.tfstates.platform.identity_level2_adds.keys() }}" - loop_control: - loop_var: deployment - vars: - files_matching: "identity_level2_adds.yaml|identity_level2_adds.caf.yaml" - resource_folder: identity_level2_adds - display_name: Active Directory Domain Services (ADDS in VM) diff --git a/templates/platform/level2/identity/identity_level2/readme.md b/templates/platform/level2/identity/identity_level2/readme.md index 5bef01ac9..a015f470c 100644 --- a/templates/platform/level2/identity/identity_level2/readme.md 
+++ b/templates/platform/level2/identity/identity_level2/readme.md @@ -13,7 +13,7 @@ rover \ {% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} - -lz /tf/caf/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ diff --git a/templates/platform/level2/identity/identity_level2_aadds/readme.md b/templates/platform/level2/identity/identity_level2_aadds/readme.md index 9106bea3c..787801456 100644 --- a/templates/platform/level2/identity/identity_level2_aadds/readme.md +++ b/templates/platform/level2/identity/identity_level2_aadds/readme.md @@ -3,7 +3,7 @@ ## Select the correct branch for the landingzones code -Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the AADDS services +Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the AADDS services ## {{ environment }} 
@@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy # login a with a user member of the caf-platform-maintainers group rover login -t {{ config.platform_identity.tenant_name }} -cd {{ destination_base }}/landingzones +cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.gitops.landingzones }} +git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} - -lz {{ destination_base }}/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} diff --git a/templates/platform/level2/identity/identity_level2_adds/readme.md b/templates/platform/level2/identity/identity_level2_adds/readme.md index 8325aa59d..402705e04 100644 --- a/templates/platform/level2/identity/identity_level2_adds/readme.md +++ b/templates/platform/level2/identity/identity_level2_adds/readme.md 
@@ -7,15 +7,15 @@ Deploy 2 domain controllers in the primary region # login a with a user member of the caf-maintainers group rover login -t {{ config.platform_identity.tenant_name }} -cd {{ destination_base }}/landingzones +cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.gitops.landingzones }} +git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} - -lz {{ destination_base }}/landingzones/caf_solution \ + -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} diff --git a/templates/platform/process_deployments.yaml b/templates/platform/process_deployments.yaml index 7aae3f269..4fda246ee 100644 --- a/templates/platform/process_deployments.yaml +++ b/templates/platform/process_deployments.yaml 
@@ -6,15 +6,33 @@ resources: "{{ lookup('file', '{{ file_to_process.path }}') | from_yaml }}" - set_fact: - env: "{{resources.deployments.tfstate.values() | first | default('')}}" + lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}" -- name: "{{tfstates[tfstate]}} - Set tfstate_object" +- set_fact: + tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}" + env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}" + +- debug: + msg: + - "{{config}}" + - "{{lz_type}}" + - "{{tfstate}}" + - "{{env}}" + verbosity: 2 + + +- name: "Set tfstate_object" set_fact: - tfstate_object: '{{config.tfstates.platform[resources.deployments.tfstate.keys() | first] if env == "" else config.tfstates.platform[resources.deployments.tfstate.keys() | first][env]}}' + tfstate_object: '{{config.tfstates[lz_type][tfstate] if env == "" else config.tfstates[lz_type][tfstate][env] }}' + + +- debug: + msg: + - "{{tfstate_object}}" - name: "Including tasks process_tfstate.yaml" include_tasks: "process_tfstate.yaml" - loop: ["{{resources.deployments.tfstate.keys() | first }}"] + loop: ["{{ tfstate }}"] loop_control: loop_var: deployment vars: diff --git a/templates/platform/process_foundations.yaml b/templates/platform/process_foundations.yaml index fff4a2ccd..b5ade5c98 100644 --- a/templates/platform/process_foundations.yaml +++ b/templates/platform/process_foundations.yaml @@ -7,4 +7,5 @@ loop_control: loop_var: tfstate vars: - tfstates: "{{bootstrap[step][stage]}}" \ No newline at end of file + tfstates: "{{bootstrap[step][stage]}}" + lz_type: platform \ No newline at end of file diff --git a/templates/platform/process_stages.yaml b/templates/platform/process_stages.yaml index f2c043615..4c96e75b7 100644 --- a/templates/platform/process_stages.yaml +++ b/templates/platform/process_stages.yaml 
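Review bot: The second new `- debug:` task, the one printing `{{tfstate_object}}`, has no `verbosity:` gate, so the whole object is written to the console on every run, while the neighbouring debug task is gated with `verbosity: 2`; adding `verbosity: 2` there keeps normal runs quiet. The gated task also prints `{{config}}`, i.e. the entire loaded platform configuration, which is far more than is needed to trace `lz_type`/`tfstate`/`env` and lands in CI logs as soon as someone runs with `-vv`; printing only the keys under inspection would be safer. `lz_type` and `tfstate` are taken with `| first` and no default, so a deployment file that lacks `landingzone.tfstate` presumably fails with a generic undefined-attribute error rather than a message naming the file; an `assert` on `resources.deployments.landingzone.tfstate is defined` before the first `set_fact` would make that failure explicit.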
@@ -1,33 +1,39 @@ - debug: - msg: "tfstate {{tfstate}} - {{tfstates[tfstate]}}" + msg: + - "tfstate {{tfstate}} - {{tfstates[tfstate]}}" + - "{{lz_type}}" - -- name: "{{tfstates[tfstate]}} - Set env" - set_fact: - env: "{{tfstates[tfstate].values() | first | default()}}" - verbosity: 2 +- set_fact: + tfstate_key: "{{ tfstates[tfstate].keys() | first }}" + env: "{{ tfstates[tfstate].values() | first | default('') }}" -- name: "{{tfstates[tfstate]}} - Set tfstate_object" +- name: "Set tfstate_object" set_fact: - tfstate_object: '{{config.tfstates.platform[tfstates[tfstate].keys() | first] if env == "" else config.tfstates.platform[tfstates[tfstate].keys() | first][env]}}' - verbosity: 2 + tfstate_object: '{{config.tfstates[lz_type][tfstate_key] if env == "" else config.tfstates[lz_type][tfstate_key][env] }}' -- name: "{{tfstates[tfstate]}} - Set config_file" +- name: "Set config_folder" set_fact: - config_file: "{{config_folder + '/' + tfstate_object.config_file }}" + config_folder: '{{ tfstate_object.sub_template_folder | default() }}' - debug: - msg: '{{ config_file }}' + msg: + - "{{config}}" + - "{{lz_type}}" + - "{{tfstate_key}}" + - "{{env}}" + - "{{tfstate_object}}" + - "{{config_folder}}" verbosity: 2 +- set_fact: + resources: "{{ lookup('file', '{{ config_folder + \"/\" + tfstate_object.config_file }}') | from_yaml }}" + - name: "Including tasks process_tfstate.yaml" include_tasks: "process_tfstate.yaml" - loop: "{{tfstates[tfstate].keys()}}" + loop: ["{{tfstate_key}}"] loop_control: loop_var: deployment vars: - key: "{{tfstates[tfstate]}}" - resources: "{{ lookup('file', '{{ config_file }}') | from_yaml }}" - deployments: "{{ lookup('file', '{{ config_file }}') | from_yaml }}" \ No newline at end of file + config_file: "{{config_folder + '/' + tfstate_object.config_file }}" \ No newline at end of file diff --git a/templates/platform/process_subscription_resources.yaml b/templates/platform/process_subscription_resources.yaml index 3bb94c2ba..a13fafa8c 100644 
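Review bot: `set_fact: config_folder: '{{ tfstate_object.sub_template_folder | default() }}'` reuses the name `config_folder`, which the old version of this file read as the configuration root when building `config_file` and which process_tfstate.yaml still prints as `{{config_folder}}/tfstates.yaml`; since `set_fact` outranks play and inventory vars, the override appears to persist for every task after this include. It also defaults to an empty string, so when `sub_template_folder` is absent the lookup path becomes `/<config_file>` at the filesystem root instead of a path under the configuration tree. A distinct name with a loud default, e.g. `sub_template_folder: "{{ tfstate_object.sub_template_folder | mandatory }}"`, avoids both. The `resources:` fact wraps the path in a nested `'{{ ... }}'` inside the outer expression; the argument can be passed as a plain expression, `lookup('file', config_folder ~ '/' ~ tfstate_object.config_file)`, which is how the old `config_file` fact computed the same string.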
--- a/templates/platform/process_subscription_resources.yaml +++ b/templates/platform/process_subscription_resources.yaml @@ -65,7 +65,7 @@ # # overrides # -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides" +- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}" ansible.builtin.template: src: "{{ item }}" dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" diff --git a/templates/platform/process_tfstate.yaml b/templates/platform/process_tfstate.yaml index acbc3ba87..3fd2e2a6f 100644 --- a/templates/platform/process_tfstate.yaml +++ b/templates/platform/process_tfstate.yaml @@ -1,15 +1,17 @@ +- debug: + msg: + - "{{lz_type}}" -- name: "Verify {{deployment}} {{key[deployment] | default()}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :" +- name: "Verify {{deployment}} {{lz_type}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :" debug: msg: - - "{{config.tfstates.platform[deployment]}}" + - "{{config.tfstates[lz_type][deployment]}}" - "resources - {{resources}}" -- name: "{{deployment}} - tfstate_object sub_template_folder and config_file - {{env}}" +- name: "{{deployment}} - tfstate_object sub_template_folder- {{env}}" debug: msg: - 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}' - - 'config_file - {{tfstate_object.config_file | default()}}' - 'tfstate_object - {{tfstate_object}}' verbosity: 2 diff --git a/templates/resources/azuread_groups.tfvars.j2 b/templates/resources/azuread_groups.tfvars.j2 index ee523c96a..d9f8cddbb 100644 --- a/templates/resources/azuread_groups.tfvars.j2 +++ b/templates/resources/azuread_groups.tfvars.j2 
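Review bot: In process_tfstate.yaml the task name still says `is defined under tfstates:platform` while the message body now indexes `config.tfstates[lz_type][deployment]`, so for a non-platform `lz_type` the failure text points the operator at the wrong section of tfstates.yaml; `"Verify {{deployment}} is defined under tfstates:{{lz_type}} in {{config_folder}}/tfstates.yaml :"` keeps the name in step with the lookup. The added `- debug: msg: - "{{lz_type}}"` at the top of the file has no `verbosity:` gate and prints on every invocation, unlike the sub_template_folder task below it, which gates its detail with `verbosity: 2`.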
@@ -14,24 +14,20 @@ azuread_groups = { group_names = {{ ad_group.members.group_names | replace('None','[]') | replace('\'','\"') }} {% endif %} {% if ad_group.members.object_ids is defined %} - object_ids = {{ ad_group.members.object_ids | replace('None','[]') | replace('\'','\"') }} + object_ids = {{ ad_group.members.object_ids | string | replace('None','[]') | replace('\'','\"') }} {% endif %} {% if ad_group.members.group_keys is defined %} group_keys = {{ ad_group.members.group_keys | replace('None','[]') | replace('\'','\"') }} {% endif %} -{% if ad_group.members.service_principal_keys is defined %} - service_principal_keys = {{ ad_group.members.service_principal_keys | replace('None','[]') | replace('\'','\"') }} +{% if ad_group.members.azuread_service_principal_keys is defined %} + azuread_service_principal_keys = {{ ad_group.members.azuread_service_principal_keys | replace('None','[]') | replace('\'','\"') }} {% endif %} } {% endif %} {% if ad_group.owners is defined %} - owners = { -{% if ad_group.owners.user_principal_names is defined %} - user_principal_names = {{ ad_group.owners.user_principal_names | replace('None','[]') | replace('\'','\"') }} + owners = {{ ad_group.owners| string | replace('None','[]') | replace('\'','\"') }} {% endif %} - } -{% endif %} - prevent_duplicate_name = {{ ad_group.owners.prevent_duplicate_name | default(false) | string | lower }} + prevent_duplicate_name = {{ ad_group.owners.prevent_duplicate_name | default(true) | string | lower }} } {% endfor %} } diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2 index cc3ef7b07..821c6f66a 100644 --- a/templates/resources/landingzone.tfvars.j2 +++ b/templates/resources/landingzone.tfvars.j2 
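Review bot: `prevent_duplicate_name` is read from `ad_group.owners.prevent_duplicate_name` although it is emitted as an attribute of the group itself, outside the `{% if ad_group.owners is defined %}` block, so a `prevent_duplicate_name` set at group level in the deployment YAML is ignored and the new default `true` always applies; when `owners` is absent the line only renders because the chained attribute access on an undefined value happens to be tolerated. If the attribute belongs at group level, `prevent_duplicate_name = {{ ad_group.prevent_duplicate_name | default(true) | string | lower }}` — confirm against the deployment YAML schema. The new `owners = {{ ad_group.owners | string | replace('None','[]') | replace('\'','\"') }}` line converts a whole dict via its Python repr and a quote swap, so an apostrophe inside any owner value, or a boolean rendered as `True`, produces invalid HCL; `{{ ad_group.owners | to_json }}` yields an object literal that HCL accepts without the replace chain.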
@@ -1,52 +1,32 @@ landingzone = { - backend_type = "{{ config.caf_terraform.launchpad.backend_type | default("azurerm") }}" -{% if config.tfstates['asvm'][subscription_key].level is defined %} - {% set level = config.tfstates['asvm'][subscription_key].level %} - level = "{{ level }}" -{% elif resources.deployments.landingzone.key.platform.values() | first %} - {% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].level %} - level = "{{ level }}" -{% elif resources.deployments.landingzone is defined %} - {% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level %} - level = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level}}" -{% else %} - {% set level = config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %} - level = "{{ level }}" -{% endif %} -{% if resources.deployments.landingzone.key.asvm is defined %} -{% for l_key, l_value in resources.deployments.landingzone.key.asvm.items() %} - key = "{{ config.tfstates['asvm'][l_key][l_value].lz_key_name}}" -{% endfor %} -{% elif resources.deployments.landingzone.key.platform.values() | first %} - key = "{{ config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].lz_key_name }}" -{% elif resources.deployments.landingzone.key.platform is defined %} - key = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].lz_key_name}}" -{% else %} - key = "{{ config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}" -{% endif %} + backend_type = "{{ tfstate_object.backend_type | default("azurerm") }}" + level = "{{ 
tfstate_object.level }}" + key = "{{ tfstate_object.lz_key_name }}" {% if resources.deployments.landingzone.global_settings_key.platform is defined %} {% if resources.deployments.landingzone.global_settings_key.platform.values() | first %} global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first][resources.deployments.landingzone.global_settings_key.platform.values() | first].lz_key_name }}" {% else %} global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" {% endif %} -{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is defined %} - global_settings_key = "{{ config.tfstates['platform'][resources.deployments[subscription_key].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" -{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is not defined %} -{% else %} -{% for m_key, m_value in resources.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %} - global_settings_key = "{{ config.tfstates['asvm'][m_key][m_value].lz_key_name }}" -{% endfor %} +{% elif resources.deployments.landingzone.global_settings_key.asvm is defined %} + global_settings_key = "{{ config.tfstates['asvm'][resources.deployments.landingzone.global_settings_key.asvm.keys() | first].lz_key_name }}" {% endif %} {% if resources.deployments.landingzone.remote_tfstates is defined %} tfstates = { {% if resources.deployments.landingzone.remote_tfstates.asvm is defined %} +{% if resources.deployments.landingzone.remote_tfstates.asvm.values() | first %} {% for a_key, a_value in resources.deployments.landingzone.remote_tfstates.asvm.items() %} {{ config.tfstates['asvm'][a_key][a_value].lz_key_name }} = { tfstate = "{{ config.tfstates['asvm'][a_key][a_value].tfstate }}" workspace = "{{ 
config.tfstates['asvm'][a_key].workspace }}" } {% endfor %} +{% else %} + {{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].lz_key_name }} = { + fstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}" + workspace = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].workspace | default('tfstate')}}" + } +{% endif %} {% endif %} {% if resources.deployments.landingzone.remote_tfstates.platform is defined %} {% for p_key in resources.deployments.landingzone.remote_tfstates.platform.keys() %} diff --git a/templates/resources/subscriptions.tfvars.j2 b/templates/resources/subscriptions.tfvars.j2 index f11c58513..985cad761 100644 --- a/templates/resources/subscriptions.tfvars.j2 +++ b/templates/resources/subscriptions.tfvars.j2 @@ -1,7 +1,8 @@ subscriptions = { -{% for key, value in resources.subscriptions[subscription_key].items() %} +{% for key, value in resources.subscriptions[subscription_key].subscriptions.items() %} {{ key }} = { name = "{{ value.name }}" +{% if value.subscription_id is not defined %} billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" enrollment_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}" {% if value.management_group_suffix is defined %} @@ -16,6 +17,9 @@ subscriptions = { {{ tag_key }} = "{{ value.tags[tag_key] }}" {% endfor %} } +{% endif %} +{% else %} + subscription_id = "{{value.subscription_id}}" {% endif %} } {% endfor %} From 23503b3c6fd52294ffe398c3b5e1d4cd4fb258ce Mon Sep 17 00:00:00 2001 
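Review bot: In the new `{% else %}` branch of the asvm `remote_tfstates` block the attribute is written as `fstate = ...` instead of `tfstate = ...`, so this branch emits a remote state entry with no tfstate name and the landing zone cannot resolve it; the line should read `tfstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}"`. That branch and the new `global_settings_key` asvm branch index `config.tfstates['asvm'][key]` one level deep while the `{% for %}` branch above indexes `[a_key][a_value]`; presumably the single level is the "no environment" shape, but a `{# asvm entry without environment #}` comment at the `{% else %}` would save the next reader from guessing.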
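Review bot: When `value.subscription_id` is defined the template now emits only `name` and `subscription_id`; the `management_group_suffix` and tags rendering sit inside the `{% if value.subscription_id is not defined %}` branch, so a pre-existing subscription referenced by id gets no tags and no management group placement from this file. If that is intended, a `{# existing subscription: only referenced, not configured here #}` comment at the `{% else %}` would state it; otherwise the added `{% endif %}` should move up to just after the `enrollment_account_name` line so the tags block renders for both branches. The two hunks now nest three `{% endif %}` lines in a row, which is hard to follow without such a comment.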
From: LaurentLesle Date: Wed, 16 Feb 2022 11:34:02 +0000 Subject: [PATCH 44/67] Add orion landingzone template --- .../deployments/orion_dev.yaml | 509 +++++++++++++++++ .../deployments/orion_prod.yaml | 522 ++++++++++++++++++ .../deployments/subscriptions.yaml | 31 ++ .../platform/single_subscription/README.md | 40 ++ .../single_subscription/bootstrap.yaml | 18 + .../contoso.caf.platform.yaml | 131 +++++ .../single_subscription/credentials.yaml | 433 +++++++++++++++ .../deployments/prod/asvm.yaml | 89 +++ .../prod/connectivity_firewall_policies.yaml | 34 ++ .../prod/connectivity_firewalls.yaml | 78 +++ .../prod/connectivity_private_dns.yaml | 192 +++++++ .../prod/connectivity_virtual_hubs.yaml | 52 ++ .../prod/connectivity_virtual_wan.yaml | 29 + .../deployments/prod/identity_level2.yaml | 22 + ...chetype_config_overrides.caf.platform.yaml | 328 +++++++++++ .../custom_landing_zones.caf.platform.yaml | 26 + .../single_subscription/eslz/eslz.yaml | 8 + .../eslz/lib/policy_assignments/README.md | 10 + .../policy_assignment_caf_aks_capability.json | 18 + ...olicy_assignment_es_allowed_locations.json | 18 + .../eslz/lib/policy_definitions/README.md | 10 + .../eslz/lib/policy_set_definitions/README.md | 10 + .../single_subscription/eslz/lib/readme.md | 2 + .../eslz/lib/role_definitions/README.md | 11 + .../role_definition_caf_vhub_peering.json | 27 + .../single_subscription/identity.yaml | 86 +++ .../single_subscription/launchpad.yaml | 509 +++++++++++++++++ .../single_subscription/management.yaml | 101 ++++ .../single_subscription/subscriptions.yaml | 22 + .../single_subscription/tfstates.yaml | 144 +++++ templates/platform/level3/ansible.yaml | 93 ++++ templates/platform/level3/readme.md | 30 + .../platform/level3/subscriptions/readme.md | 28 + .../storage_containers.tfvars.j2 | 16 + .../virtual_hubs_route_tables.tfvars.j2 | 35 ++ 35 files changed, 3712 insertions(+) create mode 100644 
templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml create mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml create mode 100644 templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/README.md create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml create mode 100644 
templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/management.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml create mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml create mode 100644 templates/platform/level3/ansible.yaml create mode 100644 templates/platform/level3/readme.md create mode 100644 templates/platform/level3/subscriptions/readme.md create mode 100644 templates/platform/level3/subscriptions/storage_containers.tfvars.j2 create mode 100644 templates/resources/virtual_hubs_route_tables.tfvars.j2 
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml
new file mode 100644
index 000000000..c4e957fe5
--- /dev/null
+++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml
@@ -0,0 +1,509 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level3/asvm/orion/dev + +deployments: + landingzone: + tfstate: + asvm: + orion_dev: + global_settings_key: + platform: + virtual_hubs: non_prod + remote_tfstates: + platform: + virtual_hubs: non_prod + azurerm_firewalls: non_prod + identity_level2: non_prod + asvm: + +subscriptions: + orion_dev: + resource_groups: + rg: + name: orion-dev + backup: + name: orion-dev-backup + networking: + name: orion-dev-networking + preparation: + name: orion-dev-preparation + modeling: + name: orion-dev-modeling + consumption: + name: orion-dev-consumption + analytics: + name: orion-dev-analytics + + virtual_networks: + vnet: + name: orion-dev + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_prod_plinks_01: + resource_type: azurerm_firewall + lz_key: connectivity_firewalls_non_prod + key: fw_non_prod_plinks_01 + address_space: + - 10.101.200.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.200.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.200.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + name: databricks + 
service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.201.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.201.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.200.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.201.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.201.192/27 + + network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + source_port_range: 
"*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + protocol: tcp + 
source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + consumption: + version: 1 + resource_group_key: networking + name: consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: databricks-notebook + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + 
destination_port_ranges: + - 80 + - 443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage.SoutheastAsia" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry.SoutheastAsia" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia" + destination_port_ranges: + - 443 + 507: + name: Keyvault SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault.SoutheastAsia" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_dev: + name: vnet-orion-dev-TO-non-prod + virtual_hub: + lz_key: connectivity_virtual_hub_non_prod + key: non_prod + vnet: + vnet_key: vnet + + 
recovery_vaults: + asr: + name: vault-orion-dev + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + keyvaults: + kv_delegated_sp: + name: oriondev0001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_non_prod: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_non_prod + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-orion-dev-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + custom_role_definitions: + contributors_extended: + name: lz-orion-dev-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
+ permissions:
+ actions:
+ - Microsoft.Network/privateDnsZones/join/action
+ - Microsoft.Network/virtualNetworks/join/action
+
+ role_mapping:
+ custom_role_mapping:
+ networking:
+ vnet:
+ contributors_extended:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+
+ built_in_role_mapping:
+ resource_groups:
+ preparation:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ modeling:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ consumption:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ analytics:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ storage_containers:
+ orion_prod_level3:
+ lz_key: orion_storage_containers
+ Storage Blob Data Contributor:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ orion_dev_level4:
+ lz_key: orion_storage_containers
+ Storage Blob Data Contributor:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml
new file mode 100644
index 000000000..b3a186add
--- /dev/null
+++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml
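Review bot: In `role_mapping.built_in_role_mapping.storage_containers`, the dev deployment maps `sp_LZContributors` to `orion_prod_level3` with Storage Blob Data Contributor, while the prod file maps its principal to `orion_prod_level3` and `orion_prod_level4`; by analogy this looks like it should read `orion_dev_level3`, and as written the dev-tier principal gets write access to a prod-tier container. If the cross-environment grant is intentional, a comment on that key saying why is needed. Separately, the `dns_servers_keys` entry is keyed `fw_prod_plinks_01` but resolves `key: fw_non_prod_plinks_01` from `connectivity_firewalls_non_prod`; renaming the map key to `fw_non_prod_plinks_01` removes the misleading name. Both this file and orion_prod.yaml pin `caf_landingzone_branch: aci_network`, a feature branch rather than a release tag, which deserves a comment if it is meant to be temporary.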
@@ -0,0 +1,522 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level3/asvm/orion/prod + +deployments: + landingzone: + tfstate: + asvm: + orion_prod: + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + virtual_hubs: prod + azurerm_firewalls: prod + identity_level2: prod + asvm: + +subscriptions: + orion_prod: + resource_groups: + rg: + name: orion-prod + backup: + name: orion-prod-backup + networking: + name: orion-prod-networking + preparation: + name: orion-prod-preparation + modeling: + name: orion-prod-modeling + consumption: + name: orion-prod-consumption + analytics: + name: orion-prod-analytics + + virtual_networks: + vnet: + name: orion-prod + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_prod_plinks_01: + resource_type: azurerm_firewall + lz_key: connectivity_firewalls_prod + key: fw_prod_plinks_01 + address_space: + - 10.101.8.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: 
Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.8.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.9.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.9.192/27 + + network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: 
"VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + protocol: tcp + source_port_range: "*" + 
source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + consumption: + version: 1 + resource_group_key: networking + name: consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: databricks-notebooks + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + destination_port_ranges: + - 80 + - 
443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry" + destination_port_ranges: + - 443 + 507: + name: Keyvault + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_prod: + name: vnet-orion-prod-TO-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet + + recovery_vaults: + asr: + name: vault-orion-prod + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia 
Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + keyvaults: + kv_delegated_sp: + name: orionprod001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_prod: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_prod + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-orion-prod-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + azuread_groups_membership: + caf_prod_landingzones_dns_contributors: + azuread_service_principals: + sp_LZContributors: + group_lz_key: identity_level2 + keys: + - sp_LZContributors + caf_ac_landingzone_maintainers_prod: + azuread_service_principals: + sp_LZContributors: + group_lz_key: asvm + keys: + - sp_LZContributors + + custom_role_definitions: + contributors_extended: + name: lz-orion-prod-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
+ permissions:
+ actions:
+ - Microsoft.Network/privateDnsZones/join/action
+ - Microsoft.Network/virtualNetworks/join/action
+
+ role_mapping:
+ custom_role_mapping:
+ networking:
+ vnet:
+ contributors_extended:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+
+ built_in_role_mapping:
+ resource_groups:
+ preparation:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ modeling:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ consumption:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ analytics:
+ Owner:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ storage_containers:
+ orion_prod_level3:
+ lz_key: orion_storage_containers
+ Storage Blob Data Contributor:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
+ orion_prod_level4:
+ lz_key: orion_storage_containers
+ Storage Blob Data Contributor:
+ azuread_service_principals:
+ keys:
+ - sp_LZContributors
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml
new file mode 100644
index 000000000..2715fced1
--- /dev/null
+++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml
@@ -0,0 +1,31 @@
+gitops:
+ caf_landingzone_branch: aci_network
+
+relative_destination_folder: level3/asvm/orion/subscriptions
+
+deployments:
+ landingzone:
+ tfstate:
+ asvm:
+ subscriptions:
+ global_settings_key:
+ platform:
+ asvm:
+ remote_tfstates:
+ platform:
+ asvm:
+
+subscriptions:
+ launchpad:
+ subscriptions:
+ orion_dev:
+ name: orion-dev
+ create_alias: false
+ subscription_id:
+
+ orion_prod:
+ name: orion-prod
+ create_alias: false
+ subscription_id:
+
+
\ No newline at end of file
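Review bot: Outbound rule `405` (`name: ICMP`) in `network_security_group_definition.databricks_egress` allows ICMP from `*` to `*`, which is broader than the neighbouring Databricks service-tag rules and has no counterpart in `databricks_private`; if it is only needed for reachability checks inside the VNet, `destination_address_prefix: "VirtualNetwork"` would bound it, otherwise a comment explaining the any-to-any scope would help. The same rule appears in orion_dev.yaml. Also, `databricks_notebooks` is named `databricks-notebooks` here but `databricks-notebook` in orion_dev.yaml, so the two environments will produce differently named NSGs for the same subnet role.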
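Review bot: Both `subscription_id:` values under `subscriptions.launchpad.subscriptions` are left empty while `create_alias: false` indicates an existing subscription is reused rather than created, so the rendered tfvars will carry a null id until someone fills it in; a comment such as `# required: GUID of the existing subscription (create_alias: false does not create one)` on each entry would make that expectation explicit. The file also ends with a whitespace-only line and no trailing newline, which the diff flags with `\ No newline at end of file`.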
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/README.md
new file mode 100644
index 000000000..872e24b3d
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/README.md
@@ -0,0 +1,40 @@
+# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform
+
+
+:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup)
+
+
+For further executions or command, you can refer to the following sections
+
+## Commands
+
+### Clone the landingzone project (Terraform base code)
+```bash
+# Git Urls or from a fork
+# https://github.com/Azure/caf-terraform-landingzones.git
+git clone /tf/caf/landingzones
+cd /tf/caf/landingzones
+git pull
+git checkout aci_network
+
+```
+
+### Rover ignite the platform
+Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps.
+Rover ignite creates the tfvars and also the documentation.
+
+```bash
+rover login -t -s
+
+rover ignite \
+ --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
+ -e base_templates_folder=/tf/caf/landingzones/templates/platform \
+ -e resource_template_folder=/tf/caf/landingzones/templates/resources \
+ -e config_folder=/tf/caf/definitions/single_subscription \
+ -e landingzones_folder=/tf/caf/landingzones
+
+```
+
+### Next step
+
+Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created.
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml
new file mode 100644
index 000000000..f7666fbaa
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml
@@ -0,0 +1,18 @@
+#
+# Set the workflow to bootstrap the Azure platform landing zones
+#
+deployments:
+ 0:
+ 0:
+ launchpad:
+ 1:
+ launchpad_credentials:
+ # 2:
+ # subscriptions:
+ 3:
+ identity:
+ 4:
+ management:
+ 5:
+ eslz:
+
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml
new file mode 100644
index 000000000..dcab56fb8
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml
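Review bot: Step `2: subscriptions` is commented out with no explanation, so a reader cannot tell whether it was disabled on purpose or left half-done; the reason appears to be the `subscription_deployment_mode: single_reuse` setting in contoso.caf.platform.yaml in this same commit, in which case a comment such as `# 2: subscriptions - skipped in single_reuse mode, the existing launchpad subscription is reused` next to the commented lines would record that. The numbering gap (1, 3, 4, 5) is fine as long as the workflow keys are sorted rather than contiguous, which the hunk does not show.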
@@ -0,0 +1,131 @@ +# cleanup_destination - recommended to clean and recreated a clean state from template. +configuration_folders: + platform: + # true: force the destination folder to be deleted and re-created before the files are created. + # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. + cleanup_destination: true + # base destination folder where rover ignite will store the tfvars files. No / at the end + destination_base_path: /tf/caf + # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end + destination_relative_path: platform/ + + +caf_terraform: + naming_convention: + # When set to false use the CAF provider to generate names aligned to CAF guidance + # true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace. + passthrough: false + inherit_tags: false + # set: define the prefix to add to all resource names + # unset: if passthrough is set to false, generate a random prefix + prefix: cont + # if passthrough is set to false, add random suffix to name, up to the random_lenght value. + random_length: 3 + launchpad: + caf_environment: + regions: + region1: + # set the short form of the Azure region + name: southeastasia # Use the lower-case region's name, short version with no space + slug: sea + region2: + name: eastasia # Use the lower-case region's name, short version with no space + slug: ea + default_region_key: region1 + # Define the number of CAF levels to use. Recommeded is 3 for the platform. + # number_of_levels: 3 + # blob_versioning_enabled: true + # container_delete_retention_policy: 7 + # delete_retention_policy: 7 + # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. 
+ subscription_id: + subscription_name: LLE-Resource Sub1 + tenant_id: + global_tags_propagated: yes + tags: + test: + + billing_subscription_role_delegations: + # true: enable this deployment. The remaining attributes are required. + # false: disable this deployment. + # azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform + # azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running: + # az ad signed-in-user show --query objectId -o tsv + # The remaining attributes are ignored: [billing_account_name, enrollment_account_name] + enable: false + # Azure Active Directory User (UPN) that is Account Owner in the EA portal + # if enable=false, set the upn of the user doing the manual deployment + azuread_user_ea_account_owner: + # see comments above to get the object_id + # + # Also set this GUID to the owner of the launchpad azuread_groups + # + azuread_user_ea_account_owner_object_id: + # Only set the following two attributes when enable=true + billing_account_name: + enrollment_account_name: + + +platform_core_setup: + enterprise_scale: + enable: true + management_group_name: + management_group_prefix: + deploy_core_landing_zones: true + enable_azure_subscription_vending_machine: true + clean_up_destination_folder: true + update_lib_folder: true + # resuse_subscriptions - do not create subscriptions through API automation. Requires the following subscription_id_overrides to be set with 4 subscriptions + # single_reuse - Deploy on a single subscription + subscription_deployment_mode: single_reuse + # Option only set if you've be given a delegated management group ID. 
+ # Comment to deploy to deploy at the tenant root level + # root_parent_id: lab + private_lib: + version_to_deploy: v1.1.1 + v0.1.x: + caf_landingzone_branch: "2107.1" + v0.3.3: + caf_landingzone_branch: "patch.5.4.4" + v1.1.1: + caf_landingzone_branch: "aci_network" + +platform_management: + enable: true + +networking_topology: + deployment_option: virtual_wan + +platform_identity: + # Set the Azure Active Directory tenant name (primary domain name) + # has to be the default domain name (custom dns name or tenantname.onmicrosoft.com) + # check the AAD property + tenant_name: + # only service_principal supported with rover ignite at the moment + azuread_identity_mode: service_principal + enable_azuread_groups: true + enable_azuread_applications: true + # UPNs you want to add in the caf_platform_maintainers Azure AD group + # Can use user or guest accounts + # Those users will have full permissions on platform. + # Once setup, you can remove them from here or add them from + # Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts. + caf_platform_maintainers: + user_principal_names: + # - + caf_platform_contributors: + user_principal_names: + # - + +notifications: + service_health_alerts: + emails: + support1: + name: Support + email_address: + security_center_email_contact: + +gitops: + caf_landingzone_branch: "aci_network" + deployment_mode: interactive + rover_log_error: ERROR diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml new file mode 100644 index 000000000..6f69ef209 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml 
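Review bot: `global_tags_propagated: yes` in the `launchpad` block is the only boolean in this file written as `yes`; every other flag (`passthrough`, `inherit_tags`, `enable`, `deploy_core_landing_zones`) uses `true`/`false`, and YAML 1.2 parsers read `yes` as the string "yes" rather than a boolean, so it should be `global_tags_propagated: true`. Both `caf_landingzone_branch: "aci_network"` entries (under `v1.1.1` and under `gitops`) pin the platform library and the gitops runs to what appears to be a mutable development branch, while `v0.1.x` and `v0.3.3` reference fixed values; if that is intentional for this template, a comment such as `# aci_network is a development branch - replace with a release reference before production use` would stop it being copied as-is. The comment typos `launhchapd`, `servides`, `random_lenght`, `Recommeded` and `begining` could be fixed in the same pass.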
@@ -0,0 +1,433 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level0/credentials + +deployments: + landingzone: + tfstate: + platform: + launchpad_credentials: + global_settings_key: + platform: + launchpad: + remote_tfstates: + platform: + launchpad: + + +subscriptions: + launchpad_credentials: + resource_groups: + sp_credentials: + name: credentials + + keyvaults: + cred_ea_account_owner: + name: eaowner + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + cred_level0: + name: idl0 + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + level0: + lz_key: launchpad + azuread_group_key: level0 + secret_permissions: + - Get + cred_identity: + name: id + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + cred_management: + name: mg + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + 
caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + management_azuread_group: + lz_key: launchpad + azuread_group_key: management + secret_permissions: + - Get + cred_eslz: + name: es + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + eslz_azuread_group: + lz_key: launchpad + azuread_group_key: eslz + secret_permissions: + - Get + cred_connectivity: + name: co + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + connectivity_azuread_group: + lz_key: launchpad + azuread_group_key: connectivity + secret_permissions: + - Get + cred_subscription_creation_platform: + name: scp + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - 
Delete + - Purge + - Recover + subscription_creation_platform_azuread_group: + lz_key: launchpad + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + cred_subscription_creation_landingzones: + name: scl + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + subscription_creation_platform_azuread_group: + lz_key: launchpad + azuread_group_key: subscription_creation_landingzones + secret_permissions: + - Get + cred_gitops: + name: gitops + resource_group_key: sp_credentials + purge_protection_enabled: false + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + cred_ea_account_owner: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_level0: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_identity: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_management: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_eslz: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_connectivity: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_subscription_creation_platform: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - 
Get + cred_subscription_creation_landingzones: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_gitops: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + + + azuread_applications: + gitops: + application_name: app-azure-platform-credentials-for-gitops + + azuread_service_principals: + gitops: + azuread_application: + key: gitops + + azuread_credentials: + gitops: + type: password + azuread_credential_policy_key: gitops + azuread_application: + key: gitops + keyvaults: + cred_gitops: + secret_prefix: sp + level0: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: level0 + keyvaults: + cred_level0: + secret_prefix: sp + identity: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: identity + keyvaults: + cred_identity: + secret_prefix: sp + management: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: management + keyvaults: + cred_management: + secret_prefix: sp + eslz: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: eslz + keyvaults: + cred_eslz: + secret_prefix: sp + connectivity: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: connectivity + keyvaults: + cred_connectivity: + secret_prefix: sp + subscription_creation_platform: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: subscription_creation_platform + keyvaults: + cred_subscription_creation_platform: + secret_prefix: sp + subscription_creation_landingzones: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: subscription_creation_landingzones + keyvaults: + 
cred_subscription_creation_landingzones: + secret_prefix: sp + + azuread_credential_policies: + gitops: + length: 250 + special: false + upper: true + number: true + expire_in_days: 360 + rotation_key0: + days: 181 + rotation_key1: + days: 300 + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 65 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml new file mode 100644 index 000000000..ae3eae00c --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml 
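Review bot: Every credential key vault under `subscriptions.launchpad_credentials.keyvaults` (`cred_ea_account_owner` through `cred_gitops`) sets `purge_protection_enabled: false` while granting `Purge` to the `caf_platform_maintainers` and `identity` groups, so a compromised or mistaken member of either group can permanently destroy the platform service-principal secrets with no recovery window. For vaults holding credentials, `purge_protection_enabled: true` is the safer default, or the choice should be documented inline, e.g. `# purge protection left off so the lab can be torn down; enable for production`. The `gitops` service principal is also given `Get` on all nine vaults in `keyvault_access_policies`, including `cred_ea_account_owner`; that is one identity able to read every platform credential and deserves a comment stating the intent. Separately, the creation-policy entry under `cred_subscription_creation_landingzones` is keyed `subscription_creation_platform_azuread_group` but maps to `azuread_group_key: subscription_creation_landingzones`, which reads like a copy-paste slip; `subscription_creation_landingzones_azuread_group:` would match the pattern used by the other vaults.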
@@ -0,0 +1,89 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2/asvm + +deployments: + landingzone: + tfstate: + platform: + asvm: + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: + +subscriptions: + launchpad: + resource_groups: + level3: + name: caf-level3 + tags: + level: level3 + level4: + name: caf-level4 + tags: + level: level4 + + storage_accounts: + level3: + name: l3 + resource_group_key: level3 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: + caf_launchpad: launchpad + caf_tfstate: level3 + level4: + name: l4 + resource_group_key: level4 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: + caf_launchpad: launchpad + caf_tfstate: level4 + + keyvaults: + level3: + name: l3 + resource_group_key: level3 + level4: + name: l4 + resource_group_key: level4 + + + azuread_groups: + caf_ac_landingzone_maintainers_non_prod: + name: caf_ac_landingzone_maintainers_non_prod + + caf_ac_landingzone_maintainers_prod: + name: caf_ac_landingzone_maintainers_prod 
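Review bot: The `level4` storage account in `subscriptions.launchpad.storage_accounts` has no `containers:` block, while `level3` declares a `tfstate` container; since both accounts carry the `caf_tfstate` tag that the inline comment says the rover uses to locate tfstates, `level4` looks like it is missing `containers:` / `tfstate:` / `name: tfstate` indented exactly as under `level3`. If level4 state is intentionally stored elsewhere, a comment on the `level4` entry saying so would prevent the omission being read as a bug. The `caf_environment:` tag is left empty on both accounts; if rover ignite fills it from the platform configuration, a comment naming that source would help, given the note that the value must not change after creation.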
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml new file mode 100644 index 000000000..ce09fa332 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml @@ -0,0 +1,34 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2/connectivity/azurerm_firewall_policies/prod + +deployments: + landingzone: + tfstate: + platform: + azurerm_firewall_policies: prod + global_settings_key: + platform: + virtual_wans: prod + remote_tfstates: + platform: + virtual_wans: prod + + +subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-prod-firewall-policies + region_key: region1 + + azurerm_firewall_policies: + root: + name: "prod-root-policy" + region_key: region1 + resource_group: + key: firewall_policies + dns: + proxy_enabled: true + threat_intelligence_mode: "Alert" diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml new file mode 100644 index 000000000..680c57f8d --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml 
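Review bot: `threat_intelligence_mode: "Alert"` on the `root` policy means threat-intelligence matches are logged but not blocked for the production firewall that inherits it; Azure Firewall also supports `Deny` for this setting. If Alert is a deliberate starting mode for tuning, a comment such as `# Alert only: review firewall logs, then switch to Deny once false positives are understood` would make the intent explicit and tell the reader what the next step is.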
@@ -0,0 +1,78 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2//connectivity/azurerm_firewalls/prod + +deployments: + landingzone: + tfstate: + platform: + azurerm_firewalls: prod + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + platform: + virtual_hubs: prod + azurerm_firewall_policies: prod + + +subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-prod-firewall + region_key: region1 + + + virtual_networks: + vnet: + name: vnet-connectivity-prod-fw-plinks + resource_group_key: firewall_policies + region_key: region1 + address_space: + - 10.101.61.0/24 + specialsubnets: + AzureFirewallSubnet: + name: AzureFirewallSubnet + cidr: + - 10.101.61.0/26 + + public_ip_addresses: + fw_pip1: + name: pip-prod-fw-01 + resource_group_key: firewall_policies + sku: Standard + allocation_method: Static + ip_version: IPv4 + idle_timeout_in_minutes: 4 + + azurerm_firewalls: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + resource_group_key: firewall_policies + vnet_key: vnet + sku_tier: Standard + firewall_policy: + key: root + lz_key: connectivity_firewall_policies_prod + zones: + - 1 + - 2 + - 3 + public_ips: + ip1: + name: pip1 + public_ip_key: fw_pip1 + vnet_key: vnet + subnet_key: AzureFirewallSubnet + + + virtual_hub_connections: + vnet_to_hub: + name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml new file mode 100644 index 000000000..732513477 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml 
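Review bot: `relative_destination_folder: level2//connectivity/azurerm_firewalls/prod` contains a double slash, unlike every other deployment file in this patch (`level2/connectivity/...`); whether or not the path normalises downstream, it should read `relative_destination_folder: level2/connectivity/azurerm_firewalls/prod`. The resource group key `firewall_policies` here names a group called `connectivity-prod-firewall` that holds the firewall, its VNet and the public IP, while `connectivity_firewall_policies.yaml` uses the same key for the `connectivity-prod-firewall-policies` group; a key such as `firewall` would keep the two from being confused when reading `resource_group_key` references. The file also lacks a trailing newline, as the `\ No newline at end of file` marker records.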
@@ -0,0 +1,192 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2/connectivity/private_dns/prod + +deployments: + landingzone: + tfstate: + platform: + private_dns: prod + global_settings_key: + platform: + azurerm_firewalls: prod + remote_tfstates: + platform: + azurerm_firewalls: prod + identity_level2: prod + +subscriptions: + connectivity: + + role_mapping: + custom_role_mapping: + resource_groups: + dns_connectivity_prod: + landgingzone_extended: + azuread_groups: + lz_key: identity_level2 + keys: + - caf_prod_landingzones_dns_contributors + built_in_role_mapping: + resource_groups: + dns_connectivity_prod: + Private DNS Zone Contributor: + azuread_groups: + lz_key: identity_level2 + keys: + - caf_prod_landingzones_dns_contributors + + resource_groups: + dns_connectivity_prod: + name: dns-connectivity-prod + private_dns: + privatelink.adf.azure.com: + name: privatelink.adf.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.datafactory.azure.net: + name: privatelink.datafactory.azure.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.blob.core.windows.net: + name: privatelink.blob.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.file.core.windows.net: + name: privatelink.file.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.notebooks.azure.net: + name: privatelink.notebooks.azure.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + 
vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.dfs.core.windows.net: + name: privatelink.dfs.core.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.vaultcore.azure.net: + name: privatelink.vaultcore.azure.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.southeastasia.azmk8s.io: + name: privatelink.southeastasia.azmk8s.io + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.azurecr.io: + name: privatelink.azurecr.io + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.southeastasia.backup.windowsazure.com: + name: privatelink.southeastasia.backup.windowsazure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.siterecovery.windowsazure.com: + name: privatelink.siterecovery.windowsazure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.servicebus.windows.net: + name: privatelink.servicebus.windows.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.api.azureml.ms: + name: privatelink.api.azureml.ms + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + 
privatelink.monitor.azure.com: + name: privatelink.monitor.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.oms.opinsights.azure.com: + name: privatelink.oms.opinsights.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.ods.opinsights.azure.com: + name: privatelink.ods.opinsights.azure.com + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + privatelink.agentsvc.azure-automation.net: + name: privatelink.agentsvc.azure-automation.net + resource_group_key: dns_connectivity_prod + vnet_links: + fw_prod_plinks_01: + name: fw-prod-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_prod + + custom_role_definitions: + landgingzone_extended: + name: landingzone-networking-private-dns-extended + useprefix: true + description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." + permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write + + diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml new file mode 100644 index 000000000..43d9836f2 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml 
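Review bot: The `caf_prod_landingzones_dns_contributors` group receives both the built-in `Private DNS Zone Contributor` role and the custom `landgingzone_extended` role on `dns_connectivity_prod`; the built-in role's definition includes `Microsoft.Network/privateDnsZones/*`, which already covers the custom role's `privateDnsZones/join/action`, so the custom role only adds the two `privateEndpoints/privateDnsZoneGroups` actions and the Contributor assignment lets landing-zone principals delete or rewrite every privatelink zone in the group. If the goal is only to let level4 principals register private endpoints, the custom role alone may be sufficient and is worth validating before keeping the broader built-in role; either way a comment on `built_in_role_mapping` explaining why both are assigned would help. The key `landgingzone_extended` (used in both `custom_role_mapping` and `custom_role_definitions`) and `activies` in the description look like typos for `landingzone_extended` and `activities`.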
@@ -0,0 +1,52 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2/connectivity/virtual_hubs/prod + +deployments: + landingzone: + tfstate: + platform: + virtual_hubs: prod + global_settings_key: + platform: + virtual_wans: prod + remote_tfstates: + platform: + virtual_wans: prod + custom_variables: + virtual_hub_lz_key: connectivity_virtual_hub_prod + # ddos_protection_plan_id: + +subscriptions: + connectivity: + virtual_hubs: + prod: + name: Production + virtual_wan: + lz_key: connectivity_virtual_wan + key: global_wan + region_key: region1 + hub_address_prefix: 10.101.51.0/24 + deploy_s2s: false + s2s_config: + name: prod + scale_unit: 1 + deploy_er: false + er_config: + name: prod + scale_units: 1 + + express_route_connections: + prod: + enable_er_connections: false + name: er-1-prod + virtual_hub: + key: prod + circuit_peering: + tfstate_key: prod + key: private_peering + express_route_circuit_authorization: + tfstate_key: prod + key: vhub-prod + diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml new file mode 100644 index 000000000..e5fd0d618 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml @@ -0,0 +1,29 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2/connectivity/virtual_wans + +deployments: + landingzone: + tfstate: + platform: + virtual_wans: prod + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: + +subscriptions: + connectivity: + virtual_wans: + global_wan: + name: vwan + resource_group_key: global_wan + region_key: region1 + + resource_groups: + global_wan: + name: connectivity-global-wan + region_key: region1 
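Review bot: `virtual_wan.lz_key: connectivity_virtual_wan` in the `prod` hub does not follow the `<file>_<environment>` form used by the other cross-landing-zone references in this patch (`connectivity_virtual_hub_prod` set via `custom_variables` here, `connectivity_firewalls_prod`, `connectivity_firewall_policies_prod`), and `connectivity_virtual_wan.yaml` declares no `custom_variables` key of its own, so it is not visible from these files how `connectivity_virtual_wan` resolves. If the virtual WAN landing zone is meant to be environment-agnostic, a comment next to `lz_key` saying so would save the reader a trip into the rover ignite templates; otherwise the key presumably needs the `_prod` suffix. The commented `# ddos_protection_plan_id:` is left without any note on whether DDoS protection is expected for the hub prefix `10.101.51.0/24`; one line such as `# no DDoS plan in the single-subscription lab; set one for production hubs` would make that a conscious choice.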
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml new file mode 100644 index 000000000..9ce1cf573 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml @@ -0,0 +1,22 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level2/identity/prod + +deployments: + landingzone: + tfstate: + platform: + identity_level2: prod + global_settings_key: + platform: + identity: + remote_tfstates: + platform: + identity: + +subscriptions: + identity: + azuread_groups: + caf_prod_landingzones_dns_contributors: + name: caf ac prod landingzones dns contributors \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml new file mode 100644 index 000000000..42ba8f62a --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml 
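Review bot: The group name `caf ac prod landingzones dns contributors` uses spaces, whereas the groups declared in `asvm.yaml` in this patch (`caf_ac_landingzone_maintainers_prod`) use underscores; `name: caf_ac_prod_landingzones_dns_contributors` would match the key and the existing convention and avoid a display name that differs from the key only by separators. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.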
@@ -0,0 +1,328 @@ +archetype_definitions: + root: + archetype_id: root + policy_assignments: + Allowed-Locations: + listOfAllowedLocations: + - southeastasia # Use the lower-case region's name, short version with no space + - eastasia + Deny-RSG-Locations: + listOfAllowedLocations: + - southeastasia + - eastasia + # Set to Audit as Terraform cannot combine both in one operation yet. + Deny-Subnet-Without-Nsg: + effect: Audit + # Set to Audit as Terraform cannot combine both in one operation yet. + Deny-Subnet-Without-Udr: + effect: Audit + # Deploy-Nsg-FlowLogs: + # retention: 10 + # storageAccountResourceId: + # trafficAnalyticsInterval: 10 + # flowAnalyticsEnabled: true + # logAnalytics: + # lz_key: management + # output_key: diagnostics + # resource_type: log_analytics + # resource_key: region1 + # attribute_key: id + # More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 + # Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled... 
+ Deploy-ASC-Monitoring: + aadAuthenticationInSqlServerMonitoringEffect: Disabled + diskEncryptionMonitoringEffect: Disabled + encryptionOfAutomationAccountMonitoringEffect: Disabled + identityDesignateLessThanOwnersMonitoringEffect: Disabled + identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled + identityEnableMFAForWritePermissionsMonitoringEffect: Disabled + identityRemoveDeprecatedAccountMonitoringEffect: Disabled + identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled + identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled + identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled + identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled + jitNetworkAccessMonitoringEffect: Disabled + networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled + sqlDbEncryptionMonitoringEffect: Disabled + sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled + sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled + sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled + sqlServerAdvancedDataSecurityMonitoringEffect: Disabled + systemUpdatesMonitoringEffect: Disabled + useRbacRulesMonitoringEffect: Disabled + vmssSystemUpdatesMonitoringEffect: Disabled + windowsDefenderExploitGuardMonitoringEffect: Disabled + Deploy-ASCDF-Config: + emailSecurityContact: + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + enableAscForKubernetes: DeployIfNotExists + enableAscForSql: DeployIfNotExists + enableAscForSqlOnVm: DeployIfNotExists + enableAscForDns: DeployIfNotExists + enableAscForArm: DeployIfNotExists + enableAscForOssDb: DeployIfNotExists + enableAscForAppServices: DeployIfNotExists + enableAscForRegistries: DeployIfNotExists + enableAscForKeyVault: DeployIfNotExists + enableAscForStorage: DeployIfNotExists + enableAscForServers: DeployIfNotExists + 
Deploy-AzActivity-Log: + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-LX-Arc-Monitoring: + Deploy-Resource-Diag: + profileName: eslz-diagnostic-log + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-WS-Arc-Monitoring: + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-VM-Monitoring: + logAnalytics_1: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deploy-VMSS-Monitoring: + logAnalytics_1: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + policy_definitions: + Append-AppService-httpsonly: + Append-AppService-latestTLS: + Append-KV-SoftDelete: + Append-Redis-disableNonSslPort: + Append-Redis-sslEnforcement: + Audit-MachineLearning-PrivateEndpointId: + Deny-AA-child-resources: + Deny-AppGW-Without-WAF: + Deny-AppServiceApiApp-http: + Deny-AppServiceFunctionApp-http: + Deny-AppServiceWebApp-http: + Deny-Databricks-NoPublicIp: + Deny-Databricks-Sku: + Deny-Databricks-VirtualNetwork: + Deny-MachineLearning-Aks: + Deny-MachineLearning-Compute-SubnetId: + Deny-MachineLearning-Compute-VmSize: + Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess: + Deny-MachineLearning-ComputeCluster-Scale: + Deny-MachineLearning-HbiWorkspace: + Deny-MachineLearning-PublicAccessWhenBehindVnet: + Deny-MachineLearning-PublicNetworkAccess: + Deny-MySql-http: + Deny-PostgreSql-http: + Deny-Private-DNS-Zones: + Deny-PublicEndpoint-MariaDB: + Deny-PublicIP: + Deny-RDP-From-Internet: + Deny-Redis-http: + Deny-Sql-minTLS: + Deny-SqlMi-minTLS: + Deny-Storage-minTLS: + Deny-Subnet-Without-Nsg: + Deny-Subnet-Without-Udr: + Deny-VNET-Peer-Cross-Sub: + 
Deny-VNet-Peering: + Deploy-ASC-SecurityContacts: + Deploy-Budget: + Deploy-Custom-Route-Table: + Deploy-DDoSProtection: + Deploy-Diagnostics-AA: + Deploy-Diagnostics-ACI: + Deploy-Diagnostics-ACR: + Deploy-Diagnostics-AnalysisService: + Deploy-Diagnostics-ApiForFHIR: + Deploy-Diagnostics-APIMgmt: + Deploy-Diagnostics-ApplicationGateway: + Deploy-Diagnostics-CDNEndpoints: + Deploy-Diagnostics-CognitiveServices: + Deploy-Diagnostics-CosmosDB: + Deploy-Diagnostics-Databricks: + Deploy-Diagnostics-DataExplorerCluster: + Deploy-Diagnostics-DataFactory: + Deploy-Diagnostics-DLAnalytics: + Deploy-Diagnostics-EventGridSub: + Deploy-Diagnostics-EventGridSystemTopic: + Deploy-Diagnostics-EventGridTopic: + Deploy-Diagnostics-ExpressRoute: + Deploy-Diagnostics-Firewall: + Deploy-Diagnostics-FrontDoor: + Deploy-Diagnostics-Function: + Deploy-Diagnostics-HDInsight: + Deploy-Diagnostics-iotHub: + Deploy-Diagnostics-LoadBalancer: + Deploy-Diagnostics-LogicAppsISE: + Deploy-Diagnostics-MariaDB: + Deploy-Diagnostics-MediaService: + Deploy-Diagnostics-MlWorkspace: + Deploy-Diagnostics-MySQL: + Deploy-Diagnostics-NetworkSecurityGroups: + Deploy-Diagnostics-NIC: + Deploy-Diagnostics-PostgreSQL: + Deploy-Diagnostics-PowerBIEmbedded: + Deploy-Diagnostics-RedisCache: + Deploy-Diagnostics-Relay: + Deploy-Diagnostics-SignalR: + Deploy-Diagnostics-SQLElasticPools: + Deploy-Diagnostics-SQLMI: + Deploy-Diagnostics-TimeSeriesInsights: + Deploy-Diagnostics-TrafficManager: + Deploy-Diagnostics-VirtualNetwork: + Deploy-Diagnostics-VM: + Deploy-Diagnostics-VMSS: + Deploy-Diagnostics-VNetGW: + Deploy-Diagnostics-WebServerFarm: + Deploy-Diagnostics-Website: + Deploy-Diagnostics-WVDAppGroup: + Deploy-Diagnostics-WVDHostPools: + Deploy-Diagnostics-WVDWorkspace: + Deploy-FirewallPolicy: + Deploy-MySQL-sslEnforcement: + Deploy-Nsg-FlowLogs-to-LA: + Deploy-Nsg-FlowLogs: + Deploy-PostgreSQL-sslEnforcement: + Deploy-Sql-AuditingSettings: + Deploy-SQL-minTLS: + Deploy-Sql-SecurityAlertPolicies: + 
Deploy-Sql-Tde: + Deploy-Sql-vulnerabilityAssessments: + Deploy-SqlMi-minTLS: + Deploy-Storage-sslEnforcement: + Deploy-Windows-DomainJoin: + policy_set_definitions: + Deny-PublicPaaSEndpoints: + Deploy-ASCDF-Config: + Deploy-Diagnostics-LogAnalytics: + Deploy-Sql-Security: + Enforce-Encryption-CMK: + Enforce-EncryptTransit: + remediation: + policy: + policy_set_definitions: + # policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766 + # /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag + Deploy-Diagnostics-LogAnalytics: + - ExpressRouteDeployDiagnosticLogDeployLogAnalytics + - FirewallDeployDiagnosticLogDeployLogAnalytics + - KeyVaultDeployDiagnosticLogDeployLogAnalytics + - LoadBalancerDeployDiagnosticLogDeployLogAnalytics + - NetworkNICDeployDiagnosticLogDeployLogAnalytics + - NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics + - NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics + - RecoveryVaultDeployDiagnosticLogDeployLogAnalytics + - storageaccountdeploydiagnosticlogdeployloganalytics + - VirtualNetworkDeployDiagnosticLogDeployLogAnalytics + - VNetGWDeployDiagnosticLogDeployLogAnalytics + Deploy-ASCDF-Config: + - defenderForOssDb + - defenderForVM + - defenderForSqlServerVirtualMachines + - defenderForAppServices + - defenderForStorageAccounts + - defenderForKubernetesService + - defenderForContainerRegistry + - defenderForKeyVaults + - defenderForDns + - defenderForArm + - defenderForSqlPaas + - securityEmailContact + - ascExport + landing-zones: + archetype_id: landing-zones + policy_assignments: + Deny-IP-Forwarding: + Deny-Priv-Containers-AKS: + Deny-Priv-Escalation-AKS: + Deny-RDP-From-Internet: + Deny-Storage-http: + Deploy-AKS-Policy: + Deploy-SQL-DB-Auditing: 
+ Deploy-SQL-Threat: + Enable-DDoS-VNET: + Enforce-AKS-HTTPS: + Enforce-TLS-SSL: + # Deploy-Windows-DomainJoin: + # domainFQDN: aadds-xl.co.id + + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - subscription_creation_landingzones + connectivity: + archetype_id: platform_connectivity + policy_assignments: + Enable-DDoS-VNET: + role_definitions: + CAF-network-vhub-peering: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - connectivity + # Make sure you replace with the Management Group ID in UPPER CASE + '[-CONNECTIVITY] CAF-network-vhub-peering': + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - subscription_creation_landingzones + - identity + - management + management: + archetype_id: platform_management + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - management + identity: + archetype_id: platform_identity + policy_assignments: + Deny-RDP-From-Internet: + Deny-Public-IP: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - identity + decommissioned: + archetype_id: platform_decommissioned + platform: + archetype_id: platform + sandboxes: + archetype_id: platform_sandboxes \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml new file mode 100644 index 000000000..6ae8db0c4 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml 
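Review bot: `Deploy-ASC-Monitoring` in this hunk sets every Azure Security Benchmark monitoring effect to `Disabled` (MFA for write permissions, deprecated and external accounts, JIT network access, system updates, RBAC usage and the rest), and `Deploy-ASCDF-Config` leaves `emailSecurityContact:` empty, so a tenant that adopts this reference configuration unchanged gets neither the benchmark findings nor a Defender security contact, and nothing in the file says this is deliberate. Please record the rationale inline, e.g. `# All ASB monitoring effects are Disabled for the reference deployment; review and re-enable before production use`, and either fill the security contact or comment on where it is expected to be set. The commented `Deploy-Windows-DomainJoin` example carries a specific-looking domain (`aadds-xl.co.id`); a neutral placeholder such as `domainFQDN: <your-aadds-domain>` avoids it being copied into real deployments. In the `Deploy-Diagnostics-LogAnalytics` remediation list, `storageaccountdeploydiagnosticlogdeployloganalytics` is the only lower-cased reference id; if the module matches `policyDefinitionReferenceId` case-sensitively this entry will not remediate, so confirm the casing against the referenced policy set definition.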
@@ -0,0 +1,26 @@
+archetype_definitions:
+ corp:
+ display_name: Corp
+ archetype_id: landingzone_corp
+ parent_management_group_id: landing-zones
+ subscription_ids:
+ online:
+ display_name: Online
+ archetype_id: landingzone_online
+ parent_management_group_id: landing-zones
+ subscription_ids:
+ corp-prod:
+ display_name: Production
+ archetype_id: landingzone_prod
+ parent_management_group_id: corp
+ subscription_ids:
+ corp-non-prod:
+ display_name: Non Production
+ archetype_id: landingzone_non_prod
+ parent_management_group_id: corp
+ subscription_ids:
+ online-web:
+ display_name: Non Production
+ archetype_id: landingzone_online_web
+ parent_management_group_id: online
+ subscription_ids:
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml
new file mode 100644
index 000000000..a8dc8b3d1
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml
@@ -0,0 +1,8 @@
+gitops:
+ landingzones: aci_network
+
+relative_destination_folder: level1/eslz
+
+# Keep the following to allow rover ignite to process the deployment.
+subscriptions:
+ launchpad:
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md
new file mode 100644
index 000000000..def2a5a6d
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md
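Review bot: `online-web` is given `display_name: Non Production`, which reads as a copy-paste from `corp-non-prod` two entries above; the sibling entries use a display name that matches their key (`Corp`, `Online`, `Production`), so this one presumably wants its own, e.g. `display_name: Online Web`. All five `subscription_ids:` entries are empty, which is plausible for a template, but a comment at the top such as `# subscription_ids: list the subscription GUIDs to place under each management group` would tell the user what is expected to be filled in.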
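Review bot: `gitops: landingzones: aci_network` in eslz.yaml uses a different key from every other yaml in this patch, which write `gitops: caf_landingzone_branch: aci_network`; if the generator reads only one of those keys, this deployment will be resolved from the default branch instead of the one the other files pin. Either align it to `caf_landingzone_branch` or, if eslz intentionally uses a separate key, say so next to the existing comment that explains why `subscriptions: launchpad:` is kept.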
@@ -0,0 +1,10 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+# List of the default policy assignments
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json
new file mode 100644
index 000000000..789acde60
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json
@@ -0,0 +1,18 @@
+{
+ "name": "aks-capability",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
+ "displayName": "Kubernetes cluster containers should only use allowed capabilities.",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": true
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json
new file mode 100644
index 000000000..bce0689ad
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json
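Review bot: `"enforcementMode": true` here disagrees with `"enforcementMode": null` in the `Allowed-Locations` assignment added in the next hunk; in the policyAssignments REST schema the property is a string (`Default` or `DoNotEnforce`) rather than a boolean, so whether the Enterprise Scale module accepts `true` depends on how it maps this field and should be confirmed before both files are merged. Pick one representation for both assignments and add a line to the policy_assignments README stating which value the module expects. `"identity": {"type": "None"}` is adequate only while the referenced definition has an audit or deny effect; if this assignment is ever pointed at a DeployIfNotExists definition it will need a managed identity and a role assignment.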
@@ -0,0 +1,18 @@
+{
+ "name": "Allowed-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": null
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md
new file mode 100644
index 000000000..e47f922fd
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md
@@ -0,0 +1,10 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+# List of the default policy definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md
new file mode 100644
index 000000000..c09d2c016
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md
@@ -0,0 +1,10 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+# List of the default policy set definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md
new file mode 100644
index 000000000..f3f823e56
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md
@@ -0,0 +1,2 @@
+# Custom ESLZ library
+In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md
new file mode 100644
index 000000000..2230928aa
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md
@@ -0,0 +1,11 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+
+# List of the default role defitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json
new file mode 100644
index 000000000..19523d87b
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json
@@ -0,0 +1,27 @@
+{
+ "name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2018-01-01-preview",
+ "properties": {
+ "roleName": "CAF-network-vhub-peering",
+ "description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.",
+ "type": "customRole",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Network/ddosProtectionPlans/join/action",
+ "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
+ "Microsoft.Network/virtualHubs/read",
+ "Microsoft.Resources/subscriptions/resourceGroups/read"
+ ],
+ "notActions": [
+ ],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ],
+ "assignableScopes": [
+ "${current_scope_resource_id}"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml
new file mode 100644
index 000000000..fcd494b62
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml
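Review bot: `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*` grants every operation on hub connections, including delete, while the description only speaks of authorizing peerings; since the archetype overrides in this patch assign `CAF-network-vhub-peering` to the `identity`, `management` and `subscription_creation_landingzones` groups at the connectivity management group, a compromised or mistaken principal in any of those groups can remove other landing zones' connections to the hub. Listing the verbs explicitly (`Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read`, `.../write` and, only if the workflow needs it, `.../delete`) keeps the role least-privilege, and the description should also mention the DDoS plan join the role carries. The fixed `"name"` GUID means two deployments of this template in the same tenant would collide on the role definition id; a comment saying whether that scenario is supported would help.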
@@ -0,0 +1,86 @@
+gitops:
+ caf_landingzone_branch: aci_network
+
+relative_destination_folder: level1/identity
+
+deployments:
+ landingzone:
+ tfstate:
+ platform:
+ identity:
+ global_settings_key:
+ platform:
+ launchpad:
+ remote_tfstates:
+ platform:
+ launchpad:
+
+subscriptions:
+ identity:
+ resource_groups:
+ management:
+ name: management
+ alerts:
+ name: alerts
+
+ service_health_alerts:
+ enable_service_health_alerts: true
+ name: alerts
+ shortname: HealthAlerts
+ resource_group_key: alerts
+ action_group_name: actiongrp
+ email_alert_settings:
+ support1:
+ name: email_alert_support1
+ email_address:
+ use_common_alert_schema: false
+
+ recovery_vaults:
+ asr:
+ name: asr
+ resource_group_key: management
+ soft_delete_enabled: true
+ backup_policies:
+ vms:
+ default:
+ name: vm-default-policy
+ # Default to UTC
+ # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
+ timezone: "SE Asia Standard Time"
+ backup:
+ frequency: Daily
+ time: "23:00"
+ retention_daily:
+ count: 7
+ retention_weekly:
+ count: 2
+ weekdays:
+ - Sunday
+ retention_monthly:
+ count: 2
+ weeks:
+ - First
+ weekdays:
+ - Sunday
+ retention_yearly:
+ count: 1
+ weeks:
+ - First
+ months:
+ - January
+ weekdays:
+ - Sunday
+
+
+# Bring here you existing active directory security groups.
+# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
+# Note Terraform will create a new Azure AD group and add the existing as a member
+#
+# level1:
+# azuread_groups:
+# network_ops_team:
+# name: netops
+# members:
+# # Set the list of the existing groups
+# objects_ids:
+# - existing_azure_ad_group_object_id
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml
new file mode 100644
index 000000000..4f5eedc1e
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml
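Review bot: `email_address:` under `service_health_alerts.email_alert_settings.support1` is empty while `enable_service_health_alerts: true`, so unless the module rejects the empty value the alert rule and action group are created with nobody to notify; the same empty field appears in the management.yaml hunk this patch adds. If the value is meant to be supplied by the user, mark it so a blank placeholder does not ship silently, e.g. `email_address: # REQUIRED: mailbox that receives service health alerts`. The commented example at the end uses `objects_ids:`, whereas the launchpad.yaml hunk in this patch comments the same list as `object_ids:`; one of the two spellings will not match what the module reads, so align them before a user copies the example.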
@@ -0,0 +1,509 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level0/launchpad + +deployments: + landingzone: + tfstate: + platform: + launchpad: + + +subscriptions: + launchpad: + resource_groups: + level0: + name: caf-level0 + level1: + name: caf-level1 + level2: + name: caf-level2 + + storage_accounts: + level0: + name: l0 + resource_group_key: level0 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: + caf_launchpad: launchpad + caf_tfstate: level0 + level1: + name: l1 + resource_group_key: level1 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. 
+ # Only adjust the environment value at creation time + caf_environment: + caf_launchpad: launchpad + caf_tfstate: level1 + level2: + name: l2 + resource_group_key: level2 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: + caf_launchpad: launchpad + caf_tfstate: level2 + + role_mapping: + built_in_role_mapping: + management_group: + # if you are using a root_parent_id, replace the following root by the root_parent_id value + root: + User Access Administrator: + azuread_groups: + keys: + - level0 + Management Group Contributor: + azuread_groups: + keys: + - eslz + - caf_platform_maintainers + Owner: + azuread_groups: + keys: + - eslz + - caf_platform_maintainers + - connectivity # only when deploying in single subscription + - identity # only when deploying in single subscription + - management # only when deploying in single subscription + Reader: + azuread_groups: + keys: + - caf_platform_contributors + subscriptions: + logged_in_subscription: + Owner: + azuread_groups: + keys: + - level0 + - subscription_creation_platform + - caf_platform_maintainers + Reader: + azuread_groups: + keys: + - identity + resource_groups: + level0: + Reader: + azuread_groups: + keys: + - identity + - subscription_creation_platform + - caf_platform_contributors + level1: + Reader: + azuread_groups: + keys: + - identity + - management + - eslz + - subscription_creation_platform + - caf_platform_contributors + level2: + Reader: + azuread_groups: + keys: + - identity + - management + - connectivity + - 
subscription_creation_platform + - caf_platform_contributors + + storage_accounts: + level0: + Storage Blob Data Contributor: + azuread_groups: + keys: + - level0 + - identity + - caf_platform_maintainers + Storage Blob Data Reader: + azuread_groups: + keys: + - management + - eslz + - subscription_creation_platform + - caf_platform_contributors + level1: + Storage Blob Data Contributor: + azuread_groups: + keys: + - caf_platform_maintainers + - identity + - management + - eslz + - subscription_creation_platform + Storage Blob Data Reader: + azuread_groups: + keys: + - connectivity + - caf_platform_contributors + - level0 + level2: + Storage Blob Data Contributor: + azuread_groups: + keys: + - identity + - connectivity + - management + - caf_platform_maintainers + - level0 + Storage Blob Data Reader: + azuread_groups: + keys: + - subscription_creation_landingzones + - caf_platform_contributors + + keyvaults: + level0: + name: l0 + sku_name: premium + resource_group_key: level0 + level1: + name: l1 + sku_name: premium + resource_group_key: level1 + level2: + name: l2 + sku_name: premium + resource_group_key: level2 + + keyvault_access_policies: + level0: + sp_level0: + azuread_group_key: level0 + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity: + azuread_group_key: identity + secret_permissions: + - Get + level1: + sp_level0: + azuread_group_key: level0 + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity: + azuread_group_key: identity + secret_permissions: + - Get + management: + azuread_group_key: management + secret_permissions: + - Get + eslz: + azuread_group_key: eslz + secret_permissions: + - Get + subscription_creation_platform: + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + level2: + sp_level0: + azuread_group_key: level0 + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity: + azuread_group_key: identity + 
secret_permissions: + - Get + management: + azuread_group_key: management + secret_permissions: + - Get + connectivity: + azuread_group_key: connectivity + secret_permissions: + - Get + subscription_creation_platform: + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + + azuread_applications: + level0: + application_name: sp-caf-level0 + identity: + application_name: sp-caf-identity + management: + application_name: sp-caf-management + eslz: + application_name: sp-caf-eslz + connectivity: + application_name: sp-caf-connectivity + subscription_creation_platform: + application_name: sp-caf-subscription_creation_platform + subscription_creation_landingzones: + application_name: sp-caf-subscription_creation_landingzones + + azuread_service_principals: + # Manage the deployment of the level0 + level0: + azuread_application: + key: level0 + # Manage the deployment of Enterprise Scale + eslz: + azuread_application: + key: eslz + # Manage the deployment of the connectivity services + connectivity: + azuread_application: + key: connectivity + # Manage the deployment of the shared services + management: + azuread_application: + key: management + # Manage the deployment of the identity services + identity: + azuread_application: + key: identity + # Has delegation to create platform subscriptions + subscription_creation_platform: + azuread_application: + key: subscription_creation_platform + # Has delegation to create landingzone subscriptions + subscription_creation_landingzones: + azuread_application: + key: subscription_creation_landingzones + + azuread_api_permissions: + level0: + microsoft_graph: + resource_app_id: 00000003-0000-0000-c000-000000000000 + resource_access: + AppRoleAssignment_ReadWrite_All: + id: 06b708a9-e830-4db3-a914-8e69da51d44f + type: Role + DelegatedPermissionGrant_ReadWrite_All: + id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a + type: Role + DelegatedPermissionGrant_ReadWrite_All: + id: 18a4783c-866b-4cc7-a460-3d5e5662c884 + 
type: Role + identity: + active_directory_graph: + resource_app_id: 00000002-0000-0000-c000-000000000000 + resource_access: + Application_ReadWrite_OwnedBy: + id: 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7 + type: Role + Directory_ReadWrite_All: + id: 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175 + type: Role + microsoft_graph: + resource_app_id: 00000003-0000-0000-c000-000000000000 + resource_access: + AppRoleAssignment_ReadWrite_All: + id: 06b708a9-e830-4db3-a914-8e69da51d44f + type: Role + DelegatedPermissionGrant_ReadWrite_All: + id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a + type: Role + GroupReadWriteAll: + id: 62a82d76-70ea-41e2-9197-370581804d09 + type: Role + RoleManagement_ReadWrite_Directory: + id: 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 + type: Role + + azuread_roles: + azuread_service_principals: + level0: + roles: + - Privileged Role Administrator + - Application Administrator + - Groups Administrator + identity: + roles: + - User Administrator + - Application Administrator + - Groups Administrator + subscription_creation_landingzones: + roles: + - Application Administrator + - Groups Administrator + + dynamic_keyvault_secrets: + level0: + subscription_id: + output_key: client_config + attribute_key: subscription_id + secret_name: subscription-id + tenant_id: + output_key: client_config + attribute_key: tenant_id + secret_name: tenant-id + level1: + lower_stg: + output_key: storage_accounts + resource_key: level0 + attribute_key: name + secret_name: lower-storage-account-name + lower_rg: + output_key: resource_groups + resource_key: level0 + attribute_key: name + secret_name: lower-resource-group-name + subscription_id: + output_key: client_config + attribute_key: subscription_id + secret_name: subscription-id + tenant_id: + output_key: client_config + attribute_key: tenant_id + secret_name: tenant-id + level2: + lower_stg: + output_key: storage_accounts + resource_key: level1 + attribute_key: name + secret_name: lower-storage-account-name + lower_rg: + output_key: 
resource_groups + resource_key: level1 + attribute_key: name + secret_name: lower-resource-group-name + subscription_id: + output_key: client_config + attribute_key: subscription_id + secret_name: subscription-id + tenant_id: + output_key: client_config + attribute_key: tenant_id + secret_name: tenant-id + + azuread_groups: + caf_platform_maintainers: + name: caf-platform-maintainers + description: High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments. + prevent_duplicate_name: true + owners: + - + caf_platform_contributors: + name: caf-platform-contributors + description: Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR. + prevent_duplicate_name: true + owners: + - + level0: + name: caf-level0 + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - level0 + eslz: + name: caf-eslz + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - eslz + identity: + name: caf-identity + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - identity + management: + name: caf-management + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - management + connectivity: + name: caf-connectivity + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - connectivity + subscription_creation_platform: + name: caf-subscription_creation_platform + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - subscription_creation_platform + subscription_creation_landingzones: + name: caf-subscription_creation_landingzones + prevent_duplicate_name: true + owners: + - + members: + azuread_service_principal_keys: + - subscription_creation_landingzones + # object_ids: + # - 746f54dc-285b-454b-8c55-3d499be91e1f + 
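Review bot: `azuread_api_permissions.level0.microsoft_graph.resource_access` declares `DelegatedPermissionGrant_ReadWrite_All` twice with different ids (`8e8e4742-…` and `18a4783c-…`); a duplicate YAML mapping key is either a parse error or silently keeps only the last entry depending on the loader, so the second key should be renamed to the permission its id actually denotes (verify against the Microsoft Graph app-role list) or removed. The `identity` service principal is granted `RoleManagement_ReadWrite_Directory` and `AppRoleAssignment_ReadWrite_All` on top of the `User Administrator` and `Application Administrator` directory roles, and `level0` receives `Privileged Role Administrator`; together these give tenant-wide administrative reach, so a comment stating why each grant is needed and that the credentials are tier-0 would help reviewers, and the `active_directory_graph` block (`00000002-0000-0000-c000-000000000000`) targets the legacy Azure AD Graph API, which Microsoft has announced for retirement, so its two roles should move to their Microsoft Graph equivalents. Every `azuread_groups` entry has `owners:` holding a single empty item (`-`), presumably a placeholder; marking it as such, e.g. `owners: # REQUIRED: object ids of the group owners`, avoids producing ownerless groups or a failing apply. This hunk covers the whole launchpad.yaml file, starting at its `@@` header above.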
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/management.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/management.yaml
new file mode 100644
index 000000000..37116aea2
--- /dev/null
+++ b/templates/enterprise-scale/contoso/platform/single_subscription/management.yaml
@@ -0,0 +1,101 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level1/management + +deployments: + landingzone: + tfstate: + platform: + management: + global_settings_key: + platform: + launchpad: + remote_tfstates: + platform: + launchpad: + +subscriptions: + management: + resource_groups: + management: + name: management + alerts: + name: alerts + + diagnostic_log_analytics: + # if you change this key you also need to change it in the ESLZ deployment + # eslz/archetype_config_overrides.caf.platform.yaml + # eslz/custom_landing_zones.caf.platform.yaml + region1: + name: logre1 + resource_group_key: management + + monitor_action_groups: + networking_operations: + action_group_name: Networking Operations + resource_group_key: alerts + shortname: netops + arm_role_alert: + contributors: + name: Monitoring Contributor + role_name: Monitoring Contributor + use_common_alert_schema: false + email_receiver: + noc: + name: email_alert_support1 + email_address: + use_common_alert_schema: false + + service_health_alerts: + enable_service_health_alerts: true + name: alerts + shortname: HealthAlerts + resource_group_key: alerts + action_group_name: actiongrp + email_alert_settings: + support1: + name: email_alert_support1 + email_address: + use_common_alert_schema: false + + automation_accounts: + account1: + name: automationAccount1 + resource_group_key: management + + recovery_vaults: + asr: + name: asr + resource_group_key: management + soft_delete_enabled: true + backup_policies: + vms: + default: + name: vm-default-policy + # Default to UTC + # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + retention_weekly: + count: 2 + weekdays: + - Sunday + retention_monthly: + count: 2 + weeks: + - First + weekdays: + - Sunday + retention_yearly: + count: 1 + weeks: + - First + months: + - January 
+ weekdays: + - Sunday diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml new file mode 100644 index 000000000..70fba14b7 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml @@ -0,0 +1,22 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level1/subscriptions + +deployments: + landingzone: + tfstate: + platform: + subscriptions: + +subscriptions: + launchpad: + subscriptions: + launchpad: + subscription_id: + identity: + subscription_id: + connectivity: + subscription_id: + management: + subscription_id: \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml new file mode 100644 index 000000000..a5c8d0546 --- /dev/null +++ b/templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml 
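Review bot: `caf_landingzone_branch: aci_network` in the new management.yaml (and in the subscriptions.yaml hunk sharing this line) pins the landing-zone checkout to what looks like a feature branch rather than a tag or commit, so the code that the readmes later fetch with `git pull` / `git checkout` can change underneath this template without any change here. For a platform template I would pin an immutable ref and say so, e.g. `caf_landingzone_branch: <tag-or-commit>` with `# pin to a tag/commit; a branch name is mutable and not reproducible`. Both `email_address:` fields under `email_receiver.noc` and `email_alert_settings.support1` are left empty; if they are placeholders, a `# required: set before deploying` comment would prevent the action group and service-health alert from being created with no recipient.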
@@ -0,0 +1,144 @@ +tfstates: + platform: + ### Level0 ### + launchpad: + lz_key_name: launchpad + tfstate: caf_launchpad.tfstate + workspace: tfstate + level: level0 + identity_aad_key: cred_level0 + config_file: launchpad.yaml + sub_template_folder: level0/launchpad + yaml: level0/launchpad/ansible.yaml + launchpad_credentials: + lz_key_name: launchpad_credentials_rotation + tfstate: launchpad_credentials_rotation.tfstate + level: level0 + identity_aad_key: cred_identity + config_file: credentials.yaml + sub_template_folder: level0/credentials + + ### Level1 ### + management: + lz_key_name: management + tfstate: management.tfstate + level: level1 + identity_aad_key: cred_management + config_file: management.yaml + identity: + lz_key_name: identity + tfstate: identity.tfstate + level: level1 + identity_aad_key: cred_identity + config_file: identity.yaml + sub_template_folder: level1/identity + eslz: + lz_key_name: eslz + tfstate: eslz.tfstate + level: level1 + identity_aad_key: cred_eslz + config_file: eslz/eslz.yaml + sub_template_folder: level1/eslz + yaml: level1/eslz/ansible.yaml + platform_subscriptions: + lz_key_name: platform_subscriptions + tfstate: platform_subscriptions.tfstate + level: level1 + identity_aad_key: cred_subscription_creation_platform + config_file: subscriptions.yaml + sub_template_folder: level1/subscriptions + + ## Level2 ## + identity_level2: + prod: + lz_key_name: identity_level2 + tfstate: identity_level2.tfstate + level: level2 + identity_aad_key: cred_identity + non_prod: + lz_key_name: identity_level2 + tfstate: identity_level2_non_prod.tfstate + level: level2 + identity_aad_key: cred_identity + + identity_level2_aadds: + prod: + lz_key_name: identity_level2_aadds + tfstate: identity_level2_aadds.tfstate + level: + identity_aad_key: cred_identity + + virtual_wans: + prod: + lz_key_name: connectivity_virtual_wan + tfstate: connectivity_virtual_wan.tfstate + level: level2 + identity_aad_key: cred_connectivity + + virtual_hubs: + prod: 
+ lz_key_name: connectivity_virtual_hub_prod + tfstate: connectivity_virtual_hub_prod.tfstate + workspace: tfstate + level: level2 + identity_aad_key: cred_connectivity + non_prod: + lz_key_name: connectivity_virtual_hub_non_prod + tfstate: connectivity_virtual_hub_non_prod.tfstate + workspace: tfstate + level: level2 + identity_aad_key: cred_connectivity + + azurerm_firewalls: + prod: + lz_key_name: connectivity_firewalls_prod + tfstate: connectivity_firewalls_prod.tfstate + level: level2 + identity_aad_key: cred_connectivity + non_prod: + lz_key_name: connectivity_firewalls_non_prod + tfstate: connectivity_firewalls_non_prod.tfstate + level: level2 + identity_aad_key: cred_connectivity + + azurerm_firewall_policies: + prod: + lz_key_name: connectivity_firewall_policies_prod + tfstate: connectivity_firewall_policies_prod.tfstate + level: level2 + identity_aad_key: cred_connectivity + non_prod: + lz_key_name: connectivity_firewall_policies_non_prod + tfstate: connectivity_firewall_policies_non_prod.tfstate + level: level2 + identity_aad_key: cred_connectivity + + private_dns: + prod: + lz_key_name: connectivity_private_dns_prod + tfstate: connectivity_private_dns_prod.tfstate + level: level2 + identity_aad_key: cred_connectivity + non_prod: + lz_key_name: connectivity_private_dns_non_prod + tfstate: connectivity_private_dns_non_prod.tfstate + level: level2 + identity_aad_key: cred_connectivity + + vpn_sites: + prod: + lz_key_name: connectivity_vpn_sites_prod + tfstate: connectivity_vpn_sites_prod.tfstate + sub_template_folder: level2/connectivity + level: level2 + identity_aad_key: cred_connectivity + + asvm: + lz_key_name: asvm + tfstate: asvm_subscription_vending_machine.tfstate + level: level2 + identity_aad_key: cred_level0 + sub_template_folder: level2/asvm + yaml: level2/asvm/ansible.yaml + rover_ignite_dependencies: + - launchpad 
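Review bot: `identity_level2_aadds.prod.level:` is left empty while every sibling entry sets `level: level2`, so any consumer that keys on `level` (the ansible tasks on this page filter storage accounts by `tags.caf_tfstate=='…level…'`) gets an empty string for this state; it should read `level: level2`. Separately, the `asvm` entry runs under `identity_aad_key: cred_level0`, the launchpad-level identity, whereas the other level2 entries use scoped `cred_*` identities; if that elevation is intentional, a comment such as `# runs as level0: needs to create tfstate containers in the launchpad storage account` would make the privilege choice explicit for whoever reviews the role assignments.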
diff --git a/templates/platform/level3/ansible.yaml b/templates/platform/level3/ansible.yaml new file mode 100644 index 000000000..58e5c1ee6 --- /dev/null +++ b/templates/platform/level3/ansible.yaml 
@@ -0,0 +1,93 @@ +- name: "Creates cache directory" + file: + path: "~/.terraform.cache/launchpad" + state: directory + +- name: "[{{ level }}-{{ subscription_key }}] Get tfstate account name" + register: launchpad_storage_account + shell: | + az storage account list \ + --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name + +- name: "[{{ level }}-{{ subscription_key }}] Get credentials tfstate details" + register: credentials_tfstate_exists + ignore_errors: true + shell: | + az storage blob download \ + --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \ + --account-name "{{ launchpad_storage_account.stdout }}" \ + --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ + --auth-mode "login" \ + --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + +- name: "[{{ level }}-{{ subscription_key }}] Get launchpad_credentials details" + shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + register: launchpad_credentials + +- name: "[{{ level }}-{{ subscription_key }}] Get launchpad_credentials json data" + set_fact: + credjsondata: "{{ launchpad_credentials.stdout | from_json }}" + +- name: "[{{ level }}-{{ subscription_key }}] set keyvaults" + set_fact: + keyvaults: "{{ credjsondata | json_query(path) }}" + vars: + path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults' + +- name: "[{{ level }}-{{ subscription_key }}] cleanup" + file: + path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" + state: absent + + +# +# Get landingzones subscriptions +# + +- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - launchpad level3" + 
register: storage_account_level3 + shell: | + az storage account list \ + --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r + +- debug: + msg: "{{storage_account_level3.stdout}}" + +- name: "[{{ level }}-{{ subscription_key }}] Get credentials tfstate details" + register: landingzones_subscriptions + ignore_errors: true + shell: | + az storage blob download \ + --name "{{ config.tfstates.asvm.subscriptions.tfstate }}" \ + --account-name "{{ storage_account_level3.stdout|from_json|json_query('name') }}" \ + --container-name "{{ config.tfstates.asvm.subscriptions.workspace | default('tfstate') }}" \ + --auth-mode "login" \ + --file "~/.terraform.cache/launchpad/{{ config.tfstates.asvm.subscriptions.tfstate }}" + +- name: "[{{ level }}-{{ subscription_key }}] Get subscription_creation_landingzones details" + when: + - landingzones_subscriptions.rc == 0 + shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.asvm.subscriptions.tfstate }}" + register: landingzones_tfstate + +- debug: + msg: "{{landingzones_tfstate.stdout | from_json }}" + +- name: "[{{ level }}-{{ subscription_key }}] Get landingzone json data" + when: + - landingzones_subscriptions.rc == 0 + set_fact: + scljsondata: "{{ landingzones_tfstate.stdout | from_json }}" + +- name: "[{{ level }}-{{ subscription_key }}] Get landingzone subscription ids" + when: + - landingzones_subscriptions.rc == 0 + set_fact: + asvm_subscriptions_details: "{{ scljsondata | json_query(path) }}" + vars: + path: 'outputs.objects.value.{{config.tfstates.asvm.subscriptions.lz_key_name}}.subscriptions' + +- debug: + msg: "{{asvm_subscriptions_details}}" \ No newline at end of file diff --git a/templates/platform/level3/readme.md b/templates/platform/level3/readme.md new file mode 100644 index 000000000..243fc4edc --- /dev/null 
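Review bot: The `debug` task that prints `landingzones_tfstate.stdout | from_json` writes the entire downloaded Terraform state to the ansible output, and unlike its neighbours it has no `when: landingzones_subscriptions.rc == 0` guard, so it also errors when the blob download was allowed to fail by `ignore_errors`. Terraform state routinely carries sensitive values, so I would drop that task and reduce the final one to `msg: "{{ asvm_subscriptions_details.keys() | list }}"`, adding the same `when` guard. The cleanup task only removes the launchpad_credentials state file; the `{{ config.tfstates.asvm.subscriptions.tfstate }}` copy left in `~/.terraform.cache/launchpad/` is never deleted, so a matching `file: state: absent` task should follow the last read. The credentials-state download is reworked by a later patch on this page, but the landing-zone subscription section is kept as is.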
+++ b/templates/platform/level3/readme.md @@ -0,0 +1,30 @@ + +```bash +rover login -t {{ config.platform_identity.tenant_name }} + +unset ARM_SKIP_PROVIDER_REGISTRATION + +cd {{landingzones_folder}} +git pull +git checkout {{ resources.gitops.caf_landingzone_branch }} + +rover \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} + --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ +{% endif %} + -lz {{landingzones_folder}}/caf_solution \ + -var-folder {{ destination_path }} \ + -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ +{% if asvm_subscriptions_details[subscription_key].subscription_id is defined %} + -target_subscription {{ asvm_subscriptions_details[subscription_key].subscription_id }} \ +{% endif %} + -tfstate {{ tfstate_object.tfstate }} \ + --workspace {{ tfstate_object.workspace }} \ + -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ + -a plan + +rover logout + +``` diff --git a/templates/platform/level3/subscriptions/readme.md b/templates/platform/level3/subscriptions/readme.md new file mode 100644 index 000000000..8315be69c --- /dev/null +++ b/templates/platform/level3/subscriptions/readme.md 
@@ -0,0 +1,28 @@ + +### Create storage containers for the landingzone + +```bash +rover login -t {{ config.platform_identity.tenant_name }} + +cd {{landingzones_folder}} +git pull +git checkout {{ resources.gitops.caf_landingzone_branch }} + +rover \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} + --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ +{% endif %} + -lz {{landingzones_folder}}/caf_solution \ + -var-folder {{ destination_path }} \ + -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{config.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ tfstate_object.tfstate }} \ + --workspace {{ tfstate_object.workspace | default('tfstate') }} \ + -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ + -a plan + +rover logout + +``` diff --git a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 new file mode 100644 index 000000000..963808f8d --- /dev/null +++ b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 @@ -0,0 +1,16 @@ +storage_containers = { +{% for key in resources.subscriptions[subscription_key].subscriptions.keys() %} + {{ key }}_level3 = { + name = "{{ config.tfstates.asvm[key].workspace }}" + storage_account = { + name = "{{storage_account_level3.stdout|from_json|json_query('name')}}" + } + } + {{ key }}_level4 = { + name = "{{ config.tfstates.asvm[key].workspace }}" + storage_account = { + name = "{{storage_account_level4.stdout|from_json|json_query('name')}}" + } + } +{% endfor %} +} \ No newline at end of file diff --git a/templates/resources/virtual_hubs_route_tables.tfvars.j2 b/templates/resources/virtual_hubs_route_tables.tfvars.j2 new file mode 100644 index 000000000..c1d31f8c5 
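Review bot: In the storage_containers.tfvars.j2 hunk, `storage_account_level4.stdout` is rendered for the `{{ key }}_level4` container, but the companion level3/ansible.yaml in this patch only registers `storage_account_level3`, so rendering will fail on an undefined variable (or, with undefined-tolerant settings, emit an empty storage account name). Either add a matching `az storage account list … tags.caf_tfstate=='level4'` task registered as `storage_account_level4`, or drop the level4 block until it exists. Both containers also take the same `name = "{{ config.tfstates.asvm[key].workspace }}"`, which only works because they are meant to live in different accounts; a one-line comment stating that would help the next reader.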
--- /dev/null +++ b/templates/resources/virtual_hubs_route_tables.tfvars.j2 @@ -0,0 +1,35 @@ +{% if connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables is defined %} +virtual_hub_route_tables = { +{% for key, route_table in connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables.items() %} + {{ key }} = { + name = "{{ route_table.name }}" + + virtual_hub = { + key = "{{ virtual_hub }}" + } + + # labels = ["label1"] + # routes = { + # egress_internet = { + # name = "egress-internet" + # destinations_type = "CIDR" + # destinations = ["0.0.0.0/0"] + + # # Either next_hop or next_hop_id can be used + # # + # # When using next_hop, the virtual_hub_connection must be deployed in a different landingzone. This cannot be tested in the standalone module. + # # Will be covered in the landingzone starter production configuration in future releases. + # # + # next_hop = { + # lz_key = "" # + # resource_type = "virtual_hub_connection" # Only supported value. + # resource_key = "egress-fw" + # } + # #to cather for external object + # #next_hop_id = "Azure_Resource_ID" + # } + # } + } +{% endfor %} +} +{% endif %} \ No newline at end of file From c460312280abf3ea98fcd513af80c488123452ee Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 16 Feb 2022 22:44:24 +0800 Subject: [PATCH 45/67] Update subscription_name --- .../platform/single_subscription/contoso.caf.platform.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml index dcab56fb8..44f500fed 100644 --- a/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml +++ b/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml 
@@ -32,14 +32,14 @@ caf_terraform: name: eastasia # Use the lower-case region's name, short version with no space slug: ea default_region_key: region1 - # Define the number of CAF levels to use. Recommeded is 3 for the platform. + # Define the number of CAF levels to use. Recommended is 3 for the platform. # number_of_levels: 3 # blob_versioning_enabled: true # container_delete_retention_policy: 7 # delete_retention_policy: 7 # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. subscription_id: - subscription_name: LLE-Resource Sub1 + subscription_name: tenant_id: global_tags_propagated: yes tags: From d81ff2c278c087fea68ec590611ebd74c7d90158 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Wed, 16 Feb 2022 15:36:40 +0000 Subject: [PATCH 46/67] Udpate orion --- .../deployments/orion_dev.yaml | 6 ++- .../deployments/orion_prod.yaml | 6 ++- .../deployments/subscriptions.yaml | 4 +- .../contoso/asvm/orion-landingzone/readme.md | 2 +- .../single_subscription/credentials.yaml | 27 ++++++++++++ .../platform/level2/asvm/keyvaults.tfvars.j2 | 6 +++ templates/platform/level3/ansible.yaml | 44 +++---------------- templates/platform/level3/readme.md | 4 +- .../platform/level3/subscriptions/readme.md | 4 +- templates/resources/keyvaults.tfvars.j2 | 8 +++- templates/resources/landingzone.tfvars.j2 | 2 +- 11 files changed, 62 insertions(+), 51 deletions(-) diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml index c4e957fe5..5d411142e 100644 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml @@ -12,6 +12,8 @@ deployments: platform: virtual_hubs: non_prod remote_tfstates: + asvm: + subscriptions: platform: virtual_hubs: non_prod azurerm_firewalls: non_prod 
@@ -495,13 +497,13 @@ subscriptions: - sp_LZContributors storage_containers: orion_prod_level3: - lz_key: orion_storage_containers + lz_key: orion_subscriptions Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors orion_dev_level4: - lz_key: orion_storage_containers + lz_key: orion_subscriptions Storage Blob Data Contributor: azuread_service_principals: keys: diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml index b3a186add..2e92f9b04 100644 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml @@ -12,6 +12,8 @@ deployments: platform: virtual_hubs: prod remote_tfstates: + asvm: + subscriptions: platform: virtual_hubs: prod azurerm_firewalls: prod @@ -509,13 +511,13 @@ subscriptions: - sp_LZContributors storage_containers: orion_prod_level3: - lz_key: orion_storage_containers + lz_key: orion_subscriptions Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors orion_prod_level4: - lz_key: orion_storage_containers + lz_key: orion_subscriptions Storage Blob Data Contributor: azuread_service_principals: keys: diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml index 2715fced1..570ca1ff0 100644 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml 
@@ -21,11 +21,11 @@ subscriptions: orion_dev: name: orion-dev create_alias: false - subscription_id: + subscription_id: dbf68ed2-d840-4e8d-a3b9-2fcf8e05ad2b orion_prod: name: orion-prod create_alias: false - subscription_id: + subscription_id: dbf68ed2-d840-4e8d-a3b9-2fcf8e05ad2b \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md index 3b2cc9d0c..71db174b6 100644 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md @@ -9,7 +9,7 @@ rover ignite \ -e base_templates_folder=/tf/caf/landingzones/templates/platform \ -e resource_template_folder=/tf/caf/landingzones/templates/resources \ -e config_folder=/tf/caf/definitions/asvm/orion-landingzone \ - -e config_folder_platform=/tf/caf/definitions/single_subscription \ + -e config_folder_platform=/tf/caf/definitions \ -e landingzones_folder=/tf/caf/landingzones diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml index 6f69ef209..5c0f3481d 100644 --- a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml +++ b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml @@ -27,6 +27,9 @@ subscriptions: name: eaowner resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_ea_account_owner creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -52,6 +55,9 @@ subscriptions: name: idl0 resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_level0 creation_policies: caf_platform_maintainers: lz_key: launchpad 
@@ -82,6 +88,9 @@ subscriptions: name: id resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_identity creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -107,6 +116,9 @@ subscriptions: name: mg resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_management creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -137,6 +149,9 @@ subscriptions: name: es resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_eslz creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -167,6 +182,9 @@ subscriptions: name: co resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_connectivity creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -197,6 +215,9 @@ subscriptions: name: scp resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_subscription_creation_platform creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -227,6 +248,9 @@ subscriptions: name: scl resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_subscription_creation_landingzones creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -257,6 +281,9 @@ subscriptions: name: gitops resource_group_key: sp_credentials purge_protection_enabled: false + tags: + caf_environment: contoso + caf_identity_aad_key: cred_gitops creation_policies: caf_platform_maintainers: lz_key: launchpad diff --git a/templates/platform/level2/asvm/keyvaults.tfvars.j2 b/templates/platform/level2/asvm/keyvaults.tfvars.j2 index 8a2d656f8..f9a6f9fc6 100644 --- a/templates/platform/level2/asvm/keyvaults.tfvars.j2 
+++ b/templates/platform/level2/asvm/keyvaults.tfvars.j2 @@ -11,6 +11,7 @@ keyvaults = { creation_policies = { {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if launchpad_azuread_groups is defined %} subscription_creation_landingzones = { object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" secret_permissions = ["Get"] @@ -24,6 +25,7 @@ keyvaults = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } {% endif %} +{% endif %} {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy @@ -46,10 +48,12 @@ keyvaults = { creation_policies = { {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if launchpad_azuread_groups is defined %} subscription_creation_landingzones = { object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" secret_permissions = ["Get"] } +{% endif %} caf_ac_landingzone_maintainers_non_prod = { azuread_group_key = "caf_ac_landingzone_maintainers_non_prod" secret_permissions = ["Get"] @@ -58,6 +62,7 @@ keyvaults = { azuread_group_key = "caf_ac_landingzone_maintainers_prod" secret_permissions = ["Get"] } +{% if launchpad_azuread_groups is defined %} level0 = { object_id = "{{launchpad_azuread_groups.level0.id}}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] @@ -67,6 +72,7 @@ keyvaults = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } {% endif %} +{% endif %} {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy diff --git a/templates/platform/level3/ansible.yaml b/templates/platform/level3/ansible.yaml index 58e5c1ee6..30473753e 100644 --- a/templates/platform/level3/ansible.yaml 
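Review bot: Wrapping the `level0` and `subscription_creation_landingzones` access policies in `{% if launchpad_azuread_groups is defined %}` makes a missing fact render silently into a vault whose `Set/Delete/Purge` policy is gone, instead of failing the render. If the fact being undefined is a legitimate state (for example a first bootstrap before level0 outputs exist), say so in the template, e.g. `{# launchpad_azuread_groups is only available once level0 has been applied; without it the vault is created without its admin policy #}`; otherwise I would replace the guard with an explicit failure so a mis-ordered ignite cannot produce a vault nobody can manage. The `caf_ac_landingzone_maintainers_*` policies in the second vault remain unconditional, so the two branches now differ only in who can administer the secrets, which is worth a sentence of justification.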
+++ b/templates/platform/level3/ansible.yaml 
@@ -1,45 +1,13 @@ -- name: "Creates cache directory" - file: - path: "~/.terraform.cache/launchpad" - state: directory -- name: "[{{ level }}-{{ subscription_key }}] Get tfstate account name" - register: launchpad_storage_account +- name: "[{{ level }}-{{ subscription_key }}] Get asvm keyvault credentials name" + register: keyvault_scl shell: | - az storage account list \ + az keyvault list \ --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - -- name: "[{{ level }}-{{ subscription_key }}] Get credentials tfstate details" - register: credentials_tfstate_exists - ignore_errors: true - shell: | - az storage blob download \ - --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \ - --account-name "{{ launchpad_storage_account.stdout }}" \ - --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ - --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - -- name: "[{{ level }}-{{ subscription_key }}] Get launchpad_credentials details" - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - register: launchpad_credentials - -- name: "[{{ level }}-{{ subscription_key }}] Get launchpad_credentials json data" - set_fact: - credjsondata: "{{ launchpad_credentials.stdout | from_json }}" - -- name: "[{{ level }}-{{ subscription_key }}] set keyvaults" - set_fact: - keyvaults: "{{ credjsondata | json_query(path) }}" - vars: - path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults' - -- name: "[{{ level }}-{{ subscription_key }}] cleanup" - file: - path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}" - state: absent + --query 
"[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' +- debug: + msg: "{{keyvault_scl.stdout}}" # # Get landingzones subscriptions diff --git a/templates/platform/level3/readme.md b/templates/platform/level3/readme.md index 243fc4edc..59849c77c 100644 --- a/templates/platform/level3/readme.md +++ b/templates/platform/level3/readme.md @@ -9,8 +9,8 @@ git pull git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} + --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ diff --git a/templates/platform/level3/subscriptions/readme.md b/templates/platform/level3/subscriptions/readme.md index 8315be69c..bf78079dd 100644 --- a/templates/platform/level3/subscriptions/readme.md +++ b/templates/platform/level3/subscriptions/readme.md @@ -9,8 +9,8 @@ git pull git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} - --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \ +{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} + --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ 
diff --git a/templates/resources/keyvaults.tfvars.j2 b/templates/resources/keyvaults.tfvars.j2 index 7eb353ee2..6608276c3 100644 --- a/templates/resources/keyvaults.tfvars.j2 +++ b/templates/resources/keyvaults.tfvars.j2 @@ -22,7 +22,13 @@ keyvaults = { {% if keyvault.soft_delete_retention_days is defined %} soft_delete_retention_days = {{ keyvault.soft_delete_retention_days }} {% endif %} - +{% if keyvault.tags is defined %} + tags = { +{% for tag_key, tag_value in keyvault.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} creation_policies = { {% if config.platform_identity is defined %} {% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2 index 821c6f66a..e2e330985 100644 --- a/templates/resources/landingzone.tfvars.j2 +++ b/templates/resources/landingzone.tfvars.j2 @@ -23,7 +23,7 @@ landingzone = { {% endfor %} {% else %} {{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].lz_key_name }} = { - fstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}" + tfstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}" workspace = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].workspace | default('tfstate')}}" } {% endif %} From 993d361287780ba2bdb15ffa89d89b28f063aefa Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Wed, 16 Feb 2022 15:38:42 +0000 Subject: [PATCH 47/67] Udpate tags --- .../asvm/orion-landingzone/deployments/subscriptions.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml index 570ca1ff0..2715fced1 100644 --- a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml +++ b/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml @@ -21,11 +21,11 @@ subscriptions: orion_dev: name: orion-dev create_alias: false - subscription_id: dbf68ed2-d840-4e8d-a3b9-2fcf8e05ad2b + subscription_id: orion_prod: name: orion-prod create_alias: false - subscription_id: dbf68ed2-d840-4e8d-a3b9-2fcf8e05ad2b + subscription_id: \ No newline at end of file From ad8e6e9f2b592bc181f8fcd92be52c90b7c93c73 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Wed, 16 Feb 2022 15:40:52 +0000 Subject: [PATCH 48/67] Add --- .../single_subscription/credentials.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml index 5c0f3481d..b32dda92f 100644 --- a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml +++ b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml @@ -28,7 +28,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_ea_account_owner creation_policies: caf_platform_maintainers: @@ -56,7 +56,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_level0 creation_policies: caf_platform_maintainers: 
@@ -89,7 +89,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_identity creation_policies: caf_platform_maintainers: @@ -117,7 +117,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_management creation_policies: caf_platform_maintainers: @@ -150,7 +150,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_eslz creation_policies: caf_platform_maintainers: @@ -183,7 +183,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_connectivity creation_policies: caf_platform_maintainers: @@ -216,7 +216,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_subscription_creation_platform creation_policies: caf_platform_maintainers: @@ -249,7 +249,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_subscription_creation_landingzones creation_policies: caf_platform_maintainers: @@ -282,7 +282,7 @@ subscriptions: resource_group_key: sp_credentials purge_protection_enabled: false tags: - caf_environment: contoso + caf_environment: caf_identity_aad_key: cred_gitops creation_policies: caf_platform_maintainers: From d354195d59c12dea7857b9efa74d88594b9c0eaa Mon Sep 17 00:00:00 2001 
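Review bot: Each of the nine `caf_environment:` entries in credentials.yaml is left with no value, which YAML loads as null rather than an empty string; a tag template of the shape `{{ tag_key }} = "{{ tag_value }}"` (as added to keyvaults.tfvars.j2 in this series) would then tag every credential key vault with the literal string `None`, and the tag is silently wrong rather than visibly missing. If this is a placeholder for the generator to fill, make it explicit with either `caf_environment: ""` or a commented line, so a missed substitution is obvious at review time. If the value is meant to come from the environment name, dropping the key here and letting the template derive it would avoid repeating the same placeholder in every key vault definition.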
From: LaurentLesle Date: Wed, 16 Feb 2022 16:23:51 +0000 Subject: [PATCH 49/67] Fix missing asvm permissions in template in single sub --- .../contoso/platform/single_subscription/launchpad.yaml | 1 + templates/resources/subscriptions.tfvars.j2 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml index 4f5eedc1e..c635c8ab1 100644 --- a/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml +++ b/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml @@ -113,6 +113,7 @@ subscriptions: - connectivity # only when deploying in single subscription - identity # only when deploying in single subscription - management # only when deploying in single subscription + - subscription_creation_landingzones # # only when deploying in single subscription Reader: azuread_groups: keys: diff --git a/templates/resources/subscriptions.tfvars.j2 b/templates/resources/subscriptions.tfvars.j2 index 985cad761..c304679f0 100644 --- a/templates/resources/subscriptions.tfvars.j2 +++ b/templates/resources/subscriptions.tfvars.j2 @@ -2,6 +2,9 @@ subscriptions = { {% for key, value in resources.subscriptions[subscription_key].subscriptions.items() %} {{ key }} = { name = "{{ value.name }}" +{% if value.create_alias is defined %} + create_alias = {% value.create_alias | lower%} +{% endif %} {% if value.subscription_id is not defined %} billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" enrollment_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}" From 43e09b5efb63889ce081872de89ff81c570217bc Mon Sep 17 00:00:00 2001 
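Review bot: The role whose list `subscription_creation_landingzones` is appended to in launchpad.yaml starts above this hunk, so the review cannot see which role the subscription-creation identity now receives on the launchpad subscription; its neighbours (connectivity, identity, management) suggest a broad platform role, and a subscription-creation principal normally needs rights on the billing scope and the subscriptions it creates, not on the launchpad itself, so confirm this is the minimum the single-subscription flow requires. The trailing comment also carries a doubled marker; `- subscription_creation_landingzones # only when deploying in single subscription` matches the three lines above it.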
From: LaurentLesle Date: Wed, 16 Feb 2022 23:15:06 +0000 Subject: [PATCH 50/67] Patch asvm jinja template --- templates/resources/subscriptions.tfvars.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/resources/subscriptions.tfvars.j2 b/templates/resources/subscriptions.tfvars.j2 index c304679f0..034a6bf70 100644 --- a/templates/resources/subscriptions.tfvars.j2 +++ b/templates/resources/subscriptions.tfvars.j2 @@ -3,7 +3,7 @@ subscriptions = { {{ key }} = { name = "{{ value.name }}" {% if value.create_alias is defined %} - create_alias = {% value.create_alias | lower%} + create_alias = {{ value.create_alias | lower}} {% endif %} {% if value.subscription_id is not defined %} billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" From 85c742945d11414319b25b63ab16e74d2416c471 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 23 Feb 2022 08:44:40 +0000 Subject: [PATCH 51/67] Update module to 5.5.3 --- caf_launchpad/dynamic_secrets.tf | 2 +- caf_launchpad/landingzone.tf | 6 +++--- caf_solution/dynamic_secrets.tf | 2 +- caf_solution/landingzone.tf | 6 +++--- caf_solution/vm_extensions.tf | 10 +++++----- caf_solution/vmss_extensions.tf | 4 ++-- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/caf_launchpad/dynamic_secrets.tf b/caf_launchpad/dynamic_secrets.tf index 278997136..a13d1961a 100644 --- a/caf_launchpad/dynamic_secrets.tf +++ b/caf_launchpad/dynamic_secrets.tf @@ -1,7 +1,7 @@ module "dynamic_keyvault_secrets" { source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master" diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf index 6ae4b304b..7d191c34c 100644 --- a/caf_launchpad/landingzone.tf +++ b/caf_launchpad/landingzone.tf 
@@ -1,9 +1,9 @@ module "launchpad" { - # source = "aztfmod/caf/azurerm" - # version = "5.5.1" + source = "aztfmod/caf/azurerm" + version = "5.5.3" - source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" + # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" # source = "../../aztfmod" providers = { diff --git a/caf_solution/dynamic_secrets.tf b/caf_solution/dynamic_secrets.tf index e5185523b..d056dcb68 100644 --- a/caf_solution/dynamic_secrets.tf +++ b/caf_solution/dynamic_secrets.tf @@ -1,6 +1,6 @@ module "dynamic_keyvault_secrets" { source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master" diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf index 369bdca62..312fab722 100644 --- a/caf_solution/landingzone.tf +++ b/caf_solution/landingzone.tf @@ -1,8 +1,8 @@ module "solution" { - # source = "aztfmod/caf/azurerm" - # version = "5.5.1" + source = "aztfmod/caf/azurerm" + version = "5.5.3" - source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" + # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" # source = "../../aztfmod" providers = { diff --git a/caf_solution/vm_extensions.tf b/caf_solution/vm_extensions.tf index 9bb84b770..f240f6bd9 100644 --- a/caf_solution/vm_extensions.tf +++ b/caf_solution/vm_extensions.tf @@ -4,7 +4,7 @@ module "vm_extension_monitoring_agent" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" 
@@ -26,7 +26,7 @@ module "vm_extension_monitoring_agent" { module "vm_extension_diagnostics" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" @@ -51,7 +51,7 @@ module "vm_extension_diagnostics" { module "vm_extension_microsoft_azure_domainjoin" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" @@ -71,7 +71,7 @@ module "vm_extension_microsoft_azure_domainjoin" { module "vm_extension_session_host_dscextension" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" @@ -93,7 +93,7 @@ module "vm_extension_session_host_dscextension" { module "vm_extension_custom_scriptextension" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.1" + version = "5.5.3" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" diff --git a/caf_solution/vmss_extensions.tf b/caf_solution/vmss_extensions.tf index e82ecf21d..3dba38e60 100644 --- a/caf_solution/vmss_extensions.tf +++ b/caf_solution/vmss_extensions.tf @@ -1,6 +1,6 @@ module "vmss_extension_microsoft_azure_domainjoin" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions" - version = "5.5.1" + version = "5.5.3" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master" 
@@ -21,7 +21,7 @@ module "vmss_extension_microsoft_azure_domainjoin" { module "vmss_extension_custom_scriptextension" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions" - version = "5.5.1" + version = "5.5.3" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master" From 833d4518b79e9ff433d173d78abd2b6550cb3af2 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Fri, 25 Feb 2022 06:37:19 +0000 Subject: [PATCH 52/67] Update to rover feb 2022 --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/landingzones-tf100.yml | 10 +++++----- .github/workflows/landingzones-tf15.yml | 10 +++++----- rover_on_ssh_host.yml | 2 +- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index ce4d97d6d..5f6c5efea 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 user: vscode labels: diff --git a/.github/workflows/landingzones-tf100.yml b/.github/workflows/landingzones-tf100.yml index ed53e56d1..a38e9363b 100644 --- a/.github/workflows/landingzones-tf100.yml +++ b/.github/workflows/landingzones-tf100.yml @@ -39,7 +39,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 options: --user 0 steps: @@ -92,7 +92,7 @@ jobs: ] container: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 options: --user 0 steps: @@ -135,7 +135,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 options: --user 0 steps: @@ -186,7 +186,7 @@ jobs: ] container: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 options: --user 0 steps: 
@@ -228,7 +228,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 options: --user 0 steps: diff --git a/.github/workflows/landingzones-tf15.yml b/.github/workflows/landingzones-tf15.yml index 4722c3c46..81af3e1aa 100644 --- a/.github/workflows/landingzones-tf15.yml +++ b/.github/workflows/landingzones-tf15.yml @@ -33,7 +33,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.15.5-2201.2106 + image: aztfmod/rover:0.15.5-2202.2503 options: --user 0 steps: @@ -86,7 +86,7 @@ jobs: ] container: - image: aztfmod/rover:0.15.5-2201.2106 + image: aztfmod/rover:0.15.5-2202.2503 options: --user 0 steps: @@ -129,7 +129,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.15.5-2201.2106 + image: aztfmod/rover:0.15.5-2202.2503 options: --user 0 steps: @@ -180,7 +180,7 @@ jobs: ] container: - image: aztfmod/rover:0.15.5-2201.2106 + image: aztfmod/rover:0.15.5-2202.2503 options: --user 0 steps: @@ -222,7 +222,7 @@ jobs: random_length: ['5'] container: - image: aztfmod/rover:0.15.5-2201.2106 + image: aztfmod/rover:0.15.5-2202.2503 options: --user 0 steps: diff --git a/rover_on_ssh_host.yml b/rover_on_ssh_host.yml index 958a7824b..ea73d966f 100644 --- a/rover_on_ssh_host.yml +++ b/rover_on_ssh_host.yml @@ -11,7 +11,7 @@ version: '3.7' services: rover: - image: aztfmod/rover:1.1.3-2201.2106 + image: aztfmod/rover:1.1.6-2202.2503 user: vscode From 4efffaab44fac378475842e17dad49725fcf6774 Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Mon, 28 Feb 2022 02:02:30 +0000 Subject: [PATCH 53/67] Update template generator for feb release --- caf_launchpad/landingzone.tf | 5 +- caf_solution/landingzone.tf | 4 +- .../platform/create_subscriptions/README.md | 31 -- .../platform/create_subscriptions/asvm.yaml | 38 -- .../connectivity_express_routes.yaml | 39 -- .../connectivity_virtual_hub.yaml | 67 --- .../connectivity_virtual_wan.yaml | 19 - .../contoso.caf.platform.yaml | 132 ----- .../connectivity_firewall_policies.yaml | 34 -- .../non_prod/connectivity_firewalls.yaml | 77 --- .../non_prod/connectivity_private_dns.yaml | 189 ------- .../prod/connectivity_firewall_policies.yaml | 34 -- .../prod/connectivity_firewalls.yaml | 78 --- .../prod/connectivity_private_dns.yaml | 191 ------- .../deployments/prod/identity_level2.yaml | 64 --- .../prod/identity_level2_adds.yaml | 398 ------------- ...chetype_config_overrides.caf.platform.yaml | 310 ----------- .../custom_landing_zones.caf.platform.yaml | 31 -- .../eslz/lib/policy_assignments/README.md | 10 - .../policy_assignment_caf_aks_capability.json | 18 - ...olicy_assignment_es_allowed_locations.json | 18 - .../eslz/lib/policy_definitions/README.md | 10 - .../eslz/lib/policy_set_definitions/README.md | 10 - .../create_subscriptions/eslz/lib/readme.md | 2 - .../eslz/lib/role_definitions/README.md | 11 - .../role_definition_caf_vhub_peering.json | 27 - .../create_subscriptions/identity.yaml | 69 --- .../create_subscriptions/launchpad.yaml | 37 -- .../launchpad_credentials.yaml | 415 -------------- .../create_subscriptions/management.yaml | 84 --- .../create_subscriptions/subscriptions.yaml | 16 - .../create_subscriptions/tfstates.yaml | 148 ----- .../platform/reuse_subscriptions/README.md | 37 -- .../platform/reuse_subscriptions/asvm.yaml | 38 -- .../contoso.caf.platform.yaml | 132 ----- .../connectivity_firewall_policies.yaml | 34 -- .../non_prod/connectivity_firewalls.yaml | 78 --- .../non_prod/connectivity_private_dns.yaml | 189 
------- .../non_prod/connectivity_virtual_hubs.yaml | 54 -- .../prod/connectivity_firewall_policies.yaml | 33 -- .../prod/connectivity_firewalls.yaml | 78 --- .../prod/connectivity_private_dns.yaml | 191 ------- .../prod/connectivity_virtual_hubs.yaml | 53 -- .../prod/connectivity_virtual_wan.yaml | 29 - .../deployments/prod/identity_level2.yaml | 13 - .../eslz/lib/policy_assignments/README.md | 10 - .../policy_assignment_caf_aks_capability.json | 18 - ...olicy_assignment_es_allowed_locations.json | 18 - .../eslz/lib/policy_definitions/README.md | 10 - .../eslz/lib/policy_set_definitions/README.md | 10 - .../reuse_subscriptions/eslz/lib/readme.md | 2 - .../eslz/lib/role_definitions/README.md | 11 - .../role_definition_caf_vhub_peering.json | 27 - .../reuse_subscriptions/identity.yaml | 69 --- .../reuse_subscriptions/launchpad.yaml | 40 -- .../launchpad_credentials.yaml | 415 -------------- .../reuse_subscriptions/management.yaml | 84 --- .../reuse_subscriptions/tfstates.yaml | 105 ---- .../platform/single_subscription/README.md | 40 -- .../single_subscription/bootstrap.yaml | 18 - .../single_subscription/credentials.yaml | 460 --------------- .../deployments/prod/asvm.yaml | 89 --- .../prod/connectivity_firewall_policies.yaml | 34 -- .../prod/connectivity_firewalls.yaml | 78 --- .../prod/connectivity_private_dns.yaml | 192 ------- .../prod/connectivity_virtual_hubs.yaml | 52 -- .../prod/connectivity_virtual_wan.yaml | 29 - .../deployments/prod/identity_level2.yaml | 22 - ...chetype_config_overrides.caf.platform.yaml | 328 ----------- .../custom_landing_zones.caf.platform.yaml | 26 - .../single_subscription/eslz/eslz.yaml | 8 - .../eslz/lib/policy_assignments/README.md | 10 - .../policy_assignment_caf_aks_capability.json | 18 - ...olicy_assignment_es_allowed_locations.json | 18 - .../eslz/lib/policy_definitions/README.md | 10 - .../eslz/lib/policy_set_definitions/README.md | 10 - .../single_subscription/eslz/lib/readme.md | 2 - 
.../eslz/lib/role_definitions/README.md | 11 - .../role_definition_caf_vhub_peering.json | 27 - .../single_subscription/identity.yaml | 86 --- .../single_subscription/launchpad.yaml | 510 ----------------- .../single_subscription/management.yaml | 101 ---- .../single_subscription/subscriptions.yaml | 22 - .../single_subscription/tfstates.yaml | 144 ----- .../platform/IP Address Plan.xlsx | Bin templates/platform/ansible.yaml | 99 ---- templates/platform/ansible/ansible.yaml | 99 ++++ .../platform/ansible/load_deployments.yaml | 44 ++ .../ansible/load_deployments_env.yaml | 31 ++ .../ansible/load_deployments_eslz.yaml | 57 ++ .../platform/ansible/process_deployments.yaml | 38 ++ .../{ => ansible}/process_foundations.yaml | 0 .../{ => ansible}/process_resources.yaml | 4 +- .../platform/ansible/process_stages.yaml | 40 ++ .../process_subscription_resources.yaml | 31 +- .../{ => ansible}/process_tfstate.yaml | 8 +- templates/platform/ansible/walk-through.yaml | 117 ++++ .../asvm/orion-landingzone/config.asvm.yaml | 0 .../deployments/orion_dev.yaml | 0 .../deployments/orion_prod.yaml | 0 .../deployments/subscriptions.yaml | 0 .../asvm/orion-landingzone/readme.md | 0 .../asvm/orion-landingzone/tfstates.asvm.yaml | 0 .../platform/eslz_single_subscription.yaml | 171 ++++++ templates/platform/generic/readme.md | 10 +- templates/platform/level0/README.md | 2 +- .../ansible.yaml | 12 +- .../landingzone.tfvars.j2 | 10 +- .../readme.md | 20 +- .../subscription_creation_roles.tfvars.j2 | 8 +- .../credentials/dynamic_secrets.tfvars.j2 | 2 +- .../level0/credentials/landingzone.tfvars.j2 | 10 +- .../platform/level0/credentials/readme.md | 32 +- .../credentials/role_mappings.tfvars.j2 | 4 +- .../platform/level0/launchpad/ansible.yaml | 68 ++- .../launchpad/azuread_group_members.tfvars.j2 | 22 +- .../launchpad/global_settings.tfvars.j2 | 20 +- .../level0/launchpad/keyvaults.tfvars.j2 | 48 +- templates/platform/level0/launchpad/readme.md | 75 ++- 
templates/platform/level1/eslz/ansible.yaml | 41 +- .../level1/eslz/enterprise_scale.tfvars.j2 | 14 +- .../level1/eslz/landingzone.tfvars.j2 | 26 - .../archetype_config_overrides.tfvars.j2 | 14 +- .../lib/v0.1.x/custom_landing_zones.tfvars.j2 | 8 +- .../lib/v0.3.3/archetype_config_overrides.old | 66 +-- .../archetype_config_overrides.tfvars.j2 | 4 +- .../lib/v0.3.3/custom_landing_zones.tfvars.j2 | 8 +- ...chetype_config_overrides.caf.platform.yaml | 76 ++- .../archetype_config_overrides.tfvars.j2 | 10 +- .../archetype_definition_template.json.j2 | 16 +- .../custom_landing_zone_template.json.j2 | 16 +- .../custom_landing_zones.caf.platform.yaml | 0 .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 12 +- ...cy_assignment_caf_deploy_nsg_flowlogs.json | 18 + ...cy_definition_caf_deploy_nsg_flowlogs.json | 228 ++++++++ templates/platform/level1/eslz/readme.md | 18 +- .../eslz/subscription_id_overrides.tfvars.j2 | 50 +- templates/platform/level1/identity/readme.md | 18 +- .../platform/level1/management/readme.md | 20 +- .../platform/level1/subscriptions/readme.md | 16 +- .../subscriptions/subscriptions.tfvars.j2 | 38 -- templates/platform/level2/asvm/ansible.yaml | 34 +- .../platform/level2/asvm/keyvaults.tfvars.j2 | 26 +- templates/platform/level2/asvm/readme.md | 14 +- .../level2/asvm/role_mappings.tfvars.j2 | 12 +- .../azurerm_firewall_policies/readme.md | 14 +- .../connectivity/azurerm_firewalls/readme.md | 14 +- .../express_route_circuit/ansible.yaml | 10 +- .../landingzone.tfvars.j2 | 10 +- .../express_route_circuit/readme.md | 16 +- .../ansible.yaml | 10 +- .../landingzone.tfvars.j2 | 10 +- .../express_route_circuit_peering/readme.md | 16 +- .../level2/connectivity/private_dns/readme.md | 14 +- .../connectivity/virtual_hubs/readme.md | 16 +- .../connectivity/virtual_wans/readme.md | 14 +- .../level2/identity/identity_level2/readme.md | 14 +- .../identity/identity_level2_aadds/readme.md | 14 +- .../identity/identity_level2_adds/readme.md | 14 +- 
templates/platform/level3/ansible.yaml | 18 +- templates/platform/level3/readme.md | 8 +- .../platform/level3/subscriptions/readme.md | 10 +- .../storage_containers.tfvars.j2 | 4 +- templates/platform/pipelines/README.md | 2 +- templates/platform/pipelines/demo.yaml | 10 +- .../platform/pipelines/symphony_e2e.yaml | 20 +- templates/platform/process_deployments.yaml | 39 -- templates/platform/process_stages.yaml | 39 -- templates/platform/readme.md | 12 +- templates/platform/services/README.md | 41 ++ templates/platform/services/asvm.yaml | 101 ++++ .../connectivity_express_route_peerings.yaml | 0 .../services/connectivity_express_routes.yaml | 22 + .../connectivity_firewall_policies.yaml | 44 ++ .../services/connectivity_firewalls.yaml | 88 +++ .../services/connectivity_private_dns.yaml | 88 +++ .../services/connectivity_virtual_hubs.yaml | 63 +++ ...onnectivity_virtual_hubs_route_tables.yaml | 47 ++ .../services/connectivity_virtual_wans.yaml | 39 ++ .../connectivity_vpn_gateway_connections.yaml | 27 +- .../services}/connectivity_vpn_sites.yaml | 0 templates/platform/services/eslz.yaml | 38 ++ templates/platform/services/identity.yaml | 68 +++ .../platform/services/identity_level2.yaml | 33 ++ .../services}/identity_level2_aadds.yaml | 2 +- .../services/identity_level2_adds.yaml | 407 ++++++++++++++ ...nchpad_azuread_sp_single_subscription.yaml | 522 ++++++++++++++++++ .../launchpad_credentials_azuread_sp.yaml | 470 ++++++++++++++++ templates/platform/services/management.yaml | 93 ++++ .../platform/services/subscriptions.yaml | 35 ++ .../services/template.caf.platform.yaml} | 99 ++-- templates/platform/services/tfstates.yaml | 28 + templates/platform/walk-through-single.yaml | 53 ++ templates/readme.md | 3 + .../active_directory_domain_service.tfvars.j2 | 2 +- ...ctory_domain_service_replica_set.tfvars.j2 | 2 +- .../resources/automation_accounts.tfvars.j2 | 2 +- .../azuread_api_permissions.tfvars.j2 | 2 +- .../resources/azuread_applications.tfvars.j2 | 2 +- 
.../azuread_credential_policies.tfvars.j2 | 2 +- .../resources/azuread_credentials.tfvars.j2 | 2 +- templates/resources/azuread_groups.tfvars.j2 | 2 +- .../azuread_groups_membership.tfvars.j2 | 2 +- templates/resources/azuread_roles.tfvars.j2 | 2 +- .../azuread_service_principals.tfvars.j2 | 2 +- .../azurerm_firewall_policies.tfvars.j2 | 6 +- .../resources/azurerm_firewalls.tfvars.j2 | 2 +- .../resources/container_groups.tfvars.j2 | 6 +- .../custom_role_definitions.tfvars.j2 | 2 +- templates/resources/ddos_services.tfvars.j2 | 2 +- .../diagnostic_log_analytics.tfvars.j2 | 12 +- .../diagnostic_storage_accounts.tfvars.j2 | 48 +- .../diagnostics_destinations.tfvars.j2 | 10 +- .../dynamic_keyvault_secrets.tfvars.j2 | 2 +- .../dynamic_keyvault_secrets.tfvars.j2.old | 12 - .../express_route_connections.tfvars.j2 | 2 +- templates/resources/global_settings.tfvars.j2 | 22 +- .../keyvault_access_policies.tfvars.j2 | 2 +- templates/resources/keyvaults.tfvars.j2 | 12 +- templates/resources/landingzone.tfvars.j2 | 54 +- .../resources/managed_identities.tfvars.j2 | 2 +- .../resources/monitor_action_groups.tfvars.j2 | 2 +- .../resources/network_profiles.tfvars.j2 | 2 +- ...etwork_security_group_definition.tfvars.j2 | 2 +- templates/resources/private_dns.tfvars.j2 | 2 +- .../resources/public_ip_addresses.tfvars.j2 | 2 +- templates/resources/recovery_vaults.tfvars.j2 | 4 +- templates/resources/resource_groups.tfvars.j2 | 4 +- templates/resources/role_mapping.tfvars.j2 | 2 +- templates/resources/servicehealth.tfvars.j2 | 16 +- .../resources/storage_accounts.tfvars.j2 | 2 +- templates/resources/subscriptions.tfvars.j2 | 20 +- .../virtual_hub_connections.tfvars.j2 | 2 +- .../virtual_hub_route_tables.tfvars.j2 | 37 ++ templates/resources/virtual_hubs.tfvars.j2 | 38 +- .../virtual_hubs_route_tables.tfvars.j2 | 35 -- .../resources/virtual_machines.tfvars.j2 | 2 +- .../resources/virtual_networks.tfvars.j2 | 2 +- templates/resources/virtual_wans.tfvars.j2 | 2 +- 
.../vpn_gateway_connections.tfvars.j2 | 2 +- templates/resources/vpn_sites.tfvars.j2 | 2 +- 241 files changed, 3991 insertions(+), 7790 deletions(-) delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/asvm.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_routes.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_hub.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_wan.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/contoso.caf.platform.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewalls.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_private_dns.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewall_policies.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewalls.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_private_dns.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_adds.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml delete mode 100644 
templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/custom_landing_zones.caf.platform.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_set_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/readme.md delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/identity.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad_credentials.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/management.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/subscriptions.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/create_subscriptions/tfstates.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml delete mode 100644 
templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md delete mode 100644 
templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml delete mode 100644 
templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/management.yaml delete mode 100644 
templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml delete mode 100644 templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml rename templates/{enterprise-scale/contoso => }/platform/IP Address Plan.xlsx (100%) delete mode 100644 templates/platform/ansible.yaml create mode 100644 templates/platform/ansible/ansible.yaml create mode 100644 templates/platform/ansible/load_deployments.yaml create mode 100644 templates/platform/ansible/load_deployments_env.yaml create mode 100644 templates/platform/ansible/load_deployments_eslz.yaml create mode 100644 templates/platform/ansible/process_deployments.yaml rename templates/platform/{ => ansible}/process_foundations.yaml (100%) rename templates/platform/{ => ansible}/process_resources.yaml (77%) create mode 100644 templates/platform/ansible/process_stages.yaml rename templates/platform/{ => ansible}/process_subscription_resources.yaml (55%) rename templates/platform/{ => ansible}/process_tfstate.yaml (58%) create mode 100644 templates/platform/ansible/walk-through.yaml rename templates/{enterprise-scale/contoso => platform}/asvm/orion-landingzone/config.asvm.yaml (100%) rename templates/{enterprise-scale/contoso => platform}/asvm/orion-landingzone/deployments/orion_dev.yaml (100%) rename templates/{enterprise-scale/contoso => platform}/asvm/orion-landingzone/deployments/orion_prod.yaml (100%) rename templates/{enterprise-scale/contoso => platform}/asvm/orion-landingzone/deployments/subscriptions.yaml (100%) rename templates/{enterprise-scale/contoso => platform}/asvm/orion-landingzone/readme.md (100%) rename templates/{enterprise-scale/contoso => platform}/asvm/orion-landingzone/tfstates.asvm.yaml (100%) create mode 100644 templates/platform/eslz_single_subscription.yaml delete mode 100644 templates/platform/level1/eslz/landingzone.tfvars.j2 rename templates/{enterprise-scale/contoso/platform/reuse_subscriptions/eslz => 
platform/level1/eslz/lib/v1.1.1}/archetype_config_overrides.caf.platform.yaml (83%) rename templates/{enterprise-scale/contoso/platform/reuse_subscriptions/eslz => platform/level1/eslz/lib/v1.1.1}/custom_landing_zones.caf.platform.yaml (100%) create mode 100644 templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json create mode 100644 templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json delete mode 100644 templates/platform/level1/subscriptions/subscriptions.tfvars.j2 delete mode 100644 templates/platform/process_deployments.yaml delete mode 100644 templates/platform/process_stages.yaml create mode 100644 templates/platform/services/README.md create mode 100644 templates/platform/services/asvm.yaml rename templates/{enterprise-scale/contoso/platform/create_subscriptions => platform/services}/connectivity_express_route_peerings.yaml (100%) create mode 100644 templates/platform/services/connectivity_express_routes.yaml create mode 100644 templates/platform/services/connectivity_firewall_policies.yaml create mode 100644 templates/platform/services/connectivity_firewalls.yaml create mode 100644 templates/platform/services/connectivity_private_dns.yaml create mode 100644 templates/platform/services/connectivity_virtual_hubs.yaml create mode 100644 templates/platform/services/connectivity_virtual_hubs_route_tables.yaml create mode 100644 templates/platform/services/connectivity_virtual_wans.yaml rename templates/{enterprise-scale/contoso/platform/create_subscriptions => platform/services}/connectivity_vpn_gateway_connections.yaml (50%) rename templates/{enterprise-scale/contoso/platform/create_subscriptions => platform/services}/connectivity_vpn_sites.yaml (100%) create mode 100644 templates/platform/services/eslz.yaml create mode 100644 templates/platform/services/identity.yaml create mode 100644 templates/platform/services/identity_level2.yaml rename 
templates/{enterprise-scale/contoso/platform/create_subscriptions/deployments/prod => platform/services}/identity_level2_aadds.yaml (99%) create mode 100644 templates/platform/services/identity_level2_adds.yaml create mode 100644 templates/platform/services/launchpad_azuread_sp_single_subscription.yaml create mode 100644 templates/platform/services/launchpad_credentials_azuread_sp.yaml create mode 100644 templates/platform/services/management.yaml create mode 100644 templates/platform/services/subscriptions.yaml rename templates/{enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml => platform/services/template.caf.platform.yaml} (61%) create mode 100644 templates/platform/services/tfstates.yaml create mode 100644 templates/platform/walk-through-single.yaml delete mode 100644 templates/resources/dynamic_keyvault_secrets.tfvars.j2.old create mode 100644 templates/resources/virtual_hub_route_tables.tfvars.j2 delete mode 100644 templates/resources/virtual_hubs_route_tables.tfvars.j2 diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf index 6ae4b304b..7b5aaf7f0 100644 --- a/caf_launchpad/landingzone.tf +++ b/caf_launchpad/landingzone.tf @@ -1,9 +1,8 @@ module "launchpad" { # source = "aztfmod/caf/azurerm" - # version = "5.5.1" + # version = "~> 5.5.1" - - source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" + source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931" # source = "../../aztfmod" providers = { diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf index 369bdca62..32088c277 100644 --- a/caf_solution/landingzone.tf +++ b/caf_solution/landingzone.tf 
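Review bot: The new `source` line pins the module to a mutable branch name (`?ref=AL-azurerm2931`) instead of an immutable reference, so what `terraform init` fetches can change without any change in this repository; the identical hunk in caf_solution/landingzone.tf has the same issue. With the registry `version` line now commented out, nothing else constrains the module content, which matters for the launchpad and solution modules that every landing zone builds on. Pinning to a full commit hash or release tag, `source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=<commit-sha-or-release-tag>"` (placeholder), or restoring the registry source with an exact `version`, keeps the fetched module reproducible and reviewable. If the branch pin is intentional for testing, a comment such as `# TEMP: feature-branch pin, return to the pinned registry release before merge` would make that explicit. The `module "launchpad"` block continues past the hunk.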
@@ -1,8 +1,8 @@ module "solution" { # source = "aztfmod/caf/azurerm" - # version = "5.5.1" + # version = "~> 5.5.1" - source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" + source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931" # source = "../../aztfmod" providers = { diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/README.md deleted file mode 100644 index 078d70a4d..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/README.md +++ /dev/null @@ -1,31 +0,0 @@ -# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform - - -## Commands - -### clone the landingzone project (Terraform base code) -```bash -cd /tf/caf/landingzones -git pull -git checkout aci_network - -``` - -### Rover ignite the platform -Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps. -Rover ignite creates the tfvars and also the documentation. - -```bash -rover login -t tenantname -s - -rover ignite \ - --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ - -e base_templates_folder=/tf/caf/landingzones/templates/platform \ - -e resource_template_folder=/tf/caf/landingzones/templates/resources \ - -e config_folder=/tf/caf/orgs/contoso/platform - -``` - -### Next step - -Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created. \ No newline at end of file 
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/asvm.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/asvm.yaml deleted file mode 100644 index 8641c70b8..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/asvm.yaml +++ /dev/null @@ -1,38 +0,0 @@ -gitops: - landingzones: aci_network - -subscriptions: - asvm: - resource_groups: - level3: - name: caf-level3 - tags: - level: level3 - level4: - name: caf-level4 - tags: - level: level4 - - storage_accounts: - level3: - name: l3 - resource_group_key: level3 - level4: - name: l4 - resource_group_key: level4 - - keyvaults: - level3: - name: l3 - resource_group_key: level3 - level4: - name: l4 - resource_group_key: level4 - - - azuread_groups: - caf_ac_landingzone_maintainers_non_prod: - name: caf_ac_landingzone_maintainers_non_prod - - caf_ac_landingzone_maintainers_prod: - name: caf_ac_landingzone_maintainers_prod diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_routes.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_routes.yaml deleted file mode 100644 index f90bd43e3..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_routes.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -express_route_circuits: - prod: - name: er-1-prod - resource_group_key: prod - service_provider_name: XL Axiata - peering_location: Jakarta - tier: Standard - family: MeteredData - bandwidth_in_mbps: 50 - non_prod: - name: er-1-nonprod - resource_group_key: non_prod - service_provider_name: XL Axiata - peering_location: Jakarta - tier: Standard - family: MeteredData - bandwidth_in_mbps: 50 - -express_route_circuit_authorizations: - prod: - vhub-prod: - name: er-auth-vhub-prod - resource_group_key: prod - non_prod: - vhub-non-prod: - name: er-auth-vhub-non-prod - resource_group_key: dev - - -resource_groups: - prod: - name: connectivity-express-route-prod - region_key: region1 - non_prod: - name: connectivity-express-route-non-prod - region_key: region1 diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_hub.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_hub.yaml deleted file mode 100644 index 5ca7fccff..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_hub.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -custom_variables: - prod: - virtual_hub_lz_key: connectivity_virtual_hub_prod - # ddos_protection_plan_id: put ddos plan resource id - non_prod: - virtual_hub_lz_key: connectivity_virtual_hub_non_prod - # ddos_protection_plan_id: put ddos plan resource id - -virtual_hubs: - prod: - name: Production - virtual_wan: - lz_key: virtual_wan - key: global_wan - region_key: region1 - hub_address_prefix: - deploy_s2s: false - s2s_config: - name: prod - scale_unit: 1 - deploy_er: false - enable_er_connections: false - er_config: - name: prod - scale_units: 1 - - non_prod: - name: Non Production - virtual_wan: - lz_key: virtual_wan - key: global_wan - region_key: region1 - hub_address_prefix: - deploy_s2s: false - s2s_config: - name: non-prod - scale_unit: 1 - deploy_er: false - enable_er_connections: false - er_config: - name: non-prod - scale_units: 1 - - -express_route_connections: - prod: - name: erc-er-1-prod - virtual_hub: - key: prod - circuit_peering: - tfstate_key: prod - key: private_peering - express_route_circuit_authorization: - tfstate_key: prod - key: vhub-prod - - non_prod: - name: er-1-non-prod - virtual_hub: - key: non_prod - circuit_peering: - tfstate_key: non_prod - key: private_peering - express_route_circuit_authorization: - tfstate_key: non_prod - key: vhub-non-prod - diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_wan.yaml deleted file mode 100644 index 13ecd14df..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_virtual_wan.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -virtual_wans: - global_wan: - name: vwan - resource_group_key: global_wan - region_key: region1 - -resource_groups: - global_wan: - name: connectivity-global-wan - region_key: region1 - ddos_services: - name: connectivity-ddos - region_key: region1 - -ddos_services: - region1: - name: ddos-re1 - region_key: region1 - resource_group_key: ddos_services diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/contoso.caf.platform.yaml deleted file mode 100644 index b6c1204cb..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/contoso.caf.platform.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -caf_terraform: - naming_convention: - # When set to false use the CAF provider to generate names aligned to CAF guidance - # true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace. - passthrough: false - inherit_tags: false - # set: define the prefix to add to all resource names - # unset: if passthrough is set to false, generate a random prefix - prefix: cont - # if passthrough is set to false, add random suffix to name, up to the random_lenght value. - random_length: 5 - launchpad: - caf_environment: contoso - account_replication_type: GRS - regions: - region1: - # set the short form of the Azure region - name: southeastasia # Use the lower-case region's name, short version with no space - slug: sea - region2: - name: eastasia # Use the lower-case region's name, short version with no space - slug: ea - default_region_key: region1 - # Define the number of CAF levels to use. Recommeded is 3 for the platform. - number_of_levels: 3 - blob_versioning_enabled: true - container_delete_retention_policy: 7 - delete_retention_policy: 7 - # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. - subscription_id: - subscription_name: contoso-caf-launchpad - tenant_id: - # Global tags - tags: - application_owner: sre - - billing_subscription_role_delegations: - # true: enable this deployment. The remaining attributes are required. - # false: disable this deployment. 
- # azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform - # azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running: - # az ad signed-in-user show --query objectId -o tsv - # The remaining attributes are ignored: [billing_account_name, enrollment_account_name] - enable: false - # Azure Active Directory User (UPN) that is Account Owner in the EA portal - # if enable=false, set the upn of the user doing the manual deployment - azuread_user_ea_account_owner: - # see comments above to get the object_id - azuread_user_ea_account_owner_object_id: - # Only set the following two attributes when enable=true - billing_account_name: - enrollment_account_name: - -# cleanup_destination - recommended to clean and recreated a clean state from template. -configuration_folders: - platform: - # true: force the destination folder to be deleted and re-created before the files are created. - # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. - cleanup_destination: true - # base destination folder where rover ignite will store the tfvars files. No / at the end - destination_base_path: /tf/caf - # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. 
No / at begining and end - destination_relative_path: configuration/contoso/platform - - -platform_core_setup: - sku: - keyvault: standard - enterprise_scale: - enable: true - scenario: contoso - model: demo - management_group_name: "Contoso Industries" - management_group_prefix: contoso - deploy_core_landing_zones: true - enable_azure_subscription_vending_machine: true - clean_up_destination_folder: false - update_lib_folder: true - subscription_deployment_mode: dedicated_new - private_lib: - version_to_deploy: v1.1.1 - v0.1.x: - caf_landingzone_branch: "2107.1" - v0.3.3: - caf_landingzone_branch: "patch.5.4.4" - v1.1.1: - caf_landingzone_branch: "aci_network" - # subscription_id_overrides: - # decommissioned: - # - guid1 - # connectivity: - # - guid2 - # - guid3 - # management: - # - guid4 - # identity: - # - -platform_management: - enable: true - -networking_topology: - deployment_option: virtual_wan - -platform_identity: - # Set the Azure Active Directory tenant name (primary domain name) - # has to be the default domain name (custom dns name or tenantname.onmicrosoft.com) - # check the AAD property - tenant_name: - # Supported values - # - service_principal - # - logged_in_user - azuread_identity_mode: service_principal - # UPNs you want to add in the caf_platform_maintainers Azure AD group - # Can use user or guest accounts - # Those users will have full permissions on platform. - # Once setup, you can remove them from here or add them from - # Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts. - caf_platform_maintainers: - - - -notifications: - service_health_alerts: - emails: - support1: - name: - email_address: - security_center_email_contact: - -gitops: - caf_landingzone_branch: "aci_network" - deployment_mode: interactive - rover_log_error: ERROR 
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml deleted file mode 100644 index d1a6f3215..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml +++ /dev/null @@ -1,34 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - landingzone: - key: - platform: - private_dns: non_prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - asvm: - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-non-prod-firewall-policies - region_key: region1 - - azurerm_firewall_policies: - root: - name: "non-prod-root-policy" - region_key: region1 - resource_group: - key: firewall_policies - dns: - proxy_enabled: true - threat_intelligence_mode: "Alert" - diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewalls.yaml deleted file mode 100644 index 7541b5e4d..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_firewalls.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - landingzone: - key: - platform: - azurerm_firewalls: non_prod - global_settings_key: - platform: - virtual_hubs: non_prod - remote_tfstates: - platform: - virtual_hubs: non_prod - azurerm_firewall_policies: non_prod - - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-non-prod-firewall - region_key: region1 - - - virtual_networks: - vnet: - name: vnet-connectivity-non-prod-fw-plinks - resource_group_key: firewall_policies - region_key: region1 - address_space: - - 10.201.61.0/24 - specialsubnets: - AzureFirewallSubnet: - name: AzureFirewallSubnet - cidr: - - 10.201.61.0/26 - - public_ip_addresses: - fw_pip1: - name: pip-non-prod-fw-01 - resource_group_key: firewall_policies - sku: Standard - allocation_method: Static - ip_version: IPv4 - idle_timeout_in_minutes: 4 - - azurerm_firewalls: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - resource_group_key: firewall_policies - vnet_key: vnet - sku_tier: Standard - firewall_policy: - key: root - lz_key: connectivity_firewall_policies_non_prod - zones: - - 1 - - 2 - - 3 - public_ips: - ip1: - name: pip1 - public_ip_key: fw_pip1 - vnet_key: vnet - subnet_key: AzureFirewallSubnet - - - virtual_hub_connections: - vnet_to_hub: - name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod - virtual_hub: - lz_key: connectivity_virtual_hub_non_prod - key: non_prod - vnet: - vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_private_dns.yaml deleted file mode 100644 index f9d14ec38..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/non_prod/connectivity_private_dns.yaml +++ /dev/null 
@@ -1,189 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - landingzone: - key: - platform: - private_dns: non_prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - asvm: - - -subscriptions: - connectivity: - resource_groups: - dns_connectivity_non_prod: - name: dns-connectivity-non-prod - private_dns: - privatelink.adf.azure.com: - name: privatelink.adf.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.datafactory.azure.net: - name: privatelink.datafactory.azure.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.blob.core.windows.net: - name: privatelink.blob.core.windows.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.file.core.windows.net: - name: privatelink.file.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.notebooks.azure.net: - name: privatelink.notebooks.azure.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.dfs.core.windows.net: - name: privatelink.dfs.core.windows.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.vaultcore.azure.net: - name: privatelink.vaultcore.azure.net - resource_group_key: 
dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.southeastasia.azmk8s.io: - name: privatelink.southeastasia.azmk8s.io - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.azurecr.io: - name: privatelink.azurecr.io - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.southeastasia.backup.windowsazure.com: - name: privatelink.southeastasia.backup.windowsazure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.siterecovery.windowsazure.com: - name: privatelink.siterecovery.windowsazure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.servicebus.windows.net: - name: privatelink.servicebus.windows.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.api.azureml.ms: - name: privatelink.api.azureml.ms - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.monitor.azure.com: - name: privatelink.monitor.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.oms.opinsights.non_prod.com: - name: 
privatelink.oms.opinsights.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.ods.opinsights.azure.com: - name: privatelink.ods.opinsights.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.agentsvc.azure-automation.net: - name: privatelink.agentsvc.azure-automation.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - - custom_role_definitions: - landgingzone_extended: - name: landingzone-networking-non-prod-private-dns-extended - useprefix: true - description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." - permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write - - role_mapping: - custom_role_mapping: - resource_groups: - dns_connectivity_prod: - landgingzone_extended: - azuread_groups: - lz_key: identity_level2 - keys: - - caf_non_prod_landingzones_dns_contributors - built_in_role_mapping: - resource_groups: - dns_connectivity_non_prod: - Private DNS Zone Contributor: - azuread_groups: - lz_key: identity_level2 - keys: - - caf_non_prod_landingzones_dns_contributors diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewall_policies.yaml deleted file mode 100644 index 1b3d47aa8..000000000 
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewall_policies.yaml +++ /dev/null @@ -1,34 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - private_dns: prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - asvm: - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-prod-firewall-policies - region_key: region1 - - azurerm_firewall_policies: - root: - name: "prod-root-policy" - region_key: region1 - resource_group: - key: firewall_policies - dns: - proxy_enabled: true - threat_intelligence_mode: "Alert" diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewalls.yaml deleted file mode 100644 index 601b2972a..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_firewalls.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - azurerm_firewalls: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - virtual_hubs: prod - azurerm_firewall_policies: prod - - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-prod-firewall - region_key: region1 - - - virtual_networks: - vnet: - name: vnet-connectivity-prod-fw-plinks - resource_group_key: firewall_policies - region_key: region1 - address_space: - - 10.101.61.0/24 - specialsubnets: - AzureFirewallSubnet: - name: AzureFirewallSubnet - cidr: - - 10.101.61.0/26 - - public_ip_addresses: - fw_pip1: - name: pip-prod-fw-01 - resource_group_key: firewall_policies - sku: Standard - allocation_method: Static - ip_version: IPv4 - idle_timeout_in_minutes: 4 - - azurerm_firewalls: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - resource_group_key: firewall_policies - vnet_key: vnet - sku_tier: Standard - firewall_policy: - key: root - lz_key: connectivity_firewall_policies_prod - zones: - - 1 - - 2 - - 3 - public_ips: - ip1: - name: pip1 - public_ip_key: fw_pip1 - vnet_key: vnet - subnet_key: AzureFirewallSubnet - - - virtual_hub_connections: - vnet_to_hub: - name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_private_dns.yaml deleted file mode 100644 index 53e896c2c..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/connectivity_private_dns.yaml +++ /dev/null 
@@ -1,191 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - private_dns: prod - global_settings_key: - platform: - virtual_wan: - remote_tfstates: - platform: - virtual_wan: - azurerm_firewalls: prod - identity_level2: prod - -subscriptions: - connectivity: - resource_groups: - dns_connectivity_prod: - name: dns-connectivity-prod - private_dns: - privatelink.adf.azure.com: - name: privatelink.adf.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.datafactory.azure.net: - name: privatelink.datafactory.azure.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.blob.core.windows.net: - name: privatelink.blob.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.file.core.windows.net: - name: privatelink.file.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.notebooks.azure.net: - name: privatelink.notebooks.azure.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.dfs.core.windows.net: - name: privatelink.dfs.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.vaultcore.azure.net: - name: privatelink.vaultcore.azure.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: 
fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.southeastasia.azmk8s.io: - name: privatelink.southeastasia.azmk8s.io - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.azurecr.io: - name: privatelink.azurecr.io - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.southeastasia.backup.windowsazure.com: - name: privatelink.southeastasia.backup.windowsazure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.siterecovery.windowsazure.com: - name: privatelink.siterecovery.windowsazure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.servicebus.windows.net: - name: privatelink.servicebus.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.api.azureml.ms: - name: privatelink.api.azureml.ms - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.monitor.azure.com: - name: privatelink.monitor.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.oms.opinsights.azure.com: - name: privatelink.oms.opinsights.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: 
connectivity_firewalls_prod - privatelink.ods.opinsights.azure.com: - name: privatelink.ods.opinsights.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.agentsvc.azure-automation.net: - name: privatelink.agentsvc.azure-automation.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - - custom_role_definitions: - landgingzone_extended: - name: landingzone-networking-private-dns-extended - useprefix: true - description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." - permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write - - role_mapping: - custom_role_mapping: - resource_groups: - dns_connectivity_prod: - landgingzone_extended: - azuread_groups: - lz_key: identity_level2 - keys: - - caf_prod_landingzones_dns_contributors - built_in_role_mapping: - resource_groups: - dns_connectivity_prod: - Private DNS Zone Contributor: - azuread_groups: - lz_key: identity_level2 - keys: - - caf_prod_landingzones_dns_contributors - diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2.yaml deleted file mode 100644 index f888e06c4..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - identity: - prod: - landingzone: - key: - platform: - identity_level2: prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - -subscriptions: - identity: - resource_groups: - management: - name: management - - azuread_groups: - caf_non_prod_landingzones_dns_contributors: - name: caf ac non_prod landingzones dns contributors - caf_prod_landingzones_dns_contributors: - name: caf ac prod landingzones dns contributors - - recovery_vaults: - asr: - name: asr - resource_group_key: management - soft_delete_enabled: true - backup_policies: - vms: - default: - name: vm-default-policy - # Default to UTC - # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - retention_weekly: - count: 2 - weekdays: - - Sunday - retention_monthly: - count: 2 - weeks: - - First - weekdays: - - Sunday - retention_yearly: - count: 1 - weeks: - - First - months: - - January - weekdays: - - Sunday \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_adds.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_adds.yaml deleted file mode 100644 index 0dbe19965..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_adds.yaml +++ /dev/null 
@@ -1,398 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - identity: - prod: - landingzone: - key: - platform: - identity_level2_adds: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - management: - virtual_hubs: prod - identity_level2: prod - - -subscriptions: - identity: - resource_groups: - rg: - name: identity-prod-adds - region_key: region1 - - virtual_networks: - vnet: - name: vnet-identity-prod-adds - resource_group_key: rg - region_key: region1 - address_space: - - 10.10.100.0/27 - dns_servers: - - 10.10.100.4 - - 10.10.100.5 - subnets: - adds: - name: snet-adds - cidr: - - 10.10.100.0/28 - nsg_key: adds_re1 - management: - name: snet-adds-management - cidr: - - 10.10.100.16/28 - - keyvaults: - adds_credentials: - name: addskv - resource_group_key: rg - sku_name: premium - purge_protection_enabled: false - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - dynamic_keyvault_secrets: - adds_credentials: - vmadmin-username: - secret_name: vmadmin-username - value: vmadmin - vmadmin-password: - secret_name: vmadmin-password - value: Very@Str5ngP!44w0rdToChaNge# - - virtual_machines: - adds1: - resource_group: - key: rg - region: region1 - os_type: windows - keyvault_key: adds_credentials - backup: - vault_key: asr - policy_key: default - lz_key: identity_level2 - - virtual_machine_settings: - windows: - computer_name: adds1 - name: adds1 - admin_password_key: vmadmin-password - admin_username_key: vmadmin-username - network_interface_keys: - - nic0 - provision_vm_agent: true - size: Standard_F2 - zone: 1 - os_disk: - name: adds1-os - caching: ReadWrite - storage_account_type: Standard_LRS - disk_size_gb: 128 - # identity: - # type: SystemAssigned, UserAssigned - # managed_identity_keys: - # - id1 - # remote: - # lz_key_name1: - # managed_identity_keys: - # - id2 - # - id3 - # lz_key_name2: - # managed_identity_keys: - # - id4 - # - id5 
- - # custom_image_id: - - source_image_reference: - publisher: MicrosoftWindowsServer - offer: WindowsServer - sku: 2019-Datacenter - version: latest - - data_disks: - lun1: - name: adds1-data1 - lun: "1" - caching: None - storage_account_type: Standard_LRS - create_option: Empty - disk_size_gb: 10 - zones: - - "1" - - networking_interfaces: - nic0: - name: 0 - vnet_key: vnet - subnet_key: adds - enable_ip_forwarding: false - internal_dns_name_label: adds1-nic0 - private_ip_address_allocation: Static - private_ip_address: 10.10.100.4 - primary: true - tags: - adds: "ok" - dns_servers: - # - Set on-prem dns - - 10.10.100.5 - network_security_group: - key: adds_re1 - # ip_configurations: - # conf2: - # name: 0-conf - # vnet_key: vnet - # subnet_key: management - # enable_ip_forwarding: false - # private_ip_address_allocation: Static - # private_ip_address: 10.10.100.20 - - adds2: - resource_group: - key: rg - region: region1 - os_type: windows - keyvault_key: adds_credentials - backup: - vault_key: asr - policy_key: default - lz_key: identity_level2 - - virtual_machine_settings: - windows: - computer_name: adds2 - name: adds2 - admin_password_key: vmadmin-password - admin_username_key: vmadmin-username - network_interface_keys: - - nic0 - provision_vm_agent: true - size: Standard_F2 - zone: 2 - os_disk: - name: adds2-os - caching: ReadWrite - storage_account_type: Standard_LRS - disk_size_gb: 128 - # identity: - # type: SystemAssigned, UserAssigned - # managed_identity_keys: - # - id1 - # remote: - # lz_key_name1: - # managed_identity_keys: - # - id2 - # - id3 - # lz_key_name2: - # managed_identity_keys: - # - id4 - # - id5 - - - source_image_reference: - publisher: MicrosoftWindowsServer - offer: WindowsServer - sku: 2019-Datacenter - version: latest - - data_disks: - lun1: - name: adds2-data1 - lun: "1" - storage_account_type: Standard_LRS - create_option: Empty - disk_size_gb: 10 - zones: - - "2" - - networking_interfaces: - nic0: - name: 0 - vnet_key: vnet - 
subnet_key: adds - enable_ip_forwarding: false - internal_dns_name_label: adds2-nic0 - private_ip_address_allocation: Static - private_ip_address: 10.10.100.5 - primary: true - tags: - adds: "ok" - dns_servers: - # - Set on-prem ADDS dns - - 10.10.100.4 - network_security_group: - key: adds_re1 - # ip_configurations: - # conf2: - # name: 0-conf - # vnet_key: vnet - # subnet_key: management - # enable_ip_forwarding: false - # private_ip_address_allocation: Static - # private_ip_address: 10.10.100.21 - - virtual_hub_connections: - vnet_to_hub: - name: vnet-identity-prod-adds-TO-vhub-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet - - network_security_group_definition: - adds_re1: - version: 1 - resource_group_key: rg - region: region1 - name: nsg-adds-re1 - # Reference - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts - # following is for Windows Server 2008 and later - nsg: - Inbound: - 400: - name: W32Time. - access: Allow - protocol: udp - source_address_prefix: "VirtualNetwork" - # source_address_prefixes: - # - on-prem CIDR for ADDS - source_port_range: "49152-65535" - destination_port_range: "123" - destination_address_prefix: "*" - 401: - name: RPC Endpoint Mapper. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "135" - destination_address_prefix: "*" - 402: - name: Kerberos password change tcp. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "464" - destination_address_prefix: "*" - 403: - name: Kerberos password change udp. - access: Allow - protocol: udp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "464" - destination_address_prefix: "*" - 404: - name: RPC for LSA, SAM, NetLogon. 
- access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "49152-65535" - destination_address_prefix: "*" - 405: - name: LDAP-tcp. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "389" - destination_address_prefix: "*" - 406: - name: LDAP-udp. - access: Allow - protocol: udp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "389" - destination_address_prefix: "*" - 407: - name: LDAP SSL. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "636" - destination_address_prefix: "*" - 408: - name: LDAP GC. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "3268" - destination_address_prefix: "*" - 409: - name: LDAP GC SSL. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "3269" - destination_address_prefix: "*" - 410: - name: DNS tcp. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_ranges: - - "53" - - "49152-65535" - destination_port_range: "53" - destination_address_prefix: "*" - 411: - name: DNS udp. - access: Allow - protocol: udp - source_address_prefix: "VirtualNetwork" - source_port_ranges: - - "53" - - "49152-65535" - destination_port_range: "53" - destination_address_prefix: "*" - 412: - name: Kerberos tcp. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "88" - destination_address_prefix: "*" - 413: - name: Kerberos udp. 
- access: Allow - protocol: udp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "88" - destination_address_prefix: "*" - 414: - name: SMB. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "445" - destination_address_prefix: "*" - # Adjust the following based on your RPC custom ports configuration - 415: - name: FRS RPC. - access: Allow - protocol: tcp - source_address_prefix: "VirtualNetwork" - source_port_range: "49152-65535" - destination_port_range: "49152-65535" - destination_address_prefix: "*" \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml deleted file mode 100644 index cfc8c8e14..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml +++ /dev/null 
@@ -1,310 +0,0 @@ -archetype_definitions: - root: - archetype_id: root - policy_assignments: - Allowed-Locations: - listOfAllowedLocations: - - southeastasia # Use the lower-case region's name, short version with no space - - eastasia - Deny-RSG-Locations: - listOfAllowedLocations: - - southeastasia - - eastasia - # Set to Audit as Terraform cannot combine both in one operation yet. - Deny-Subnet-Without-Nsg: - effect: Audit - # Set to Audit as Terraform cannot combine both in one operation yet. - Deny-Subnet-Without-Udr: - effect: Audit - # More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 - # Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled... - Deploy-ASC-Monitoring: - aadAuthenticationInSqlServerMonitoringEffect: Disabled - diskEncryptionMonitoringEffect: Disabled - encryptionOfAutomationAccountMonitoringEffect: Disabled - identityDesignateLessThanOwnersMonitoringEffect: Disabled - identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled - identityEnableMFAForWritePermissionsMonitoringEffect: Disabled - identityRemoveDeprecatedAccountMonitoringEffect: Disabled - identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled - identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled - identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled - identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled - jitNetworkAccessMonitoringEffect: Disabled - networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled - sqlDbEncryptionMonitoringEffect: Disabled - sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled - sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled - sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled - sqlServerAdvancedDataSecurityMonitoringEffect: Disabled - systemUpdatesMonitoringEffect: Disabled 
- useRbacRulesMonitoringEffect: Disabled - vmssSystemUpdatesMonitoringEffect: Disabled - windowsDefenderExploitGuardMonitoringEffect: Disabled - Deploy-ASCDF-Config: - emailSecurityContact: - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - enableAscForKubernetes: DeployIfNotExists - enableAscForSql: DeployIfNotExists - enableAscForSqlOnVm: DeployIfNotExists - enableAscForDns: DeployIfNotExists - enableAscForArm: DeployIfNotExists - enableAscForOssDb: DeployIfNotExists - enableAscForAppServices: DeployIfNotExists - enableAscForRegistries: DeployIfNotExists - enableAscForKeyVault: DeployIfNotExists - enableAscForStorage: DeployIfNotExists - enableAscForServers: DeployIfNotExists - Deploy-AzActivity-Log: - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-LX-Arc-Monitoring: - Deploy-Resource-Diag: - profileName: eslz-diagnostic-log - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-WS-Arc-Monitoring: - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-VM-Monitoring: - logAnalytics_1: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-VMSS-Monitoring: - logAnalytics_1: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - policy_definitions: - Append-AppService-httpsonly: - Append-AppService-latestTLS: - Append-KV-SoftDelete: - Append-Redis-disableNonSslPort: - Append-Redis-sslEnforcement: - Audit-MachineLearning-PrivateEndpointId: - Deny-AA-child-resources: - Deny-AppGW-Without-WAF: - Deny-AppServiceApiApp-http: - Deny-AppServiceFunctionApp-http: - 
Deny-AppServiceWebApp-http: - Deny-Databricks-NoPublicIp: - Deny-Databricks-Sku: - Deny-Databricks-VirtualNetwork: - Deny-MachineLearning-Aks: - Deny-MachineLearning-Compute-SubnetId: - Deny-MachineLearning-Compute-VmSize: - Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess: - Deny-MachineLearning-ComputeCluster-Scale: - Deny-MachineLearning-HbiWorkspace: - Deny-MachineLearning-PublicAccessWhenBehindVnet: - Deny-MachineLearning-PublicNetworkAccess: - Deny-MySql-http: - Deny-PostgreSql-http: - Deny-Private-DNS-Zones: - Deny-PublicEndpoint-MariaDB: - Deny-PublicIP: - Deny-RDP-From-Internet: - Deny-Redis-http: - Deny-Sql-minTLS: - Deny-SqlMi-minTLS: - Deny-Storage-minTLS: - Deny-Subnet-Without-Nsg: - Deny-Subnet-Without-Udr: - Deny-VNET-Peer-Cross-Sub: - Deny-VNet-Peering: - Deploy-ASC-SecurityContacts: - Deploy-Budget: - Deploy-Custom-Route-Table: - Deploy-DDoSProtection: - Deploy-Diagnostics-AA: - Deploy-Diagnostics-ACI: - Deploy-Diagnostics-ACR: - Deploy-Diagnostics-AnalysisService: - Deploy-Diagnostics-ApiForFHIR: - Deploy-Diagnostics-APIMgmt: - Deploy-Diagnostics-ApplicationGateway: - Deploy-Diagnostics-CDNEndpoints: - Deploy-Diagnostics-CognitiveServices: - Deploy-Diagnostics-CosmosDB: - Deploy-Diagnostics-Databricks: - Deploy-Diagnostics-DataExplorerCluster: - Deploy-Diagnostics-DataFactory: - Deploy-Diagnostics-DLAnalytics: - Deploy-Diagnostics-EventGridSub: - Deploy-Diagnostics-EventGridSystemTopic: - Deploy-Diagnostics-EventGridTopic: - Deploy-Diagnostics-ExpressRoute: - Deploy-Diagnostics-Firewall: - Deploy-Diagnostics-FrontDoor: - Deploy-Diagnostics-Function: - Deploy-Diagnostics-HDInsight: - Deploy-Diagnostics-iotHub: - Deploy-Diagnostics-LoadBalancer: - Deploy-Diagnostics-LogicAppsISE: - Deploy-Diagnostics-MariaDB: - Deploy-Diagnostics-MediaService: - Deploy-Diagnostics-MlWorkspace: - Deploy-Diagnostics-MySQL: - Deploy-Diagnostics-NetworkSecurityGroups: - Deploy-Diagnostics-NIC: - Deploy-Diagnostics-PostgreSQL: - 
Deploy-Diagnostics-PowerBIEmbedded: - Deploy-Diagnostics-RedisCache: - Deploy-Diagnostics-Relay: - Deploy-Diagnostics-SignalR: - Deploy-Diagnostics-SQLElasticPools: - Deploy-Diagnostics-SQLMI: - Deploy-Diagnostics-TimeSeriesInsights: - Deploy-Diagnostics-TrafficManager: - Deploy-Diagnostics-VirtualNetwork: - Deploy-Diagnostics-VM: - Deploy-Diagnostics-VMSS: - Deploy-Diagnostics-VNetGW: - Deploy-Diagnostics-WebServerFarm: - Deploy-Diagnostics-Website: - Deploy-Diagnostics-WVDAppGroup: - Deploy-Diagnostics-WVDHostPools: - Deploy-Diagnostics-WVDWorkspace: - Deploy-FirewallPolicy: - Deploy-MySQL-sslEnforcement: - Deploy-Nsg-FlowLogs-to-LA: - Deploy-Nsg-FlowLogs: - Deploy-PostgreSQL-sslEnforcement: - Deploy-Sql-AuditingSettings: - Deploy-SQL-minTLS: - Deploy-Sql-SecurityAlertPolicies: - Deploy-Sql-Tde: - Deploy-Sql-vulnerabilityAssessments: - Deploy-SqlMi-minTLS: - Deploy-Storage-sslEnforcement: - Deploy-Windows-DomainJoin: - policy_set_definitions: - Deny-PublicPaaSEndpoints: - Deploy-ASCDF-Config: - Deploy-Diagnostics-LogAnalytics: - Deploy-Sql-Security: - Enforce-Encryption-CMK: - Enforce-EncryptTransit: - remediation: - policy: - policy_set_definitions: - # policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766 - # /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag - Deploy-Diagnostics-LogAnalytics: - - ExpressRouteDeployDiagnosticLogDeployLogAnalytics - - FirewallDeployDiagnosticLogDeployLogAnalytics - - KeyVaultDeployDiagnosticLogDeployLogAnalytics - - LoadBalancerDeployDiagnosticLogDeployLogAnalytics - - NetworkNICDeployDiagnosticLogDeployLogAnalytics - - NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics - - NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics - - 
RecoveryVaultDeployDiagnosticLogDeployLogAnalytics - - storageaccountdeploydiagnosticlogdeployloganalytics - - VirtualNetworkDeployDiagnosticLogDeployLogAnalytics - - VNetGWDeployDiagnosticLogDeployLogAnalytics - Deploy-ASCDF-Config: - - defenderForOssDb - - defenderForVM - - defenderForSqlServerVirtualMachines - - defenderForAppServices - - defenderForStorageAccounts - - defenderForKubernetesService - - defenderForContainerRegistry - - defenderForKeyVaults - - defenderForDns - - defenderForArm - - defenderForSqlPaas - - securityEmailContact - - ascExport - landing-zones: - archetype_id: landing-zones - policy_assignments: - Deny-IP-Forwarding: - Deny-Priv-Containers-AKS: - Deny-Priv-Escalation-AKS: - Deny-RDP-From-Internet: - Deny-Storage-http: - Deploy-AKS-Policy: - Deploy-SQL-DB-Auditing: - Deploy-SQL-Threat: - Enable-DDoS-VNET: - Enforce-AKS-HTTPS: - Enforce-TLS-SSL: - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - subscription_creation_landingzones - connectivity: - archetype_id: platform_connectivity - policy_assignments: - Enable-DDoS-VNET: - role_definitions: - CAF-network-vhub-peering: - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - connectivity - '[-CONNECTIVITY] CAF-network-vhub-peering': - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - subscription_creation_landingzones - management: - archetype_id: platform_management - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - management - identity: - archetype_id: platform_identity - policy_assignments: - Deny-RDP-From-Internet: - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - identity - decommissioned: - archetype_id: platform_decommissioned - platform: - archetype_id: platform 
- sandboxes:
- archetype_id: platform_sandboxes
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/custom_landing_zones.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/custom_landing_zones.caf.platform.yaml
deleted file mode 100644
index 93a921f59..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/custom_landing_zones.caf.platform.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-archetype_definitions:
- corp:
- display_name: Corp
- archetype_id: landingzone_corp
- parent_management_group_id: landing-zones
- # subscription_ids:
- # policy_assignments:
- online:
- display_name: Online
- archetype_id: landingzone_online
- parent_management_group_id: landing-zones
- # subscription_ids:
- # policy_assignments:
- corp-prod:
- display_name: Production
- archetype_id: landingzone_prod
- parent_management_group_id: corp
- # subscription_ids:
- # policy_assignments:
- corp-non-prod:
- display_name: Non Production
- archetype_id: landingzone_non_prod
- parent_management_group_id: corp
- # subscription_ids:
- # policy_assignments:
- online-web:
- display_name: Non Production
- archetype_id: landingzone_online_web
- parent_management_group_id: online
- # subscription_ids:
- # policy_assignments:
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/README.md
deleted file mode 100644
index def2a5a6d..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-# List of the default policy assignments
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json
deleted file mode 100644
index 789acde60..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "name": "aks-capability",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
- "displayName": "Kubernetes cluster containers should only use allowed capabilities.",
- "notScopes": [],
- "parameters": {},
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
- "scope": "${current_scope_resource_id}",
- "enforcementMode": true
- },
- "location": "${default_location}",
- "identity": {
- "type": "None"
- }
-}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json
deleted file mode 100644
index bce0689ad..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "name": "Allowed-Locations",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
- "displayName": "Limit allowed locations for Resources",
- "notScopes": [],
- "parameters": {},
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
- "scope": "${current_scope_resource_id}",
- "enforcementMode": null
- },
- "location": "${default_location}",
- "identity": {
- "type": "None"
- }
-}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_definitions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_definitions/README.md
deleted file mode 100644
index e47f922fd..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_definitions/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-# List of the default policy definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_set_definitions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_set_definitions/README.md
deleted file mode 100644
index c09d2c016..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/policy_set_definitions/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-# List of the default policy set definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/readme.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/readme.md
deleted file mode 100644
index 187ef6e20..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/readme.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# Custom ESLZ library
-In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/README.md b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/README.md
deleted file mode 100644
index 2230928aa..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-
-# List of the default role defitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json
deleted file mode 100644
index 5a87be3b6..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
- "type": "Microsoft.Authorization/roleDefinitions",
- "apiVersion": "2018-01-01-preview",
- "properties": {
- "roleName": "CAF-network-vhub-peering",
- "description": "Authorize vnet peerings to the vhub.",
- "type": "customRole",
- "permissions": [
- {
- "actions": [
- "Microsoft.Network/ddosProtectionPlans/join/action",
- "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
- "Microsoft.Network/virtualHubs/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read"
- ],
- "notActions": [
- ],
- "dataActions": [],
- "notDataActions": []
- }
- ],
- "assignableScopes": [
- "${current_scope_resource_id}"
- ]
- }
-}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/identity.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/identity.yaml
deleted file mode 100644
index aa201e898..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/identity.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-subscriptions:
- identity:
- resource_groups:
- management:
- name: management
- alerts:
- name: alerts
-
- service_health_alerts:
- enable_service_health_alerts: true
- name: alerts
- shortname: HealthAlerts
- resource_group_key: alerts
- action_group_name: actiongrp
- email_alert_settings:
- support1:
- name: email_alert_support1
- email_address: lalesle@microsoft.com
- use_common_alert_schema: false
-
- recovery_vaults:
- asr:
- name: asr
- resource_group_key: management
- soft_delete_enabled: true
- backup_policies:
- vms:
- default:
- name: vm-default-policy
- # Default to UTC
- # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
- timezone: "SE Asia Standard Time"
- backup:
- frequency: Daily
- time: "23:00"
- retention_daily:
- count: 7
- retention_weekly:
- count: 2
- weekdays:
- - Sunday
- retention_monthly:
- count: 2
- weeks:
- - First
- weekdays:
- - Sunday
- retention_yearly:
- count: 1
- weeks:
- - First
- months:
- - January
- weekdays:
- - Sunday
-
-
-# Bring here you existing active directory security groups.
-# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
-# Note Terraform will create a new Azure AD group and add the existing as a member
-#
-# level1:
-# azuread_groups:
-# network_ops_team:
-# name: netops
-# members:
-# # Set the list of the existing groups
-# objects_ids:
-# - existing_azure_ad_group_object_id
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad.yaml
deleted file mode 100644
index c9cf11fea..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-subscriptions:
- launchpad:
- resource_groups:
- level0:
- name: caf-level0
- tags:
- level: level0
- level1:
- name: caf-level1
- tags:
- level: level1
- level2:
- name: caf-level2
- tags:
- level: level2
-
- storage_accounts:
- level0:
- name: l0
- resource_group_key: level0
- level1:
- name: l1
- resource_group_key: level1
- level2:
- name: l2
- resource_group_key: level2
-
- keyvaults:
- level0:
- name: l0
- resource_group_key: level0
- level1:
- name: l1
- resource_group_key: level1
- level2:
- name: l2
- resource_group_key: level2
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad_credentials.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad_credentials.yaml
deleted file mode 100644
index 7d843436b..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/launchpad_credentials.yaml
+++ /dev/null
@@ -1,415 +0,0 @@ -subscriptions: - launchpad_credentials: - resource_groups: - sp_credentials: - name: credentials - - keyvaults: - cred_ea_account_owner: - name: eaowner - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - cred_level0: - name: idl0 - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - level0: - lz_key: launchpad - azuread_group_key: level0 - secret_permissions: - - Get - cred_identity: - name: id - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - cred_management: - name: mg - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - 
List - - Delete - - Purge - - Recover - management_azuread_group: - lz_key: launchpad - azuread_group_key: management - secret_permissions: - - Get - cred_eslz: - name: es - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - eslz_azuread_group: - lz_key: launchpad - azuread_group_key: eslz - secret_permissions: - - Get - cred_connectivity: - name: co - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - connectivity_azuread_group: - lz_key: launchpad - azuread_group_key: connectivity - secret_permissions: - - Get - cred_subscription_creation_platform: - name: scp - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - subscription_creation_platform_azuread_group: - lz_key: launchpad - azuread_group_key: subscription_creation_platform - secret_permissions: - - Get - cred_subscription_creation_landingzones: - name: scl - resource_group_key: sp_credentials - 
purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - subscription_creation_platform_azuread_group: - lz_key: launchpad - azuread_group_key: subscription_creation_landingzones - secret_permissions: - - Get - cred_gitops: - name: gitops - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - cred_ea_account_owner: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_level0: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_identity: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_management: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_eslz: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_connectivity: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_subscription_creation_platform: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_subscription_creation_landingzones: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_gitops: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - - - azuread_applications: - gitops: - 
application_name: app-azure-platform-credentials-for-gitops - - azuread_service_principals: - gitops: - azuread_application: - key: gitops - - azuread_credentials: - gitops: - type: password - azuread_credential_policy_key: gitops - azuread_application: - key: gitops - keyvaults: - cred_gitops: - secret_prefix: sp - level0: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: level0 - keyvaults: - cred_level0: - secret_prefix: sp - identity: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: identity - keyvaults: - cred_identity: - secret_prefix: sp - management: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: management - keyvaults: - cred_management: - secret_prefix: sp - eslz: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: eslz - keyvaults: - cred_eslz: - secret_prefix: sp - connectivity: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: connectivity - keyvaults: - cred_connectivity: - secret_prefix: sp - subscription_creation_platform: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: subscription_creation_platform - keyvaults: - cred_subscription_creation_platform: - secret_prefix: sp - subscription_creation_landingzones: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: subscription_creation_landingzones - keyvaults: - cred_subscription_creation_landingzones: - secret_prefix: sp - - azuread_credential_policies: - gitops: - length: 250 - special: false - upper: true - number: true - expire_in_days: 360 - rotation_key0: - days: 181 - rotation_key1: - days: 300 - default_policy: - length: 250 - special: false - 
upper: true - number: true - expire_in_days: 65 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/management.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/management.yaml deleted file mode 100644 index 2532e9eca..000000000 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/management.yaml +++ /dev/null 
@@ -1,84 +0,0 @@
-subscriptions:
- management:
- resource_groups:
- management:
- name: management
- alerts:
- name: alerts
-
- diagnostic_log_analytics:
- # if you change this key you also need to change it in the ESLZ deployment
- # eslz/archetype_config_overrides.caf.platform.yaml
- # eslz/custom_landing_zones.caf.platform.yaml
- region1:
- name: logre1
- resource_group_key: management
-
- monitor_action_groups:
- networking_operations:
- resource_group_key: management
- action_group_name: Networking Operations
- shortname: netops
- arm_role_alert:
- contributors:
- name: Monitoring Contributor
- role_name: Monitoring Contributor
- use_common_alert_schema: false
- email_receiver:
- noc:
- name: email_alert_support1
- email_address:
- use_common_alert_schema: false
-
- service_health_alerts:
- enable_service_health_alerts: true
- name: alerts
- shortname: HealthAlerts
- resource_group_key: alerts
- action_group_name: actiongrp
- email_alert_settings:
- support1:
- name: email_alert_support1
- email_address:
- use_common_alert_schema: false
-
- automation_accounts:
- account1:
- name: automationAccount1
- resource_group_key: management
-
- recovery_vaults:
- asr:
- name: asr
- resource_group_key: management
- soft_delete_enabled: true
- backup_policies:
- vms:
- default:
- name: vm-default-policy
- # Default to UTC
- # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
- timezone: "SE Asia Standard Time"
- backup:
- frequency: Daily
- time: "23:00"
- retention_daily:
- count: 7
- retention_weekly:
- count: 2
- weekdays:
- - Sunday
- retention_monthly:
- count: 2
- weeks:
- - First
- weekdays:
- - Sunday
- retention_yearly:
- count: 1
- weeks:
- - First
- months:
- - January
- weekdays:
- - Sunday
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/subscriptions.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/subscriptions.yaml
deleted file mode 100644
index 66b633780..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/subscriptions.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-platform_subscriptions:
- management:
- alias: "management"
- name: "-management"
- # Do not set the subscription_id when using the automated subscripiton creation
- # In that case delete the following attribute.
- # When re-using an existing subscripiton, set the GUID of the subscripiton.
- subscription_id:
- identity:
- alias: "identity"
- name: "-identity"
- subscription_id:
- connectivity:
- alias: "connectivity"
- name: "-connectivity"
- subscription_id:
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/tfstates.yaml b/templates/enterprise-scale/contoso/platform/create_subscriptions/tfstates.yaml
deleted file mode 100644
index a85b401da..000000000
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/tfstates.yaml
+++ /dev/null
@@ -1,148 +0,0 @@ -tfstates: - platform: - ### Level0 ### - launchpad: - lz_key_name: launchpad - tfstate: caf_launchpad.tfstate - workspace: tfstate - base_config_path: launchpad - level: level0 - billing_subscription_role_delegations: - lz_key_name: billing_subscription_role_delegations - tfstate: billing_subscription_role_delegations.tfstate - base_config_path: billing_subscription_role_delegations - level: level0 - launchpad_credentials: - lz_key_name: launchpad_credentials_rotation - tfstate: launchpad_credentials_rotation.tfstate - base_config_path: credentials - level: level0 - - ### Level1 ### - management: - lz_key_name: management - tfstate: management.tfstate - base_config_path: management - level: level1 - identity: - lz_key_name: identity - tfstate: identity.tfstate - base_config_path: identity - level: level1 - eslz: - lz_key_name: eslz - tfstate: eslz.tfstate - base_config_path: eslz - level: level1 - platform_subscriptions: - lz_key_name: platform_subscriptions - tfstate: platform_subscriptions.tfstate - base_config_path: subscriptions - level: level1 - - ## Level2 ## - identity_level2: - prod: - lz_key_name: identity_level2 - tfstate: identity_level2.tfstate - level: level2 - non_prod: - lz_key_name: identity_level2 - tfstate: identity_level2.tfstate - level: level2 - - identity_level2_aadds: - prod: - lz_key_name: identity_level2_aadds - tfstate: identity_level2_aadds.tfstate - level: level2 - - virtual_wan: - lz_key_name: connectivity_virtual_wan - tfstate: connectivity_virtual_wan.tfstate - base_config_path: connectivity/virtual_wan - level: level2 - - virtual_hubs: - prod: - lz_key_name: connectivity_virtual_hub_prod - tfstate: connectivity_virtual_hub_prod.tfstate - workspace: tfstate - base_config_path: connectivity/virtual_hub - level: level2 - non_prod: - lz_key_name: connectivity_virtual_hub_non_prod - tfstate: connectivity_virtual_hub_non_prod.tfstate - workspace: tfstate - base_config_path: connectivity/virtual_hub - level: level2 - - 
vpn_sites: - prod: - lz_key_name: connectivity_vpn_sites_prod - tfstate: connectivity_vpn_sites_prod.tfstate - base_config_path: connectivity/vpn_sites - level: level2 - non_prod: - lz_key_name: connectivity_vpn_sites_non_prod - tfstate: connectivity_vpn_sites_non_prod.tfstate - base_config_path: connectivity/vpn_sites - level: level2 - - express_route_circuits: - prod: - lz_key_name: connectivity_express_route_prod - tfstate: connectivity_express_route_prod.tfstate - base_config_path: connectivity/express_route - level: level2 - non_prod: - lz_key_name: connectivity_express_route_non_prod - tfstate: connectivity_express_route_non_prod.tfstate - base_config_path: connectivity/express_route - level: level2 - - express_route_circuit_peerings: - prod: - lz_key_name: connectivity_express_route_peerings_prod - tfstate: connectivity_express_route_peerings_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_express_route_peerings_non_prod - tfstate: connectivity_express_route_peerings_non_prod.tfstate - level: level2 - - azurerm_firewalls: - prod: - lz_key_name: connectivity_firewalls_prod - tfstate: connectivity_firewalls_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_firewalls_non_prod - tfstate: connectivity_firewalls_non_prod.tfstate - level: level2 - - azurerm_firewall_policies: - prod: - lz_key_name: connectivity_firewall_policies_prod - tfstate: connectivity_firewall_policies_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_firewall_policies_non_prod - tfstate: connectivity_firewall_policies_non_prod.tfstate - level: level2 - - private_dns: - prod: - lz_key_name: connectivity_private_dns_prod - tfstate: connectivity_private_dns_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_private_dns_non_prod - tfstate: connectivity_private_dns_non_prod.tfstate - level: level2 - - - asvm: - lz_key_name: asvm - tfstate: asvm_subscription_vending_machine.tfstate - level: level2 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md deleted file mode 100644 index a2fb0beb8..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/README.md +++ /dev/null @@ -1,37 +0,0 @@ -# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform - - -:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup) - - -For further executions or command, you can refer to the following sections - -## Commands - -### Clone the landingzone project (Terraform base code) -```bash -git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/landingzones -cd /tf/caf/landingzones -git pull -git checkout aci_network - -``` - -### Rover ignite the platform -Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps. -Rover ignite creates the tfvars and also the documentation. - -```bash -rover login -t tenantname -s - -rover ignite \ - --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ - -e base_templates_folder=/tf/caf/landingzones/templates/platform \ - -e resource_template_folder=/tf/caf/landingzones/templates/resources \ - -e config_folder=/tf/caf/definitions/platform - -``` - -### Next step - -Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created. diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml deleted file mode 100644 index bdb1a5876..000000000 
--- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/asvm.yaml +++ /dev/null @@ -1,38 +0,0 @@ -gitops: - landingzones: aci_network - -subscriptions: - asvm: - resource_groups: - level3: - name: caf-level3 - tags: - level: level3 - level4: - name: caf-level4 - tags: - level: level4 - - storage_accounts: - level3: - name: l3 - resource_group_key: level3 - level4: - name: l4 - resource_group_key: level4 - - keyvaults: - level3: - name: l3 - resource_group_key: level3 - level4: - name: l4 - resource_group_key: level4 - - - # azuread_groups: - # caf_ac_landingzone_maintainers_non_prod: - # name: caf_ac_landingzone_maintainers_non_prod - - # caf_ac_landingzone_maintainers_prod: - # name: caf_ac_landingzone_maintainers_prod diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml deleted file mode 100644 index c01e14308..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/contoso.caf.platform.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -caf_terraform: - naming_convention: - # When set to false use the CAF provider to generate names aligned to CAF guidance - # true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace. - passthrough: false - inherit_tags: false - # set: define the prefix to add to all resource names - # unset: if passthrough is set to false, generate a random prefix - prefix: cont - # if passthrough is set to false, add random suffix to name, up to the random_lenght value. - random_length: 5 - launchpad: - caf_environment: - account_replication_type: GRS - regions: - region1: - # set the short form of the Azure region - name: southeastasia # Use the lower-case region's name, short version with no space - slug: sea - region2: - name: eastasia # Use the lower-case region's name, short version with no space - slug: ea - default_region_key: region1 - # Define the number of CAF levels to use. Recommeded is 3 for the platform. - number_of_levels: 3 - blob_versioning_enabled: true - container_delete_retention_policy: 7 - delete_retention_policy: 7 - # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. - subscription_id: - subscription_name: - tenant_id: - global_tags_propagated: yes - tags: - test: - date: - - billing_subscription_role_delegations: - # true: enable this deployment. The remaining attributes are required. - # false: disable this deployment. 
- # azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform - # azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running: - # az ad signed-in-user show --query objectId -o tsv - # The remaining attributes are ignored: [billing_account_name, enrollment_account_name] - enable: false - # Azure Active Directory User (UPN) that is Account Owner in the EA portal - # if enable=false, set the upn of the user doing the manual deployment - azuread_user_ea_account_owner: - # see comments above to get the object_id - azuread_user_ea_account_owner_object_id: - # Only set the following two attributes when enable=true - billing_account_name: - enrollment_account_name: - -# cleanup_destination - recommended to clean and recreated a clean state from template. -configuration_folders: - platform: - # true: force the destination folder to be deleted and re-created before the files are created. - # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. - cleanup_destination: true - # base destination folder where rover ignite will store the tfvars files. No / at the end - destination_base_path: /tf/caf - # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end - destination_relative_path: configuration/contoso/platform - - -platform_core_setup: - enterprise_scale: - enable: true - management_group_name: - management_group_prefix: - deploy_core_landing_zones: true - enable_azure_subscription_vending_machine: true - clean_up_destination_folder: false - update_lib_folder: true - # resuse_subscriptions - do not create subscriptions through API automation. 
Requires the following subscription_id_overrides to be set with 4 subscriptions - subscription_deployment_mode: reuse_subscriptions - # Option only set if you've be given a delegated management group ID. - # Comment to deploy to deploy at the tenant root level - root_parent_id: lab - private_lib: - version_to_deploy: v1.1.1 - v0.1.x: - caf_landingzone_branch: "2107.1" - v0.3.3: - caf_landingzone_branch: "patch.5.4.4" - v1.1.1: - caf_landingzone_branch: "aci_network" - subscription_id_overrides: - connectivity: - - - management: - - # launchpad - - - identity: - - - -platform_management: - enable: true - -networking_topology: - deployment_option: virtual_wan - -platform_identity: - # Set the Azure Active Directory tenant name (primary domain name) - # has to be the default domain name (custom dns name or tenantname.onmicrosoft.com) - # check the AAD property - tenant_name: terraformdev.onmicrosoft.com - # only service_principal supported with rover ignite at the moment - azuread_identity_mode: logged_in_user - # UPNs you want to add in the caf_platform_maintainers Azure AD group - # Can use user or guest accounts - # Those users will have full permissions on platform. - # Once setup, you can remove them from here or add them from - # Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts. - caf_platform_maintainers: - - - caf_platform_contributors: - - - -notifications: - service_health_alerts: - emails: - support1: - name: - email_address: - security_center_email_contact: - -gitops: - caf_landingzone_branch: "aci_network" - deployment_mode: interactive - rover_log_error: ERROR diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml deleted file mode 100644 index 529eb6662..000000000 
--- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewall_policies.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-gitops:
- landingzones: aci_network
-
-deployments:
- connectivity:
- non_prod:
- landingzone:
- key:
- platform:
- azurerm_firewall_policies: non_prod
- global_settings_key:
- platform:
- azurerm_firewalls: non_prod
- remote_tfstates:
- platform:
- azurerm_firewalls: non_prod
-
-subscriptions:
- connectivity:
- resource_groups:
- firewall_policies:
- name: connectivity-non-prod-firewall-policies
- region_key: region1
-
- azurerm_firewall_policies:
- root:
- name: "non-prod-root-policy"
- region_key: region1
- resource_group:
- key: firewall_policies
- dns:
- proxy_enabled: true
- threat_intelligence_mode: "Alert"
-
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml
deleted file mode 100644
index f2a165cdd..000000000
--- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_firewalls.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - non_prod: - landingzone: - key: - platform: - azurerm_firewalls: non_prod - global_settings_key: - platform: - virtual_hubs: non_prod - remote_tfstates: - platform: - virtual_hubs: non_prod - azurerm_firewall_policies: non_prod - - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-non-prod-firewall - region_key: region1 - - - virtual_networks: - vnet: - name: vnet-connectivity-non-prod-fw-plinks - resource_group_key: firewall_policies - region_key: region1 - address_space: - - 10.101.61.0/24 - specialsubnets: - AzureFirewallSubnet: - name: AzureFirewallSubnet - cidr: - - 10.101.61.0/26 - - public_ip_addresses: - fw_pip1: - name: pip-non-prod-fw-01 - resource_group_key: firewall_policies - sku: Standard - allocation_method: Static - ip_version: IPv4 - idle_timeout_in_minutes: 4 - - azurerm_firewalls: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - resource_group_key: firewall_policies - vnet_key: vnet - sku_tier: Standard - firewall_policy: - key: root - lz_key: connectivity_firewall_policies_non_prod - zones: - - 1 - - 2 - - 3 - public_ips: - ip1: - name: pip1 - public_ip_key: fw_pip1 - vnet_key: vnet - subnet_key: AzureFirewallSubnet - - - virtual_hub_connections: - vnet_to_hub: - name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod - virtual_hub: - lz_key: connectivity_virtual_hub_non_prod - key: non_prod - vnet: - vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml deleted file mode 100644 index d1d3b4f22..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_private_dns.yaml +++ /dev/null 
@@ -1,189 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - non_prod: - landingzone: - key: - platform: - private_dns: non_prod - global_settings_key: - platform: - virtual_hubs: non_prod - remote_tfstates: - platform: - virtual_hubs: non_prod - - -subscriptions: - connectivity: - resource_groups: - dns_connectivity_non_prod: - name: dns-connectivity-non-prod - private_dns: - privatelink.adf.azure.com: - name: privatelink.adf.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.datafactory.azure.net: - name: privatelink.datafactory.azure.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.blob.core.windows.net: - name: privatelink.blob.core.windows.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.file.core.windows.net: - name: privatelink.file.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.notebooks.azure.net: - name: privatelink.notebooks.azure.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.dfs.core.windows.net: - name: privatelink.dfs.core.windows.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.vaultcore.azure.net: - name: privatelink.vaultcore.azure.net - 
resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.southeastasia.azmk8s.io: - name: privatelink.southeastasia.azmk8s.io - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.azurecr.io: - name: privatelink.azurecr.io - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.southeastasia.backup.windowsazure.com: - name: privatelink.southeastasia.backup.windowsazure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.siterecovery.windowsazure.com: - name: privatelink.siterecovery.windowsazure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.servicebus.windows.net: - name: privatelink.servicebus.windows.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.api.azureml.ms: - name: privatelink.api.azureml.ms - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.monitor.azure.com: - name: privatelink.monitor.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - 
privatelink.oms.opinsights.non_prod.com: - name: privatelink.oms.opinsights.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.ods.opinsights.azure.com: - name: privatelink.ods.opinsights.azure.com - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - privatelink.agentsvc.azure-automation.net: - name: privatelink.agentsvc.azure-automation.net - resource_group_key: dns_connectivity_non_prod - vnet_links: - fw_non_prod_plinks_01: - name: fw-non-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_non_prod - - custom_role_definitions: - landgingzone_extended: - name: landingzone-networking-non-prod-private-dns-extended - useprefix: true - description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." - permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write - - # role_mapping: - # custom_role_mapping: - # resource_groups: - # dns_connectivity_prod: - # landgingzone_extended: - # azuread_groups: - # lz_key: identity_level2 - # keys: - # - caf_non_prod_landingzones_dns_contributors - # built_in_role_mapping: - # resource_groups: - # dns_connectivity_non_prod: - # Private DNS Zone Contributor: - # azuread_groups: - # lz_key: identity_level2 - # keys: - # - caf_non_prod_landingzones_dns_contributors 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml deleted file mode 100644 index 2159b3fca..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/non_prod/connectivity_virtual_hubs.yaml +++ /dev/null @@ -1,54 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - non_prod: - landingzone: - key: - platform: - virtual_hubs: non_prod - global_settings_key: - platform: - virtual_wans: prod - remote_tfstates: - platform: - virtual_wans: prod - - custom_variables: - virtual_hub_lz_key: connectivity_virtual_hub_non_prod - # ddos_protection_plan_id: - -subscriptions: - connectivity: - virtual_hubs: - non_prod: - name: non_production - virtual_wan: - lz_key: virtual_wan - key: global_wan - region_key: region1 - hub_address_prefix: 10.201.51.0/24 - deploy_s2s: false - s2s_config: - name: non_prod - scale_unit: 1 - deploy_er: false - er_config: - name: non_prod - scale_units: 1 - - - express_route_connections: - non_prod: - enable_er_connections: true - name: er-1-non_prod - virtual_hub: - key: non_prod - circuit_peering: - tfstate_key: non_prod - key: private_peering - express_route_circuit_authorization: - tfstate_key: non_prod - key: vhub-non_prod - diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml deleted file mode 100644 index aba52746b..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewall_policies.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - azurerm_firewall_policies: prod - global_settings_key: - platform: - azurerm_firewalls: prod - remote_tfstates: - platform: - azurerm_firewalls: prod - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-prod-firewall-policies - region_key: region1 - - azurerm_firewall_policies: - root: - name: "prod-root-policy" - region_key: region1 - resource_group: - key: firewall_policies - dns: - proxy_enabled: true - threat_intelligence_mode: "Alert" diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml deleted file mode 100644 index 601b2972a..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_firewalls.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - azurerm_firewalls: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - virtual_hubs: prod - azurerm_firewall_policies: prod - - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-prod-firewall - region_key: region1 - - - virtual_networks: - vnet: - name: vnet-connectivity-prod-fw-plinks - resource_group_key: firewall_policies - region_key: region1 - address_space: - - 10.101.61.0/24 - specialsubnets: - AzureFirewallSubnet: - name: AzureFirewallSubnet - cidr: - - 10.101.61.0/26 - - public_ip_addresses: - fw_pip1: - name: pip-prod-fw-01 - resource_group_key: firewall_policies - sku: Standard - allocation_method: Static - ip_version: IPv4 - idle_timeout_in_minutes: 4 - - azurerm_firewalls: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - resource_group_key: firewall_policies - vnet_key: vnet - sku_tier: Standard - firewall_policy: - key: root - lz_key: connectivity_firewall_policies_prod - zones: - - 1 - - 2 - - 3 - public_ips: - ip1: - name: pip1 - public_ip_key: fw_pip1 - vnet_key: vnet - subnet_key: AzureFirewallSubnet - - - virtual_hub_connections: - vnet_to_hub: - name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml deleted file mode 100644 index c58281dd4..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_private_dns.yaml +++ /dev/null 
@@ -1,191 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - private_dns: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - virtual_hubs: prod - -subscriptions: - connectivity: - - # role_mapping: - # custom_role_mapping: - # resource_groups: - # dns_connectivity_prod: - # landgingzone_extended: - # azuread_groups: - # lz_key: identity_level2 - # keys: - # - caf_prod_landingzones_dns_contributors - # built_in_role_mapping: - # resource_groups: - # dns_connectivity_prod: - # Private DNS Zone Contributor: - # azuread_groups: - # lz_key: identity_level2 - # keys: - # - caf_prod_landingzones_dns_contributors - - resource_groups: - dns_connectivity_prod: - name: dns-connectivity-prod - private_dns: - privatelink.adf.azure.com: - name: privatelink.adf.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.datafactory.azure.net: - name: privatelink.datafactory.azure.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.blob.core.windows.net: - name: privatelink.blob.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.file.core.windows.net: - name: privatelink.file.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.notebooks.azure.net: - name: privatelink.notebooks.azure.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - 
privatelink.dfs.core.windows.net: - name: privatelink.dfs.core.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.vaultcore.azure.net: - name: privatelink.vaultcore.azure.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.southeastasia.azmk8s.io: - name: privatelink.southeastasia.azmk8s.io - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.azurecr.io: - name: privatelink.azurecr.io - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.southeastasia.backup.windowsazure.com: - name: privatelink.southeastasia.backup.windowsazure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.siterecovery.windowsazure.com: - name: privatelink.siterecovery.windowsazure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.servicebus.windows.net: - name: privatelink.servicebus.windows.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.api.azureml.ms: - name: privatelink.api.azureml.ms - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.monitor.azure.com: - name: privatelink.monitor.azure.com - 
resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.oms.opinsights.azure.com: - name: privatelink.oms.opinsights.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.ods.opinsights.azure.com: - name: privatelink.ods.opinsights.azure.com - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - privatelink.agentsvc.azure-automation.net: - name: privatelink.agentsvc.azure-automation.net - resource_group_key: dns_connectivity_prod - vnet_links: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - vnet_key: vnet - lz_key: connectivity_firewalls_prod - - custom_role_definitions: - landgingzone_extended: - name: landingzone-networking-private-dns-extended - useprefix: true - description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." - permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read - - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write - - diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml deleted file mode 100644 index 61c6aa203..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_hubs.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - virtual_hubs: prod - global_settings_key: - platform: - virtual_wans: prod - remote_tfstates: - platform: - virtual_wans: prod - - custom_variables: - virtual_hub_lz_key: connectivity_virtual_hub_prod - # ddos_protection_plan_id: - -subscriptions: - connectivity: - virtual_hubs: - prod: - name: Production - virtual_wan: - lz_key: virtual_wan - key: global_wan - region_key: region1 - hub_address_prefix: 10.101.51.0/24 - deploy_s2s: false - s2s_config: - name: prod - scale_unit: 1 - deploy_er: false - er_config: - name: prod - scale_units: 1 - - express_route_connections: - prod: - enable_er_connections: false - name: erc-er-1-prod - virtual_hub: - key: prod - circuit_peering: - tfstate_key: prod - key: private_peering - express_route_circuit_authorization: - tfstate_key: prod - key: vhub-prod - diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml deleted file mode 100644 index 3d51a61ab..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/connectivity_virtual_wan.yaml +++ /dev/null @@ -1,29 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - connectivity: - prod: - landingzone: - key: - platform: - virtual_wans: prod - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - -subscriptions: - connectivity: - virtual_wans: - global_wan: - name: vwan - resource_group_key: global_wan - region_key: region1 - - resource_groups: - global_wan: - name: connectivity-global-wan - region_key: region1 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml deleted file mode 100644 index f9177405d..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/deployments/prod/identity_level2.yaml +++ /dev/null @@ -1,13 +0,0 @@ -gitops: - landingzones: aci_network - -deployments: - identity: - -subscriptions: - identity: - azuread_groups: - caf_non_prod_landingzones_dns_contributors: - name: caf ac non_prod landingzones dns contributors - caf_prod_landingzones_dns_contributors: - name: caf ac prod landingzones dns contributors \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md deleted file mode 100644 index def2a5a6d..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/README.md +++ /dev/null @@ -1,10 +0,0 @@ - -# Public documentation of the custom landingzones - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes - -# List of the default policy assignments - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json deleted file mode 100644 index 789acde60..000000000 
--- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "aks-capability", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)", - "displayName": "Kubernetes cluster containers should only use allowed capabilities.", - "notScopes": [], - "parameters": {}, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", - "scope": "${current_scope_resource_id}", - "enforcementMode": true - }, - "location": "${default_location}", - "identity": { - "type": "None" - } -} \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json deleted file mode 100644 index bce0689ad..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json +++ /dev/null 
@@ -1,18 +0,0 @@ -{ - "name": "Allowed-Locations", - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "properties": { - "description": "Specifies the allowed locations (regions) where Resources can be deployed.", - "displayName": "Limit allowed locations for Resources", - "notScopes": [], - "parameters": {}, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "scope": "${current_scope_resource_id}", - "enforcementMode": null - }, - "location": "${default_location}", - "identity": { - "type": "None" - } -} \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md deleted file mode 100644 index e47f922fd..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_definitions/README.md +++ /dev/null @@ -1,10 +0,0 @@ - -# Public documentation of the custom landingzones - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes - -# List of the default policy definitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md deleted file mode 100644 index c09d2c016..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/policy_set_definitions/README.md +++ /dev/null 
@@ -1,10 +0,0 @@ - -# Public documentation of the custom landingzones - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes - -# List of the default policy set definitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md deleted file mode 100644 index f3f823e56..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/readme.md +++ /dev/null @@ -1,2 +0,0 @@ -# Custom ESLZ library -In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance. \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md deleted file mode 100644 index 2230928aa..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/README.md +++ /dev/null @@ -1,11 +0,0 @@ - -# Public documentation of the custom landingzones - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes - - -# List of the default role defitions - -https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json deleted file mode 100644 index 19523d87b..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "name": "48ec94a9-9a14-488d-928d-5e73f96b335c", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2018-01-01-preview", - "properties": { - "roleName": "CAF-network-vhub-peering", - "description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.", - "type": "customRole", - "permissions": [ - { - "actions": [ - "Microsoft.Network/ddosProtectionPlans/join/action", - "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*", - "Microsoft.Network/virtualHubs/read", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [ - ], - "dataActions": [], - "notDataActions": [] - } - ], - "assignableScopes": [ - "${current_scope_resource_id}" - ] - } -} \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml deleted file mode 100644 index 6285e6da3..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/identity.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -subscriptions: - identity: - resource_groups: - management: - name: management - alerts: - name: alerts - - service_health_alerts: - enable_service_health_alerts: true - name: alerts - shortname: HealthAlerts - resource_group_key: alerts - action_group_name: actiongrp - email_alert_settings: - support1: - name: email_alert_support1 - email_address: lalesle@microsoft.com - use_common_alert_schema: false - - recovery_vaults: - asr: - name: asr - resource_group_key: management - soft_delete_enabled: true - backup_policies: - vms: - default: - name: vm-default-policy - # Default to UTC - # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - retention_weekly: - count: 2 - weekdays: - - Sunday - retention_monthly: - count: 2 - weeks: - - First - weekdays: - - Sunday - retention_yearly: - count: 1 - weeks: - - First - months: - - January - weekdays: - - Sunday - - -# Bring here you existing active directory security groups. -# Those are the groups you will inject to RBAC in the Enterprise Scale deployment. -# Note Terraform will create a new Azure AD group and add the existing as a member -# -# level1: -# azuread_groups: -# network_ops_team: -# name: netops -# members: -# # Set the list of the existing groups -# objects_ids: -# - existing_azure_ad_group_object_id diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml deleted file mode 100644 index 2dcd971f2..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -subscriptions: - launchpad: - resource_groups: - level0: - name: caf-level0 - tags: - level: level0 - level1: - name: caf-level1 - tags: - level: level1 - level2: - name: caf-level2 - tags: - level: level2 - - storage_accounts: - level0: - name: l0 - resource_group_key: level0 - level1: - name: l1 - resource_group_key: level1 - level2: - name: l2 - resource_group_key: level2 - - keyvaults: - level0: - name: l0 - sku_name: premium - resource_group_key: level0 - level1: - name: l1 - sku_name: premium - resource_group_key: level1 - level2: - name: l2 - sku_name: premium - resource_group_key: level2 diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml deleted file mode 100644 index 7d843436b..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/launchpad_credentials.yaml +++ /dev/null 
@@ -1,415 +0,0 @@ -subscriptions: - launchpad_credentials: - resource_groups: - sp_credentials: - name: credentials - - keyvaults: - cred_ea_account_owner: - name: eaowner - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - cred_level0: - name: idl0 - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - level0: - lz_key: launchpad - azuread_group_key: level0 - secret_permissions: - - Get - cred_identity: - name: id - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - cred_management: - name: mg - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - 
List - - Delete - - Purge - - Recover - management_azuread_group: - lz_key: launchpad - azuread_group_key: management - secret_permissions: - - Get - cred_eslz: - name: es - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - eslz_azuread_group: - lz_key: launchpad - azuread_group_key: eslz - secret_permissions: - - Get - cred_connectivity: - name: co - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - connectivity_azuread_group: - lz_key: launchpad - azuread_group_key: connectivity - secret_permissions: - - Get - cred_subscription_creation_platform: - name: scp - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - subscription_creation_platform_azuread_group: - lz_key: launchpad - azuread_group_key: subscription_creation_platform - secret_permissions: - - Get - cred_subscription_creation_landingzones: - name: scl - resource_group_key: sp_credentials - 
purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - subscription_creation_platform_azuread_group: - lz_key: launchpad - azuread_group_key: subscription_creation_landingzones - secret_permissions: - - Get - cred_gitops: - name: gitops - resource_group_key: sp_credentials - purge_protection_enabled: false - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - cred_ea_account_owner: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_level0: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_identity: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_management: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_eslz: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_connectivity: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_subscription_creation_platform: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_subscription_creation_landingzones: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_gitops: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - - - azuread_applications: - gitops: - 
application_name: app-azure-platform-credentials-for-gitops - - azuread_service_principals: - gitops: - azuread_application: - key: gitops - - azuread_credentials: - gitops: - type: password - azuread_credential_policy_key: gitops - azuread_application: - key: gitops - keyvaults: - cred_gitops: - secret_prefix: sp - level0: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: level0 - keyvaults: - cred_level0: - secret_prefix: sp - identity: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: identity - keyvaults: - cred_identity: - secret_prefix: sp - management: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: management - keyvaults: - cred_management: - secret_prefix: sp - eslz: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: eslz - keyvaults: - cred_eslz: - secret_prefix: sp - connectivity: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: connectivity - keyvaults: - cred_connectivity: - secret_prefix: sp - subscription_creation_platform: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: subscription_creation_platform - keyvaults: - cred_subscription_creation_platform: - secret_prefix: sp - subscription_creation_landingzones: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: subscription_creation_landingzones - keyvaults: - cred_subscription_creation_landingzones: - secret_prefix: sp - - azuread_credential_policies: - gitops: - length: 250 - special: false - upper: true - number: true - expire_in_days: 360 - rotation_key0: - days: 181 - rotation_key1: - days: 300 - default_policy: - length: 250 - special: false - 
upper: true - number: true - expire_in_days: 65 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml deleted file mode 100644 index 1ff5c8e52..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/management.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -subscriptions: - management: - resource_groups: - management: - name: management - alerts: - name: alerts - - diagnostic_log_analytics: - # if you change this key you also need to change it in the ESLZ deployment - # eslz/archetype_config_overrides.caf.platform.yaml - # eslz/custom_landing_zones.caf.platform.yaml - region1: - name: logre1 - resource_group_key: management - - monitor_action_groups: - networking_operations: - action_group_name: Networking Operations - resource_group_key: alerts - shortname: netops - arm_role_alert: - contributors: - name: Monitoring Contributor - role_name: Monitoring Contributor - use_common_alert_schema: false - email_receiver: - noc: - name: email_alert_support1 - email_address: arnaul@microsoft.com - use_common_alert_schema: false - - service_health_alerts: - enable_service_health_alerts: true - name: alerts - shortname: HealthAlerts - resource_group_key: alerts - action_group_name: actiongrp - email_alert_settings: - support1: - name: email_alert_support1 - email_address: arnaul@microsoft.com - use_common_alert_schema: false - - automation_accounts: - account1: - name: automationAccount1 - resource_group_key: management - - recovery_vaults: - asr: - name: asr - resource_group_key: management - soft_delete_enabled: true - backup_policies: - vms: - default: - name: vm-default-policy - # Default to UTC - # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - retention_weekly: - count: 2 - weekdays: - - Sunday - retention_monthly: - count: 2 - weeks: - - First - weekdays: - - Sunday - retention_yearly: - count: 1 - weeks: - - First - months: - - January - weekdays: - - Sunday 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml b/templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml deleted file mode 100644 index a9ecd6e97..000000000 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/tfstates.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -tfstates: - platform: - ### Level0 ### - launchpad: - lz_key_name: launchpad - tfstate: caf_launchpad.tfstate - workspace: tfstate - base_config_path: launchpad - level: level0 - launchpad_credentials: - lz_key_name: launchpad_credentials_rotation - tfstate: launchpad_credentials_rotation.tfstate - base_config_path: credentials - level: level0 - - ### Level1 ### - management: - lz_key_name: management - tfstate: management.tfstate - base_config_path: management - level: level1 - identity: - lz_key_name: identity - tfstate: identity.tfstate - base_config_path: identity - level: level1 - eslz: - lz_key_name: eslz - tfstate: eslz.tfstate - base_config_path: eslz - level: level1 - - ## Level2 ## - identity_level2: - prod: - lz_key_name: identity_level2 - tfstate: identity_level2.tfstate - level: level2 - non_prod: - lz_key_name: identity_level2 - tfstate: identity_level2.tfstate - level: level2 - - identity_level2_aadds: - prod: - lz_key_name: identity_level2_aadds - tfstate: identity_level2_aadds.tfstate - level: level2 - - virtual_wans: - prod: - lz_key_name: connectivity_virtual_wan - tfstate: connectivity_virtual_wan.tfstate - base_config_path: connectivity/virtual_wan - level: level2 - - virtual_hubs: - prod: - lz_key_name: connectivity_virtual_hub_prod - tfstate: connectivity_virtual_hub_prod.tfstate - workspace: tfstate - base_config_path: connectivity/virtual_hub - level: level2 - non_prod: - lz_key_name: connectivity_virtual_hub_non_prod - tfstate: connectivity_virtual_hub_non_prod.tfstate - workspace: tfstate - base_config_path: connectivity/virtual_hub - level: level2 - - azurerm_firewalls: - prod: - lz_key_name: connectivity_firewalls_prod - tfstate: connectivity_firewalls_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_firewalls_non_prod - tfstate: connectivity_firewalls_non_prod.tfstate - level: level2 - - azurerm_firewall_policies: - prod: - lz_key_name: connectivity_firewall_policies_prod - tfstate: 
connectivity_firewall_policies_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_firewall_policies_non_prod - tfstate: connectivity_firewall_policies_non_prod.tfstate - level: level2 - - private_dns: - prod: - lz_key_name: connectivity_private_dns_prod - tfstate: connectivity_private_dns_prod.tfstate - level: level2 - non_prod: - lz_key_name: connectivity_private_dns_non_prod - tfstate: connectivity_private_dns_non_prod.tfstate - level: level2 - - - asvm: - lz_key_name: asvm - tfstate: asvm_subscription_vending_machine.tfstate - level: level2 diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/README.md deleted file mode 100644 index 872e24b3d..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/README.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform - - -:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup) - - -For further executions or command, you can refer to the following sections - -## Commands - -### Clone the landingzone project (Terraform base code) -```bash -# Git Urls or from a fork -# https://github.com/Azure/caf-terraform-landingzones.git -git clone /tf/caf/landingzones -cd /tf/caf/landingzones -git pull -git checkout aci_network - -``` - -### Rover ignite the platform -Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps. -Rover ignite creates the tfvars and also the documentation. - -```bash -rover login -t -s - -rover ignite \ - --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ - -e base_templates_folder=/tf/caf/landingzones/templates/platform \ - -e resource_template_folder=/tf/caf/landingzones/templates/resources \ - -e config_folder=/tf/caf/definitions/single_subscription \ - -e landingzones_folder=/tf/caf/landingzones - -``` - -### Next step - -Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created. diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml deleted file mode 100644 index f7666fbaa..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/bootstrap.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# -# Set the workflow to bootstrap the Azure platform landing zones -# -deployments: - 0: - 0: - launchpad: - 1: - launchpad_credentials: - # 2: - # subscriptions: - 3: - identity: - 4: - management: - 5: - eslz: - diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml deleted file mode 100644 index b32dda92f..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/credentials.yaml +++ /dev/null 
@@ -1,460 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level0/credentials - -deployments: - landingzone: - tfstate: - platform: - launchpad_credentials: - global_settings_key: - platform: - launchpad: - remote_tfstates: - platform: - launchpad: - - -subscriptions: - launchpad_credentials: - resource_groups: - sp_credentials: - name: credentials - - keyvaults: - cred_ea_account_owner: - name: eaowner - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_ea_account_owner - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - cred_level0: - name: idl0 - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_level0 - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - level0: - lz_key: launchpad - azuread_group_key: level0 - secret_permissions: - - Get - cred_identity: - name: id - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_identity - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - 
- Set - - Get - - List - - Delete - - Purge - - Recover - cred_management: - name: mg - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_management - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - management_azuread_group: - lz_key: launchpad - azuread_group_key: management - secret_permissions: - - Get - cred_eslz: - name: es - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_eslz - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - eslz_azuread_group: - lz_key: launchpad - azuread_group_key: eslz - secret_permissions: - - Get - cred_connectivity: - name: co - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_connectivity - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - connectivity_azuread_group: - lz_key: launchpad - azuread_group_key: connectivity - secret_permissions: - - Get - cred_subscription_creation_platform: - name: scp - resource_group_key: 
sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_subscription_creation_platform - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - subscription_creation_platform_azuread_group: - lz_key: launchpad - azuread_group_key: subscription_creation_platform - secret_permissions: - - Get - cred_subscription_creation_landingzones: - name: scl - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_subscription_creation_landingzones - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - subscription_creation_platform_azuread_group: - lz_key: launchpad - azuread_group_key: subscription_creation_landingzones - secret_permissions: - - Get - cred_gitops: - name: gitops - resource_group_key: sp_credentials - purge_protection_enabled: false - tags: - caf_environment: - caf_identity_aad_key: cred_gitops - creation_policies: - caf_platform_maintainers: - lz_key: launchpad - azuread_group_key: caf_platform_maintainers - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity_azuread_group: - lz_key: launchpad - azuread_group_key: identity - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - cred_ea_account_owner: - gitops: - azuread_service_principal_key: gitops - 
secret_permissions: - - Get - cred_level0: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_identity: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_management: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_eslz: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_connectivity: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_subscription_creation_platform: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_subscription_creation_landingzones: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - cred_gitops: - gitops: - azuread_service_principal_key: gitops - secret_permissions: - - Get - - - azuread_applications: - gitops: - application_name: app-azure-platform-credentials-for-gitops - - azuread_service_principals: - gitops: - azuread_application: - key: gitops - - azuread_credentials: - gitops: - type: password - azuread_credential_policy_key: gitops - azuread_application: - key: gitops - keyvaults: - cred_gitops: - secret_prefix: sp - level0: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: level0 - keyvaults: - cred_level0: - secret_prefix: sp - identity: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: identity - keyvaults: - cred_identity: - secret_prefix: sp - management: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: management - keyvaults: - cred_management: - secret_prefix: sp - eslz: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: eslz - keyvaults: - cred_eslz: - secret_prefix: sp - connectivity: - type: password - 
azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: connectivity - keyvaults: - cred_connectivity: - secret_prefix: sp - subscription_creation_platform: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: subscription_creation_platform - keyvaults: - cred_subscription_creation_platform: - secret_prefix: sp - subscription_creation_landingzones: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - lz_key: launchpad - key: subscription_creation_landingzones - keyvaults: - cred_subscription_creation_landingzones: - secret_prefix: sp - - azuread_credential_policies: - gitops: - length: 250 - special: false - upper: true - number: true - expire_in_days: 360 - rotation_key0: - days: 181 - rotation_key1: - days: 300 - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 65 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml deleted file mode 100644 index ae3eae00c..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/asvm.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level2/asvm - -deployments: - landingzone: - tfstate: - platform: - asvm: - global_settings_key: - platform: - management: - remote_tfstates: - platform: - management: - -subscriptions: - launchpad: - resource_groups: - level3: - name: caf-level3 - tags: - level: level3 - level4: - name: caf-level4 - tags: - level: level4 - - storage_accounts: - level3: - name: l3 - resource_group_key: level3 - account_kind: BlobStorage - account_tier: Standard - shared_access_key_enabled: false - account_replication_type: GRS - blob_properties: - versioning_enabled: true - last_access_time_enabled: true - container_delete_retention_policy: - days: 7 - delete_retention_policy: - days: 7 - containers: - tfstate: - name: tfstate - tags: - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. - # Only adjust the environment value at creation time - caf_environment: - caf_launchpad: launchpad - caf_tfstate: level3 - level4: - name: l4 - resource_group_key: level4 - account_kind: BlobStorage - account_tier: Standard - shared_access_key_enabled: false - account_replication_type: GRS - blob_properties: - versioning_enabled: true - last_access_time_enabled: true - container_delete_retention_policy: - days: 7 - delete_retention_policy: - days: 7 - tags: - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. - # Only adjust the environment value at creation time - caf_environment: - caf_launchpad: launchpad - caf_tfstate: level4 - - keyvaults: - level3: - name: l3 - resource_group_key: level3 - level4: - name: l4 - resource_group_key: level4 - - - azuread_groups: - caf_ac_landingzone_maintainers_non_prod: - name: caf_ac_landingzone_maintainers_non_prod - - caf_ac_landingzone_maintainers_prod: - name: caf_ac_landingzone_maintainers_prod 
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml deleted file mode 100644 index ce09fa332..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewall_policies.yaml +++ /dev/null @@ -1,34 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level2/connectivity/azurerm_firewall_policies/prod - -deployments: - landingzone: - tfstate: - platform: - azurerm_firewall_policies: prod - global_settings_key: - platform: - virtual_wans: prod - remote_tfstates: - platform: - virtual_wans: prod - - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-prod-firewall-policies - region_key: region1 - - azurerm_firewall_policies: - root: - name: "prod-root-policy" - region_key: region1 - resource_group: - key: firewall_policies - dns: - proxy_enabled: true - threat_intelligence_mode: "Alert" diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml deleted file mode 100644 index 680c57f8d..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_firewalls.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level2//connectivity/azurerm_firewalls/prod - -deployments: - landingzone: - tfstate: - platform: - azurerm_firewalls: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - virtual_hubs: prod - azurerm_firewall_policies: prod - - -subscriptions: - connectivity: - resource_groups: - firewall_policies: - name: connectivity-prod-firewall - region_key: region1 - - - virtual_networks: - vnet: - name: vnet-connectivity-prod-fw-plinks - resource_group_key: firewall_policies - region_key: region1 - address_space: - - 10.101.61.0/24 - specialsubnets: - AzureFirewallSubnet: - name: AzureFirewallSubnet - cidr: - - 10.101.61.0/26 - - public_ip_addresses: - fw_pip1: - name: pip-prod-fw-01 - resource_group_key: firewall_policies - sku: Standard - allocation_method: Static - ip_version: IPv4 - idle_timeout_in_minutes: 4 - - azurerm_firewalls: - fw_prod_plinks_01: - name: fw-prod-plinks-01 - resource_group_key: firewall_policies - vnet_key: vnet - sku_tier: Standard - firewall_policy: - key: root - lz_key: connectivity_firewall_policies_prod - zones: - - 1 - - 2 - - 3 - public_ips: - ip1: - name: pip1 - public_ip_key: fw_pip1 - vnet_key: vnet - subnet_key: AzureFirewallSubnet - - - virtual_hub_connections: - vnet_to_hub: - name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml deleted file mode 100644 index 732513477..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_private_dns.yaml +++ /dev/null 
@@ -1,192 +0,0 @@
-gitops:
- caf_landingzone_branch: aci_network
-
-relative_destination_folder: level2/connectivity/private_dns/prod
-
-deployments:
- landingzone:
- tfstate:
- platform:
- private_dns: prod
- global_settings_key:
- platform:
- azurerm_firewalls: prod
- remote_tfstates:
- platform:
- azurerm_firewalls: prod
- identity_level2: prod
-
-subscriptions:
- connectivity:
-
- role_mapping:
- custom_role_mapping:
- resource_groups:
- dns_connectivity_prod:
- landgingzone_extended:
- azuread_groups:
- lz_key: identity_level2
- keys:
- - caf_prod_landingzones_dns_contributors
- built_in_role_mapping:
- resource_groups:
- dns_connectivity_prod:
- Private DNS Zone Contributor:
- azuread_groups:
- lz_key: identity_level2
- keys:
- - caf_prod_landingzones_dns_contributors
-
- resource_groups:
- dns_connectivity_prod:
- name: dns-connectivity-prod
- private_dns:
- privatelink.adf.azure.com:
- name: privatelink.adf.azure.com
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.datafactory.azure.net:
- name: privatelink.datafactory.azure.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.blob.core.windows.net:
- name: privatelink.blob.core.windows.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.file.core.windows.net:
- name: privatelink.file.core.windows.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.notebooks.azure.net:
- name: privatelink.notebooks.azure.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.dfs.core.windows.net:
- name: privatelink.dfs.core.windows.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.vaultcore.azure.net:
- name: privatelink.vaultcore.azure.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.southeastasia.azmk8s.io:
- name: privatelink.southeastasia.azmk8s.io
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.azurecr.io:
- name: privatelink.azurecr.io
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.southeastasia.backup.windowsazure.com:
- name: privatelink.southeastasia.backup.windowsazure.com
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.siterecovery.windowsazure.com:
- name: privatelink.siterecovery.windowsazure.com
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.servicebus.windows.net:
- name: privatelink.servicebus.windows.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.api.azureml.ms:
- name: privatelink.api.azureml.ms
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.monitor.azure.com:
- name: privatelink.monitor.azure.com
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.oms.opinsights.azure.com:
- name: privatelink.oms.opinsights.azure.com
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.ods.opinsights.azure.com:
- name: privatelink.ods.opinsights.azure.com
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
- privatelink.agentsvc.azure-automation.net:
- name: privatelink.agentsvc.azure-automation.net
- resource_group_key: dns_connectivity_prod
- vnet_links:
- fw_prod_plinks_01:
- name: fw-prod-plinks-01
- vnet_key: vnet
- lz_key: connectivity_firewalls_prod
-
- custom_role_definitions:
- landgingzone_extended:
- name: landingzone-networking-private-dns-extended
- useprefix: true
- description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
- permissions:
- actions:
- - Microsoft.Network/privateDnsZones/join/action
- - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
-
-
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml
deleted file mode 100644
index 43d9836f2..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_hubs.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-gitops:
- caf_landingzone_branch: aci_network
-
-relative_destination_folder: level2/connectivity/virtual_hubs/prod
-
-deployments:
- landingzone:
- tfstate:
- platform:
- virtual_hubs: prod
- global_settings_key:
- platform:
- virtual_wans: prod
- remote_tfstates:
- platform:
- virtual_wans: prod
- custom_variables:
- virtual_hub_lz_key: connectivity_virtual_hub_prod
- # ddos_protection_plan_id:
-
-subscriptions:
- connectivity:
- virtual_hubs:
- prod:
- name: Production
- virtual_wan:
- lz_key: connectivity_virtual_wan
- key: global_wan
- region_key: region1
- hub_address_prefix: 10.101.51.0/24
- deploy_s2s: false
- s2s_config:
- name: prod
- scale_unit: 1
- deploy_er: false
- er_config:
- name: prod
- scale_units: 1
-
- express_route_connections:
- prod:
- enable_er_connections: false
- name: er-1-prod
- virtual_hub:
- key: prod
- circuit_peering:
- tfstate_key: prod
- key: private_peering
- express_route_circuit_authorization:
- tfstate_key: prod
- key: vhub-prod
-
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml
deleted file mode 100644
index e5fd0d618..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/connectivity_virtual_wan.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-gitops:
- caf_landingzone_branch: aci_network
-
-relative_destination_folder: level2/connectivity/virtual_wans
-
-deployments:
- landingzone:
- tfstate:
- platform:
- virtual_wans: prod
- global_settings_key:
- platform:
- management:
- remote_tfstates:
- platform:
- management:
-
-subscriptions:
- connectivity:
- virtual_wans:
- global_wan:
- name: vwan
- resource_group_key: global_wan
- region_key: region1
-
- resource_groups:
- global_wan:
- name: connectivity-global-wan
- region_key: region1
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml
deleted file mode 100644
index 9ce1cf573..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/deployments/prod/identity_level2.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-gitops:
- caf_landingzone_branch: aci_network
-
-relative_destination_folder: level2/identity/prod
-
-deployments:
- landingzone:
- tfstate:
- platform:
- identity_level2: prod
- global_settings_key:
- platform:
- identity:
- remote_tfstates:
- platform:
- identity:
-
-subscriptions:
- identity:
- azuread_groups:
- caf_prod_landingzones_dns_contributors:
- name: caf ac prod landingzones dns contributors
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml
deleted file mode 100644
index 42ba8f62a..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/archetype_config_overrides.caf.platform.yaml
+++ /dev/null
@@ -1,328 +0,0 @@ -archetype_definitions: - root: - archetype_id: root - policy_assignments: - Allowed-Locations: - listOfAllowedLocations: - - southeastasia # Use the lower-case region's name, short version with no space - - eastasia - Deny-RSG-Locations: - listOfAllowedLocations: - - southeastasia - - eastasia - # Set to Audit as Terraform cannot combine both in one operation yet. - Deny-Subnet-Without-Nsg: - effect: Audit - # Set to Audit as Terraform cannot combine both in one operation yet. - Deny-Subnet-Without-Udr: - effect: Audit - # Deploy-Nsg-FlowLogs: - # retention: 10 - # storageAccountResourceId: - # trafficAnalyticsInterval: 10 - # flowAnalyticsEnabled: true - # logAnalytics: - # lz_key: management - # output_key: diagnostics - # resource_type: log_analytics - # resource_key: region1 - # attribute_key: id - # More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 - # Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled... 
- Deploy-ASC-Monitoring: - aadAuthenticationInSqlServerMonitoringEffect: Disabled - diskEncryptionMonitoringEffect: Disabled - encryptionOfAutomationAccountMonitoringEffect: Disabled - identityDesignateLessThanOwnersMonitoringEffect: Disabled - identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled - identityEnableMFAForWritePermissionsMonitoringEffect: Disabled - identityRemoveDeprecatedAccountMonitoringEffect: Disabled - identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled - identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled - identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled - identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled - jitNetworkAccessMonitoringEffect: Disabled - networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled - sqlDbEncryptionMonitoringEffect: Disabled - sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled - sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled - sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled - sqlServerAdvancedDataSecurityMonitoringEffect: Disabled - systemUpdatesMonitoringEffect: Disabled - useRbacRulesMonitoringEffect: Disabled - vmssSystemUpdatesMonitoringEffect: Disabled - windowsDefenderExploitGuardMonitoringEffect: Disabled - Deploy-ASCDF-Config: - emailSecurityContact: - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - enableAscForKubernetes: DeployIfNotExists - enableAscForSql: DeployIfNotExists - enableAscForSqlOnVm: DeployIfNotExists - enableAscForDns: DeployIfNotExists - enableAscForArm: DeployIfNotExists - enableAscForOssDb: DeployIfNotExists - enableAscForAppServices: DeployIfNotExists - enableAscForRegistries: DeployIfNotExists - enableAscForKeyVault: DeployIfNotExists - enableAscForStorage: DeployIfNotExists - enableAscForServers: DeployIfNotExists - 
Deploy-AzActivity-Log: - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-LX-Arc-Monitoring: - Deploy-Resource-Diag: - profileName: eslz-diagnostic-log - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-WS-Arc-Monitoring: - logAnalytics: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-VM-Monitoring: - logAnalytics_1: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - Deploy-VMSS-Monitoring: - logAnalytics_1: - lz_key: management - output_key: diagnostics - resource_type: log_analytics - resource_key: region1 - attribute_key: id - policy_definitions: - Append-AppService-httpsonly: - Append-AppService-latestTLS: - Append-KV-SoftDelete: - Append-Redis-disableNonSslPort: - Append-Redis-sslEnforcement: - Audit-MachineLearning-PrivateEndpointId: - Deny-AA-child-resources: - Deny-AppGW-Without-WAF: - Deny-AppServiceApiApp-http: - Deny-AppServiceFunctionApp-http: - Deny-AppServiceWebApp-http: - Deny-Databricks-NoPublicIp: - Deny-Databricks-Sku: - Deny-Databricks-VirtualNetwork: - Deny-MachineLearning-Aks: - Deny-MachineLearning-Compute-SubnetId: - Deny-MachineLearning-Compute-VmSize: - Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess: - Deny-MachineLearning-ComputeCluster-Scale: - Deny-MachineLearning-HbiWorkspace: - Deny-MachineLearning-PublicAccessWhenBehindVnet: - Deny-MachineLearning-PublicNetworkAccess: - Deny-MySql-http: - Deny-PostgreSql-http: - Deny-Private-DNS-Zones: - Deny-PublicEndpoint-MariaDB: - Deny-PublicIP: - Deny-RDP-From-Internet: - Deny-Redis-http: - Deny-Sql-minTLS: - Deny-SqlMi-minTLS: - Deny-Storage-minTLS: - Deny-Subnet-Without-Nsg: - Deny-Subnet-Without-Udr: - Deny-VNET-Peer-Cross-Sub: - 
Deny-VNet-Peering: - Deploy-ASC-SecurityContacts: - Deploy-Budget: - Deploy-Custom-Route-Table: - Deploy-DDoSProtection: - Deploy-Diagnostics-AA: - Deploy-Diagnostics-ACI: - Deploy-Diagnostics-ACR: - Deploy-Diagnostics-AnalysisService: - Deploy-Diagnostics-ApiForFHIR: - Deploy-Diagnostics-APIMgmt: - Deploy-Diagnostics-ApplicationGateway: - Deploy-Diagnostics-CDNEndpoints: - Deploy-Diagnostics-CognitiveServices: - Deploy-Diagnostics-CosmosDB: - Deploy-Diagnostics-Databricks: - Deploy-Diagnostics-DataExplorerCluster: - Deploy-Diagnostics-DataFactory: - Deploy-Diagnostics-DLAnalytics: - Deploy-Diagnostics-EventGridSub: - Deploy-Diagnostics-EventGridSystemTopic: - Deploy-Diagnostics-EventGridTopic: - Deploy-Diagnostics-ExpressRoute: - Deploy-Diagnostics-Firewall: - Deploy-Diagnostics-FrontDoor: - Deploy-Diagnostics-Function: - Deploy-Diagnostics-HDInsight: - Deploy-Diagnostics-iotHub: - Deploy-Diagnostics-LoadBalancer: - Deploy-Diagnostics-LogicAppsISE: - Deploy-Diagnostics-MariaDB: - Deploy-Diagnostics-MediaService: - Deploy-Diagnostics-MlWorkspace: - Deploy-Diagnostics-MySQL: - Deploy-Diagnostics-NetworkSecurityGroups: - Deploy-Diagnostics-NIC: - Deploy-Diagnostics-PostgreSQL: - Deploy-Diagnostics-PowerBIEmbedded: - Deploy-Diagnostics-RedisCache: - Deploy-Diagnostics-Relay: - Deploy-Diagnostics-SignalR: - Deploy-Diagnostics-SQLElasticPools: - Deploy-Diagnostics-SQLMI: - Deploy-Diagnostics-TimeSeriesInsights: - Deploy-Diagnostics-TrafficManager: - Deploy-Diagnostics-VirtualNetwork: - Deploy-Diagnostics-VM: - Deploy-Diagnostics-VMSS: - Deploy-Diagnostics-VNetGW: - Deploy-Diagnostics-WebServerFarm: - Deploy-Diagnostics-Website: - Deploy-Diagnostics-WVDAppGroup: - Deploy-Diagnostics-WVDHostPools: - Deploy-Diagnostics-WVDWorkspace: - Deploy-FirewallPolicy: - Deploy-MySQL-sslEnforcement: - Deploy-Nsg-FlowLogs-to-LA: - Deploy-Nsg-FlowLogs: - Deploy-PostgreSQL-sslEnforcement: - Deploy-Sql-AuditingSettings: - Deploy-SQL-minTLS: - Deploy-Sql-SecurityAlertPolicies: - 
Deploy-Sql-Tde: - Deploy-Sql-vulnerabilityAssessments: - Deploy-SqlMi-minTLS: - Deploy-Storage-sslEnforcement: - Deploy-Windows-DomainJoin: - policy_set_definitions: - Deny-PublicPaaSEndpoints: - Deploy-ASCDF-Config: - Deploy-Diagnostics-LogAnalytics: - Deploy-Sql-Security: - Enforce-Encryption-CMK: - Enforce-EncryptTransit: - remediation: - policy: - policy_set_definitions: - # policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766 - # /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag - Deploy-Diagnostics-LogAnalytics: - - ExpressRouteDeployDiagnosticLogDeployLogAnalytics - - FirewallDeployDiagnosticLogDeployLogAnalytics - - KeyVaultDeployDiagnosticLogDeployLogAnalytics - - LoadBalancerDeployDiagnosticLogDeployLogAnalytics - - NetworkNICDeployDiagnosticLogDeployLogAnalytics - - NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics - - NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics - - RecoveryVaultDeployDiagnosticLogDeployLogAnalytics - - storageaccountdeploydiagnosticlogdeployloganalytics - - VirtualNetworkDeployDiagnosticLogDeployLogAnalytics - - VNetGWDeployDiagnosticLogDeployLogAnalytics - Deploy-ASCDF-Config: - - defenderForOssDb - - defenderForVM - - defenderForSqlServerVirtualMachines - - defenderForAppServices - - defenderForStorageAccounts - - defenderForKubernetesService - - defenderForContainerRegistry - - defenderForKeyVaults - - defenderForDns - - defenderForArm - - defenderForSqlPaas - - securityEmailContact - - ascExport - landing-zones: - archetype_id: landing-zones - policy_assignments: - Deny-IP-Forwarding: - Deny-Priv-Containers-AKS: - Deny-Priv-Escalation-AKS: - Deny-RDP-From-Internet: - Deny-Storage-http: - Deploy-AKS-Policy: - Deploy-SQL-DB-Auditing: 
- Deploy-SQL-Threat: - Enable-DDoS-VNET: - Enforce-AKS-HTTPS: - Enforce-TLS-SSL: - # Deploy-Windows-DomainJoin: - # domainFQDN: aadds-xl.co.id - - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - subscription_creation_landingzones - connectivity: - archetype_id: platform_connectivity - policy_assignments: - Enable-DDoS-VNET: - role_definitions: - CAF-network-vhub-peering: - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - connectivity - # Make sure you replace with the Management Group ID in UPPER CASE - '[-CONNECTIVITY] CAF-network-vhub-peering': - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - subscription_creation_landingzones - - identity - - management - management: - archetype_id: platform_management - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - management - identity: - archetype_id: platform_identity - policy_assignments: - Deny-RDP-From-Internet: - Deny-Public-IP: - archetype_config: - access_control: - Owner: - azuread_groups: - lz_key: launchpad - attribute_key: id - resource_keys: - - identity - decommissioned: - archetype_id: platform_decommissioned - platform: - archetype_id: platform - sandboxes: - archetype_id: platform_sandboxes \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml deleted file mode 100644 index 6ae8db0c4..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/custom_landing_zones.caf.platform.yaml +++ /dev/null 
@@ -1,26 +0,0 @@
-archetype_definitions:
- corp:
- display_name: Corp
- archetype_id: landingzone_corp
- parent_management_group_id: landing-zones
- subscription_ids:
- online:
- display_name: Online
- archetype_id: landingzone_online
- parent_management_group_id: landing-zones
- subscription_ids:
- corp-prod:
- display_name: Production
- archetype_id: landingzone_prod
- parent_management_group_id: corp
- subscription_ids:
- corp-non-prod:
- display_name: Non Production
- archetype_id: landingzone_non_prod
- parent_management_group_id: corp
- subscription_ids:
- online-web:
- display_name: Non Production
- archetype_id: landingzone_online_web
- parent_management_group_id: online
- subscription_ids:
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml
deleted file mode 100644
index a8dc8b3d1..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/eslz.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-gitops:
- landingzones: aci_network
-
-relative_destination_folder: level1/eslz
-
-# Keep the following to allow rover ignite to process the deployment.
-subscriptions:
- launchpad:
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md
deleted file mode 100644
index def2a5a6d..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-# List of the default policy assignments
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json
deleted file mode 100644
index 789acde60..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_caf_aks_capability.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "name": "aks-capability",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
- "displayName": "Kubernetes cluster containers should only use allowed capabilities.",
- "notScopes": [],
- "parameters": {},
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
- "scope": "${current_scope_resource_id}",
- "enforcementMode": true
- },
- "location": "${default_location}",
- "identity": {
- "type": "None"
- }
-}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json
deleted file mode 100644
index bce0689ad..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_assignments/policy_assignment_es_allowed_locations.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "name": "Allowed-Locations",
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "properties": {
- "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
- "displayName": "Limit allowed locations for Resources",
- "notScopes": [],
- "parameters": {},
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
- "scope": "${current_scope_resource_id}",
- "enforcementMode": null
- },
- "location": "${default_location}",
- "identity": {
- "type": "None"
- }
-}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md
deleted file mode 100644
index e47f922fd..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_definitions/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-# List of the default policy definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md
deleted file mode 100644
index c09d2c016..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/policy_set_definitions/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-# List of the default policy set definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md
deleted file mode 100644
index f3f823e56..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/readme.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# Custom ESLZ library
-In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md
deleted file mode 100644
index 2230928aa..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-
-# Public documentation of the custom landingzones
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
-
-
-# List of the default role defitions
-
-https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json b/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json
deleted file mode 100644
index 19523d87b..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/eslz/lib/role_definitions/role_definition_caf_vhub_peering.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
- "type": "Microsoft.Authorization/roleDefinitions",
- "apiVersion": "2018-01-01-preview",
- "properties": {
- "roleName": "CAF-network-vhub-peering",
- "description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.",
- "type": "customRole",
- "permissions": [
- {
- "actions": [
- "Microsoft.Network/ddosProtectionPlans/join/action",
- "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
- "Microsoft.Network/virtualHubs/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read"
- ],
- "notActions": [
- ],
- "dataActions": [],
- "notDataActions": []
- }
- ],
- "assignableScopes": [
- "${current_scope_resource_id}"
- ]
- }
-}
\ No newline at end of file
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml
deleted file mode 100644
index fcd494b62..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/identity.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-gitops:
- caf_landingzone_branch: aci_network
-
-relative_destination_folder: level1/identity
-
-deployments:
- landingzone:
- tfstate:
- platform:
- identity:
- global_settings_key:
- platform:
- launchpad:
- remote_tfstates:
- platform:
- launchpad:
-
-subscriptions:
- identity:
- resource_groups:
- management:
- name: management
- alerts:
- name: alerts
-
- service_health_alerts:
- enable_service_health_alerts: true
- name: alerts
- shortname: HealthAlerts
- resource_group_key: alerts
- action_group_name: actiongrp
- email_alert_settings:
- support1:
- name: email_alert_support1
- email_address:
- use_common_alert_schema: false
-
- recovery_vaults:
- asr:
- name: asr
- resource_group_key: management
- soft_delete_enabled: true
- backup_policies:
- vms:
- default:
- name: vm-default-policy
- # Default to UTC
- # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
- timezone: "SE Asia Standard Time"
- backup:
- frequency: Daily
- time: "23:00"
- retention_daily:
- count: 7
- retention_weekly:
- count: 2
- weekdays:
- - Sunday
- retention_monthly:
- count: 2
- weeks:
- - First
- weekdays:
- - Sunday
- retention_yearly:
- count: 1
- weeks:
- - First
- months:
- - January
- weekdays:
- - Sunday
-
-
-# Bring here you existing active directory security groups.
-# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
-# Note Terraform will create a new Azure AD group and add the existing as a member
-#
-# level1:
-# azuread_groups:
-# network_ops_team:
-# name: netops
-# members:
-# # Set the list of the existing groups
-# objects_ids:
-# - existing_azure_ad_group_object_id
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml
deleted file mode 100644
index c635c8ab1..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/launchpad.yaml
+++ /dev/null
@@ -1,510 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level0/launchpad - -deployments: - landingzone: - tfstate: - platform: - launchpad: - - -subscriptions: - launchpad: - resource_groups: - level0: - name: caf-level0 - level1: - name: caf-level1 - level2: - name: caf-level2 - - storage_accounts: - level0: - name: l0 - resource_group_key: level0 - account_kind: BlobStorage - account_tier: Standard - shared_access_key_enabled: false - account_replication_type: GRS - blob_properties: - versioning_enabled: true - last_access_time_enabled: true - container_delete_retention_policy: - days: 7 - delete_retention_policy: - days: 7 - containers: - tfstate: - name: tfstate - tags: - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. - # Only adjust the environment value at creation time - caf_environment: - caf_launchpad: launchpad - caf_tfstate: level0 - level1: - name: l1 - resource_group_key: level1 - account_kind: BlobStorage - account_tier: Standard - shared_access_key_enabled: false - account_replication_type: GRS - blob_properties: - versioning_enabled: true - last_access_time_enabled: true - container_delete_retention_policy: - days: 7 - delete_retention_policy: - days: 7 - containers: - tfstate: - name: tfstate - tags: - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. 
- # Only adjust the environment value at creation time - caf_environment: - caf_launchpad: launchpad - caf_tfstate: level1 - level2: - name: l2 - resource_group_key: level2 - account_kind: BlobStorage - account_tier: Standard - shared_access_key_enabled: false - account_replication_type: GRS - blob_properties: - versioning_enabled: true - last_access_time_enabled: true - container_delete_retention_policy: - days: 7 - delete_retention_policy: - days: 7 - containers: - tfstate: - name: tfstate - tags: - ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. - # Only adjust the environment value at creation time - caf_environment: - caf_launchpad: launchpad - caf_tfstate: level2 - - role_mapping: - built_in_role_mapping: - management_group: - # if you are using a root_parent_id, replace the following root by the root_parent_id value - root: - User Access Administrator: - azuread_groups: - keys: - - level0 - Management Group Contributor: - azuread_groups: - keys: - - eslz - - caf_platform_maintainers - Owner: - azuread_groups: - keys: - - eslz - - caf_platform_maintainers - - connectivity # only when deploying in single subscription - - identity # only when deploying in single subscription - - management # only when deploying in single subscription - - subscription_creation_landingzones # # only when deploying in single subscription - Reader: - azuread_groups: - keys: - - caf_platform_contributors - subscriptions: - logged_in_subscription: - Owner: - azuread_groups: - keys: - - level0 - - subscription_creation_platform - - caf_platform_maintainers - Reader: - azuread_groups: - keys: - - identity - resource_groups: - level0: - Reader: - azuread_groups: - keys: - - identity - - subscription_creation_platform - - caf_platform_contributors - level1: - Reader: - azuread_groups: - keys: - - identity - - management - - eslz - - subscription_creation_platform - - caf_platform_contributors - level2: - Reader: 
- azuread_groups: - keys: - - identity - - management - - connectivity - - subscription_creation_platform - - caf_platform_contributors - - storage_accounts: - level0: - Storage Blob Data Contributor: - azuread_groups: - keys: - - level0 - - identity - - caf_platform_maintainers - Storage Blob Data Reader: - azuread_groups: - keys: - - management - - eslz - - subscription_creation_platform - - caf_platform_contributors - level1: - Storage Blob Data Contributor: - azuread_groups: - keys: - - caf_platform_maintainers - - identity - - management - - eslz - - subscription_creation_platform - Storage Blob Data Reader: - azuread_groups: - keys: - - connectivity - - caf_platform_contributors - - level0 - level2: - Storage Blob Data Contributor: - azuread_groups: - keys: - - identity - - connectivity - - management - - caf_platform_maintainers - - level0 - Storage Blob Data Reader: - azuread_groups: - keys: - - subscription_creation_landingzones - - caf_platform_contributors - - keyvaults: - level0: - name: l0 - sku_name: premium - resource_group_key: level0 - level1: - name: l1 - sku_name: premium - resource_group_key: level1 - level2: - name: l2 - sku_name: premium - resource_group_key: level2 - - keyvault_access_policies: - level0: - sp_level0: - azuread_group_key: level0 - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity: - azuread_group_key: identity - secret_permissions: - - Get - level1: - sp_level0: - azuread_group_key: level0 - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - identity: - azuread_group_key: identity - secret_permissions: - - Get - management: - azuread_group_key: management - secret_permissions: - - Get - eslz: - azuread_group_key: eslz - secret_permissions: - - Get - subscription_creation_platform: - azuread_group_key: subscription_creation_platform - secret_permissions: - - Get - level2: - sp_level0: - azuread_group_key: level0 - secret_permissions: - - Set - - Get - - List - 
- Delete - - Purge - - Recover - identity: - azuread_group_key: identity - secret_permissions: - - Get - management: - azuread_group_key: management - secret_permissions: - - Get - connectivity: - azuread_group_key: connectivity - secret_permissions: - - Get - subscription_creation_platform: - azuread_group_key: subscription_creation_platform - secret_permissions: - - Get - - azuread_applications: - level0: - application_name: sp-caf-level0 - identity: - application_name: sp-caf-identity - management: - application_name: sp-caf-management - eslz: - application_name: sp-caf-eslz - connectivity: - application_name: sp-caf-connectivity - subscription_creation_platform: - application_name: sp-caf-subscription_creation_platform - subscription_creation_landingzones: - application_name: sp-caf-subscription_creation_landingzones - - azuread_service_principals: - # Manage the deployment of the level0 - level0: - azuread_application: - key: level0 - # Manage the deployment of Enterprise Scale - eslz: - azuread_application: - key: eslz - # Manage the deployment of the connectivity services - connectivity: - azuread_application: - key: connectivity - # Manage the deployment of the shared services - management: - azuread_application: - key: management - # Manage the deployment of the identity services - identity: - azuread_application: - key: identity - # Has delegation to create platform subscriptions - subscription_creation_platform: - azuread_application: - key: subscription_creation_platform - # Has delegation to create landingzone subscriptions - subscription_creation_landingzones: - azuread_application: - key: subscription_creation_landingzones - - azuread_api_permissions: - level0: - microsoft_graph: - resource_app_id: 00000003-0000-0000-c000-000000000000 - resource_access: - AppRoleAssignment_ReadWrite_All: - id: 06b708a9-e830-4db3-a914-8e69da51d44f - type: Role - DelegatedPermissionGrant_ReadWrite_All: - id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a - type: Role - 
DelegatedPermissionGrant_ReadWrite_All: - id: 18a4783c-866b-4cc7-a460-3d5e5662c884 - type: Role - identity: - active_directory_graph: - resource_app_id: 00000002-0000-0000-c000-000000000000 - resource_access: - Application_ReadWrite_OwnedBy: - id: 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7 - type: Role - Directory_ReadWrite_All: - id: 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175 - type: Role - microsoft_graph: - resource_app_id: 00000003-0000-0000-c000-000000000000 - resource_access: - AppRoleAssignment_ReadWrite_All: - id: 06b708a9-e830-4db3-a914-8e69da51d44f - type: Role - DelegatedPermissionGrant_ReadWrite_All: - id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a - type: Role - GroupReadWriteAll: - id: 62a82d76-70ea-41e2-9197-370581804d09 - type: Role - RoleManagement_ReadWrite_Directory: - id: 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 - type: Role - - azuread_roles: - azuread_service_principals: - level0: - roles: - - Privileged Role Administrator - - Application Administrator - - Groups Administrator - identity: - roles: - - User Administrator - - Application Administrator - - Groups Administrator - subscription_creation_landingzones: - roles: - - Application Administrator - - Groups Administrator - - dynamic_keyvault_secrets: - level0: - subscription_id: - output_key: client_config - attribute_key: subscription_id - secret_name: subscription-id - tenant_id: - output_key: client_config - attribute_key: tenant_id - secret_name: tenant-id - level1: - lower_stg: - output_key: storage_accounts - resource_key: level0 - attribute_key: name - secret_name: lower-storage-account-name - lower_rg: - output_key: resource_groups - resource_key: level0 - attribute_key: name - secret_name: lower-resource-group-name - subscription_id: - output_key: client_config - attribute_key: subscription_id - secret_name: subscription-id - tenant_id: - output_key: client_config - attribute_key: tenant_id - secret_name: tenant-id - level2: - lower_stg: - output_key: storage_accounts - resource_key: level1 - 
attribute_key: name - secret_name: lower-storage-account-name - lower_rg: - output_key: resource_groups - resource_key: level1 - attribute_key: name - secret_name: lower-resource-group-name - subscription_id: - output_key: client_config - attribute_key: subscription_id - secret_name: subscription-id - tenant_id: - output_key: client_config - attribute_key: tenant_id - secret_name: tenant-id - - azuread_groups: - caf_platform_maintainers: - name: caf-platform-maintainers - description: High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments. - prevent_duplicate_name: true - owners: - - - caf_platform_contributors: - name: caf-platform-contributors - description: Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR. - prevent_duplicate_name: true - owners: - - - level0: - name: caf-level0 - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - level0 - eslz: - name: caf-eslz - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - eslz - identity: - name: caf-identity - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - identity - management: - name: caf-management - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - management - connectivity: - name: caf-connectivity - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - connectivity - subscription_creation_platform: - name: caf-subscription_creation_platform - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - subscription_creation_platform - subscription_creation_landingzones: - name: caf-subscription_creation_landingzones - prevent_duplicate_name: true - owners: - - - members: - azuread_service_principal_keys: - - subscription_creation_landingzones - # object_ids: - # - 
746f54dc-285b-454b-8c55-3d499be91e1f
-
diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/management.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/management.yaml
deleted file mode 100644
index 37116aea2..000000000
--- a/templates/enterprise-scale/contoso/platform/single_subscription/management.yaml
+++ /dev/null
@@ -1,101 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level1/management - -deployments: - landingzone: - tfstate: - platform: - management: - global_settings_key: - platform: - launchpad: - remote_tfstates: - platform: - launchpad: - -subscriptions: - management: - resource_groups: - management: - name: management - alerts: - name: alerts - - diagnostic_log_analytics: - # if you change this key you also need to change it in the ESLZ deployment - # eslz/archetype_config_overrides.caf.platform.yaml - # eslz/custom_landing_zones.caf.platform.yaml - region1: - name: logre1 - resource_group_key: management - - monitor_action_groups: - networking_operations: - action_group_name: Networking Operations - resource_group_key: alerts - shortname: netops - arm_role_alert: - contributors: - name: Monitoring Contributor - role_name: Monitoring Contributor - use_common_alert_schema: false - email_receiver: - noc: - name: email_alert_support1 - email_address: - use_common_alert_schema: false - - service_health_alerts: - enable_service_health_alerts: true - name: alerts - shortname: HealthAlerts - resource_group_key: alerts - action_group_name: actiongrp - email_alert_settings: - support1: - name: email_alert_support1 - email_address: - use_common_alert_schema: false - - automation_accounts: - account1: - name: automationAccount1 - resource_group_key: management - - recovery_vaults: - asr: - name: asr - resource_group_key: management - soft_delete_enabled: true - backup_policies: - vms: - default: - name: vm-default-policy - # Default to UTC - # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - retention_weekly: - count: 2 - weekdays: - - Sunday - retention_monthly: - count: 2 - weeks: - - First - weekdays: - - Sunday - retention_yearly: - count: 1 - weeks: - - First - months: - - January 
- weekdays: - - Sunday diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml deleted file mode 100644 index 70fba14b7..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/subscriptions.yaml +++ /dev/null @@ -1,22 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level1/subscriptions - -deployments: - landingzone: - tfstate: - platform: - subscriptions: - -subscriptions: - launchpad: - subscriptions: - launchpad: - subscription_id: - identity: - subscription_id: - connectivity: - subscription_id: - management: - subscription_id: \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml b/templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml deleted file mode 100644 index a5c8d0546..000000000 --- a/templates/enterprise-scale/contoso/platform/single_subscription/tfstates.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -tfstates: - platform: - ### Level0 ### - launchpad: - lz_key_name: launchpad - tfstate: caf_launchpad.tfstate - workspace: tfstate - level: level0 - identity_aad_key: cred_level0 - config_file: launchpad.yaml - sub_template_folder: level0/launchpad - yaml: level0/launchpad/ansible.yaml - launchpad_credentials: - lz_key_name: launchpad_credentials_rotation - tfstate: launchpad_credentials_rotation.tfstate - level: level0 - identity_aad_key: cred_identity - config_file: credentials.yaml - sub_template_folder: level0/credentials - - ### Level1 ### - management: - lz_key_name: management - tfstate: management.tfstate - level: level1 - identity_aad_key: cred_management - config_file: management.yaml - identity: - lz_key_name: identity - tfstate: identity.tfstate - level: level1 - identity_aad_key: cred_identity - config_file: identity.yaml - sub_template_folder: level1/identity - eslz: - lz_key_name: eslz - tfstate: eslz.tfstate - level: level1 - identity_aad_key: cred_eslz - config_file: eslz/eslz.yaml - sub_template_folder: level1/eslz - yaml: level1/eslz/ansible.yaml - platform_subscriptions: - lz_key_name: platform_subscriptions - tfstate: platform_subscriptions.tfstate - level: level1 - identity_aad_key: cred_subscription_creation_platform - config_file: subscriptions.yaml - sub_template_folder: level1/subscriptions - - ## Level2 ## - identity_level2: - prod: - lz_key_name: identity_level2 - tfstate: identity_level2.tfstate - level: level2 - identity_aad_key: cred_identity - non_prod: - lz_key_name: identity_level2 - tfstate: identity_level2_non_prod.tfstate - level: level2 - identity_aad_key: cred_identity - - identity_level2_aadds: - prod: - lz_key_name: identity_level2_aadds - tfstate: identity_level2_aadds.tfstate - level: - identity_aad_key: cred_identity - - virtual_wans: - prod: - lz_key_name: connectivity_virtual_wan - tfstate: connectivity_virtual_wan.tfstate - level: level2 - identity_aad_key: cred_connectivity - - virtual_hubs: - prod: 
- lz_key_name: connectivity_virtual_hub_prod - tfstate: connectivity_virtual_hub_prod.tfstate - workspace: tfstate - level: level2 - identity_aad_key: cred_connectivity - non_prod: - lz_key_name: connectivity_virtual_hub_non_prod - tfstate: connectivity_virtual_hub_non_prod.tfstate - workspace: tfstate - level: level2 - identity_aad_key: cred_connectivity - - azurerm_firewalls: - prod: - lz_key_name: connectivity_firewalls_prod - tfstate: connectivity_firewalls_prod.tfstate - level: level2 - identity_aad_key: cred_connectivity - non_prod: - lz_key_name: connectivity_firewalls_non_prod - tfstate: connectivity_firewalls_non_prod.tfstate - level: level2 - identity_aad_key: cred_connectivity - - azurerm_firewall_policies: - prod: - lz_key_name: connectivity_firewall_policies_prod - tfstate: connectivity_firewall_policies_prod.tfstate - level: level2 - identity_aad_key: cred_connectivity - non_prod: - lz_key_name: connectivity_firewall_policies_non_prod - tfstate: connectivity_firewall_policies_non_prod.tfstate - level: level2 - identity_aad_key: cred_connectivity - - private_dns: - prod: - lz_key_name: connectivity_private_dns_prod - tfstate: connectivity_private_dns_prod.tfstate - level: level2 - identity_aad_key: cred_connectivity - non_prod: - lz_key_name: connectivity_private_dns_non_prod - tfstate: connectivity_private_dns_non_prod.tfstate - level: level2 - identity_aad_key: cred_connectivity - - vpn_sites: - prod: - lz_key_name: connectivity_vpn_sites_prod - tfstate: connectivity_vpn_sites_prod.tfstate - sub_template_folder: level2/connectivity - level: level2 - identity_aad_key: cred_connectivity - - asvm: - lz_key_name: asvm - tfstate: asvm_subscription_vending_machine.tfstate - level: level2 - identity_aad_key: cred_level0 - sub_template_folder: level2/asvm - yaml: level2/asvm/ansible.yaml - rover_ignite_dependencies: - - launchpad 
diff --git a/templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx b/templates/platform/IP Address Plan.xlsx
similarity index 100%
rename from templates/enterprise-scale/contoso/platform/IP Address Plan.xlsx
rename to templates/platform/IP Address Plan.xlsx
diff --git a/templates/platform/ansible.yaml b/templates/platform/ansible.yaml
deleted file mode 100644
index ee88a105e..000000000
--- a/templates/platform/ansible.yaml
+++ /dev/null
@@ -1,99 +0,0 @@ -- name: Process deployment based on bootstrap.yaml - hosts: localhost - - tasks: - - - name: "load {{ config_folder }}/bootstrap.yaml" - include_vars: - name: bootstrap - dir: "{{ config_folder }}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "bootstrap.yaml" - - - name: "Load variable for landingzones config" - include_vars: - name: asvm_config__to_merge - dir: "{{config_folder}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml" - - - name: "Load variable for platform config" - include_vars: - name: platform_config__to_merge - dir: "{{config_folder_platform | default(config_folder)}}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml|subscriptions.yaml" - - - name: Merge asvm and platform variables - merge_vars: - suffix_to_merge: config__to_merge - merged_var_name: config - expected_type: 'dict' - recursive_dict_merge: True - - - name: "Get latest cache folder" - set_fact: - job_cache_base_path: "/home/vscode/.terraform.cache" - destination_base: '{{config.configuration_folders.platform.destination_base_path}}' - config: "{{ ansible_facts.config }}" - - - debug: - msg: - - "{{bootstrap}}" - - "{{config}}" - # verbosity: 2 - -# -# Generate the foundation services -# - - - include_tasks: "process_foundations.yaml" - loop: "{{bootstrap.deployments.keys()}}" - when: bootstrap != {} - loop_control: - loop_var: stage - vars: - step: deployments - -# -# Process the deployments folders -# - - - find: - paths: "{{config_folder}}/deployments" - recurse: yes - patterns: "*.yaml" - file_type: file - register: files_to_process - - - debug: - msg: - - "{{files_to_process}}" - verbosity: 2 - - - - name: Process deployments folder configuration files - include_tasks: "process_deployments.yaml" - loop: "{{files_to_process.files}}" - loop_control: - loop_var: file_to_process - -## Platform readme - - - name: "[{{ 
base_templates_folder }}] readme" - ansible.builtin.template: - src: "{{ base_templates_folder }}/readme.md" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/readme.md" - force: yes - -# -# Formatting & Linters -# - - - name: Terraform Formatting - shell: | - terraform fmt -recursive {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }} - diff --git a/templates/platform/ansible/ansible.yaml b/templates/platform/ansible/ansible.yaml new file mode 100644 index 000000000..0d42de4fb --- /dev/null +++ b/templates/platform/ansible/ansible.yaml 
@@ -0,0 +1,99 @@ +- name: Process deployment based on ignite.yaml + hosts: localhost + + tasks: + + - name: "load {{ config_folder }}/ignite.yaml" + include_vars: + name: bootstrap + dir: "{{ config_folder }}" + depth: 1 + ignore_unknown_extensions: true + files_matching: "ignite.yaml" + + - name: "Load variable for platform config" + include_vars: + name: resources + dir: "{{config_folder_platform | default(config_folder)}}" + depth: 0 + ignore_unknown_extensions: true + files_matching: ".yaml" + ignore_files: "ignite.yaml" + + - name: "Set variables" + set_fact: + job_cache_base_path: "/home/vscode/.terraform.cache" + destination_base_path: '{{resources.configuration_folders.platform.destination_base_path}}/{{ resources.configuration_folders.platform.destination_relative_path }}' + + - name: "Creates destination directory - {{destination_base_path}}" + file: + path: "{{destination_base_path}}" + state: directory + + + - debug: + msg: + - "bootstrap: {{bootstrap}}" + - "resources: {{resources}}" + +# +# Generate the foundation services +# + + - name: Process core deployments + include_tasks: "process_stages.yaml" + loop: "{{bootstrap.deployments.root.keys()}}" + loop_control: + loop_var: tfstate + vars: + lz_type: platform + stage: root + + - name: Process eslz deployments + include_tasks: "process_stages.yaml" + loop: "{{bootstrap.deployments.eslz.keys()}}" + loop_control: + loop_var: tfstate + when: + - launchpad_tfstate_exists.rc == 0 + vars: + lz_type: platform + stage: eslz + +# +# Process the deployments folders +# + + - find: + paths: "{{config_folder}}/scale_out_domains" + recurse: yes + patterns: "*.yaml" + file_type: file + register: files_to_process + + - name: Process scale out domaines deployments + include_tasks: "process_stages.yaml" + loop: "{{bootstrap.deployments.scale_out_domains.keys()}}" + loop_control: + loop_var: tfstate + when: + - launchpad_tfstate_exists.rc == 0 + vars: + lz_type: platform + stage: scale_out_domains + +## Platform readme 
+ + - name: "[{{ base_templates_folder }}] readme" + ansible.builtin.template: + src: "{{ base_templates_folder }}/readme.md" + dest: "{{ destination_base_path }}/readme.md" + force: yes + +# +# Formatting & Linters +# + + - name: Terraform Formatting + shell: | + terraform fmt -recursive {{ destination_base_path }} diff --git a/templates/platform/ansible/load_deployments.yaml b/templates/platform/ansible/load_deployments.yaml new file mode 100644 index 000000000..f6b358be8 --- /dev/null +++ b/templates/platform/ansible/load_deployments.yaml 
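Review bot: `launchpad_tfstate_exists.rc == 0` gates both the eslz and the scale_out_domains includes, but nothing in this playbook registers `launchpad_tfstate_exists`; if it is set inside the included `process_tfstate.yaml` that is not visible here, a comment on the `when` saying so would help, otherwise the second include fails on an undefined variable. The `find` task registers `files_to_process` which is never read — the scale-out loop iterates `bootstrap.deployments.scale_out_domains.keys()` instead — so either drop the task or loop over its result. The final task passes `{{ destination_base_path }}` unquoted to `shell:`, and that path is assembled from values loaded out of the YAML config; quote it, `terraform fmt -recursive "{{ destination_base_path }}"`, or switch to `command:` so a path containing spaces or shell metacharacters cannot be split or interpreted by the shell.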
@@ -0,0 +1,44 @@ + +- name: "Process 1 deployment file {{stage}}" + set_fact: + "{{stage}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][item]}}') | from_yaml }}" + loop: "{{topology.deployments[stage].keys()}}" + when: + - stage == 'root' or stage == 'eslz' + - topologies is not defined + +- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/" + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}" + dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}" + loop: "{{topology.deployments[stage].keys()}}" + when: + - stage == 'root' + - topologies is defined + +- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/" + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}" + dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}" + loop: "{{topology.deployments[stage].keys()}}" + when: + - stage == 'eslz' + - topologies is defined + + +- name: "Process 2 deployment file {{stage}}" + include_tasks: "load_deployments_eslz.yaml" + loop: "{{topology.deployments[stage].keys()}}" + loop_control: + loop_var: service + when: + - stage == 'eslz' + - topologies is defined + +- name: "Process 2 deployment file {{stage}}" + include_tasks: "load_deployments_env.yaml" + loop: "{{topology.deployments[stage].keys()}}" + loop_control: + loop_var: service + when: + - stage == 'scale_out_domains' diff --git a/templates/platform/ansible/load_deployments_env.yaml b/templates/platform/ansible/load_deployments_env.yaml new file mode 100644 index 000000000..c1a42518e --- /dev/null +++ b/templates/platform/ansible/load_deployments_env.yaml 
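Review bot: The first task's `set_fact` nests a moustache template inside the `lookup('template', '{{ ... }}')` argument, which Ansible does not support inside an already-templated expression and normally warns about; build the path with Jinja concatenation instead, `lookup('template', config_folder_platform_templates ~ '/services/' ~ topology.deployments[stage][item])`. The two "Copy file" tasks and the two "Process 2 deployment file" tasks carry identical names that differ only in their `when`, which makes the play output hard to read; name them by stage, e.g. `Copy root deployment files` / `Copy eslz deployment files`. The `dest` of the root copy writes directly under `destination_path` while the eslz copy and `load_deployments_env.yaml` write into per-stage subfolders — if that asymmetry is intentional, a one-line comment above the root task would save the next reader from assuming it is a bug.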
@@ -0,0 +1,31 @@ +- name: "Process 3 deployment file {{stage}}/{{service}}" + set_fact: + "{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][service][env]}}') | from_yaml }}" + loop: "{{topology.deployments[stage][service].keys()}}" + loop_control: + loop_var: env + when: + - topologies is not defined + + +- name: "Creates directory" + file: + path: "{{destination_path}}/{{stage}}/{{env}}" + state: directory + loop: "{{topology.deployments[stage][service].keys()}}" + loop_control: + loop_var: env + when: + - topologies is defined + +- name: "Copy file {{stage}}/{{service}}" + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][service][env]}}" + dest: "{{destination_path}}/{{stage}}/{{env}}/{{topologies[service + '_' + env].tfstate.config_file}}" + loop: "{{topology.deployments[stage][service].keys()}}" + loop_control: + loop_var: env + when: + - topologies is defined + + diff --git a/templates/platform/ansible/load_deployments_eslz.yaml b/templates/platform/ansible/load_deployments_eslz.yaml new file mode 100644 index 000000000..b0f35fdf4 --- /dev/null +++ b/templates/platform/ansible/load_deployments_eslz.yaml 
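Review bot: The "Process 3" task's `set_fact` builds the template path with a moustache nested inside the `lookup('template', '{{ ... }}')` string; templating inside a lookup argument is not supported and Ansible typically emits a warning, so concatenate with Jinja, `lookup('template', config_folder_platform_templates ~ '/services/' ~ topology.deployments[stage][service][env])`. The fact name `{{service}}_{{env}}_deployment__to_merge` and the key `topologies[service + '_' + env]` both rely on the join being unambiguous even though `service` and `env` come from config keys that may themselves contain `_`; if that naming convention is a deliberate contract, state it in a comment at the top of the file, e.g. `# topologies entries are keyed "<service>_<env>"; service keys must not contain "_"`.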
@@ -0,0 +1,57 @@ + +- name: "{{destination_eslz_path}} - Set tfstate_object" + set_fact: + tfstate_object: "{{topologies['eslz_' + service].tfstate}}" + +- name: "{{destination_path}}/{{stage}} - Set landingzone file_path" + set_fact: + destination_eslz_path: "{{destination_path}}/{{stage}}/{{service}}" + template_folder: "{{config_folder_platform_templates}}/{{ tfstate_object.template_lib_folder}}" + +- name: "{{destination_eslz_path}} - Set landingzone file_path" + set_fact: + template_lib_folder: "{{template_folder}}/lib/{{ tfstate_object.eslz_version }}" + +- name: "{{destination_eslz_path}} - Set landingzone file_path" + set_fact: + mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" + mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}" + +- debug: + msg: "{{destination_eslz_path}}" + +- name: "Clean-up destination directory" + shell: | + rm -rf "{{ destination_eslz_path }}" + when: + - topology.enterprise_scale[service].clean_up_destination_folder + +- name: "Creates directory structure - {{template_lib_folder}}" + shell: mkdir -p "{{ destination_eslz_path }}/lib/{{ item.path }}" + with_filetree: "{{ template_lib_folder }}" + when: + - item.state == 'directory' + +- name: " Lib" + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ destination_eslz_path }}/lib/{{ item.path }}" + force: yes + with_filetree: "{{ template_lib_folder }}" + when: + - item.state == 'file' + - item.path is not search(".j2") + - item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md") + - topologies.platform_core_setup.enterprise_scale[service].update_lib_folder + + +- name: " Lib" + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ destination_eslz_path }}/{{ item.path }}" + force: yes + with_filetree: "{{ template_lib_folder }}" + when: + - item.state == 'file' + - item.path is search(".yaml") 
+ - topologies.platform_core_setup.enterprise_scale[service].update_lib_folder diff --git a/templates/platform/ansible/process_deployments.yaml b/templates/platform/ansible/process_deployments.yaml new file mode 100644 index 000000000..529840455 --- /dev/null +++ b/templates/platform/ansible/process_deployments.yaml @@ -0,0 +1,38 @@ + +- debug: + msg: + - "env: {{env}}" + - "lz_type: {{lz_type}}" + - "tfstate: {{tfstate}}" + + +# - set_fact: +# lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}" + +# - set_fact: +# # tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}" +# env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}" + +# - debug: +# msg: +# - "{{config}}" +# - "{{lz_type}}" +# - "{{tfstate}}" +# - "{{env}}" +# verbosity: 2 + + +- name: "Set tfstate_object" + set_fact: + tfstate_object: '{{resources.tfstates[lz_type][tfstate][env] }}' + + +- debug: + msg: + - "{{tfstate_object}}" + +- name: "Including tasks process_tfstate.yaml" + include_tasks: "process_tfstate.yaml" + loop: ["{{ tfstate }}"] + loop_control: + loop_var: deployment \ No newline at end of file diff --git a/templates/platform/process_foundations.yaml b/templates/platform/ansible/process_foundations.yaml similarity index 100% rename from templates/platform/process_foundations.yaml rename to templates/platform/ansible/process_foundations.yaml diff --git a/templates/platform/process_resources.yaml b/templates/platform/ansible/process_resources.yaml similarity index 77% rename from templates/platform/process_resources.yaml rename to templates/platform/ansible/process_resources.yaml index c3b7a0054..beca98235 100644 --- a/templates/platform/process_resources.yaml +++ b/templates/platform/ansible/process_resources.yaml 
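Review bot: The "Clean-up destination directory" task runs `rm -rf "{{ destination_eslz_path }}"` through `shell:`, and that path is concatenated from `destination_path`, `stage` and `service` with no check that any component is non-empty or free of `..`; a malformed or empty topology key would delete well outside the generated tree. Prefer the `file` module with `state: absent`, preceded by an `assert` that the components are sane, as sketched below. The same task's `when` reads `topology.enterprise_scale[service].clean_up_destination_folder` while the two "Lib" tasks read `topologies.platform_core_setup.enterprise_scale[service].update_lib_folder`; one of those two paths into the config is presumably wrong, so confirm which structure the loaded config actually carries. The `mkdir -p` loop can likewise become `file: state: directory`, which removes the remaining shell quoting concern.
```yaml
- name: "Refuse to clean up outside the generated tree"
  assert:
    that:
      - destination_path | length > 0
      - service | length > 0
      - "'..' not in service and '/' not in service"
    fail_msg: "refusing to remove {{ destination_eslz_path }}"
  when:
    - topology.enterprise_scale[service].clean_up_destination_folder

- name: "Clean-up destination directory"
  file:
    path: "{{ destination_eslz_path }}"
    state: absent
  when:
    - topology.enterprise_scale[service].clean_up_destination_folder

# … unchanged: directory structure and Lib template tasks …
```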
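Review bot: `tfstate_object: '{{resources.tfstates[lz_type][tfstate][env] }}'` has no guard, so a scale-out domain listed in ignite.yaml but missing from the tfstates config fails with Ansible's generic "dict object has no attribute" message from an `include_tasks` three levels deep; an `assert` with `that: env in resources.tfstates[lz_type][tfstate]` and a `fail_msg` naming `lz_type`, `tfstate` and `env` would make the misconfiguration obvious. The commented-out `set_fact`/`debug` block in the middle of the file looks like a leftover from the previous `config`-based structure and should be removed, and the remaining `debug` of `tfstate_object` should carry `verbosity: 2` like its siblings so normal runs are not flooded. The file also lacks a trailing newline.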
@@ -1,4 +1,4 @@
-- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}} - check file to process"
+- name: "resources - {{resource_type}} - check file to process"
stat:
path: "{{ansible_to_process}}/{{resource_type}}.tfvars.j2"
register: override_file
@@ -20,7 +20,7 @@
#
# resources
#
-- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}}"
+- name: "resources - {{resource_type}}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
diff --git a/templates/platform/ansible/process_stages.yaml b/templates/platform/ansible/process_stages.yaml
new file mode 100644
index 000000000..566b50421
--- /dev/null
+++ b/templates/platform/ansible/process_stages.yaml
@@ -0,0 +1,40 @@
+
+- debug:
+ msg:
+ - "tfstate {{tfstate}}}}"
+ - "{{lz_type}}"
+
+- name: "Set tfstate_object"
+ set_fact:
+ tfstate_object: "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][tfstate] }}"
+ env: ''
+
+- name: "Set config_folder"
+ set_fact:
+ config_folder: '{{ tfstate_object.sub_template_folder | default() }}'
+
+- debug:
+ msg:
+ - "{{lz_type}}"
+ - "{{tfstate}}"
+ - "{{tfstate_object}}"
+ - "{{config_folder}}"
+ verbosity: 2
+
+- name: "Including tasks process_tfstate.yaml"
+ include_tasks: "process_tfstate.yaml"
+ loop: ["{{tfstate}}"]
+ loop_control:
+ loop_var: deployment
+ vars:
+ config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
+ when: stage != 'scale_out_domains'
+
+- name: "Process deployments"
+ include_tasks: "process_deployments.yaml"
+ loop: "{{bootstrap.deployments.scale_out_domains[tfstate].keys()}}"
+ loop_control:
+ loop_var: env
+ vars:
+ deployment: deployment
+ when: stage == 'scale_out_domains'
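Review bot: The first debug message in process_stages.yaml, `- "tfstate {{tfstate}}}}"`, carries two extra closing braces, so it prints the value followed by a literal `}}`; it should read `- "tfstate {{tfstate}}"`. In the `Process deployments` task, `vars: deployment: deployment` assigns the literal string `deployment` rather than a value, and process_deployments.yaml then re-assigns the same name as its `loop_var`, so at best the var is redundant and at worst it triggers the duplicate loop-variable warning — worth confirming what it was meant to carry. That loop also reads `bootstrap.deployments.scale_out_domains[tfstate]` while every other lookup in the file goes through `resources.tfstates[...]`; if `bootstrap` is the loaded topology under another name, a one-line comment saying so would spare the next reader a search.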
diff --git a/templates/platform/process_subscription_resources.yaml b/templates/platform/ansible/process_subscription_resources.yaml
similarity index 55%
rename from templates/platform/process_subscription_resources.yaml
rename to templates/platform/ansible/process_subscription_resources.yaml
index a13fafa8c..c648d66cf 100644
--- a/templates/platform/process_subscription_resources.yaml
+++ b/templates/platform/ansible/process_subscription_resources.yaml
@@ -2,49 +2,56 @@ - debug: msg: - "subscription_key {{subscription_key}}" - - "{{resources.subscriptions[subscription_key]}}" - name: "{{deployment}} - Set ansible_to_process" set_fact: ansible_to_process: "{{base_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else base_templates_folder + '/generic'}}" + tfstate_resource: "{{ 'eslz_' + deployment if stage == 'eslz' else deployment if env == '' else deployment + '_' + env }}" verbosity: 2 -- name: "{{deployment}} - Set landingzone file_path" + +- debug: + msg: + - "{{env}}" + - "{{tfstate_resource}}" + + +- name: "{{tfstate_resource}} - Set landingzone file_path" set_fact: landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2" landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2" - destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}" + destination_path: "{{destination_base_path}}/{{resources['eslz_' + deployment].relative_destination_folder if stage == 'eslz' else resources[tfstate_resource].relative_destination_folder}}" level: "{{tfstate_object.level}}" verbosity: 2 -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - check file to process" +- name: "[{{tfstate_resource}}] - landingzone - check overrides to process in {{ansible_to_process}}" stat: path: "{{landingzone_override}}" register: landingzone_override_file -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Clean-up directory" +- name: "[{{tfstate_resource}}] - landingzone - Clean-up directory" file: path: "{{destination_path}}" state: absent - when: config.configuration_folders.platform.cleanup_destination | bool + when: resources.configuration_folders.platform.cleanup_destination | bool -- name: "[{{deployment}} - 
{{resources.relative_destination_folder}}] - landingzone - Creates directory" +- name: "[{{tfstate_resource}}] - landingzone - Creates directory" file: path: "{{destination_path}}" state: directory -- name: "{{deployment}} - process custom yaml process" +- name: "{{tfstate_resource}} - process custom yaml process" include_tasks: "{{base_templates_folder}}/{{tfstate_object.yaml}}" when: tfstate_object.yaml is defined # # landingzone.tfvars # -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone" +- name: "{{tfstate_resource}} - landingzone" ansible.builtin.template: src: "{{ item }}" dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" @@ -56,16 +63,16 @@ # Resources # -- name: "{{deployment}} - process resources" +- name: "{{tfstate_resource}} - process resources" include_tasks: "process_resources.yaml" - loop: "{{resources.subscriptions[subscription_key] | list if resources.subscriptions[subscription_key] is mapping else [] }}" + loop: "{{resources[tfstate_resource].subscriptions[subscription_key] | list if resources[tfstate_resource].subscriptions[subscription_key] is mapping else [] }}" loop_control: loop_var: resource_type # # overrides # -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}" +- name: "[{{tfstate_resource}} - {{resources[tfstate_resource].relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}" ansible.builtin.template: src: "{{ item }}" dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" diff --git a/templates/platform/process_tfstate.yaml b/templates/platform/ansible/process_tfstate.yaml similarity index 58% rename from templates/platform/process_tfstate.yaml rename to templates/platform/ansible/process_tfstate.yaml index 3fd2e2a6f..52a3d1314 100644 --- a/templates/platform/process_tfstate.yaml +++ b/templates/platform/ansible/process_tfstate.yaml 
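Review bot: `destination_path` is now built as `{{destination_base_path}}/{{...relative_destination_folder}}` and handed straight to `file: state: absent` when `cleanup_destination` is set, so a tfstate entry whose `relative_destination_folder` is empty would clean up the base folder itself; adding `- resources[tfstate_resource].relative_destination_folder | length > 0` to that task's `when` keeps the deletion scoped to one landing zone. The conditional inside the same fact is redundant, because `tfstate_resource` already evaluates to `'eslz_' + deployment` when `stage == 'eslz'`, so `destination_path: "{{destination_base_path}}/{{resources[tfstate_resource].relative_destination_folder}}"` is equivalent and easier to read. The new unconditional debug of `env` and `tfstate_resource` sits among tasks that suppress output until `-vv`; `verbosity: 2` on it would keep normal runs quiet. Note that `verbosity: 2` under `set_fact` (pre-existing context, now extended with `tfstate_resource`) defines a fact named `verbosity` rather than gating anything, since `set_fact` treats every key as a fact to set.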
@@ -1,23 +1,23 @@ - debug: msg: - "{{lz_type}}" + - "{{deployment}}" + - "{{env}}" - name: "Verify {{deployment}} {{lz_type}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :" debug: msg: - - "{{config.tfstates[lz_type][deployment]}}" - - "resources - {{resources}}" + - "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][deployment] if env == '' else resources.tfstates[lz_type][deployment][env]}}" - name: "{{deployment}} - tfstate_object sub_template_folder- {{env}}" debug: msg: - 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}' - 'tfstate_object - {{tfstate_object}}' - verbosity: 2 - name: "{{deployment}} - process subscription resources" include_tasks: "process_subscription_resources.yaml" - loop: "{{resources.subscriptions.keys()}}" + loop: "{{resources['eslz_' + tfstate].subscriptions.keys() if stage == 'eslz' else resources[tfstate].subscriptions.keys() if env == '' else resources[tfstate + '_' + env].subscriptions.keys() }}" loop_control: loop_var: subscription_key vars: diff --git a/templates/platform/ansible/walk-through.yaml b/templates/platform/ansible/walk-through.yaml new file mode 100644 index 000000000..d188d6280 --- /dev/null +++ b/templates/platform/ansible/walk-through.yaml 
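Review bot: The hunk removes `verbosity: 2` from the `tfstate_object sub_template_folder` debug, so the complete `tfstate_object` is now printed on every run; restore `verbosity: 2` there, as process_stages.yaml in the same commit does for the same data. The selector `['eslz_' + tfstate] if stage == 'eslz' else [deployment] if env == '' else [deployment][env]` is spelled out again in the `Verify` message and in the `process subscription resources` loop, mixing `tfstate` and `deployment` (equal here only because the callers loop over `["{{ tfstate }}"]`, nothing enforces it); computing the key once with `set_fact`, as process_subscription_resources.yaml does with `tfstate_resource`, would remove both the duplication and the mismatch. The `Verify ...` task name still points the reader at `{{config_folder}}/tfstates.yaml` although the value is read from `resources.tfstates`; worth checking the name is still accurate after the rename.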
@@ -0,0 +1,117 @@ +- name: Get deployment user object_id + shell: az ad signed-in-user show --query objectId -o tsv + register: object_id + +- name: Get deployment user UPN + shell: az ad signed-in-user show --query userPrincipalName -o tsv + register: upn + +- name: Get default user's tenant name + shell: az rest --method get --url "https://graph.microsoft.com/v1.0/organization" --query "value[0].verifiedDomains[?isDefault].name" -o tsv + register: tenant_name + +- name: Get default user's tenant guid + shell: az account show --query tenantId -o tsv + register: tenant_id + +- name: Get default subscription id + shell: az account show --query id -o tsv + register: subscription_id + +- name: Get default subscription name + shell: az account show --query name -o tsv + register: subscription_name + + +- set_fact: + regions: "{{ azure_regions }}" + +- set_fact: + topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}" + destination_path: "{{destination_base_path + '/' + definitions_relative_path}}" + + +- name: "Creates directory - {{destination_path}}" + file: + path: "{{destination_path}}" + state: directory + +# +# Load the files into variables +# + +- include_tasks: "load_deployments.yaml" + loop: "{{topology.deployments.keys()}}" + loop_control: + loop_var: stage + +- name: Merge deployment files into topologies variable + merge_vars: + suffix_to_merge: _deployment__to_merge + merged_var_name: merged_topologies + expected_type: 'dict' + recursive_dict_merge: True + +- set_fact: + topologies: "{{ merged_topologies }}" + + +# Need topologies to render the following templates +- name: "load tfstates" + set_fact: + "tfstates_deployment__to_merge": "{{ lookup('template', '{{config_folder_platform_templates}}/services/tfstates.yaml') | from_yaml }}" + +- name: "load template.caf.platform" + set_fact: + "caf_platform_deployment__to_merge": "{{ lookup('template', '{{config_folder_platform_templates}}/services/template.caf.platform.yaml') | from_yaml }}" + 
+- name: Merge deployment files into topologies variable + merge_vars: + suffix_to_merge: _deployment__to_merge + merged_var_name: merged_topologies + expected_type: 'dict' + recursive_dict_merge: True + +- set_fact: + topologies: "{{ merged_topologies }}" + +- debug: + msg: "topologies: {{topologies}}" + +# +# Generate target folder structure and files +# + +- name: Copy files + include_tasks: "load_deployments.yaml" + loop: "{{topology.deployments.keys()}}" + loop_control: + loop_var: stage + +- name: tfstates.yaml + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/services/tfstates.yaml" + dest: "{{destination_path}}/tfstates.yaml" + +- name: ignite.yaml + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/eslz_single_subscription.yaml" + dest: "{{destination_path}}/ignite.yaml" + +- name: template.caf.platform.yaml + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/services/template.caf.platform.yaml" + dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml" + +- name: readme.me + ansible.builtin.template: + src: "{{config_folder_platform_templates}}/services/README.md" + dest: "{{destination_path}}/GETTING-STARTED.md" + + +- debug: + msg: + - "You have now initialized the definition of the platform" + - "You can review and adjust the yaml files." + - "configuration folder: - {{destination_path}}" + - "readme: {{destination_path}}/GETTING-STARTED.md" \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/config.asvm.yaml b/templates/platform/asvm/orion-landingzone/config.asvm.yaml similarity index 100% rename from templates/enterprise-scale/contoso/asvm/orion-landingzone/config.asvm.yaml rename to templates/platform/asvm/orion-landingzone/config.asvm.yaml 
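Review bot: The six `shell: az ...` tasks at the top of walk-through.yaml are read-only queries, so `command:` with `changed_when: false` fits them better than `shell:` and stops every run reporting changes; more importantly their `stdout` is consumed unchecked — eslz_single_subscription.yaml in this commit renders `ea_owner_object_id: {{object_id.stdout}}` and `subscription_id: {{subscription_id.stdout}}` — so a session that is not logged in writes an empty owner or subscription id into the generated definition. A `failed_when: object_id.stdout | length == 0` (and the same for `subscription_id`) on those tasks fails fast instead; later Azure CLI releases also moved the signed-in user's object id from `objectId` to `id`, which the same guard would catch. `tenant_name` and `tenant_id` are registered but not used by the file rendered here; presumably other templates consume them. `load_deployments.yaml` is included twice with the same loop and the `merge_vars` block is repeated verbatim; if the second pass is meant to render after `topologies` is complete, a comment such as `# second pass: templates need the merged topologies` would save the next reader a puzzle, and the task name `readme.me` should be `README.md`.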
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml b/templates/platform/asvm/orion-landingzone/deployments/orion_dev.yaml
similarity index 100%
rename from templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_dev.yaml
rename to templates/platform/asvm/orion-landingzone/deployments/orion_dev.yaml
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml b/templates/platform/asvm/orion-landingzone/deployments/orion_prod.yaml
similarity index 100%
rename from templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/orion_prod.yaml
rename to templates/platform/asvm/orion-landingzone/deployments/orion_prod.yaml
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml b/templates/platform/asvm/orion-landingzone/deployments/subscriptions.yaml
similarity index 100%
rename from templates/enterprise-scale/contoso/asvm/orion-landingzone/deployments/subscriptions.yaml
rename to templates/platform/asvm/orion-landingzone/deployments/subscriptions.yaml
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md b/templates/platform/asvm/orion-landingzone/readme.md
similarity index 100%
rename from templates/enterprise-scale/contoso/asvm/orion-landingzone/readme.md
rename to templates/platform/asvm/orion-landingzone/readme.md
diff --git a/templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml b/templates/platform/asvm/orion-landingzone/tfstates.asvm.yaml
similarity index 100%
rename from templates/enterprise-scale/contoso/asvm/orion-landingzone/tfstates.asvm.yaml
rename to templates/platform/asvm/orion-landingzone/tfstates.asvm.yaml
diff --git a/templates/platform/eslz_single_subscription.yaml b/templates/platform/eslz_single_subscription.yaml
new file mode 100644
index 000000000..81b12c9e5
--- /dev/null
+++ b/templates/platform/eslz_single_subscription.yaml
@@ -0,0 +1,171 @@ +customer_name: {{customer_name}} +caf_environment: {{caf_environment}} +caf_landingzone_branch: AL-azurerm2931 + +caf_regions: +{% for region, location in regions.items() %} + {{region}}: {{location}} +{% endfor %} + +# Use the lower-case region's name, short version with no space +resources_allowed_regions: +{% for region in regions.keys() %} + - {{region}} +{% endfor %} + +resource_groups_allowed_regions: +{% for region in regions.keys() %} + - {{region}} +{% endfor %} + +default_region_key: {{default_region_key}} + +azuread_user_ea_account_owner: {{upn.stdout}} +ea_owner_object_id: {{object_id.stdout}} + +azuread_identity_mode: service_principal +enable_azuread_groups: True +enable_azuread_applications: True + +enable_azure_subscription_vending_machine: True + +enterprise_scale: + {{eslz_mg_prefix}}: + version_to_deploy: "v1.1.1" + management_group_prefix: {{eslz_mg_prefix}} + management_group_name: "{{eslz_mg_name}}" + deploy_core_landing_zones: True + clean_up_destination_folder: True + update_lib_folder: True + + +subscription_deployment_mode: single_reuse + +subscriptions: + launchpad: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + identity: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + connectivity: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + management: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + +deployments: + root: + launchpad: launchpad_azuread_sp_single_subscription.yaml + launchpad_credentials: launchpad_credentials_azuread_sp.yaml + subscriptions: subscriptions.yaml + identity: identity.yaml + management: management.yaml + asvm: asvm.yaml + eslz: + {{eslz_mg_prefix}}: eslz.yaml + 
scale_out_domains: + identity_level2: + prod: identity_level2.yaml + non_prod: identity_level2.yaml + virtual_wans: + prod: connectivity_virtual_wans.yaml + virtual_hubs: + prod: connectivity_virtual_hubs.yaml + non_prod: connectivity_virtual_hubs.yaml + virtual_hubs_route_tables: + prod: connectivity_virtual_hubs_route_tables.yaml + non_prod: connectivity_virtual_hubs_route_tables.yaml + azurerm_firewalls: + prod: connectivity_firewalls.yaml + non_prod: connectivity_firewalls.yaml + azurerm_firewall_policies: + prod: connectivity_firewall_policies.yaml + non_prod: connectivity_firewall_policies.yaml + private_dns: + prod: connectivity_private_dns.yaml + non_prod: connectivity_private_dns.yaml + +# +# Advanced settings +# + +notifications: + monitor_action_groups: + networking_operations: {{default_email_address}} + service_health_alerts: {{default_email_address}} + azure_defender: + emailSecurityContact: {{default_email_address}} + + +backup_policies: + vms: + default: + name: vm-default-policy + # Default to UTC + # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ + timezone: SE Asia Standard Time + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + retention_weekly: + count: 2 + weekdays: + - Sunday + retention_monthly: + count: 2 + weeks: + - First + weekdays: + - Sunday + retention_yearly: + count: 1 + weeks: + - First + months: + - January + weekdays: + - Sunday + + +identity: + backup_policy: + vms: default + +management: + backup_policy: + vms: default + +connectivity: + backup_policy: + vms: default + + private_dns_zones: + zones: + privatelink.adf.azure.com: + privatelink.datafactory.azure.net: + privatelink.blob.core.windows.net: + privatelink.file.core.windows.net: + privatelink.notebooks.azure.net: + privatelink.dfs.core.windows.net: + privatelink.vaultcore.azure.net: + privatelink.azurecr.io: + privatelink.siterecovery.windowsazure.com: + privatelink.servicebus.windows.net: + 
privatelink.api.azureml.ms: + privatelink.monitor.azure.com: + privatelink.oms.opinsights.azure.com: + privatelink.ods.opinsights.azure.com: + privatelink.agentsvc.azure-automation.net: + + # region will be de-tokenized by the values set in resources_allowed_regions + regional_zones: + privatelink.region.azmk8s.io: + privatelink.region.backup.windowsazure.com: diff --git a/templates/platform/generic/readme.md b/templates/platform/generic/readme.md index 920e71fd6..9c9e84e37 100644 --- a/templates/platform/generic/readme.md +++ b/templates/platform/generic/readme.md 
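Review bot: `caf_landingzone_branch: AL-azurerm2931` hard-codes what looks like a developer working branch into the definition generated for every single-subscription platform, so each generated environment silently tracks an unreviewed branch; it should come from a variable with a released tag as its default. The `backup_policies` block says `# Default to UTC` but sets `timezone: SE Asia Standard Time`, so either the comment or the value is wrong. Scalars such as `customer_name: {{customer_name}}` and `name: {{subscription_name.stdout}}` are emitted unquoted, so a value containing `: ` or ` #` breaks the YAML; `"{{customer_name}}"` and `"{{subscription_name.stdout}}"` are the safe form. The four `subscriptions` entries all reuse `subscription_id.stdout`, which is consistent with `subscription_deployment_mode: single_reuse`; a one-line comment stating that dependency would help anyone who later edits one entry without the others.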
@@ -4,24 +4,24 @@ rover logout # login a with a user member of the caf-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[ tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details[resources.subscriptions.keys() | first].subscription_id }} \ {% elif subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id is defined %} -target_subscription {{ subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} -tfstate {{ tfstate_object.tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -w {{ tfstate_object.workspace | default('tfstate') }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ diff --git a/templates/platform/level0/README.md b/templates/platform/level0/README.md index 49212d2d2..ab7f0421c 100644 --- a/templates/platform/level0/README.md +++ b/templates/platform/level0/README.md 
@@ -1,5 +1,5 @@ ## Introduction -This directory contains details around the configurations which are deployed to the config. All the components are deployed in a layered approach. +This directory contains details around the configurations which are deployed to the resources. All the components are deployed in a layered approach. ### Level 0 Deployment Elements | Resources Deployed diff --git a/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml b/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml index bdcf02efd..8ddd78a86 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml +++ b/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml 
@@ -1,21 +1,21 @@ - name: "[{{ level }}-{{ base_folder }}] Clean-up directory" file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" + path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" state: absent - when: config.configuration_folders.platform.cleanup_destination | bool + when: resources.configuration_folders.platform.cleanup_destination | bool - name: "[{{ level }}-{{ base_folder }}] Creates directory" - when: config.caf_terraform.billing_subscription_role_delegations.enable == true + when: resources.caf_terraform.billing_subscription_role_delegations.enable == true register: level0_billing_subscription_role_delegations file: - path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" + path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" state: directory - name: "[{{ level }}-{{ base_folder }}] subscription role delegation" - when: config.caf_terraform.billing_subscription_role_delegations.enable == true + when: resources.caf_terraform.billing_subscription_role_delegations.enable == true ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - "{{ level }}/{{ base_folder }}/*.tfvars.j2" 
diff --git a/templates/platform/level0/billing_subscription_role_delegations/landingzone.tfvars.j2 b/templates/platform/level0/billing_subscription_role_delegations/landingzone.tfvars.j2 index 3d6c53658..810f750d0 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/landingzone.tfvars.j2 +++ b/templates/platform/level0/billing_subscription_role_delegations/landingzone.tfvars.j2 @@ -1,12 +1,12 @@ landingzone = { backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}" - global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" - level = "{{ config.tfstates.platform.launchpad.level }}" - key = "{{ config.tfstates.platform.billing_subscription_role_delegations.lz_key_name }}" + global_settings_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" + level = "{{ resources.tfstates.platform.launchpad.level }}" + key = "{{ resources.tfstates.platform.billing_subscription_role_delegations.lz_key_name }}" tfstates = { - {{ config.tfstates.platform.launchpad.lz_key_name }} = { + {{ resources.tfstates.platform.launchpad.lz_key_name }} = { level = "current" - tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}" + tfstate = "{{ resources.tfstates.platform.launchpad.tfstate }}" } } } diff --git a/templates/platform/level0/billing_subscription_role_delegations/readme.md b/templates/platform/level0/billing_subscription_role_delegations/readme.md index 40fe1e65f..ff67da8f1 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/readme.md +++ b/templates/platform/level0/billing_subscription_role_delegations/readme.md 
@@ -3,19 +3,19 @@ Set-up the subscription delegations for platform and landingzone subscriptions ```bash -# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} -rover login -t {{ config.platform_identity.tenant_name }} +# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +rover login -t {{ resources.platform_identity.tenant_name }} rover \ -lz {{ landingzones_folder }}/caf_solution \ - -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/level0/billing_subscription_role_delegations \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.billing_subscription_role_delegations.tfstate }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/level0/billing_subscription_role_delegations \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ resources.tfstates.platform.billing_subscription_role_delegations.tfstate }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ -launchpad \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.billing_subscription_role_delegations.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.billing_subscription_role_delegations.tfstate }}.tfplan \ -a plan rover logout 
@@ -25,13 +25,13 @@ rover logout # Run rover ignite to generate the next level configuration files To execute this step you need to login with on of the CAF maintainers: -{% for maintainer in config.platform_identity.caf_platform_maintainers %} +{% for maintainer in resources.platform_identity.caf_platform_maintainers %} - {{ maintainer }} {% endfor %} ```bash -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} rover ignite \ --playbook {{ landingzones_folder }}/ansible.yaml \ diff --git a/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 b/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 index af20cb1ea..2e8521165 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 +++ b/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 
@@ -2,18 +2,18 @@ subscription_billing_role_assignments = { # Delegated accounts who can create subscriptions. # Used by Gitops pipelines subscription_creators = { - billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" - enrollment_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}" + billing_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" + enrollment_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}" billing_role_definition_name = "Enrollment account subscription creator" principals = { azuread_service_principals = { subscription_creation_platform = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" key = "subscription_creation_platform" } subscription_creation_landingzones = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" key = "subscription_creation_landingzones" } } diff --git a/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 b/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 index 3ac296361..0e87a4c76 100644 --- a/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 +++ b/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 @@ -14,7 +14,7 @@ dynamic_keyvault_secrets = { } tenant_id = { secret_name = "tenant-id" - value = "{{ config.caf_terraform.launchpad.tenant_id }}" # {{ config.platform_identity.tenant_name }} Tenant + value = "{{ resources.caf_terraform.launchpad.tenant_id }}" # {{ resources.platform_identity.tenant_name }} Tenant } } diff --git a/templates/platform/level0/credentials/landingzone.tfvars.j2 b/templates/platform/level0/credentials/landingzone.tfvars.j2 index 30d5e3f8f..f65598b8f 100644 
--- a/templates/platform/level0/credentials/landingzone.tfvars.j2 +++ b/templates/platform/level0/credentials/landingzone.tfvars.j2 @@ -1,12 +1,12 @@ landingzone = { backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}" - global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" - level = "{{ config.tfstates.platform.launchpad.level }}" - key = "{{ config.tfstates.platform.launchpad_credentials.lz_key_name }}" + global_settings_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" + level = "{{ resources.tfstates.platform.launchpad.level }}" + key = "{{ resources.tfstates.platform.launchpad_credentials.lz_key_name }}" tfstates = { - {{ config.tfstates.platform.launchpad.lz_key_name }} = { + {{ resources.tfstates.platform.launchpad.lz_key_name }} = { level = "current" - tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}" + tfstate = "{{ resources.tfstates.platform.launchpad.tfstate }}" } } } diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index 9ad485217..cdf13dc74 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md 
@@ -3,22 +3,22 @@ ```bash # For manual bootstrap: -# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} -rover login -t {{ config.platform_identity.tenant_name }} +# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +rover login -t {{ resources.platform_identity.tenant_name }} rover \ -{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} +{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ resources.tfstates.platform.launchpad_credentials.tfstate }} \ -launchpad \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \ -a plan ``` 
@@ -30,18 +30,18 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla # On success plan, execute rover \ -{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} +{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ resources.tfstates.platform.launchpad_credentials.tfstate }} \ -launchpad \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \ -a apply ``` @@ -50,7 +50,7 @@ rover \ # On success, re-execute the rover ignite rover ignite \ - --playbook {{ base_templates_folder }}/ansible.yaml \ + --playbook {{ base_templates_folder }}/ansible/ansible.yaml \ -e base_templates_folder={{ base_templates_folder }} \ -e resource_template_folder={{resource_template_folder}} \ -e config_folder={{ config_folder }} \ 
@@ -66,7 +66,7 @@ Just re-execute the plan/apply command as above and you will notice the rover wi
 When you have successfully deployed the launchpad you can move to the next step.
-{% if config.caf_terraform.billing_subscription_role_delegations.enable %}
+{% if resources.caf_terraform.billing_subscription_role_delegations.enable %}
 [[Deploy the billing subscription role delegation](../billing_subscription_role_delegations/readme.md)
 {% else %}
 [Deploy the subscription services](../../level1/subscriptions/readme.md)
diff --git a/templates/platform/level0/credentials/role_mappings.tfvars.j2 b/templates/platform/level0/credentials/role_mappings.tfvars.j2
index 16b3339f7..b6ea33f21 100644
--- a/templates/platform/level0/credentials/role_mappings.tfvars.j2
+++ b/templates/platform/level0/credentials/role_mappings.tfvars.j2
@@ -6,7 +6,7 @@ role_mapping = {
 built_in_role_mapping = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
 resource_groups = {
 sp_credentials = {
 "Contributor" = {
@@ -14,7 +14,7 @@ role_mapping = {
 keys = [
 "identity"
 ]
- lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}"
+ lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
 }
 }
 }
diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml
index fb41fe5e2..50ca184d5 100644
--- a/templates/platform/level0/launchpad/ansible.yaml
+++ b/templates/platform/level0/launchpad/ansible.yaml
@@ -6,86 +6,98 @@
 path: "{{ job_cache_base_path }}/launchpad"
 state: directory
-- name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get tfstate account name"
 register: launchpad_storage_account
 shell: |
 az storage account list \
- --subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
+ --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ --query "[?tags.caf_tfstate=='{{ tfstate_object.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
 - debug:
 msg: "{{launchpad_storage_account}}"
-- name: "[{{resources.relative_destination_folder}}] Get launchpad tfstate details"
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad tfstate details"
 register: launchpad_tfstate_exists
 ignore_errors: true
 shell: |
 az storage blob download \
- --name "{{ config.tfstates.platform.launchpad.tfstate }}" \
+ --name "{{ resources.tfstates.platform.launchpad.tfstate }}" \
 --account-name "{{ launchpad_storage_account.stdout | default('') }}" \
- --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
+ --container-name "{{ resources.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
 --auth-mode "login" \
- --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+ --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}"
-- name: "[{{resources.relative_destination_folder}}] Get subscription_creation_landingzones details"
+- debug:
+ msg: "{{launchpad_tfstate_exists}}"
+
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get subscription_creation_landingzones details"
 when:
 - launchpad_tfstate_exists.rc == 0
- - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
- shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+ - resources.platform_core_setup.enable_azure_subscription_vending_machine
+ shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}"
 register: launchpad_tfstate
-- name: "[{{resources.relative_destination_folder}}] Get launchpad json data"
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad json data"
 when:
 - launchpad_tfstate_exists.rc == 0
- - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ - resources.platform_core_setup.enable_azure_subscription_vending_machine
 set_fact:
 scljsondata: "{{ launchpad_tfstate.stdout | from_json }}"
-- name: "[{{resources.relative_destination_folder}}] set launchpad_azuread_groups"
+- name: "[{{resources[tfstate].relative_destination_folder}}] set launchpad_azuread_groups"
 when:
 - launchpad_tfstate_exists.rc == 0
- - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ - resources.platform_core_setup.enable_azure_subscription_vending_machine
 set_fact:
 launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}"
 vars:
 path: 'outputs.objects.value.launchpad.azuread_groups'
-- name: "[{{resources.relative_destination_folder}}] Get credentials tfstate details"
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get credentials tfstate details for {{ resources.tfstates.platform.launchpad_credentials.tfstate }} from {{ launchpad_storage_account.stdout }}/{{ resources.tfstates.platform.launchpad.workspace | default('tfstate') }}"
 register: credentials_tfstate_exists
- ignore_errors: true
+ when:
+ - launchpad_tfstate_exists.rc == 0
 shell: |
 az storage blob download \
- --name "{{ config.tfstates.platform.launchpad_credentials.tfstate }}" \
+ --name "{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" \
 --account-name "{{ launchpad_storage_account.stdout }}" \
- --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
+ --container-name "{{ resources.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
 --auth-mode "login" \
- --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}"
+ --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}"
-- name: "[{{resources.relative_destination_folder}}] Get launchpad_credentials details"
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad_credentials details"
 when: credentials_tfstate_exists.rc == 0
- shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}"
+ shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}"
 register: launchpad_credentials
-- name: "[{{resources.relative_destination_folder}}] Get launchpad_credentials json data"
+- name: "Keyvaults"
+ debug:
+ msg:
+ - "{{credentials_tfstate_exists}}"
+ - "{{ resources.tfstates.platform.launchpad_credentials.tfstate }}"
+ - "{{launchpad_credentials}}"
+ verbosity: 2
+
+- name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad_credentials json data"
 when: credentials_tfstate_exists.rc == 0
 set_fact:
 credjsondata: "{{ launchpad_credentials.stdout | from_json }}"
-- name: "[{{resources.relative_destination_folder}}] set keyvaults"
+- name: "[{{resources[tfstate].relative_destination_folder}}] set keyvaults"
 when: credentials_tfstate_exists.rc == 0
 set_fact:
 keyvaults: "{{ credjsondata | json_query(path) }}"
 vars:
- path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults'
+ path: 'outputs.objects.value.launchpad_credentials.keyvaults'
-- name: "[{{resources.relative_destination_folder}}] cleanup"
+- name: "[{{resources[tfstate].relative_destination_folder}}] cleanup"
 when: credentials_tfstate_exists.rc == 0
 file:
- path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad_credentials.tfstate }}"
+ path: "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}"
 state: absent
-- name: "[{{resources.relative_destination_folder}}] cleanup"
+- name: "[{{resources[tfstate].relative_destination_folder}}] cleanup"
 when: launchpad_tfstate_exists.rc == 0
 file:
- path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+ path: "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}"
 state: absent
diff --git a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2
index 6f7c91e37..562e5c141 100644
--- a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2
+++ b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2
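Review bot: Replacing `ignore_errors: true` with `when: launchpad_tfstate_exists.rc == 0` on the "Get credentials tfstate details" task leaves `credentials_tfstate_exists` without an `rc` key whenever that task is skipped (a skipped task registers only `skipped: true`), so every later `when: credentials_tfstate_exists.rc == 0` in this playbook, and the same `credentials_tfstate_exists.rc == 0` test in the rendered readme templates, errors on an undefined attribute on a first bootstrap where no launchpad state exists yet. It also turns the case "launchpad deployed, credentials blob not there yet" from a tolerated miss into a hard failure of the download task. I would keep `ignore_errors: true` alongside the new `when`, and guard the consumers with `when: credentials_tfstate_exists.rc | default(1) == 0`. Separately, the new "Keyvaults" debug prints `launchpad_credentials`, i.e. the entire downloaded state file, at verbosity 2; a state file can carry secret values, so print only the `json_query` result holding the vault URIs, or put `no_log: true` on the `cat` task and this debug.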
@@ -1,20 +1,20 @@
-{% if config.platform_identity.enable_azuread_groups %}
+{% if resources.platform_identity.enable_azuread_groups %}
 azuread_groups_membership = {
 caf_platform_maintainers = {
-{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
 object_ids = {
 logged_in = {
 keys = ["user"]
 }
 }
 {% endif %}
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
 members = {
-{% if config.platform_identity.caf_platform_maintainers.user_principal_names is defined %}
+{% if resources.platform_identity.caf_platform_maintainers.user_principal_names is defined %}
 user_principal_names = [
- "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}",
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_identity.caf_platform_maintainers.user_principal_names is mapping%}
-{% for user in config.platform_identity.caf_platform_maintainers.user_principal_names %}
+ "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}",
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and resources.platform_identity.caf_platform_maintainers.user_principal_names is mapping%}
+{% for user in resources.platform_identity.caf_platform_maintainers.user_principal_names %}
 "{{ user }}",
 {% endfor %}
 {% endif %}
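Review bot: The guard `... user_principal_names is mapping` wraps a `{% for user in ... %}` loop that emits each element as a UPN string, and the two disagree about the value's type: if `user_principal_names` is the list its name suggests, `is mapping` is false and only the EA account owner ever lands in `caf_platform_maintainers`; if it is a mapping, the loop emits its keys. Presumably a list is intended, so the condition should be something like `... user_principal_names is iterable and user_principal_names is not string` (or simply dropped, since the `is defined` check above already guards the loop); please confirm against the resources yaml. The `azuread_groups_membership` block continues outside this hunk.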
@@ -25,14 +25,14 @@ azuread_groups_membership = {
 }
 caf_platform_contributors = {
 members = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
-{% if config.platform_identity.caf_platform_maintainers.user_principal_names is mapping %}
- user_principal_names = {{ config.platform_identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.caf_platform_maintainers.user_principal_names is mapping %}
+ user_principal_names = {{ resources.platform_identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
 {% endif %}
 {% endif %}
 }
 }
 }
 {% else %}
-# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true
+# Azure AD Groups in resources.platform_identity.enable_azuread_groups is not set to true
 {% endif %}
\ No newline at end of file
diff --git a/templates/platform/level0/launchpad/global_settings.tfvars.j2 b/templates/platform/level0/launchpad/global_settings.tfvars.j2
index c886e95eb..11a1feaa8 100644
--- a/templates/platform/level0/launchpad/global_settings.tfvars.j2
+++ b/templates/platform/level0/launchpad/global_settings.tfvars.j2
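Review bot: The `caf_platform_contributors` membership is populated from `resources.platform_identity.caf_platform_maintainers.user_principal_names`, so every maintainer is also made a contributor and there is no way to declare a separate, less-privileged contributor list; this reads like a copy-paste from the maintainers block above. If a distinct set is intended, the new line should reference `resources.platform_identity.caf_platform_contributors.user_principal_names` (with the `is mapping` guard and an `is defined` check pointing at the same key so an unset value does not break rendering). Note also that the guard tests `is mapping` while the `replace('[', ...)`/`replace(']', ...)` chain assumes the rendered value is a list literal; one of the two is wrong for whichever type the yaml uses. The `azuread_groups_membership` block opens outside this hunk.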
@@ -3,26 +3,26 @@
 #
 # passthrough means the default CAF naming convention is not applied and you are responsible
 # of the unicity of the names you are giving. the CAF provider will clear out
-passthrough = {{ config.caf_terraform.naming_convention.passthrough | string | lower }}
+passthrough = {{ resources.caf_terraform.naming_convention.passthrough | string | lower }}
 # adds random chars at the end of the names produced by the provider
 # Do not change the following values once the launchpad deployed.
 # Enable tag inheritance (can be changed)
-inherit_tags = {{ config.caf_terraform.naming_convention.inherit_tags | string | lower }}
+inherit_tags = {{ resources.caf_terraform.naming_convention.inherit_tags | string | lower }}
 # When passthrough is set to false, define the number of random characters to add to the names
-random_length = {{ config.caf_terraform.naming_convention.random_length }}
+random_length = {{ resources.caf_terraform.naming_convention.random_length }}
 # Set the prefix that will be added to all azure resources.
 # if not set and passthrough=false, the CAF module generates a random one.
-{% if config.caf_terraform.naming_convention.prefix is defined %}
-prefix = "{{ config.caf_terraform.naming_convention.prefix }}"
+{% if resources.caf_terraform.naming_convention.prefix is defined %}
+prefix = "{{ resources.caf_terraform.naming_convention.prefix }}"
 {% endif %}
 # Default region. When not set to a resource it will use that value
-default_region = "{{ config.caf_terraform.launchpad.default_region_key }}"
+default_region = "{{ resources.caf_terraform.launchpad.default_region_key }}"
 # You can reference the regions by using region1, region2 or set your own keys
 regions = {
-{% for key in config.caf_terraform.launchpad.regions.keys() %}
- {{ key }} = "{{ config.caf_terraform.launchpad.regions[key].name }}"
+{% for key, value in resources.caf_terraform.launchpad.regions.items() %}
+ {{ key }} = "{{ value }}"
 {% endfor %}
 }
@@ -36,10 +36,10 @@ launchpad_key_names = {
 ]
 }
-{% if config.caf_terraform.launchpad.tags is defined %}
+{% if resources.caf_terraform.launchpad.tags is defined %}
 # Global tags
 tags = {
-{% for tag_key, tag_value in config.caf_terraform.launchpad.tags.items() %}
+{% for tag_key, tag_value in resources.caf_terraform.launchpad.tags.items() %}
 {{ tag_key }} = "{{ tag_value }}"
 {% endfor %}
 }
diff --git a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 b/templates/platform/level0/launchpad/keyvaults.tfvars.j2
index 3dca65e8a..320ccb59e 100644
--- a/templates/platform/level0/launchpad/keyvaults.tfvars.j2
+++ b/templates/platform/level0/launchpad/keyvaults.tfvars.j2
@@ -1,21 +1,21 @@
 keyvaults = {
 level0 = {
- name = "{{ resources.subscriptions[subscription_key].keyvaults.level0.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level0.resource_group_key }}"
- sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
+ name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.name }}"
+ resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.resource_group_key }}"
+ sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
 tags = {
 caf_tfstate = "level0"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
+ caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
 }
 creation_policies = {
- // {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+ // {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
 bootstrap_user = {
- object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
+ object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
 }
-{% if config.platform_identity.enable_azuread_groups %}
+{% if resources.platform_identity.enable_azuread_groups %}
 caf_platform_maintainers = {
 azuread_group_key = "caf_platform_maintainers"
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
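Review bot: The `level0` vault's `sku_name` still reads the `level1` key, so a `level0.sku_name` value in the resources file is ignored and the level1 setting (or `standard`) is applied instead; the new line should be `sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.sku_name | default('standard') }}"`. On the surrounding context lines, `bootstrap_user` and `caf_platform_maintainers` both receive `Purge` on the vault that holds the platform credentials, which defeats the soft-delete safety net for those secrets; worth confirming that `Purge` is required here rather than `Recover` alone. The `keyvaults` map and the level0 `creation_policies` continue outside this hunk.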
@@ -25,7 +25,7 @@ keyvaults = {
 secret_permissions = ["Get"]
 }
 {% endif %}
-{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
 logged_in_user = {
 # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
 # More examples in /examples/keyvault
@@ -37,21 +37,21 @@ keyvaults = {
 }
 level1 = {
- name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level1.resource_group_key }}"
- sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
+ name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.name }}"
+ resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.resource_group_key }}"
+ sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
 tags = {
 caf_tfstate = "level1"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
+ caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
 }
 creation_policies = {
- // {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+ // {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
 bootstrap_user = {
- object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
+ object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
 }
-{% if config.platform_identity.enable_azuread_groups %}
+{% if resources.platform_identity.enable_azuread_groups %}
 caf_platform_maintainers = {
 azuread_group_key = "caf_platform_maintainers"
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
@@ -61,7 +61,7 @@ keyvaults = {
 secret_permissions = ["Get"]
 }
 {% endif %}
-{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
 logged_in_user = {
 # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
 # More examples in /examples/keyvault
@@ -73,21 +73,21 @@ keyvaults = {
 }
 level2 = {
- name = "{{ resources.subscriptions[subscription_key].keyvaults.level2.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level2.resource_group_key }}"
- sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
+ name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.name }}"
+ resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.resource_group_key }}"
+ sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
 tags = {
 caf_tfstate = "level2"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
+ caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
 }
 creation_policies = {
- // {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+ // {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
 bootstrap_user = {
- object_id = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
+ object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
 }
-{% if config.platform_identity.enable_azuread_groups %}
+{% if resources.platform_identity.enable_azuread_groups %}
 caf_platform_maintainers = {
 azuread_group_key = "caf_platform_maintainers"
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
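Review bot: The `level2` vault's `sku_name` line reads `keyvaults.level1.sku_name`, so the level2 SKU cannot be configured independently and a `level2.sku_name` setting is silently ignored; it should be `sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.sku_name | default('standard') }}"`, matching how `name` and `resource_group_key` on the two lines above already use the `level2` key. The `keyvaults` map and this block's `creation_policies` continue outside the hunk.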
@@ -97,7 +97,7 @@ keyvaults = {
 secret_permissions = ["Get"]
 }
 {% endif %}
-{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
 logged_in_user = {
 # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
 # More examples in /examples/keyvault
diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md
index 7ffc72441..f982e9a3f 100644
--- a/templates/platform/level0/launchpad/readme.md
+++ b/templates/platform/level0/launchpad/readme.md
@@ -1,29 +1,29 @@
-# Launchpad - {{ config.caf_terraform.launchpad.caf_environment }}
+# Launchpad - {{ resources.caf_terraform.launchpad.caf_environment }}
 ## Pre-requisites
 This scenario requires the following privileges:
-| Component | Privileges |
-|--------------------|--------------------|
-| Active Directory | None |
-| Azure subscription | Subscription owner |
+| Component | Privileges |
+|--------------------|----------------------|
+| Active Directory | Global Administrator |
+| Azure subscription | Subscription owner |
 ## Deployment
-{% if config.caf_terraform.billing_subscription_role_delegations is defined %}
+{% if resources.caf_terraform.billing_subscription_role_delegations is defined %}
 ### Pre-requisite
 Elevate your credentials to the tenant root level to have enough privileges to create the management group hierarchy.
 ```bash
-{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
-# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+{% if resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
+# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
 {% else %}
-# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner.
+# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with an account owner.
 {% endif %}
-rover login -t {{ config.platform_identity.tenant_name }}
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+rover login -t {{ resources.platform_identity.tenant_name }}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
 az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
 {% endif %}
@@ -33,14 +33,14 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap
 ### Launchpad
 ```bash
-{% if config.caf_terraform.billing_subscription_role_delegations is defined %}
-{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
-# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+{% if resources.caf_terraform.billing_subscription_role_delegations is defined %}
+{% if resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
+# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
 {% else %}
-# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with an account owner.
+# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with an account owner.
 {% endif %}
 {% endif %}
-rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }}
+rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }}
 cd {{ landingzones_folder }}
 git fetch origin
@@ -48,18 +48,18 @@ git checkout {{ resources.gitops.caf_landingzone_branch }}
 git pull
 rover \
-{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
+{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
 --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_launchpad \
 -var-folder {{ destination_path }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ -tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \
 -launchpad \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad.tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \
 -a plan
 ```
@@ -71,27 +71,33 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla
 # On success plan, execute
 rover \
-{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
+{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_launchpad \
 -var-folder {{ destination_path }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ -tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \
 -launchpad \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad.tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \
 -a apply
 ```
+Execute a rover logout and rover login in order to make sure your azure sessions has the Azure groups membership updated.
+
 ```bash
+rover logout
+
+rover login -t {{ resources.platform_identity.tenant_name }}
+
 # On success, re-execute the rover ignite
 rover ignite \
- --playbook {{ base_templates_folder }}/ansible.yaml \
+ --playbook {{ base_templates_folder }}/ansible/ansible.yaml \
 -e base_templates_folder={{ base_templates_folder }} \
 -e resource_template_folder={{resource_template_folder}} \
 -e config_folder={{ config_folder }} \
@@ -99,20 +105,11 @@ rover ignite \
 ```
-Execute a rover logout and rover login in order to make sure your azure sessions has the Azure groups membership updated.
-
-```bash
-rover logout
-
-rover login -t {{ config.platform_identity.tenant_name }}
-
-```
-
 # Next steps
 When you have successfully deployed the launchpad you can move to the next step.
-{% if config.platform_identity.azuread_identity_mode == 'service_principal' %}
+{% if resources.platform_identity.azuread_identity_mode == 'service_principal' %}
 [Deploy the credentials landing zone](../credentials/readme.md)
 {% else %}
 [Deploy the management services](../../level1/management/readme.md)
diff --git a/templates/platform/level1/eslz/ansible.yaml b/templates/platform/level1/eslz/ansible.yaml
index 02159edd4..84a21a46c 100644
--- a/templates/platform/level1/eslz/ansible.yaml
+++ b/templates/platform/level1/eslz/ansible.yaml
@@ -1,9 +1,11 @@
 - name: "{{level }}-{{ deployment}} - Set landingzone file_path"
 set_fact:
- destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{ level }}/{{ deployment }}"
- mg: "{{ lookup('file', '{{ config_folder }}/eslz/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
- mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
+ destination_path: "{{resources.configuration_folders.platform.destination_base_path}}/{{resources.configuration_folders.platform.destination_relative_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}"
+ mg: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
+ mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
 level: "{{tfstate_object.level}}"
+ definition_source_folder: "{{config_folder}}/eslz/{{ deployment}}"
+ template_source_folder: "{{base_templates_folder}}/{{tfstate_object.template_lib_folder}}"
 verbosity: 2
 - debug:
@@ -13,12 +15,11 @@
 shell: |
 rm -rf "{{ destination_path }}"
 when:
- - config.platform_core_setup.enterprise_scale.enable
- - config.platform_core_setup.enterprise_scale.clean_up_destination_folder
+ - resources.platform_core_setup.enterprise_scale[deployment].clean_up_destination_folder
 - name: "{{ level }}-{{ deployment }} | Creates directory structure"
- shell: mkdir -p "{{ destination_path }}/lib/{{ item.path }}"
- with_filetree: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder}}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}"
+ shell: mkdir -p "{{ destination_path }}/{{ item.path }}"
+ with_filetree: "{{ definition_source_folder }}"
 when: item.state == 'directory'
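Review bot: The `rm -rf "{{ destination_path }}"` task loses its `enterprise_scale.enable` guard and now fires on `clean_up_destination_folder` alone, while `destination_path` is assembled from `resources['eslz_' + deployment].relative_destination_folder`; if that value renders as an empty string the path collapses to `destination_base_path/destination_relative_path/` and the recursive delete removes every level's generated configuration rather than this deployment's folder. An `ansible.builtin.assert` before the shell task, `that: resources['eslz_' + deployment].relative_destination_folder | length > 0`, makes that case fail loudly; using `ansible.builtin.file` with `state: absent` instead of a shell `rm -rf` also drops the quoting concern. The `rm -rf` task's `name:` line sits between the two hunks shown.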
@@ -27,12 +28,12 @@
 dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
 force: yes
 with_fileglob:
- - "{{ level }}/{{ deployment }}/*.j2"
- - "{{ level }}/{{ deployment }}/*.md"
+ - "{{ template_source_folder }}/*.j2"
+ - "{{ template_source_folder }}/*.md"
 - name: "{{ level }}-{{ deployment }} | Lib - archetypes - built-in"
 ansible.builtin.template:
- src: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder}}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/archetype_definition_template.json.j2"
+ src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/archetype_definitions/archetype_definition_template.json.j2"
 dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json"
 force: yes
 loop: "{{ mg.archetype_definitions.keys() }}"
@@ -43,20 +44,30 @@ when: - mg_custom.archetype_definitions is defined ansible.builtin.template: - src: "{{ base_templates_folder }}/{{ tfstate_object.sub_template_folder }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/archetype_definitions/custom_landing_zone_template.json.j2" + src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/archetype_definitions/custom_landing_zone_template.json.j2" dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg_custom.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg_custom.archetype_definitions.keys() }}" loop_control: loop_var: item +- name: "{{ level }}-{{ deployment }} | archetypes" + ansible.builtin.template: + src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/{{item}}" + dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + force: yes + loop: + - archetype_config_overrides.tfvars.j2 + - custom_landing_zones.tfvars.j2 + - name: "{{ level }}-{{ deployment }} | Lib" ansible.builtin.template: src: "{{ item.src }}" - dest: "{{ destination_path }}/lib/{{ item.path }}" + dest: "{{ destination_path }}/{{ item.path }}" force: yes - with_filetree: "{{ config_folder }}/eslz/lib" - when: item.state == 'file' and config.platform_core_setup.enterprise_scale.update_lib_folder + with_filetree: "{{ definition_source_folder }}" + when: + - item.state == 'file' and resources.platform_core_setup.enterprise_scale[deployment].update_lib_folder - name: "{{ level }}-{{ deployment }} | overrides" when: @@ -66,4 +77,4 @@ dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - - "{{ level }}/{{ deployment }}/lib/{{ config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy }}/*.tfvars.j2" + - "{{ definition_source_folder }}/*.tfvars.j2" 
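Review bot: The `Lib` task now renders user definitions to `{{ destination_path }}/{{ item.path }}` (the `/lib/` segment was dropped) while the two built-in archetype tasks still write under `{{ destination_path }}/lib/archetype_definitions/`, and `enterprise_scale.tfvars.j2` in this patch points `library_path` at `…/lib`. If `definition_source_folder` does not itself contain a `lib/` subtree, user-supplied archetype definitions land beside the tfvars files rather than in the library Terraform reads; a comment on the task stating the expected layout of `{{config_folder}}/eslz/{{deployment}}` would settle it. Separately, the new `when:` list holds a single `and`-joined item; splitting it into `- item.state == 'file'` and `- resources.platform_core_setup.enterprise_scale[deployment].update_lib_folder` matches the list form used in the clean-up task.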
diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 index 8a1c36582..ef0f81290 100644 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 +++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 
@@ -1,11 +1,11 @@ # relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz -library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ tfstate_object.sub_template_folder }}/lib" -{% if config.platform_core_setup.enterprise_scale.root_parent_id is defined %} -root_parent_id = "{{ config.platform_core_setup.enterprise_scale.root_parent_id }}" +library_path = "../../../../{{ resources.configuration_folders.platform.destination_relative_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib" +{% if resources.platform_core_setup.enterprise_scale[deployment].root_parent_id is defined %} +root_parent_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].root_parent_id }}" {% endif %} -root_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}" -root_name = "{{ config.platform_core_setup.enterprise_scale.management_group_name }}" -deploy_core_landing_zones = {{ config.platform_core_setup.enterprise_scale.deploy_core_landing_zones | string | lower }} -{% if (config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine | default(false)) and config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +root_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}" +root_name = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_name }}" +deploy_core_landing_zones = {{ resources.platform_core_setup.enterprise_scale[deployment].deploy_core_landing_zones | string | lower }} +{% if (resources.platform_core_setup.enable_azure_subscription_vending_machine | default(false)) and resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} reconcile_vending_subscriptions = true {% endif %} \ No newline at end of file 
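Review bot: `library_path` is now composed as `{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib`, whereas the playbook that writes the library computes `destination_path` from `{{ resources['eslz_' + deployment].relative_destination_folder }}`; the two agree only by convention, and any drift leaves Terraform with a `library_path` that does not exist. Deriving both from the same value keeps them in lock-step, e.g. `library_path = "../../../../{{ resources.configuration_folders.platform.destination_relative_path }}/{{ resources['eslz_' + deployment].relative_destination_folder }}/lib"`. Note also that `enable_azure_subscription_vending_machine` is read from `resources.platform_core_setup` directly while every neighbouring key moved under `enterprise_scale[deployment]`; confirm that is where the key now lives.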
diff --git a/templates/platform/level1/eslz/landingzone.tfvars.j2 b/templates/platform/level1/eslz/landingzone.tfvars.j2 deleted file mode 100644 index a532255c1..000000000 --- a/templates/platform/level1/eslz/landingzone.tfvars.j2 +++ /dev/null @@ -1,26 +0,0 @@ -landingzone = { - backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}" - global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" - level = "level1" - key = "{{ config.tfstates.platform.eslz.lz_key_name }}" - tfstates = { - {{ config.tfstates.platform.launchpad.lz_key_name }} = { - level = "lower" - tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}" - } - {{ config.tfstates.platform.management.lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.management.tfstate }}" - } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse' %} - {{ config.tfstates.platform.platform_subscriptions.lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.platform_subscriptions.tfstate }}" - } -{% endif %} - {{ config.tfstates.platform.identity.lz_key_name }} = { - level = "current" - tfstate = "{{ config.tfstates.platform.identity.tfstate }}" - } - } -} diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 index c731806ec..d97605f1a 100644 --- a/templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 
@@ -6,22 +6,22 @@ archetype_config_overrides = { "Deny-Resource-Locations" = { "listOfAllowedLocations" = { value = [ - "{{ config.caf_terraform.launchpad.regions.region1.name }}", - "{{ config.caf_terraform.launchpad.regions.region2.name }}" + "{{ resources.caf_terraform.launchpad.regions.region1.name }}", + "{{ resources.caf_terraform.launchpad.regions.region2.name }}" ] } } "Deny-RSG-Locations" = { "listOfAllowedLocations" = { value = [ - "{{ config.caf_terraform.launchpad.regions.region1.name }}", - "{{ config.caf_terraform.launchpad.regions.region2.name }}" + "{{ resources.caf_terraform.launchpad.regions.region1.name }}", + "{{ resources.caf_terraform.launchpad.regions.region2.name }}" ] } } "Deploy-Resource-Diag" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" resource_key = "central_logs_region1" @@ -33,7 +33,7 @@ archetype_config_overrides = { } "Deploy-VM-Monitoring" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" resource_key = "central_logs_region1" @@ -42,7 +42,7 @@ archetype_config_overrides = { } "Deploy-VMSS-Monitoring" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" resource_key = "central_logs_region1" diff --git a/templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 index 75d3f2d03..75955e0df 100644 --- a/templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 
+++ b/templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 @@ -1,7 +1,7 @@ custom_landing_zones = { - {{ config.eslz.root_id }}-corp = { + {{ resources.eslz.root_id }}-corp = { display_name = "Corp" - parent_management_group_id = "{{ config.eslz.root_id }}-landing-zones" + parent_management_group_id = "{{ resources.eslz.root_id }}-landing-zones" archetype_config = { archetype_id = "landingzone_corp" parameters = {} @@ -10,9 +10,9 @@ custom_landing_zones = { subscriptions = {} subscription_ids = [] } - {{ config.eslz.root_id }}-online = { + {{ resources.eslz.root_id }}-online = { display_name = "Online" - parent_management_group_id = "{{ config.eslz.root_id }}-landing-zones" + parent_management_group_id = "{{ resources.eslz.root_id }}-landing-zones" archetype_config = { archetype_id = "landingzone_online" parameters = {} diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old b/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old index 1875a1bb2..4b36919b8 100644 --- a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old +++ b/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old @@ -6,8 +6,8 @@ archetype_config_overrides = { "Allowed-Locations" = { "listOfAllowedLocations" = { values = [ -{% for key in config.caf_terraform.launchpad.regions.keys() %} - "{{ config.caf_terraform.launchpad.regions[key].name }}", +{% for key in resources.caf_terraform.launchpad.regions.keys() %} + "{{ resources.caf_terraform.launchpad.regions[key].name }}", {% endfor %} ] } 
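Review bot: `archetype_config_overrides.old` under `lib/v0.3.3` is kept in sync with the `config` → `resources` rename across this hunk and the `@@ -15,18 +15,18 @@`, `@@ -35,64 +35,64 @@`, `@@ -109,10 +109,10 @@`, `@@ -133,20 +133,20 @@`, `@@ -162,10 +162,10 @@` and `@@ -180,10 +180,10 @@` hunks, yet none of the globs used in this patch (`*.j2`, `*.md`, `*.tfvars.j2`) pick up a `.old` file. If nothing renders it, it is dead text that will keep drifting from the live template; deleting it is cheaper than maintaining it, and git history keeps the old version. It also still reads `resources.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine` without `[deployment]` and without the `default(false)` the live `enterprise_scale.tfvars.j2` applies.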
@@ -15,18 +15,18 @@ archetype_config_overrides = { "Deny-RSG-Locations" = { "listOfAllowedLocations" = { values = [ -{% for key in config.caf_terraform.launchpad.regions.keys() %} - "{{ config.caf_terraform.launchpad.regions[key].name }}", +{% for key in resources.caf_terraform.launchpad.regions.keys() %} + "{{ resources.caf_terraform.launchpad.regions[key].name }}", {% endfor %} ] } } "Deploy-Resource-Diag" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } "profileName" = { 
@@ -35,64 +35,64 @@ archetype_config_overrides = { } "Deploy-AzActivity-Log" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } } -{% if "VM" in config.platform_management.enable_monitoring %} +{% if "VM" in resources.platform_management.enable_monitoring %} "Deploy-VM-Monitoring" = { "logAnalytics_1" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } } {% endif %} -{% if "VMSS" in config.platform_management.enable_monitoring %} +{% if "VMSS" in resources.platform_management.enable_monitoring %} "Deploy-VMSS-Monitoring" = { "logAnalytics_1" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } } {% endif %} -{% if "Arc" in 
config.platform_management.enable_monitoring %} +{% if "Arc" in resources.platform_management.enable_monitoring %} "Deploy-WS-Arc-Monitoring" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } } "Deploy-LX-Arc-Monitoring" = { "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } } {% endif %} "Deploy-ASC-Defender" = { "emailSecurityContact" = { - value = "{{ config.notifications.security_center_email_contact }}" + value = "{{ resources.notifications.security_center_email_contact }}" } "logAnalytics" = { - lz_key = "{{ config.tfstates.platform.management.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}" output_key = "diagnostics" resource_type = "log_analytics" - resource_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" attribute_key = "id" } {% for parameter_key in 
mg.archetype_definitions.root.policy_assignments["Deploy-ASC-Defender"].keys() %} @@ -109,10 +109,10 @@ archetype_config_overrides = { archetype_id = "landingzone" parameters = {} access_control = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Owner" = { "azuread_groups" = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" attribute_key = "id" resource_keys = [ "subscription_creation_landingzones" @@ -133,20 +133,20 @@ archetype_config_overrides = { archetype_id = "platform_connectivity" parameters = {} access_control = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Owner" = { "azuread_groups" = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" attribute_key = "id" resource_keys = [ "connectivity" ] } } -{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} - "[{{ config.platform_core_setup.enterprise_scale.management_group_prefix | upper }}-CONNECTIVITY] CAF-network-vhub-peering" = { +{% if resources.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %} + "[{{ resources.platform_core_setup.enterprise_scale.management_group_prefix | upper }}-CONNECTIVITY] CAF-network-vhub-peering" = { "azuread_groups" = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" attribute_key = "id" resource_keys = [ "subscription_creation_landingzones" 
@@ -162,10 +162,10 @@ archetype_config_overrides = { archetype_id = "platform_identity" parameters = {} access_control = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Owner" = { "azuread_groups" = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" attribute_key = "id" resource_keys = [ "identity" @@ -180,10 +180,10 @@ archetype_config_overrides = { archetype_id = "platform_management" parameters = {} access_control = { -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} "Owner" = { "azuread_groups" = { - lz_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}" attribute_key = "id" resource_keys = [ "management" diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.tfvars.j2 index e24a0bef6..ee59be455 100644 --- a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.tfvars.j2 @@ -33,9 +33,9 @@ archetype_config_overrides = { {% else %} parameters = {} {% endif %} -{% if level.archetype_config.access_control is defined %} +{% if level.archetype_resources.access_control is defined %} access_control = { -{% for level_ac_key, level_ac in level.archetype_config.access_control.items() %} +{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} "{{ level_role_key }}" = { 
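Review bot: The `@@ -33,9 +33,9 @@` hunk of `lib/v0.3.3/archetype_config_overrides.tfvars.j2` changes the lookup to `level.archetype_resources.access_control`, but the YAML the templates read still keys role assignments under `archetype_config: access_control:` (visible as context lines in the renamed `v1.1.1/archetype_config_overrides.caf.platform.yaml`), so this looks like the `config` → `resources` search-and-replace reaching into a data key. With that key absent the condition is false and the whole `access_control = { … }` block — the Owner role assignments for the management groups — is silently omitted from the rendered tfvars. The same substitution appears in `v0.3.3/custom_landing_zones.tfvars.j2` (`@@ -36,9 +36,9 @@`) and in `v1.1.1/archetype_config_overrides.tfvars.j2` (`@@ -33,10 +33,10 @@`), where `is mapping` makes the omission even quieter. Unless the YAML schema is being renamed elsewhere, revert to `{% if level.archetype_config.access_control is defined %}` and `{% for level_ac_key, level_ac in level.archetype_config.access_control.items() %}`.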
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2 index 4ebb58b6b..d6b3890d7 100644 --- a/templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2 @@ -1,8 +1,8 @@ custom_landing_zones = { {% for key, level in mg_custom.archetype_definitions.items() %} - {{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ key }} = { + {{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ key }} = { display_name = "{{ mg_custom.archetype_definitions[key].display_name }}" - parent_management_group_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}" + parent_management_group_id = "{{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}" archetype_config = { archetype_id = "{{mg_custom.archetype_definitions[key].archetype_id }}" {% if mg_custom.archetype_definitions[key].policy_assignments is defined %} @@ -36,9 +36,9 @@ custom_landing_zones = { {% else %} parameters = {} {% endif %} -{% if mg_custom.archetype_definitions[key].archetype_config.access_control is defined %} +{% if mg_custom.archetype_definitions[key].archetype_resources.access_control is defined %} access_control = { -{% for level_ac_key, level_ac in mg_custom.archetype_definitions[key].archetype_config.access_control.items() %} +{% for level_ac_key, level_ac in mg_custom.archetype_definitions[key].archetype_resources.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} "{{ level_role_key }}" = { 
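Review bot: This template indexes `resources.platform_core_setup.enterprise_scale.management_group_prefix` without the `[deployment]` key, while the playbook and the `v1.1.1` templates in the same patch read `enterprise_scale[deployment].management_group_prefix` and `enterprise_scale[deployment].clean_up_destination_folder`. If `enterprise_scale` is now a per-deployment map, this line renders an undefined value into the management-group id; if `v0.3.3` is intentionally frozen on the old schema, a `{# #}` comment at the top of the file saying so would stop the next reviewer from "fixing" it. Either `{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ key }} = {` (and the matching `parent_management_group_id` line) or the comment.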
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml b/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml similarity index 83% rename from templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml rename to templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml index 678d0df5a..f36891f30 100644 --- a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/archetype_config_overrides.caf.platform.yaml +++ b/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml @@ -4,12 +4,14 @@ archetype_definitions: policy_assignments: Allowed-Locations: listOfAllowedLocations: - - southeastasia # Use the lower-case region's name, short version with no space - - eastasia +{% for region in topology.resources_allowed_regions %} + - {{topology.caf_regions[region]}} +{% endfor %} Deny-RSG-Locations: listOfAllowedLocations: - - southeastasia - - eastasia +{% for region in topology.resource_groups_allowed_regions %} + - {{topology.caf_regions[region]}} +{% endfor %} # Set to Audit as Terraform cannot combine both in one operation yet. Deny-Subnet-Without-Nsg: effect: Audit @@ -37,12 +39,12 @@ archetype_definitions: sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled sqlServerAdvancedDataSecurityMonitoringEffect: Disabled - systemUpdatesMonitoringEffect: Disabled + systemUpdatesMonitoringEffect: AuditIfNotExists useRbacRulesMonitoringEffect: Disabled vmssSystemUpdatesMonitoringEffect: Disabled windowsDefenderExploitGuardMonitoringEffect: Disabled Deploy-ASCDF-Config: - emailSecurityContact: + emailSecurityContact: {{topology.notifications.azure_defender.emailSecurityContact}} logAnalytics: lz_key: management output_key: diagnostics 
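Review bot: The new Jinja in this `.yaml` file reads a `topology` namespace (`topology.resources_allowed_regions`, `topology.caf_regions`, and in later hunks `topology.notifications.azure_defender.emailSecurityContact` and `topology.caf_environment`), whereas every other template in the patch moved from `config` to `resources`; nothing on the page shows where `topology` is defined or which task renders this file. The file keeps its `.yaml` suffix, so it is no longer loadable with `lookup('file') | from_yaml` until rendered, and the `*.j2` globs used by the level1 playbook do not match it. A header comment such as `{# Rendered by <TODO: name the task/playbook> from the 'topology' vars; not valid YAML until templated #}` would document both points, and renaming to `.yaml.j2` would make the dependency visible.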
@@ -104,6 +106,7 @@ archetype_definitions: Append-Redis-disableNonSslPort: Append-Redis-sslEnforcement: Audit-MachineLearning-PrivateEndpointId: + CAF-Deploy-Nsg-FlowLogs: Deny-AA-child-resources: Deny-AppGW-Without-WAF: Deny-AppServiceApiApp-http: @@ -244,6 +247,7 @@ archetype_definitions: Deny-IP-Forwarding: Deny-Priv-Containers-AKS: Deny-Priv-Escalation-AKS: + Deny-Private-DNS-Zones: Deny-RDP-From-Internet: Deny-Storage-http: Deploy-AKS-Policy: @@ -252,6 +256,34 @@ archetype_definitions: Enable-DDoS-VNET: Enforce-AKS-HTTPS: Enforce-TLS-SSL: + CAF-Deploy-Nsg-FlowLogs: + effect: DeployIfNotExists + retention: 5 + storageAccountResourceId: + lz_key: management + output_key: objects + resource_type: storage_accounts + resource_key: nsgflogs + attribute_key: id + interval: 60 + flowAnalyticsEnabled: true + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + Deny-Public-Endpoints: + ACRPublicIpDenyEffect: Audit + AFSPublicIpDenyEffect: Audit + AKSPublicIpDenyEffect: Audit + BatchPublicIpDenyEffect: Audit + CosmosPublicIpDenyEffect: Audit + KeyVaultPublicIpDenyEffect: Audit + MySQLFlexPublicIpDenyEffect: Audit + PostgreSQLFlexPublicIpDenyEffect: Audit + SqlServerPublicIpDenyEffect: Audit + StoragePublicIpDenyEffect: Audit archetype_config: access_control: Owner: @@ -275,7 +307,7 @@ archetype_definitions: resource_keys: - connectivity # Make sure you replace with the Management Group ID in UPPER CASE - '[-CONNECTIVITY] CAF-network-vhub-peering': + '[{{topology.caf_environment | upper}}-CONNECTIVITY] CAF-network-vhub-peering': azuread_groups: lz_key: launchpad attribute_key: id @@ -285,6 +317,8 @@ archetype_definitions: - management management: archetype_id: platform_management + policy_assignments: + Deny-Private-DNS-Zones: archetype_config: access_control: Owner: 
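Review bot: The 17-line `CAF-Deploy-Nsg-FlowLogs` parameter block added here for `root` is repeated verbatim for `platform` in the `@@ -308,7 +344,31 @@` hunk; the two assignments will drift the first time one is edited. Anchoring the first occurrence (`CAF-Deploy-Nsg-FlowLogs: &nsg_flowlogs`) and referencing it from the second (`CAF-Deploy-Nsg-FlowLogs: *nsg_flowlogs`) keeps them identical, since the anchor survives Jinja rendering. `retention: 5` (presumably days) is short for flow-log-based investigation of a compromise discovered weeks later; if that is a cost trade-off, a trailing comment stating it would stop the value being read as an oversight. `Deny-Public-Endpoints` is assigned with every effect set to `Audit`; a comment noting that the assignment is intentionally audit-only despite the `Deny-` name would avoid a false sense of enforcement.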
@@ -298,6 +332,8 @@ archetype_definitions: policy_assignments: Deny-RDP-From-Internet: Deny-Public-IP: + Deny-Private-DNS-Zones: + Deny-IP-Forwarding: archetype_config: access_control: Owner: @@ -308,7 +344,31 @@ archetype_definitions: - identity decommissioned: archetype_id: platform_decommissioned + policy_assignments: + Deny-IP-Forwarding: + Deny-Private-DNS-Zones: platform: archetype_id: platform + policy_assignments: + CAF-Deploy-Nsg-FlowLogs: + effect: DeployIfNotExists + retention: 5 + storageAccountResourceId: + lz_key: management + output_key: objects + resource_type: storage_accounts + resource_key: nsgflogs + attribute_key: id + interval: 60 + flowAnalyticsEnabled: true + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id sandboxes: - archetype_id: platform_sandboxes \ No newline at end of file + archetype_id: platform_sandboxes + policy_assignments: + Deny-IP-Forwarding: + Deny-Private-DNS-Zones: \ No newline at end of file diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 index 304554212..b63fcab3a 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 @@ -2,7 +2,7 @@ archetype_config_overrides = { {% for key, level in mg.archetype_definitions.items() %} {{ key }} = { archetype_id = "{{mg.archetype_definitions[key].archetype_id }}" -{% if mg.archetype_definitions[key].policy_assignments is defined %} +{% if mg.archetype_definitions[key].policy_assignments is mapping %} parameters = { {% for pa_key, pa_value in mg.archetype_definitions[key].policy_assignments.items() %} {% if pa_value is mapping %} 
@@ -33,10 +33,10 @@ archetype_config_overrides = { {% else %} parameters = {} {% endif %} -{% if level.archetype_config.access_control is defined %} +{% if level.archetype_resources.access_control is mapping %} access_control = { -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} -{% for level_ac_key, level_ac in level.archetype_config.access_control.items() %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} "{{ level_role_key }}" = { @@ -49,7 +49,7 @@ archetype_config_overrides = { {% endfor %} {% else %} "Owner" = { - "principal_ids" = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] + "principal_ids" = ["{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] } {% endif %} } diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2 b/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2 index a489b4cdc..8eb4f14ea 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2 @@ -1,7 +1,7 @@ { "{{ mg.archetype_definitions[item].archetype_id }}": { "policy_assignments": [ -{% if mg.archetype_definitions[item].policy_assignments is defined %} +{% if mg.archetype_definitions[item].policy_assignments is mapping %} {% for key in mg.archetype_definitions[item].policy_assignments.keys() %} {% if loop.last %} "{{ key }}" 
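Review bot: Switching the guard from `is defined` to `is mapping` here and across the remaining hunks of `archetype_definition_template.json.j2` and `custom_landing_zone_template.json.j2` means a `policy_assignments:` (or `policy_definitions:`, `policy_set_definitions:`, `role_definitions:`) key holding a list or scalar — an easy authoring mistake in the overrides YAML — is now dropped without any output, where the previous form failed loudly on `.keys()`. That may well be the intent, since an empty `policy_assignments:` with no children is null, passes `is defined`, and would break `.keys()`, but it is not stated anywhere. A `{# keys must be mappings (name -> parameters or null); any other type is silently ignored #}` comment at the top of each template, or an `ansible.builtin.assert` in the playbook that the values are mappings, would make the contract explicit.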
@@ -10,7 +10,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].policy_assignments is defined %} +{% if mg_custom.archetype_definitions[item].policy_assignments is mapping %} {% for key in mg_custom.archetype_definitions[item].policy_assignments.keys() %} {% if loop.last %} "{{ key }}" @@ -21,7 +21,7 @@ {% endif %} ], "policy_definitions": [ -{% if mg.archetype_definitions[item].policy_definitions is defined %} +{% if mg.archetype_definitions[item].policy_definitions is mapping %} {% for key in mg.archetype_definitions[item].policy_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -30,7 +30,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].policy_definitions is defined %} +{% if mg_custom.archetype_definitions[item].policy_definitions is mapping %} {% for key in mg_custom.archetype_definitions[item].policy_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -41,7 +41,7 @@ {% endif %} ], "policy_set_definitions": [ -{% if mg.archetype_definitions[item].policy_set_definitions is defined %} +{% if mg.archetype_definitions[item].policy_set_definitions is mapping %} {% for key in mg.archetype_definitions[item].policy_set_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -50,7 +50,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].policy_set_definitions is defined %} +{% if mg_custom.archetype_definitions[item].policy_set_definitions is mapping %} {% for key in mg_custom.archetype_definitions[item].policy_set_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -61,7 +61,7 @@ {% endif %} ], "role_definitions": [ -{% if mg.archetype_definitions[item].role_definitions is defined %} +{% if mg.archetype_definitions[item].role_definitions is mapping %} {% for key in mg.archetype_definitions[item].role_definitions.keys() %} {% if loop.last %} "{{ key }}" 
@@ -70,7 +70,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].role_definitions is defined %} +{% if mg_custom.archetype_definitions[item].role_definitions is mapping %} {% for key in mg_custom.archetype_definitions[item].role_definitions.keys() %} {% if loop.last %} "{{ key }}" diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2 b/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2 index a795469dc..04df5040a 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2 @@ -1,7 +1,7 @@ { "{{ mg_custom.archetype_definitions[item].archetype_id }}": { "policy_assignments": [ -{% if mg.archetype_definitions[item].policy_assignments is defined %} +{% if mg.archetype_definitions[item].policy_assignments is mapping %} {% for key in mg.archetype_definitions[item].policy_assignments.keys() %} {% if loop.last %} "{{ key }}" @@ -10,7 +10,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].policy_assignments is defined %} +{% if mg_custom.archetype_definitions[item].policy_assignments is mapping %} {% for key in mg_custom.archetype_definitions[item].policy_assignments.keys() %} {% if loop.last %} "{{ key }}" @@ -21,7 +21,7 @@ {% endif %} ], "policy_definitions": [ -{% if mg.archetype_definitions[item].policy_definitions is defined %} +{% if mg.archetype_definitions[item].policy_definitions is mapping %} {% for key in mg.archetype_definitions[item].policy_definitions.keys() %} {% if loop.last %} "{{ key }}" 
@@ -30,7 +30,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].policy_definitions is defined %} +{% if mg_custom.archetype_definitions[item].policy_definitions is mapping %} {% for key in mg_custom.archetype_definitions[item].policy_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -41,7 +41,7 @@ {% endif %} ], "policy_set_definitions": [ -{% if mg.archetype_definitions[item].policy_set_definitions is defined %} +{% if mg.archetype_definitions[item].policy_set_definitions is mapping %} {% for key in mg.archetype_definitions[item].policy_set_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -50,7 +50,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].policy_set_definitions is defined %} +{% if mg_custom.archetype_definitions[item].policy_set_definitions is mapping %} {% for key in mg_custom.archetype_definitions[item].policy_set_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -61,7 +61,7 @@ {% endif %} ], "role_definitions": [ -{% if mg.archetype_definitions[item].role_definitions is defined %} +{% if mg.archetype_definitions[item].role_definitions is mapping %} {% for key in mg.archetype_definitions[item].role_definitions.keys() %} {% if loop.last %} "{{ key }}" @@ -70,7 +70,7 @@ {% endif %} {% endfor %} {% endif %} -{% if mg_custom.archetype_definitions[item].role_definitions is defined %} +{% if mg_custom.archetype_definitions[item].role_definitions is mapping %} {% for key in mg_custom.archetype_definitions[item].role_definitions.keys() %} {% if loop.last %} "{{ key }}" 
diff --git a/templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/custom_landing_zones.caf.platform.yaml b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.caf.platform.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/reuse_subscriptions/eslz/custom_landing_zones.caf.platform.yaml rename to templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.caf.platform.yaml diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 index c95c57d8a..0ceba9780 100644 --- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 +++ b/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 @@ -1,8 +1,8 @@ custom_landing_zones = { {% for key, level in mg_custom.archetype_definitions.items() %} - {{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ key }} = { + {{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ key }} = { display_name = "{{ level.display_name }}" - parent_management_group_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ level.parent_management_group_id }}" + parent_management_group_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ level.parent_management_group_id }}" archetype_config = { archetype_id = "{{ level.archetype_id }}" {% if level.policy_assignments is defined %} 
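Review bot: Both changed lines index the enterprise-scale config as `resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix`, while subscription_id_overrides.tfvars.j2 in this same commit reads `resources.platform_core_setup.enterprise_scale.subscription_id_overrides` with no `[deployment]` index. If the new `resources` schema keys enterprise_scale per deployment, the other template will fail to render or read an unintended key; if it does not, the index here is the odd one out. `deployment` is not visible as defined anywhere in the diff, so this is inferred from the two templates disagreeing; confirming the schema and aligning both would settle it. The `custom_landing_zones` block continues past the end of this hunk.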
@@ -36,10 +36,10 @@ custom_landing_zones = { {% else %} parameters = {} {% endif %} -{% if level.archetype_config.access_control is defined %} +{% if level.archetype_resources.access_control is defined %} access_control = { -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} -{% for level_ac_key, level_ac in level.archetype_config.access_control.items() %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %} "{{level_ac_key}}" = { {% for level_role_key, level_role in level_ac.items() %} "{{ level_role_key }}" = { @@ -52,7 +52,7 @@ custom_landing_zones = { {% endfor %} {% else %} "Owner" = { - "principal_ids" = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] + "principal_ids" = ["{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] } {% endif %} } diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json b/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json new file mode 100644 index 000000000..575e6f450 --- /dev/null +++ b/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json 
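Review bot: When `archetype_resources.access_control` is configured but `azuread_identity_mode` is `logged_in_user`, the else branch drops the configured role assignments entirely and emits a single `Owner` assignment for the EA account owner object id at management-group scope. That may be deliberate for a bootstrap run, but it silently widens privilege: the operator's least-privilege mapping never reaches Terraform in that mode and there is no trace of it in the rendered tfvars. Suggest marking the branch, e.g. `{# logged_in_user mode: configured access_control is ignored and Owner is granted to the EA account owner; review before production use #}`, so the behaviour is visible to whoever reviews the generated output.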
@@ -0,0 +1,18 @@
+{
+ "name": "CAF-Deploy-Nsg-FlowLogs",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy if not exists nsg flowlogs and traffic analytics on network security groups. Define also the retention days.",
+ "displayName": "CAF - Enable Nsg flowlogs and traffic analytics.",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/CAF-Deploy-Nsg-FlowLogs",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": true
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json b/templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
new file mode 100644
index 000000000..cddfc581a
--- /dev/null
+++ b/templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
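Review bot: The assignment carries `"parameters": {}`, but the definition it references defaults `storageAccountResourceId` and `logAnalytics` to empty strings, so unless the consumer injects parameters at assignment time the DeployIfNotExists remediation will attempt to create every flow log with an empty `storageId` and fail on each NSG rather than enable logging. At minimum `storageAccountResourceId` (and ideally `logAnalytics` and `retention`) should be set here, or a comment in the surrounding library should state that these are expected to be supplied by the template consumer. Separately, `"enforcementMode": true` is a boolean where the ARM policy-assignment schema defines the string enum `Default`/`DoNotEnforce`; it is worth checking that the consumer maps it before this reaches the API.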
@@ -0,0 +1,228 @@ +{ + "name": "CAF-Deploy-Nsg-FlowLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "CAF - Enable Nsg flowlogs and traffic analytics.", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "flowAnalyticsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Traffic Analytics", + "description": null + }, + "defaultValue": "true" + }, + "interval": { + "type": "String", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)", + "description": null + }, + "defaultValue": "60" + }, + "retention": { + "type": "String", + "metadata": { + "displayName": "Retention days in storage account. If you want to retain data forever and do not want to apply any retention policy, set retention (days) to 0.", + "description": null + }, + "defaultValue": "2" + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + }, + "defaultValue": "" + }, + "storageAccountResourceId": { + "type": "String", + "metadata": { + "displayName": "Storage Account Resource Id", + "description": null, + "strongType": "Microsoft.Storage/storageAccounts" + }, + "defaultValue": "" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "equals": "Microsoft.Network/networkSecurityGroups", + "field": "type" + } + ] + }, + "then": { + "details": { + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "flowAnalyticsEnabled": { + "value": "[bool(parameters('flowAnalyticsEnabled'))]" + }, + "interval": { + "value": "[int(parameters('interval'))]" + }, + "location": { + "value": "[field('location')]" + }, + "networkSecurityGroup": { + "value": "[field('id')]" + }, + "retention": { + "value": "[int(parameters('retention'))]" + }, + "storageAccountResourceId": { + "value": "[parameters('storageAccountResourceId')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "location": "[parameters('location')]", + "outputs": {}, + "parameters": { + "flowAnalyticsEnabled": { + "type": "bool" + }, + "interval": { + "type": "int" + }, + "location": { + "type": "String" + }, + "networkSecurityGroup": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "storageAccountResourceId": { + "type": "String" + }, + "time": { + "defaultValue": "[utcNow()]", + "type": "String" + }, + "logAnalytics": { + "type": "String" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "[take(concat('NetworkWatcherRG', '.', variables('securityGroupName')), 64)]", + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2020-05-01", + "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]", + "location": "[parameters('location')]", + "properties": {}, + "resources": [ + { + "apiVersion": "2019-11-01", + "dependsOn": [ + "[concat('NetworkWatcher_', toLower(parameters('location')))]" + ], + "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]", + "location": "[parameters('location')]", + "properties": { + "enabled": true, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[bool(parameters('flowAnalyticsEnabled'))]", + "trafficAnalyticsInterval": "[parameters('interval')]", + "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]", + "workspaceResourceId": "[parameters('logAnalytics')]" + } + }, + "format": { + "type": "JSON", + "version": 2 + }, + "retentionPolicy": { + "days": "[parameters('retention')]", + "enabled": true + }, + "storageId": "[parameters('storageAccountResourceId')]", + "targetResourceId": "[parameters('networkSecurityGroup')]" + }, + "type": "flowLogs" + } + ], + "type": "Microsoft.Network/networkWatchers" + } + ] + } + }, + "resourceGroup": "NetworkWatcherRG", + "type": "Microsoft.Resources/deployments" + } + ], + "variables": { + "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]" + } + } + } + }, + "existenceCondition": { + "allof": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled", + "equals": "[bool(parameters('flowAnalyticsEnabled'))]" + }, + { + "field": 
"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.trafficAnalyticsInterval", + "equals": "[parameters('interval')]" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/retentionPolicy.days", + "equals": "[parameters('retention')]" + } + ] + }, + "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", + "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "type": "Microsoft.Network/networkWatchers/flowLogs" + }, + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/templates/platform/level1/eslz/readme.md b/templates/platform/level1/eslz/readme.md index 553131925..eff897294 100644 --- a/templates/platform/level1/eslz/readme.md +++ b/templates/platform/level1/eslz/readme.md 
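Review bot: `retention` defaults to `"2"` days and nothing in this library overrides it, so NSG flow logs — a primary network-forensics source — are kept for two days unless every assignment remembers to set the parameter; a defender-oriented default (a longer window, or `0` with storage lifecycle management) and a note in the parameter metadata would be safer. `roleDefinitionIds` lists only `4d97b98b-1d4f-4787-a291-c67834d212e7` (Network Contributor), yet the nested deployment writes a flow log against the storage account and calls `reference()` on the Log Analytics workspace; the `logAnalytics` description already says a workspace outside the assignment scope needs Log Analytics Contributor granted by hand, and the same caveat applies to the storage account, so either add the extra role ids or document it in the definition. The existence condition checks `enabled`, analytics `enabled`, `trafficAnalyticsInterval` and `retentionPolicy.days` but not `storageId` or `workspaceResourceId`, so a flow log redirected to another storage account or workspace still evaluates as compliant.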
@@ -2,28 +2,28 @@ ## Deploy Enterprise Scale -Note you need to adjust the branch to deploy Enterprise Scale to {{ config.platform_core_setup.enterprise_scale.private_lib[config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy].caf_landingzone_branch }} +Note you need to adjust the branch to deploy Enterprise Scale to {{ resources.platform_core_setup.private_lib[tfstate_object.eslz_version].caf_landingzone_branch }} ```bash az account clear # login a with a user member of the caf-platform-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin -git checkout {{ config.platform_core_setup.enterprise_scale.private_lib[config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy].caf_landingzone_branch }} +git checkout {{ resources.platform_core_setup.private_lib[tfstate_object.eslz_version].caf_landingzone_branch }} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.eslz.tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.eslz.tfstate }}.tfplan \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ tfstate_object.tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -level {{ tfstate_object.level }} \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan 
``` diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 index d1d1846aa..101b1279f 100644 --- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 +++ b/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 
@@ -1,51 +1,51 @@ subscription_id_overrides = { -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %} - root = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %} + root = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} root = [] {% endif %} {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} - decommissioned = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} + decommissioned = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} decommissioned = [] {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes is defined %} - sandboxes = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('[', 
'[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes is defined %} + sandboxes = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} sandboxes = [] {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %} - landing-zones = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %} + landing-zones = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} landing-zones = [] {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform is defined %} - platform = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.platform is defined %} + platform = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} platform = [] {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity is defined %} - connectivity = {{ 
config.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity is defined %} + connectivity = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} connectivity = [] {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.management is defined %} - management = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.management is defined %} + management = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} management = [] {% endif %} -{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity is defined %} - identity = {{ config.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.identity is defined %} + identity = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} identity = [] {% endif %} {% else %} -{% if config.platform_core_setup.enterprise_scale.subscription_deployment_mode == 
'single_reuse' %} +{% if resources.subscription_deployment_mode == 'single_reuse' %} root = [ - "{{ config.caf_terraform.launchpad.subscription_id }}" + "{{ resources.caf_terraform.launchpad.subscription_id }}" ] {% else %} root = [] @@ -60,27 +60,27 @@ subscription_id_overrides = { {% endif %} } -{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse' %} +{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and resources.subscription_deployment_mode != 'single_reuse' %} subscription_id_overrides_by_keys = { connectivity = { connectivity = { - lz_key = "{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.platform_subscriptions.lz_key_name }}" key = "connectivity" } } management = { launchpad = { - lz_key = "{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.platform_subscriptions.lz_key_name }}" key = "launchpad" } management = { - lz_key = "{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.platform_subscriptions.lz_key_name }}" key = "management" } } identity = { identity = { - lz_key = "{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.platform_subscriptions.lz_key_name }}" key = "identity" } } diff --git a/templates/platform/level1/identity/readme.md b/templates/platform/level1/identity/readme.md index b7aea606e..8abcacd95 100644 --- a/templates/platform/level1/identity/readme.md +++ b/templates/platform/level1/identity/readme.md 
@@ -8,31 +8,31 @@ rover logout # login a with a user member of the caf-maintainers group {% if platform_subscriptions_details is defined %} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.identity.subscription_id }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.identity.subscription_id }} {% elif subscriptions.platform_subscriptions.identity.subscription_id is defined %} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.identity.subscription_id }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.identity.subscription_id }} {% else %} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} {% endif %} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ {% elif subscriptions.platform_subscriptions.identity.subscription_id is defined %} -target_subscription {{ subscriptions.platform_subscriptions.identity.subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ 
resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.identity.tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.identity.tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity.tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level1/management/readme.md b/templates/platform/level1/management/readme.md index 6ae638062..5f3d6f4af 100644 --- a/templates/platform/level1/management/readme.md +++ b/templates/platform/level1/management/readme.md 
@@ -8,33 +8,33 @@ rover logout # login a with a user member of the caf-maintainers group {% if platform_subscriptions_details is defined %} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.management.subscription_id }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.management.subscription_id }} {% elif subscriptions.platform_subscriptions.management.subscription_id is defined %} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.management.subscription_id }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.management.subscription_id }} {% else %} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} {% endif %} rover \ {% if platform_subscriptions_details.eslz is defined %} -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.management.subscription_id }} \ {% elif subscriptions.platform_subscriptions.management.subscription_id is defined %} -target_subscription {{ subscriptions.platform_subscriptions.management.subscription_id }} \ {% else %} - -target_subscription 
{{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.management.tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.management.tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.management.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.management.tfstate }}.tfplan \ -a plan ``` @@ -44,7 +44,7 @@ rover \ When you have successfully deployed the management landing zone, you can move to the next step: -{% if config.platform_core_setup.enterprise_scale.enable %} +{% if resources.platform_core_setup.enterprise_scale is defined %} [Deploy Enterprise Scale](../../level1/eslz/readme.md) {% else %} [Deploy Connectivity](../../level2/connectivity/readme.md) diff --git a/templates/platform/level1/subscriptions/readme.md b/templates/platform/level1/subscriptions/readme.md index 709273ff6..2fbd42004 100644 --- a/templates/platform/level1/subscriptions/readme.md +++ b/templates/platform/level1/subscriptions/readme.md 
@@ -4,22 +4,22 @@ Set-up the subscription delegations for platform and landingzone subscriptions ```bash # For manual bootstrap: -# Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} -rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }} +# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} rover \ {% if platform_subscriptions_details.eslz is defined %} -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ - -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}.tfplan \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ tfstate_object.tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -level {{ tfstate_object.level }} \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan ``` 
diff --git a/templates/platform/level1/subscriptions/subscriptions.tfvars.j2 b/templates/platform/level1/subscriptions/subscriptions.tfvars.j2 deleted file mode 100644 index d0579f505..000000000 --- a/templates/platform/level1/subscriptions/subscriptions.tfvars.j2 +++ /dev/null 
@@ -1,38 +0,0 @@
-#
-# Execute the following command to get the billing_account_name and management_group_id
-#
-# az rest --method get --uri https://management.azure.com/providers/Microsoft.Billing/billingaccounts/?api-version=2020-05-01
-#
-# To retrieve the first billing account
-#
-# billing_account_name=$(az rest --method get --uri https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01 --query "value[?properties.agreementType=='EnterpriseAgreement'].{name:name}" -o tsv)
-#
-# enrollment_account_name=$(az rest --method get --uri https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01 --query "value[?properties.agreementType=='EnterpriseAgreement'].{name:properties.enrollmentAccounts[0].name}" -o tsv)
-#
-
-subscriptions = {
-
- {{ config.tfstates.platform.launchpad.lz_key_name }} = {
- name = "{{ config.caf_terraform.launchpad.subscription_name }}"
- alias = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ config.caf_terraform.launchpad.alias}}"
- subscription_id = "{{ config.caf_terraform.launchpad.subscription_id }}"
- }
-{% for key in subscriptions.platform_subscriptions.keys() %}
- {{ key }} = {
- name = "{{ subscriptions.platform_subscriptions[key].name }}"
-{% if subscriptions.platform_subscriptions[key].alias is defined %}
- alias = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ subscriptions.platform_subscriptions[key].alias }}"
-{% endif %}
-{% if subscriptions.platform_subscriptions[key].billing_account_name is defined %}
- billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}"
- enrollment_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}"
- workload = "{{ subscriptions.platform_subscriptions[key].workload | default('DevTest') }}"
-{% else %}
-{% if subscriptions.platform_subscriptions[key].subscription_id is defined %}
- subscription_id = "{{ subscriptions.platform_subscriptions[key].subscription_id }}"
-{% endif %}
-{% endif %}
- }
-{% endfor %}
-
-}
\ No newline at end of file
diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml
index aeb7d2b6f..01f4214e9 100644
--- a/templates/platform/level2/asvm/ansible.yaml
+++ b/templates/platform/level2/asvm/ansible.yaml
@@ -1,43 +1,43 @@
-- name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
+- name: "[{{resources.configuration_folders.platform.destination_relative_path}}] Get tfstate account name"
 register: launchpad_storage_account
 shell: |
 az storage account list \
- --subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
+ --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
 - debug:
 msg: "{{launchpad_storage_account}}"
-- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get launchpad tfstate details"
+- name: "[{{deployment}} - {{resources.configuration_folders.platform.destination_relative_path}}] - Get launchpad tfstate details"
 register: launchpad_tfstate_exists
 ignore_errors: true
 shell: |
 az storage blob download \
- --name "{{ config.tfstates.platform.launchpad.tfstate }}" \
+ --name "{{ resources.tfstates.platform.launchpad.tfstate }}" \
 --account-name "{{ launchpad_storage_account.stdout | default('') }}" \
- --container-name "{{ config.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
+ --container-name "{{ resources.tfstates.platform.launchpad.workspace | default('tfstate') }}" \
 --auth-mode "login" \
- --file "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+ --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}"
-- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get subscription_creation_landingzones details"
+- name: "[{{deployment}} - {{resources.configuration_folders.platform.destination_relative_path}}] - Get subscription_creation_landingzones details"
 when:
 - launchpad_tfstate_exists.rc == 0
- - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
- shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
+ - resources.platform_core_setup.enable_azure_subscription_vending_machine
+ shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}"
 register: launchpad_tfstate
-- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get launchpad json data"
+- name: "[{{deployment}} - {{v}}] - Get launchpad json data"
 when:
 - launchpad_tfstate_exists.rc == 0
- - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ - resources.platform_core_setup.enable_azure_subscription_vending_machine
 set_fact:
 scljsondata: "{{ launchpad_tfstate.stdout | from_json }}"
 - name: "[{{deployment}} - {{resources.relative_destination_folder}}] - set launchpad_azuread_groups"
 when:
 - launchpad_tfstate_exists.rc == 0
- - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
+ - resources.platform_core_setup.enable_azure_subscription_vending_machine
 set_fact:
 launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}"
 vars:
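Review bot: The renamed task `- name: "[{{deployment}} - {{v}}] - Get launchpad json data"` references a variable `v` that nothing in this hunk defines, while every other task renamed here uses `resources.configuration_folders.platform.destination_relative_path`; this looks like a stray edit and should presumably read `- name: "[{{deployment}} - {{resources.configuration_folders.platform.destination_relative_path}}] - Get launchpad json data"`. The last task in the hunk, `set launchpad_azuread_groups`, still carries the old `resources.relative_destination_folder` in its name, so the rename is incomplete within this file. The download task also caches the launchpad state under `~/.terraform.cache/launchpad/` and a later task `cat`s it into a registered variable; that is pre-existing, but since the paths are being touched it would be worth a comment noting that the cached state can contain secrets and that no cleanup of that file is performed here.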
@@ -48,8 +48,8 @@
 register: level2_storage_account
 shell: |
 az storage account list \
- --subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
+ --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
 - debug:
 msg: "{{level2_storage_account}}"
@@ -59,8 +59,8 @@
 register: level2_storage_rg
 shell: |
 az storage account list \
- --subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- --query "[?tags.caf_tfstate=='{{ config.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{resourceGroup:resourceGroup}[0]" -o json | jq -r .resourceGroup
+ --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{resourceGroup:resourceGroup}[0]" -o json | jq -r .resourceGroup
 - debug:
 msg: "{{level2_storage_account}}"
diff --git a/templates/platform/level2/asvm/keyvaults.tfvars.j2 b/templates/platform/level2/asvm/keyvaults.tfvars.j2
index f9a6f9fc6..9cfefb0e6 100644
--- a/templates/platform/level2/asvm/keyvaults.tfvars.j2
+++ b/templates/platform/level2/asvm/keyvaults.tfvars.j2
@@ -1,17 +1,16 @@
 keyvaults = {
 level3 = {
- name = "{{ resources.subscriptions[subscription_key].keyvaults.level3.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level3.resource_group_key }}"
- sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level3.sku_name | default('standard') }}"
+ name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level3.name }}"
+ resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level3.resource_group_key }}"
+ sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level3.sku_name | default('standard') }}"
 tags = {
 caf_tfstate = "level3"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
+ caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
 }
 creation_policies = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
-{% if launchpad_azuread_groups is defined %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 subscription_creation_landingzones = {
 object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}"
 secret_permissions = ["Get"]
@@ -25,8 +24,7 @@ keyvaults = {
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
 }
 {% endif %}
-{% endif %}
-{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
 logged_in_user = {
 # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
 # More examples in /examples/keyvault
@@ -38,16 +36,16 @@ keyvaults = {
 }
 level4 = {
- name = "{{ resources.subscriptions[subscription_key].keyvaults.level4.name }}"
- resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults.level4.resource_group_key }}"
- sku_name = "{{ resources.subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
+ name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level4.name }}"
+ resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level4.resource_group_key }}"
+ sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
 tags = {
 caf_tfstate = "level4"
- caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
+ caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
 }
 creation_policies = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
 {% if launchpad_azuread_groups is defined %}
 subscription_creation_landingzones = {
 object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}"
@@ -73,7 +71,7 @@ keyvaults = {
 }
 {% endif %}
 {% endif %}
-{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
 logged_in_user = {
 # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
 # More examples in /examples/keyvault
diff --git a/templates/platform/level2/asvm/readme.md b/templates/platform/level2/asvm/readme.md
index 9f0ed82a6..629fdbe83 100644
--- a/templates/platform/level2/asvm/readme.md
+++ b/templates/platform/level2/asvm/readme.md
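Review bot: The level4 block's new `sku_name` line still indexes `keyvaults.level1.sku_name` — `sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"` — while the `name` and `resource_group_key` lines beside it index `level4`, which looks like a copy-paste slip carried over from the old line; it should presumably read `keyvaults.level4.sku_name`. Because of the `default('standard')` filter the mismatch is silent: a SKU configured for level4 would be ignored and the vault created with whatever level1 sets, or `standard`. Separately, the level3 block in the earlier hunk of this file collapses the two guards into one `{% if ... != 'logged_in_user' and launchpad_azuread_groups is defined %}`, whereas level4 keeps them nested; aligning the two `creation_policies` blocks would make the access-policy logic easier to compare between levels.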
@@ -2,24 +2,24 @@
 ```bash
 # login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+rover login -t {{ resources.platform_identity.tenant_name }}
 cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
- -tfstate {{ config.tfstates.platform.asvm.tfstate }} \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
+ -tfstate {{ resources.tfstates.platform.asvm.tfstate }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.asvm.tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.asvm.tfstate }}.tfplan \
 -a plan
 ```
diff --git a/templates/platform/level2/asvm/role_mappings.tfvars.j2 b/templates/platform/level2/asvm/role_mappings.tfvars.j2
index c5076acbf..8dba28ebe 100644
--- a/templates/platform/level2/asvm/role_mappings.tfvars.j2
+++ b/templates/platform/level2/asvm/role_mappings.tfvars.j2
@@ -9,7 +9,7 @@ role_mapping = {
 resource_groups = {
 level3 = {
 "Reader" = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 object_ids = {
 keys = [
 "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers
@@ -31,7 +31,7 @@ role_mapping = {
 }
 level4 = {
 "Reader" = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 object_ids = {
 keys = [
 "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers
@@ -56,7 +56,7 @@ role_mapping = {
 storage_accounts = {
 level3 = {
 "Storage Blob Data Contributor" = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 object_ids = {
 keys = [
 "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers
@@ -69,7 +69,7 @@ role_mapping = {
 }
 {% endif %}
 }
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 "Owner" = {
 object_ids = {
 keys = [
@@ -82,7 +82,7 @@ role_mapping = {
 level4 = {
 "Storage Blob Data Contributor" = {
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 object_ids = {
 keys = [
 "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers
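Review bot: Every guard changed in this file now reads `{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}`, so when the identity mode is a service principal but `launchpad_azuread_groups` could not be resolved, the `Reader`, `Storage Blob Data Contributor` and `Owner` blocks render without their `object_ids` and the role assignments are silently dropped instead of the render failing (no `{% else %}` is visible in these hunks). In the accompanying asvm/ansible.yaml that variable is only set when the launchpad state download — which runs with `ignore_errors: true` — succeeds and the vending machine is enabled, so a transient lookup failure would yield a plan that quietly omits platform-maintainer access. Consider an `{% else %}` branch that aborts the render, or at minimum emits a marker such as `# launchpad_azuread_groups undefined: role assignment skipped` so the gap is visible in the generated tfvars. The same guard appears in the `@@ -95` hunk on the next line.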
@@ -95,7 +95,7 @@ role_mapping = {
 }
 {% endif %}
 }
-{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}
 "Owner" = {
 object_ids = {
 keys = [
diff --git a/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md b/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md
index 46a4ee3c4..b44cf7c05 100644
--- a/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md
+++ b/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md
@@ -9,28 +9,28 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }}
 ```bash
 # login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+rover login -t {{ resources.platform_identity.tenant_name }}
 cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
 -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
 {% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% endif %}
- -tfstate {{ config.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }} \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -tfstate {{ resources.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }}.tfplan \
 -a plan
 ```
diff --git a/templates/platform/level2/connectivity/azurerm_firewalls/readme.md b/templates/platform/level2/connectivity/azurerm_firewalls/readme.md
index 098a664d3..6028a8453 100644
--- a/templates/platform/level2/connectivity/azurerm_firewalls/readme.md
+++ b/templates/platform/level2/connectivity/azurerm_firewalls/readme.md
@@ -9,28 +9,28 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }}
 ```bash
 # login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+rover login -t {{ resources.platform_identity.tenant_name }}
 cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ resources.gitops.caf_landingzone_branch }}
 rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_solution \
 -var-folder {{ destination_path }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
 -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
 {% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% endif %}
- -tfstate {{ config.tfstates.platform.azurerm_firewalls[deployment].tfstate }} \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -tfstate {{ resources.tfstates.platform.azurerm_firewalls[deployment].tfstate }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.azurerm_firewalls[deployment].tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.azurerm_firewalls[deployment].tfstate }}.tfplan \
 -a plan
 ```
diff --git a/templates/platform/level2/connectivity/express_route_circuit/ansible.yaml b/templates/platform/level2/connectivity/express_route_circuit/ansible.yaml
index 10950aaed..86a234a4a 100644
--- a/templates/platform/level2/connectivity/express_route_circuit/ansible.yaml
+++ b/templates/platform/level2/connectivity/express_route_circuit/ansible.yaml
@@ -1,23 +1,23 @@
 - name: Express_routes {{ circuit }} - Clean-up directory
 file:
- path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}"
+ path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}"
 state: absent
 when:
- - config.configuration_folders.platform.cleanup_destination | bool
+ - resources.configuration_folders.platform.cleanup_destination | bool
 - name: Express_routes {{ circuit }} - Creates directory structure
 file:
- path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}"
+ path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}"
 state: directory
 - name: Express_routes {{ circuit }} - variables
 set_fact:
- destination_path_resources: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}"
+ destination_path_resources: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}"
 - name: Express_routes {{ circuit }} - readme
 ansible.builtin.template:
 src: "{{ item }}"
- dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ dest: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}/{{ item | basename | regex_replace('.j2$', '') }}"
 force: yes
 with_fileglob:
 - "{{ level }}/{{ base_folder }}/express_route_circuit/*.md"
diff --git a/templates/platform/level2/connectivity/express_route_circuit/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/express_route_circuit/landingzone.tfvars.j2
index b5d785b79..aa9f0e93b 100644
--- a/templates/platform/level2/connectivity/express_route_circuit/landingzone.tfvars.j2
+++ b/templates/platform/level2/connectivity/express_route_circuit/landingzone.tfvars.j2
@@ -1,12 +1,12 @@
 landingzone = {
 backend_type = "azurerm"
- global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"
- level = "{{ config.tfstates.platform.express_route_circuits[circuit].level }}"
- key = "{{ config.tfstates.platform.express_route_circuits[circuit].lz_key_name }}"
+ global_settings_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
+ level = "{{ resources.tfstates.platform.express_route_circuits[circuit].level }}"
+ key = "{{ resources.tfstates.platform.express_route_circuits[circuit].lz_key_name }}"
 tfstates = {
- {{ config.tfstates.platform.management.lz_key_name }} = {
+ {{ resources.tfstates.platform.management.lz_key_name }} = {
 level = "lower"
- tfstate = "{{ config.tfstates.platform.management.tfstate }}"
+ tfstate = "{{ resources.tfstates.platform.management.tfstate }}"
 }
 }
 }
diff --git a/templates/platform/level2/connectivity/express_route_circuit/readme.md b/templates/platform/level2/connectivity/express_route_circuit/readme.md
index 1c60fa82c..d1e25a127 100644
--- a/templates/platform/level2/connectivity/express_route_circuit/readme.md
+++ b/templates/platform/level2/connectivity/express_route_circuit/readme.md
@@ -9,28 +9,28 @@ Note you need to adjust the branch {{ connectivity_express_routes.gitops.caf_lan
 ```bash
 # login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+rover login -t {{ resources.platform_identity.tenant_name }}
 cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
 rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
+ -var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
 -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
 {% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% endif %}
- -tfstate {{ config.tfstates.platform.express_route_circuits[circuit].tfstate }} \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -tfstate {{ resources.tfstates.platform.express_route_circuits[circuit].tfstate }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.express_route_circuits[circuit].tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.express_route_circuits[circuit].tfstate }}.tfplan \
 -a plan
 ```
diff --git a/templates/platform/level2/connectivity/express_route_circuit_peering/ansible.yaml b/templates/platform/level2/connectivity/express_route_circuit_peering/ansible.yaml
index faf21e149..108fc32f8 100644
--- a/templates/platform/level2/connectivity/express_route_circuit_peering/ansible.yaml
+++ b/templates/platform/level2/connectivity/express_route_circuit_peering/ansible.yaml
@@ -1,23 +1,23 @@
 - name: "[{{ level }}-{{ circuit }}] - express route peering - Clean-up directory"
 file:
- path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}"
+ path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}"
 state: absent
 when:
- - config.configuration_folders.platform.cleanup_destination | bool
+ - resources.configuration_folders.platform.cleanup_destination | bool
 - name: "[{{ level }}-{{ circuit }}] - express route peering - Creates directory structure"
 file:
- path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}"
+ path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}"
 state: directory
 - name: "[{{ level }}-{{ circuit }}] - express route peering - variables"
 set_fact:
- destination_path_resources: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}"
+ destination_path_resources: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}"
 - name: "[{{ level }}-{{ circuit }}] - express route peering - readme"
 ansible.builtin.template:
 src: "{{ item }}"
- dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}/{{ item | basename | regex_replace('.j2$', '') }}"
+ dest: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }}/{{ item | basename | regex_replace('.j2$', '') }}"
 force: yes
 with_fileglob:
 - "{{ level }}/{{ base_folder }}/express_route_circuit_peering/*.md"
diff --git a/templates/platform/level2/connectivity/express_route_circuit_peering/landingzone.tfvars.j2 b/templates/platform/level2/connectivity/express_route_circuit_peering/landingzone.tfvars.j2
index a6e040839..e27df4155 100644
--- a/templates/platform/level2/connectivity/express_route_circuit_peering/landingzone.tfvars.j2
+++ b/templates/platform/level2/connectivity/express_route_circuit_peering/landingzone.tfvars.j2
@@ -1,12 +1,12 @@
 landingzone = {
 backend_type = "azurerm"
- global_settings_key = "{{ config.tfstates.platform.express_route_circuits[circuit].lz_key_name }}"
- level = "{{ config.tfstates.platform.express_route_circuit_peerings[circuit].level }}"
- key = "{{ config.tfstates.platform.express_route_circuit_peerings[circuit].lz_key_name }}"
+ global_settings_key = "{{ resources.tfstates.platform.express_route_circuits[circuit].lz_key_name }}"
+ level = "{{ resources.tfstates.platform.express_route_circuit_peerings[circuit].level }}"
+ key = "{{ resources.tfstates.platform.express_route_circuit_peerings[circuit].lz_key_name }}"
 tfstates = {
- {{ config.tfstates.platform.express_route_circuits[circuit].lz_key_name }} = {
+ {{ resources.tfstates.platform.express_route_circuits[circuit].lz_key_name }} = {
 level = "current"
- tfstate = "{{ config.tfstates.platform.express_route_circuits[circuit].tfstate }}"
+ tfstate = "{{ resources.tfstates.platform.express_route_circuits[circuit].tfstate }}"
 }
 }
 }
diff --git a/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md b/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md
index eff7095be..4fc49b432 100644
--- a/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md
+++ b/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md
@@ -3,28 +3,28 @@
 ```bash
 # login a with a user member of the caf-platform-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+rover login -t {{ resources.platform_identity.tenant_name }}
 cd {{ landingzones_folder }}
 git fetch origin
 git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
 rover \
-{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
 --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
 {% endif %}
 -lz {{ landingzones_folder }}/caf_solution \
- -var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }} \
- -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
+ -var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }} \
+ -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
 -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
 {% else %}
- -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+ -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
 {% endif %}
- -tfstate {{ config.tfstates.platform.express_route_circuit_peerings[circuit].tfstate }} \
- -env {{ config.caf_terraform.launchpad.caf_environment }} \
+ -tfstate {{ resources.tfstates.platform.express_route_circuit_peerings[circuit].tfstate }} \
+ -env {{ resources.caf_terraform.launchpad.caf_environment }} \
 -level {{ level }} \
- -p ${TF_DATA_DIR}/{{ config.tfstates.platform.express_route_circuit_peerings[circuit].tfstate }}.tfplan \
+ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.express_route_circuit_peerings[circuit].tfstate }}.tfplan \
 -a plan
 ```
diff --git a/templates/platform/level2/connectivity/private_dns/readme.md b/templates/platform/level2/connectivity/private_dns/readme.md
index 64b1123f6..7d6a5b7cc 100644
--- a/templates/platform/level2/connectivity/private_dns/readme.md
+++ b/templates/platform/level2/connectivity/private_dns/readme.md
@@ -9,28 +9,28 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.private_dns[deployment].tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.private_dns[deployment].tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.private_dns[deployment].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.private_dns[deployment].tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level2/connectivity/virtual_hubs/readme.md b/templates/platform/level2/connectivity/virtual_hubs/readme.md index 68ac71d7d..6b66dfdf7 100644 
--- a/templates/platform/level2/connectivity/virtual_hubs/readme.md +++ b/templates/platform/level2/connectivity/virtual_hubs/readme.md 
@@ -2,35 +2,35 @@ ## Select the correct branch for the landingzones code -Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services +Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services ## {{ deployment }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.virtual_hubs[deployment].tfstate }} \ + -tfstate {{ resources.tfstates.platform.virtual_hubs[deployment].tfstate }} \ -log-severity ERROR \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ 
resources.tfstates.platform.virtual_hubs[deployment].tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level2/connectivity/virtual_wans/readme.md b/templates/platform/level2/connectivity/virtual_wans/readme.md index 05376e5a6..a0c28ceb2 100644 --- a/templates/platform/level2/connectivity/virtual_wans/readme.md +++ b/templates/platform/level2/connectivity/virtual_wans/readme.md 
@@ -2,28 +2,28 @@ ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.virtual_wans[deployment].tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.virtual_wans[deployment].tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_wans[deployment].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.virtual_wans[deployment].tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level2/identity/identity_level2/readme.md b/templates/platform/level2/identity/identity_level2/readme.md index a015f470c..06b3e7d8a 100644 --- a/templates/platform/level2/identity/identity_level2/readme.md 
+++ b/templates/platform/level2/identity/identity_level2/readme.md @@ -7,21 +7,21 @@ Deploy the identity services rover logout # login a with a user member of the caf-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ - -tfstate {{ config.tfstates.platform.identity_level2[deployment].tfstate }} \ - -log-severity {{ config.gitops.rover_log_error }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.identity_level2[deployment].tfstate }} \ + -log-severity {{ resources.gitops.rover_log_error }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity_level2[deployment].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity_level2[deployment].tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level2/identity/identity_level2_aadds/readme.md b/templates/platform/level2/identity/identity_level2_aadds/readme.md index 787801456..a28da5dd7 100644 --- a/templates/platform/level2/identity/identity_level2_aadds/readme.md +++ b/templates/platform/level2/identity/identity_level2_aadds/readme.md 
@@ -9,28 +9,28 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.identity_level2_aadds[deployment].tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.identity_level2_aadds[deployment].tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity_level2_aadds[deployment].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity_level2_aadds[deployment].tfstate }}.tfplan \ -a plan ``` diff --git a/templates/platform/level2/identity/identity_level2_adds/readme.md b/templates/platform/level2/identity/identity_level2_adds/readme.md index 402705e04..63e164cdf 100644 
--- a/templates/platform/level2/identity/identity_level2_adds/readme.md +++ b/templates/platform/level2/identity/identity_level2_adds/readme.md @@ -5,28 +5,28 @@ Deploy 2 domain controllers in the primary region ```bash # login a with a user member of the caf-maintainers group -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ {% else %} - -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ {% endif %} - -tfstate {{ config.tfstates.platform.identity_level2_adds[deployment].tfstate }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -tfstate {{ resources.tfstates.platform.identity_level2_adds[deployment].tfstate }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity_level2_adds[deployment].tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity_level2_adds[deployment].tfstate }}.tfplan \ -a plan ``` 
diff --git a/templates/platform/level3/ansible.yaml b/templates/platform/level3/ansible.yaml index 30473753e..1838d0712 100644 --- a/templates/platform/level3/ansible.yaml +++ b/templates/platform/level3/ansible.yaml @@ -3,8 +3,8 @@ register: keyvault_scl shell: | az keyvault list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' + --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' - debug: msg: "{{keyvault_scl.stdout}}" @@ -17,8 +17,8 @@ register: storage_account_level3 shell: | az storage account list \ - --subscription {{ config.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r + --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r - debug: msg: "{{storage_account_level3.stdout}}" 
@@ -28,16 +28,16 @@ ignore_errors: true shell: | az storage blob download \ - --name "{{ config.tfstates.asvm.subscriptions.tfstate }}" \ + --name "{{ resources.tfstates.asvm.subscriptions.tfstate }}" \ --account-name "{{ storage_account_level3.stdout|from_json|json_query('name') }}" \ - --container-name "{{ config.tfstates.asvm.subscriptions.workspace | default('tfstate') }}" \ + --container-name "{{ resources.tfstates.asvm.subscriptions.workspace | default('tfstate') }}" \ --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ config.tfstates.asvm.subscriptions.tfstate }}" + --file "~/.terraform.cache/launchpad/{{ resources.tfstates.asvm.subscriptions.tfstate }}" - name: "[{{ level }}-{{ subscription_key }}] Get subscription_creation_landingzones details" when: - landingzones_subscriptions.rc == 0 - shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates.asvm.subscriptions.tfstate }}" + shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.asvm.subscriptions.tfstate }}" register: landingzones_tfstate - debug: @@ -55,7 +55,7 @@ set_fact: asvm_subscriptions_details: "{{ scljsondata | json_query(path) }}" vars: - path: 'outputs.objects.value.{{config.tfstates.asvm.subscriptions.lz_key_name}}.subscriptions' + path: 'outputs.objects.value.{{resources.tfstates.asvm.subscriptions.lz_key_name}}.subscriptions' - debug: msg: "{{asvm_subscriptions_details}}" \ No newline at end of file diff --git a/templates/platform/level3/readme.md b/templates/platform/level3/readme.md index 59849c77c..2b2232a61 100644 --- a/templates/platform/level3/readme.md +++ b/templates/platform/level3/readme.md @@ -1,6 +1,6 @@ ```bash -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} unset ARM_SKIP_PROVIDER_REGISTRATION 
@@ -9,18 +9,18 @@ git pull git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ {% if asvm_subscriptions_details[subscription_key].subscription_id is defined %} -target_subscription {{ asvm_subscriptions_details[subscription_key].subscription_id }} \ {% endif %} -tfstate {{ tfstate_object.tfstate }} \ --workspace {{ tfstate_object.workspace }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level3/subscriptions/readme.md b/templates/platform/level3/subscriptions/readme.md index bf78079dd..f88b0746d 100644 --- a/templates/platform/level3/subscriptions/readme.md +++ b/templates/platform/level3/subscriptions/readme.md 
@@ -2,23 +2,23 @@ ### Create storage containers for the landingzone ```bash -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} cd {{landingzones_folder}} git pull git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{config.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{resources.caf_terraform.launchpad.subscription_id }} \ -tfstate {{ tfstate_object.tfstate }} \ --workspace {{ tfstate_object.workspace | default('tfstate') }} \ - -env {{ config.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 index 963808f8d..05ee1e366 100644 --- a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 +++ b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 
@@ -1,13 +1,13 @@ storage_containers = { {% for key in resources.subscriptions[subscription_key].subscriptions.keys() %} {{ key }}_level3 = { - name = "{{ config.tfstates.asvm[key].workspace }}" + name = "{{ resources.tfstates.asvm[key].workspace }}" storage_account = { name = "{{storage_account_level3.stdout|from_json|json_query('name')}}" } } {{ key }}_level4 = { - name = "{{ config.tfstates.asvm[key].workspace }}" + name = "{{ resources.tfstates.asvm[key].workspace }}" storage_account = { name = "{{storage_account_level4.stdout|from_json|json_query('name')}}" } diff --git a/templates/platform/pipelines/README.md b/templates/platform/pipelines/README.md index 453154a6a..5d45470d2 100644 --- a/templates/platform/pipelines/README.md +++ b/templates/platform/pipelines/README.md @@ -22,7 +22,7 @@ ansible-playbook e2e.yaml \ ## Prerequisites ```bash -branch={{ config.eslz.private_lib[config.eslz.private_lib.version_to_deploy].caf_landingzone_branch }} +branch={{ resources.eslz.private_lib[resources.eslz.private_lib.version_to_deploy].caf_landingzone_branch }} cd {{ destination_base_path }} git clone --branch ${branch} https://github.com/Azure/caf-terraform-landingzones.git landingzones diff --git a/templates/platform/pipelines/demo.yaml b/templates/platform/pipelines/demo.yaml index 6830023e0..49dae435c 100644 --- a/templates/platform/pipelines/demo.yaml +++ b/templates/platform/pipelines/demo.yaml 
@@ -1,18 +1,18 @@ - name: Clean-up directory file: - path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ base_folder }}" + path: "{{ destination_base_path }}{{ resources.configuration_folders.destination_relative_path }}/{{ base_folder }}" state: absent - when: config.configuration_folders.cleanup_destination | bool + when: resources.configuration_folders.cleanup_destination | bool - name: Creates directory file: - path: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ base_folder }}" + path: "{{ destination_base_path }}{{ resources.configuration_folders.destination_relative_path }}/{{ base_folder }}" state: directory - name: Symphony ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_base_path }}{{ resources.configuration_folders.destination_relative_path }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - "{{ base_folder }}/symphony*.yaml" @@ -20,7 +20,7 @@ - name: Next steps ansible.builtin.template: src: "{{ item }}" - dest: "{{ destination_base_path }}{{ config.configuration_folders.destination_relative_path }}/{{ item | basename | regex_replace('.j2$', '') }}" + dest: "{{ destination_base_path }}{{ resources.configuration_folders.destination_relative_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes with_fileglob: - "{{ base_folder }}/README.md" diff --git a/templates/platform/pipelines/symphony_e2e.yaml b/templates/platform/pipelines/symphony_e2e.yaml index 0d86c0d6c..44053ff52 100644 --- a/templates/platform/pipelines/symphony_e2e.yaml +++ b/templates/platform/pipelines/symphony_e2e.yaml 
@@ -2,7 +2,7 @@ environment: {{ model }} repositories: - name: landingzones uri: https://github.com/Azure/caf-terraform-landingzones.git - branch: {{ config.caf_landingzone_branch }} + branch: {{ resources.caf_landingzone_branch }} # All paths are relative levels: @@ -11,8 +11,8 @@ levels: stacks: - stack: launchpad landingZonePath: landingzones/caf_launchpad - configurationPath: "{{ config.configuration_folders.destination_relative_path }}/{{ config.tfstates.platform.launchpad.level }}/{{ config.tfstates.platform.launchpad.base_config_path }}" - tfState: {{ config.tfstates.platform.launchpad.tfstate }} + configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.launchpad.level }}/{{ resources.tfstates.platform.launchpad.base_config_path }}" + tfState: {{ resources.tfstates.platform.launchpad.tfstate }} repository: landingzones launchpad: true 
@@ -21,21 +21,21 @@ levels: stacks: - stack: management landingZonePath: landingzones/caf_solution - configurationPath: "{{ config.configuration_folders.destination_relative_path }}/{{ config.tfstates.platform.management.level }}/{{ config.tfstates.platform.management.base_config_path }}" - tfState: {{ config.tfstates.platform.management.tfstate }} + configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.management.level }}/{{ resources.tfstates.platform.management.base_config_path }}" + tfState: {{ resources.tfstates.platform.management.tfstate }} repository: landingzones - stack: eslz landingZonePath: landingzones/caf_solution/add-ons/caf_eslz - configurationPath: "{{ config.configuration_folders.destination_relative_path }}/{{ config.tfstates.platform.eslz.level }}/{{ config.tfstates.platform.eslz.base_config_path }}" - tfState: {{ config.tfstates.platform.eslz.tfstate }} + configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.eslz.level }}/{{ resources.tfstates.platform.eslz.base_config_path }}" + tfState: {{ resources.tfstates.platform.eslz.tfstate }} repository: landingzones - branch: "{{ config.eslz.private_lib[config.eslz.private_lib.version_to_deploy].caf_landingzone_branch }}" + branch: "{{ resources.eslz.private_lib[resources.eslz.private_lib.version_to_deploy].caf_landingzone_branch }}" - level: level2 type: platform stacks: - stack: connectivity_virtual_wan landingZonePath: landingzones/caf_solution - configurationPath: "{{ config.configuration_folders.destination_relative_path }}/{{ config.tfstates.platform.management.level }}/{{ config.tfstates.platform.management.base_config_path }}" - tfState: {{ config.tfstates.platform.management.tfstate }} + configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.management.level }}/{{ 
resources.tfstates.platform.management.base_config_path }}" + tfState: {{ resources.tfstates.platform.management.tfstate }} repository: landingzones \ No newline at end of file diff --git a/templates/platform/process_deployments.yaml b/templates/platform/process_deployments.yaml deleted file mode 100644 index 4fda246ee..000000000 --- a/templates/platform/process_deployments.yaml +++ /dev/null @@ -1,39 +0,0 @@ - -- debug: - msg: "file {{file_to_process.path}}" - -- set_fact: - resources: "{{ lookup('file', '{{ file_to_process.path }}') | from_yaml }}" - -- set_fact: - lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}" - -- set_fact: - tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}" - env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}" - -- debug: - msg: - - "{{config}}" - - "{{lz_type}}" - - "{{tfstate}}" - - "{{env}}" - verbosity: 2 - - -- name: "Set tfstate_object" - set_fact: - tfstate_object: '{{config.tfstates[lz_type][tfstate] if env == "" else config.tfstates[lz_type][tfstate][env] }}' - - -- debug: - msg: - - "{{tfstate_object}}" - -- name: "Including tasks process_tfstate.yaml" - include_tasks: "process_tfstate.yaml" - loop: ["{{ tfstate }}"] - loop_control: - loop_var: deployment - vars: - config_file: "{{ file_to_process.path }}" \ No newline at end of file diff --git a/templates/platform/process_stages.yaml b/templates/platform/process_stages.yaml deleted file mode 100644 index 4c96e75b7..000000000 --- a/templates/platform/process_stages.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ - -- debug: - msg: - - "tfstate {{tfstate}} - {{tfstates[tfstate]}}" - - "{{lz_type}}" - -- set_fact: - tfstate_key: "{{ tfstates[tfstate].keys() | first }}" - env: "{{ tfstates[tfstate].values() | first | default('') }}" - - -- name: "Set tfstate_object" - set_fact: - tfstate_object: '{{config.tfstates[lz_type][tfstate_key] if env == "" else config.tfstates[lz_type][tfstate_key][env] }}' - -- name: "Set config_folder" - set_fact: - config_folder: '{{ tfstate_object.sub_template_folder | default() }}' - -- debug: - msg: - - "{{config}}" - - "{{lz_type}}" - - "{{tfstate_key}}" - - "{{env}}" - - "{{tfstate_object}}" - - "{{config_folder}}" - verbosity: 2 - -- set_fact: - resources: "{{ lookup('file', '{{ config_folder + \"/\" + tfstate_object.config_file }}') | from_yaml }}" - -- name: "Including tasks process_tfstate.yaml" - include_tasks: "process_tfstate.yaml" - loop: ["{{tfstate_key}}"] - loop_control: - loop_var: deployment - vars: - config_file: "{{config_folder + '/' + tfstate_object.config_file }}" \ No newline at end of file diff --git a/templates/platform/readme.md b/templates/platform/readme.md index d3b1ed5d3..db5b52b7e 100644 --- a/templates/platform/readme.md +++ b/templates/platform/readme.md 
@@ -2,18 +2,20 @@ # Generate the terraform configuration files To execute this step you need to login with one of the CAF maintainers accounts: -{% for maintainer in config.platform_identity.caf_platform_maintainers %} +{% for maintainer in resources.platform_identity.caf_platform_maintainers %} - {{ maintainer }} {% endfor %} ```bash -rover login -t {{ config.platform_identity.tenant_name }} +rover login -t {{ resources.platform_identity.tenant_name }} rover ignite \ - --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ + --playbook {{ base_templates_folder }}/ansible/ansible.yaml \ -e base_templates_folder={{ base_templates_folder }} \ -e resource_template_folder={{resource_template_folder}} \ - -e config_folder={{ config_folder }} + -e config_folder={{ config_folder }} \ + -e landingzones_folder={{ landingzones_folder }} + ``` -Get started with the [launchpad](./platform/level0/launchpad) \ No newline at end of file +Get started with the [launchpad](./level0/launchpad) diff --git a/templates/platform/services/README.md b/templates/platform/services/README.md new file mode 100644 index 000000000..d8b04db5d --- /dev/null +++ b/templates/platform/services/README.md 
@@ -0,0 +1,41 @@ +# Cloud Adoption Framework landing zones for Terraform - Ignite the Azure Platform and landing zones + + +:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup) + + +For further executions or command, you can refer to the following sections + +## Commands + +### Clone the landingzone project (Terraform base code) +```bash +git clone https://github.com/Azure/caf-terraform-landingzones.git {{destination_base_path}}/landingzones +cd {{destination_base_path}}/landingzones && git pull +git checkout {{topology.caf_landingzone_branch}} + +``` + +### Rover ignite the platform +Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps. Just follow the readme and next steps. + +Rover ignite creates the tfvars and also the documentation. + +```bash +rover login -t {{tenant_name.stdout}} -s {{subscription_id.stdout}} + + rover ignite \ + --playbook {{ config_folder_platform_templates }}/ansible/ansible.yaml \ + -e base_templates_folder={{ config_folder_platform_templates }} \ + -e resource_template_folder={{landingzones_folder}}/templates/resources \ + -e config_folder={{destination_base_path}}/{{definitions_relative_path}} \ + -e landingzones_folder={{landingzones_folder}} + + +``` + +### Next step + +Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created. + +Get started with the [launchpad]({{destination_base_path}}/{{configuration_relative_path}}/{{topologies.launchpad.relative_destination_folder}}) diff --git a/templates/platform/services/asvm.yaml b/templates/platform/services/asvm.yaml new file mode 100644 index 000000000..8a9d56df6 --- /dev/null 
+++ b/templates/platform/services/asvm.yaml 
@@ -0,0 +1,101 @@ +asvm: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level2/asvm + + tfstate: + lz_key_name: asvm + tfstate: asvm_subscription_vending_machine.tfstate + level: level2 + config_file: asvm.yaml + identity_aad_key: cred_level0 + sub_template_folder: level2/asvm + yaml: level2/asvm/ansible.yaml + # Do not rename the tfstate_key_name + tfstate_key_name: asvm + + deployments: + landingzone: + tfstate: + platform: + asvm: + global_settings_key: + platform: + management: + remote_tfstates: + platform: + management: + + subscriptions: + launchpad: + resource_groups: + level3: + name: caf-level3 + tags: + level: level3 + level4: + name: caf-level4 + tags: + level: level4 + + storage_accounts: + level3: + name: l3 + resource_group_key: level3 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: contosolle + caf_launchpad: launchpad + caf_tfstate: level3 + level4: + name: l4 + resource_group_key: level4 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. 
+ # Only adjust the environment value at creation time + caf_environment: contosolle + caf_launchpad: launchpad + caf_tfstate: level4 + + keyvaults: + level3: + name: l3 + resource_group_key: level3 + level4: + name: l4 + resource_group_key: level4 + + + azuread_groups: + caf_ac_landingzone_maintainers_non_prod: + name: caf_ac_landingzone_maintainers_non_prod + + caf_ac_landingzone_maintainers_prod: + name: caf_ac_landingzone_maintainers_prod diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_route_peerings.yaml b/templates/platform/services/connectivity_express_route_peerings.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_express_route_peerings.yaml rename to templates/platform/services/connectivity_express_route_peerings.yaml diff --git a/templates/platform/services/connectivity_express_routes.yaml b/templates/platform/services/connectivity_express_routes.yaml new file mode 100644 index 000000000..8e87480a2 --- /dev/null +++ b/templates/platform/services/connectivity_express_routes.yaml @@ -0,0 +1,22 @@ +gitops: + caf_landingzone_branch: AL-azurerm2931 + +express_route_circuits: + {{env}}: + name: er-1-{{env}} + resource_group_key: {{env}} + service_provider_name: XL Axiata + peering_location: Jakarta + tier: Standard + family: MeteredData + bandwidth_in_mbps: 50 + +express_route_circuit_authorizations: + vhub-prod: + name: er-auth-vhub-{{env}} + resource_group_key: {{env}} + + +resource_groups: + name: connectivity-express-route-{{env}} + region_key: region1 diff --git a/templates/platform/services/connectivity_firewall_policies.yaml b/templates/platform/services/connectivity_firewall_policies.yaml new file mode 100644 index 000000000..671c32fbf --- /dev/null +++ b/templates/platform/services/connectivity_firewall_policies.yaml 
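Review bot: `caf_environment: contosolle` under both the level3 and level4 storage account tags hard-codes a sample environment name, whereas the launchpad template in this same series renders `caf_environment: {{topology.caf_environment}}`. The comment directly above each tag says the rover uses these tags to locate the launchpad and the tfstates, so a launchpad rendered for any other environment would not find the level3/level4 state accounts; suggest `caf_environment: {{topology.caf_environment}}` in both places. Separately, this level2 deployment uses `identity_aad_key: cred_level0` while the other level2 services use `cred_connectivity` or `cred_identity`; if cred_level0 is the launchpad principal, it may be worth a comment stating why the level0 credential is required here rather than a narrower one.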
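Review bot: `caf_landingzone_branch: AL-azurerm2931` pins a developer branch where every sibling template uses `{{topology.caf_landingzone_branch}}`; the same literal pin is introduced in the identity_level2_aadds.yaml hunk further down. `express_route_circuit_authorizations` declares the key `vhub-prod`, but connectivity_virtual_hubs.yaml looks it up as `key: vhub-{{env}}`, so any environment other than prod cannot resolve the authorization; suggest `vhub-{{env}}:`. The trailing `resource_groups:` block places `name:` and `region_key:` directly under the map with no resource group key, while `resource_group_key: {{env}}` above expects one; presumably it should read `resource_groups:` / `{{env}}:` / `name: connectivity-express-route-{{env}}`.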
@@ -0,0 +1,44 @@
+azurerm_firewall_policies_{{env}}:
+ gitops:
+ caf_landingzone_branch: {{topology.caf_landingzone_branch}}
+
+ relative_destination_folder: level2/connectivity/azurerm_firewall_policies/{{env}}
+
+ tfstate:
+ lz_key_name: connectivity_firewall_policies_{{env}}
+ tfstate: connectivity_firewall_policies_{{env}}.tfstate
+ level: level2
+ config_file: azurerm_firewall_policies.yaml
+ identity_aad_key: cred_connectivity
+ # Do not rename the tfstate_key_name
+ tfstate_key_name: azurerm_firewall_policies
+
+ deployments:
+ landingzone:
+ tfstate:
+ platform:
+ azurerm_firewall_policies: {{env}}
+ global_settings_key:
+ platform:
+ virtual_wans: prod
+ remote_tfstates:
+ platform:
+ virtual_wans: prod
+
+
+ subscriptions:
+ connectivity:
+ resource_groups:
+ firewall_policies:
+ name: connectivity-{{env}}-firewall-policies
+ region_key: region1
+
+ azurerm_firewall_policies:
+ root:
+ name: "{{env}}-root-policy"
+ region_key: region1
+ resource_group:
+ key: firewall_policies
+ dns:
+ proxy_enabled: true
+ threat_intelligence_mode: "Alert"
diff --git a/templates/platform/services/connectivity_firewalls.yaml b/templates/platform/services/connectivity_firewalls.yaml
new file mode 100644
index 000000000..c6ba8c7d8
--- /dev/null
+++ b/templates/platform/services/connectivity_firewalls.yaml
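Review bot: `virtual_wans: prod` is hard-coded under both `global_settings_key` and `remote_tfstates` while the rest of this template is keyed on `{{env}}`, so every environment's firewall policy deployment would read the prod WAN state; if that is intentional (a single shared WAN) a comment saying so would help, otherwise `virtual_wans: {{env}}` keeps it consistent with the firewalls and hubs templates. `threat_intelligence_mode: "Alert"` on the root policy only logs matches, and the route table hunk below sends `0.0.0.0/0` through the firewall built on this policy; consider a comment such as `# Alert only logs threat-intel matches; move to Deny once the rule set is validated` so the choice is explicit.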
@@ -0,0 +1,88 @@ +azurerm_firewalls_{{env}}: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level2/connectivity/azurerm_firewalls/{{env}} + + tfstate: + lz_key_name: connectivity_firewalls_{{env}} + tfstate: connectivity_firewalls_{{env}}.tfstate + level: level2 + config_file: azurerm_firewalls.yaml + identity_aad_key: cred_connectivity + # Do not rename the tfstate_key_name + tfstate_key_name: azurerm_firewalls + + deployments: + landingzone: + tfstate: + platform: + azurerm_firewalls: {{env}} + global_settings_key: + platform: + virtual_hubs: {{env}} + remote_tfstates: + platform: + virtual_hubs: {{env}} + azurerm_firewall_policies: {{env}} + + + subscriptions: + connectivity: + resource_groups: + firewall_policies: + name: connectivity-{{env}}-firewall + region_key: region1 + + + virtual_networks: + vnet: + name: vnet-connectivity-{{env}}-fw-plinks + resource_group_key: firewall_policies + region_key: region1 + address_space: + - 10.101.61.0/24 + specialsubnets: + AzureFirewallSubnet: + name: AzureFirewallSubnet + cidr: + - 10.101.61.0/26 + + public_ip_addresses: + fw_pip1: + name: pip-{{env}}-fw-01 + resource_group_key: firewall_policies + sku: Standard + allocation_method: Static + ip_version: IPv4 + idle_timeout_in_minutes: 4 + + azurerm_firewalls: + fw_{{env}}_plinks_01: + name: fw-{{env}}-plinks-01 + resource_group_key: firewall_policies + vnet_key: vnet + sku_tier: Standard + firewall_policy: + key: root + lz_key: connectivity_firewall_policies_{{env}} + zones: + - 1 + - 2 + - 3 + public_ips: + ip1: + name: pip1 + public_ip_key: fw_pip1 + vnet_key: vnet + subnet_key: AzureFirewallSubnet + + + virtual_hub_connections: + vnet_to_hub: + name: vnet-connectivity-{{env}}-fw-plinks-TO-vhub-{{env}} + virtual_hub: + lz_key: connectivity_virtual_hubs_{{env}} + key: {{env}} + vnet: + vnet_key: vnet \ No newline at end of file 
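Review bot: The resource group key `firewall_policies` under `subscriptions.connectivity.resource_groups` names a group `connectivity-{{env}}-firewall`, and every later `resource_group_key: firewall_policies` in this file (vnet, public IP, firewall) therefore reads as if it pointed at the policy resource group defined in connectivity_firewall_policies.yaml. A key such as `firewall` would match the resource name and avoid the confusion; this is naming only, behaviour is unaffected.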
diff --git a/templates/platform/services/connectivity_private_dns.yaml b/templates/platform/services/connectivity_private_dns.yaml new file mode 100644 index 000000000..81922ab7e --- /dev/null +++ b/templates/platform/services/connectivity_private_dns.yaml 
@@ -0,0 +1,88 @@ +private_dns_{{env}}: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level2/connectivity/private_dns/{{env}} + + tfstate: + lz_key_name: connectivity_private_dns_{{env}} + tfstate: connectivity_private_dns_{{env}}.tfstate + level: level2 + config_file: private_dns.yaml + identity_aad_key: cred_connectivity + # Do not rename the tfstate_key_name + tfstate_key_name: private_dns + + deployments: + landingzone: + tfstate: + platform: + private_dns: {{env}} + global_settings_key: + platform: + azurerm_firewalls: {{env}} + remote_tfstates: + platform: + azurerm_firewalls: {{env}} + identity_level2: {{env}} + + subscriptions: + connectivity: + + role_mapping: + custom_role_mapping: + resource_groups: + dns_connectivity_{{env}}: + landgingzone_extended: + azuread_groups: + lz_key: identity_level2_{{env}} + keys: + - caf_{{env}}_landingzones_dns_contributors + built_in_role_mapping: + resource_groups: + dns_connectivity_{{env}}: + Private DNS Zone Contributor: + azuread_groups: + lz_key: identity_level2_{{env}} + keys: + - caf_{{env}}_landingzones_dns_contributors + + custom_role_definitions: + landgingzone_extended: + name: landingzone-networking-private-dns-extended + useprefix: true + description: "({{env}}) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links." 
+ permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read + - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write + + resource_groups: + dns_connectivity_{{env}}: + name: dns-connectivity-{{env}} + + private_dns: +{% for key in topology.connectivity.private_dns_zones.zones %} + {{key}}: + name: {{key}} + resource_group_key: dns_connectivity_{{env}} + vnet_links: + fw_{{env}}_plinks_01: + name: fw-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_{{env}} +{% endfor %} +{% for region in topology.resources_allowed_regions %} +{% for z_key in topology.connectivity.private_dns_zones.regional_zones %} + {{z_key | replace('region', region)}}: + name: {{z_key | replace('region', region)}} + resource_group_key: dns_connectivity_{{env}} + vnet_links: + fw_{{env}}_plinks_01: + name: fw-plinks-01 + vnet_key: vnet + lz_key: connectivity_firewalls_{{env}} +{% endfor %} +{% endfor %} + \ No newline at end of file diff --git a/templates/platform/services/connectivity_virtual_hubs.yaml b/templates/platform/services/connectivity_virtual_hubs.yaml new file mode 100644 index 000000000..5aa22f32d --- /dev/null +++ b/templates/platform/services/connectivity_virtual_hubs.yaml 
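Review bot: The custom role key `landgingzone_extended` is misspelt, and since it is used both in `custom_role_mapping` and in `custom_role_definitions` it works today but will be hard to find later; suggest `landingzone_extended` in both places. The role `description` string also contains "activies", which should read "activities". A short comment above `custom_role_definitions` stating that the role is intentionally limited to the three `Microsoft.Network/private*` actions listed would help reviewers of the permission set.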
@@ -0,0 +1,63 @@
+virtual_hubs_{{env}}:
+ gitops:
+ caf_landingzone_branch: {{topology.caf_landingzone_branch}}
+
+ relative_destination_folder: level2/connectivity/virtual_hubs/{{env}}
+
+ tfstate:
+ lz_key_name: connectivity_virtual_hubs_{{env}}
+ tfstate: connectivity_virtual_hubs_{{env}}.tfstate
+ workspace: tfstate
+ level: level2
+ config_file: virtual_hubs.yaml
+ identity_aad_key: cred_connectivity
+ # Do not rename the tfstate_key_name
+ tfstate_key_name: virtual_hubs
+
+ deployments:
+ landingzone:
+ tfstate:
+ platform:
+ virtual_hubs: {{env}}
+ global_settings_key:
+ platform:
+ virtual_wans: prod
+ remote_tfstates:
+ platform:
+ virtual_wans: prod
+ custom_variables:
+ virtual_hub_lz_key: connectivity_virtual_hubs_{{env}}
+ # ddos_protection_plan_id:
+
+ subscriptions:
+ connectivity:
+ virtual_hubs:
+ {{env}}:
+ name: Production
+ virtual_wan:
+ lz_key: connectivity_virtual_wans_{{env}}
+ key: global_wan
+ region_key: region1
+ hub_address_prefix: 10.101.51.0/24
+ deploy_s2s: false
+ s2s_config:
+ name: {{env}}
+ scale_unit: 1
+ deploy_er: false
+ er_config:
+ name: {{env}}
+ scale_units: 1
+
+ express_route_connections:
+ {{env}}:
+ enable_er_connections: false
+ name: er-1-{{env}}
+ virtual_hub:
+ key: {{env}}
+ circuit_peering:
+ tfstate_key: {{env}}
+ key: private_peering
+ express_route_circuit_authorization:
+ tfstate_key: {{env}}
+ key: vhub-{{env}}
+
diff --git a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
new file mode 100644
index 000000000..1383615ff
--- /dev/null
+++ b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
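Review bot: `remote_tfstates` and `global_settings_key` load `virtual_wans: prod`, but the hub's `virtual_wan.lz_key` is `connectivity_virtual_wans_{{env}}`; for any environment other than prod the referenced landing zone key will not be among the loaded remote states. Either the WAN is shared across environments, in which case the lz_key should be `connectivity_virtual_wans_prod`, or the remote state references should be `virtual_wans: {{env}}`; the two lines need to agree. The hub `name: Production` is also a literal under a `{{env}}` key; a templated value such as `name: vhub-{{env}}` (constructed example) would avoid two hubs with the same display name.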
@@ -0,0 +1,47 @@
+virtual_hubs_route_tables_{{env}}:
+ gitops:
+ caf_landingzone_branch: {{topology.caf_landingzone_branch}}
+
+ relative_destination_folder: level2/connectivity/virtual_hubs_route_tables/{{env}}
+
+ tfstate:
+ lz_key_name: virtual_hubs_route_tables_{{env}}
+ tfstate: connectivity_virtual_hubs_route_tables_{{env}}.tfstate
+ workspace: tfstate
+ level: level2
+ config_file: virtual_hubs_route_tables.yaml
+ identity_aad_key: cred_connectivity
+ # Do not rename the tfstate_key_name
+ tfstate_key_name: virtual_hubs_route_tables
+
+ deployments:
+ landingzone:
+ tfstate:
+ platform:
+ virtual_hubs_route_tables: {{env}}
+ global_settings_key:
+ platform:
+ virtual_hubs: {{env}}
+ remote_tfstates:
+ platform:
+ virtual_hubs: {{env}}
+ azurerm_firewalls: {{env}}
+
+ subscriptions:
+ connectivity:
+ virtual_hub_route_tables:
+ egress:
+ name: egress
+ virtual_hub:
+ lz_key: connectivity_virtual_hubs_{{env}}
+ key: {{env}}
+ routes:
+ egress_internet:
+ name: egress-internet
+ destinations_type: CIDR
+ destinations:
+ - 0.0.0.0/0
+ next_hop:
+ lz_key: connectivity_firewalls_{{env}}
+ resource_type: virtual_hub_connection
+ key: vnet_to_hub
diff --git a/templates/platform/services/connectivity_virtual_wans.yaml b/templates/platform/services/connectivity_virtual_wans.yaml
new file mode 100644
index 000000000..728d5571a
--- /dev/null
+++ b/templates/platform/services/connectivity_virtual_wans.yaml
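Review bot: `lz_key_name: virtual_hubs_route_tables_{{env}}` drops the `connectivity_` prefix that every other connectivity service in this series uses (`connectivity_virtual_hubs_{{env}}`, `connectivity_firewalls_{{env}}`, and even this file's own `tfstate:` name), which will surprise anyone writing a downstream `lz_key` reference; suggest `lz_key_name: connectivity_virtual_hubs_route_tables_{{env}}`. From these hunks alone I cannot see the `egress` table being associated with the hub connection or set as the hub default, so the `0.0.0.0/0` route to the firewall may not be in the forwarding path yet; worth a comment stating where that association is expected to happen.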
@@ -0,0 +1,39 @@
+virtual_wans_{{env}}:
+ gitops:
+ caf_landingzone_branch: {{topology.caf_landingzone_branch}}
+
+ relative_destination_folder: level2/connectivity/virtual_wans
+
+ tfstate:
+ lz_key_name: connectivity_virtual_wans_{{env}}
+ tfstate: connectivity_virtual_wans_{{env}}.tfstate
+ level: level2
+ config_file: virtual_wans.yaml
+ identity_aad_key: cred_connectivity
+ # Do not rename the tfstate_key_name
+ tfstate_key_name: virtual_wans
+
+ deployments:
+ landingzone:
+ tfstate:
+ platform:
+ virtual_wans: {{env}}
+ global_settings_key:
+ platform:
+ management:
+ remote_tfstates:
+ platform:
+ management:
+
+ subscriptions:
+ connectivity:
+ virtual_wans:
+ global_wan:
+ name: vwan
+ resource_group_key: global_wan
+ region_key: region1
+
+ resource_groups:
+ global_wan:
+ name: connectivity-global-wan
+ region_key: region1
diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_gateway_connections.yaml b/templates/platform/services/connectivity_vpn_gateway_connections.yaml
similarity index 50%
rename from templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_gateway_connections.yaml
rename to templates/platform/services/connectivity_vpn_gateway_connections.yaml
index c8eeeee61..d1b46ade7 100644
--- a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_gateway_connections.yaml
+++ b/templates/platform/services/connectivity_vpn_gateway_connections.yaml
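Review bot: `relative_destination_folder: level2/connectivity/virtual_wans` has no `/{{env}}` suffix, while the landing zone key, `lz_key_name` and tfstate name are all environment-specific, so rendering two environments would write their configurations into the same folder; the sibling templates use `.../virtual_hubs/{{env}}`, and `level2/connectivity/virtual_wans/{{env}}` would match. If the intent is instead one global WAN (the resource names `vwan` and `connectivity-global-wan` suggest that), the per-environment keys are misleading and a comment explaining which deployment owns it would help.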
@@ -25,29 +25,4 @@ vpn_gateway_connections: pfs_group: None sa_data_size_kb: 102400000 sa_lifetime_sec: 3600 - non_prod: - name: production - internet_security_enabled: true - vpn_site: - key: non_prod - virtual_hub: - lz_key: connectivity_virtual_hub_non_prod - key: non_prod - vpn_links: - non_prod: - name: non_prod - shared_key: - bgp_enabled: false - bandwidth_mbps: 100 - link_index: 0 - protocol: IKEv2 - ipsec_policies: - policy1: - dh_group: DHGroup24 - ike_encryption_algorithm: AES256 - ike_integrity_algorithm: SHA256 - encryption_algorithm: AES256 - integrity_algorithm: SHA256 - pfs_group: None - sa_data_size_kb: 102400000 - sa_lifetime_sec: 3600 + diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_sites.yaml b/templates/platform/services/connectivity_vpn_sites.yaml similarity index 100% rename from templates/enterprise-scale/contoso/platform/create_subscriptions/connectivity_vpn_sites.yaml rename to templates/platform/services/connectivity_vpn_sites.yaml diff --git a/templates/platform/services/eslz.yaml b/templates/platform/services/eslz.yaml new file mode 100644 index 000000000..914c76404 --- /dev/null +++ b/templates/platform/services/eslz.yaml 
@@ -0,0 +1,38 @@
+eslz_{{item}}:
+ gitops:
+ caf_landingzone_branch: {{topology.caf_landingzone_branch}}
+
+ relative_destination_folder: level1/eslz/{{item}}
+
+
+ tfstate:
+ lz_key_name: eslz_{{item}}
+ tfstate: eslz_{{item}}.tfstate
+ level: level1
+ identity_aad_key: cred_eslz
+ config_file: eslz_{{item}}.yaml
+ template_lib_folder: level1/eslz
+ sub_template_folder: level1/eslz
+ eslz_version: {{topology.enterprise_scale[item].version_to_deploy}}
+ yaml: level1/eslz/ansible.yaml
+ # Do not rename the tfstate_key_name
+ tfstate_key_name: eslz_{{item}}
+
+ deployments:
+ landingzone:
+ tfstate:
+ platform:
+ eslz_contoso:
+ global_settings_key:
+ platform:
+ launchpad:
+ remote_tfstates:
+ platform:
+ launchpad:
+ identity:
+ management:
+ subscriptions:
+
+ # Keep the following to allow rover ignite to process the deployment.
+ subscriptions:
+ launchpad:
\ No newline at end of file
diff --git a/templates/platform/services/identity.yaml b/templates/platform/services/identity.yaml
new file mode 100644
index 000000000..33fa5a962
--- /dev/null
+++ b/templates/platform/services/identity.yaml
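Review bot: `eslz_contoso:` under `deployments.landingzone.tfstate.platform` is a literal while the landing zone key, `lz_key_name`, tfstate and `tfstate_key_name` are all `eslz_{{item}}`, so for any item other than `contoso` the deployment's own tfstate entry will not match the key used elsewhere; suggest `eslz_{{item}}:`. The `remote_tfstates` list ends with an empty `subscriptions:` entry whose meaning is not obvious next to the trailing `subscriptions: launchpad:` block that the comment says must be kept; a one-line comment on what the empty entry loads would help.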
@@ -0,0 +1,68 @@ +identity: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level1/identity + + tfstate: + lz_key_name: identity + tfstate: identity.tfstate + level: level1 + identity_aad_key: cred_identity + config_file: identity.yaml + sub_template_folder: level1/identity + # Do not rename the tfstate_key_name + tfstate_key_name: identity + + deployments: + landingzone: + tfstate: + platform: + identity: + global_settings_key: + platform: + launchpad: + remote_tfstates: + platform: + launchpad: + + subscriptions: + identity: + resource_groups: + management: + name: management + alerts: + name: alerts + + service_health_alerts: + enable_service_health_alerts: true + name: alerts + shortname: HealthAlerts + resource_group_key: alerts + action_group_name: actiongrp + email_alert_settings: + support1: + name: email_alert_support1 + email_address: {{topology.notifications.service_health_alerts}} + use_common_alert_schema: false + + recovery_vaults: + asr: + name: asr + resource_group_key: management + soft_delete_enabled: true + backup_policies: + {{topology.backup_policies | to_nice_yaml(width=80, indent=2) | indent(12)}} + +# Bring here you existing active directory security groups. +# Those are the groups you will inject to RBAC in the Enterprise Scale deployment. +# Note Terraform will create a new Azure AD group and add the existing as a member + + # azuread_groups: + # network_ops_team: + # name: netops + # members: + # # Set the list of the existing groups + # objects_ids: + # - existing_azure_ad_group_object_id + diff --git a/templates/platform/services/identity_level2.yaml b/templates/platform/services/identity_level2.yaml new file mode 100644 index 000000000..e75711948 --- /dev/null +++ b/templates/platform/services/identity_level2.yaml 
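Review bot: The comment block above the commented-out `azuread_groups` example reads "Bring here you existing active directory security groups"; suggest "Bring your existing Azure AD security groups here." and keeping the example indented at the same level as `azuread_groups` would belong under `subscriptions.identity`, since the current mixed indentation makes it unclear where an uncommented block should sit. The `backup_policies` line relies on `to_nice_yaml(...) | indent(12)` to land under `recovery_vaults.asr`; a comment noting that the indent value must track the nesting depth would save the next editor a rendering surprise.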
@@ -0,0 +1,33 @@ +identity_level2_{{env}}: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level2/identity/{{env}} + + tfstate: + lz_key_name: identity_level2_{{env}} + tfstate: identity_level2_{{env}}.tfstate + level: level2 + config_file: identity_level2.yaml + identity_aad_key: cred_identity + # Do not rename the tfstate_key_name + tfstate_key_name: identity_level2 + + + deployments: + landingzone: + tfstate: + platform: + identity_level2: {{env}} + global_settings_key: + platform: + identity: + remote_tfstates: + platform: + identity: + + subscriptions: + identity: + azuread_groups: + caf_{{env}}_landingzones_dns_contributors: + name: caf ac {{env}} landingzones dns contributors \ No newline at end of file diff --git a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_aadds.yaml b/templates/platform/services/identity_level2_aadds.yaml similarity index 99% rename from templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_aadds.yaml rename to templates/platform/services/identity_level2_aadds.yaml index f022c591b..52f41c611 100644 --- a/templates/enterprise-scale/contoso/platform/create_subscriptions/deployments/prod/identity_level2_aadds.yaml +++ b/templates/platform/services/identity_level2_aadds.yaml @@ -1,5 +1,5 @@ gitops: - landingzones: aci_network + landingzones: AL-azurerm2931 deployments: identity: diff --git a/templates/platform/services/identity_level2_adds.yaml b/templates/platform/services/identity_level2_adds.yaml new file mode 100644 index 000000000..527ef8c31 --- /dev/null +++ b/templates/platform/services/identity_level2_adds.yaml 
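Review bot: `tfstate_key_name: identity_level2` is the same value that identity_level2_adds.yaml declares further down, and both carry the "Do not rename the tfstate_key_name" comment; if this key is what the rover uses to register and look up the tfstate, the two level2 identity deployments would collide. I cannot confirm that from these hunks, so a comment stating whether the shared key is intentional, or a distinct `tfstate_key_name: identity_level2_adds` in the adds template, would settle it.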
@@ -0,0 +1,407 @@ +identity_level2_adds_{{env}}: + gitops: + landingzones: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level2/identity/adds/{{env}} + + deployments: + identity: + landingzone: + tfstate: + platform: + identity_level2_adds: {{env}} + global_settings_key: + platform: + virtual_hubs: {{env}} + remote_tfstates: + platform: + management: + virtual_hubs: {{env}} + identity: + + tfstate: + lz_key_name: identity_level2_adds_{{env}} + tfstate: identity_level2_adds_{{env}}.tfstate + level: level2 + identity_aad_key: cred_identity + # Do not rename the tfstate_key_name + tfstate_key_name: identity_level2 + + subscriptions: + identity: + resource_groups: + rg: + name: identity-{{env}}-adds + region_key: region1 + + virtual_networks: + vnet: + name: identity-{{env}}-adds + resource_group_key: rg + region_key: region1 + address_space: + - 10.10.100.0/27 + dns_servers: + - 10.10.100.4 + - 10.10.100.5 + subnets: + adds: + name: snet-adds + cidr: + - 10.10.100.0/28 + nsg_key: adds_re1 + management: + name: snet-adds-management + cidr: + - 10.10.100.16/28 + + keyvaults: + adds_credentials: + name: addskv + resource_group_key: rg + sku_name: premium + purge_protection_enabled: false + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + dynamic_keyvault_secrets: + adds_credentials: + vmadmin-username: + secret_name: vmadmin-username + value: vmadmin + vmadmin-password: + secret_name: vmadmin-password + value: Very@Str5ngP!44w0rdToChaNge# + + virtual_machines: + adds1: + resource_group: + key: rg + region: region1 + os_type: windows + keyvault_key: adds_credentials + backup: + vault_key: asr + policy_key: default + lz_key: identity + + virtual_machine_settings: + windows: + computer_name: adds1 + name: adds1 + admin_password_key: vmadmin-password + admin_username_key: vmadmin-username + network_interface_keys: + - nic0 + provision_vm_agent: true + size: Standard_F2 + zone: 1 + 
os_disk: + name: adds1-os + caching: ReadWrite + storage_account_type: Standard_LRS + disk_size_gb: 128 + # identity: + # type: SystemAssigned, UserAssigned + # managed_identity_keys: + # - id1 + # remote: + # lz_key_name1: + # managed_identity_keys: + # - id2 + # - id3 + # lz_key_name2: + # managed_identity_keys: + # - id4 + # - id5 + + # custom_image_id: + + source_image_reference: + publisher: MicrosoftWindowsServer + offer: WindowsServer + sku: 2019-Datacenter + version: latest + + data_disks: + lun1: + name: adds1-data1 + lun: "1" + caching: None + storage_account_type: Standard_LRS + create_option: Empty + disk_size_gb: 10 + zones: + - "1" + + networking_interfaces: + nic0: + name: 0 + vnet_key: vnet + subnet_key: adds + enable_ip_forwarding: false + internal_dns_name_label: adds1-nic0 + private_ip_address_allocation: Static + private_ip_address: 10.10.100.4 + primary: true + tags: + adds: "ok" + dns_servers: + # - Set on-prem dns + - 10.10.100.5 + network_security_group: + key: adds_re1 + # ip_configurations: + # conf2: + # name: 0-conf + # vnet_key: vnet + # subnet_key: management + # enable_ip_forwarding: false + # private_ip_address_allocation: Static + # private_ip_address: 10.10.100.20 + + adds2: + resource_group: + key: rg + region: region1 + os_type: windows + keyvault_key: adds_credentials + backup: + vault_key: asr + policy_key: default + lz_key: identity_level2 + + virtual_machine_settings: + windows: + computer_name: adds2 + name: adds2 + admin_password_key: vmadmin-password + admin_username_key: vmadmin-username + network_interface_keys: + - nic0 + provision_vm_agent: true + size: Standard_F2 + zone: 2 + os_disk: + name: adds2-os + caching: ReadWrite + storage_account_type: Standard_LRS + disk_size_gb: 128 + # identity: + # type: SystemAssigned, UserAssigned + # managed_identity_keys: + # - id1 + # remote: + # lz_key_name1: + # managed_identity_keys: + # - id2 + # - id3 + # lz_key_name2: + # managed_identity_keys: + # - id4 + # - id5 + + + 
source_image_reference: + publisher: MicrosoftWindowsServer + offer: WindowsServer + sku: 2019-Datacenter + version: latest + + data_disks: + lun1: + name: adds2-data1 + lun: "1" + storage_account_type: Standard_LRS + create_option: Empty + disk_size_gb: 10 + zones: + - "2" + + networking_interfaces: + nic0: + name: 0 + vnet_key: vnet + subnet_key: adds + enable_ip_forwarding: false + internal_dns_name_label: adds2-nic0 + private_ip_address_allocation: Static + private_ip_address: 10.10.100.5 + primary: true + tags: + adds: "ok" + dns_servers: + # - Set on-prem ADDS dns + - 10.10.100.4 + network_security_group: + key: adds_re1 + # ip_configurations: + # conf2: + # name: 0-conf + # vnet_key: vnet + # subnet_key: management + # enable_ip_forwarding: false + # private_ip_address_allocation: Static + # private_ip_address: 10.10.100.21 + + virtual_hub_connections: + vnet_to_hub: + name: vnet-identity-prod-adds-TO-vhub-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet + + network_security_group_definition: + adds_re1: + version: 1 + resource_group_key: rg + region: region1 + name: nsg-adds-re1 + # Reference - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts + # following is for Windows Server 2008 and later + nsg: + Inbound: + 400: + name: W32Time. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + # source_address_prefixes: + # - on-prem CIDR for ADDS + source_port_range: "49152-65535" + destination_port_range: "123" + destination_address_prefix: "*" + 401: + name: RPC Endpoint Mapper. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "135" + destination_address_prefix: "*" + 402: + name: Kerberos password change tcp. 
+ access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "464" + destination_address_prefix: "*" + 403: + name: Kerberos password change udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "464" + destination_address_prefix: "*" + 404: + name: RPC for LSA, SAM, NetLogon. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "49152-65535" + destination_address_prefix: "*" + 405: + name: LDAP-tcp. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "389" + destination_address_prefix: "*" + 406: + name: LDAP-udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "389" + destination_address_prefix: "*" + 407: + name: LDAP SSL. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "636" + destination_address_prefix: "*" + 408: + name: LDAP GC. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "3268" + destination_address_prefix: "*" + 409: + name: LDAP GC SSL. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "3269" + destination_address_prefix: "*" + 410: + name: DNS tcp. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_ranges: + - "53" + - "49152-65535" + destination_port_range: "53" + destination_address_prefix: "*" + 411: + name: DNS udp. 
+ access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_ranges: + - "53" + - "49152-65535" + destination_port_range: "53" + destination_address_prefix: "*" + 412: + name: Kerberos tcp. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "88" + destination_address_prefix: "*" + 413: + name: Kerberos udp. + access: Allow + protocol: udp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "88" + destination_address_prefix: "*" + 414: + name: SMB. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "445" + destination_address_prefix: "*" + # Adjust the following based on your RPC custom ports configuration + 415: + name: FRS RPC. + access: Allow + protocol: tcp + source_address_prefix: "VirtualNetwork" + source_port_range: "49152-65535" + destination_port_range: "49152-65535" + destination_address_prefix: "*" \ No newline at end of file diff --git a/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml b/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml new file mode 100644 index 000000000..04dc47b71 --- /dev/null +++ b/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml 
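Review bot: `dynamic_keyvault_secrets.adds_credentials.vmadmin-password` commits a literal password (`value: Very@Str5ngP!44w0rdToChaNge#`) for the domain controller admin account into the template, and that value is then rendered into tfvars and stored in Terraform state for every environment; the value should come from a topology variable (for example `value: {{topology.identity.adds.vmadmin_password}}`, placeholder name) or from a generated secret rather than from git. The key vault holding those credentials sets `purge_protection_enabled: false`, which is worth a comment if deliberate since it allows the vault and its secrets to be permanently deleted. `virtual_hub_connections.vnet_to_hub.virtual_hub` uses `lz_key: connectivity_virtual_hub_prod` / `key: prod`, but the hubs template publishes `lz_key_name: connectivity_virtual_hubs_{{env}}` (plural) keyed `{{env}}`, so this connection will not resolve; suggest `lz_key: connectivity_virtual_hubs_{{env}}` and `key: {{env}}`. adds1 backs up to `lz_key: identity` while adds2 uses `lz_key: identity_level2`; the `asr` recovery vault is defined in identity.yaml, so adds2 presumably should also reference `identity`.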
@@ -0,0 +1,522 @@ +launchpad: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level0/launchpad + + tfstate: + lz_key_name: launchpad + tfstate: caf_launchpad.tfstate + workspace: tfstate + level: level0 + identity_aad_key: cred_level0 + config_file: launchpad.yaml + sub_template_folder: level0/launchpad + yaml: level0/launchpad/ansible.yaml + # Do not rename the tfstate_key_name + tfstate_key_name: launchpad + + deployments: + landingzone: + tfstate: + platform: + launchpad: + + subscriptions: + launchpad: + resource_groups: + level0: + name: caf-level0 + level1: + name: caf-level1 + level2: + name: caf-level2 + + storage_accounts: + level0: + name: l0 + resource_group_key: level0 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: {{topology.caf_environment}} + caf_launchpad: launchpad + caf_tfstate: level0 + level1: + name: l1 + resource_group_key: level1 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. 
+ # Only adjust the environment value at creation time + caf_environment: {{topology.caf_environment}} + caf_launchpad: launchpad + caf_tfstate: level1 + level2: + name: l2 + resource_group_key: level2 + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: GRS + blob_properties: + versioning_enabled: true + last_access_time_enabled: true + container_delete_retention_policy: + days: 7 + delete_retention_policy: + days: 7 + containers: + tfstate: + name: tfstate + tags: + ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. + # Only adjust the environment value at creation time + caf_environment: {{topology.caf_environment}} + caf_launchpad: launchpad + caf_tfstate: level2 + + role_mapping: + built_in_role_mapping: + management_group: + # if you are using a root_parent_id, replace the following root by the root_parent_id value + root: + User Access Administrator: + azuread_groups: + keys: + - level0 + Management Group Contributor: + azuread_groups: + keys: + - eslz + - caf_platform_maintainers + Owner: + azuread_groups: + keys: + - eslz + - caf_platform_maintainers + - connectivity # only when deploying in single subscription + - identity # only when deploying in single subscription + - management # only when deploying in single subscription + - subscription_creation_landingzones # # only when deploying in single subscription + Reader: + azuread_groups: + keys: + - caf_platform_contributors + subscriptions: + logged_in_subscription: + Owner: + azuread_groups: + keys: + - level0 + - subscription_creation_platform + - caf_platform_maintainers + Reader: + azuread_groups: + keys: + - identity + resource_groups: + level0: + Reader: + azuread_groups: + keys: + - identity + - subscription_creation_platform + - caf_platform_contributors + level1: + Reader: + azuread_groups: + keys: + - identity + - management + - eslz + - 
subscription_creation_platform + - caf_platform_contributors + level2: + Reader: + azuread_groups: + keys: + - identity + - management + - connectivity + - subscription_creation_platform + - caf_platform_contributors + + storage_accounts: + level0: + Storage Blob Data Contributor: + azuread_groups: + keys: + - level0 + - identity + - caf_platform_maintainers + Storage Blob Data Reader: + azuread_groups: + keys: + - management + - eslz + - subscription_creation_platform + - caf_platform_contributors + level1: + Storage Blob Data Contributor: + azuread_groups: + keys: + - caf_platform_maintainers + - identity + - management + - eslz + - subscription_creation_platform + Storage Blob Data Reader: + azuread_groups: + keys: + - connectivity + - caf_platform_contributors + - level0 + level2: + Storage Blob Data Contributor: + azuread_groups: + keys: + - identity + - connectivity + - management + - caf_platform_maintainers + - level0 + Storage Blob Data Reader: + azuread_groups: + keys: + - subscription_creation_landingzones + - caf_platform_contributors + + keyvaults: + level0: + name: l0 + sku_name: premium + resource_group_key: level0 + level1: + name: l1 + sku_name: premium + resource_group_key: level1 + level2: + name: l2 + sku_name: premium + resource_group_key: level2 + + keyvault_access_policies: + level0: + sp_level0: + azuread_group_key: level0 + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity: + azuread_group_key: identity + secret_permissions: + - Get + level1: + sp_level0: + azuread_group_key: level0 + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity: + azuread_group_key: identity + secret_permissions: + - Get + management: + azuread_group_key: management + secret_permissions: + - Get + eslz: + azuread_group_key: eslz + secret_permissions: + - Get + subscription_creation_platform: + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + level2: + 
sp_level0: + azuread_group_key: level0 + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity: + azuread_group_key: identity + secret_permissions: + - Get + management: + azuread_group_key: management + secret_permissions: + - Get + connectivity: + azuread_group_key: connectivity + secret_permissions: + - Get + subscription_creation_platform: + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + + azuread_applications: + level0: + application_name: sp-caf-level0 + identity: + application_name: sp-caf-identity + management: + application_name: sp-caf-management + eslz: + application_name: sp-caf-eslz + connectivity: + application_name: sp-caf-connectivity + subscription_creation_platform: + application_name: sp-caf-subscription_creation_platform + subscription_creation_landingzones: + application_name: sp-caf-subscription_creation_landingzones + + azuread_service_principals: + # Manage the deployment of the level0 + level0: + azuread_application: + key: level0 + # Manage the deployment of Enterprise Scale + eslz: + azuread_application: + key: eslz + # Manage the deployment of the connectivity services + connectivity: + azuread_application: + key: connectivity + # Manage the deployment of the shared services + management: + azuread_application: + key: management + # Manage the deployment of the identity services + identity: + azuread_application: + key: identity + # Has delegation to create platform subscriptions + subscription_creation_platform: + azuread_application: + key: subscription_creation_platform + # Has delegation to create landingzone subscriptions + subscription_creation_landingzones: + azuread_application: + key: subscription_creation_landingzones + + azuread_api_permissions: + level0: + microsoft_graph: + resource_app_id: 00000003-0000-0000-c000-000000000000 + resource_access: + AppRoleAssignment_ReadWrite_All: + id: 06b708a9-e830-4db3-a914-8e69da51d44f + type: Role + 
DelegatedPermissionGrant_ReadWrite_All: + id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a + type: Role + Application_ReadWrite_OwnedBy: + id: 18a4783c-866b-4cc7-a460-3d5e5662c884 + type: Role + identity: + active_directory_graph: + resource_app_id: 00000002-0000-0000-c000-000000000000 + resource_access: + Application_ReadWrite_OwnedBy: + id: 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7 + type: Role + Directory_ReadWrite_All: + id: 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175 + type: Role + microsoft_graph: + resource_app_id: 00000003-0000-0000-c000-000000000000 + resource_access: + AppRoleAssignment_ReadWrite_All: + id: 06b708a9-e830-4db3-a914-8e69da51d44f + type: Role + DelegatedPermissionGrant_ReadWrite_All: + id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a + type: Role + GroupReadWriteAll: + id: 62a82d76-70ea-41e2-9197-370581804d09 + type: Role + RoleManagement_ReadWrite_Directory: + id: 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 + type: Role + + azuread_roles: + azuread_service_principals: + level0: + roles: + - Privileged Role Administrator + - Application Administrator + - Groups Administrator + identity: + roles: + - User Administrator + - Application Administrator + - Groups Administrator + subscription_creation_landingzones: + roles: + - Application Administrator + - Groups Administrator + + dynamic_keyvault_secrets: + level0: + subscription_id: + output_key: client_config + attribute_key: subscription_id + secret_name: subscription-id + tenant_id: + output_key: client_config + attribute_key: tenant_id + secret_name: tenant-id + level1: + lower_stg: + output_key: storage_accounts + resource_key: level0 + attribute_key: name + secret_name: lower-storage-account-name + lower_rg: + output_key: resource_groups + resource_key: level0 + attribute_key: name + secret_name: lower-resource-group-name + subscription_id: + output_key: client_config + attribute_key: subscription_id + secret_name: subscription-id + tenant_id: + output_key: client_config + attribute_key: tenant_id + secret_name: tenant-id 
+ level2: + lower_stg: + output_key: storage_accounts + resource_key: level1 + attribute_key: name + secret_name: lower-storage-account-name + lower_rg: + output_key: resource_groups + resource_key: level1 + attribute_key: name + secret_name: lower-resource-group-name + subscription_id: + output_key: client_config + attribute_key: subscription_id + secret_name: subscription-id + tenant_id: + output_key: client_config + attribute_key: tenant_id + secret_name: tenant-id + + azuread_groups: + caf_platform_maintainers: + name: caf-platform-maintainers + description: High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments. + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + caf_platform_contributors: + name: caf-platform-contributors + description: Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR. + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + level0: + name: caf-level0 + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - level0 + eslz: + name: caf-eslz + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - eslz + identity: + name: caf-identity + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - identity + management: + name: caf-management + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - management + connectivity: + name: caf-connectivity + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - connectivity + subscription_creation_platform: + name: caf-subscription_creation_platform + prevent_duplicate_name: true + owners: + - 
{{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - subscription_creation_platform + subscription_creation_landingzones: + name: caf-subscription_creation_landingzones + prevent_duplicate_name: true + owners: + - {{topology.ea_owner_object_id}} + members: + azuread_service_principal_keys: + - subscription_creation_landingzones + # object_ids: + # - + diff --git a/templates/platform/services/launchpad_credentials_azuread_sp.yaml b/templates/platform/services/launchpad_credentials_azuread_sp.yaml new file mode 100644 index 000000000..140104390 --- /dev/null +++ b/templates/platform/services/launchpad_credentials_azuread_sp.yaml 
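Review bot: The `azuread_api_permissions` and `azuread_roles` blocks grant tenant-takeover-level rights — `AppRoleAssignment_ReadWrite_All` and `RoleManagement_ReadWrite_Directory` on Microsoft Graph for `level0`/`identity`, plus the `Privileged Role Administrator` directory role for `level0` — yet, unlike the `azuread_service_principals` entries that each carry a purpose comment, nothing says so. Any holder of these can assign itself Global Administrator, so the template should state that these principals' credentials are the highest-value secrets in the platform and that their sign-ins and role changes deserve alerting; e.g. above `azuread_api_permissions:` add `# Tenant-wide privileged app roles: these allow granting any directory role, including Global Administrator. Requires admin consent; monitor sign-ins and role changes for these principals.` The `identity` entry also targets the legacy Azure AD Graph (`resource_app_id: 00000002-0000-0000-c000-000000000000`), which is deprecated; the equivalent Microsoft Graph application permissions should replace it before that API is retired, and a `# TODO migrate from Azure AD Graph to Microsoft Graph` marker would keep that visible.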
@@ -0,0 +1,470 @@ +launchpad_credentials: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level0/credentials + + tfstate: + lz_key_name: launchpad_credentials + tfstate: launchpad_credentials.tfstate + level: level0 + identity_aad_key: cred_identity + config_file: credentials.yaml + sub_template_folder: level0/credentials + # Do not rename the tfstate_key_name + tfstate_key_name: launchpad_credentials + + deployments: + landingzone: + tfstate: + platform: + launchpad_credentials: + global_settings_key: + platform: + launchpad: + remote_tfstates: + platform: + launchpad: + + + subscriptions: + launchpad_credentials: + resource_groups: + sp_credentials: + name: credentials + + keyvaults: + cred_ea_account_owner: + name: eaowner + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_ea_account_owner + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + cred_level0: + name: idl0 + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_level0 + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + level0: + lz_key: launchpad + azuread_group_key: level0 + secret_permissions: + - Get + cred_identity: + name: id + resource_group_key: 
sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_identity + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + cred_management: + name: mg + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_management + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + management_azuread_group: + lz_key: launchpad + azuread_group_key: management + secret_permissions: + - Get + cred_eslz: + name: es + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_eslz + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + eslz_azuread_group: + lz_key: launchpad + azuread_group_key: eslz + secret_permissions: + - Get + cred_connectivity: + name: co + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_connectivity + 
creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + connectivity_azuread_group: + lz_key: launchpad + azuread_group_key: connectivity + secret_permissions: + - Get + cred_subscription_creation_platform: + name: scp + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_subscription_creation_platform + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + subscription_creation_platform_azuread_group: + lz_key: launchpad + azuread_group_key: subscription_creation_platform + secret_permissions: + - Get + cred_subscription_creation_landingzones: + name: scl + resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_subscription_creation_landingzones + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + subscription_creation_platform_azuread_group: + lz_key: launchpad + azuread_group_key: subscription_creation_landingzones + secret_permissions: + - Get + cred_gitops: + name: gitops + 
resource_group_key: sp_credentials + purge_protection_enabled: false + tags: + caf_environment: {{topology.caf_environment}} + caf_identity_aad_key: cred_gitops + creation_policies: + caf_platform_maintainers: + lz_key: launchpad + azuread_group_key: caf_platform_maintainers + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + identity_azuread_group: + lz_key: launchpad + azuread_group_key: identity + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + cred_ea_account_owner: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_level0: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_identity: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_management: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_eslz: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_connectivity: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_subscription_creation_platform: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_subscription_creation_landingzones: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + cred_gitops: + gitops: + azuread_service_principal_key: gitops + secret_permissions: + - Get + + azuread_applications: + gitops: + application_name: app-azure-platform-credentials-for-gitops + + azuread_service_principals: + gitops: + azuread_application: + key: gitops + + azuread_credentials: + gitops: + type: password + azuread_credential_policy_key: gitops + azuread_application: + key: gitops + keyvaults: + cred_gitops: + secret_prefix: sp + level0: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: level0 + keyvaults: + cred_level0: + secret_prefix: 
sp + identity: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: identity + keyvaults: + cred_identity: + secret_prefix: sp + management: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: management + keyvaults: + cred_management: + secret_prefix: sp + eslz: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: eslz + keyvaults: + cred_eslz: + secret_prefix: sp + connectivity: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: connectivity + keyvaults: + cred_connectivity: + secret_prefix: sp + subscription_creation_platform: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: subscription_creation_platform + keyvaults: + cred_subscription_creation_platform: + secret_prefix: sp + subscription_creation_landingzones: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + lz_key: launchpad + key: subscription_creation_landingzones + keyvaults: + cred_subscription_creation_landingzones: + secret_prefix: sp + + azuread_credential_policies: + gitops: + length: 250 + special: false + upper: true + number: true + expire_in_days: 360 + rotation_key0: + days: 181 + rotation_key1: + days: 300 + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 65 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + diff --git a/templates/platform/services/management.yaml b/templates/platform/services/management.yaml new file mode 100644 index 000000000..80b38accf --- /dev/null +++ b/templates/platform/services/management.yaml 
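Review bot: Every vault in `keyvaults` (`cred_ea_account_owner` through `cred_gitops`) is created with `purge_protection_enabled: false`, although these vaults hold the client secrets of all platform service principals and the EA account-owner identity, and several policies grant `Purge`. Without purge protection a single principal with Delete and Purge (for example any member of `caf_platform_maintainers`) can irrecoverably destroy every platform credential; `purge_protection_enabled: true` is the safer setting here, and if the current value is intentional because the vault is expected to be rebuilt, say so in a comment next to the setting. In `keyvault_access_policies` the `gitops` service principal gets `Get` on all nine vaults including `cred_ea_account_owner`, which makes the pipeline identity a single point of compromise for the whole platform; a comment above that block stating this, and pointing at the 360-day `gitops` credential policy below, would help operators weigh the rotation interval. Separately, under `cred_subscription_creation_landingzones.creation_policies` the policy key is named `subscription_creation_platform_azuread_group` while `azuread_group_key` is `subscription_creation_landingzones`; renaming it to `subscription_creation_landingzones_azuread_group` keeps it consistent with the other vaults.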
@@ -0,0 +1,93 @@ +management: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level1/management + + tfstate: + lz_key_name: management + tfstate: management.tfstate + level: level1 + identity_aad_key: cred_management + config_file: management.yaml + sub_template_folder: level1/management + # Do not rename the tfstate_key_name + tfstate_key_name: management + + deployments: + landingzone: + tfstate: + platform: + management: + global_settings_key: + platform: + launchpad: + remote_tfstates: + platform: + launchpad: + + subscriptions: + management: + resource_groups: + management: + name: management + alerts: + name: alerts + + storage_accounts: + nsgflogs: + name: nsglogs + resource_group_key: management + account_kind: BlobStorage + account_tier: Standard + shared_access_key_enabled: false + account_replication_type: LRS + + diagnostic_log_analytics: + # if you change this key you also need to change it in the ESLZ deployment + # eslz/archetype_config_overrides.caf.platform.yaml + # eslz/custom_landing_zones.caf.platform.yaml + region1: + name: logre1 + resource_group_key: management + + monitor_action_groups: + networking_operations: + action_group_name: Networking Operations + resource_group_key: alerts + shortname: netops + arm_role_alert: + contributors: + name: Monitoring Contributor + role_name: Monitoring Contributor + use_common_alert_schema: false + email_receiver: + noc: + name: email_alert_support1 + email_address: {{topology.notifications.monitor_action_groups.networking_operations}} + use_common_alert_schema: false + + service_health_alerts: + enable_service_health_alerts: true + name: alerts + shortname: HealthAlerts + resource_group_key: alerts + action_group_name: actiongrp + email_alert_settings: + support1: + name: email_alert_support1 + email_address: {{topology.notifications.service_health_alerts}} + use_common_alert_schema: false + + automation_accounts: + account1: + name: 
automationAccount1 + resource_group_key: management + + recovery_vaults: + asr: + name: asr + resource_group_key: management + soft_delete_enabled: true + backup_policies: + {{topology.backup_policies | to_nice_yaml(width=80, indent=2) | indent(12)}} diff --git a/templates/platform/services/subscriptions.yaml b/templates/platform/services/subscriptions.yaml new file mode 100644 index 000000000..d5cace057 --- /dev/null +++ b/templates/platform/services/subscriptions.yaml @@ -0,0 +1,35 @@ +subscriptions: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level1/subscriptions + + tfstate: + lz_key_name: subscriptions + tfstate: platform_subscriptions.tfstate + level: level1 + identity_aad_key: cred_subscription_creation_platform + config_file: subscriptions.yaml + sub_template_folder: level1/subscriptions + # Do not rename the tfstate_key_name + tfstate_key_name: subscriptions + + deployments: + landingzone: + tfstate: + platform: + subscriptions: + + subscriptions: + launchpad: + subscriptions: +{% for key, value in topology.subscriptions.items() %} + {{key}}: +{% for l_key, l_value in value.items() %} +{% if l_key == 'create_alias' %} + {{l_key}}: {{l_value | lower }} +{% else %} + {{l_key}}: {{l_value}} +{% endif %} +{% endfor %} +{% endfor %} diff --git a/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml b/templates/platform/services/template.caf.platform.yaml similarity index 61% rename from templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml rename to templates/platform/services/template.caf.platform.yaml index dcab56fb8..9a41baef1 100644 --- a/templates/enterprise-scale/contoso/platform/single_subscription/contoso.caf.platform.yaml +++ b/templates/platform/services/template.caf.platform.yaml 
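Review bot: The `nsgflogs` storage account (key `nsgflogs`, `name: nsglogs`), which presumably receives NSG flow logs, has no `blob_properties` delete-retention or versioning settings, unlike the tfstate accounts in the launchpad template. Flow logs are security evidence, so a `delete_retention_policy` / `container_delete_retention_policy` like the tfstate accounts use would let logs removed by a careless or compromised principal be recovered, and a comment such as `# Destination for NSG flow logs; keep retention aligned with the log analytics workspace` would record the account's purpose. The key spelling `nsgflogs` looks like a typo for `nsglogs` or `nsgflowlogs` and is not referenced anywhere in this hunk, so it is cheap to correct now before other templates depend on it.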
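Review bot: The inner loop emits `{{l_key}}: {{l_value}}` with no quoting, so a subscription attribute value containing YAML-significant characters (`: `, ` #`, a leading `*`) or an empty value produces a malformed or silently mis-parsed `subscriptions.yaml`; the same pattern appears in the new `tfstates.yaml`. Rendering scalars through a serializer, e.g. `{{l_key}}: {{l_value | to_json}}`, keeps the output well-formed for any input, while the `create_alias` branch can keep its `| lower` on the boolean. The `topology.subscriptions.items()` loop also has no `is defined` guard, unlike the `root_parent_id` check in the `template.caf.platform.yaml` hunk, so a topology without a `subscriptions` mapping aborts the whole render.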
@@ -5,9 +5,9 @@ configuration_folders: # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. cleanup_destination: true # base destination folder where rover ignite will store the tfvars files. No / at the end - destination_base_path: /tf/caf + destination_base_path: {{destination_base_path}} # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end - destination_relative_path: platform/ + destination_relative_path: {{configuration_relative_path}} caf_terraform: 
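Review bot: `destination_base_path` and `destination_relative_path` are now taken from Jinja variables while the unchanged `cleanup_destination: true` two lines above keeps cleanup enabled, so an unset or mistyped variable now decides which directory gets cleaned. How cleanup is implemented is outside this hunk, but a guard such as `destination_base_path: {{ destination_base_path | mandatory }}` (and likewise for `configuration_relative_path`) makes a missing value fail the render instead of yielding an empty or wrong path. The `# No / at the end` comment should also mention that the value comes from the `-e destination_base_path=` extra-var shown in `walk-through-single.yaml`, since the template no longer carries an example value.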
@@ -22,28 +22,19 @@ caf_terraform: # if passthrough is set to false, add random suffix to name, up to the random_lenght value. random_length: 3 launchpad: - caf_environment: + caf_environment: {{topology.caf_environment}} regions: - region1: - # set the short form of the Azure region - name: southeastasia # Use the lower-case region's name, short version with no space - slug: sea - region2: - name: eastasia # Use the lower-case region's name, short version with no space - slug: ea - default_region_key: region1 - # Define the number of CAF levels to use. Recommeded is 3 for the platform. - # number_of_levels: 3 - # blob_versioning_enabled: true - # container_delete_retention_policy: 7 - # delete_retention_policy: 7 +{% for region, location in regions.items() %} + {{region}}: {{location}} +{% endfor %} + default_region_key: {{topology.default_region_key}} # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. - subscription_id: - subscription_name: LLE-Resource Sub1 - tenant_id: + subscription_id: {{subscription_id.stdout}} + subscription_name: {{subscription_name.stdout}} + tenant_id: {{tenant_id.stdout}} global_tags_propagated: yes tags: - test: + caf_deployment_mode: demo_single_subscription billing_subscription_role_delegations: # true: enable this deployment. The remaining attributes are required. 
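Review bot: The new `regions` loop emits each region as a single scalar (`region_key: location`), whereas the removed block defined each region as a mapping with `name` and `slug` children, and the `# set the short form of the Azure region` guidance is gone with it. If the consumers of `caf_terraform.launchpad.regions` still expect `name`/`slug` (they are not in this hunk), this is a silent schema change rather than a templating of the old shape; either keep the nested form (`{{region}}:` / `name: {{location}}` / `slug: ...`) or state the new shape in a comment above the loop. `subscription_id`, `subscription_name` and `tenant_id` are filled from `.stdout` of earlier tasks without quoting, so a subscription name containing `: ` or ` #` breaks the YAML; `subscription_name: "{{subscription_name.stdout}}"` (or `| to_json`) avoids that, and an empty stdout from a failed lookup currently renders as an empty key rather than an error.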
@@ -55,56 +46,54 @@ caf_terraform: enable: false # Azure Active Directory User (UPN) that is Account Owner in the EA portal # if enable=false, set the upn of the user doing the manual deployment - azuread_user_ea_account_owner: + azuread_user_ea_account_owner: {{topology.azuread_user_ea_account_owner}} # see comments above to get the object_id # - # Also set this GUID to the owner of the launchpad azuread_groups + # Also set this GUID to the owner of the launchpad azuread_groups # - azuread_user_ea_account_owner_object_id: + azuread_user_ea_account_owner_object_id: {{topology.ea_owner_object_id}} # Only set the following two attributes when enable=true billing_account_name: enrollment_account_name: platform_core_setup: + enable_azure_subscription_vending_machine: {{topology.enable_azure_subscription_vending_machine | lower}} + private_lib: + v0.3.3: + caf_landingzone_branch: "patch.5.4.4" + v1.1.1: + caf_landingzone_branch: "AL-azurerm2931" enterprise_scale: - enable: true - management_group_name: - management_group_prefix: - deploy_core_landing_zones: true - enable_azure_subscription_vending_machine: true - clean_up_destination_folder: true - update_lib_folder: true - # resuse_subscriptions - do not create subscriptions through API automation. Requires the following subscription_id_overrides to be set with 4 subscriptions - # single_reuse - Deploy on a single subscription - subscription_deployment_mode: single_reuse - # Option only set if you've be given a delegated management group ID. 
- # Comment to deploy to deploy at the tenant root level - # root_parent_id: lab - private_lib: - version_to_deploy: v1.1.1 - v0.1.x: - caf_landingzone_branch: "2107.1" - v0.3.3: - caf_landingzone_branch: "patch.5.4.4" - v1.1.1: - caf_landingzone_branch: "aci_network" +{% for key, value in topology.enterprise_scale.items() %} + {{key}}: + management_group_prefix: "{{value.management_group_prefix}}" + management_group_name: "{{value.management_group_name}}" + deploy_core_landing_zones: {{value.deploy_core_landing_zones | lower}} + clean_up_destination_folder: {{value.clean_up_destination_folder | lower}} + update_lib_folder: {{value.update_lib_folder | lower}} + version_to_deploy: "{{value.version_to_deploy}}" +{% if value.root_parent_id is defined %} + root_parent_id: "{{value.root_parent_id}}" +{% endif %} +{% endfor %} -platform_management: - enable: true +subscription_deployment_mode: single_reuse networking_topology: deployment_option: virtual_wan + + platform_identity: # Set the Azure Active Directory tenant name (primary domain name) # has to be the default domain name (custom dns name or tenantname.onmicrosoft.com) # check the AAD property - tenant_name: + tenant_name: {{tenant_name.stdout}} # only service_principal supported with rover ignite at the moment - azuread_identity_mode: service_principal - enable_azuread_groups: true - enable_azuread_applications: true + azuread_identity_mode: {{topology.azuread_identity_mode}} + enable_azuread_groups: {{topology.enable_azuread_groups}} + enable_azuread_applications: {{topology.enable_azuread_applications}} # UPNs you want to add in the caf_platform_maintainers Azure AD group # Can use user or guest accounts # Those users will have full permissions on platform. 
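Review bot: `private_lib.v1.1.1.caf_landingzone_branch` is set to `"AL-azurerm2931"`, which reads like a personal working branch rather than a release, and `v0.3.3` pins `"patch.5.4.4"`; both are mutable refs, so whatever is later pushed to those branches flows into every platform deployment rendered from this template without review. For a template that provisions Owner-level identities this is a supply-chain exposure; pin released tags (or a commit SHA) and add `# Pin to a released tag: branch names are mutable and are fetched at deploy time`. The boolean interpolations are inconsistent: `enable_azure_subscription_vending_machine` and the `enterprise_scale` flags go through `| lower`, while `enable_azuread_groups` and `enable_azuread_applications` do not, so a Python `True` renders as `True` here and `true` elsewhere; apply `| lower` to both. `azuread_identity_mode` is now free text while the comment above it still says only `service_principal` is supported, so an unsupported value will only surface downstream.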
@@ -117,15 +106,7 @@ platform_identity: user_principal_names: # - -notifications: - service_health_alerts: - emails: - support1: - name: Support - email_address: - security_center_email_contact: - gitops: - caf_landingzone_branch: "aci_network" + caf_landingzone_branch: {{topology.caf_landingzone_branch}} deployment_mode: interactive rover_log_error: ERROR diff --git a/templates/platform/services/tfstates.yaml b/templates/platform/services/tfstates.yaml new file mode 100644 index 000000000..ac785d7c2 --- /dev/null +++ b/templates/platform/services/tfstates.yaml @@ -0,0 +1,28 @@ +tfstates: + platform: +{% for key in topology.deployments.root.keys() %} + {{topologies[key].tfstate.tfstate_key_name}}: +{% for l_key, l_value in topologies[key].tfstate.items() %} + {{l_key}}: {{l_value}} +{% endfor %} + +{% endfor %} + +{% for key in topology.deployments.eslz.keys() %} + {{topologies['eslz_' + key].tfstate.tfstate_key_name}}: +{% for l_key, l_value in topologies['eslz_' + key].tfstate.items() %} + {{l_key}}: {{l_value}} +{% endfor %} + +{% endfor %} + +{% for key in topology.deployments.scale_out_domains.keys() %} + {{key}}: +{% for a_key in topology.deployments.scale_out_domains[key].keys() %} + {{a_key}}: +{% for l_key, l_value in topologies[key + '_' + a_key].tfstate.items() %} + {{l_key}}: {{l_value}} +{% endfor %} +{% endfor %} + +{% endfor %} diff --git a/templates/platform/walk-through-single.yaml b/templates/platform/walk-through-single.yaml new file mode 100644 index 000000000..201ba3428 --- /dev/null +++ b/templates/platform/walk-through-single.yaml 
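Review bot: The removed `notifications` block takes `security_center_email_contact` with it, and nothing visible in this chunk re-introduces a Security Center / Defender for Cloud contact (the new `management.yaml` reads only `topology.notifications.service_health_alerts` and `...monitor_action_groups`), so the rendered platform config may lose its security-alert recipient unless it is set elsewhere. The `gitops:` parent key is also deleted while `caf_landingzone_branch: {{topology.caf_landingzone_branch}}` stays; the collapsed layout hides its indentation, so please confirm it still lands under the mapping its readers expect rather than becoming a stray key. If the contact is intentionally sourced from the topology file, a comment such as `# security_center_email_contact is now taken from topology.notifications` at the removal point would make that explicit.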
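Review bot: The three loops index `topology.deployments.root`, `.eslz` and `.scale_out_domains` and then `topologies[...]` with no `is defined` guard, so a topology without a `scale_out_domains` (or `eslz`) section aborts the whole `tfstates.yaml` render instead of emitting an empty section. Wrapping each loop like `{% if topology.deployments.scale_out_domains is defined %}` … `{% endif %}` — the idiom the `root_parent_id` check in `template.caf.platform.yaml` already uses — keeps optional sections optional. Values are again written as `{{l_key}}: {{l_value}}` unquoted, so a tfstate name or path containing YAML-significant characters breaks the output; `{{l_value | to_json}}` avoids that.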
@@ -0,0 +1,53 @@ +# +# Initial script to select a topology and create the base templates for the definitions folder +# +# ansible-playbook /tf/caf/landingzones/templates/platform/walk-through-single.yaml \ +# -e topology_file=/tf/caf/landingzones/templates/platform/eslz_single_subscription.yaml \ +# -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \ +# -e landingzones_folder=/tf/caf/landingzones \ +# -e destination_base_path=/tf/caf \ +# -e definitions_relative_path=definitions/v1 \ +# -e configuration_relative_path=configuration/demo +# + +- name: Setup platform template repository + hosts: localhost + vars_prompt: + - name: customer_name + prompt: Set the short version of your customer name with no spaces + private: no + default: contoso + + - name: caf_environment + prompt: Set the CAF Environment value + private: no + default: contoso + + - name: default_email_address + prompt: Email address to send all notifications + private: no + + - name: azure_regions + prompt: Azure regions (lowercase, short version) + private: no + default: + region1: southeastasia + region2: eastasia + + - name: default_region_key + prompt: Default CAF Azure region key + private: no + default: region1 + + - name: eslz_mg_prefix + prompt: Management group prefix + private: no + + - name: eslz_mg_name + prompt: Management group name + private: no + + + tasks: + + - include_tasks: "ansible/walk-through.yaml" diff --git a/templates/readme.md b/templates/readme.md index aabe8006c..c6a224d5f 100644 --- a/templates/readme.md +++ b/templates/readme.md 
@@ -4,3 +4,6 @@ Rover Ignite allows you to create a coherent stack of configuration files for CA It integrates all levels in a consistent and interactive way. In some configuration, the output of an execution is needed to continue, you might have to run multiple times the rover ignite command in order to generate the full configuration files. +You have now created the configuration files and are ready to proceed with the deployment. + +[Go to](./level0/readme.md) \ No newline at end of file diff --git a/templates/resources/active_directory_domain_service.tfvars.j2 b/templates/resources/active_directory_domain_service.tfvars.j2 index 44091996f..9b1df748b 100644 --- a/templates/resources/active_directory_domain_service.tfvars.j2 +++ b/templates/resources/active_directory_domain_service.tfvars.j2 @@ -1,5 +1,5 @@ active_directory_domain_service = { -{% for key, value in resources.subscriptions[subscription_key].active_directory_domain_service.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].active_directory_domain_service.items() %} {{ key }} = { name = "{{ value.name }}" region = "{{ value.region }}" diff --git a/templates/resources/active_directory_domain_service_replica_set.tfvars.j2 b/templates/resources/active_directory_domain_service_replica_set.tfvars.j2 index 70ea38c19..75f07c367 100644 --- a/templates/resources/active_directory_domain_service_replica_set.tfvars.j2 +++ b/templates/resources/active_directory_domain_service_replica_set.tfvars.j2 @@ -1,5 +1,5 @@ active_directory_domain_service_replica_set = { -{% for key, value in resources.subscriptions[subscription_key].active_directory_domain_service_replica_set.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].active_directory_domain_service_replica_set.items() %} {{ key }} = { region = "{{ value.region }}" active_directory_domain_service = { 
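Review bot: `resources[tfstate_resource]` makes `tfstate_resource` a required render-context variable for this template and for every other `templates/resources/*.tfvars.j2` renamed the same way in this patch, but nothing in the templates says so. With Jinja's default Undefined the failure presumably surfaces on the following `.subscriptions` access rather than at the missing name, which makes the error hard to trace back; a header comment such as `{# requires tfstate_resource and subscription_key in the render context #}` would help, as would a `{% if resources[tfstate_resource] is defined %}` guard if some tfstate_resource values legitimately carry no resources. The enclosing `for` loop continues past this hunk.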
diff --git a/templates/resources/automation_accounts.tfvars.j2 b/templates/resources/automation_accounts.tfvars.j2
index b80313ce5..e83e1afa4 100644
--- a/templates/resources/automation_accounts.tfvars.j2
+++ b/templates/resources/automation_accounts.tfvars.j2
@@ -1,5 +1,5 @@
 automations = {
-{% for key, automation in resources.subscriptions[subscription_key].automation_accounts.items() %}
+{% for key, automation in resources[tfstate_resource].subscriptions[subscription_key].automation_accounts.items() %}
 {{ key }} = {
 name = "{{ automation.name }}"
 sku = "{{ automation.sku | default('Basic') }}"
diff --git a/templates/resources/azuread_api_permissions.tfvars.j2 b/templates/resources/azuread_api_permissions.tfvars.j2
index 4a5ebc39e..1c4026711 100644
--- a/templates/resources/azuread_api_permissions.tfvars.j2
+++ b/templates/resources/azuread_api_permissions.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_api_permissions = {
-{% for key, value in resources.subscriptions[subscription_key].azuread_api_permissions.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_api_permissions.items() %}
 {{ key }} = {
 {% if value.microsoft_graph is defined %}
 microsoft_graph = {
diff --git a/templates/resources/azuread_applications.tfvars.j2 b/templates/resources/azuread_applications.tfvars.j2
index b3dee9f39..c13b364fa 100644
--- a/templates/resources/azuread_applications.tfvars.j2
+++ b/templates/resources/azuread_applications.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_applications = {
-{% for key, app in resources.subscriptions[subscription_key].azuread_applications.items() %}
+{% for key, app in resources[tfstate_resource].subscriptions[subscription_key].azuread_applications.items() %}
 {{ key }} = {
 application_name = "{{ app.application_name }}"
 }
diff --git a/templates/resources/azuread_credential_policies.tfvars.j2 b/templates/resources/azuread_credential_policies.tfvars.j2
index d2c3a2874..58e9776d2 100644
--- a/templates/resources/azuread_credential_policies.tfvars.j2
+++ b/templates/resources/azuread_credential_policies.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_credential_policies = {
-{% for key, value in resources.subscriptions[subscription_key].azuread_credential_policies.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_credential_policies.items() %}
 {{ key }} = {
 # Length of the password
 length = {{ value.length }}
diff --git a/templates/resources/azuread_credentials.tfvars.j2 b/templates/resources/azuread_credentials.tfvars.j2
index 5dcb81e4c..f2ef07681 100644
--- a/templates/resources/azuread_credentials.tfvars.j2
+++ b/templates/resources/azuread_credentials.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_credentials = {
-{% for key, cred in resources.subscriptions[subscription_key].azuread_credentials.items() %}
+{% for key, cred in resources[tfstate_resource].subscriptions[subscription_key].azuread_credentials.items() %}
 {{ key }} = {
 type = "{{ cred.type | default('password') }}"
 azuread_credential_policy_key = "{{ cred.azuread_credential_policy_key }}"
diff --git a/templates/resources/azuread_groups.tfvars.j2 b/templates/resources/azuread_groups.tfvars.j2
index d9f8cddbb..314755678 100644
--- a/templates/resources/azuread_groups.tfvars.j2
+++ b/templates/resources/azuread_groups.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_groups = {
-{% for key, ad_group in resources.subscriptions[subscription_key].azuread_groups.items() %}
+{% for key, ad_group in resources[tfstate_resource].subscriptions[subscription_key].azuread_groups.items() %}
 {{ key }} = {
 name = "{{ ad_group.name }}"
 {% if ad_group.description is defined %}
diff --git a/templates/resources/azuread_groups_membership.tfvars.j2 b/templates/resources/azuread_groups_membership.tfvars.j2
index faf15682b..70bce2c45 100644
--- a/templates/resources/azuread_groups_membership.tfvars.j2
+++ b/templates/resources/azuread_groups_membership.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_groups_membership = {
-{% for key, value in resources.subscriptions[subscription_key].azuread_groups_membership.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_groups_membership.items() %}
 {{ key }} = {
 {% for l1_key , l1_value in value.items() %}
 {{l1_key}} = {
diff --git a/templates/resources/azuread_roles.tfvars.j2 b/templates/resources/azuread_roles.tfvars.j2
index 338f4a52d..1badc9bdb 100644
--- a/templates/resources/azuread_roles.tfvars.j2
+++ b/templates/resources/azuread_roles.tfvars.j2
@@ -3,7 +3,7 @@
 # az rest --method Get --uri https://graph.microsoft.com/v1.0/directoryRoleTemplates -o json | jq -r .value[].displayName
 #
 azuread_roles = {
-{% for key, value in resources.subscriptions[subscription_key].azuread_roles.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_roles.items() %}
 {{ key }} = {
 {% for l_key, l_value in value.items() %}
 {{l_key}} = {
diff --git a/templates/resources/azuread_service_principals.tfvars.j2 b/templates/resources/azuread_service_principals.tfvars.j2
index 7503333e3..839316d61 100644
--- a/templates/resources/azuread_service_principals.tfvars.j2
+++ b/templates/resources/azuread_service_principals.tfvars.j2
@@ -1,6 +1,6 @@
 azuread_service_principals = {
-{% for key, sp in resources.subscriptions[subscription_key].azuread_service_principals.items() %}
+{% for key, sp in resources[tfstate_resource].subscriptions[subscription_key].azuread_service_principals.items() %}
 {{ key }} = {
 azuread_application = {
 key = "{{ sp.azuread_application.key }}"
diff --git a/templates/resources/azurerm_firewall_policies.tfvars.j2 b/templates/resources/azurerm_firewall_policies.tfvars.j2
index 1b787593a..d9fff5cb8 100644
--- a/templates/resources/azurerm_firewall_policies.tfvars.j2
+++ b/templates/resources/azurerm_firewall_policies.tfvars.j2
@@ -1,5 +1,5 @@ azurerm_firewall_policies = { -{% for key, value in resources.subscriptions[subscription_key].azurerm_firewall_policies.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azurerm_firewall_policies.items() %} {{ key }} = { name = "{{ value.name }}" {% if value.region_key is defined %} @@ -11,14 +11,14 @@ azurerm_firewall_policies = { resource_group = { key = "{{ value.resource_group.key }}" {% if value.resource_group.lz_key is defined %} - lz_key = "{{ config.tfstates.platform.azurerm_firewall_policies[value.resource_group.lz_key].lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.azurerm_firewall_policies[value.resource_group.lz_key].lz_key_name }}" {% endif %} } {% if value.base_policy is defined %} base_policy = { key = "{{ value.base_policy.key }}" {% if value.resource_group.lz_key is defined %} - lz_key = "{{ config.tfstates.platform.azurerm_firewall_policies[value.resource_group.lz_key].lz_key_name }}" + lz_key = "{{ resources.tfstates.platform.azurerm_firewall_policies[value.resource_group.lz_key].lz_key_name }}" {% endif %} } {% endif %} diff --git a/templates/resources/azurerm_firewalls.tfvars.j2 b/templates/resources/azurerm_firewalls.tfvars.j2 index 5711738f7..00ace3545 100644 --- a/templates/resources/azurerm_firewalls.tfvars.j2 +++ b/templates/resources/azurerm_firewalls.tfvars.j2 @@ -1,5 +1,5 @@ azurerm_firewalls = { -{% for key, value in resources.subscriptions[subscription_key].azurerm_firewalls.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azurerm_firewalls.items() %} {{ key }} = { name = "{{ value.name }}" resource_group_key = "{{ value.resource_group_key }}" diff --git a/templates/resources/container_groups.tfvars.j2 b/templates/resources/container_groups.tfvars.j2 index f58a03762..c57245c6f 100644 --- a/templates/resources/container_groups.tfvars.j2 +++ b/templates/resources/container_groups.tfvars.j2 
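Review bot: In the `base_policy` block of the second hunk, the renamed line still resolves `lz_key` from `value.resource_group.lz_key`, and the guard right above it also tests `value.resource_group.lz_key`; for a block that describes `base_policy` this reads like a copy of the `resource_group` block and presumably should use `{% if value.base_policy.lz_key is defined %}` with `lz_key = "{{ resources.tfstates.platform.azurerm_firewall_policies[value.base_policy.lz_key].lz_key_name }}"`. The commit only swapped `config` for `resources` on that line, so the mix-up predates it, but it is now part of the new side. The enclosing `for` loop over `azurerm_firewall_policies` starts before this hunk.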
@@ -1,5 +1,5 @@
 container_groups = {
-{% for key, value in resources.subscriptions[subscription_key].container_groups.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].container_groups.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 {% if value.region is defined %}
@@ -196,8 +196,8 @@ container_groups = {
 {% endif %}
 {% if value.dns_config is defined %}
 dns_config = {
- nameservers = {{ value.dns_config.nameservers | replace('None','[]') | replace('\'','\"') }}
- search_domains = {{ value.dns_config.search_domains | replace('None','[]') | replace('\'','\"') }}
+ nameservers = {{ value.dns_resources.nameservers | replace('None','[]') | replace('\'','\"') }}
+ search_domains = {{ value.dns_resources.search_domains | replace('None','[]') | replace('\'','\"') }}
 }
 {% endif %}
 }
diff --git a/templates/resources/custom_role_definitions.tfvars.j2 b/templates/resources/custom_role_definitions.tfvars.j2
index 02f75f995..a807d3e83 100644
--- a/templates/resources/custom_role_definitions.tfvars.j2
+++ b/templates/resources/custom_role_definitions.tfvars.j2
@@ -1,5 +1,5 @@
 custom_role_definitions = {
-{% for key, value in resources.subscriptions[subscription_key].custom_role_definitions.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].custom_role_definitions.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 {% if value.useprefix is defined %}
diff --git a/templates/resources/ddos_services.tfvars.j2 b/templates/resources/ddos_services.tfvars.j2
index d463d4e6c..eaf9a5ad4 100644
--- a/templates/resources/ddos_services.tfvars.j2
+++ b/templates/resources/ddos_services.tfvars.j2
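Review bot: The two added lines in the `dns_config` block read `value.dns_resources.nameservers` and `value.dns_resources.search_domains`, while the guard two lines above still tests `value.dns_config is defined`; this looks like the patch-wide `config` to `resources` substitution catching the `dns_config` attribute name, so the rendered values would be looked up under a key the source data does not use. Restore `value.dns_config.nameservers` and `value.dns_config.search_domains` on those two lines. It is worth checking the rest of the patch for other identifiers that merely contain `config` and were renamed the same way.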
@@ -1,5 +1,5 @@ ddos_services = { -{% for key, value in resources.subscriptions[subscription_key].ddos_services.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].ddos_services.items() %} "{{key}}" = { resource_group_key = "{{ value.resource_group_key }}" name = "{{ value.name }}" diff --git a/templates/resources/diagnostic_log_analytics.tfvars.j2 b/templates/resources/diagnostic_log_analytics.tfvars.j2 index 9fd8fe2a2..73783d880 100644 --- a/templates/resources/diagnostic_log_analytics.tfvars.j2 +++ b/templates/resources/diagnostic_log_analytics.tfvars.j2 @@ -3,16 +3,16 @@ # diagnostic_log_analytics = { -{% for key, dla in resources.subscriptions[subscription_key].diagnostic_log_analytics.items() %} +{% for key, dla in resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics.items() %} {{ key }} = { - region = "{{ dla.region | default(config.caf_terraform.launchpad.default_region_key)}}" + region = "{{ dla.region | default(resources.caf_terraform.launchpad.default_region_key)}}" name = "{{ dla.name }}" resource_group_key = "{{ dla.resource_group_key }}" -{% if resources.subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles is defined %} +{% if resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles is defined %} # you can setup up to 5 key diagnostic_profiles = { -{% for dp_key, dp_value in resources.subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles.items() %} +{% for dp_key, dp_value in resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles.items() %} {{ dp_key }} = { definition_key = "{{ dp_value.definition_key }}" destination_type = "{{ dp_value.destination_type }}" 
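Review bot: After this change `resources` is used in two ways in the same template: as a map indexed by `tfstate_resource` (`resources[tfstate_resource].subscriptions[...]`) and as a holder of fixed top-level keys such as `resources.caf_terraform` here, `resources.tfstates` and `resources.platform_identity` elsewhere in the patch. Nothing visible prevents a `tfstate_resource` value from colliding with one of those fixed keys, which would make the per-state lookup return unrelated data; if the loader does not already reject such names, a short comment documenting the reserved keys, or a separate top-level variable for the global settings, would make the layout explicit. This is inferred from the lookups alone, so worth confirming against the code that builds `resources`.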
@@ -21,9 +21,9 @@ diagnostic_log_analytics = { {% endfor %} } {% endif %} -{% if resources.subscriptions[subscription_key].diagnostic_log_analytics[key].solutions is defined %} +{% if resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].solutions is defined %} solutions = { -{% for sol_key, sol_value in resources.subscriptions[subscription_key].diagnostic_log_analytics[key].solutions.items() %} +{% for sol_key, sol_value in resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].solutions.items() %} {{ sol_key }} = { "publisher" = "{{ sol_value.publisher }}" "product" = "{{ sol_value.product }}" diff --git a/templates/resources/diagnostic_storage_accounts.tfvars.j2 b/templates/resources/diagnostic_storage_accounts.tfvars.j2 index d3dda9027..55e1498b3 100644 --- a/templates/resources/diagnostic_storage_accounts.tfvars.j2 +++ b/templates/resources/diagnostic_storage_accounts.tfvars.j2 
@@ -2,40 +2,40 @@ # Storage accounts, log analytics, event hubs diagnostic_storage_accounts = { -{% for key in config.caf_terraform.launchpad.regions.keys() %} +{% for key in resources.caf_terraform.launchpad.regions.keys() %} # Stores diagnostic logging for {{key}} - diaglogs_{{config.caf_terraform.launchpad.regions[key].slug}} = { - name = "diaglogs{{ config.caf_terraform.launchpad.regions[key].slug }}" + diaglogs_{{resources.caf_terraform.launchpad.regions[key].slug}} = { + name = "diaglogs{{ resources.caf_terraform.launchpad.regions[key].slug }}" region = "{{key}}" - resource_group_key = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.resource_group_key }}" - account_kind = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.account_kind }}" - account_tier = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.account_tier }}" - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - access_tier = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.access_tier }}" + resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.resource_group_key }}" + account_kind = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.account_kind }}" + account_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.account_tier }}" + account_replication_type = "{{ resources.caf_terraform.launchpad.account_replication_type }}" + access_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.access_tier }}" } {% endfor %} -{% for key in config.caf_terraform.launchpad.regions.keys() %} +{% for key in resources.caf_terraform.launchpad.regions.keys() %} # Stores security logs for siem for 
{{key}} - diagsiem_{{config.caf_terraform.launchpad.regions[key].slug}} = { - name = "siem{{ config.caf_terraform.launchpad.regions[key].slug }}" + diagsiem_{{resources.caf_terraform.launchpad.regions[key].slug}} = { + name = "siem{{ resources.caf_terraform.launchpad.regions[key].slug }}" region = "{{key}}" - resource_group_key = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.siem.resource_group_key }}" - account_kind = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.siem.account_kind }}" - account_tier = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.siem.account_tier }}" - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - access_tier = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.siem.access_tier }}" + resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.resource_group_key }}" + account_kind = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.account_kind }}" + account_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.account_tier }}" + account_replication_type = "{{ resources.caf_terraform.launchpad.account_replication_type }}" + access_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.access_tier }}" } {% endfor %} -{% for key in config.caf_terraform.launchpad.regions.keys() %} +{% for key in resources.caf_terraform.launchpad.regions.keys() %} # Stores boot diagnostic for {{key}} - bootdiag_{{config.caf_terraform.launchpad.regions[key].slug}} = { - name = "boot{{ config.caf_terraform.launchpad.regions[key].slug }}" + bootdiag_{{resources.caf_terraform.launchpad.regions[key].slug}} = { + name = "boot{{ resources.caf_terraform.launchpad.regions[key].slug }}" region = "{{key}}" - resource_group_key 
= "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.resource_group_key }}" - account_kind = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_kind }}" - account_tier = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_tier }}" - account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}" - access_tier = "{{ resources.subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.access_tier }}" + resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.resource_group_key }}" + account_kind = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_kind }}" + account_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_tier }}" + account_replication_type = "{{ resources.caf_terraform.launchpad.account_replication_type }}" + access_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.access_tier }}" } {% endfor %} } \ No newline at end of file diff --git a/templates/resources/diagnostics_destinations.tfvars.j2 b/templates/resources/diagnostics_destinations.tfvars.j2 index 55f8acce2..d74490db6 100644 --- a/templates/resources/diagnostics_destinations.tfvars.j2 +++ b/templates/resources/diagnostics_destinations.tfvars.j2 
@@ -7,9 +7,9 @@ diagnostics_destinations = { # in the region of the deployment storage = { all_regions = { -{% for key in config.caf_terraform.launchpad.regions.keys() %} - "{{ config.caf_terraform.launchpad.regions[key].name }}" = { - storage_account_key = "diagsiem_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" +{% for key in resources.caf_terraform.launchpad.regions.keys() %} + "{{ resources.caf_terraform.launchpad.regions[key].name }}" = { + storage_account_key = "diagsiem_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" } {% endfor %} } @@ -17,14 +17,14 @@ diagnostics_destinations = { log_analytics = { central_logs = { - log_analytics_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + log_analytics_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" log_analytics_destination_type = "Dedicated" } } event_hub_namespaces = { central_logs = { - event_hub_namespace_key = "central_logs_{{config.caf_terraform.launchpad.regions[config.caf_terraform.launchpad.default_region_key].slug}}" + event_hub_namespace_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" } } } diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 b/templates/resources/dynamic_keyvault_secrets.tfvars.j2 index b43870518..9a2d4460d 100644 --- a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 +++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2 
@@ -1,5 +1,5 @@ dynamic_keyvault_secrets = { -{% for key, value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} {{ key }} = { {% for l1_key, l1_value in value.items() %} {{l1_key}} = { diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old b/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old deleted file mode 100644 index 0797ccf1a..000000000 --- a/templates/resources/dynamic_keyvault_secrets.tfvars.j2.old +++ /dev/null @@ -1,12 +0,0 @@ -dynamic_keyvault_secrets = { -{% for kv_key, kv_value in resources.subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} - {{ kv_key }} = { -{% for key, value in kv_value.items() %} - {{ key }} = { - secret_name = "{{ value.secret_name }}" - value = "{{ value['value'] }}" - } -{% endfor %} - } -{% endfor %} -} \ No newline at end of file diff --git a/templates/resources/express_route_connections.tfvars.j2 b/templates/resources/express_route_connections.tfvars.j2 index 2c16008ad..f5c89e688 100644 --- a/templates/resources/express_route_connections.tfvars.j2 +++ b/templates/resources/express_route_connections.tfvars.j2 @@ -1,5 +1,5 @@ express_route_connections = { -{% for key, value in resources.subscriptions[subscription_key].express_route_connections.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].express_route_connections.items() %} {% if value.enable_er_connections %} {{ key }} = { name = "{{ value.name }}" diff --git a/templates/resources/global_settings.tfvars.j2 b/templates/resources/global_settings.tfvars.j2 index 03b0894c4..2eb59063d 100644 --- a/templates/resources/global_settings.tfvars.j2 +++ b/templates/resources/global_settings.tfvars.j2 
@@ -1,21 +1,21 @@ -{% if resources.subscriptions[subscription_key].global_settings is defined %} +{% if resources[tfstate_resource].subscriptions[subscription_key].global_settings is defined %} global_settings = { - passthrough = {{ resources.subscriptions[subscription_key].global_settings.passthrough | string | lower }} - prefix = "{{ resources.subscriptions[subscription_key].global_settings.prefix }}" - use_slug = {{ resources.subscriptions[subscription_key].global_settings.use_slug | string | lower }} - inherit_tags = {{ resources.subscriptions[subscription_key].global_settings.inherit_tags | string | lower }} - random_length = {{ resources.subscriptions[subscription_key].global_settings.random_length }} -{% if resources.subscriptions[subscription_key].global_settings.tags is defined %} + passthrough = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.passthrough | string | lower }} + prefix = "{{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.prefix }}" + use_slug = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.use_slug | string | lower }} + inherit_tags = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.inherit_tags | string | lower }} + random_length = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.random_length }} +{% if resources[tfstate_resource].subscriptions[subscription_key].global_settings.tags is defined %} tags = { -{% for tag, value in resources.subscriptions[subscription_key].global_settings.tags.items() %} +{% for tag, value in resources[tfstate_resource].subscriptions[subscription_key].global_settings.tags.items() %} "{{ tag }}" = "{{value}}" {% endfor %} } {% endif %} - default_region = "{{ resources.subscriptions[subscription_key].global_settings.default_region_key }}" + default_region = "{{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.default_region_key }}" 
regions = { -{% for key in resources.subscriptions[subscription_key].global_settings.regions.keys() %} - {{ key }} = "{{ resources.subscriptions[subscription_key].global_settings.regions[key].name }}" +{% for key in resources[tfstate_resource].subscriptions[subscription_key].global_settings.regions.keys() %} + {{ key }} = "{{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.regions[key].name }}" {% endfor %} } } diff --git a/templates/resources/keyvault_access_policies.tfvars.j2 b/templates/resources/keyvault_access_policies.tfvars.j2 index c1626040e..002960211 100644 --- a/templates/resources/keyvault_access_policies.tfvars.j2 +++ b/templates/resources/keyvault_access_policies.tfvars.j2 @@ -1,5 +1,5 @@ keyvault_access_policies = { - {% for key, policy in resources.subscriptions[subscription_key].keyvault_access_policies.items() %} + {% for key, policy in resources[tfstate_resource].subscriptions[subscription_key].keyvault_access_policies.items() %} {{ key }} = { {% for s_key, s_policy in policy.items() %} {{ s_key }} = { diff --git a/templates/resources/keyvaults.tfvars.j2 b/templates/resources/keyvaults.tfvars.j2 index 6608276c3..c2d44386f 100644 --- a/templates/resources/keyvaults.tfvars.j2 +++ b/templates/resources/keyvaults.tfvars.j2 
@@ -1,9 +1,9 @@ keyvaults = { -{% for key, keyvault in resources.subscriptions[subscription_key].keyvaults.items() %} +{% for key, keyvault in resources[tfstate_resource].subscriptions[subscription_key].keyvaults.items() %} {{ key }} = { - name = "{{ resources.subscriptions[subscription_key].keyvaults[key].name }}" - resource_group_key = "{{ resources.subscriptions[subscription_key].keyvaults[key].resource_group_key }}" - sku_name = "{{ resources.subscriptions[subscription_key].keyvaults[key].sku_name | default('standard')}}" + name = "{{ resources[tfstate_resource].subscriptions[subscription_key].keyvaults[key].name }}" + resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].keyvaults[key].resource_group_key }}" + sku_name = "{{ resources[tfstate_resource].subscriptions[subscription_key].keyvaults[key].sku_name | default('standard')}}" {% if keyvault.enabled_for_deployment is defined %} enabled_for_deployment = "{{ keyvault.enabled_for_deployment | string | lower }}" {% endif %} @@ -30,8 +30,8 @@ keyvaults = { } {% endif %} creation_policies = { -{% if config.platform_identity is defined %} -{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if resources.platform_identity is defined %} +{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } diff --git a/templates/resources/landingzone.tfvars.j2 b/templates/resources/landingzone.tfvars.j2 index e2e330985..5ba1525f1 100644 --- a/templates/resources/landingzone.tfvars.j2 +++ b/templates/resources/landingzone.tfvars.j2 
@@ -2,37 +2,37 @@ landingzone = { backend_type = "{{ tfstate_object.backend_type | default("azurerm") }}" level = "{{ tfstate_object.level }}" key = "{{ tfstate_object.lz_key_name }}" -{% if resources.deployments.landingzone.global_settings_key.platform is defined %} -{% if resources.deployments.landingzone.global_settings_key.platform.values() | first %} - global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first][resources.deployments.landingzone.global_settings_key.platform.values() | first].lz_key_name }}" +{% if resources[tfstate_resource].deployments.landingzone.global_settings_key.platform is defined %} +{% if resources[tfstate_resource].deployments.landingzone.global_settings_key.platform.values() | first %} + global_settings_key = "{{ resources.tfstates['platform'][resources[tfstate_resource].deployments.landingzone.global_settings_key.platform.keys() | first][resources[tfstate_resource].deployments.landingzone.global_settings_key.platform.values() | first].lz_key_name }}" {% else %} - global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" + global_settings_key = "{{ resources.tfstates['platform'][resources[tfstate_resource].deployments.landingzone.global_settings_key.platform.keys() | first].lz_key_name }}" {% endif %} -{% elif resources.deployments.landingzone.global_settings_key.asvm is defined %} - global_settings_key = "{{ config.tfstates['asvm'][resources.deployments.landingzone.global_settings_key.asvm.keys() | first].lz_key_name }}" +{% elif resources[tfstate_resource].deployments.landingzone.global_settings_key.asvm is defined %} + global_settings_key = "{{ resources.tfstates['asvm'][resources[tfstate_resource].deployments.landingzone.global_settings_key.asvm.keys() | first].lz_key_name }}" {% endif %} -{% if resources.deployments.landingzone.remote_tfstates is defined %} +{% if 
resources[tfstate_resource].deployments.landingzone.remote_tfstates is defined %} tfstates = { -{% if resources.deployments.landingzone.remote_tfstates.asvm is defined %} -{% if resources.deployments.landingzone.remote_tfstates.asvm.values() | first %} -{% for a_key, a_value in resources.deployments.landingzone.remote_tfstates.asvm.items() %} - {{ config.tfstates['asvm'][a_key][a_value].lz_key_name }} = { - tfstate = "{{ config.tfstates['asvm'][a_key][a_value].tfstate }}" - workspace = "{{ config.tfstates['asvm'][a_key].workspace }}" +{% if resources[tfstate_resource].deployments.landingzone.remote_tfstates.asvm is defined %} +{% if resources[tfstate_resource].deployments.landingzone.remote_tfstates.asvm.values() | first %} +{% for a_key, a_value in resources[tfstate_resource].deployments.landingzone.remote_tfstates.asvm.items() %} + {{ resources.tfstates['asvm'][a_key][a_value].lz_key_name }} = { + tfstate = "{{ resources.tfstates['asvm'][a_key][a_value].tfstate }}" + workspace = "{{ resources.tfstates['asvm'][a_key].workspace }}" } {% endfor %} {% else %} - {{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].lz_key_name }} = { - tfstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}" - workspace = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].workspace | default('tfstate')}}" + {{ resources.tfstates['asvm'][resources[tfstate_resource].deployments.landingzone.remote_tfstates.asvm.keys() | first].lz_key_name }} = { + tfstate = "{{ resources.tfstates['asvm'][resources[tfstate_resource].deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}" + workspace = "{{ resources.tfstates['asvm'][resources[tfstate_resource].deployments.landingzone.remote_tfstates.asvm.keys() | first].workspace | default('tfstate')}}" } {% endif %} {% endif %} -{% if 
resources.deployments.landingzone.remote_tfstates.platform is defined %} -{% for p_key in resources.deployments.landingzone.remote_tfstates.platform.keys() %} -{% if config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]] is defined %} - {{ config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = { - {% set remote_tfstate = config.tfstates['platform'][p_key][resources.deployments.landingzone.remote_tfstates.platform[p_key]] %} +{% if resources[tfstate_resource].deployments.landingzone.remote_tfstates.platform is defined %} +{% for p_key in resources[tfstate_resource].deployments.landingzone.remote_tfstates.platform.keys() %} +{% if resources.tfstates['platform'][p_key][resources[tfstate_resource].deployments.landingzone.remote_tfstates.platform[p_key]] is defined %} + {{ resources.tfstates['platform'][p_key][resources[tfstate_resource].deployments.landingzone.remote_tfstates.platform[p_key]].lz_key_name }} = { + {% set remote_tfstate = resources.tfstates['platform'][p_key][resources[tfstate_resource].deployments.landingzone.remote_tfstates.platform[p_key]] %} tfstate = "{{ remote_tfstate.tfstate }}" workspace = "{{ remote_tfstate.workspace | default('tfstate') }}" {% if remote_tfstate.level != level %} @@ -40,10 +40,10 @@ landingzone = { {% endif %} } {% else %} - {{ config.tfstates['platform'][p_key].lz_key_name }} = { - tfstate = "{{ config.tfstates['platform'][p_key].tfstate }}" - workspace = "{{ config.tfstates['platform'][p_key].workspace | default('tfstate') }}" -{% if config.tfstates['platform'][p_key].level != level %} + {{ resources.tfstates['platform'][p_key].lz_key_name }} = { + tfstate = "{{ resources.tfstates['platform'][p_key].tfstate }}" + workspace = "{{ resources.tfstates['platform'][p_key].workspace | default('tfstate') }}" +{% if resources.tfstates['platform'][p_key].level != level %} level = "lower" {% endif %} } 
@@ -53,9 +53,9 @@ landingzone = { } {% endif %} } -{% if resources.deployments[subscription_key][deployment].custom_variables is defined %} +{% if resources[tfstate_resource].deployments.custom_variables is defined %} custom_variables = { -{% for cv_key, cv_value in resources.deployments[subscription_key][deployment].custom_variables.items() %} +{% for cv_key, cv_value in resources[tfstate_resource].deployments.custom_variables.items() %} {{cv_key}} = "{{cv_value}}" {% endfor %} } diff --git a/templates/resources/managed_identities.tfvars.j2 b/templates/resources/managed_identities.tfvars.j2 index d7c483b16..fe2acaa41 100644 --- a/templates/resources/managed_identities.tfvars.j2 +++ b/templates/resources/managed_identities.tfvars.j2 @@ -1,5 +1,5 @@ managed_identities = { -{% for key, value in resources.subscriptions[subscription_key].managed_identities.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].managed_identities.items() %} {{ key }} = { name = "{{ value.name }}" resource_group_key = "{{ value.resource_group_key }}" diff --git a/templates/resources/monitor_action_groups.tfvars.j2 b/templates/resources/monitor_action_groups.tfvars.j2 index 83601f60a..97851181d 100644 --- a/templates/resources/monitor_action_groups.tfvars.j2 +++ b/templates/resources/monitor_action_groups.tfvars.j2 @@ -1,5 +1,5 @@ monitor_action_groups = { -{% for key, mag in resources.subscriptions[subscription_key].monitor_action_groups.items() %} +{% for key, mag in resources[tfstate_resource].subscriptions[subscription_key].monitor_action_groups.items() %} {{ key }} = { action_group_name = "{{ mag.action_group_name }}" shortname = "{{ mag.shortname }}" diff --git a/templates/resources/network_profiles.tfvars.j2 b/templates/resources/network_profiles.tfvars.j2 index 1f30cba73..9c19c438e 100644 --- a/templates/resources/network_profiles.tfvars.j2 +++ b/templates/resources/network_profiles.tfvars.j2 
@@ -1,5 +1,5 @@
 network_profiles = {
-{% for key, value in resources.subscriptions[subscription_key].network_profiles.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].network_profiles.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group = {
diff --git a/templates/resources/network_security_group_definition.tfvars.j2 b/templates/resources/network_security_group_definition.tfvars.j2
index 90cf1d185..75dc71e57 100644
--- a/templates/resources/network_security_group_definition.tfvars.j2
+++ b/templates/resources/network_security_group_definition.tfvars.j2
@@ -1,5 +1,5 @@
 network_security_group_definition = {
-{% for key, value in resources.subscriptions[subscription_key].network_security_group_definition.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].network_security_group_definition.items() %}
 {{ key }} = {
 version = {{ value.version }}
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/private_dns.tfvars.j2 b/templates/resources/private_dns.tfvars.j2
index aeba296a4..57be0eee5 100644
--- a/templates/resources/private_dns.tfvars.j2
+++ b/templates/resources/private_dns.tfvars.j2
@@ -1,5 +1,5 @@
 private_dns = {
-{% for key, value in resources.subscriptions[subscription_key].private_dns.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].private_dns.items() %}
 "{{ key }}" = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/public_ip_addresses.tfvars.j2 b/templates/resources/public_ip_addresses.tfvars.j2
index 03e218019..65dab5bd3 100644
--- a/templates/resources/public_ip_addresses.tfvars.j2
+++ b/templates/resources/public_ip_addresses.tfvars.j2
@@ -1,5 +1,5 @@ public_ip_addresses = { -{% for key, value in resources.subscriptions[subscription_key].public_ip_addresses.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].public_ip_addresses.items() %} {{ key }} = { name = "{{ value.name }}" resource_group_key = "{{ value.resource_group_key }}" diff --git a/templates/resources/recovery_vaults.tfvars.j2 b/templates/resources/recovery_vaults.tfvars.j2 index 6da1e957b..48c059738 100644 --- a/templates/resources/recovery_vaults.tfvars.j2 +++ b/templates/resources/recovery_vaults.tfvars.j2 @@ -1,10 +1,10 @@ recovery_vaults = { -{% for key, asr in resources.subscriptions[subscription_key].recovery_vaults.items() %} +{% for key, asr in resources[tfstate_resource].subscriptions[subscription_key].recovery_vaults.items() %} {{ key }} = { name = "{{ asr.name }}" resource_group_key = "{{ asr.resource_group_key }}" - region = "{{ asr.region | default(config.caf_terraform.launchpad.default_region_key) }}" + region = "{{ asr.region | default(resources.caf_terraform.launchpad.default_region_key) }}" soft_delete_enabled = {{ asr.soft_delete_enabled | default(true) | string | lower }} {% if asr.backup_policies is defined %} backup_policies = { diff --git a/templates/resources/resource_groups.tfvars.j2 b/templates/resources/resource_groups.tfvars.j2 index 939de697a..e612d6b64 100644 --- a/templates/resources/resource_groups.tfvars.j2 +++ b/templates/resources/resource_groups.tfvars.j2 
@@ -1,8 +1,8 @@
 resource_groups = {
-{% for key, resource_group in resources.subscriptions[subscription_key].resource_groups.items() %}
+{% for key, resource_group in resources[tfstate_resource].subscriptions[subscription_key].resource_groups.items() %}
 {{ key }} = {
 name = "{{ resource_group.name }}"
- region = "{{ resource_group.region_key | default(config.caf_terraform.launchpad.default_region_key) }}"
+ region = "{{ resource_group.region_key | default(resources.caf_terraform.launchpad.default_region_key) }}"
 {% if resource_group.tags is defined %}
 tags = {
 {% for tag_key, tag_value in resource_group.tags.items() %}
diff --git a/templates/resources/role_mapping.tfvars.j2 b/templates/resources/role_mapping.tfvars.j2
index 79827a28b..c9f28abd7 100644
--- a/templates/resources/role_mapping.tfvars.j2
+++ b/templates/resources/role_mapping.tfvars.j2
@@ -1,5 +1,5 @@
 role_mapping = {
-{% for top_key, mappings in resources.subscriptions[subscription_key].role_mapping.items() %}
+{% for top_key, mappings in resources[tfstate_resource].subscriptions[subscription_key].role_mapping.items() %}
 {{ top_key }} = {
 {% for key, role_mappings in mappings.items() %}
 {{ key }} = {
diff --git a/templates/resources/servicehealth.tfvars.j2 b/templates/resources/servicehealth.tfvars.j2
index f2ae44920..ace2397e3 100644
--- a/templates/resources/servicehealth.tfvars.j2
+++ b/templates/resources/servicehealth.tfvars.j2
@@ -1,14 +1,14 @@
 monitoring = {
-{% if resources.subscriptions[subscription_key].service_health_alerts is defined %}
+{% if resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts is defined %}
 service_health_alerts = {
- enable_service_health_alerts = {{resources.subscriptions[subscription_key].service_health_alerts.enable_service_health_alerts | lower | default(true)}}
- name = "{{resources.subscriptions[subscription_key].service_health_alerts.name}}"
- action_group_name = "{{resources.subscriptions[subscription_key].service_health_alerts.action_group_name}}"
- shortname = "{{resources.subscriptions[subscription_key].service_health_alerts.shortname}}"
- resource_group_key = "{{resources.subscriptions[subscription_key].service_health_alerts.resource_group_key}}"
-{% if resources.subscriptions[subscription_key].service_health_alerts.email_alert_settings is defined %}
+ enable_service_health_alerts = {{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.enable_service_health_alerts | lower | default(true)}}
+ name = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.name}}"
+ action_group_name = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.action_group_name}}"
+ shortname = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.shortname}}"
+ resource_group_key = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.resource_group_key}}"
+{% if resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.email_alert_settings is defined %}
 email_alert_settings = {
-{% for key, sha in resources.subscriptions[subscription_key].service_health_alerts.email_alert_settings.items() %}
+{% for key, sha in resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.email_alert_settings.items() %}
 {{ key }} = {
 name = "{{ sha.name }}"
 email_address = "{{ sha.email_address }}"
diff --git a/templates/resources/storage_accounts.tfvars.j2 b/templates/resources/storage_accounts.tfvars.j2
index b9d9079ec..dc975b713 100644
--- a/templates/resources/storage_accounts.tfvars.j2
+++ b/templates/resources/storage_accounts.tfvars.j2
@@ -1,5 +1,5 @@
 storage_accounts = {
-{% for key, value in resources.subscriptions[subscription_key].storage_accounts.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].storage_accounts.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/subscriptions.tfvars.j2 b/templates/resources/subscriptions.tfvars.j2
index 034a6bf70..f4fe59fea 100644
--- a/templates/resources/subscriptions.tfvars.j2
+++ b/templates/resources/subscriptions.tfvars.j2
@@ -1,15 +1,27 @@
+#
+# Execute the following command to get the billing_account_name and management_group_id
+#
+# az rest --method get --uri https://management.azure.com/providers/Microsoft.Billing/billingaccounts/?api-version=2020-05-01
+#
+# To retrieve the first billing account
+#
+# billing_account_name=$(az rest --method get --uri https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01 --query "value[?properties.agreementType=='EnterpriseAgreement'].{name:name}" -o tsv)
+#
+# enrollment_account_name=$(az rest --method get --uri https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01 --query "value[?properties.agreementType=='EnterpriseAgreement'].{name:properties.enrollmentAccounts[0].name}" -o tsv)
+#
+
 subscriptions = {
-{% for key, value in resources.subscriptions[subscription_key].subscriptions.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].subscriptions.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 {% if value.create_alias is defined %}
 create_alias = {{ value.create_alias | lower}}
 {% endif %}
 {% if value.subscription_id is not defined %}
- billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}"
- enrollment_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}"
+ billing_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.billing_account_name }}"
+ enrollment_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}"
 {% if value.management_group_suffix is defined %}
- management_group_id = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ value.management_group_suffix }}"
+ management_group_id = "{{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ value.management_group_suffix }}"
 {% else %}
 management_group_id = "{{ value.management_group_id }}"
 {% endif %}
diff --git a/templates/resources/virtual_hub_connections.tfvars.j2 b/templates/resources/virtual_hub_connections.tfvars.j2
index b279dc554..a50e10095 100644
--- a/templates/resources/virtual_hub_connections.tfvars.j2
+++ b/templates/resources/virtual_hub_connections.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_hub_connections = {
-{% for key, vhc in resources.subscriptions[subscription_key].virtual_hub_connections.items() %}
+{% for key, vhc in resources[tfstate_resource].subscriptions[subscription_key].virtual_hub_connections.items() %}
 {{ key }} = {
 name = "{{ vhc.name }}"
 virtual_hub = {
diff --git a/templates/resources/virtual_hub_route_tables.tfvars.j2 b/templates/resources/virtual_hub_route_tables.tfvars.j2
new file mode 100644
index 000000000..e385ed3f4
--- /dev/null
+++ b/templates/resources/virtual_hub_route_tables.tfvars.j2
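Review bot: The header comment added to subscriptions.tfvars.j2 says the `billing_account_name=$(…)` command retrieves "the first billing account", but the JMESPath filter `value[?properties.agreementType=='EnterpriseAgreement'].{name:name}` selects every Enterprise Agreement account, so with more than one the `-o tsv` output spans several lines and the shell variable becomes multi-valued. If only the first is wanted, the query should select it explicitly, e.g. `--query "value[?properties.agreementType=='EnterpriseAgreement'] | [0].name"`, and the `enrollment_account_name` command below it has the same issue. Because this is an HCL `#` comment it is copied verbatim into every rendered subscriptions.tfvars, so it is worth keeping accurate; the `billing_account_name`/`enrollment_account_name` lines rendered from `resources.caf_terraform.billing_subscription_role_delegations` are otherwise a straightforward rename.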
@@ -0,0 +1,37 @@
+virtual_hub_route_tables = {
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].virtual_hub_route_tables.items() %}
+ {{ key }} = {
+ name = "{{ value.name }}"
+ virtual_hub = {
+{% if value.virtual_hub.id is defined %}
+ id = "{{value.virtual_hub.id}}"
+{% else %}
+{% for k, v in value.virtual_hub.items() %}
+ {{k}} = "{{v}}"
+{% endfor %}
+{% endif %}
+ }
+{% if value.labels is defined %}
+ labels = {{value.labels | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
+{% endif %}
+{% if value.routes is defined %}
+ routes = {
+{% for k, v in value.routes.items() %}
+ {{k}} = {
+ name = "{{v.name}}"
+ destinations_type = "{{v.destinations_type}}"
+ destinations = {{v.destinations | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
+{% if v.next_hop is defined %}
+ next_hop = {
+{% for l, w in v.next_hop.items() %}
+ {{l}} = "{{w}}"
+{% endfor %}
+ }
+{% endif %}
+ }
+{% endfor %}
+ }
+{% endif %}
+ }
+{% endfor %}
+}
\ No newline at end of file
diff --git a/templates/resources/virtual_hubs.tfvars.j2 b/templates/resources/virtual_hubs.tfvars.j2
index 35b43cb6e..fd7f0ba66 100644
--- a/templates/resources/virtual_hubs.tfvars.j2
+++ b/templates/resources/virtual_hubs.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_hubs = {
-{% for key, value in resources.subscriptions[subscription_key].virtual_hubs.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].virtual_hubs.items() %}
 {{ key }} = {
 virtual_wan = {
 {% if value.virtual_wan.lz_key is defined %}
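Review bot: The `labels` and `destinations` lines in the new virtual_hub_route_tables.tfvars.j2 build an HCL list by string-replacing the Python repr of the value (`replace('None','[]') | replace('[', '[\n') | … | replace('\'','\"')`), which can corrupt any element containing `'`, `,`, `[` or the substring `None` and ties the output to the renderer's repr format. Jinja2's builtin `tojson` filter emits a JSON array, which is valid HCL list syntax, so `labels = {{ value.labels | tojson }}` and `destinations = {{ v.destinations | tojson }}` produce the same list for plain string values without the substitution chain (assuming a Jinja2 version where `tojson` is available). The deleted virtual_hubs_route_tables.tfvars.j2 wrapped its whole block in `{% if … is defined %}`, whereas this template iterates `resources[tfstate_resource].subscriptions[subscription_key].virtual_hub_route_tables` unguarded; that matches the sibling templates but presumably relies on the caller rendering it only when the key exists.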
@@ -31,14 +31,14 @@ virtual_hubs = {
 deploy_p2s = {{ value.deploy_p2s | default(false) | lower }}
 {% if value.p2s_config is defined %}
 p2s_config = {
- name = "{{ value.p2s_config.name }}"
- scale_unit = "{{ value.p2s_config.scale_unit }}"
-{% if value.p2s_config.connection_configuration is defined %}
+ name = "{{ value.p2s_resources.name }}"
+ scale_unit = "{{ value.p2s_resources.scale_unit }}"
+{% if value.p2s_resources.connection_configuration is defined %}
 connection_configuration = {
- name = "{{ value.p2s_config.connection_configuration.name }}"
-{% if value.p2s_config.connection_configuration.vpn_client_address_pool is defined %}
+ name = "{{ value.p2s_resources.connection_configuration.name }}"
+{% if value.p2s_resources.connection_configuration.vpn_client_address_pool is defined %}
 vpn_client_address_pool = {
-{% for cap_key, cap_value in value.p2s_config.connection_configuration.vpn_client_address_pool.items() %}
+{% for cap_key, cap_value in value.p2s_resources.connection_configuration.vpn_client_address_pool.items() %}
 {{cap_key}} = {
 address_prefixes = {{cap_value | replace('None','[]') | replace('\'','\"') }}
 }
@@ -49,10 +49,10 @@ virtual_hubs = {
 {% endif %}
 {% if value.deploy_p2s.server_config is defined %}
 server_config = {
- vpn_authentication_types = "{{ value.deploy_p2s.server_config.vpn_authentication_types }}"
+ vpn_authentication_types = "{{ value.deploy_p2s.server_resources.vpn_authentication_types }}"
 client_root_certificate = {
- name = "{{ value.deploy_p2s.server_config.client_root_certificate.name }}"
- public_cert_data = "{{ value.deploy_p2s.server_config.client_root_certificate.public_cert_data }}"
+ name = "{{ value.deploy_p2s.server_resources.client_root_certificate.name }}"
+ public_cert_data = "{{ value.deploy_p2s.server_resources.client_root_certificate.public_cert_data }}"
 }
 }
 {% endif %}
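Review bot: The guard on the context line `{% if value.p2s_config is defined %}` still tests `p2s_config`, but the new lines under it read `value.p2s_resources.name`, `value.p2s_resources.scale_unit` and `value.p2s_resources.connection_configuration`, so an input that passes the guard is rendered from a key that was never checked; the second hunk has the same mismatch between `value.deploy_p2s.server_config is defined` and `value.deploy_p2s.server_resources.*`, and the `@@ -62` and `@@ -89` hunks that follow rename `value.s2s_config`/`value.er_config` to `s2s_resources`/`er_resources` in the same way while the emitted HCL keys stay `s2s_config`/`er_config`. This looks like a `config.`→`resources.` substitution that also hit keys of the YAML input schema rather than the template context; unless the schema was intentionally renamed, the new lines should keep the original input keys (e.g. `name = "{{ value.p2s_config.name }}"`), otherwise the guards and the input documentation need to change with them. Depending on the renderer's undefined policy this either fails at render time or quietly produces empty `name`/`scale_unit`/`public_cert_data` values in the generated tfvars. The enclosing `{% for key, value … %}` starts outside these hunks.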
@@ -62,14 +62,14 @@ virtual_hubs = {
 {% endif %}
 deploy_s2s = {{ value.deploy_s2s | string | lower | default(false) }}
 s2s_config = {
-{% if value.s2s_config.name is defined %}
- name = "{{ value.s2s_config.name }}"
+{% if value.s2s_resources.name is defined %}
+ name = "{{ value.s2s_resources.name }}"
 {% endif %}
-{% if value.s2s_config.scale_unit is defined %}
- scale_unit = {{ value.s2s_config.scale_unit }}
+{% if value.s2s_resources.scale_unit is defined %}
+ scale_unit = {{ value.s2s_resources.scale_unit }}
 {% endif %}
-{% if value.s2s_config.routing_preference is defined %}
- routing_preference = "{{ value.s2s_config.routing_preference | default('Microsoft Network') }}"
+{% if value.s2s_resources.routing_preference is defined %}
+ routing_preference = "{{ value.s2s_resources.routing_preference | default('Microsoft Network') }}"
 {% endif %}
 {% if value.deploy_s2s.bgp_settings is defined %}
 bgp_settings = {
@@ -89,10 +89,12 @@ virtual_hubs = {
 {% endif %}
 }
 deploy_er = {{ value.deploy_er | string | lower | default(false) }}
+{% if value.er_resources is defined %}
 er_config = {
- name = "{{ value.er_config.name }}"
- scale_units = {{ value.er_config.scale_units }}
+ name = "{{ value.er_resources.name }}"
+ scale_units = {{ value.er_resources.scale_units }}
 }
+{% endif %}
 {% if value.security_partner_provider is defined %}
 security_partner_provider = {
 {% for spp_key, spp_value in value.security_partner_provider.items() %}
diff --git a/templates/resources/virtual_hubs_route_tables.tfvars.j2 b/templates/resources/virtual_hubs_route_tables.tfvars.j2
deleted file mode 100644
index c1d31f8c5..000000000
--- a/templates/resources/virtual_hubs_route_tables.tfvars.j2
+++ /dev/null
@@ -1,35 +0,0 @@
-{% if connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables is defined %}
-virtual_hub_route_tables = {
-{% for key, route_table in connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables.items() %}
- {{ key }} = {
- name = "{{ route_table.name }}"
-
- virtual_hub = {
- key = "{{ virtual_hub }}"
- }
-
- # labels = ["label1"]
- # routes = {
- # egress_internet = {
- # name = "egress-internet"
- # destinations_type = "CIDR"
- # destinations = ["0.0.0.0/0"]
-
- # # Either next_hop or next_hop_id can be used
- # #
- # # When using next_hop, the virtual_hub_connection must be deployed in a different landingzone. This cannot be tested in the standalone module.
- # # Will be covered in the landingzone starter production configuration in future releases.
- # #
- # next_hop = {
- # lz_key = "" #
- # resource_type = "virtual_hub_connection" # Only supported value.
- # resource_key = "egress-fw"
- # }
- # #to cather for external object
- # #next_hop_id = "Azure_Resource_ID"
- # }
- # }
- }
-{% endfor %}
-}
-{% endif %}
\ No newline at end of file
diff --git a/templates/resources/virtual_machines.tfvars.j2 b/templates/resources/virtual_machines.tfvars.j2
index 73d5a364e..a213322a7 100644
--- a/templates/resources/virtual_machines.tfvars.j2
+++ b/templates/resources/virtual_machines.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_machines = {
-{% for key, value in resources.subscriptions[subscription_key].virtual_machines.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].virtual_machines.items() %}
 {{ key }} = {
 resource_group = {
 {% if value.resource_group.lz_key is defined %}
diff --git a/templates/resources/virtual_networks.tfvars.j2 b/templates/resources/virtual_networks.tfvars.j2
index 7a12ad5f0..854b0e704 100644
--- a/templates/resources/virtual_networks.tfvars.j2
+++ b/templates/resources/virtual_networks.tfvars.j2
@@ -1,5 +1,5 @@
 vnets = {
-{% for key, vnet in resources.subscriptions[subscription_key].virtual_networks.items() %}
+{% for key, vnet in resources[tfstate_resource].subscriptions[subscription_key].virtual_networks.items() %}
 {{ key }} = {
 resource_group_key = "{{vnet.resource_group_key}}"
 vnet = {
diff --git a/templates/resources/virtual_wans.tfvars.j2 b/templates/resources/virtual_wans.tfvars.j2
index 659ee3eb9..2f4fd1ae9 100644
--- a/templates/resources/virtual_wans.tfvars.j2
+++ b/templates/resources/virtual_wans.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_wans = {
-{% for key, vwan in resources.subscriptions[subscription_key].virtual_wans.items() %}
+{% for key, vwan in resources[tfstate_resource].subscriptions[subscription_key].virtual_wans.items() %}
 "{{key}}" = {
 resource_group_key = "{{ vwan.resource_group_key }}"
 name = "{{ vwan.name }}"
diff --git a/templates/resources/vpn_gateway_connections.tfvars.j2 b/templates/resources/vpn_gateway_connections.tfvars.j2
index 4cb978052..9c7a2eea8 100644
--- a/templates/resources/vpn_gateway_connections.tfvars.j2
+++ b/templates/resources/vpn_gateway_connections.tfvars.j2
@@ -1,5 +1,5 @@
 vpn_gateway_connections = {
-{% for key, value in resources.subscriptions[subscription_key].vpn_gateway_connections.items() %}
+{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].vpn_gateway_connections.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 internet_security_enabled = {{ value.internet_security_enabled | default(true) | string | lower }} // propagate to default route table
diff --git a/templates/resources/vpn_sites.tfvars.j2 b/templates/resources/vpn_sites.tfvars.j2
index d79984684..604b98695 100644
--- a/templates/resources/vpn_sites.tfvars.j2
+++ b/templates/resources/vpn_sites.tfvars.j2
@@ -1,5 +1,5 @@ vpn_sites = { -{% for key, value in resources.subscriptions[subscription_key].vpn_sites.items() %} +{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].vpn_sites.items() %} {{ key }} = { name = "{{ value.name }}" resource_group = { From 39528520e20a208b1fb44e421b8c9c4cbd823ca8 Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Mon, 28 Feb 2022 02:54:32 +0000 Subject: [PATCH 54/67] Update initial conditions --- .../platform/level0/launchpad/ansible.yaml | 23 +++++++++++++++---- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml index 50ca184d5..552484c7f 100644 --- a/templates/platform/level0/launchpad/ansible.yaml +++ b/templates/platform/level0/launchpad/ansible.yaml @@ -66,7 +66,9 @@ --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" - name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad_credentials details" - when: credentials_tfstate_exists.rc == 0 + when: + - launchpad_tfstate_exists.rc == 0 + - credentials_tfstate_exists.rc == 0 shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" register: launchpad_credentials 
@@ -77,27 +79,38 @@ - "{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" - "{{launchpad_credentials}}" verbosity: 2 + when: + - launchpad_tfstate_exists.rc == 0 + - credentials_tfstate_exists.rc == 0 - name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad_credentials json data" - when: credentials_tfstate_exists.rc == 0 + when: + - launchpad_tfstate_exists.rc == 0 + - credentials_tfstate_exists.rc == 0 set_fact: credjsondata: "{{ launchpad_credentials.stdout | from_json }}" - name: "[{{resources[tfstate].relative_destination_folder}}] set keyvaults" - when: credentials_tfstate_exists.rc == 0 + when: + - launchpad_tfstate_exists.rc == 0 + - credentials_tfstate_exists.rc == 0 set_fact: keyvaults: "{{ credjsondata | json_query(path) }}" vars: path: 'outputs.objects.value.launchpad_credentials.keyvaults' - name: "[{{resources[tfstate].relative_destination_folder}}] cleanup" - when: credentials_tfstate_exists.rc == 0 + when: + - launchpad_tfstate_exists.rc == 0 + - credentials_tfstate_exists.rc == 0 file: path: "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" state: absent - name: "[{{resources[tfstate].relative_destination_folder}}] cleanup" - when: launchpad_tfstate_exists.rc == 0 + when: + - launchpad_tfstate_exists.rc == 0 + - credentials_tfstate_exists.rc == 0 file: path: "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}" state: absent From c6fc997a462c6ca0b2d29107411f0240ad2ce5ed Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Mon, 28 Feb 2022 02:57:51 +0000 Subject: [PATCH 55/67] Update initial conditions for readme --- templates/platform/level0/launchpad/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index f982e9a3f..eda624d24 100644 --- a/templates/platform/level0/launchpad/readme.md 
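Review bot: The last cleanup task, which removes `~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}`, is now conditioned on `credentials_tfstate_exists.rc == 0` in addition to `launchpad_tfstate_exists.rc == 0`, so when the launchpad state was fetched but no credentials state exists, the launchpad copy is never deleted and a Terraform state file is left under the home directory of the machine running the playbook. State files can carry sensitive outputs, so that task should stay gated on its own file's existence check only, as it was before: `when: launchpad_tfstate_exists.rc == 0`. The other tasks in this hunk consume `launchpad_credentials`, so adding the launchpad condition to them is coherent; the same two-line condition is now repeated across this and the `@@ -66` hunk, which could be computed once into a fact and referenced by each task. The unchanged debug task above prints `{{launchpad_credentials}}` — the contents of the state file — at `verbosity: 2`, which is worth keeping in mind given what that file holds.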
+++ b/templates/platform/level0/launchpad/readme.md @@ -71,7 +71,7 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla # On success plan, execute rover \ -{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists is defined and credentials_tfstate_exists.rc == 0 %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_launchpad \ From ed96ae3db6fe2eaa2037eccfff96136463295e77 Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Mon, 28 Feb 2022 04:54:17 +0000 Subject: [PATCH 56/67] Stabilisation --- templates/platform/ansible/walk-through.yaml | 4 + .../asvm/orion-landingzone/config.asvm.yaml | 4 - .../deployments/orion_dev.yaml | 511 ----------------- .../deployments/orion_prod.yaml | 524 ------------------ .../deployments/subscriptions.yaml | 31 -- .../platform/asvm/orion-landingzone/readme.md | 16 - .../asvm/orion-landingzone/tfstates.asvm.yaml | 28 - .../platform/level0/credentials/readme.md | 6 +- .../platform/level0/launchpad/ansible.yaml | 5 +- templates/platform/level0/launchpad/readme.md | 4 +- templates/platform/level1/eslz/readme.md | 8 +- templates/platform/level1/identity/readme.md | 4 +- .../platform/level1/management/readme.md | 10 +- .../platform/level1/subscriptions/readme.md | 2 - templates/platform/walk-through-single.yaml | 3 +- 15 files changed, 24 insertions(+), 1136 deletions(-) delete mode 100644 templates/platform/asvm/orion-landingzone/config.asvm.yaml delete mode 100644 templates/platform/asvm/orion-landingzone/deployments/orion_dev.yaml delete mode 100644 templates/platform/asvm/orion-landingzone/deployments/orion_prod.yaml delete mode 100644 templates/platform/asvm/orion-landingzone/deployments/subscriptions.yaml delete mode 100644 templates/platform/asvm/orion-landingzone/readme.md delete mode 100644 templates/platform/asvm/orion-landingzone/tfstates.asvm.yaml diff --git a/templates/platform/ansible/walk-through.yaml b/templates/platform/ansible/walk-through.yaml index d188d6280..4b71b0bd9 100644 --- a/templates/platform/ansible/walk-through.yaml +++ b/templates/platform/ansible/walk-through.yaml @@ -1,3 +1,7 @@ +# +# Get launchpad subscription details +# + - name: Get deployment user object_id shell: az ad signed-in-user show --query objectId -o tsv register: object_id 
diff --git a/templates/platform/asvm/orion-landingzone/config.asvm.yaml b/templates/platform/asvm/orion-landingzone/config.asvm.yaml deleted file mode 100644 index b39312f88..000000000 --- a/templates/platform/asvm/orion-landingzone/config.asvm.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# cleanup_destination - recommended to clean and recreated a clean state from template. -configuration_folders: - asvm: - cleanup_destination: true \ No newline at end of file diff --git a/templates/platform/asvm/orion-landingzone/deployments/orion_dev.yaml b/templates/platform/asvm/orion-landingzone/deployments/orion_dev.yaml deleted file mode 100644 index 5d411142e..000000000 --- a/templates/platform/asvm/orion-landingzone/deployments/orion_dev.yaml +++ /dev/null 
@@ -1,511 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level3/asvm/orion/dev - -deployments: - landingzone: - tfstate: - asvm: - orion_dev: - global_settings_key: - platform: - virtual_hubs: non_prod - remote_tfstates: - asvm: - subscriptions: - platform: - virtual_hubs: non_prod - azurerm_firewalls: non_prod - identity_level2: non_prod - asvm: - -subscriptions: - orion_dev: - resource_groups: - rg: - name: orion-dev - backup: - name: orion-dev-backup - networking: - name: orion-dev-networking - preparation: - name: orion-dev-preparation - modeling: - name: orion-dev-modeling - consumption: - name: orion-dev-consumption - analytics: - name: orion-dev-analytics - - virtual_networks: - vnet: - name: orion-dev - resource_group_key: networking - region_key: region1 - dns_servers_keys: - fw_prod_plinks_01: - resource_type: azurerm_firewall - lz_key: connectivity_firewalls_non_prod - key: fw_non_prod_plinks_01 - address_space: - - 10.101.200.0/23 - subnets: - databricks_preparation_egress: - name: databricks-preparation-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.200.0/26 - databricks_preparation_private: - name: databricks-preparation-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.200.64/26 - databricks_modeling_egress: - name: databricks-modeling-egress - nsg_key: databricks_egress - delegation: - 
name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.201.0/26 - databricks_modeling_private: - name: databricks-modeling-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.201.64/26 - consumption: - name: consumption - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.200.128/25 - databricks_notebooks: - name: databricks-notebooks - service_endpoints: - - Microsoft.Storage - - Microsoft.KeyVault - nsg_key: databricks_notebooks - cidr: - - 10.101.201.128/27 - private_endpoints: - name: private-endpoints - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.201.192/27 - - network_security_group_definition: - databricks_egress: - version: 1 - resource_group_key: networking - name: databricks-egress - nsg: - Inbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 5557 - destination_address_prefix: "*" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 22 - destination_address_prefix: "*" - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp - access: Allow - protocol: tcp - 
source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - 405: - name: ICMP - access: Allow - protocol: icmp - source_port_range: "*" - source_address_prefix: "*" - destination_port_range: "*" - destination_address_prefix: "*" - databricks_private: - version: 1 - resource_group_key: networking - name: databricks-private - nsg: - Inbound: - 400: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 401: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp - access: Allow - 
protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - consumption: - version: 1 - resource_group_key: networking - name: consumption - databricks_notebooks: - version: 1 - resource_group_key: networking - name: databricks-notebook - nsg: - Inbound: - 500: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 501: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 500: - name: AzureActiveDirectory - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: 
"AzureActiveDirectory" - destination_port_ranges: - - 80 - - 443 - 501: - name: AzureMachineLearning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureMachineLearning" - destination_port_ranges: - - 443 - 502: - name: AzureResourceManager - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureResourceManager" - destination_port_ranges: - - 443 - 503: - name: Storage SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "Storage.SoutheastAsia" - destination_port_ranges: - - 443 - 504: - name: AzureFrontDoor Frontend - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.Frontend" - destination_port_ranges: - - 443 - 505: - name: Container Registry SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureContainerRegistry.SoutheastAsia" - destination_port_ranges: - - 443 - 506: - name: Microsoft Container Registry SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia" - destination_port_ranges: - - 443 - 507: - name: Keyvault SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureKeyVault.SoutheastAsia" - destination_port_ranges: - - 443 - 508: - name: AzureFrontDoor FirstParty - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - destination_port_range: "*" - - virtual_hub_connections: - vnet_to_dev: - name: vnet-orion-dev-TO-non-prod - virtual_hub: - lz_key: connectivity_virtual_hub_non_prod - key: non_prod - vnet: 
- vnet_key: vnet - - recovery_vaults: - asr: - name: vault-orion-dev - resource_group_key: backup - backup_policies: - vms: - default: - name: vm-default-policy - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - - keyvaults: - kv_delegated_sp: - name: oriondev0001 - resource_group_key: rg - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - landingzone_maintainers_non_prod: - lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_non_prod - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - kv_delegated_sp: - app_LZContributors: - azuread_service_principal_key: sp_LZContributors - secret_permissions: - - Get - - azuread_applications: - app_LZContributors: - application_name: app-asvm-orion-dev-Contributors - - azuread_service_principals: - sp_LZContributors: - azuread_application: - key: app_LZContributors - - azuread_credentials: - app_LZContributors: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - key: app_LZContributors - keyvaults: - kv_delegated_sp: - secret_prefix: sp - - azuread_credential_policies: - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 70 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - - custom_role_definitions: - contributors_extended: - name: lz-orion-dev-contributors-extended - useprefix: true - description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
- permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/virtualNetworks/join/action - - role_mapping: - custom_role_mapping: - networking: - vnet: - contributors_extended: - azuread_service_principals: - keys: - - sp_LZContributors - - built_in_role_mapping: - resource_groups: - preparation: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - modeling: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - consumption: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - analytics: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - storage_containers: - orion_prod_level3: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - orion_dev_level4: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - diff --git a/templates/platform/asvm/orion-landingzone/deployments/orion_prod.yaml b/templates/platform/asvm/orion-landingzone/deployments/orion_prod.yaml deleted file mode 100644 index 2e92f9b04..000000000 --- a/templates/platform/asvm/orion-landingzone/deployments/orion_prod.yaml +++ /dev/null 
@@ -1,524 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level3/asvm/orion/prod - -deployments: - landingzone: - tfstate: - asvm: - orion_prod: - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - asvm: - subscriptions: - platform: - virtual_hubs: prod - azurerm_firewalls: prod - identity_level2: prod - asvm: - -subscriptions: - orion_prod: - resource_groups: - rg: - name: orion-prod - backup: - name: orion-prod-backup - networking: - name: orion-prod-networking - preparation: - name: orion-prod-preparation - modeling: - name: orion-prod-modeling - consumption: - name: orion-prod-consumption - analytics: - name: orion-prod-analytics - - virtual_networks: - vnet: - name: orion-prod - resource_group_key: networking - region_key: region1 - dns_servers_keys: - fw_prod_plinks_01: - resource_type: azurerm_firewall - lz_key: connectivity_firewalls_prod - key: fw_prod_plinks_01 - address_space: - - 10.101.8.0/23 - subnets: - databricks_preparation_egress: - name: databricks-preparation-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.8.0/26 - databricks_preparation_private: - name: databricks-preparation-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.8.64/26 - databricks_modeling_egress: - name: databricks-modeling-egress - nsg_key: databricks_egress - delegation: - name: databricks - 
service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.9.0/26 - databricks_modeling_private: - name: databricks-modeling-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.9.64/26 - consumption: - name: consumption - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.8.128/25 - databricks_notebooks: - name: databricks-notebooks - service_endpoints: - - Microsoft.Storage - - Microsoft.KeyVault - nsg_key: databricks_notebooks - cidr: - - 10.101.9.128/27 - private_endpoints: - name: private-endpoints - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.9.192/27 - - network_security_group_definition: - databricks_egress: - version: 1 - resource_group_key: networking - name: databricks-egress - nsg: - Inbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 5557 - destination_address_prefix: "*" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 22 - destination_address_prefix: "*" - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp - access: Allow - protocol: tcp - source_port_range: "*" - 
source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - 405: - name: ICMP - access: Allow - protocol: icmp - source_port_range: "*" - source_address_prefix: "*" - destination_port_range: "*" - destination_address_prefix: "*" - databricks_private: - version: 1 - resource_group_key: networking - name: databricks-private - nsg: - Inbound: - 400: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 401: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp - access: Allow - protocol: tcp - 
source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - consumption: - version: 1 - resource_group_key: networking - name: consumption - databricks_notebooks: - version: 1 - resource_group_key: networking - name: databricks-notebooks - nsg: - Inbound: - 500: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 501: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 500: - name: AzureActiveDirectory - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureActiveDirectory" - 
destination_port_ranges: - - 80 - - 443 - 501: - name: AzureMachineLearning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureMachineLearning" - destination_port_ranges: - - 443 - 502: - name: AzureResourceManager - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureResourceManager" - destination_port_ranges: - - 443 - 503: - name: Storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "Storage" - destination_port_ranges: - - 443 - 504: - name: AzureFrontDoor Frontend - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.Frontend" - destination_port_ranges: - - 443 - 505: - name: Container Registry - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureContainerRegistry" - destination_port_ranges: - - 443 - 506: - name: Microsoft Container Registry - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "MicrosoftContainerRegistry" - destination_port_ranges: - - 443 - 507: - name: Keyvault - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureKeyVault" - destination_port_ranges: - - 443 - 508: - name: AzureFrontDoor FirstParty - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - destination_port_range: "*" - - virtual_hub_connections: - vnet_to_prod: - name: vnet-orion-prod-TO-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet - - recovery_vaults: - asr: - name: vault-orion-prod - resource_group_key: backup - backup_policies: - vms: - default: - name: 
vm-default-policy - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - - keyvaults: - kv_delegated_sp: - name: orionprod001 - resource_group_key: rg - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - landingzone_maintainers_prod: - lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_prod - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - kv_delegated_sp: - app_LZContributors: - azuread_service_principal_key: sp_LZContributors - secret_permissions: - - Get - - azuread_applications: - app_LZContributors: - application_name: app-asvm-orion-prod-Contributors - - azuread_service_principals: - sp_LZContributors: - azuread_application: - key: app_LZContributors - - azuread_credentials: - app_LZContributors: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - key: app_LZContributors - keyvaults: - kv_delegated_sp: - secret_prefix: sp - - azuread_credential_policies: - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 70 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - - azuread_groups_membership: - caf_prod_landingzones_dns_contributors: - azuread_service_principals: - sp_LZContributors: - group_lz_key: identity_level2 - keys: - - sp_LZContributors - caf_ac_landingzone_maintainers_prod: - azuread_service_principals: - sp_LZContributors: - group_lz_key: asvm - keys: - - sp_LZContributors - - custom_role_definitions: - contributors_extended: - name: lz-orion-prod-contributors-extended - useprefix: true - description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
- permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/virtualNetworks/join/action - - role_mapping: - custom_role_mapping: - networking: - vnet: - contributors_extended: - azuread_service_principals: - keys: - - sp_LZContributors - - built_in_role_mapping: - resource_groups: - preparation: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - modeling: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - consumption: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - analytics: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - storage_containers: - orion_prod_level3: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - orion_prod_level4: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors diff --git a/templates/platform/asvm/orion-landingzone/deployments/subscriptions.yaml b/templates/platform/asvm/orion-landingzone/deployments/subscriptions.yaml deleted file mode 100644 index 2715fced1..000000000 --- a/templates/platform/asvm/orion-landingzone/deployments/subscriptions.yaml +++ /dev/null @@ -1,31 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level3/asvm/orion/subscriptions - -deployments: - landingzone: - tfstate: - asvm: - subscriptions: - global_settings_key: - platform: - asvm: - remote_tfstates: - platform: - asvm: - -subscriptions: - launchpad: - subscriptions: - orion_dev: - name: orion-dev - create_alias: false - subscription_id: - - orion_prod: - name: orion-prod - create_alias: false - subscription_id: - - \ No newline at end of file diff --git a/templates/platform/asvm/orion-landingzone/readme.md b/templates/platform/asvm/orion-landingzone/readme.md deleted file mode 100644 index 71db174b6..000000000 
--- a/templates/platform/asvm/orion-landingzone/readme.md +++ /dev/null @@ -1,16 +0,0 @@ -# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM) - -## Generate the configuration files - -```bash - -rover ignite \ - --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ - -e base_templates_folder=/tf/caf/landingzones/templates/platform \ - -e resource_template_folder=/tf/caf/landingzones/templates/resources \ - -e config_folder=/tf/caf/definitions/asvm/orion-landingzone \ - -e config_folder_platform=/tf/caf/definitions \ - -e landingzones_folder=/tf/caf/landingzones - - -``` \ No newline at end of file diff --git a/templates/platform/asvm/orion-landingzone/tfstates.asvm.yaml b/templates/platform/asvm/orion-landingzone/tfstates.asvm.yaml deleted file mode 100644 index e745ac2f8..000000000 --- a/templates/platform/asvm/orion-landingzone/tfstates.asvm.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# ### orion ### -tfstates: - asvm: - subscriptions: - lz_key_name: orion_subscriptions - tfstate: orion_subscriptions.tfstate - workspace: tfstate - level: level3 - sub_template_folder: level3 - yaml: level3/ansible.yaml - - orion_dev: - lz_key_name: orion_dev_level3 - tfstate: orion_dev_level3.tfstate - workspace: orion-dev - level: level3 - sub_template_folder: level3 - yaml: level3/ansible.yaml - - - orion_prod: - lz_key_name: orion_prod_level3 - tfstate: orion_prod_level3.tfstate - workspace: orion-prod - level: level3 - sub_template_folder: level3 - yaml: level3/ansible.yaml - diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index cdf13dc74..e45008d7b 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md 
@@ -7,7 +7,7 @@ rover login -t {{ resources.platform_identity.tenant_name }} rover \ -{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ @@ -23,14 +23,14 @@ rover \ ``` -If the plan is not successfull you need to come back to the yaml contoso.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan. +If the plan is not successfull you need to come back to the yaml {{resources.customer_name}}.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan. ```bash # On success plan, execute rover \ -{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml index 552484c7f..45f884293 100644 --- a/templates/platform/level0/launchpad/ansible.yaml +++ b/templates/platform/level0/launchpad/ansible.yaml 
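Review bot: The new guard `keyvaults is defined` in both hunks of this file only establishes that some keyvault output exists, while the very next line indexes `keyvaults[tfstate_object.identity_aad_key]`, so rendering still fails on an undefined key when other vaults exist but the identity vault does not. Testing the entry itself is safer: `{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults[tfstate_object.identity_aad_key] is defined %}`. The equivalent guard in launchpad/readme.md in this same commit is keyed on `credentials_tfstate_exists.rc == 0` instead, so the two level0 readmes now decide whether to impersonate on different evidence; a one-line template comment stating which signal is authoritative for each level would make the divergence deliberate rather than accidental.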
@@ -55,15 +55,14 @@ - name: "[{{resources[tfstate].relative_destination_folder}}] Get credentials tfstate details for {{ resources.tfstates.platform.launchpad_credentials.tfstate }} from {{ launchpad_storage_account.stdout }}/{{ resources.tfstates.platform.launchpad.workspace | default('tfstate') }}" register: credentials_tfstate_exists - when: - - launchpad_tfstate_exists.rc == 0 + ignore_errors: true shell: | az storage blob download \ --name "{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" \ --account-name "{{ launchpad_storage_account.stdout }}" \ --container-name "{{ resources.tfstates.platform.launchpad.workspace | default('tfstate') }}" \ --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" + --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}" - name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad_credentials details" when: diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index eda624d24..acc03af6d 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md @@ -48,7 +48,7 @@ git checkout {{ resources.gitops.caf_landingzone_branch }} git pull rover \ -{% if ((resources.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_launchpad \ 
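Review bot: Replacing the `when: launchpad_tfstate_exists.rc == 0` guard with `ignore_errors: true` on the `az storage blob download` task makes every failure of that download indistinguishable to the readmes that later test `credentials_tfstate_exists.rc == 0`: a launchpad state that does not exist yet, a missing blob, and an authorization failure under `--auth-mode login` all yield a non-zero rc, so the impersonation step is silently dropped with no signal that credentials were expected. `ignore_errors` also still prints the task as failed in the play recap, which is noise on every fresh bootstrap. If the guard was removed because `launchpad_tfstate_exists` is not always registered, a `failed_when: false` combined with `when: launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0` keeps the task non-fatal while still skipping it in the expected case; whether that variable is always set cannot be confirmed from this hunk. The task definition begins outside the hunk.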
@@ -71,7 +71,7 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla # On success plan, execute rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists is defined and credentials_tfstate_exists.rc == 0 %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_launchpad \ diff --git a/templates/platform/level1/eslz/readme.md b/templates/platform/level1/eslz/readme.md index eff897294..305c963f7 100644 --- a/templates/platform/level1/eslz/readme.md +++ b/templates/platform/level1/eslz/readme.md @@ -30,4 +30,10 @@ rover \ # Next steps - [Deploy Connectivity](../../level2/connectivity/readme.md) +[Deploy asvm](../../level2/asvm/readme.md) +{% if bootstrap.deployments.scale_out_domains.identity_level2 is defined %} +{% for key in bootstrap.deployments.scale_out_domains.identity_level2.keys() %} +[Deploy identity_level2 - {{key}}](../../{{resources['identity_level2_' + key].relative_destination_folder}}/readme.md) +{% endfor %} +{% endif %} +[Deploy Connectivity](../../level2/connectivity/virtual_wans/readme.md) diff --git a/templates/platform/level1/identity/readme.md b/templates/platform/level1/identity/readme.md index 8abcacd95..466fbab9f 100644 --- a/templates/platform/level1/identity/readme.md +++ b/templates/platform/level1/identity/readme.md @@ -40,4 +40,6 @@ rover \ # Next steps - [Deploy Enterprise Scale](../../level1/eslz/readme.md) +{% for key in bootstrap.deployments.eslz.keys() %} +[Deploy Enterprise Scale - {{key}}](../../level1/eslz/{{key}}/readme.md) +{% endfor %} diff --git a/templates/platform/level1/management/readme.md b/templates/platform/level1/management/readme.md index 5f3d6f4af..6756496f6 100644 --- a/templates/platform/level1/management/readme.md 
+++ b/templates/platform/level1/management/readme.md @@ -16,10 +16,8 @@ rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf {% endif %} rover \ -{% if platform_subscriptions_details.eslz is defined %} -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ -{% endif %} {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ @@ -44,8 +42,4 @@ rover \ When you have successfully deployed the management landing zone, you can move to the next step: -{% if resources.platform_core_setup.enterprise_scale is defined %} - [Deploy Enterprise Scale](../../level1/eslz/readme.md) -{% else %} - [Deploy Connectivity](../../level2/connectivity/readme.md) -{% endif %} +[Deploy Identity](../../level1/identity/readme.md) diff --git a/templates/platform/level1/subscriptions/readme.md b/templates/platform/level1/subscriptions/readme.md index 2fbd42004..6688fcd8d 100644 --- a/templates/platform/level1/subscriptions/readme.md +++ b/templates/platform/level1/subscriptions/readme.md @@ -8,10 +8,8 @@ Set-up the subscription delegations for platform and landingzone subscriptions rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} rover \ -{% if platform_subscriptions_details.eslz is defined %} {% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ -{% endif %} {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ 
diff --git a/templates/platform/walk-through-single.yaml b/templates/platform/walk-through-single.yaml index 201ba3428..505fd4b49 100644 --- a/templates/platform/walk-through-single.yaml +++ b/templates/platform/walk-through-single.yaml @@ -40,14 +40,13 @@ default: region1 - name: eslz_mg_prefix - prompt: Management group prefix + prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens). private: no - name: eslz_mg_name prompt: Management group name private: no - tasks: - include_tasks: "ansible/walk-through.yaml" From bfeea5e3704e015ec877f7db9171021384dd0802 Mon Sep 17 00:00:00 2001 
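Review bot: The new prompt text states a constraint on `eslz_mg_prefix` (2 to 10 characters, alphanumeric and hyphens) that nothing in the playbook enforces; `vars_prompt` performs no validation, so an invalid value is only rejected much later when the management group is created. An `ansible.builtin.assert` task at the start of `tasks:`, ahead of `include_tasks: "ansible/walk-through.yaml"`, fails fast with a clear message. The `vars_prompt` list this hunk edits starts above the hunk.
```yaml
tasks:
  - name: Validate management group prefix
    ansible.builtin.assert:
      that:
        - eslz_mg_prefix is match('^[A-Za-z0-9-]{2,10}$')
      fail_msg: "eslz_mg_prefix must be 2 to 10 characters long and contain only alphanumeric characters and hyphens"
  - include_tasks: "ansible/walk-through.yaml"
```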
From: LaurentLesle Date: Tue, 1 Mar 2022 02:39:36 +0000 Subject: [PATCH 57/67] Updates --- templates/platform/ansible/ansible.yaml | 2 +- .../process_subscription_resources.yaml | 2 +- templates/platform/ansible/walk-through.yaml | 21 +- .../platform/asvm/orion/config.asvm.yaml | 4 + .../asvm/orion/deployments/orion_dev.yaml | 511 +++++++++++++++++ .../asvm/orion/deployments/orion_prod.yaml | 540 ++++++++++++++++++ .../asvm/orion/deployments/subscriptions.yaml | 31 + templates/platform/asvm/orion/readme.md | 16 + .../platform/asvm/orion/tfstates.asvm.yaml | 28 + templates/platform/asvm/walk-through.yaml | 28 + templates/platform/level0/launchpad/readme.md | 23 +- templates/platform/level1/eslz/ansible.yaml | 2 +- .../level1/eslz/enterprise_scale.tfvars.j2 | 2 +- templates/platform/readme.md | 25 +- templates/platform/services/README.md | 28 +- .../connectivity_firewall_policies.yaml | 12 +- .../services/connectivity_private_dns.yaml | 4 +- ...> connectivity_private_dns_firewalls.yaml} | 24 +- .../connectivity_secure_firewalls.yaml | 52 ++ .../services/connectivity_virtual_hubs.yaml | 4 + ...onnectivity_virtual_hubs_route_tables.yaml | 6 +- .../services/connectivity_virtual_wans.yaml | 1 + templates/platform/services/ignite_input.yaml | 7 + .../services/template.caf.platform.yaml | 4 +- ...cription.yaml => single_subscription.yaml} | 9 +- .../platform/single_subscription_ao.yaml | 184 ++++++ templates/platform/walk-through-single.yaml | 3 + .../resources/azurerm_firewalls.tfvars.j2 | 2 + templates/resources/virtual_hubs.tfvars.j2 | 12 +- 29 files changed, 1523 insertions(+), 64 deletions(-) create mode 100644 templates/platform/asvm/orion/config.asvm.yaml create mode 100644 templates/platform/asvm/orion/deployments/orion_dev.yaml create mode 100644 templates/platform/asvm/orion/deployments/orion_prod.yaml create mode 100644 templates/platform/asvm/orion/deployments/subscriptions.yaml create mode 100644 templates/platform/asvm/orion/readme.md create mode 100644 
templates/platform/asvm/orion/tfstates.asvm.yaml create mode 100644 templates/platform/asvm/walk-through.yaml rename templates/platform/services/{connectivity_firewalls.yaml => connectivity_private_dns_firewalls.yaml} (76%) create mode 100644 templates/platform/services/connectivity_secure_firewalls.yaml create mode 100644 templates/platform/services/ignite_input.yaml rename templates/platform/{eslz_single_subscription.yaml => single_subscription.yaml} (94%) create mode 100644 templates/platform/single_subscription_ao.yaml diff --git a/templates/platform/ansible/ansible.yaml b/templates/platform/ansible/ansible.yaml index 0d42de4fb..d4756dd19 100644 --- a/templates/platform/ansible/ansible.yaml +++ b/templates/platform/ansible/ansible.yaml @@ -23,7 +23,7 @@ - name: "Set variables" set_fact: job_cache_base_path: "/home/vscode/.terraform.cache" - destination_base_path: '{{resources.configuration_folders.platform.destination_base_path}}/{{ resources.configuration_folders.platform.destination_relative_path }}' + destination_base_path: '{{ destination_folder }}' - name: "Creates destination directory - {{destination_base_path}}" file: diff --git a/templates/platform/ansible/process_subscription_resources.yaml b/templates/platform/ansible/process_subscription_resources.yaml index c648d66cf..0d7197ba8 100644 --- a/templates/platform/ansible/process_subscription_resources.yaml +++ b/templates/platform/ansible/process_subscription_resources.yaml @@ -72,7 +72,7 @@ # # overrides # -- name: "[{{tfstate_resource}} - {{resources[tfstate_resource].relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}" +- name: "[{{tfstate_resource}} - {{resources[tfstate_resource].relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }} to {{ destination_path }}" ansible.builtin.template: src: "{{ item }}" dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" 
diff --git a/templates/platform/ansible/walk-through.yaml b/templates/platform/ansible/walk-through.yaml index 4b71b0bd9..6f96aad59 100644 --- a/templates/platform/ansible/walk-through.yaml +++ b/templates/platform/ansible/walk-through.yaml @@ -32,7 +32,7 @@ - set_fact: topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}" - destination_path: "{{destination_base_path + '/' + definitions_relative_path}}" + destination_path: "{{destination_folder}}" - name: "Creates directory - {{destination_path}}" @@ -40,6 +40,11 @@ path: "{{destination_path}}" state: directory +- name: ignite_input + ansible.builtin.template: + src: "{{platform_service_folder}}/ignite_input.yaml" + dest: "{{destination_path}}/ignite_input.yaml" + # # Load the files into variables # @@ -63,11 +68,11 @@ # Need topologies to render the following templates - name: "load tfstates" set_fact: - "tfstates_deployment__to_merge": "{{ lookup('template', '{{config_folder_platform_templates}}/services/tfstates.yaml') | from_yaml }}" + "tfstates_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/tfstates.yaml') | from_yaml }}" - name: "load template.caf.platform" set_fact: - "caf_platform_deployment__to_merge": "{{ lookup('template', '{{config_folder_platform_templates}}/services/template.caf.platform.yaml') | from_yaml }}" + "caf_platform_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/template.caf.platform.yaml') | from_yaml }}" - name: Merge deployment files into topologies variable merge_vars: 
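Review bot: The new template task in the `@@ -40,6 +40,11 @@` hunk is named `ignite_input`, while the sibling template tasks further down this file (`tfstates.yaml`, `ignite.yaml`, `template.caf.platform.yaml`, and the `readme.me` → `readme.md` fix in the next hunk) are named after the file they write; `- name: ignite_input.yaml` keeps the convention. Like those siblings it also sets no `mode:` on the rendered file, so the permissions of `ignite_input.yaml` depend on the controller's umask; if the rendered input carries tenant or subscription identifiers, an explicit `mode: "0640"` makes that deliberate.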
@@ -94,22 +99,22 @@ - name: tfstates.yaml ansible.builtin.template: - src: "{{config_folder_platform_templates}}/services/tfstates.yaml" + src: "{{platform_service_folder}}/tfstates.yaml" dest: "{{destination_path}}/tfstates.yaml" - name: ignite.yaml ansible.builtin.template: - src: "{{config_folder_platform_templates}}/eslz_single_subscription.yaml" + src: "{{config_folder_platform_templates}}/single_subscription.yaml" dest: "{{destination_path}}/ignite.yaml" - name: template.caf.platform.yaml ansible.builtin.template: - src: "{{config_folder_platform_templates}}/services/template.caf.platform.yaml" + src: "{{platform_service_folder}}/template.caf.platform.yaml" dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml" -- name: readme.me +- name: readme.md ansible.builtin.template: - src: "{{config_folder_platform_templates}}/services/README.md" + src: "{{platform_service_folder}}/README.md" dest: "{{destination_path}}/GETTING-STARTED.md" diff --git a/templates/platform/asvm/orion/config.asvm.yaml b/templates/platform/asvm/orion/config.asvm.yaml new file mode 100644 index 000000000..b39312f88 --- /dev/null +++ b/templates/platform/asvm/orion/config.asvm.yaml @@ -0,0 +1,4 @@ +# cleanup_destination - recommended to clean and recreated a clean state from template. +configuration_folders: + asvm: + cleanup_destination: true \ No newline at end of file diff --git a/templates/platform/asvm/orion/deployments/orion_dev.yaml b/templates/platform/asvm/orion/deployments/orion_dev.yaml new file mode 100644 index 000000000..5d411142e --- /dev/null +++ b/templates/platform/asvm/orion/deployments/orion_dev.yaml 
@@ -0,0 +1,511 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level3/asvm/orion/dev + +deployments: + landingzone: + tfstate: + asvm: + orion_dev: + global_settings_key: + platform: + virtual_hubs: non_prod + remote_tfstates: + asvm: + subscriptions: + platform: + virtual_hubs: non_prod + azurerm_firewalls: non_prod + identity_level2: non_prod + asvm: + +subscriptions: + orion_dev: + resource_groups: + rg: + name: orion-dev + backup: + name: orion-dev-backup + networking: + name: orion-dev-networking + preparation: + name: orion-dev-preparation + modeling: + name: orion-dev-modeling + consumption: + name: orion-dev-consumption + analytics: + name: orion-dev-analytics + + virtual_networks: + vnet: + name: orion-dev + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_prod_plinks_01: + resource_type: azurerm_firewall + lz_key: connectivity_firewalls_non_prod + key: fw_non_prod_plinks_01 + address_space: + - 10.101.200.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.200.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.200.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + 
name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.201.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.201.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.200.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.201.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.201.192/27 + + network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + 
source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + 
protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + consumption: + version: 1 + resource_group_key: networking + name: consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: databricks-notebook + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: 
"AzureActiveDirectory" + destination_port_ranges: + - 80 + - 443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage.SoutheastAsia" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry.SoutheastAsia" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia" + destination_port_ranges: + - 443 + 507: + name: Keyvault SoutheastAsia + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault.SoutheastAsia" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_dev: + name: vnet-orion-dev-TO-non-prod + virtual_hub: + lz_key: connectivity_virtual_hub_non_prod + key: non_prod + vnet: 
+ vnet_key: vnet + + recovery_vaults: + asr: + name: vault-orion-dev + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + keyvaults: + kv_delegated_sp: + name: oriondev0001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_non_prod: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_non_prod + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-orion-dev-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + custom_role_definitions: + contributors_extended: + name: lz-orion-dev-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
+ permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/virtualNetworks/join/action + + role_mapping: + custom_role_mapping: + networking: + vnet: + contributors_extended: + azuread_service_principals: + keys: + - sp_LZContributors + + built_in_role_mapping: + resource_groups: + preparation: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + modeling: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + consumption: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + analytics: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + storage_containers: + orion_prod_level3: + lz_key: orion_subscriptions + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + orion_dev_level4: + lz_key: orion_subscriptions + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + diff --git a/templates/platform/asvm/orion/deployments/orion_prod.yaml b/templates/platform/asvm/orion/deployments/orion_prod.yaml new file mode 100644 index 000000000..f67c765e6 --- /dev/null +++ b/templates/platform/asvm/orion/deployments/orion_prod.yaml 
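Review bot: In the dev deployment's `role_mapping.built_in_role_mapping.storage_containers` block at the end of the hunk, `sp_LZContributors` (the dev landing-zone principal) is granted `Storage Blob Data Contributor` on `orion_prod_level3` as well as `orion_dev_level4`, so the dev principal receives write access to a container named for the prod level3 environment; unless that cross-environment grant is intentional, the key looks copied from the prod file and should read `orion_dev_level3`. The same principal is mapped to `Owner` on the preparation, modeling, consumption and analytics resource groups, which includes role-assignment rights; since the application is named `app-asvm-orion-dev-Contributors` and the custom `contributors_extended` role exists to supply the extra permissions, `Contributor` would match the stated intent unless Owner is genuinely required. Two smaller consistency slips: the `dns_servers_keys` map entry is keyed `fw_prod_plinks_01` while it references `fw_non_prod_plinks_01` in `connectivity_firewalls_non_prod`, and the `databricks_notebooks` NSG is named `databricks-notebook` here versus `databricks-notebooks` in the prod file.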
@@ -0,0 +1,540 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level3/asvm/orion/prod + +deployments: + landingzone: + tfstate: + asvm: + orion_prod: + global_settings_key: + platform: + virtual_hubs: prod + remote_tfstates: + asvm: + subscriptions: + platform: + virtual_hubs: prod + azurerm_firewalls: prod + identity_level2: prod + asvm: + +subscriptions: + orion_prod: + resource_groups: + rg: + name: orion-prod + backup: + name: orion-prod-backup + networking: + name: orion-prod-networking + preparation: + name: orion-prod-preparation + modeling: + name: orion-prod-modeling + consumption: + name: orion-prod-consumption + analytics: + name: orion-prod-analytics + + virtual_networks: + vnet: + name: orion-prod + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_prod_plinks_01: + resource_type: azurerm_firewall + lz_key: connectivity_firewalls_prod + key: fw_prod_plinks_01 + address_space: + - 10.101.8.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + name: databricks + 
service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.8.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.9.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.9.192/27 + + network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + source_port_range: "*" + 
source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + protocol: tcp + 
source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + consumption: + version: 1 + resource_group_key: networking + name: consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: databricks-notebooks + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + 
destination_port_ranges: + - 80 + - 443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry" + destination_port_ranges: + - 443 + 507: + name: Keyvault + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_prod: + name: vnet-orion-prod-TO-prod + virtual_hub: + lz_key: connectivity_virtual_hub_prod + key: prod + vnet: + vnet_key: vnet + routing: + egress: + lz_key: route tables + propagated_route_table: + labels: + - egress-firewall-prod + static_vnet_route: + 
egress_internet: + name: egress internet + address_prefix: + - 0.0.0.0/0 + # netx_hop_ip_address: 10.101.61.4 + next_hop: + lz_key: caf_networking_firewall + key: + interface_index: 0 + + recovery_vaults: + asr: + name: vault-orion-prod + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + keyvaults: + kv_delegated_sp: + name: orionprod001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_prod: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_prod + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-orion-prod-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: true + number: true + expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + azuread_groups_membership: + caf_prod_landingzones_dns_contributors: + azuread_service_principals: + sp_LZContributors: + group_lz_key: identity_level2 + keys: + - sp_LZContributors + caf_ac_landingzone_maintainers_prod: + azuread_service_principals: + sp_LZContributors: + group_lz_key: asvm + keys: + - sp_LZContributors + + custom_role_definitions: + contributors_extended: + name: 
lz-orion-prod-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." + permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/virtualNetworks/join/action + + role_mapping: + custom_role_mapping: + networking: + vnet: + contributors_extended: + azuread_service_principals: + keys: + - sp_LZContributors + + built_in_role_mapping: + resource_groups: + preparation: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + modeling: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + consumption: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + analytics: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + storage_containers: + orion_prod_level3: + lz_key: orion_subscriptions + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + orion_prod_level4: + lz_key: orion_subscriptions + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors diff --git a/templates/platform/asvm/orion/deployments/subscriptions.yaml b/templates/platform/asvm/orion/deployments/subscriptions.yaml new file mode 100644 index 000000000..2715fced1 --- /dev/null +++ b/templates/platform/asvm/orion/deployments/subscriptions.yaml @@ -0,0 +1,31 @@ +gitops: + caf_landingzone_branch: aci_network + +relative_destination_folder: level3/asvm/orion/subscriptions + +deployments: + landingzone: + tfstate: + asvm: + subscriptions: + global_settings_key: + platform: + asvm: + remote_tfstates: + platform: + asvm: + +subscriptions: + launchpad: + subscriptions: + orion_dev: + name: orion-dev + create_alias: false + subscription_id: + + orion_prod: + name: orion-prod + create_alias: false + subscription_id: + + \ No newline at end of file 
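Review bot: In the new `subscriptions.yaml`, `subscription_id:` is left empty for both `orion_dev` and `orion_prod`, so the rendered value is a YAML null rather than a subscription GUID, and nothing in the file says the operator is expected to fill it in before `rover ignite` runs. A short comment on each would make the contract explicit, e.g. `subscription_id: # set to the target subscription GUID before generating the configuration`. Separately, `caf_landingzone_branch: aci_network` pins this topology to a working branch rather than a released tag; if that is temporary, a comment naming the intended release would help whoever picks this up later.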
diff --git a/templates/platform/asvm/orion/readme.md b/templates/platform/asvm/orion/readme.md new file mode 100644 index 000000000..71db174b6 --- /dev/null +++ b/templates/platform/asvm/orion/readme.md @@ -0,0 +1,16 @@ +# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM) + +## Generate the configuration files + +```bash + +rover ignite \ + --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ + -e base_templates_folder=/tf/caf/landingzones/templates/platform \ + -e resource_template_folder=/tf/caf/landingzones/templates/resources \ + -e config_folder=/tf/caf/definitions/asvm/orion-landingzone \ + -e config_folder_platform=/tf/caf/definitions \ + -e landingzones_folder=/tf/caf/landingzones + + +``` \ No newline at end of file diff --git a/templates/platform/asvm/orion/tfstates.asvm.yaml b/templates/platform/asvm/orion/tfstates.asvm.yaml new file mode 100644 index 000000000..e745ac2f8 --- /dev/null +++ b/templates/platform/asvm/orion/tfstates.asvm.yaml @@ -0,0 +1,28 @@ +# ### orion ### +tfstates: + asvm: + subscriptions: + lz_key_name: orion_subscriptions + tfstate: orion_subscriptions.tfstate + workspace: tfstate + level: level3 + sub_template_folder: level3 + yaml: level3/ansible.yaml + + orion_dev: + lz_key_name: orion_dev_level3 + tfstate: orion_dev_level3.tfstate + workspace: orion-dev + level: level3 + sub_template_folder: level3 + yaml: level3/ansible.yaml + + + orion_prod: + lz_key_name: orion_prod_level3 + tfstate: orion_prod_level3.tfstate + workspace: orion-prod + level: level3 + sub_template_folder: level3 + yaml: level3/ansible.yaml + diff --git a/templates/platform/asvm/walk-through.yaml b/templates/platform/asvm/walk-through.yaml new file mode 100644 index 000000000..837756b7c --- /dev/null +++ b/templates/platform/asvm/walk-through.yaml 
@@ -0,0 +1,28 @@ +# +# Initial script to select a topology and create the base templates for the definitions folder +# +# ansible-playbook /tf/caf/landingzones/templates/platform/asvm/walk-through.yaml \ +# -e topology_folder=/tf/caf/landingzones/templates/platform/asvm/orion \ +# -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \ +# -e landingzones_folder=/tf/caf/landingzones \ +# -e destination_folder=/tf/caf/definitions/asvm/orion + +- name: Deploy template to definition's folder + hosts: localhost + + tasks: + + - name: Get template files + register: asvm_files + find: + paths: {{topology_file}} + file_type: file + + - debug: + - msg: "{{asvm_files}}" + + - name: Deploy files + ansible.builtin.template: + src: "{{topology_folder}}/{{item}}" + dest: "{{destination_folder}}/{{item}}" + loop: \ No newline at end of file diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index acc03af6d..6c3d70134 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md 
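Review bot: The `find` task in the new `walk-through.yaml` will not parse: `paths: {{topology_file}}` is an unquoted Jinja expression, which YAML reads as a flow mapping, and the variable it names (`topology_file`) differs from the `topology_folder` documented in the header comment and used by the template task. The `debug` task nests `msg` as a list item under `debug:` instead of a parameter, and the final `loop:` is empty, so the template task never iterates; `item` would also need to come from the `find` result (`asvm_files.files`, each a dict with a `path`), not a bare filename. A corrected task list is below.
```yaml
    - name: Get template files
      register: asvm_files
      find:
        paths: "{{ topology_folder }}"
        file_type: file

    - debug:
        msg: "{{ asvm_files }}"

    - name: Deploy files
      ansible.builtin.template:
        src: "{{ item.path }}"
        dest: "{{ destination_folder }}/{{ item.path | basename }}"
      loop: "{{ asvm_files.files }}"
```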
@@ -113,4 +113,25 @@ When you have successfully deployed the launchpad you can move to the next step [Deploy the credentials landing zone](../credentials/readme.md) {% else %} [Deploy the management services](../../level1/management/readme.md) -{% endif %} \ No newline at end of file +{% endif %} + + +# To destroy the launchpad + +Destroying the launchpad is a specific opertion that requires the tfstate to be first downloaded in the rover and then run the terraform destroy command. Note the action to use is -a destroy + +```bash + +rover \ + -lz {{ landingzones_folder }}/caf_launchpad \ + -var-folder {{ destination_path }} \ + -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \ + -launchpad \ + -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -level {{ level }} \ + -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \ + -a destroy + +``` \ No newline at end of file diff --git a/templates/platform/level1/eslz/ansible.yaml b/templates/platform/level1/eslz/ansible.yaml index 84a21a46c..69350979f 100644 --- a/templates/platform/level1/eslz/ansible.yaml +++ b/templates/platform/level1/eslz/ansible.yaml 
@@ -1,6 +1,6 @@ - name: "{{level }}-{{ deployment}} - Set landingzone file_path" set_fact: - destination_path: "{{resources.configuration_folders.platform.destination_base_path}}/{{resources.configuration_folders.platform.destination_relative_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}" + destination_path: "{{destination_base_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}" mg: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}" level: "{{tfstate_object.level}}" diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 index ef0f81290..88aeb21fd 100644 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 +++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 @@ -1,5 +1,5 @@ # relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz -library_path = "../../../../{{ resources.configuration_folders.platform.destination_relative_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib" +library_path = "../../../../{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib" {% if resources.platform_core_setup.enterprise_scale[deployment].root_parent_id is defined %} root_parent_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].root_parent_id }}" {% endif %} diff --git a/templates/platform/readme.md b/templates/platform/readme.md index db5b52b7e..88cbc8a20 100644 --- a/templates/platform/readme.md +++ b/templates/platform/readme.md 
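Review bot: In `enterprise_scale.tfvars.j2`, `library_path = "../../../../{{ destination_base_path }}/..."` now prefixes a relative climb onto a value the rest of this commit treats as an absolute path (the `eslz/ansible.yaml` hunk builds `destination_path` from `{{destination_base_path}}`, and the readme passes `/tf/caf/definition/platform`), which would yield something like `../../../..//tf/caf/...` and only resolve by accident. The comment above the line still says "relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz", so either the value is meant to stay relative or the prefix should go. If `destination_base_path` is absolute, `library_path = "{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib"` is the simpler form; I am inferring the absolute/relative split from the other hunks, so please confirm.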
@@ -1,21 +1,16 @@ # Generate the terraform configuration files -To execute this step you need to login with one of the CAF maintainers accounts: -{% for maintainer in resources.platform_identity.caf_platform_maintainers %} - - {{ maintainer }} -{% endfor %} +## Deploy in a single subscription -```bash -rover login -t {{ resources.platform_identity.tenant_name }} +``` +ansible-playbook /tf/caf/landingzones/templates/platform/walk-through-single.yaml \ + -e topology_file=/tf/caf/landingzones/templates/platform/single_subscription.yaml \ + -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \ + -e platform_service_folder=/tf/caf/landingzones/templates/platform/services \ + -e landingzones_folder=/tf/caf/landingzones \ + -e configuration_folder=/tf/caf/configuration/platform \ + -e destination_folder=/tf/caf/definition/platform -rover ignite \ - --playbook {{ base_templates_folder }}/ansible/ansible.yaml \ - -e base_templates_folder={{ base_templates_folder }} \ - -e resource_template_folder={{resource_template_folder}} \ - -e config_folder={{ config_folder }} \ - -e landingzones_folder={{ landingzones_folder }} +``` - ``` - -Get started with the [launchpad](./level0/launchpad) diff --git a/templates/platform/services/README.md b/templates/platform/services/README.md index d8b04db5d..935867d6a 100644 --- a/templates/platform/services/README.md +++ b/templates/platform/services/README.md @@ -10,8 +10,8 @@ For further executions or command, you can refer to the following sections ### Clone the landingzone project (Terraform base code) ```bash -git clone https://github.com/Azure/caf-terraform-landingzones.git {{destination_base_path}}/landingzones -cd {{destination_base_path}}/landingzones && git pull +git clone https://github.com/Azure/caf-terraform-landingzones.git {{landingzones_folder}} +cd {{landingzones_folder}} && git pull git checkout {{topology.caf_landingzone_branch}} ``` 
@@ -24,13 +24,13 @@ Rover ignite creates the tfvars and also the documentation. ```bash rover login -t {{tenant_name.stdout}} -s {{subscription_id.stdout}} - rover ignite \ +rover ignite \ --playbook {{ config_folder_platform_templates }}/ansible/ansible.yaml \ -e base_templates_folder={{ config_folder_platform_templates }} \ -e resource_template_folder={{landingzones_folder}}/templates/resources \ - -e config_folder={{destination_base_path}}/{{definitions_relative_path}} \ - -e landingzones_folder={{landingzones_folder}} - + -e config_folder={{destination_path}} \ + -e landingzones_folder={{landingzones_folder}} \ + -e destination_folder={{destination_folder}} ``` @@ -38,4 +38,18 @@ rover login -t {{tenant_name.stdout}} -s {{subscription_id.stdout}} Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created. -Get started with the [launchpad]({{destination_base_path}}/{{configuration_relative_path}}/{{topologies.launchpad.relative_destination_folder}}) +Get started with the [launchpad]({{destination_path}}/{{topologies.launchpad.relative_destination_folder}}) + +### Regenerate the definition folder + +```bash +ansible-playbook {{config_folder_platform_templates}}/walk-through-single.yaml \ + -e topology_file={{destination_folder}}/ignite.yaml \ + -e config_folder_platform_templates={{config_folder_platform_templates}} \ + -e platform_service_folder={{platform_service_folder}} \ + -e landingzones_folder={{landingzones_folder}} \ + -e destination_folder={{destination_folder}} \ + -e configuration_folder={{configuration_folder}} \ + --extra-vars "@{{destination_folder}}/ignite_input.yaml" + +``` \ No newline at end of file diff --git a/templates/platform/services/connectivity_firewall_policies.yaml b/templates/platform/services/connectivity_firewall_policies.yaml index 671c32fbf..e294e266a 100644 --- a/templates/platform/services/connectivity_firewall_policies.yaml 
+++ b/templates/platform/services/connectivity_firewall_policies.yaml @@ -34,8 +34,16 @@ azurerm_firewall_policies_{{env}}: region_key: region1 azurerm_firewall_policies: - root: - name: "{{env}}-root-policy" + secure_root: + name: "secure-root-policy-{{env}}" + region_key: region1 + resource_group: + key: firewall_policies + dns: + proxy_enabled: true + threat_intelligence_mode: "Alert" + dns_root: + name: "dns-root-policy-{{env}}" region_key: region1 resource_group: key: firewall_policies diff --git a/templates/platform/services/connectivity_private_dns.yaml b/templates/platform/services/connectivity_private_dns.yaml index 81922ab7e..c28789439 100644 --- a/templates/platform/services/connectivity_private_dns.yaml +++ b/templates/platform/services/connectivity_private_dns.yaml @@ -20,10 +20,10 @@ private_dns_{{env}}: private_dns: {{env}} global_settings_key: platform: - azurerm_firewalls: {{env}} + private_dns_firewalls: {{env}} remote_tfstates: platform: - azurerm_firewalls: {{env}} + private_dns_firewalls: {{env}} identity_level2: {{env}} subscriptions: diff --git a/templates/platform/services/connectivity_firewalls.yaml b/templates/platform/services/connectivity_private_dns_firewalls.yaml similarity index 76% rename from templates/platform/services/connectivity_firewalls.yaml rename to templates/platform/services/connectivity_private_dns_firewalls.yaml index c6ba8c7d8..894e8db0b 100644 --- a/templates/platform/services/connectivity_firewalls.yaml +++ b/templates/platform/services/connectivity_private_dns_firewalls.yaml 
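Review bot: `threat_intelligence_mode: "Alert"` on the new `secure_root` policy only logs matches against the threat-intelligence feed; since this policy is the one the hub firewall in `connectivity_secure_firewalls.yaml` uses for internet egress, `"Deny"` is the usual hardening baseline once the rule set is tuned. If alert-only is deliberate for the initial rollout, a comment would stop it being hardened by accident, e.g. `threat_intelligence_mode: "Alert" # alert-only during rollout; move to Deny after reviewing matches`. Note also that the key rename from `root` to `secure_root` is not picked up by the new secure firewalls file in this commit (raised there).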
@@ -1,17 +1,17 @@ -azurerm_firewalls_{{env}}: +private_dns_firewalls_{{env}}: gitops: caf_landingzone_branch: {{topology.caf_landingzone_branch}} - relative_destination_folder: level2/connectivity/azurerm_firewalls/{{env}} + relative_destination_folder: level2/connectivity/private_dns_firewalls/{{env}} tfstate: - lz_key_name: connectivity_firewalls_{{env}} - tfstate: connectivity_firewalls_{{env}}.tfstate + lz_key_name: connectivity_private_dns_firewalls_{{env}} + tfstate: connectivity_private_dns_firewalls_{{env}}.tfstate level: level2 - config_file: azurerm_firewalls.yaml + config_file: connectivity_private_dns_firewalls.yaml identity_aad_key: cred_connectivity # Do not rename the tfstate_key_name - tfstate_key_name: azurerm_firewalls + tfstate_key_name: private_dns_firewalls deployments: landingzone: @@ -30,7 +30,7 @@ azurerm_firewalls_{{env}}: subscriptions: connectivity: resource_groups: - firewall_policies: + firewall: name: connectivity-{{env}}-firewall region_key: region1 @@ -38,7 +38,7 @@ azurerm_firewalls_{{env}}: virtual_networks: vnet: name: vnet-connectivity-{{env}}-fw-plinks - resource_group_key: firewall_policies + resource_group_key: firewall region_key: region1 address_space: - 10.101.61.0/24 @@ -51,16 +51,16 @@ azurerm_firewalls_{{env}}: public_ip_addresses: fw_pip1: name: pip-{{env}}-fw-01 - resource_group_key: firewall_policies + resource_group_key: firewall sku: Standard allocation_method: Static ip_version: IPv4 idle_timeout_in_minutes: 4 azurerm_firewalls: - fw_{{env}}_plinks_01: - name: fw-{{env}}-plinks-01 - resource_group_key: firewall_policies + fw_{{env}}_dns: + name: fw-{{env}}-dns-01 + resource_group_key: firewall vnet_key: vnet sku_tier: Standard firewall_policy: diff --git a/templates/platform/services/connectivity_secure_firewalls.yaml b/templates/platform/services/connectivity_secure_firewalls.yaml new file mode 100644 index 000000000..acdc3f279 --- /dev/null +++ b/templates/platform/services/connectivity_secure_firewalls.yaml 
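Review bot: The first hunk renames both the state file (`connectivity_firewalls_{{env}}.tfstate` to `connectivity_private_dns_firewalls_{{env}}.tfstate`) and `tfstate_key_name` (`azurerm_firewalls` to `private_dns_firewalls`) directly under the `# Do not rename the tfstate_key_name` comment. For an environment already deployed from the old template this points the landing zone at a new, empty state, so the next apply would plan a second firewall and public IP while the originals stay in the old state file; the resource group and firewall key renames in the later hunks compound that. If existing deployments are expected, a migration note next to the renamed keys would help, e.g. `# renamed from azurerm_firewalls; existing deployments must move connectivity_firewalls_{{env}}.tfstate to the new name before applying`.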
@@ -0,0 +1,52 @@
+secure_firewalls_{{env}}:
+ gitops:
+ caf_landingzone_branch: {{topology.caf_landingzone_branch}}
+
+ relative_destination_folder: level2/connectivity/secure_firewalls/{{env}}
+
+ tfstate:
+ lz_key_name: connectivity_secure_firewalls_{{env}}
+ tfstate: connectivity_secure_firewalls_{{env}}.tfstate
+ level: level2
+ config_file: connectivity_secure_firewalls.yaml
+ identity_aad_key: cred_connectivity
+ # Do not rename the tfstate_key_name
+ tfstate_key_name: secure_firewalls
+
+ deployments:
+ landingzone:
+ tfstate:
+ platform:
+ secure_firewalls: {{env}}
+ global_settings_key:
+ platform:
+ virtual_hubs: {{env}}
+ remote_tfstates:
+ platform:
+ virtual_wans: prod
+ virtual_hubs: {{env}}
+ azurerm_firewall_policies: {{env}}
+
+
+ subscriptions:
+ connectivity:
+ resource_groups:
+ firewall:
+ name: connectivity-{{env}}-secure-firewall
+ region_key: region1
+ azurerm_firewalls:
+ fw_secure_{{env}}:
+ name: fw-secure-{{env}}
+ resource_group_key: firewall
+ sku_tier: Standard
+ virtual_hub:
+ lz_key: connectivity_virtual_hubs_{{env}}
+ key: {{env}}
+ public_ip_count: 1
+ firewall_policy:
+ key: root
+ lz_key: connectivity_firewall_policies_{{env}}
+ zones:
+ - 1
+ - 2
+ - 3
\ No newline at end of file
diff --git a/templates/platform/services/connectivity_virtual_hubs.yaml b/templates/platform/services/connectivity_virtual_hubs.yaml
index 5aa22f32d..b5676dd46 100644
--- a/templates/platform/services/connectivity_virtual_hubs.yaml
+++ b/templates/platform/services/connectivity_virtual_hubs.yaml
@@ -47,6 +47,10 @@ virtual_hubs_{{env}}: er_config: name: {{env}} scale_units: 1
+ deploy_p2s: false
+ p2s_config:
+ name: {{env}}
+ scale_units: 1
 express_route_connections: {{env}}:
diff --git a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
index 1383615ff..eff04b932 100644
--- a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
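Review bot: `firewall_policy: key: root` in the new `connectivity_secure_firewalls.yaml` references a policy key that `connectivity_firewall_policies.yaml` renames to `secure_root` in this same commit, so the lookup in `connectivity_firewall_policies_{{env}}` is likely to fail, or to bind the egress firewall to a stale policy if a `root` key still exists in an older state. The line should read `key: secure_root`. Also, `virtual_wans: prod` is hard-coded under `remote_tfstates` while the sibling references use `{{env}}`; if that is intentional because only one global WAN is defined, a comment such as `virtual_wans: prod # single global WAN shared by all environments` would make it clear it is not a copy-paste leftover.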
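Review bot: The `p2s_config` block added to `connectivity_virtual_hubs.yaml` sets `scale_units: 1`, but the `virtual_hubs.tfvars.j2` hunk at the end of this commit reads `value.p2s_config.scale_unit | default(1)` (singular), so the plural key is silently ignored and the default applies; one side should be renamed, e.g. `scale_unit: 1` here to match the template. The template also renders the whole `p2s_config` block whenever `p2s_config` is defined, regardless of `deploy_p2s: false`; whether the module ignores it in that case cannot be told from this diff, so please confirm or guard the block on `deploy_p2s`.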
+++ b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml @@ -25,7 +25,9 @@ virtual_hubs_route_tables_{{env}}: remote_tfstates: platform: virtual_hubs: {{env}} - azurerm_firewalls: {{env}} + secure_firewalls: {{env}} + private_dns_firewalls: {{env}} + virtual_hubs_route_tables: {{env}} subscriptions: connectivity: @@ -42,6 +44,6 @@ virtual_hubs_route_tables_{{env}}: destinations: - 0.0.0.0/0 next_hop: - lz_key: connectivity_firewalls_{{env}} + lz_key: connectivity_secure_firewalls_{{env}} resource_type: virtual_hub_connection key: vnet_to_hub diff --git a/templates/platform/services/connectivity_virtual_wans.yaml b/templates/platform/services/connectivity_virtual_wans.yaml index 728d5571a..a35271216 100644 --- a/templates/platform/services/connectivity_virtual_wans.yaml +++ b/templates/platform/services/connectivity_virtual_wans.yaml @@ -37,3 +37,4 @@ virtual_wans_{{env}}: global_wan: name: connectivity-global-wan region_key: region1 + diff --git a/templates/platform/services/ignite_input.yaml b/templates/platform/services/ignite_input.yaml new file mode 100644 index 000000000..ac48d3f2d --- /dev/null +++ b/templates/platform/services/ignite_input.yaml @@ -0,0 +1,7 @@ +customer_name: {{customer_name}} +caf_environment: {{caf_environment}} +default_email_address: {{default_email_address}} +default_region_key: {{default_region_key}} +eslz_mg_prefix: {{eslz_mg_prefix}} +eslz_mg_name: {{eslz_mg_name}} +azure_regions: {{azure_regions}} \ No newline at end of file diff --git a/templates/platform/services/template.caf.platform.yaml b/templates/platform/services/template.caf.platform.yaml index 9a41baef1..71a29ca1c 100644 --- a/templates/platform/services/template.caf.platform.yaml +++ b/templates/platform/services/template.caf.platform.yaml 
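Review bot: The first hunk adds `virtual_hubs_route_tables: {{env}}` to `remote_tfstates.platform` inside `virtual_hubs_route_tables_{{env}}` itself; following the naming the sibling entries use, that resolves to this landing zone's own state, which on a first deployment does not exist yet and otherwise only yields a stale copy of its own outputs. Unless a different landing zone is meant, the line should be dropped. In the second hunk the `0.0.0.0/0` next hop now points at `connectivity_secure_firewalls_{{env}}` with `resource_type: virtual_hub_connection` and `key: vnet_to_hub`, but the new secure firewalls file defines no virtual hub connection, only the firewall `fw_secure_{{env}}` attached to the hub; for a secured hub the default route's next hop is normally that firewall, so the key and resource type look like carry-overs from the spoke-vnet firewall this replaces (inferred from the two files, please confirm against the module).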
@@ -5,9 +5,9 @@ configuration_folders: # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. cleanup_destination: true # base destination folder where rover ignite will store the tfvars files. No / at the end - destination_base_path: {{destination_base_path}} + # destination_base_path: {{destination_path}} # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end - destination_relative_path: {{configuration_relative_path}} + # destination_relative_path: {{destination_path}} caf_terraform: diff --git a/templates/platform/eslz_single_subscription.yaml b/templates/platform/single_subscription.yaml similarity index 94% rename from templates/platform/eslz_single_subscription.yaml rename to templates/platform/single_subscription.yaml index 81b12c9e5..e9580247b 100644 --- a/templates/platform/eslz_single_subscription.yaml +++ b/templates/platform/single_subscription.yaml @@ -81,12 +81,15 @@ deployments: virtual_hubs_route_tables: prod: connectivity_virtual_hubs_route_tables.yaml non_prod: connectivity_virtual_hubs_route_tables.yaml - azurerm_firewalls: - prod: connectivity_firewalls.yaml - non_prod: connectivity_firewalls.yaml azurerm_firewall_policies: prod: connectivity_firewall_policies.yaml non_prod: connectivity_firewall_policies.yaml + secure_firewalls: + prod: connectivity_secure_firewalls.yaml + non_prod: connectivity_secure_firewalls.yaml + private_dns_firewalls: + prod: connectivity_private_dns_firewalls.yaml + non_prod: connectivity_private_dns_firewalls.yaml private_dns: prod: connectivity_private_dns.yaml non_prod: connectivity_private_dns.yaml diff --git a/templates/platform/single_subscription_ao.yaml b/templates/platform/single_subscription_ao.yaml new file mode 100644 index 000000000..3c380b048 --- /dev/null +++ b/templates/platform/single_subscription_ao.yaml 
@@ -0,0 +1,184 @@ +# +# Always-on template builing: +# - 1 Enterprise Scale +# - 1 global Virtual Wan with a Secure Firewall in Virtual Hub for egress internet traffic +# - 1 Azure Firewall in spoke vnet for private DNS resolution per region +# + +customer_name: {{customer_name}} +caf_environment: {{caf_environment}} +caf_landingzone_branch: AL-azurerm2931 + +caf_regions: +{% for region, location in regions.items() %} + {{region}}: {{location}} +{% endfor %} + +# Use the lower-case region's name, short version with no space +resources_allowed_regions: +{% for region in regions.keys() %} + - {{region}} +{% endfor %} + +resource_groups_allowed_regions: +{% for region in regions.keys() %} + - {{region}} +{% endfor %} + +default_region_key: {{default_region_key}} + +azuread_user_ea_account_owner: {{upn.stdout}} +ea_owner_object_id: {{object_id.stdout}} + +azuread_identity_mode: service_principal +enable_azuread_groups: True +enable_azuread_applications: True + +enable_azure_subscription_vending_machine: True + +enterprise_scale: + {{eslz_mg_prefix}}: + version_to_deploy: "v1.1.1" + management_group_prefix: {{eslz_mg_prefix}} + management_group_name: "{{eslz_mg_name}}" + deploy_core_landing_zones: True + clean_up_destination_folder: True + update_lib_folder: True + + +subscription_deployment_mode: single_reuse + +subscriptions: + launchpad: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + identity: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + connectivity: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + management: # Do not rename the key + name: {{subscription_name.stdout}} + create_alias: false + subscription_id: {{subscription_id.stdout}} + +deployments: + root: + launchpad: launchpad_azuread_sp_single_subscription.yaml 
+ launchpad_credentials: launchpad_credentials_azuread_sp.yaml + subscriptions: subscriptions.yaml + identity: identity.yaml + management: management.yaml + asvm: asvm.yaml + eslz: + {{eslz_mg_prefix}}: eslz.yaml + scale_out_domains: + identity_level2: + prod: identity_level2.yaml + non_prod: identity_level2.yaml + virtual_wans: + prod: connectivity_virtual_wans.yaml + virtual_hubs: +{% for region, location in regions.items() %} + {{region}}: connectivity_virtual_hubs.yaml +{% endfor %} + virtual_hubs_route_tables: +{% for region, location in regions.items() %} + {{region}}: connectivity_virtual_hubs_route_tables.yaml +{% endfor %} + azurerm_firewall_policies: + prod: connectivity_firewall_policies.yaml + secure_firewalls: +{% for region, location in regions.items() %} + {{region}}: connectivity_secure_firewalls.yaml +{% endfor %} + private_dns_firewalls: +{% for region, location in regions.items() %} + {{region}}: connectivity_private_dns_firewalls.yaml +{% endfor %} + private_dns: + prod: connectivity_private_dns.yaml + non_prod: connectivity_private_dns.yaml + +# +# Advanced settings +# + +notifications: + monitor_action_groups: + networking_operations: {{default_email_address}} + service_health_alerts: {{default_email_address}} + azure_defender: + emailSecurityContact: {{default_email_address}} + + +backup_policies: + vms: + default: + name: vm-default-policy + # Default to UTC + # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ + timezone: SE Asia Standard Time + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + retention_weekly: + count: 2 + weekdays: + - Sunday + retention_monthly: + count: 2 + weeks: + - First + weekdays: + - Sunday + retention_yearly: + count: 1 + weeks: + - First + months: + - January + weekdays: + - Sunday + + +identity: + backup_policy: + vms: default + +management: + backup_policy: + vms: default + +connectivity: + backup_policy: + vms: default + + private_dns_zones: + 
zones: + privatelink.adf.azure.com: + privatelink.datafactory.azure.net: + privatelink.blob.core.windows.net: + privatelink.file.core.windows.net: + privatelink.notebooks.azure.net: + privatelink.dfs.core.windows.net: + privatelink.vaultcore.azure.net: + privatelink.azurecr.io: + privatelink.siterecovery.windowsazure.com: + privatelink.servicebus.windows.net: + privatelink.api.azureml.ms: + privatelink.monitor.azure.com: + privatelink.oms.opinsights.azure.com: + privatelink.ods.opinsights.azure.com: + privatelink.agentsvc.azure-automation.net: + + # region will be de-tokenized by the values set in resources_allowed_regions + regional_zones: + privatelink.region.azmk8s.io: + privatelink.region.backup.windowsazure.com: diff --git a/templates/platform/walk-through-single.yaml b/templates/platform/walk-through-single.yaml index 505fd4b49..1740e135d 100644 --- a/templates/platform/walk-through-single.yaml +++ b/templates/platform/walk-through-single.yaml @@ -26,6 +26,7 @@ - name: default_email_address prompt: Email address to send all notifications private: no + default: email@address.com - name: azure_regions prompt: Azure regions (lowercase, short version) @@ -42,10 +43,12 @@ - name: eslz_mg_prefix prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens). private: no + default: es - name: eslz_mg_name prompt: Management group name private: no + default: Contoso tasks: diff --git a/templates/resources/azurerm_firewalls.tfvars.j2 b/templates/resources/azurerm_firewalls.tfvars.j2 index 00ace3545..1149cb6bc 100644 --- a/templates/resources/azurerm_firewalls.tfvars.j2 +++ b/templates/resources/azurerm_firewalls.tfvars.j2 
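Review bot: `caf_landingzone_branch: AL-azurerm2931` in the new `single_subscription_ao.yaml` makes every generated landing zone clone what looks like a personal working branch rather than a released tag, so configurations produced from this template are not reproducible and pull whatever that branch holds at clone time, including force-pushes; a pinned release (or at least a comment stating this is temporary and naming the target release) is the safer default for a template that is meant to be copied. Also, the comment `# Default to UTC` above `timezone: SE Asia Standard Time` contradicts the value; either change the value or the comment, e.g. `# Azure Backup policy time zone; see the list linked below`.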
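Review bot: Adding `default: email@address.com` to the `default_email_address` prompt in `walk-through-single.yaml` means a user who just presses Enter gets a syntactically valid but undeliverable address, and the same value feeds `azure_defender.emailSecurityContact` and the monitor action groups in the single-subscription templates, so security and service-health alerts would be silently lost. Either drop the `default:` line so the prompt must be answered, or keep it and add an `ansible.builtin.assert` task that fails when `default_email_address` still equals the placeholder. The `es` and `Contoso` defaults for the management group prefix/name are harmless by comparison but share the same "sample value reaches production" risk.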
@@ -3,7 +3,9 @@ azurerm_firewalls = {
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
+{% if value.vnet_key is defined %}
 vnet_key = "{{ value.vnet_key }}"
+{% endif %}
 {% if value.sku_tier is defined %}
 sku_tier = "{{ value.sku_tier }}"
 {% endif %}
diff --git a/templates/resources/virtual_hubs.tfvars.j2 b/templates/resources/virtual_hubs.tfvars.j2
index fd7f0ba66..21394f3e0 100644
--- a/templates/resources/virtual_hubs.tfvars.j2
+++ b/templates/resources/virtual_hubs.tfvars.j2
@@ -31,14 +31,14 @@ virtual_hubs = {
 deploy_p2s = {{ value.deploy_p2s | default(false) | lower }}
 {% if value.p2s_config is defined %}
 p2s_config = {
- name = "{{ value.p2s_resources.name }}"
- scale_unit = "{{ value.p2s_resources.scale_unit }}"
-{% if value.p2s_resources.connection_configuration is defined %}
+ name = "{{ value.p2s_config.name }}"
+ scale_unit = "{{ value.p2s_config.scale_unit | default(1) }}"
+{% if value.p2s_config.connection_configuration is defined %}
 connection_configuration = {
- name = "{{ value.p2s_resources.connection_configuration.name }}"
-{% if value.p2s_resources.connection_configuration.vpn_client_address_pool is defined %}
+ name = "{{ value.p2s_config.connection_configuration.name }}"
+{% if value.p2s_config.connection_configuration.vpn_client_address_pool is defined %}
 vpn_client_address_pool = {
-{% for cap_key, cap_value in value.p2s_resources.connection_configuration.vpn_client_address_pool.items() %}
+{% for cap_key, cap_value in value.p2s_config.connection_configuration.vpn_client_address_pool.items() %}
 {{cap_key}} = {
 address_prefixes = {{cap_value | replace('None','[]') | replace('\'','\"') }}
 }
From f122e39178d81a87024f9e2124aa4856117dc348 Mon Sep 17 00:00:00 2001
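Review bot: `deploy_p2s` is still rendered from `value.deploy_p2s` independently of whether a `p2s_config` block exists, so after the `p2s_resources`→`p2s_config` fix a hub defined with `deploy_p2s: true` and no `p2s_config` renders `deploy_p2s = true` with no gateway configuration, and the failure surfaces at apply time rather than at render time (what the module does with that combination is not visible here). Tying the two together, `deploy_p2s = {{ (value.deploy_p2s | default(false) and value.p2s_config is defined) | lower }}`, or an assert task in the playbook, would reject it up front. A smaller style point: `scale_unit` is emitted quoted (`"1"`) although it is numeric and `deploy_p2s` two lines above is unquoted; Terraform coerces the string, but an unquoted `{{ value.p2s_config.scale_unit | default(1) }}` is cleaner.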
From: LaurentLesle
Date: Tue, 1 Mar 2022 07:55:20 +0000
Subject: [PATCH 58/67] Fix secure firewall

---
 .../platform/level0/credentials/readme.md | 3 +- templates/platform/level0/launchpad/readme.md | 3 +- templates/platform/level1/eslz/ansible.yaml | 2 +- .../level1/eslz/enterprise_scale.tfvars.j2 | 2 +- templates/platform/services/README.md | 2 +- .../connectivity_private_dns_firewalls.yaml | 2 +- .../connectivity_secure_firewalls.yaml | 7 ++-- ...onnectivity_virtual_hubs_route_tables.yaml | 9 ++--- .../services/template.caf.platform.yaml | 5 --- .../resources/azurerm_firewalls.tfvars.j2 | 39 +++++++++---------- 10 files changed, 34 insertions(+), 40 deletions(-)
diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md
index e45008d7b..8311aa48c 100644
--- a/templates/platform/level0/credentials/readme.md
+++ b/templates/platform/level0/credentials/readme.md
@@ -54,7 +54,8 @@ rover ignite \
 -e base_templates_folder={{ base_templates_folder }} \
 -e resource_template_folder={{resource_template_folder}} \
 -e config_folder={{ config_folder }} \
- -e landingzones_folder={{ landingzones_folder }}
+ -e landingzones_folder={{ landingzones_folder }} \
+ -e destination_folder={{destination_folder}}
 ```
diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md
index 6c3d70134..bf86fb2b7 100644
--- a/templates/platform/level0/launchpad/readme.md
+++ b/templates/platform/level0/launchpad/readme.md
@@ -101,7 +101,8 @@ rover ignite \
 -e base_templates_folder={{ base_templates_folder }} \
 -e resource_template_folder={{resource_template_folder}} \
 -e config_folder={{ config_folder }} \
- -e landingzones_folder={{ landingzones_folder }}
+ -e landingzones_folder={{ landingzones_folder }} \
+ -e destination_folder={{destination_folder}}
 ```
diff --git a/templates/platform/level1/eslz/ansible.yaml b/templates/platform/level1/eslz/ansible.yaml
index 69350979f..c0b842c41 100644
--- a/templates/platform/level1/eslz/ansible.yaml
+++ b/templates/platform/level1/eslz/ansible.yaml
@@ -1,6 +1,6 @@
 - name: "{{level }}-{{ deployment}} - Set landingzone file_path"
 set_fact:
- destination_path: "{{destination_base_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}"
+ # destination_path: "{{destination_base_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}"
 mg: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
 mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
 level: "{{tfstate_object.level}}"
diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2
index 88aeb21fd..9074f6b76 100644
--- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2
+++ b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2
@@ -1,5 +1,5 @@
 # relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz
-library_path = "../../../../{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib"
+library_path = "{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib"
 {% if resources.platform_core_setup.enterprise_scale[deployment].root_parent_id is defined %}
 root_parent_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].root_parent_id }}"
 {% endif %}
diff --git a/templates/platform/services/README.md b/templates/platform/services/README.md
index 935867d6a..da1b26a5d 100644
--- a/templates/platform/services/README.md
+++ b/templates/platform/services/README.md
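Review bot: The `# destination_path:` line leaves a commented-out fact inside `set_fact` instead of removing it, and any later task in this play that still reads `destination_path` now fails there with an undefined variable rather than at this point; the rest of the play is outside the hunk, so whether such a consumer exists cannot be confirmed from the diff. Either delete the line outright or, if the value is now computed upstream of this play, replace it with a comment that says so, e.g. `# destination_path is provided by the caller; do not recompute it per deployment`, so the next reader does not resurrect it.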
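Review bot: The comment kept above the changed line, `# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz`, is now wrong: `library_path` no longer carries the `../../../../` prefix and renders to whatever `destination_base_path` holds. Update it to state the new contract, e.g. `# library_path is {{ destination_base_path }} as passed to rover ignite (an absolute path is expected)`. If callers can still pass a relative `destination_base_path`, the ESLZ module would resolve it from its own working directory rather than from the landingzones root as before, which is worth a sentence in the level1 readme.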
@@ -30,7 +30,7 @@ rover ignite \
 -e resource_template_folder={{landingzones_folder}}/templates/resources \
 -e config_folder={{destination_path}} \
 -e landingzones_folder={{landingzones_folder}} \
- -e destination_folder={{destination_folder}}
+ -e destination_folder={{configuration_folder}}
 ```
diff --git a/templates/platform/services/connectivity_private_dns_firewalls.yaml b/templates/platform/services/connectivity_private_dns_firewalls.yaml
index 894e8db0b..6bb260dab 100644
--- a/templates/platform/services/connectivity_private_dns_firewalls.yaml
+++ b/templates/platform/services/connectivity_private_dns_firewalls.yaml
@@ -17,7 +17,7 @@ private_dns_firewalls_{{env}}:
 landingzone:
 tfstate:
 platform:
- azurerm_firewalls: {{env}}
+ private_dns_firewalls: {{env}}
 global_settings_key:
 platform:
 virtual_hubs: {{env}}
diff --git a/templates/platform/services/connectivity_secure_firewalls.yaml b/templates/platform/services/connectivity_secure_firewalls.yaml
index acdc3f279..1d4185d6b 100644
--- a/templates/platform/services/connectivity_secure_firewalls.yaml
+++ b/templates/platform/services/connectivity_secure_firewalls.yaml
@@ -23,7 +23,6 @@ secure_firewalls_{{env}}:
 virtual_hubs: {{env}}
 remote_tfstates:
 platform:
- virtual_wans: prod
 virtual_hubs: {{env}}
 azurerm_firewall_policies: {{env}}
@@ -38,10 +37,12 @@ secure_firewalls_{{env}}:
 fw_secure_{{env}}:
 name: fw-secure-{{env}}
 resource_group_key: firewall
+ sku_name: AZFW_Hub
 sku_tier: Standard
 virtual_hub:
- lz_key: connectivity_virtual_hubs_{{env}}
- key: {{env}}
+ {{env}}:
+ lz_key: connectivity_virtual_hubs_{{env}}
+ virtual_hub_key: {{env}}
 public_ip_count: 1
 firewall_policy:
 key: root
diff --git a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
index eff04b932..187b67a94 100644
--- a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
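Review bot: `sku_tier: Standard` stays hard-coded for the hub firewall that this same patch's route table points `0.0.0.0/0` at; Standard has no TLS inspection or IDPS, so any environment that needs inspected egress has to edit the service template rather than its `{{env}}` inputs. Consider `sku_tier: {{ firewall_sku_tier | default('Standard') }}`, or at least a comment next to it, `# Standard: no TLS inspection/IDPS; use Premium if internet egress must be inspected`, so the choice is explicit. The new nested `{{env}}:` entry under `virtual_hub` matches the `value.virtual_hub.items()` loop the updated azurerm_firewalls.tfvars.j2 expects, but `public_ip_count: 1` sits at the firewall level and is not part of that loop, so it is worth checking that the template still renders it.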
+++ b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml
@@ -27,13 +27,12 @@ virtual_hubs_route_tables_{{env}}:
 virtual_hubs: {{env}}
 secure_firewalls: {{env}}
 private_dns_firewalls: {{env}}
- virtual_hubs_route_tables: {{env}}
 subscriptions:
 connectivity:
 virtual_hub_route_tables:
- egress:
- name: egress
+ egress_internet:
+ name: egress-internet
 virtual_hub:
 lz_key: connectivity_virtual_hubs_{{env}}
 key: {{env}}
@@ -45,5 +44,5 @@ virtual_hubs_route_tables_{{env}}:
 - 0.0.0.0/0
 next_hop:
 lz_key: connectivity_secure_firewalls_{{env}}
- resource_type: virtual_hub_connection
- key: vnet_to_hub
+ resource_type: azurerm_firewalls
+ key: fw_secure_{{env}}
diff --git a/templates/platform/services/template.caf.platform.yaml b/templates/platform/services/template.caf.platform.yaml
index 71a29ca1c..0e26ef5a6 100644
--- a/templates/platform/services/template.caf.platform.yaml
+++ b/templates/platform/services/template.caf.platform.yaml
@@ -4,11 +4,6 @@ configuration_folders:
 # true: force the destination folder to be deleted and re-created before the files are created.
 # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
 cleanup_destination: true
- # base destination folder where rover ignite will store the tfvars files. No / at the end
- # destination_base_path: {{destination_path}}
- # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
- # destination_relative_path: {{destination_path}}
-
 caf_terraform:
 naming_convention:
diff --git a/templates/resources/azurerm_firewalls.tfvars.j2 b/templates/resources/azurerm_firewalls.tfvars.j2
index 1149cb6bc..ba8c96fbd 100644
--- a/templates/resources/azurerm_firewalls.tfvars.j2
+++ b/templates/resources/azurerm_firewalls.tfvars.j2
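Review bot: Renaming the map key `egress` to `egress_internet` (not just `name`) changes the identity of the route table in the generated tfvars, so on a hub that is already deployed Terraform would plan a destroy-and-create of the route table rather than an in-place rename; while that applies, the `0.0.0.0/0` route to `fw_secure_{{env}}` from the second hunk does not exist and hub traffic is not forced through the firewall. If existing deployments matter, keep the old key and change only `name: egress-internet`, or document the one-time recreation and its egress window in the readme. That the key feeds a `for_each` is inferred from the tfvars shape and the CAF module convention, not visible in this diff.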
@@ -57,46 +57,43 @@ azurerm_firewalls = {
 {% if value.management_ip_configuration.subnet_id is defined %}
 subnet_id = "{{ value.management_ip_configuration.subnet_id }}"
 {% else %}
- vnet_key = "{{ value.management_ip_configuration.vnet_key }}"
- subnet_key = "{{ value.management_ip_configuration.subnet_key }}"
+ vnet_key = "{{ value.management_ip_configuration.vnet_key }}"
+ subnet_key = "{{ value.management_ip_configuration.subnet_key }}"
 {% if value.management_ip_configuration.lz_key is defined %}
- lz_key = "{{ value.management_ip_configuration.lz_key }}"
+ lz_key = "{{ value.management_ip_configuration.lz_key }}"
 {% endif %}
 {% endif %}
 }
 {% endif %}
-{% if value.virtual_hub_id is defined %}
+{% if value.virtual_hub is defined %}
 virtual_hub = {
-{% if value.virtual_hub.virtual_hub_id is defined %}
- virtual_hub_id = "{{ value.virtual_hub_id }}"
-{% elif value.virtual_hub is defined %}
- virtual_wan_key = " {{ value.virtual_hub.virtual_wan_key }}"
- virtual_hub_key = " {{ value.virtual_hub.virtual_hub_key }}"
-{% if value.virtual_hub.lz_key is defined %}
- lz_key = "{{ value.virtual_hub.lz_key }}"
+{% for vh_key, vh_value in value.virtual_hub.items() %}
+ {{vh_key}} = {
+{% if vh_value.lz_key is defined %}
+ lz_key = "{{vh_value.lz_key}}"
 {% endif %}
- virtual_wan_key = " {{ value.virtual_hub.virtual_wan_key }}"
-{% endif %}
- public_ip_count = " {{ value.virtual_hub.public_ip_count }}"
+ virtual_hub_key = "{{vh_value.virtual_hub_key}}"
+ }
+{% endfor %}
 }
 {% endif %}
 {% if value.public_ips is defined %}
 public_ips = {
 {% for p_key, p_value in value.public_ips.items() %}
 {{ p_key }} = {
- name = "{{ p_value.name }}"
+ name = "{{ p_value.name }}"
 {% if p_value.public_ip_id is defined %}
- public_ip_id = "{{ p_value.public_ip_id }}"
+ public_ip_id = "{{ p_value.public_ip_id }}"
 {% else %}
- public_ip_key = "{{ p_value.public_ip_key }}"
+ public_ip_key = "{{ p_value.public_ip_key }}"
 {% endif %}
 {% if p_value.subnet_id is defined %}
- subnet_id = "{{
p_value.subnet_id }}"
+ subnet_id = "{{ p_value.subnet_id }}"
 {% else %}
- vnet_key = "{{ p_value.vnet_key }}"
- subnet_key = "{{ p_value.subnet_key }}"
+ vnet_key = "{{ p_value.vnet_key }}"
+ subnet_key = "{{ p_value.subnet_key }}"
 {% if p_value.lz_key is defined %}
- lz_key = "{{ p_value.lz_key }}"
+ lz_key = "{{ p_value.lz_key }}"
 {% endif %}
 {% endif %}
 }
From 5e9134efdf43d62b7eae9746cd71d261df5fa745 Mon Sep 17 00:00:00 2001
From: Cheng Wang <99170159+chengwang514@users.noreply.github.com>
Date: Wed, 9 Mar 2022 14:19:19 +1100
Subject: [PATCH 59/67] Added missing argument: "virtual_machine_os_type" in vm_extensions.tf

---
 caf_solution/vm_extensions.tf | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/caf_solution/vm_extensions.tf b/caf_solution/vm_extensions.tf
index 9bb84b770..b4d1b01fe 100644
--- a/caf_solution/vm_extensions.tf
+++ b/caf_solution/vm_extensions.tf
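Review bot: `public_ip_count` is no longer rendered anywhere in this hunk — the removed `public_ip_count = " {{ value.virtual_hub.public_ip_count }}"` has no counterpart inside the new `{% for vh_key, vh_value in value.virtual_hub.items() %}` loop — while connectivity_secure_firewalls.yaml in the same patch now places `public_ip_count: 1` at the firewall's top level; unless that key is templated earlier in the file (outside the hunk), the hub firewall is created with the provider's default public IP count. Please confirm the top-level key is rendered, or emit it in the loop body after `virtual_hub_key` with `{% if vh_value.public_ip_count is defined %}` / `public_ip_count = {{ vh_value.public_ip_count }}` / `{% endif %}` and move the YAML key under `{{env}}`. A style nit: the new lines write `{{vh_value.lz_key}}` without the inner spaces the rest of the template uses (`{{ value.name }}`).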
@@ -104,10 +104,11 @@ module "vm_extension_custom_scriptextension" {
 if try(value.virtual_machine_extensions.custom_script, null) != null
 }
- client_config = module.solution.client_config
- virtual_machine_id = module.solution.virtual_machines[each.key].id
- extension = each.value.virtual_machine_extensions.custom_script
- extension_name = "custom_script"
- managed_identities = merge(tomap({ (var.landingzone.key) = module.solution.managed_identities }), try(local.remote.managed_identities, {}))
- storage_accounts = merge(tomap({ (var.landingzone.key) = module.solution.storage_accounts }), try(local.remote.storage_accounts, {}))
-}
\ No newline at end of file
+ client_config = module.solution.client_config
+ virtual_machine_id = module.solution.virtual_machines[each.key].id
+ virtual_machine_os_type = module.solution.virtual_machines[each.key].os_type
+ extension = each.value.virtual_machine_extensions.custom_script
+ extension_name = "custom_script"
+ managed_identities = merge(tomap({ (var.landingzone.key) = module.solution.managed_identities }), try(local.remote.managed_identities, {}))
+ storage_accounts = merge(tomap({ (var.landingzone.key) = module.solution.storage_accounts }), try(local.remote.storage_accounts, {}))
+}
From 29e704c9225cd3529989ea9cacc670b219a2b1ff Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Wed, 9 Mar 2022 09:35:56 +0000
Subject: [PATCH 60/67] Adding #286

---
 caf_solution/local.database.tf | 1 + caf_solution/variables.database.tf | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/caf_solution/local.database.tf b/caf_solution/local.database.tf
index 0bca77e4b..0dbc1dd59 100644
--- a/caf_solution/local.database.tf
+++ b/caf_solution/local.database.tf
@@ -26,6 +26,7 @@ locals {
 mysql_databases = var.mysql_databases
 mysql_servers = var.mysql_servers
 postgresql_servers = var.postgresql_servers
+ postgresql_flexible_servers = var.postgresql_flexible_servers
 synapse_workspaces = var.synapse_workspaces
 }
 )
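Review bot: Only `vm_extension_custom_scriptextension` gains `virtual_machine_os_type = module.solution.virtual_machines[each.key].os_type`; the other four instances of the same `virtual_machine_extensions` module in this file (`vm_extension_monitoring_agent`, `vm_extension_diagnostics`, `vm_extension_microsoft_azure_domainjoin`, `vm_extension_session_host_dscextension`, visible in the later version-bump hunks) are left as they were, and if the module treats the argument as required — the commit subject calls it "missing" — they fail the same way this one did. Add the same line to each, or add a comment on this one stating why custom_script alone needs the OS type. The `module` header and its `for_each` start outside the hunk.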
diff --git a/caf_solution/variables.database.tf b/caf_solution/variables.database.tf index cdb357439..cabeaf701 100644 --- a/caf_solution/variables.database.tf +++ b/caf_solution/variables.database.tf @@ -71,6 +71,9 @@ variable "mysql_databases" { variable "mysql_servers" { default = {} } +variable "postgresql_flexible_servers" { + default = {} +} variable "postgresql_servers" { default = {} } From f1a35b442dfba1d965d0f90243acb29c6fed820d Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 9 Mar 2022 09:36:13 +0000 Subject: [PATCH 61/67] Udpating to 5.5.4 --- caf_launchpad/dynamic_secrets.tf | 2 +- caf_launchpad/landingzone.tf | 2 +- caf_solution/dynamic_secrets.tf | 2 +- caf_solution/landingzone.tf | 2 +- caf_solution/vm_extensions.tf | 10 +++++----- caf_solution/vmss_extensions.tf | 4 ++-- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/caf_launchpad/dynamic_secrets.tf b/caf_launchpad/dynamic_secrets.tf index a13d1961a..cf17bd023 100644 --- a/caf_launchpad/dynamic_secrets.tf +++ b/caf_launchpad/dynamic_secrets.tf @@ -1,7 +1,7 @@ module "dynamic_keyvault_secrets" { source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master" diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf index 7d191c34c..ae6b93138 100644 --- a/caf_launchpad/landingzone.tf +++ b/caf_launchpad/landingzone.tf @@ -1,6 +1,6 @@ module "launchpad" { source = "aztfmod/caf/azurerm" - version = "5.5.3" + version = "5.5.4" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" diff --git a/caf_solution/dynamic_secrets.tf b/caf_solution/dynamic_secrets.tf index d056dcb68..8753cf15d 100644 --- a/caf_solution/dynamic_secrets.tf +++ b/caf_solution/dynamic_secrets.tf 
@@ -1,6 +1,6 @@ module "dynamic_keyvault_secrets" { source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master" diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf index 312fab722..aa38a02e7 100644 --- a/caf_solution/landingzone.tf +++ b/caf_solution/landingzone.tf @@ -1,6 +1,6 @@ module "solution" { source = "aztfmod/caf/azurerm" - version = "5.5.3" + version = "5.5.4" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network" # source = "../../aztfmod" diff --git a/caf_solution/vm_extensions.tf b/caf_solution/vm_extensions.tf index f240f6bd9..2567b45b2 100644 --- a/caf_solution/vm_extensions.tf +++ b/caf_solution/vm_extensions.tf @@ -4,7 +4,7 @@ module "vm_extension_monitoring_agent" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" @@ -26,7 +26,7 @@ module "vm_extension_monitoring_agent" { module "vm_extension_diagnostics" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" @@ -51,7 +51,7 @@ module "vm_extension_diagnostics" { module "vm_extension_microsoft_azure_domainjoin" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" 
@@ -71,7 +71,7 @@ module "vm_extension_microsoft_azure_domainjoin" { module "vm_extension_session_host_dscextension" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" @@ -93,7 +93,7 @@ module "vm_extension_session_host_dscextension" { module "vm_extension_custom_scriptextension" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions" - version = "5.5.3" + version = "5.5.4" #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master" diff --git a/caf_solution/vmss_extensions.tf b/caf_solution/vmss_extensions.tf index 3dba38e60..2ce0cf371 100644 --- a/caf_solution/vmss_extensions.tf +++ b/caf_solution/vmss_extensions.tf @@ -1,6 +1,6 @@ module "vmss_extension_microsoft_azure_domainjoin" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions" - version = "5.5.3" + version = "5.5.4" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master" @@ -21,7 +21,7 @@ module "vmss_extension_microsoft_azure_domainjoin" { module "vmss_extension_custom_scriptextension" { source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions" - version = "5.5.3" + version = "5.5.4" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master" From cbbf09468f3a36555ff34e04d7630ec8a9785440 Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Sat, 12 Mar 2022 10:22:50 +0000 Subject: [PATCH 62/67] Update with multi-region support --- caf_launchpad/dynamic_secrets.tf | 4 +- caf_launchpad/landingzone.tf | 6 +- .../add-ons/caf_eslz/enterprise_scale.tf | 4 +- caf_solution/dynamic_secrets.tf | 4 +- caf_solution/landingzone.tf | 6 +- caf_solution/vm_extensions.tf | 10 +- caf_solution/vmss_extensions.tf | 4 +- .../__pycache__/merge_vars.cpython-39.pyc | Bin .../action_plugins/merge_vars.py | 0 templates/ansible/ansible.yaml | 136 +++++ templates/ansible/asvm_definition.yaml | 70 +++ templates/ansible/load_alz.yaml | 7 + templates/ansible/load_deployments.yaml | 50 ++ templates/ansible/load_deployments_alz.yaml | 77 +++ .../ansible/load_deployments_env.yaml | 17 +- templates/ansible/load_regions.yaml | 22 + templates/ansible/process_deployments.yaml | 13 + templates/ansible/process_regions.yaml | 19 + .../ansible/process_resources.yaml | 0 .../ansible/process_stages.yaml | 16 +- .../process_subscription_resources.yaml | 17 +- templates/ansible/process_tfstate.yaml | 31 + .../walk-through-single.yaml | 28 +- .../{platform => }/ansible/walk-through.yaml | 67 ++- templates/asvm/ignite.yaml | 71 +++ templates/asvm/orion/deploy_template.sh | 17 + templates/asvm/orion/readme.md | 20 + templates/asvm/orion/readme_definition.md | 17 + templates/asvm/orion/resources.asvm.yaml | 526 +++++++++++++++++ templates/asvm/orion/subscriptions.asvm.yaml | 25 + templates/asvm/orion/tfstates.asvm.yaml | 20 + templates/asvm/readme.md | 7 + templates/asvm/walk-through.yaml | 81 +++ templates/platform/ansible/ansible.yaml | 99 ---- .../platform/ansible/load_deployments.yaml | 44 -- .../ansible/load_deployments_eslz.yaml | 57 -- .../platform/ansible/process_deployments.yaml | 38 -- .../platform/ansible/process_foundations.yaml | 11 - .../platform/ansible/process_tfstate.yaml | 24 - .../platform/asvm/orion/config.asvm.yaml | 4 - .../asvm/orion/deployments/orion_dev.yaml | 511 ----------------- 
.../asvm/orion/deployments/orion_prod.yaml | 540 ------------------ .../asvm/orion/deployments/subscriptions.yaml | 31 - templates/platform/asvm/orion/readme.md | 16 - .../platform/asvm/orion/tfstates.asvm.yaml | 28 - templates/platform/asvm/walk-through.yaml | 28 - templates/platform/deploy_platform.sh | 12 + templates/platform/generic/readme.md | 10 +- templates/platform/level0/README.md | 2 +- .../ansible.yaml | 4 +- .../readme.md | 14 +- .../subscription_creation_roles.tfvars.j2 | 4 +- .../credentials/dynamic_secrets.tfvars.j2 | 2 +- .../platform/level0/credentials/readme.md | 33 +- .../credentials/role_mappings.tfvars.j2 | 2 +- .../platform/level0/launchpad/ansible.yaml | 10 +- .../launchpad/azuread_group_members.tfvars.j2 | 22 +- .../launchpad/global_settings.tfvars.j2 | 18 +- .../level0/launchpad/keyvaults.tfvars.j2 | 48 +- templates/platform/level0/launchpad/readme.md | 73 ++- .../level1/{eslz => alz}/ansible.yaml | 37 +- .../level1/alz/enterprise_scale.tfvars.j2 | 11 + .../archetype_config_overrides.tfvars.j2 | 10 +- .../v0.1.x/archetype_definitions/README.md | 0 .../archetype_definition_landingzone.json | 0 ...archetype_definition_landingzone_corp.json | 0 ...chetype_definition_landingzone_online.json | 0 .../archetype_definition_platform.json | 0 ...type_definition_platform_connectivity.json | 0 ...rchetype_definition_platform_identity.json | 0 ...hetype_definition_platform_management.json | 0 .../archetype_definition_root.json | 0 .../lib/v0.1.x/custom_landing_zones.tfvars.j2 | 8 +- .../lib/v0.1.x/policy_assignments/README.md | 0 ...ent_pru_apply_security_benchmark.tmpl.json | 0 .../lib/v0.1.x/policy_definitions/README.md | 0 .../v0.1.x/policy_set_definitions/README.md | 0 .../lib/v0.1.x/role_definitions/README.md | 0 .../lib/v0.3.3/archetype_config_overrides.old | 36 +- .../archetype_config_overrides.tfvars.j2 | 0 .../v0.3.3/archetype_definitions/README.md | 0 .../archetype_definition_template.json.j2 | 0 .../custom_landing_zone_template.json.j2 | 0 
.../lib/v0.3.3/custom_landing_zones.tfvars.j2 | 4 +- .../lib/v0.3.3/policy_assignments/README.md | 0 .../policy_assignment_caf_aks_capability.json | 0 ...olicy_assignment_es_allowed_locations.json | 0 .../lib/v0.3.3/policy_definitions/README.md | 0 .../v0.3.3/policy_set_definitions/README.md | 0 .../lib/v0.3.3/role_definitions/README.md | 0 .../role_definition_caf_vhub_peering.json | 0 ...chetype_config_overrides.caf.platform.yaml | 2 +- .../archetype_config_overrides.tfvars.j2 | 4 +- .../v1.1.1/archetype_definitions/README.md | 0 .../archetype_definition_template.json.j2 | 0 .../custom_landing_zone_template.json.j2 | 0 .../custom_landing_zones.caf.platform.yaml | 0 .../lib/v1.1.1/custom_landing_zones.tfvars.j2 | 8 +- .../lib/v1.1.1/policy_assignments/README.md | 0 .../policy_assignment_caf_aks_capability.json | 0 ...cy_assignment_caf_deploy_nsg_flowlogs.json | 0 ...olicy_assignment_es_allowed_locations.json | 0 .../lib/v1.1.1/policy_definitions/README.md | 0 ...cy_definition_caf_deploy_nsg_flowlogs.json | 8 +- .../v1.1.1/policy_set_definitions/README.md | 0 .../lib/v1.1.1/role_definitions/README.md | 0 .../role_definition_caf_vhub_peering.json | 0 ...chetype_config_overrides.caf.platform.yaml | 374 ++++++++++++ .../archetype_config_overrides.tfvars.j2 | 62 ++ .../v1.1.3/archetype_definitions/README.md | 11 + .../archetype_definition_template.json.j2 | 90 +++ .../custom_landing_zone_template.json.j2 | 90 +++ .../custom_landing_zones.caf.platform.yaml | 26 + .../lib/v1.1.3/custom_landing_zones.tfvars.j2 | 72 +++ .../lib/v1.1.3/policy_assignments/README.md | 10 + .../policy_assignment_caf_aks_capability.json | 18 + ...cy_assignment_caf_deploy_nsg_flowlogs.json | 18 + ...olicy_assignment_es_allowed_locations.json | 18 + .../lib/v1.1.3/policy_definitions/README.md | 10 + ...cy_definition_caf_deploy_nsg_flowlogs.json | 228 ++++++++ .../v1.1.3/policy_set_definitions/README.md | 10 + .../alz/lib/v1.1.3/role_definitions/README.md | 11 + 
.../role_definition_caf_vhub_peering.json | 26 + .../platform/level1/{eslz => alz}/readme.md | 16 +- .../subscription_id_overrides.tfvars.j2 | 40 +- .../level1/eslz/enterprise_scale.tfvars.j2 | 11 - templates/platform/level1/identity/readme.md | 18 +- .../platform/level1/management/readme.md | 14 +- .../platform/level1/subscriptions/readme.md | 10 +- templates/platform/level2/asvm/ansible.yaml | 32 +- .../platform/level2/asvm/keyvaults.tfvars.j2 | 24 +- templates/platform/level2/asvm/readme.md | 12 +- .../level2/asvm/role_mappings.tfvars.j2 | 12 +- .../azurerm_firewall_policies/readme.md | 10 +- .../connectivity/azurerm_firewalls/readme.md | 10 +- .../express_route_circuit/readme.md | 10 +- .../express_route_circuit_peering/readme.md | 10 +- .../level2/connectivity/private_dns/readme.md | 10 +- .../connectivity/virtual_hubs/readme.md | 10 +- .../connectivity/virtual_wans/readme.md | 10 +- .../level2/identity/identity_level2/readme.md | 10 +- .../identity/identity_level2_aadds/readme.md | 10 +- .../identity/identity_level2_adds/readme.md | 10 +- templates/platform/level3/ansible.yaml | 60 +- templates/platform/level3/readme.md | 8 +- .../platform/level3/subscriptions/readme.md | 12 +- .../storage_containers.tfvars.j2 | 12 +- templates/platform/pipelines/README.md | 2 +- .../platform/pipelines/symphony_e2e.yaml | 10 +- templates/platform/readme.md | 10 +- templates/platform/services/README.md | 19 +- templates/platform/services/alz.yaml | 35 ++ templates/platform/services/asvm.yaml | 13 +- .../services/connectivity_express_routes.yaml | 2 +- .../connectivity_firewall_policies.yaml | 16 +- .../services/connectivity_private_dns.yaml | 22 +- .../connectivity_private_dns_firewalls.yaml | 25 +- .../connectivity_secure_firewalls.yaml | 5 +- .../services/connectivity_virtual_hubs.yaml | 11 +- ...onnectivity_virtual_hubs_route_tables.yaml | 5 +- .../services/connectivity_virtual_wans.yaml | 5 +- templates/platform/services/eslz.yaml | 38 -- 
templates/platform/services/identity.yaml | 7 +- .../platform/services/identity_level2.yaml | 5 +- .../services/identity_level2_aadds.yaml | 327 +++++------ .../services/identity_level2_adds.yaml | 27 +- templates/platform/services/ignite_input.yaml | 7 - ...nchpad_azuread_sp_single_subscription.yaml | 37 +- .../launchpad_credentials_azuread_sp.yaml | 23 +- templates/platform/services/management.yaml | 36 +- .../platform/services/subscriptions.yaml | 7 +- ...rm.yaml => template.caf.platform.yaml.old} | 4 +- templates/platform/services/tfstates.yaml | 25 +- templates/platform/single_subscription.yaml | 233 +++++--- .../platform/single_subscription_ao.yaml | 184 ------ templates/platform/template_topology.yaml | 59 ++ .../active_directory_domain_service.tfvars.j2 | 2 +- ...ctory_domain_service_replica_set.tfvars.j2 | 2 +- .../resources/automation_accounts.tfvars.j2 | 2 +- .../azuread_api_permissions.tfvars.j2 | 2 +- .../resources/azuread_applications.tfvars.j2 | 2 +- .../azuread_credential_policies.tfvars.j2 | 2 +- .../resources/azuread_credentials.tfvars.j2 | 2 +- templates/resources/azuread_groups.tfvars.j2 | 2 +- .../azuread_groups_membership.tfvars.j2 | 2 +- templates/resources/azuread_roles.tfvars.j2 | 2 +- .../azuread_service_principals.tfvars.j2 | 2 +- .../azurerm_firewall_policies.tfvars.j2 | 2 +- .../resources/azurerm_firewalls.tfvars.j2 | 2 +- .../resources/container_groups.tfvars.j2 | 2 +- .../custom_role_definitions.tfvars.j2 | 2 +- templates/resources/ddos_services.tfvars.j2 | 2 +- .../diagnostic_log_analytics.tfvars.j2 | 30 +- .../diagnostic_storage_accounts.tfvars.j2 | 48 +- .../diagnostics_destinations.tfvars.j2 | 10 +- .../dynamic_keyvault_secrets.tfvars.j2 | 2 +- .../express_route_connections.tfvars.j2 | 2 +- templates/resources/global_settings.tfvars.j2 | 22 +- .../keyvault_access_policies.tfvars.j2 | 2 +- templates/resources/keyvaults.tfvars.j2 | 10 +- .../resources/managed_identities.tfvars.j2 | 2 +- .../resources/monitor_action_groups.tfvars.j2 
| 2 +- .../resources/network_profiles.tfvars.j2 | 2 +- ...etwork_security_group_definition.tfvars.j2 | 2 +- templates/resources/private_dns.tfvars.j2 | 2 +- .../resources/public_ip_addresses.tfvars.j2 | 2 +- templates/resources/recovery_vaults.tfvars.j2 | 4 +- templates/resources/resource_groups.tfvars.j2 | 4 +- templates/resources/role_mapping.tfvars.j2 | 2 +- templates/resources/servicehealth.tfvars.j2 | 16 +- .../resources/storage_accounts.tfvars.j2 | 2 +- templates/resources/subscriptions.tfvars.j2 | 36 +- templates/resources/subscriptions_tpl.j2 | 26 + .../virtual_hub_connections.tfvars.j2 | 2 +- .../virtual_hub_route_tables.tfvars.j2 | 2 +- templates/resources/virtual_hubs.tfvars.j2 | 2 +- .../resources/virtual_machines.tfvars.j2 | 2 +- .../resources/virtual_networks.tfvars.j2 | 2 +- templates/resources/virtual_wans.tfvars.j2 | 2 +- .../vpn_gateway_connections.tfvars.j2 | 2 +- templates/resources/vpn_sites.tfvars.j2 | 2 +- .../_variables_azure_landing_zones.yaml | 6 + .../variables/_variables_networking_cidr.yaml | 85 +++ .../_variables_private_dns_zones.yaml | 57 ++ templates/variables/service_regions.yaml | 139 +++++ 225 files changed, 3785 insertions(+), 2637 deletions(-) rename templates/{platform => ansible}/action_plugins/__pycache__/merge_vars.cpython-39.pyc (100%) rename templates/{platform => ansible}/action_plugins/merge_vars.py (100%) create mode 100644 templates/ansible/ansible.yaml create mode 100644 templates/ansible/asvm_definition.yaml create mode 100644 templates/ansible/load_alz.yaml create mode 100644 templates/ansible/load_deployments.yaml create mode 100644 templates/ansible/load_deployments_alz.yaml rename templates/{platform => }/ansible/load_deployments_env.yaml (51%) create mode 100644 templates/ansible/load_regions.yaml create mode 100644 templates/ansible/process_deployments.yaml create mode 100644 templates/ansible/process_regions.yaml rename templates/{platform => }/ansible/process_resources.yaml (100%) rename templates/{platform 
=> }/ansible/process_stages.yaml (59%) rename templates/{platform => }/ansible/process_subscription_resources.yaml (67%) create mode 100644 templates/ansible/process_tfstate.yaml rename templates/{platform => ansible}/walk-through-single.yaml (83%) rename templates/{platform => }/ansible/walk-through.yaml (61%) create mode 100644 templates/asvm/ignite.yaml create mode 100755 templates/asvm/orion/deploy_template.sh create mode 100644 templates/asvm/orion/readme.md create mode 100644 templates/asvm/orion/readme_definition.md create mode 100644 templates/asvm/orion/resources.asvm.yaml create mode 100644 templates/asvm/orion/subscriptions.asvm.yaml create mode 100644 templates/asvm/orion/tfstates.asvm.yaml create mode 100644 templates/asvm/readme.md create mode 100644 templates/asvm/walk-through.yaml delete mode 100644 templates/platform/ansible/ansible.yaml delete mode 100644 templates/platform/ansible/load_deployments.yaml delete mode 100644 templates/platform/ansible/load_deployments_eslz.yaml delete mode 100644 templates/platform/ansible/process_deployments.yaml delete mode 100644 templates/platform/ansible/process_foundations.yaml delete mode 100644 templates/platform/ansible/process_tfstate.yaml delete mode 100644 templates/platform/asvm/orion/config.asvm.yaml delete mode 100644 templates/platform/asvm/orion/deployments/orion_dev.yaml delete mode 100644 templates/platform/asvm/orion/deployments/orion_prod.yaml delete mode 100644 templates/platform/asvm/orion/deployments/subscriptions.yaml delete mode 100644 templates/platform/asvm/orion/readme.md delete mode 100644 templates/platform/asvm/orion/tfstates.asvm.yaml delete mode 100644 templates/platform/asvm/walk-through.yaml create mode 100755 templates/platform/deploy_platform.sh rename templates/platform/level1/{eslz => alz}/ansible.yaml (53%) create mode 100644 templates/platform/level1/alz/enterprise_scale.tfvars.j2 rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_config_overrides.tfvars.j2 
(86%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_corp.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_online.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_platform.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_platform_connectivity.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_platform_identity.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_platform_management.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/archetype_definitions/archetype_definition_root.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/custom_landing_zones.tfvars.j2 (66%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/policy_assignments/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/policy_assignments/policy_assignment_pru_apply_security_benchmark.tmpl.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/policy_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/policy_set_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.1.x/role_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/archetype_config_overrides.old (74%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/archetype_config_overrides.tfvars.j2 (100%) rename templates/platform/level1/{eslz => 
alz}/lib/v0.3.3/archetype_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/archetype_definitions/archetype_definition_template.json.j2 (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/archetype_definitions/custom_landing_zone_template.json.j2 (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/custom_landing_zones.tfvars.j2 (91%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/policy_assignments/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/policy_assignments/policy_assignment_caf_aks_capability.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/policy_assignments/policy_assignment_es_allowed_locations.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/policy_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/policy_set_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/role_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v0.3.3/role_definitions/role_definition_caf_vhub_peering.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml (99%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/archetype_config_overrides.tfvars.j2 (89%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/archetype_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2 (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2 (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/custom_landing_zones.caf.platform.yaml (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/custom_landing_zones.tfvars.j2 (81%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_assignments/README.md (100%) 
rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_assignments/policy_assignment_caf_aks_capability.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_assignments/policy_assignment_es_allowed_locations.json (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json (96%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/policy_set_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/role_definitions/README.md (100%) rename templates/platform/level1/{eslz => alz}/lib/v1.1.1/role_definitions/role_definition_caf_vhub_peering.json (100%) create mode 100644 templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.caf.platform.yaml create mode 100644 templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.tfvars.j2 create mode 100644 templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/README.md create mode 100644 templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/archetype_definition_template.json.j2 create mode 100644 templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/custom_landing_zone_template.json.j2 create mode 100644 templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.caf.platform.yaml create mode 100644 templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.tfvars.j2 create mode 100644 templates/platform/level1/alz/lib/v1.1.3/policy_assignments/README.md create mode 100644 templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_aks_capability.json create mode 100644 templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json create mode 100644 
templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_es_allowed_locations.json create mode 100644 templates/platform/level1/alz/lib/v1.1.3/policy_definitions/README.md create mode 100644 templates/platform/level1/alz/lib/v1.1.3/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json create mode 100644 templates/platform/level1/alz/lib/v1.1.3/policy_set_definitions/README.md create mode 100644 templates/platform/level1/alz/lib/v1.1.3/role_definitions/README.md create mode 100644 templates/platform/level1/alz/lib/v1.1.3/role_definitions/role_definition_caf_vhub_peering.json rename templates/platform/level1/{eslz => alz}/readme.md (55%) rename templates/platform/level1/{eslz => alz}/subscription_id_overrides.tfvars.j2 (69%) delete mode 100644 templates/platform/level1/eslz/enterprise_scale.tfvars.j2 create mode 100644 templates/platform/services/alz.yaml delete mode 100644 templates/platform/services/eslz.yaml delete mode 100644 templates/platform/services/ignite_input.yaml rename templates/platform/services/{template.caf.platform.yaml => template.caf.platform.yaml.old} (98%) delete mode 100644 templates/platform/single_subscription_ao.yaml create mode 100644 templates/platform/template_topology.yaml create mode 100644 templates/resources/subscriptions_tpl.j2 create mode 100644 templates/variables/_variables_azure_landing_zones.yaml create mode 100644 templates/variables/_variables_networking_cidr.yaml create mode 100644 templates/variables/_variables_private_dns_zones.yaml create mode 100644 templates/variables/service_regions.yaml
diff --git a/caf_launchpad/dynamic_secrets.tf b/caf_launchpad/dynamic_secrets.tf
index 278997136..27a5a63d2 100644
--- a/caf_launchpad/dynamic_secrets.tf
+++ b/caf_launchpad/dynamic_secrets.tf
@@ -1,9 +1,9 @@
 module "dynamic_keyvault_secrets" {
 source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
- version = "5.5.1"
+ version = "5.5.4"
- #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
+ # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=patch.5.5.4"
 for_each = try(var.dynamic_keyvault_secrets, {})
diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf
index 7b5aaf7f0..21162063c 100644
--- a/caf_launchpad/landingzone.tf
+++ b/caf_launchpad/landingzone.tf
@@ -1,8 +1,8 @@
 module "launchpad" {
- # source = "aztfmod/caf/azurerm"
- # version = "~> 5.5.1"
+ source = "aztfmod/caf/azurerm"
+ version = "~> 5.5.4"
- source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931"
+ # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4"
 # source = "../../aztfmod"
 providers = {
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
index 38311662a..3b21b9777 100644
--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -2,9 +2,9 @@ module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "1.1.1"
+ version = "1.1.3"
- # source = "/tf/caf/eslz"
+ # source = "/tf/caf/alz"
 providers = {
 azurerm = azurerm
diff --git a/caf_solution/dynamic_secrets.tf b/caf_solution/dynamic_secrets.tf
index e5185523b..f7bd289a7 100644
--- a/caf_solution/dynamic_secrets.tf
+++ b/caf_solution/dynamic_secrets.tf
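Review bot: `version = "~> 5.5.4"` on the new side of the caf_launchpad/landingzone.tf hunk is a floating constraint: it accepts any 5.5.x published after this commit, and Terraform's dependency lock file records provider selections only, not module versions, so two `terraform init` runs can resolve the root module to different code. Every child module bumped in this same commit (caf_launchpad/dynamic_secrets.tf, caf_solution/dynamic_secrets.tf, vm_extensions.tf, vmss_extensions.tf) pins the exact `version = "5.5.4"`, and the caf_solution/landingzone.tf hunk carries the same floating constraint. If the intent is a build reproducible against the tested release, `version = "5.5.4"` keeps the root modules consistent with the child modules; if the range is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. Moving off the mutable branch ref `AL-azurerm2931` to the registry is the right direction for provenance either way; the module block continues outside the hunk.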
@@ -1,8 +1,8 @@
 module "dynamic_keyvault_secrets" {
 source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
- version = "5.5.1"
+ version = "5.5.4"
- #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
+ # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=patch.5.5.4"
 for_each = { for keyvault_key, secrets in try(var.dynamic_keyvault_secrets, {}) : keyvault_key => {
diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf
index 32088c277..32458b5c2 100644
--- a/caf_solution/landingzone.tf
+++ b/caf_solution/landingzone.tf
@@ -1,8 +1,8 @@
 module "solution" {
- # source = "aztfmod/caf/azurerm"
- # version = "~> 5.5.1"
+ source = "aztfmod/caf/azurerm"
+ version = "~> 5.5.4"
- source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931"
+ # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4"
 # source = "../../aztfmod"
 providers = {
diff --git a/caf_solution/vm_extensions.tf b/caf_solution/vm_extensions.tf
index 9bb84b770..2567b45b2 100644
--- a/caf_solution/vm_extensions.tf
+++ b/caf_solution/vm_extensions.tf
@@ -4,7 +4,7 @@ module "vm_extension_monitoring_agent" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@@ -26,7 +26,7 @@ module "vm_extension_monitoring_agent" {
 module "vm_extension_diagnostics" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@@ -51,7 +51,7 @@ module "vm_extension_diagnostics" {
 module "vm_extension_microsoft_azure_domainjoin" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@@ -71,7 +71,7 @@ module "vm_extension_microsoft_azure_domainjoin" {
 module "vm_extension_session_host_dscextension" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@@ -93,7 +93,7 @@ module "vm_extension_session_host_dscextension" {
 module "vm_extension_custom_scriptextension" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 #source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
diff --git a/caf_solution/vmss_extensions.tf b/caf_solution/vmss_extensions.tf
index e82ecf21d..2ce0cf371 100644
--- a/caf_solution/vmss_extensions.tf
+++ b/caf_solution/vmss_extensions.tf
@@ -1,6 +1,6 @@
 module "vmss_extension_microsoft_azure_domainjoin" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master"
@@ -21,7 +21,7 @@ module "vmss_extension_microsoft_azure_domainjoin" {
 module "vmss_extension_custom_scriptextension" {
 source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions"
- version = "5.5.1"
+ version = "5.5.4"
 # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master"
diff --git a/templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc b/templates/ansible/action_plugins/__pycache__/merge_vars.cpython-39.pyc
similarity index 100%
rename from templates/platform/action_plugins/__pycache__/merge_vars.cpython-39.pyc
rename to templates/ansible/action_plugins/__pycache__/merge_vars.cpython-39.pyc
diff --git a/templates/platform/action_plugins/merge_vars.py b/templates/ansible/action_plugins/merge_vars.py
similarity index 100%
rename from templates/platform/action_plugins/merge_vars.py
rename to templates/ansible/action_plugins/merge_vars.py
diff --git a/templates/ansible/ansible.yaml b/templates/ansible/ansible.yaml
new file mode 100644
index 000000000..84a325524
--- /dev/null
+++ b/templates/ansible/ansible.yaml
@@ -0,0 +1,136 @@
+- name: Process deployment based on ignite.yaml
+ hosts: localhost
+
+ tasks:
+
+ - name: "Set variables"
+ set_fact:
+ job_cache_base_path: "/home/vscode/.terraform.cache"
+ destination_base_path: '{{ platform_configuration_folder }}'
+ resource_template_folder: "{{ public_templates_folder }}/resources"
+ platform_service_folder: "{{ public_templates_folder }}/platform/services"
+
+ - name: "load {{ template_folder | default(platform_definition_folder)}}/ignite.yaml"
+ include_vars:
+ name: bootstrap
+ dir: "{{ template_folder | default(platform_definition_folder)}}"
+ depth: 1
+ ignore_unknown_extensions: true
+ files_matching: "ignite.yaml"
+
+ - name: "load _variables files"
+ include_vars:
+ name: variables
+ dir: "{{ template_folder | default(platform_service_folder)}}"
+ depth: 1
+ ignore_unknown_extensions: true
+ files_matching: "_variables"
+
+ - name: "Load variable for {{deployment_mode}} config from {{definition_folder}}"
+ include_vars:
+ name: asvm_resource__to_merge
+ dir: "{{definition_folder | default(platform_definition_folder)}}"
+ depth: 0
+ # ignore_unknown_extensions: true
+ files_matching: ".yaml"
+ when: deployment_mode == 'asvm'
+
+ - name: "Load variable for ignite.yaml config from {{platform_definition_folder}}"
+ include_vars:
+ name: ignite_resource__to_merge
+ dir: "{{platform_definition_folder}}"
+ depth: 0
+ files_matching: "ignite.yaml"
+ when: deployment_mode == 'asvm'
+
+ - name: "Load variable for tfstates.yaml config from {{platform_definition_folder}}"
+ include_vars:
+ name: tfstates_resource__to_merge
+ dir: "{{platform_definition_folder}}"
+ depth: 0
+ files_matching: "tfstates.yaml"
+ when: deployment_mode == 'asvm'
+
+ - name: "Load variable for platform config from {{platform_definition_folder}}"
+ include_vars:
+ name: platform_resource__to_merge
+ dir: "{{platform_definition_folder | default(template_folder)}}"
+ depth: 0
+ ignore_unknown_extensions: true
+ files_matching: ".yaml"
+ when: deployment_mode == 'platform'
+
+ - name: Merge resources variables
+ merge_vars:
+ suffix_to_merge: _resource__to_merge
+ merged_var_name: merged_resources
+ expected_type: 'dict'
+ recursive_dict_merge: True
+
+ - set_fact:
+ resources: "{{ merged_resources }}"
+
+ - name: "Creates destination directory - {{destination_base_path}}"
+ file:
+ path: "{{destination_base_path}}"
+ state: directory
+
+ - debug:
+ msg:
+ - "bootstrap: {{bootstrap}}"
+ - "resources: {{resources}}"
+
+#
+# Generate the foundation services
+#
+
+ - name: Process core deployments
+ include_tasks: "process_regions.yaml"
+ loop: "{{bootstrap.deployments[deployment_mode].root.keys()}}"
+ loop_control:
+ loop_var: region
+ vars:
+ lz_type: "{{deployment_mode}}"
+ stage: root
+
+ - name: Process alz deployments
+ include_tasks: "process_regions.yaml"
+ loop: "{{bootstrap.deployments[deployment_mode].alz.keys()}}"
+ loop_control:
+ loop_var: region
+ when:
+ - bootstrap.deployments[deployment_mode].alz is defined and launchpad_tfstate_exists.rc == 0
+ vars:
+ lz_type: "{{deployment_mode}}"
+ stage: alz
+
+#
+# Process the deployments folders
+#
+
+ - find:
+ paths: "{{definition_folder | default(platform_definition_folder)}}/scale_out_domains"
+ recurse: yes
+ patterns: "*.yaml"
+ file_type: file
+ register: files_to_process
+
+ - name: "Process deployments"
+ include_tasks: "process_regions.yaml"
+ loop: "{{bootstrap.deployments[deployment_mode].scale_out_domains.keys()}}"
+ loop_control:
+ loop_var: region
+ when:
+ - (launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0) or (storage_account_level3 is defined and storage_account_level3.rc == 0)
+ vars:
+ lz_type: "{{deployment_mode}}"
+ stage: scale_out_domains
+
+
+#
+# Formatting & Linters
+#
+
+ - name: Terraform Formatting
+ shell: |
+ terraform fmt -recursive {{ destination_base_path }}
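Review bot: The `when:` on "Process alz deployments" dereferences `launchpad_tfstate_exists.rc` without first checking that the variable exists, and nothing in this file registers it, so on a run where the fact was never set the condition raises an undefined-variable error instead of skipping the task; the "Process deployments" task a few lines below guards the same fact with `launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0`, and the alz task should use the same form. Separately, the closing "Terraform Formatting" task passes `{{ destination_base_path }}` unquoted into `shell`, so a path containing whitespace or shell metacharacters is split or interpreted by the shell; `command: terraform fmt -recursive {{ destination_base_path | quote }}` runs it without a shell and with the path as one argument. `job_cache_base_path: "/home/vscode/.terraform.cache"` is set but not read anywhere in this file, which deserves a comment naming the included task file that consumes it, if one does.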
diff --git a/templates/ansible/asvm_definition.yaml b/templates/ansible/asvm_definition.yaml
new file mode 100644
index 000000000..531533aee
--- /dev/null
+++ b/templates/ansible/asvm_definition.yaml
@@ -0,0 +1,70 @@
+- name: Process deployment based on ignite.yaml
+ hosts: localhost
+
+ tasks:
+
+ - debug:
+ msg: "{{landingzone_definition}}"
+
+ - set_fact:
+ scale_out_domains: "{{scale_out_domains_input.split(',') }}"
+
+ - name: Load templates
+ set_fact:
+ subscriptions_asvm: "{{ lookup('template', '{{ template_folder }}/subscriptions.asvm.yaml') }}"
+ tfstates: "{{ lookup('template', '{{ template_folder }}/tfstates.asvm.yaml') }}"
+
+ - name: Load resources template
+ set_fact:
+ resources_{{scod}}: "{{ lookup('template', '{{ template_folder }}/resources.asvm.yaml') }}"
+ loop: "{{scale_out_domains}}"
+ loop_control:
+ loop_var: scod
+
+ - debug:
+ msg:
+ - "subscriptions_asvm: {{subscriptions_asvm}}"
+ - "tfstates: {{tfstates}}"
+
+ - debug:
+ msg:
+ - "{{'resources_' + scod}}: {{lookup('vars', 'resources_' + scod)}}"
+ loop: "{{scale_out_domains}}"
+ loop_control:
+ loop_var: scod
+
+#
+# Create definition folder structure
+#
+
+ - name: "Creates definition directory - {{definition_folder}}"
+ file:
+ path: "{{definition_folder}}"
+ state: directory
+
+ - name: "definition - tfstates"
+ copy:
+ content: "{{ tfstates }}"
+ dest: "{{ definition_folder }}/tfstates.asvm.yaml"
+
+ - name: "definition - subscriptions_asvm"
+ copy:
+ content: "{{ subscriptions_asvm }}"
+ dest: "{{ definition_folder }}/subscriptions.asvm.yaml"
+
+ - name: "definition - resources"
+ copy:
+ content: "{{lookup('vars', 'resources_' + scod)}}"
+ dest: "{{ definition_folder }}/{{landingzone_definition}}_{{scod}}.asvm.yaml"
+ loop: "{{scale_out_domains}}"
+ loop_control:
+ loop_var: scod
+
+ - name: "definition - readme"
+ ansible.builtin.template:
+ src: "{{ topology_folder }}/readme_definition.md"
+ dest: "{{ definition_folder }}/readme.md"
+
+ - debug:
+ msg:
+ - "next steps: {{definition_folder}}/readme.md"
\ No newline at end of file
diff --git a/templates/ansible/load_alz.yaml b/templates/ansible/load_alz.yaml
new file mode 100644
index 000000000..d9e1a4149
--- /dev/null
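Review bot: `scale_out_domains: "{{scale_out_domains_input.split(',') }}"` keeps whatever whitespace surrounds each comma, so an input such as `a, b` yields a domain named ` b` and, in the "definition - resources" task, a file named `{{landingzone_definition}}_ b.asvm.yaml`; `"{{ scale_out_domains_input.split(',') | map('trim') | list }}"` normalises the list where it is built. The per-domain `set_fact` with the templated key `resources_{{scod}}` forces every later consumer through `lookup('vars', 'resources_' + scod)`; a single dict fact keyed by `scod` (accumulated with `combine`) would let the copy task read `{{ resources[scod] }}` and is easier to follow. Only the readme task uses the fully-qualified `ansible.builtin.template` while `copy`, `file`, `debug` and `set_fact` use short names — one convention throughout would be cleaner.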
+++ b/templates/ansible/load_alz.yaml
@@ -0,0 +1,7 @@
+
+- include_tasks: "load_deployments_alz.yaml"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
+ loop_control:
+ loop_var: service
+ when: stage == 'alz'
+
diff --git a/templates/ansible/load_deployments.yaml b/templates/ansible/load_deployments.yaml
new file mode 100644
index 000000000..c4a87afaf
--- /dev/null
+++ b/templates/ansible/load_deployments.yaml
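Review bot: `load_alz.yaml` duplicates the branch that `load_deployments.yaml` already carries in its first "Process 2 deployment file {{stage}}" task (include `load_deployments_alz.yaml` per service when `stage == 'alz'` and `topologies is defined`), and as far as the files in this commit show, `load_regions.yaml` sends the alz stage to `load_deployments.yaml` only when `topologies is not defined`, which leaves that branch inside `load_deployments.yaml` unreachable. Keeping one of the two paths, or a comment at the top of this file stating which caller is expected, would stop them drifting apart. The `when: stage == 'alz'` on this include is redundant with the gate in `load_regions.yaml` but harmless.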
@@ -0,0 +1,50 @@
+- debug:
+ msg:
+ - "{{deployment_mode}}"
+ - "{{stage}}"
+ - "{{region}}"
+ - "topology: {{topology}}"
+
+- name: "Process 1 deployment file {{stage}}/{{region}}"
+ set_fact:
+ "{{stage}}_{{region}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][item]}}') | from_yaml }}"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
+ when:
+ - stage == 'root' or stage == 'alz'
+ - topologies is not defined
+
+- name: "Copy file {{stage}} from {{platform_service_folder}}"
+ ansible.builtin.template:
+ src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
+ dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
+ when:
+ - stage == 'root'
+ - topologies is defined
+
+- name: "Copy file {{stage}} from {{platform_service_folder}}"
+ ansible.builtin.template:
+ src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
+ dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
+ when:
+ - stage == 'alz'
+ - topologies is defined
+
+
+- name: "Process 2 deployment file {{stage}}"
+ include_tasks: "load_deployments_alz.yaml"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
+ loop_control:
+ loop_var: service
+ when:
+ - stage == 'alz'
+ - topologies is defined
+
+- name: "Process 2 deployment file {{stage}}"
+ include_tasks: "load_deployments_env.yaml"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
+ loop_control:
+ loop_var: service
+ when:
+ - stage == 'scale_out_domains'
diff --git a/templates/ansible/load_deployments_alz.yaml b/templates/ansible/load_deployments_alz.yaml
new file mode 100644
index 000000000..a5e06c096
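Review bot: Two tasks in this file carry the identical name `Copy file {{stage}} from {{platform_service_folder}}` and two more the identical name `Process 2 deployment file {{stage}}`, so the play output cannot show which branch (root vs alz, alz vs scale_out_domains) actually ran; naming each by the condition it serves, e.g. `"Copy file {{stage}} (root) from {{platform_service_folder}}"` and `"Copy file {{stage}} (alz) from {{platform_service_folder}}"`, makes the log unambiguous. The first `set_fact` builds a fact name from `{{stage}}_{{region}}_{{item}}` at runtime, presumably so that something later collects every fact ending in `_deployment__to_merge`; a one-line comment above it naming that consumer would explain why the key is dynamic, since nothing in this diff merges that suffix.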
--- /dev/null
+++ b/templates/ansible/load_deployments_alz.yaml
@@ -0,0 +1,77 @@
+- debug:
+ msg:
+ - "{{deployment_mode}}"
+ - "{{stage}}"
+ - "{{region}}"
+ - "{{service}}"
+
+- name: "{{destination_alz_path}} - Set tfstate_object"
+ set_fact:
+ tfstate_object: "{{topologies['alz_' + service].tfstate}}"
+
+- name: "{{destination_path}}/{{stage}} - Set landingzone file_path"
+ set_fact:
+ destination_alz_path: "{{destination_path}}/{{stage}}/{{service}}"
+ alz_template_folder: "{{public_templates_folder}}/{{ tfstate_object.template_lib_folder}}"
+
+- name: "{{destination_alz_path}} - Set landingzone file_path"
+ set_fact:
+ template_lib_folder: "{{alz_template_folder}}/lib/{{ tfstate_object.alz_version }}"
+
+- name: "{{destination_alz_path}} - Set landingzone file_path"
+ set_fact:
+ mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
+ mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
+
+- debug:
+ msg: "{{destination_alz_path}}"
+
+- name: "Clean-up destination directory"
+ shell: |
+ rm -rf "{{ destination_alz_path }}"
+ when:
+ - topology.management_groups[region][service].clean_up_destination_folder | default(True)
+
+- name: "Creates directory structure - {{template_lib_folder}}"
+ shell: mkdir -p "{{ destination_alz_path }}/lib/{{ item.path }}"
+ with_filetree: "{{ template_lib_folder }}"
+ when:
+ - item.state == 'directory'
+
+- name: " Lib"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ destination_alz_path }}/lib/{{ item.path }}"
+ force: yes
+ with_filetree: "{{ template_lib_folder }}"
+ when:
+ - item.state == 'file'
+ - item.path is not search(".j2")
+ - item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md")
+ - topology.management_groups[region][service].update_lib_folder | default(False)
+
+
+- name: " Lib"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ destination_alz_path }}/{{ item.path }}"
+ force: yes
+ with_filetree: "{{ template_lib_folder }}"
+ when:
+ - item.state == 'file'
+ - item.path is search(".yaml")
+ - topology.management_groups[region][service].update_lib_folder | default(False)
+
+# - name: "{{deployment_mode}}/{{stage}}/{{region}}/{{service}} to {{destination_path}}/{{'alz_' + service}}.yaml"
+# ansible.builtin.template:
+# src: "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][service]}}') | from_yaml }}"
+# dest: "{{destination_path}}/{{'alz_' + service}}.yaml"
+# force: yes
+# vars:
+# item: "{{service}}"
+
+- name: "{{deployment_mode}}/{{stage}}/{{region}}/{{service}} to {{destination_path}}/{{'alz_' + service}}.yaml"
+ ansible.builtin.template:
+ src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
+ dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
+ loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
\ No newline at end of file
diff --git a/templates/platform/ansible/load_deployments_env.yaml b/templates/ansible/load_deployments_env.yaml
similarity index 51%
rename from templates/platform/ansible/load_deployments_env.yaml
rename to templates/ansible/load_deployments_env.yaml
index c1a42518e..0c197a12d 100644
--- a/templates/platform/ansible/load_deployments_env.yaml
+++ b/templates/ansible/load_deployments_env.yaml
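Review bot: The "Clean-up destination directory" task runs `rm -rf "{{ destination_alz_path }}"` through `shell`, and `destination_alz_path` is assembled from `destination_path`, `stage` and `service` with no check that any of them is non-empty, so an unset or empty `destination_path` turns the target into `/alz/<service>` while the gate `clean_up_destination_folder | default(True)` makes the deletion the default. `file: path: "{{ destination_alz_path }}" state: absent` does the same job idempotently without a shell, and an `assert` that `destination_path` is defined and non-empty, placed before the `set_fact` that builds the path, bounds the blast radius; the "Creates directory structure" `shell: mkdir -p` can likewise be the `file` module with `state: directory`. The name of the first task, `"{{destination_alz_path}} - Set tfstate_object"`, references a fact that is only set by the task after it, so it renders empty on the first service and shows the previous service's path on later ones.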
@@ -1,7 +1,14 @@ +- debug: + msg: + - "{{deployment_mode}}" + - "{{stage}}" + - "{{region}}" + - "{{service}}" + - name: "Process 3 deployment file {{stage}}/{{service}}" set_fact: - "{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][service][env]}}') | from_yaml }}" - loop: "{{topology.deployments[stage][service].keys()}}" + "{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][service][env]}}') | from_yaml }}" + loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}" loop_control: loop_var: env when: @@ -12,7 +19,7 @@ file: path: "{{destination_path}}/{{stage}}/{{env}}" state: directory - loop: "{{topology.deployments[stage][service].keys()}}" + loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}" loop_control: loop_var: env when: @@ -20,9 +27,9 @@ - name: "Copy file {{stage}}/{{service}}" ansible.builtin.template: - src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][service][env]}}" + src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][service][env]}}" dest: "{{destination_path}}/{{stage}}/{{env}}/{{topologies[service + '_' + env].tfstate.config_file}}" - loop: "{{topology.deployments[stage][service].keys()}}" + loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}" loop_control: loop_var: env when: diff --git a/templates/ansible/load_regions.yaml b/templates/ansible/load_regions.yaml new file mode 100644 index 000000000..72fa0a100 --- /dev/null +++ b/templates/ansible/load_regions.yaml 
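Review bot: The `- debug:` task added at the top of this hunk prints `deployment_mode`, `stage`, `region` and `service` on every include at default verbosity, and the same trace block is added in load_alz.yaml, process_deployments.yaml, process_regions.yaml and process_tfstate.yaml; these read as development output. Add `verbosity: 2` to each so they only appear under `-vv`, or drop them before merging. The three `when:` lists in this file continue outside their hunks.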
@@ -0,0 +1,22 @@
+- include_tasks: "load_deployments.yaml"
+ loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
+ loop_control:
+ loop_var: region
+ when: stage != 'alz'
+
+- include_tasks: "load_deployments.yaml"
+ loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
+ loop_control:
+ loop_var: region
+ when:
+ - stage == 'alz'
+ - topologies is not defined
+
+- include_tasks: "load_alz.yaml"
+ loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
+ loop_control:
+ loop_var: region
+ when:
+ - stage == 'alz'
+ - topologies is defined
+
diff --git a/templates/ansible/process_deployments.yaml b/templates/ansible/process_deployments.yaml
new file mode 100644
index 000000000..38a14f354
--- /dev/null
+++ b/templates/ansible/process_deployments.yaml
@@ -0,0 +1,13 @@
+
+- debug:
+ msg:
+ - "{{deployment_mode}}"
+ - "{{region}}"
+ - "{{tfstate}}"
+
+
+- name: "Including tasks process_tfstate.yaml"
+ include_tasks: "process_tfstate.yaml"
+ loop: "{{bootstrap.deployments[deployment_mode].scale_out_domains[region][tfstate].keys()}}"
+ loop_control:
+ loop_var: env
\ No newline at end of file
diff --git a/templates/ansible/process_regions.yaml b/templates/ansible/process_regions.yaml
new file mode 100644
index 000000000..fe0483643
--- /dev/null
+++ b/templates/ansible/process_regions.yaml
@@ -0,0 +1,19 @@
+- debug:
+ msg:
+ - "{{deployment_mode}}"
+ - "{{lz_type}}"
+ - "{{stage}}"
+
+- name: Process core deployments
+ include_tasks: "process_stages.yaml"
+ loop: "{{bootstrap.deployments[deployment_mode][stage][region].keys()}}"
+ loop_control:
+ loop_var: tfstate
+ when: stage != 'scale_out_domains'
+
+- name: Process core deployments
+ include_tasks: "process_deployments.yaml"
+ loop: "{{bootstrap.deployments[deployment_mode][stage][region].keys()}}"
+ loop_control:
+ loop_var: tfstate
+ when: stage == 'scale_out_domains'
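Review bot: In process_regions.yaml both tasks carry the name `Process core deployments`, although the second one (`when: stage == 'scale_out_domains'`) includes process_deployments.yaml for the scale-out domains; rename it `- name: Process scale-out domain deployments` so the run log distinguishes the two branches. The debug in the same file prints `{{lz_type}}`, which none of the files added in this hunk set, so it presumably relies on the caller to define it — confirm, or use `{{lz_type | default('')}}` as process_tfstate.yaml does for `env`. In load_regions.yaml the three includes loop over the same expression and differ only in their `when`; a one-line comment above them, stating that an already defined `topologies` selects the load_alz.yaml pass for the alz stage, would spare the next reader the comparison.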
diff --git a/templates/platform/ansible/process_resources.yaml b/templates/ansible/process_resources.yaml similarity index 100% rename from templates/platform/ansible/process_resources.yaml rename to templates/ansible/process_resources.yaml diff --git a/templates/platform/ansible/process_stages.yaml b/templates/ansible/process_stages.yaml similarity index 59% rename from templates/platform/ansible/process_stages.yaml rename to templates/ansible/process_stages.yaml index 566b50421..8307079ee 100644 --- a/templates/platform/ansible/process_stages.yaml +++ b/templates/ansible/process_stages.yaml @@ -1,12 +1,15 @@ - debug: msg: - - "tfstate {{tfstate}}}}" + - "tfstate {{tfstate}}" - "{{lz_type}}" + - "{{stage}}" + - "{{region}}" + - "{{tfstate}}" - name: "Set tfstate_object" set_fact: - tfstate_object: "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][tfstate] }}" + tfstate_object: "{{resources.tfstates[lz_type]['alz_' + tfstate] if stage == 'alz' else resources.tfstates[lz_type][tfstate] }}" env: '' - name: "Set config_folder" @@ -29,12 +32,3 @@ vars: config_file: "{{config_folder + '/' + tfstate_object.config_file }}" when: stage != 'scale_out_domains' - -- name: "Process deployments" - include_tasks: "process_deployments.yaml" - loop: "{{bootstrap.deployments.scale_out_domains[tfstate].keys()}}" - loop_control: - loop_var: env - vars: - deployment: deployment - when: stage == 'scale_out_domains' diff --git a/templates/platform/ansible/process_subscription_resources.yaml b/templates/ansible/process_subscription_resources.yaml similarity index 67% rename from templates/platform/ansible/process_subscription_resources.yaml rename to templates/ansible/process_subscription_resources.yaml index 0d7197ba8..38278ea07 100644 --- a/templates/platform/ansible/process_subscription_resources.yaml +++ b/templates/ansible/process_subscription_resources.yaml 
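Review bot: The corrected debug message in the first process_stages.yaml hunk now lists `tfstate` twice (`"tfstate {{tfstate}}"` and, three entries later, `"{{tfstate}}"`); drop the second entry. The `set_fact` that follows also sets `env: ''` next to `tfstate_object`, and this appears to be where the `env` variable consumed by process_tfstate.yaml and process_subscription_resources.yaml gets its default for core tfstates — a comment such as `# env is '' for core tfstates; scale-out domains pass it per environment` would make that contract visible. The second hunk is a pure deletion.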
@@ -2,11 +2,14 @@ - debug: msg: - "subscription_key {{subscription_key}}" + - "{{deployment_mode}}" + - "{{tfstate}}" + - "{{env}}" -- name: "{{deployment}} - Set ansible_to_process" +- name: "{{deployment_mode}} - Set ansible_to_process" set_fact: - ansible_to_process: "{{base_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else base_templates_folder + '/generic'}}" - tfstate_resource: "{{ 'eslz_' + deployment if stage == 'eslz' else deployment if env == '' else deployment + '_' + env }}" + ansible_to_process: "{{public_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else public_templates_folder + '/platform/generic'}}" + tfstate_resource: "{{ 'alz_' + tfstate if stage == 'alz' else tfstate if env == '' else tfstate + '_' + env }}" verbosity: 2 @@ -20,7 +23,7 @@ set_fact: landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2" landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2" - destination_path: "{{destination_base_path}}/{{resources['eslz_' + deployment].relative_destination_folder if stage == 'eslz' else resources[tfstate_resource].relative_destination_folder}}" + destination_path: "{{destination_base_path}}/{{resources['alz_' + tfstate].relative_destination_folder if stage == 'alz' else resources[tfstate_resource].relative_destination_folder}}" level: "{{tfstate_object.level}}" verbosity: 2 @@ -35,7 +38,7 @@ file: path: "{{destination_path}}" state: absent - when: resources.configuration_folders.platform.cleanup_destination | bool + when: resources.configuration_folders[deployment_mode].cleanup_destination | default(true) - name: "[{{tfstate_resource}}] - landingzone - Creates directory" file: 
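Review bot: The third hunk changes the guard on the `file: state: absent` removal of `destination_path` from `| bool` to `| default(true)`, so a missing `configuration_folders.<deployment_mode>.cleanup_destination` key, or a mistyped `deployment_mode`, now deletes the destination folder instead of skipping the step; a destructive task should fail closed, e.g. `when: resources.configuration_folders[deployment_mode].cleanup_destination | default(false) | bool`. In the first and second hunks the `verbosity: 2` line that follows the new `set_fact` keys is not an output control for `set_fact` — the module treats it as one more fact named `verbosity` — so it looks like a leftover from a `debug` task and is worth removing. The `file:` task at the end of the third hunk continues outside it.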
@@ -45,7 +48,7 @@ - name: "{{tfstate_resource}} - process custom yaml process" - include_tasks: "{{base_templates_folder}}/{{tfstate_object.yaml}}" + include_tasks: "{{public_templates_folder}}/{{tfstate_object.yaml}}" when: tfstate_object.yaml is defined # @@ -65,7 +68,7 @@ - name: "{{tfstate_resource}} - process resources" include_tasks: "process_resources.yaml" - loop: "{{resources[tfstate_resource].subscriptions[subscription_key] | list if resources[tfstate_resource].subscriptions[subscription_key] is mapping else [] }}" + loop: "{{resources[tfstate_resource].resources[subscription_key] | list if resources[tfstate_resource].resources[subscription_key] is mapping else [] }}" loop_control: loop_var: resource_type diff --git a/templates/ansible/process_tfstate.yaml b/templates/ansible/process_tfstate.yaml new file mode 100644 index 000000000..36908567e --- /dev/null +++ b/templates/ansible/process_tfstate.yaml 
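Review bot: `include_tasks: "{{public_templates_folder}}/{{tfstate_object.yaml}}"` in the first hunk executes whatever task file the tfstates definition names, and that value comes from a configuration file rather than from code (tfstates.asvm.yaml in this same commit sets it to `platform/level3/ansible.yaml`); an `assert` that `tfstate_object.yaml` is relative and contains no `..` would keep a mis-edited definition from pulling tasks from elsewhere on the host. The second hunk's loop now reads `resources[tfstate_resource].resources[subscription_key]` where it read `.subscriptions[...]`; a comment noting the renamed key would help anyone migrating older definition files.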
@@ -0,0 +1,31 @@
+- debug:
+ msg:
+ - "{{deployment_mode}}"
+ - "{{stage}}"
+ - "{{tfstate}}"
+ - "{{env}}"
+
+
+- name: "Set tfstate_object"
+ set_fact:
+ tfstate_object: "{{resources.tfstates[deployment_mode]['alz_' + tfstate] if stage == 'alz' else resources.tfstates[deployment_mode][tfstate] if env == '' else resources.tfstates[deployment_mode][tfstate][env]}}"
+
+- name: "Verify {{deployment_mode}}/{{stage}}/{{tfstate}}/{{env | default('')}} is defined under tfstates/{{deployment_mode}} in {{platform_definition_folder}}/tfstates.yaml :"
+ debug:
+ msg:
+ - "{{tfstate_object}}"
+
+- name: "{{deployment_mode}} - tfstate_object sub_template_folder- {{env | default('')}}"
+ debug:
+ msg:
+ - 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
+ - 'tfstate_object - {{tfstate_object}}'
+ # - "{{resources}}"
+
+- name: "{{deployment_mode}}/{{stage}}/{{tfstate}} - process subscription resources"
+ include_tasks: "process_subscription_resources.yaml"
+ loop: "{{resources['alz_' + tfstate].resources.keys() if stage == 'alz' else resources[tfstate].resources.keys() if env == '' else resources[tfstate + '_' + env].resources.keys() }}"
+ loop_control:
+ loop_var: subscription_key
+ vars:
+ level: "{{tfstate_object.level}}"
diff --git a/templates/platform/walk-through-single.yaml b/templates/ansible/walk-through-single.yaml
similarity index 83%
rename from templates/platform/walk-through-single.yaml
rename to templates/ansible/walk-through-single.yaml
index 1740e135d..f6160614d 100644
--- a/templates/platform/walk-through-single.yaml
+++ b/templates/ansible/walk-through-single.yaml
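Review bot: The `set_fact` for `tfstate_object` and the `loop` of the last task compare `env == ''` with no default, while the task names in the same file write `env | default('')`; if a caller has not set `env`, the include fails on an undefined variable with an error pointing at the lookup rather than at the missing input. Use `env | default('') == ''` in both expressions, or drop the `default` from the names if `env` is guaranteed. The task named `Verify ... is defined` only prints the object; an `assert` with `that: tfstate_object is defined` and a `fail_msg` naming the expected tfstates.yaml entry would turn it into the check the name promises.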
@@ -2,7 +2,7 @@ # Initial script to select a topology and create the base templates for the definitions folder # # ansible-playbook /tf/caf/landingzones/templates/platform/walk-through-single.yaml \ -# -e topology_file=/tf/caf/landingzones/templates/platform/eslz_single_subscription.yaml \ +# -e topology_file=/tf/caf/landingzones/templates/platform/alz_single_subscription.yaml \ # -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \ # -e landingzones_folder=/tf/caf/landingzones \ # -e destination_base_path=/tf/caf \ @@ -23,6 +23,21 @@ private: no default: contoso + - name: prefix + prompt: Set the prefix to add to all resource. + private: no + default: caf + + - name: alz_mg_prefix + prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens). + private: no + default: es + + - name: alz_mg_name + prompt: Management group name + private: no + default: Contoso + - name: default_email_address prompt: Email address to send all notifications private: no @@ -40,16 +55,7 @@ private: no default: region1 - - name: eslz_mg_prefix - prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens). - private: no - default: es - - - name: eslz_mg_name - prompt: Management group name - private: no - default: Contoso tasks: - - include_tasks: "ansible/walk-through.yaml" + - include_tasks: "walk-through.yaml" diff --git a/templates/platform/ansible/walk-through.yaml b/templates/ansible/walk-through.yaml similarity index 61% rename from templates/platform/ansible/walk-through.yaml rename to templates/ansible/walk-through.yaml index 6f96aad59..e4f73cceb 100644 --- a/templates/platform/ansible/walk-through.yaml +++ b/templates/ansible/walk-through.yaml 
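Review bot: The usage comment in the first hunk still invokes `/tf/caf/landingzones/templates/platform/walk-through-single.yaml` and passes `config_folder_platform_templates=...`, but this commit moves the playbook to `templates/ansible/` and the tasks it includes now read `public_templates_folder`; update the documented command to the new path and variable names, otherwise the example no longer runs. The new `alz_mg_prefix` prompt states a 2–10 character alphanumeric/hyphen rule but nothing enforces it; an `assert` task with `that: alz_mg_prefix is match('^[A-Za-z0-9-]{2,10}$')` before the include would fail at prompt time instead of at deployment.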
@@ -2,7 +2,7 @@ # Get launchpad subscription details # -- name: Get deployment user object_id +- name: Get deployment user object_id (make sure you are logged-in to the launchpad Azure subscription first.) shell: az ad signed-in-user show --query objectId -o tsv register: object_id @@ -29,28 +29,40 @@ - set_fact: regions: "{{ azure_regions }}" + deployment_mode: "platform" + topology: "{{bootstrap | default()}}" - set_fact: topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}" - destination_path: "{{destination_folder}}" - + destination_path: "{{definition_folder | default(platform_definition_folder)}}" + resource_template_folder: "{{ public_templates_folder }}/resources" + platform_service_folder: "{{ public_templates_folder }}/platform/services" + public_templates_variables_folder: "{{ public_templates_folder }}/variables" - name: "Creates directory - {{destination_path}}" file: path: "{{destination_path}}" state: directory - -- name: ignite_input - ansible.builtin.template: - src: "{{platform_service_folder}}/ignite_input.yaml" - dest: "{{destination_path}}/ignite_input.yaml" # # Load the files into variables # +- name: "load _variables files" + include_vars: + name: variables + dir: "{{ public_templates_variables_folder}}" + depth: 1 + ignore_unknown_extensions: true + files_matching: "_variables" + -- include_tasks: "load_deployments.yaml" - loop: "{{topology.deployments.keys()}}" +- debug: + msg: + - "variables: {{variables}}" + - "{{topology}}" + +- include_tasks: "load_regions.yaml" + loop: "{{topology.deployments[deployment_mode].keys()}}" loop_control: loop_var: stage 
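Review bot: In the second hunk the first `set_fact` assigns `topology: "{{bootstrap | default()}}"` and the very next `set_fact` overwrites `topology` with the rendered `topology_file`, so the first assignment is dead unless something between the two reads it; remove it or add a comment saying why it is there. The new `- debug:` prints the complete `variables` and `topology` structures at default verbosity; the topology rendered from ignite.yaml carries subscription ids and customer naming, which would then land in every pipeline log, so add `verbosity: 2`. The `include_tasks: "load_regions.yaml"` loop at the end of the hunk continues outside it.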
@@ -61,19 +73,15 @@ expected_type: 'dict' recursive_dict_merge: True -- set_fact: +- name: "Topologies merged" + set_fact: topologies: "{{ merged_topologies }}" - # Need topologies to render the following templates - name: "load tfstates" set_fact: "tfstates_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/tfstates.yaml') | from_yaml }}" -- name: "load template.caf.platform" - set_fact: - "caf_platform_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/template.caf.platform.yaml') | from_yaml }}" - - name: Merge deployment files into topologies variable merge_vars: suffix_to_merge: _deployment__to_merge @@ -92,11 +100,24 @@ # - name: Copy files - include_tasks: "load_deployments.yaml" - loop: "{{topology.deployments.keys()}}" + include_tasks: "load_regions.yaml" + loop: "{{topology.deployments[deployment_mode].keys()}}" loop_control: loop_var: stage +- find: + paths: "{{public_templates_variables_folder}}" + recurse: no + patterns: "_variables*.yaml" + file_type: file + register: variable_files_to_process + +- name: copy variables files + ansible.builtin.copy: + src: "{{ item.path }}" + dest: "{{destination_path}}/{{ item.path | basename }}" + loop: "{{variable_files_to_process.files}}" + - name: tfstates.yaml ansible.builtin.template: src: "{{platform_service_folder}}/tfstates.yaml" 
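Review bot: The `find` task added in the second hunk selects `patterns: "_variables*.yaml"`, a glob anchored at the start of the file name, whereas the `include_vars` earlier in this file uses `files_matching: "_variables"`, a regex that matches anywhere in the name and accepts any extension; a file such as `foo_variables.yaml` or `_variables.yml` would be loaded into `variables` but never copied to `{{destination_path}}`. Align the two selectors, e.g. `files_matching: "^_variables.*\\.ya?ml$"` together with `patterns: "_variables*.y*ml"`, so what is loaded is exactly what is copied.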
@@ -104,13 +125,13 @@ - name: ignite.yaml ansible.builtin.template: - src: "{{config_folder_platform_templates}}/single_subscription.yaml" + src: "{{public_templates_folder}}/platform/single_subscription.yaml" dest: "{{destination_path}}/ignite.yaml" -- name: template.caf.platform.yaml - ansible.builtin.template: - src: "{{platform_service_folder}}/template.caf.platform.yaml" - dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml" +# - name: template.caf.platform.yaml +# ansible.builtin.template: +# src: "{{platform_service_folder}}/template.caf.platform.yaml" +# dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml" - name: readme.md ansible.builtin.template: diff --git a/templates/asvm/ignite.yaml b/templates/asvm/ignite.yaml new file mode 100644 index 000000000..b4dbe8210 --- /dev/null +++ b/templates/asvm/ignite.yaml 
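Review bot: The `template.caf.platform.yaml` task is commented out rather than deleted, while the same commit already removes its `load template.caf.platform` counterpart earlier in the file; commented-out tasks tend to be resurrected later with stale paths, so delete the block (history keeps it) or add a one-line comment stating why it is retained. The `readme.md` task at the end of the hunk continues outside it.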
@@ -0,0 +1,71 @@
+
+landingzone_definition: {{landingzone_definition}}
+
+subscriptions:
+{% for scod in scale_out_domains %}
+ {{scod}}:
+ name: {{landingzone_definition}}-{{scod}}
+{% if generate_new_subscriptions %}
+ # Set to false if you do not have permissions to create an alias
+ create_alias: false
+ subscription_id: {{subscription_id}}
+{% endif %}
+{% endfor %}
+
+#
+# deployments
+#
+
+deployments:
+ asvm:
+ root:
+ region1:
+ asvm_subscriptions: subscriptions.asvm.yaml
+ scale_out_domains:
+ region1:
+ {{landingzone_definition}}:
+{% for scod in scale_out_domains %}
+ {{scod}}: {{landingzone_definition}}_{{scod}}.asvm.yaml
+{% endfor %}
+
+platform_mappings:
+{%for key, value in platform_domain_mapping.items() %}
+ {{key}}: {{value}}
+{% endfor %}
+
+#
+# If platform folder and config not accessible to the asvm repo you need to add the following variables
+#
+
+# caf_terraform:
+# launchpad:
+# caf_environment: cont0226
+# subscription_id:
+
+# cleanup_destination - recommended to clean and recreated a clean state from template.
+configuration_folders:
+ asvm:
+ cleanup_destination: true
+
+#
+# paths
+#
+topology_folder: {{topology_folder}}
+public_templates_folder: {{public_templates_folder}}
+landingzones_folder: {{landingzones_folder}}
+template_folder: {{template_folder}}
+definition_folder: {{definition_folder}}
+platform_configuration_folder: {{platform_configuration_folder}}
+platform_definition_folder: {{platform_definition_folder}}
+
+deployment_mode: {{deployment_mode}}
+
+#
+# Ansible input responses
+#
+
+# don't change the structure of the values for ansible to process them properly.
+# you can update the values following the structure.
+scale_out_domains_input: {{scale_out_domains_input}}
+platform_domain_mapping_input: {{platform_domain_mapping_input}}
+generate_new_subscriptions: {{generate_new_subscriptions}}
\ No newline at end of file
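Review bot: Inside `{% if generate_new_subscriptions %}` every scale-out domain is emitted with `create_alias: false` and the same `subscription_id: {{subscription_id}}`, while the comment above says to set `create_alias` to false only when the caller lacks alias permissions; with the flag true the generated file therefore points all domains at one existing subscription, which reads as the opposite of "generate new subscriptions". Make the comment state the intended behaviour, or emit `create_alias: true` with an empty `subscription_id` when new subscriptions are to be created, and note in the comment that the two keys are absent when the flag is false, since downstream templates read them. `{{landingzone_definition}}` and `{{scod}}` are used unquoted as YAML keys, so the template assumes the names contain no YAML-significant characters; the prompt in deploy_template.sh only says "no spaces".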
diff --git a/templates/asvm/orion/deploy_template.sh b/templates/asvm/orion/deploy_template.sh
new file mode 100755
index 000000000..caa2a3e44
--- /dev/null
+++ b/templates/asvm/orion/deploy_template.sh
@@ -0,0 +1,17 @@
+#! /bin/bash
+
+echo -n "Name of the landingzone group definition (no spaces) to create: "
+read -r landingzone_definition
+
+export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False
+
+ansible-playbook /tf/caf/landingzones/templates/asvm/walk-through.yaml \
+ -e topology_folder=/tf/caf/landingzones/templates/asvm/orion \
+ -e public_templates_folder=/tf/caf/landingzones/templates \
+ -e landingzones_folder=/tf/caf/landingzones \
+ -e template_folder=/tf/caf/asvm/${landingzone_definition} \
+ -e definition_folder=/tf/caf/asvm/${landingzone_definition}/definition \
+ -e platform_configuration_folder=/tf/caf/configuration \
+ -e platform_definition_folder=/tf/caf/platform/definition \
+ -e deployment_mode=asvm \
+ --extra-vars landingzone_definition=${landingzone_definition}
\ No newline at end of file
diff --git a/templates/asvm/orion/readme.md b/templates/asvm/orion/readme.md
new file mode 100644
index 000000000..0fe298a03
--- /dev/null
+++ b/templates/asvm/orion/readme.md
@@ -0,0 +1,20 @@
+# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
+
+## Generate the configuration files
+
+```bash
+
+ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \
+ --extra-vars "@{{template_folder}}/ignite.yaml"
+
+```
+
+## Regenerate the template
+
+Note: This playbook will override the customization you have performed in your {{platform_configuration_folder}} folder.
+
+```bash
+ansible-playbook {{public_templates_folder}}/walk-through.yaml \
+ --extra-vars "@{{template_folder}}/ignite.yaml"
+
+```
\ No newline at end of file
diff --git a/templates/asvm/orion/readme_definition.md b/templates/asvm/orion/readme_definition.md
new file mode 100644
index 000000000..e7946f6eb
--- /dev/null
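Review bot: In deploy_template.sh the value read into `landingzone_definition` is spliced unquoted into `template_folder=/tf/caf/asvm/${landingzone_definition}`, `definition_folder=...` and the `--extra-vars` argument; a name containing spaces, `/` or `..` splits the argument list or places the generated folders outside `/tf/caf/asvm`, and without `set -e` the playbook runs regardless. Since the same value becomes YAML keys and Terraform workspace names in the templates this script feeds, validate it against a conservative character set right after the `read` and quote every expansion; the remaining arguments are unchanged.
```bash
#! /bin/bash
set -euo pipefail

echo -n "Name of the landingzone group definition (no spaces) to create: "
read -r landingzone_definition
if [[ ! "${landingzone_definition}" =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "landingzone_definition must match ^[A-Za-z0-9_-]+$ (got: '${landingzone_definition}')" >&2
  exit 1
fi

# … unchanged: export ANSIBLE_DISPLAY_SKIPPED_HOSTS, ansible-playbook invocation and the fixed -e arguments …
# the three expansions become:
  -e "template_folder=/tf/caf/asvm/${landingzone_definition}" \
  -e "definition_folder=/tf/caf/asvm/${landingzone_definition}/definition" \
  --extra-vars "landingzone_definition=${landingzone_definition}"
```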
+++ b/templates/asvm/orion/readme_definition.md @@ -0,0 +1,17 @@ +# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM) + +## Generate the configuration files + +```bash +ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \ + --extra-vars "@{{template_folder}}/ignite.yaml" + +``` + +## Regenerate the definition folder + +```bash +ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \ + --extra-vars "@{{template_folder}}/ignite.yaml" + +``` \ No newline at end of file diff --git a/templates/asvm/orion/resources.asvm.yaml b/templates/asvm/orion/resources.asvm.yaml new file mode 100644 index 000000000..5234a7fff --- /dev/null +++ b/templates/asvm/orion/resources.asvm.yaml 
@@ -0,0 +1,526 @@ +{{landingzone_definition}}_{{scod}}: + gitops: + caf_landingzone_branch: aci_network + + relative_destination_folder: level3/{{landingzone_definition}}/{{scod}} + + deployments: + landingzone: + global_settings_key: + platform: + virtual_hubs: {{platform_mappings[scod]}} + remote_tfstates: + asvm: + asvm_subscriptions: + platform: + virtual_hubs: {{platform_mappings[scod]}} + virtual_hubs_route_tables: {{platform_mappings[scod]}} + secure_firewalls: {{platform_mappings[scod]}} + identity_level2: {{platform_mappings[scod]}} + asvm: + + resources: + {{landingzone_definition}}_{{scod}}: + resource_groups: + rg: + name: {{landingzone_definition}}-{{scod}} + backup: + name: {{landingzone_definition}}-{{scod}}-backup + networking: + name: {{landingzone_definition}}-{{scod}}-networking + preparation: + name: {{landingzone_definition}}-{{scod}}-preparation + modeling: + name: {{landingzone_definition}}-{{scod}}-modeling + consumption: + name: {{landingzone_definition}}-{{scod}}-consumption + analytics: + name: {{landingzone_definition}}-{{scod}}-analytics + + virtual_networks: + vnet: + name: {{landingzone_definition}}-{{scod}} + resource_group_key: networking + region_key: region1 + dns_servers_keys: + fw_secure_{{platform_mappings[scod]}}: + resource_type: azurerm_firewall + lz_key: connectivity_secure_firewalls_{{platform_mappings[scod]}} + key: fw_secure_{{platform_mappings[scod]}} + address_space: + - 10.101.8.0/23 + subnets: + databricks_preparation_egress: + name: databricks-preparation-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.0/26 + databricks_preparation_private: + name: databricks-preparation-private + nsg_key: 
databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.8.64/26 + databricks_modeling_egress: + name: databricks-modeling-egress + nsg_key: databricks_egress + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.0/26 + databricks_modeling_private: + name: databricks-modeling-private + nsg_key: databricks_private + delegation: + name: databricks + service_delegation: Microsoft.Databricks/workspaces + actions: + - Microsoft.Network/virtualNetworks/subnets/join/action + - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action + - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action + cidr: + - 10.101.9.64/26 + consumption: + name: consumption + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.8.128/25 + databricks_notebooks: + name: databricks-notebooks + service_endpoints: + - Microsoft.Storage + - Microsoft.KeyVault + nsg_key: databricks_notebooks + cidr: + - 10.101.9.128/27 + private_endpoints: + name: private-endpoints + enforce_private_link_endpoint_network_policies: true + cidr: + - 10.101.9.192/27 + + network_security_group_definition: + databricks_egress: + version: 1 + resource_group_key: networking + name: databricks-egress + nsg: + Inbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + 
destination_port_range: 5557 + destination_address_prefix: "*" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureDatabricks" + destination_port_range: 22 + destination_address_prefix: "*" + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + 405: + name: ICMP + access: Allow + protocol: icmp + source_port_range: "*" + source_address_prefix: "*" + destination_port_range: "*" + destination_address_prefix: "*" + databricks_private: + version: 1 + resource_group_key: networking + name: databricks-private + nsg: + Inbound: + 400: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: 
"*" + source_address_prefix: "BatchNodeManagement" + destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 401: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 400: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "AzureDatabricks" + 401: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 3306 + destination_address_prefix: "Sql" + 402: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 443 + destination_address_prefix: "Storage" + 403: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: "*" + destination_address_prefix: "VirtualNetwork" + 404: + name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "VirtualNetwork" + destination_port_range: 9093 + destination_address_prefix: "EventHub" + consumption: + version: 1 + resource_group_key: networking + name: consumption + databricks_notebooks: + version: 1 + resource_group_key: networking + name: databricks-notebooks + nsg: + Inbound: + 500: + name: Batch Node Management + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "BatchNodeManagement" + 
destination_address_prefix: "*" + destination_port_ranges: + - 29876 + - 29877 + 501: + name: Azure Machine Learning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "AzureMachineLearning" + destination_address_prefix: "*" + destination_port_ranges: + - 44224 + Outbound: + 500: + name: AzureActiveDirectory + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + destination_port_ranges: + - 80 + - 443 + 501: + name: AzureMachineLearning + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureMachineLearning" + destination_port_ranges: + - 443 + 502: + name: AzureResourceManager + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureResourceManager" + destination_port_ranges: + - 443 + 503: + name: Storage + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "Storage" + destination_port_ranges: + - 443 + 504: + name: AzureFrontDoor Frontend + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.Frontend" + destination_port_ranges: + - 443 + 505: + name: Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureContainerRegistry" + destination_port_ranges: + - 443 + 506: + name: Microsoft Container Registry + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "MicrosoftContainerRegistry" + destination_port_ranges: + - 443 + 507: + name: Keyvault + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureKeyVault" + destination_port_ranges: + - 443 + 508: + name: AzureFrontDoor 
FirstParty + access: Allow + protocol: tcp + source_port_range: "*" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + destination_port_range: "*" + + virtual_hub_connections: + vnet_to_{{platform_mappings[scod]}}: + name: vnet-{{landingzone_definition}}-{{scod}}-TO-{{platform_mappings[scod]}} + virtual_hub: + lz_key: connectivity_virtual_hubs_{{platform_mappings[scod]}} + key: {{platform_mappings[scod]}} + vnet: + vnet_key: vnet + routing: + egress: + lz_key: virtual_hubs_route_tables_{{platform_mappings[scod]}} + + recovery_vaults: + asr: + name: vault-{{landingzone_definition}}-{{scod}} + resource_group_key: backup + backup_policies: + vms: + default: + name: vm-default-policy + timezone: "SE Asia Standard Time" + backup: + frequency: Daily + time: "23:00" + retention_daily: + count: 7 + + keyvaults: + kv_delegated_sp: + name: {{landingzone_definition}}{{scod}}001 + resource_group_key: rg + creation_policies: + logged_in_user: + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + landingzone_maintainers_{{platform_mappings[scod]}}: + lz_key: asvm + azuread_group_key: caf_ac_landingzone_maintainers_{{platform_mappings[scod]}} + secret_permissions: + - Set + - Get + - List + - Delete + - Purge + - Recover + + keyvault_access_policies: + kv_delegated_sp: + app_LZContributors: + azuread_service_principal_key: sp_LZContributors + secret_permissions: + - Get + + azuread_applications: + app_LZContributors: + application_name: app-asvm-{{landingzone_definition}}-{{scod}}-Contributors + + azuread_service_principals: + sp_LZContributors: + azuread_application: + key: app_LZContributors + + azuread_credentials: + app_LZContributors: + type: password + azuread_credential_policy_key: default_policy + azuread_application: + key: app_LZContributors + keyvaults: + kv_delegated_sp: + secret_prefix: sp + + azuread_credential_policies: + default_policy: + length: 250 + special: false + upper: true + number: true + 
expire_in_days: 70 + rotation_key0: + days: 33 + rotation_key1: + days: 58 + + azuread_groups_membership: + caf_{{platform_mappings[scod]}}_landingzones_dns_contributors: + azuread_service_principals: + sp_LZContributors: + group_lz_key: identity_level2_{{platform_mappings[scod]}} + keys: + - sp_LZContributors + caf_ac_landingzone_maintainers_{{platform_mappings[scod]}}: + azuread_service_principals: + sp_LZContributors: + group_lz_key: asvm + keys: + - sp_LZContributors + + custom_role_definitions: + contributors_extended: + name: lz-{{landingzone_definition}}-{{scod}}-contributors-extended + useprefix: true + description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." + permissions: + actions: + - Microsoft.Network/privateDnsZones/join/action + - Microsoft.Network/virtualNetworks/join/action + + role_mapping: + custom_role_mapping: + networking: + vnet: + contributors_extended: + azuread_service_principals: + keys: + - sp_LZContributors + + built_in_role_mapping: + resource_groups: + preparation: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + modeling: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + consumption: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + analytics: + Owner: + azuread_service_principals: + keys: + - sp_LZContributors + storage_containers: + {{landingzone_definition}}_{{scod}}_level3: + lz_key: {{landingzone_definition}}_subscriptions + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors + {{landingzone_definition}}_{{scod}}_level4: + lz_key: {{landingzone_definition}}_subscriptions + Storage Blob Data Contributor: + azuread_service_principals: + keys: + - sp_LZContributors diff --git a/templates/asvm/orion/subscriptions.asvm.yaml b/templates/asvm/orion/subscriptions.asvm.yaml new file mode 100644 index 000000000..4ed075b55 --- /dev/null 
+++ b/templates/asvm/orion/subscriptions.asvm.yaml @@ -0,0 +1,25 @@ +asvm_subscriptions: + gitops: + caf_landingzone_branch: aci_network + + relative_destination_folder: level3/{{landingzone_definition}}/subscriptions + + deployments: + landingzone: + global_settings_key: + platform: + asvm: + remote_tfstates: + platform: + asvm: + + resources: + asvm_subscriptions: + subscriptions: + {{landingzone_definition}}: +{% for scod in deployments.asvm['scale_out_domains'][landingzone_definition].keys() %} + {{scod}}: + name: {{landingzone_definition}}-{{scod}} + create_alias: {{subscriptions[scod].create_alias}} + subscription_id: {{subscriptions[scod].subscription_id}} +{% endfor %} diff --git a/templates/asvm/orion/tfstates.asvm.yaml b/templates/asvm/orion/tfstates.asvm.yaml new file mode 100644 index 000000000..c791c8e98 --- /dev/null +++ b/templates/asvm/orion/tfstates.asvm.yaml @@ -0,0 +1,20 @@ +# ### {{landingzone_definition}} ### +tfstates: + asvm: + asvm_subscriptions: + lz_key_name: {{landingzone_definition}}_subscriptions + tfstate: {{landingzone_definition}}_subscriptions.tfstate + workspace: tfstate + level: level3 + sub_template_folder: platform/level3/subscriptions + yaml: platform/level3/ansible.yaml + + {{landingzone_definition}}: +{% for scod in scale_out_domains %} + {{scod}}: + lz_key_name: {{landingzone_definition}}_{{scod}}_level3 + tfstate: {{landingzone_definition}}_{{scod}}_level3.tfstate + workspace: {{landingzone_definition | replace('_', '-')}}-{{scod}} + level: level3 + +{% endfor %} diff --git a/templates/asvm/readme.md b/templates/asvm/readme.md new file mode 100644 index 000000000..0efc05382 --- /dev/null +++ b/templates/asvm/readme.md @@ -0,0 +1,7 @@ + +## Template to generate the defitions for the Orion data and ai landingzones + +```bash +/tf/caf/landingzones/templates/asvm/orion/deploy_template.sh + +``` \ No newline at end of file 
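Review bot: `caf_landingzone_branch: aci_network` pins every generated subscription landing zone to a mutable feature branch, so the landing-zone code a later deployment pulls is whatever that branch head is at run time rather than a fixed, reviewable revision; a release tag or commit sha would make the rendered definition reproducible. The loop also takes its domains from `deployments.asvm['scale_out_domains'][landingzone_definition].keys()` while tfstates.asvm.yaml in this same commit iterates `scale_out_domains`; if those two inputs ever differ, the subscriptions and tfstates rendered for one definition will not line up, so both templates should read the same source. `subscription_id: {{subscriptions[scod].subscription_id}}` is rendered unquoted, so an unset value becomes a null key rather than an empty string — presumably fine if the consumer treats both alike, but worth confirming.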
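Review bot: Only a `_level3` tfstate is declared per scale-out domain, while the per-domain definition template earlier in this patch grants `Storage Blob Data Contributor` on a `{{landingzone_definition}}_{{scod}}_level4` storage container; if that level4 state is meant to be resolved through this file it is missing, and if it is declared elsewhere a comment such as `# level4 tfstates per domain are declared in <other-template-file>` would save the next reader the search. The loop variable is `scale_out_domains` here but `deployments.asvm['scale_out_domains'][landingzone_definition]` in subscriptions.asvm.yaml, which is easy to let drift. The empty line before `{% endfor %}` also emits a blank line per domain — harmless in YAML, but presumably unintended.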
diff --git a/templates/asvm/walk-through.yaml b/templates/asvm/walk-through.yaml
new file mode 100644
index 000000000..2e45dd37c
--- /dev/null
+++ b/templates/asvm/walk-through.yaml
@@ -0,0 +1,81 @@ +# +# Initial script to select a topology and create the base templates for the definition folder +# + + +- name: Deploy template to definition's folder + hosts: localhost + vars_prompt: + - name: landingzone_definition + prompt: Name of the landingzone group definition (no spaces) + private: no + + - name: scale_out_domains_input + prompt: List of the scale-out domains. Will create one landingzone per domain. + private: no + default: dev,prod + + - name: platform_domain_mapping_input + prompt: Mapping between the landingzones and platform scale-out domains. + private: no + default: + dev: non_prod + prod: prod + + - name: generate_new_subscriptions + prompt: Do you want to deploy in the current logged_in subscription (True) or create new one (False)? + private: no + default: True + + + tasks: + + - name: Get default subscription id + shell: az account show --query id -o tsv + register: subscription_id_cmd + when: generate_new_subscriptions + + - set_fact: + scale_out_domains: "{{scale_out_domains_input.split(',') }}" + platform_domain_mapping: "{{platform_domain_mapping_input}}" + subscription_id: "{{subscription_id_cmd.stdout}}" + + - name: Get template files + register: asvm_files + find: + paths: "{{topology_folder}}" + file_type: file + excludes: + - "readme_definition.md" + - "deploy_template.sh" + + - debug: + msg: + - "{{asvm_files}}" + - "{{playbook_dir}}" + verbosity: 1 + + - name: "Creates template_folder directory - {{template_folder}}" + file: + path: "{{template_folder}}" + state: directory + + - name: Deploy files + ansible.builtin.copy: + src: "{{item.path}}" + dest: "{{template_folder}}/{{ item.path | basename }}" + loop: "{{asvm_files.files}}" + + - name: Save parameters + ansible.builtin.template: + src: "{{playbook_dir}}/ignite.yaml" + dest: "{{template_folder}}/ignite.yaml" + + - name: readme + ansible.builtin.template: + src: "{{topology_folder}}/readme.md" + dest: "{{template_folder}}/readme.md" + + - debug: + msg: + - "next 
steps: {{template_folder}}/readme.md"
\ No newline at end of file
diff --git a/templates/platform/ansible/ansible.yaml b/templates/platform/ansible/ansible.yaml
deleted file mode 100644
index d4756dd19..000000000
--- a/templates/platform/ansible/ansible.yaml
+++ /dev/null
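Review bot: `subscription_id: "{{subscription_id_cmd.stdout}}"` in the `set_fact` task is evaluated unconditionally, but the `az account show` task that registers `subscription_id_cmd` runs only `when: generate_new_subscriptions`, and a skipped task's registered result carries no `stdout`, so the playbook fails with an undefined-attribute error on exactly the path the prompt offers; `subscription_id: "{{ subscription_id_cmd.stdout | default('') }}"` keeps that path working. The prompt text and the variable name also point in opposite directions — answering True means "use the current logged-in subscription", yet the variable is called `generate_new_subscriptions` — which should be reconciled before operators are asked this question. Since `az account show --query id -o tsv` uses no shell features, `command:` rather than `shell:` is the more appropriate module for that task.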
@@ -1,99 +0,0 @@ -- name: Process deployment based on ignite.yaml - hosts: localhost - - tasks: - - - name: "load {{ config_folder }}/ignite.yaml" - include_vars: - name: bootstrap - dir: "{{ config_folder }}" - depth: 1 - ignore_unknown_extensions: true - files_matching: "ignite.yaml" - - - name: "Load variable for platform config" - include_vars: - name: resources - dir: "{{config_folder_platform | default(config_folder)}}" - depth: 0 - ignore_unknown_extensions: true - files_matching: ".yaml" - ignore_files: "ignite.yaml" - - - name: "Set variables" - set_fact: - job_cache_base_path: "/home/vscode/.terraform.cache" - destination_base_path: '{{ destination_folder }}' - - - name: "Creates destination directory - {{destination_base_path}}" - file: - path: "{{destination_base_path}}" - state: directory - - - - debug: - msg: - - "bootstrap: {{bootstrap}}" - - "resources: {{resources}}" - -# -# Generate the foundation services -# - - - name: Process core deployments - include_tasks: "process_stages.yaml" - loop: "{{bootstrap.deployments.root.keys()}}" - loop_control: - loop_var: tfstate - vars: - lz_type: platform - stage: root - - - name: Process eslz deployments - include_tasks: "process_stages.yaml" - loop: "{{bootstrap.deployments.eslz.keys()}}" - loop_control: - loop_var: tfstate - when: - - launchpad_tfstate_exists.rc == 0 - vars: - lz_type: platform - stage: eslz - -# -# Process the deployments folders -# - - - find: - paths: "{{config_folder}}/scale_out_domains" - recurse: yes - patterns: "*.yaml" - file_type: file - register: files_to_process - - - name: Process scale out domaines deployments - include_tasks: "process_stages.yaml" - loop: "{{bootstrap.deployments.scale_out_domains.keys()}}" - loop_control: - loop_var: tfstate - when: - - launchpad_tfstate_exists.rc == 0 - vars: - lz_type: platform - stage: scale_out_domains - -## Platform readme - - - name: "[{{ base_templates_folder }}] readme" - ansible.builtin.template: - src: "{{ base_templates_folder 
}}/readme.md" - dest: "{{ destination_base_path }}/readme.md" - force: yes - -# -# Formatting & Linters -# - - - name: Terraform Formatting - shell: | - terraform fmt -recursive {{ destination_base_path }} diff --git a/templates/platform/ansible/load_deployments.yaml b/templates/platform/ansible/load_deployments.yaml deleted file mode 100644 index f6b358be8..000000000 --- a/templates/platform/ansible/load_deployments.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ - -- name: "Process 1 deployment file {{stage}}" - set_fact: - "{{stage}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][item]}}') | from_yaml }}" - loop: "{{topology.deployments[stage].keys()}}" - when: - - stage == 'root' or stage == 'eslz' - - topologies is not defined - -- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/" - ansible.builtin.template: - src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}" - dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}" - loop: "{{topology.deployments[stage].keys()}}" - when: - - stage == 'root' - - topologies is defined - -- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/" - ansible.builtin.template: - src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}" - dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}" - loop: "{{topology.deployments[stage].keys()}}" - when: - - stage == 'eslz' - - topologies is defined - - -- name: "Process 2 deployment file {{stage}}" - include_tasks: "load_deployments_eslz.yaml" - loop: "{{topology.deployments[stage].keys()}}" - loop_control: - loop_var: service - when: - - stage == 'eslz' - - topologies is defined - -- name: "Process 2 deployment file {{stage}}" - include_tasks: "load_deployments_env.yaml" - loop: "{{topology.deployments[stage].keys()}}" - loop_control: - loop_var: service - when: - - stage == 'scale_out_domains' diff --git a/templates/platform/ansible/load_deployments_eslz.yaml b/templates/platform/ansible/load_deployments_eslz.yaml deleted file mode 100644 index b0f35fdf4..000000000 --- a/templates/platform/ansible/load_deployments_eslz.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ - -- name: "{{destination_eslz_path}} - Set tfstate_object" - set_fact: - tfstate_object: "{{topologies['eslz_' + service].tfstate}}" - -- name: "{{destination_path}}/{{stage}} - Set landingzone file_path" - set_fact: - destination_eslz_path: "{{destination_path}}/{{stage}}/{{service}}" - template_folder: "{{config_folder_platform_templates}}/{{ tfstate_object.template_lib_folder}}" - -- name: "{{destination_eslz_path}} - Set landingzone file_path" - set_fact: - template_lib_folder: "{{template_folder}}/lib/{{ tfstate_object.eslz_version }}" - -- name: "{{destination_eslz_path}} - Set landingzone file_path" - set_fact: - mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" - mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}" - -- debug: - msg: "{{destination_eslz_path}}" - -- name: "Clean-up destination directory" - shell: | - rm -rf "{{ destination_eslz_path }}" - when: - - topology.enterprise_scale[service].clean_up_destination_folder - -- name: "Creates directory structure - {{template_lib_folder}}" - shell: mkdir -p "{{ destination_eslz_path }}/lib/{{ item.path }}" - with_filetree: "{{ template_lib_folder }}" - when: - - item.state == 'directory' - -- name: " Lib" - ansible.builtin.template: - src: "{{ item.src }}" - dest: "{{ destination_eslz_path }}/lib/{{ item.path }}" - force: yes - with_filetree: "{{ template_lib_folder }}" - when: - - item.state == 'file' - - item.path is not search(".j2") - - item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md") - - topologies.platform_core_setup.enterprise_scale[service].update_lib_folder - - -- name: " Lib" - ansible.builtin.template: - src: "{{ item.src }}" - dest: "{{ destination_eslz_path }}/{{ item.path }}" - force: yes - with_filetree: "{{ template_lib_folder }}" - when: - - item.state == 'file' - - item.path is search(".yaml") 
- - topologies.platform_core_setup.enterprise_scale[service].update_lib_folder diff --git a/templates/platform/ansible/process_deployments.yaml b/templates/platform/ansible/process_deployments.yaml deleted file mode 100644 index 529840455..000000000 --- a/templates/platform/ansible/process_deployments.yaml +++ /dev/null @@ -1,38 +0,0 @@ - -- debug: - msg: - - "env: {{env}}" - - "lz_type: {{lz_type}}" - - "tfstate: {{tfstate}}" - - -# - set_fact: -# lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}" - -# - set_fact: -# # tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}" -# env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}" - -# - debug: -# msg: -# - "{{config}}" -# - "{{lz_type}}" -# - "{{tfstate}}" -# - "{{env}}" -# verbosity: 2 - - -- name: "Set tfstate_object" - set_fact: - tfstate_object: '{{resources.tfstates[lz_type][tfstate][env] }}' - - -- debug: - msg: - - "{{tfstate_object}}" - -- name: "Including tasks process_tfstate.yaml" - include_tasks: "process_tfstate.yaml" - loop: ["{{ tfstate }}"] - loop_control: - loop_var: deployment \ No newline at end of file diff --git a/templates/platform/ansible/process_foundations.yaml b/templates/platform/ansible/process_foundations.yaml deleted file mode 100644 index b5ade5c98..000000000 --- a/templates/platform/ansible/process_foundations.yaml +++ /dev/null @@ -1,11 +0,0 @@ - -- debug: - msg: "stage {{stage}} - {{bootstrap[step][stage]}}" - -- include_tasks: "process_stages.yaml" - loop: "{{bootstrap[step][stage].keys()}}" - loop_control: - loop_var: tfstate - vars: - tfstates: "{{bootstrap[step][stage]}}" - lz_type: platform \ No newline at end of file diff --git a/templates/platform/ansible/process_tfstate.yaml b/templates/platform/ansible/process_tfstate.yaml deleted file mode 100644 index 52a3d1314..000000000 --- a/templates/platform/ansible/process_tfstate.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -- debug: - msg: - - "{{lz_type}}" - - "{{deployment}}" - - "{{env}}" - -- name: "Verify {{deployment}} {{lz_type}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :" - debug: - msg: - - "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][deployment] if env == '' else resources.tfstates[lz_type][deployment][env]}}" - -- name: "{{deployment}} - tfstate_object sub_template_folder- {{env}}" - debug: - msg: - - 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}' - - 'tfstate_object - {{tfstate_object}}' - -- name: "{{deployment}} - process subscription resources" - include_tasks: "process_subscription_resources.yaml" - loop: "{{resources['eslz_' + tfstate].subscriptions.keys() if stage == 'eslz' else resources[tfstate].subscriptions.keys() if env == '' else resources[tfstate + '_' + env].subscriptions.keys() }}" - loop_control: - loop_var: subscription_key - vars: - level: "{{tfstate_object.level}}" diff --git a/templates/platform/asvm/orion/config.asvm.yaml b/templates/platform/asvm/orion/config.asvm.yaml deleted file mode 100644 index b39312f88..000000000 --- a/templates/platform/asvm/orion/config.asvm.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# cleanup_destination - recommended to clean and recreated a clean state from template. -configuration_folders: - asvm: - cleanup_destination: true \ No newline at end of file diff --git a/templates/platform/asvm/orion/deployments/orion_dev.yaml b/templates/platform/asvm/orion/deployments/orion_dev.yaml deleted file mode 100644 index 5d411142e..000000000 --- a/templates/platform/asvm/orion/deployments/orion_dev.yaml +++ /dev/null 
@@ -1,511 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level3/asvm/orion/dev - -deployments: - landingzone: - tfstate: - asvm: - orion_dev: - global_settings_key: - platform: - virtual_hubs: non_prod - remote_tfstates: - asvm: - subscriptions: - platform: - virtual_hubs: non_prod - azurerm_firewalls: non_prod - identity_level2: non_prod - asvm: - -subscriptions: - orion_dev: - resource_groups: - rg: - name: orion-dev - backup: - name: orion-dev-backup - networking: - name: orion-dev-networking - preparation: - name: orion-dev-preparation - modeling: - name: orion-dev-modeling - consumption: - name: orion-dev-consumption - analytics: - name: orion-dev-analytics - - virtual_networks: - vnet: - name: orion-dev - resource_group_key: networking - region_key: region1 - dns_servers_keys: - fw_prod_plinks_01: - resource_type: azurerm_firewall - lz_key: connectivity_firewalls_non_prod - key: fw_non_prod_plinks_01 - address_space: - - 10.101.200.0/23 - subnets: - databricks_preparation_egress: - name: databricks-preparation-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.200.0/26 - databricks_preparation_private: - name: databricks-preparation-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.200.64/26 - databricks_modeling_egress: - name: databricks-modeling-egress - nsg_key: databricks_egress - delegation: - 
name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.201.0/26 - databricks_modeling_private: - name: databricks-modeling-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.201.64/26 - consumption: - name: consumption - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.200.128/25 - databricks_notebooks: - name: databricks-notebooks - service_endpoints: - - Microsoft.Storage - - Microsoft.KeyVault - nsg_key: databricks_notebooks - cidr: - - 10.101.201.128/27 - private_endpoints: - name: private-endpoints - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.201.192/27 - - network_security_group_definition: - databricks_egress: - version: 1 - resource_group_key: networking - name: databricks-egress - nsg: - Inbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 5557 - destination_address_prefix: "*" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 22 - destination_address_prefix: "*" - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp - access: Allow - protocol: tcp - 
source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - 405: - name: ICMP - access: Allow - protocol: icmp - source_port_range: "*" - source_address_prefix: "*" - destination_port_range: "*" - destination_address_prefix: "*" - databricks_private: - version: 1 - resource_group_key: networking - name: databricks-private - nsg: - Inbound: - 400: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 401: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp - access: Allow - 
protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - consumption: - version: 1 - resource_group_key: networking - name: consumption - databricks_notebooks: - version: 1 - resource_group_key: networking - name: databricks-notebook - nsg: - Inbound: - 500: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 501: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 500: - name: AzureActiveDirectory - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: 
"AzureActiveDirectory" - destination_port_ranges: - - 80 - - 443 - 501: - name: AzureMachineLearning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureMachineLearning" - destination_port_ranges: - - 443 - 502: - name: AzureResourceManager - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureResourceManager" - destination_port_ranges: - - 443 - 503: - name: Storage SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "Storage.SoutheastAsia" - destination_port_ranges: - - 443 - 504: - name: AzureFrontDoor Frontend - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.Frontend" - destination_port_ranges: - - 443 - 505: - name: Container Registry SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureContainerRegistry.SoutheastAsia" - destination_port_ranges: - - 443 - 506: - name: Microsoft Container Registry SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia" - destination_port_ranges: - - 443 - 507: - name: Keyvault SoutheastAsia - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureKeyVault.SoutheastAsia" - destination_port_ranges: - - 443 - 508: - name: AzureFrontDoor FirstParty - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - destination_port_range: "*" - - virtual_hub_connections: - vnet_to_dev: - name: vnet-orion-dev-TO-non-prod - virtual_hub: - lz_key: connectivity_virtual_hub_non_prod - key: non_prod - vnet: 
- vnet_key: vnet - - recovery_vaults: - asr: - name: vault-orion-dev - resource_group_key: backup - backup_policies: - vms: - default: - name: vm-default-policy - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - - keyvaults: - kv_delegated_sp: - name: oriondev0001 - resource_group_key: rg - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - landingzone_maintainers_non_prod: - lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_non_prod - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - kv_delegated_sp: - app_LZContributors: - azuread_service_principal_key: sp_LZContributors - secret_permissions: - - Get - - azuread_applications: - app_LZContributors: - application_name: app-asvm-orion-dev-Contributors - - azuread_service_principals: - sp_LZContributors: - azuread_application: - key: app_LZContributors - - azuread_credentials: - app_LZContributors: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - key: app_LZContributors - keyvaults: - kv_delegated_sp: - secret_prefix: sp - - azuread_credential_policies: - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 70 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - - custom_role_definitions: - contributors_extended: - name: lz-orion-dev-contributors-extended - useprefix: true - description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." 
- permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/virtualNetworks/join/action - - role_mapping: - custom_role_mapping: - networking: - vnet: - contributors_extended: - azuread_service_principals: - keys: - - sp_LZContributors - - built_in_role_mapping: - resource_groups: - preparation: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - modeling: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - consumption: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - analytics: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - storage_containers: - orion_prod_level3: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - orion_dev_level4: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - diff --git a/templates/platform/asvm/orion/deployments/orion_prod.yaml b/templates/platform/asvm/orion/deployments/orion_prod.yaml deleted file mode 100644 index f67c765e6..000000000 --- a/templates/platform/asvm/orion/deployments/orion_prod.yaml +++ /dev/null 
@@ -1,540 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level3/asvm/orion/prod - -deployments: - landingzone: - tfstate: - asvm: - orion_prod: - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - asvm: - subscriptions: - platform: - virtual_hubs: prod - azurerm_firewalls: prod - identity_level2: prod - asvm: - -subscriptions: - orion_prod: - resource_groups: - rg: - name: orion-prod - backup: - name: orion-prod-backup - networking: - name: orion-prod-networking - preparation: - name: orion-prod-preparation - modeling: - name: orion-prod-modeling - consumption: - name: orion-prod-consumption - analytics: - name: orion-prod-analytics - - virtual_networks: - vnet: - name: orion-prod - resource_group_key: networking - region_key: region1 - dns_servers_keys: - fw_prod_plinks_01: - resource_type: azurerm_firewall - lz_key: connectivity_firewalls_prod - key: fw_prod_plinks_01 - address_space: - - 10.101.8.0/23 - subnets: - databricks_preparation_egress: - name: databricks-preparation-egress - nsg_key: databricks_egress - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.8.0/26 - databricks_preparation_private: - name: databricks-preparation-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.8.64/26 - databricks_modeling_egress: - name: databricks-modeling-egress - nsg_key: databricks_egress - delegation: - name: databricks - 
service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.9.0/26 - databricks_modeling_private: - name: databricks-modeling-private - nsg_key: databricks_private - delegation: - name: databricks - service_delegation: Microsoft.Databricks/workspaces - actions: - - Microsoft.Network/virtualNetworks/subnets/join/action - - Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action - - Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action - cidr: - - 10.101.9.64/26 - consumption: - name: consumption - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.8.128/25 - databricks_notebooks: - name: databricks-notebooks - service_endpoints: - - Microsoft.Storage - - Microsoft.KeyVault - nsg_key: databricks_notebooks - cidr: - - 10.101.9.128/27 - private_endpoints: - name: private-endpoints - enforce_private_link_endpoint_network_policies: true - cidr: - - 10.101.9.192/27 - - network_security_group_definition: - databricks_egress: - version: 1 - resource_group_key: networking - name: databricks-egress - nsg: - Inbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 5557 - destination_address_prefix: "*" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureDatabricks" - destination_port_range: 22 - destination_address_prefix: "*" - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp - access: Allow - protocol: tcp - source_port_range: "*" - 
source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - 405: - name: ICMP - access: Allow - protocol: icmp - source_port_range: "*" - source_address_prefix: "*" - destination_port_range: "*" - destination_address_prefix: "*" - databricks_private: - version: 1 - resource_group_key: networking - name: databricks-private - nsg: - Inbound: - 400: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 401: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 400: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp - access: Allow - protocol: tcp - 
source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "AzureDatabricks" - 401: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 3306 - destination_address_prefix: "Sql" - 402: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 443 - destination_address_prefix: "Storage" - 403: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: "*" - destination_address_prefix: "VirtualNetwork" - 404: - name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "VirtualNetwork" - destination_port_range: 9093 - destination_address_prefix: "EventHub" - consumption: - version: 1 - resource_group_key: networking - name: consumption - databricks_notebooks: - version: 1 - resource_group_key: networking - name: databricks-notebooks - nsg: - Inbound: - 500: - name: Batch Node Management - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "BatchNodeManagement" - destination_address_prefix: "*" - destination_port_ranges: - - 29876 - - 29877 - 501: - name: Azure Machine Learning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "AzureMachineLearning" - destination_address_prefix: "*" - destination_port_ranges: - - 44224 - Outbound: - 500: - name: AzureActiveDirectory - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureActiveDirectory" - 
destination_port_ranges: - - 80 - - 443 - 501: - name: AzureMachineLearning - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureMachineLearning" - destination_port_ranges: - - 443 - 502: - name: AzureResourceManager - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureResourceManager" - destination_port_ranges: - - 443 - 503: - name: Storage - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "Storage" - destination_port_ranges: - - 443 - 504: - name: AzureFrontDoor Frontend - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.Frontend" - destination_port_ranges: - - 443 - 505: - name: Container Registry - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureContainerRegistry" - destination_port_ranges: - - 443 - 506: - name: Microsoft Container Registry - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "MicrosoftContainerRegistry" - destination_port_ranges: - - 443 - 507: - name: Keyvault - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureKeyVault" - destination_port_ranges: - - 443 - 508: - name: AzureFrontDoor FirstParty - access: Allow - protocol: tcp - source_port_range: "*" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - destination_port_range: "*" - - virtual_hub_connections: - vnet_to_prod: - name: vnet-orion-prod-TO-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod - vnet: - vnet_key: vnet - routing: - egress: - lz_key: route tables - propagated_route_table: - labels: - - egress-firewall-prod - static_vnet_route: - 
egress_internet: - name: egress internet - address_prefix: - - 0.0.0.0/0 - # netx_hop_ip_address: 10.101.61.4 - next_hop: - lz_key: caf_networking_firewall - key: - interface_index: 0 - - recovery_vaults: - asr: - name: vault-orion-prod - resource_group_key: backup - backup_policies: - vms: - default: - name: vm-default-policy - timezone: "SE Asia Standard Time" - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - - keyvaults: - kv_delegated_sp: - name: orionprod001 - resource_group_key: rg - creation_policies: - logged_in_user: - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - landingzone_maintainers_prod: - lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_prod - secret_permissions: - - Set - - Get - - List - - Delete - - Purge - - Recover - - keyvault_access_policies: - kv_delegated_sp: - app_LZContributors: - azuread_service_principal_key: sp_LZContributors - secret_permissions: - - Get - - azuread_applications: - app_LZContributors: - application_name: app-asvm-orion-prod-Contributors - - azuread_service_principals: - sp_LZContributors: - azuread_application: - key: app_LZContributors - - azuread_credentials: - app_LZContributors: - type: password - azuread_credential_policy_key: default_policy - azuread_application: - key: app_LZContributors - keyvaults: - kv_delegated_sp: - secret_prefix: sp - - azuread_credential_policies: - default_policy: - length: 250 - special: false - upper: true - number: true - expire_in_days: 70 - rotation_key0: - days: 33 - rotation_key1: - days: 58 - - azuread_groups_membership: - caf_prod_landingzones_dns_contributors: - azuread_service_principals: - sp_LZContributors: - group_lz_key: identity_level2 - keys: - - sp_LZContributors - caf_ac_landingzone_maintainers_prod: - azuread_service_principals: - sp_LZContributors: - group_lz_key: asvm - keys: - - sp_LZContributors - - custom_role_definitions: - contributors_extended: - name: 
lz-orion-prod-contributors-extended - useprefix: true - description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." - permissions: - actions: - - Microsoft.Network/privateDnsZones/join/action - - Microsoft.Network/virtualNetworks/join/action - - role_mapping: - custom_role_mapping: - networking: - vnet: - contributors_extended: - azuread_service_principals: - keys: - - sp_LZContributors - - built_in_role_mapping: - resource_groups: - preparation: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - modeling: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - consumption: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - analytics: - Owner: - azuread_service_principals: - keys: - - sp_LZContributors - storage_containers: - orion_prod_level3: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors - orion_prod_level4: - lz_key: orion_subscriptions - Storage Blob Data Contributor: - azuread_service_principals: - keys: - - sp_LZContributors diff --git a/templates/platform/asvm/orion/deployments/subscriptions.yaml b/templates/platform/asvm/orion/deployments/subscriptions.yaml deleted file mode 100644 index 2715fced1..000000000 --- a/templates/platform/asvm/orion/deployments/subscriptions.yaml +++ /dev/null @@ -1,31 +0,0 @@ -gitops: - caf_landingzone_branch: aci_network - -relative_destination_folder: level3/asvm/orion/subscriptions - -deployments: - landingzone: - tfstate: - asvm: - subscriptions: - global_settings_key: - platform: - asvm: - remote_tfstates: - platform: - asvm: - -subscriptions: - launchpad: - subscriptions: - orion_dev: - name: orion-dev - create_alias: false - subscription_id: - - orion_prod: - name: orion-prod - create_alias: false - subscription_id: - - \ No newline at end of file 
diff --git a/templates/platform/asvm/orion/readme.md b/templates/platform/asvm/orion/readme.md deleted file mode 100644 index 71db174b6..000000000 --- a/templates/platform/asvm/orion/readme.md +++ /dev/null @@ -1,16 +0,0 @@ -# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM) - -## Generate the configuration files - -```bash - -rover ignite \ - --playbook /tf/caf/landingzones/templates/platform/ansible.yaml \ - -e base_templates_folder=/tf/caf/landingzones/templates/platform \ - -e resource_template_folder=/tf/caf/landingzones/templates/resources \ - -e config_folder=/tf/caf/definitions/asvm/orion-landingzone \ - -e config_folder_platform=/tf/caf/definitions \ - -e landingzones_folder=/tf/caf/landingzones - - -``` \ No newline at end of file diff --git a/templates/platform/asvm/orion/tfstates.asvm.yaml b/templates/platform/asvm/orion/tfstates.asvm.yaml deleted file mode 100644 index e745ac2f8..000000000 --- a/templates/platform/asvm/orion/tfstates.asvm.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# ### orion ### -tfstates: - asvm: - subscriptions: - lz_key_name: orion_subscriptions - tfstate: orion_subscriptions.tfstate - workspace: tfstate - level: level3 - sub_template_folder: level3 - yaml: level3/ansible.yaml - - orion_dev: - lz_key_name: orion_dev_level3 - tfstate: orion_dev_level3.tfstate - workspace: orion-dev - level: level3 - sub_template_folder: level3 - yaml: level3/ansible.yaml - - - orion_prod: - lz_key_name: orion_prod_level3 - tfstate: orion_prod_level3.tfstate - workspace: orion-prod - level: level3 - sub_template_folder: level3 - yaml: level3/ansible.yaml - diff --git a/templates/platform/asvm/walk-through.yaml b/templates/platform/asvm/walk-through.yaml deleted file mode 100644 index 837756b7c..000000000 --- a/templates/platform/asvm/walk-through.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# -# Initial script to select a topology and create the base templates for the definitions folder -# -# ansible-playbook /tf/caf/landingzones/templates/platform/asvm/walk-through.yaml \ -# -e topology_folder=/tf/caf/landingzones/templates/platform/asvm/orion \ -# -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \ -# -e landingzones_folder=/tf/caf/landingzones \ -# -e destination_folder=/tf/caf/definitions/asvm/orion - -- name: Deploy template to definition's folder - hosts: localhost - - tasks: - - - name: Get template files - register: asvm_files - find: - paths: {{topology_file}} - file_type: file - - - debug: - - msg: "{{asvm_files}}" - - - name: Deploy files - ansible.builtin.template: - src: "{{topology_folder}}/{{item}}" - dest: "{{destination_folder}}/{{item}}" - loop: \ No newline at end of file diff --git a/templates/platform/deploy_platform.sh b/templates/platform/deploy_platform.sh new file mode 100755 index 000000000..853a96326 --- /dev/null +++ b/templates/platform/deploy_platform.sh @@ -0,0 +1,12 @@ +#! /bin/bash + +export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False + +ansible-playbook /tf/caf/landingzones/templates/ansible/walk-through-single.yaml \ + -e topology_file=/tf/caf/landingzones/templates/platform/single_subscription.yaml \ + -e public_templates_folder=/tf/caf/landingzones/templates \ + -e landingzones_folder=/tf/caf/landingzones \ + -e platform_configuration_folder=/tf/caf/configuration \ + -e platform_definition_folder=/tf/caf/platform/definition \ + -e platform_template_folder=/tf/caf/platform/template \ + --extra-vars "@/tf/caf/landingzones/templates/platform/template_topology.yaml" diff --git a/templates/platform/generic/readme.md b/templates/platform/generic/readme.md index 9c9e84e37..d68332d2d 100644 --- a/templates/platform/generic/readme.md +++ b/templates/platform/generic/readme.md 
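Review bot: deploy_platform.sh carries no header comment, and every path it passes is hard-coded under /tf/caf, so a reader cannot tell where it is meant to run or what must already exist; a comment after the shebang such as `# Run from inside the rover container (paths under /tf/caf are mounted there): renders the platform configuration for the single_subscription topology from the definition folder — confirm paths against your mount layout` would make that explicit. Ansible resolves extra vars in command-line order with the last definition winning, so any key that template_topology.yaml also defines silently overrides the `-e` values given before it; either note that this is intended or move `--extra-vars "@/tf/caf/landingzones/templates/platform/template_topology.yaml"` ahead of the `-e` options so the explicit values take precedence. The shebang `#! /bin/bash` works, but the conventional form used by the other scripts in this repository is `#!/bin/bash`.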
@@ -4,24 +4,24 @@ rover logout # login a with a user member of the caf-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[ tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details[resources.subscriptions.keys() | first].subscription_id }} \ {% elif subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id is defined %} -target_subscription {{ subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ tfstate_object.tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -w {{ tfstate_object.workspace | default('tfstate') }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ diff --git a/templates/platform/level0/README.md b/templates/platform/level0/README.md index ab7f0421c..ea9085fca 100644 --- a/templates/platform/level0/README.md +++ b/templates/platform/level0/README.md 
@@ -15,7 +15,7 @@ Platform- Subscriptions | Deploys platform subscriptions such as managemen management | Foundation resources to management subscription such as service health alerts, log analytics gitops | This directory hosts the Azure DevOps configurations such as Azure DevOps projects, pipelines variable groups Identity | This hosts the identities for the pipelines and identies are pushed to vault after created -Enterprise scale - Platform | Deploys eslz resources suych as management groups, custom roles, policies, and map that to management groups +Enterprise scale - Platform | Deploys alz resources suych as management groups, custom roles, policies, and map that to management groups ### Level 2 diff --git a/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml b/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml index 8ddd78a86..e63cc182d 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml +++ b/templates/platform/level0/billing_subscription_role_delegations/ansible.yaml 
@@ -5,14 +5,14 @@ when: resources.configuration_folders.platform.cleanup_destination | bool - name: "[{{ level }}-{{ base_folder }}] Creates directory" - when: resources.caf_terraform.billing_subscription_role_delegations.enable == true + when: resources.billing_subscription_role_delegations.enable == true register: level0_billing_subscription_role_delegations file: path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}" state: directory - name: "[{{ level }}-{{ base_folder }}] subscription role delegation" - when: resources.caf_terraform.billing_subscription_role_delegations.enable == true + when: resources.billing_subscription_role_delegations.enable == true ansible.builtin.template: src: "{{ item }}" dest: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}" diff --git a/templates/platform/level0/billing_subscription_role_delegations/readme.md b/templates/platform/level0/billing_subscription_role_delegations/readme.md index ff67da8f1..478e1ff46 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/readme.md +++ b/templates/platform/level0/billing_subscription_role_delegations/readme.md 
@@ -3,17 +3,17 @@ Set-up the subscription delegations for platform and landingzone subscriptions ```bash -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} -rover login -t {{ resources.platform_identity.tenant_name }} +# Login to the subscription {{ resources.caf_launchpad.subscription_name }} with the user {{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} rover \ -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/level0/billing_subscription_role_delegations \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ -tfstate {{ resources.tfstates.platform.billing_subscription_role_delegations.tfstate }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ -launchpad \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.billing_subscription_role_delegations.tfstate }}.tfplan \ -a plan 
@@ -25,13 +25,13 @@ rover logout # Run rover ignite to generate the next level configuration files To execute this step you need to login with on of the CAF maintainers: -{% for maintainer in resources.platform_identity.caf_platform_maintainers %} +{% for maintainer in resources.azure_landing_zones.identity.caf_platform_maintainers %} - {{ maintainer }} {% endfor %} ```bash -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} rover ignite \ --playbook {{ landingzones_folder }}/ansible.yaml \ diff --git a/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 b/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 index 2e8521165..ec1470b08 100644 --- a/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 +++ b/templates/platform/level0/billing_subscription_role_delegations/subscription_creation_roles.tfvars.j2 @@ -2,8 +2,8 @@ subscription_billing_role_assignments = { # Delegated accounts who can create subscriptions. # Used by Gitops pipelines subscription_creators = { - billing_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" - enrollment_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}" + billing_account_name = "{{ resources.billing_subscription_role_delegations.billing_account_name }}" + enrollment_account_name = "{{ resources.billing_subscription_role_delegations.enrollment_account_name }}" billing_role_definition_name = "Enrollment account subscription creator" principals = { diff --git a/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 b/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 index 0e87a4c76..0966415cb 100644 --- a/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 
+++ b/templates/platform/level0/credentials/dynamic_secrets.tfvars.j2 @@ -14,7 +14,7 @@ dynamic_keyvault_secrets = { } tenant_id = { secret_name = "tenant-id" - value = "{{ resources.caf_terraform.launchpad.tenant_id }}" # {{ resources.platform_identity.tenant_name }} Tenant + value = "{{ resources.caf_launchpad.tenant_id }}" # {{ resources.azure_landing_zones.identity.tenant_name }} Tenant } } diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index 8311aa48c..00a8ac9fc 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md 
@@ -3,43 +3,43 @@ ```bash # For manual bootstrap: -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} -rover login -t {{ resources.platform_identity.tenant_name }} +# Login to the subscription {{ resources.caf_launchpad.subscription_name }} with the user {{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ -tfstate {{ resources.tfstates.platform.launchpad_credentials.tfstate }} \ -launchpad \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \ -a plan ``` -If the plan is not successfull you need to come back to the yaml {{resources.customer_name}}.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan. +If the plan is not successfull you need to come back to the yaml {{customer_name}}.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan. 
```bash # On success plan, execute rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ -tfstate {{ resources.tfstates.platform.launchpad_credentials.tfstate }} \ -launchpad \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \ -a apply @@ -49,13 +49,8 @@ rover \ ```bash # On success, re-execute the rover ignite -rover ignite \ - --playbook {{ base_templates_folder }}/ansible/ansible.yaml \ - -e base_templates_folder={{ base_templates_folder }} \ - -e resource_template_folder={{resource_template_folder}} \ - -e config_folder={{ config_folder }} \ - -e landingzones_folder={{ landingzones_folder }} \ - -e destination_folder={{destination_folder}} +ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \ + --extra-vars "@{{platform_definition_folder}}/ignite.yaml" ``` 
@@ -67,7 +62,7 @@ Just re-execute the plan/apply command as above and you will notice the rover wi When you have successfully deployed the launchpad you can move to the next step. -{% if resources.caf_terraform.billing_subscription_role_delegations.enable %} +{% if resources.billing_subscription_role_delegations.enable %} [[Deploy the billing subscription role delegation](../billing_subscription_role_delegations/readme.md) {% else %} [Deploy the subscription services](../../level1/subscriptions/readme.md) diff --git a/templates/platform/level0/credentials/role_mappings.tfvars.j2 b/templates/platform/level0/credentials/role_mappings.tfvars.j2 index b6ea33f21..cb7c67a3e 100644 --- a/templates/platform/level0/credentials/role_mappings.tfvars.j2 +++ b/templates/platform/level0/credentials/role_mappings.tfvars.j2 @@ -6,7 +6,7 @@ role_mapping = { built_in_role_mapping = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %} resource_groups = { sp_credentials = { "Contributor" = { diff --git a/templates/platform/level0/launchpad/ansible.yaml b/templates/platform/level0/launchpad/ansible.yaml index 45f884293..096b68067 100644 --- a/templates/platform/level0/launchpad/ansible.yaml +++ b/templates/platform/level0/launchpad/ansible.yaml @@ -10,8 +10,8 @@ register: launchpad_storage_account shell: | az storage account list \ - --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ tfstate_object.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name + --subscription {{ resources.caf_launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ tfstate_object.level }}' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - debug: msg: "{{launchpad_storage_account}}" 
@@ -33,21 +33,21 @@ - name: "[{{resources[tfstate].relative_destination_folder}}] Get subscription_creation_landingzones details" when: - launchpad_tfstate_exists.rc == 0 - - resources.platform_core_setup.enable_azure_subscription_vending_machine + - resources.enable_azure_subscription_vending_machine shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}" register: launchpad_tfstate - name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad json data" when: - launchpad_tfstate_exists.rc == 0 - - resources.platform_core_setup.enable_azure_subscription_vending_machine + - resources.enable_azure_subscription_vending_machine set_fact: scljsondata: "{{ launchpad_tfstate.stdout | from_json }}" - name: "[{{resources[tfstate].relative_destination_folder}}] set launchpad_azuread_groups" when: - launchpad_tfstate_exists.rc == 0 - - resources.platform_core_setup.enable_azure_subscription_vending_machine + - resources.enable_azure_subscription_vending_machine set_fact: launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}" vars: diff --git a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 index 562e5c141..0779f818d 100644 --- a/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 +++ b/templates/platform/level0/launchpad/azuread_group_members.tfvars.j2 
@@ -1,20 +1,20 @@ -{% if resources.platform_identity.enable_azuread_groups %} +{% if bootstrap.enable_azuread_groups %} azuread_groups_membership = { caf_platform_maintainers = { -{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %} object_ids = { logged_in = { keys = ["user"] } } {% endif %} -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %} members = { -{% if resources.platform_identity.caf_platform_maintainers.user_principal_names is defined %} +{% if bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names is defined %} user_principal_names = [ - "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}", -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and resources.platform_identity.caf_platform_maintainers.user_principal_names is mapping%} -{% for user in resources.platform_identity.caf_platform_maintainers.user_principal_names %} + "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}", +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names is mapping%} +{% for user in bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names %} "{{ user }}", {% endfor %} {% endif %} 
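Review bot: The guard at the top of the hunk reads the Azure AD groups flag as `bootstrap.enable_azuread_groups`, while the keyvaults template in the same patch reads `bootstrap.azure_landing_zones.identity.enable_azuread_groups` to decide whether `caf_platform_maintainers` gets a key vault access policy. If only one of those keys exists in the platform definition the two templates disagree: depending on how undefined values are handled, either one render fails or the vault policy references a group whose membership block was never rendered. Align on a single path, e.g. `{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %}`. Separately, `{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}` is appended unconditionally to the maintainers group; if that account is only meant to bootstrap the platform, a comment stating that and when it should be removed from the group would help operators apply least privilege later.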
@@ -25,14 +25,14 @@ azuread_groups_membership = { } caf_platform_contributors = { members = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} -{% if resources.platform_identity.caf_platform_maintainers.user_principal_names is mapping %} - user_principal_names = {{ resources.platform_identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %} +{% if bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names is mapping %} + user_principal_names = {{ bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% endif %} {% endif %} } } } {% else %} -# Azure AD Groups in resources.platform_identity.enable_azuread_groups is not set to true +# Azure AD Groups in bootstrap.enable_azuread_groups is not set to true {% endif %} \ No newline at end of file diff --git a/templates/platform/level0/launchpad/global_settings.tfvars.j2 b/templates/platform/level0/launchpad/global_settings.tfvars.j2 index 11a1feaa8..4818ef650 100644 --- a/templates/platform/level0/launchpad/global_settings.tfvars.j2 +++ b/templates/platform/level0/launchpad/global_settings.tfvars.j2 
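Review bot: The `caf_platform_contributors` group is populated from `bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names`, i.e. the maintainers list, so every maintainer also lands in the contributors group and there is no way to declare a distinct, less privileged contributor set. This looks like a copy-paste and is worth confirming; if a separate list is intended the line should read `user_principal_names = {{ bootstrap.azure_landing_zones.identity.caf_platform_contributors.user_principal_names | ... }}` with the same filter chain. The `is mapping` test guarding it is also suspicious for what is presumably a list of UPNs, since a list is not a mapping and the block would then never render; confirm the expected type. The `replace`-based conversion of a Python repr into HCL breaks on a UPN containing a comma or quote; if this is rendered by Ansible, `| to_json` yields a valid HCL list directly.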
@@ -3,25 +3,25 @@ # # passthrough means the default CAF naming convention is not applied and you are responsible # of the unicity of the names you are giving. the CAF provider will clear out -passthrough = {{ resources.caf_terraform.naming_convention.passthrough | string | lower }} +passthrough = {{ bootstrap.naming_convention.passthrough | string | lower }} # adds random chars at the end of the names produced by the provider # Do not change the following values once the launchpad deployed. # Enable tag inheritance (can be changed) -inherit_tags = {{ resources.caf_terraform.naming_convention.inherit_tags | string | lower }} +inherit_tags = {{ bootstrap.naming_convention.inherit_tags | string | lower }} # When passthrough is set to false, define the number of random characters to add to the names -random_length = {{ resources.caf_terraform.naming_convention.random_length }} +random_length = {{ bootstrap.naming_convention.random_length }} # Set the prefix that will be added to all azure resources. # if not set and passthrough=false, the CAF module generates a random one. -{% if resources.caf_terraform.naming_convention.prefix is defined %} -prefix = "{{ resources.caf_terraform.naming_convention.prefix }}" +{% if bootstrap.naming_convention.prefix is defined %} +prefix = "{{ bootstrap.naming_convention.prefix }}" {% endif %} # Default region. When not set to a resource it will use that value -default_region = "{{ resources.caf_terraform.launchpad.default_region_key }}" +default_region = "{{ bootstrap.default_region_key }}" # You can reference the regions by using region1, region2 or set your own keys regions = { -{% for key, value in resources.caf_terraform.launchpad.regions.items() %} +{% for key, value in bootstrap.caf_regions.items() %} {{ key }} = "{{ value }}" {% endfor %} } 
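Review bot: The `regions` loop at the end of the hunk writes `{{ key }} = "{{ value }}"`, using each entry of `bootstrap.caf_regions` directly as the region string, while the archetype override templates in this same patch index `resources.caf_regions[key].name` and `.slug`, treating each entry as a mapping. If `bootstrap.caf_regions` has that same shape, this renders the mapping's repr into `global_settings.tfvars` and `default_region = "{{ bootstrap.default_region_key }}"` points at an unusable region; the line should then be `{{ key }} = "{{ value.name }}"`. If the two structures genuinely differ, a comment above the loop stating the expected shape of `caf_regions` would stop the next refactor from tripping on it.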
@@ -36,10 +36,10 @@ launchpad_key_names = { ] } -{% if resources.caf_terraform.launchpad.tags is defined %} +{% if bootstrap.launchpad.tags is defined %} # Global tags tags = { -{% for tag_key, tag_value in resources.caf_terraform.launchpad.tags.items() %} +{% for tag_key, tag_value in bootstrap.launchpad.tags.items() %} {{ tag_key }} = "{{ tag_value }}" {% endfor %} } diff --git a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 index 320ccb59e..6f9e6600f 100644 --- a/templates/platform/level0/launchpad/keyvaults.tfvars.j2 +++ b/templates/platform/level0/launchpad/keyvaults.tfvars.j2 
@@ -1,21 +1,21 @@ keyvaults = { level0 = { - name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.name }}" - resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.resource_group_key }}" - sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" + name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level0.name }}" + resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level0.resource_group_key }}" + sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level0" - caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}" + caf_environment = "{{ bootstrap.caf_environment }}" } creation_policies = { - // {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} + // {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }} bootstrap_user = { - object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" + object_id = "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if resources.platform_identity.enable_azuread_groups %} +{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] 
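Review bot: Under `level0`, `sku_name` reads `keyvaults.level1.sku_name` rather than `keyvaults.level0.sku_name`, so a SKU configured for the level0 vault is ignored and level1's (or the `standard` default) is used; change it to `keyvaults.level0.sku_name | default('standard')`. Separately, `bootstrap_user` receives `Set, Get, List, Delete, Purge, Recover` on the level0 vault, the same set as the maintainers group; if the EA account owner only needs to seed secrets during bootstrap, consider dropping `Purge` and `Delete`, or add a comment stating that this policy is expected to be removed once the platform identities exist. The `level0` block continues outside the hunk.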
@@ -25,7 +25,7 @@ keyvaults = { secret_permissions = ["Get"] } {% endif %} -{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy # More examples in /examples/keyvault 
@@ -37,21 +37,21 @@ keyvaults = { } level1 = { - name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.name }}" - resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.resource_group_key }}" - sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" + name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.name }}" + resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.resource_group_key }}" + sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level1" - caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}" + caf_environment = "{{ bootstrap.caf_environment }}" } creation_policies = { - // {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} + // {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }} bootstrap_user = { - object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" + object_id = "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if resources.platform_identity.enable_azuread_groups %} +{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] 
@@ -61,7 +61,7 @@ keyvaults = { secret_permissions = ["Get"] } {% endif %} -{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy # More examples in /examples/keyvault 
@@ -73,21 +73,21 @@ keyvaults = { } level2 = { - name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.name }}" - resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.resource_group_key }}" - sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" + name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level2.name }}" + resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level2.resource_group_key }}" + sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level2" - caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}" + caf_environment = "{{ bootstrap.caf_environment }}" } creation_policies = { - // {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} + // {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }} bootstrap_user = { - object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" + object_id = "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } -{% if resources.platform_identity.enable_azuread_groups %} +{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %} caf_platform_maintainers = { azuread_group_key = "caf_platform_maintainers" secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] 
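Review bot: Under `level2`, `sku_name` again reads `keyvaults.level1.sku_name` instead of `keyvaults.level2.sku_name`, so the level2 vault cannot be given its own SKU; change it to `keyvaults.level2.sku_name | default('standard')`. Only the `level1` block in this file reads its own key, which suggests the level0 and level2 blocks were copied from it and the key was not adjusted. The `level2` block continues outside the hunk.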
@@ -97,7 +97,7 @@ keyvaults = { secret_permissions = ["Get"] } {% endif %} -{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy # More examples in /examples/keyvault diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index bf86fb2b7..89b81fd41 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md @@ -1,4 +1,4 @@ -# Launchpad - {{ resources.caf_terraform.launchpad.caf_environment }} +# Launchpad - {{ bootstrap.caf_environment }} ## Pre-requisites 
@@ -11,19 +11,19 @@ This scenario requires the following privileges: ## Deployment -{% if resources.caf_terraform.billing_subscription_role_delegations is defined %} +{% if bootstrap.billing_subscription_role_delegations is defined %} ### Pre-requisite Elevate your credentials to the tenant root level to have enough privileges to create the management group hierarchy. ```bash -{% if resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +{% if bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} +# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with the user {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }} {% else %} -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with an account owner. +# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with an account owner. {% endif %} -rover login -t {{ resources.platform_identity.tenant_name }} -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} +rover login -t {{ bootstrap.azure_landing_zones.identity.tenant_name }} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %} az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" {% endif %} 
@@ -33,33 +33,33 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap ### Launchpad ```bash -{% if resources.caf_terraform.billing_subscription_role_delegations is defined %} -{% if resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +{% if bootstrap.billing_subscription_role_delegations is defined %} +{% if bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %} +# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with the user {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }} {% else %} -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with an account owner. +# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with an account owner. 
{% endif %} {% endif %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} +rover login -t {{ bootstrap.azure_landing_zones.identity.tenant_name }} -s {{ bootstrap.caf_launchpad.subscription_id }} cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.gitops.caf_landingzone_branch }} +git checkout {{ bootstrap.caf_landingzone_branch }} git pull rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_launchpad \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \ + -tfstate_subscription_id {{ bootstrap.caf_launchpad.subscription_id }} \ + -target_subscription {{ bootstrap.caf_launchpad.subscription_id }} \ + -tfstate {{ tfstate_object.tfstate }} \ -launchpad \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ bootstrap.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan ``` 
@@ -71,18 +71,18 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla # On success plan, execute rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_launchpad \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \ + -tfstate_subscription_id {{ bootstrap.caf_launchpad.subscription_id }} \ + -target_subscription {{ bootstrap.caf_launchpad.subscription_id }} \ + -tfstate {{ tfstate_object.tfstate }} \ -launchpad \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ bootstrap.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a apply ``` 
@@ -92,17 +92,12 @@ Execute a rover logout and rover login in order to make sure your azure sessions ```bash rover logout -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ bootstrap.azure_landing_zones.identity.tenant_name }} # On success, re-execute the rover ignite -rover ignite \ - --playbook {{ base_templates_folder }}/ansible/ansible.yaml \ - -e base_templates_folder={{ base_templates_folder }} \ - -e resource_template_folder={{resource_template_folder}} \ - -e config_folder={{ config_folder }} \ - -e landingzones_folder={{ landingzones_folder }} \ - -e destination_folder={{destination_folder}} +ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \ + --extra-vars "@{{platform_definition_folder}}/ignite.yaml" ``` @@ -110,7 +105,7 @@ rover ignite \ When you have successfully deployed the launchpad you can move to the next step. -{% if resources.platform_identity.azuread_identity_mode == 'service_principal' %} +{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'service_principal' %} [Deploy the credentials landing zone](../credentials/readme.md) {% else %} [Deploy the management services](../../level1/management/readme.md) 
@@ -126,13 +121,13 @@ Destroying the launchpad is a specific opertion that requires the tfstate to be rover \ -lz {{ landingzones_folder }}/caf_launchpad \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - -tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \ + -tfstate_subscription_id {{ bootstrap.caf_launchpad.subscription_id }} \ + -target_subscription {{ bootstrap.caf_launchpad.subscription_id }} \ + -tfstate {{ tfstate_object.tfstate }} \ -launchpad \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ bootstrap.caf_environment }} \ -level {{ level }} \ - -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \ + -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a destroy ``` \ No newline at end of file diff --git a/templates/platform/level1/eslz/ansible.yaml b/templates/platform/level1/alz/ansible.yaml similarity index 53% rename from templates/platform/level1/eslz/ansible.yaml rename to templates/platform/level1/alz/ansible.yaml index c0b842c41..b3cc416c6 100644 --- a/templates/platform/level1/eslz/ansible.yaml +++ b/templates/platform/level1/alz/ansible.yaml 
@@ -1,28 +1,27 @@ -- name: "{{level }}-{{ deployment}} - Set landingzone file_path" +- name: "{{level }}-{{ tfstate}} - Set landingzone file_path" set_fact: - # destination_path: "{{destination_base_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}" - mg: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" - mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}" + mg: "{{ lookup('file', '{{ platform_definition_folder }}/alz/{{tfstate}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}" + mg_custom: "{{ lookup('file', '{{ platform_definition_folder }}/alz/{{tfstate}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}" level: "{{tfstate_object.level}}" - definition_source_folder: "{{config_folder}}/eslz/{{ deployment}}" - template_source_folder: "{{base_templates_folder}}/{{tfstate_object.template_lib_folder}}" + definition_source_folder: "{{platform_definition_folder}}/alz/{{ tfstate}}" + template_source_folder: "{{public_templates_folder}}/{{tfstate_object.template_lib_folder}}" verbosity: 2 - debug: msg: "{{destination_path}}" -- name: "{{ level }}-{{ deployment }} | Clean-up base directory" +- name: "{{ level }}-{{ tfstate }} | Clean-up base directory" shell: | rm -rf "{{ destination_path }}" when: - - resources.platform_core_setup.enterprise_scale[deployment].clean_up_destination_folder + - bootstrap.management_groups[region][tfstate].clean_up_destination_folder -- name: "{{ level }}-{{ deployment }} | Creates directory structure" +- name: "{{ level }}-{{ tfstate }} | Creates directory structure" shell: mkdir -p "{{ destination_path }}/{{ item.path }}" with_filetree: "{{ definition_source_folder }}" when: item.state == 'directory' -- name: "{{ level }}-{{ deployment }} | Tfvars" +- name: "{{ level }}-{{ tfstate }} | Tfvars" ansible.builtin.template: src: "{{ item }}" dest: "{{ 
destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" 
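Review bot: The clean-up task runs `rm -rf "{{ destination_path }}"` while nothing in the hunk sets `destination_path` (the commented-out assignment in `set_fact` is removed on the new side) and nothing validates it beyond the preceding `debug`; an undefined variable should fail at render time, but a stale or overly broad value carried in from an earlier play would delete the wrong tree. Guard it with `- destination_path is defined and destination_path | length > 0` next to the existing `clean_up_destination_folder` condition, or use `ansible.builtin.file` with `state: absent`, which fails cleanly on an empty path. The `lookup('file', ...)` calls build paths from `tfstate` used as a directory name, so a short comment stating where `tfstate` and `destination_path` are expected to come from would help. The `Tfvars` task's body continues outside the hunk.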
@@ -31,45 +30,45 @@ - "{{ template_source_folder }}/*.j2" - "{{ template_source_folder }}/*.md" -- name: "{{ level }}-{{ deployment }} | Lib - archetypes - built-in" +- name: "{{ level }}-{{ tfstate }} | Lib - archetypes - built-in" ansible.builtin.template: - src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/archetype_definitions/archetype_definition_template.json.j2" + src: "{{ template_source_folder }}/lib/{{tfstate_object.alz_version}}/archetype_definitions/archetype_definition_template.json.j2" dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg.archetype_definitions.keys() }}" loop_control: loop_var: item -- name: "{{ level }}-{{ deployment }} | Lib - archetypes - custom" +- name: "{{ level }}-{{ tfstate }} | Lib - archetypes - custom" when: - mg_custom.archetype_definitions is defined ansible.builtin.template: - src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/archetype_definitions/custom_landing_zone_template.json.j2" + src: "{{ template_source_folder }}/lib/{{tfstate_object.alz_version}}/archetype_definitions/custom_landing_zone_template.json.j2" dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg_custom.archetype_definitions[item].archetype_id }}.json" force: yes loop: "{{ mg_custom.archetype_definitions.keys() }}" loop_control: loop_var: item -- name: "{{ level }}-{{ deployment }} | archetypes" +- name: "{{ level }}-{{ tfstate }} | archetypes" ansible.builtin.template: - src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/{{item}}" + src: "{{ template_source_folder }}/lib/{{tfstate_object.alz_version}}/{{item}}" dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}" force: yes loop: - archetype_config_overrides.tfvars.j2 - custom_landing_zones.tfvars.j2 -- name: "{{ level }}-{{ deployment }} | Lib" +- name: "{{ level }}-{{ tfstate }} 
| Lib"
 ansible.builtin.template:
 src: "{{ item.src }}"
 dest: "{{ destination_path }}/{{ item.path }}"
 force: yes
 with_filetree: "{{ definition_source_folder }}"
 when:
- - item.state == 'file' and resources.platform_core_setup.enterprise_scale[deployment].update_lib_folder
+ - item.state == 'file' and bootstrap.management_groups[region][tfstate].update_lib_folder
-- name: "{{ level }}-{{ deployment }} | overrides"
+- name: "{{ level }}-{{ tfstate }} | overrides"
 when:
 - mg_custom.archetype_definitions is defined
 ansible.builtin.template:
diff --git a/templates/platform/level1/alz/enterprise_scale.tfvars.j2 b/templates/platform/level1/alz/enterprise_scale.tfvars.j2
new file mode 100644
index 000000000..6f5844106
--- /dev/null
+++ b/templates/platform/level1/alz/enterprise_scale.tfvars.j2
@@ -0,0 +1,11 @@
+# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_alz
+library_path = "{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{tfstate}}/lib"
+{% if bootstrap.management_groups[region][tfstate].root_parent_id is defined %}
+root_parent_id = "{{ bootstrap.management_groups[region][tfstate].root_parent_id }}"
+{% endif %}
+root_id = "{{ bootstrap.management_groups[region][tfstate].management_group_prefix }}"
+root_name = "{{ bootstrap.management_groups[region][tfstate].management_group_name }}"
+deploy_core_landing_zones = {{ bootstrap.management_groups[region][tfstate].deploy_core_landing_zones | string | lower }}
+{% if (bootstrap.enable_azure_subscription_vending_machine | default(false)) and bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
+reconcile_vending_subscriptions = true
+{% endif %}
\ No newline at end of file
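Review bot: The `reconcile_vending_subscriptions` guard reads `bootstrap.enable_azure_subscription_vending_machine | default(false)`, while the launchpad playbook in this patch reads `resources.enable_azure_subscription_vending_machine` with no default; if `bootstrap` and `resources` are not the same object the two can disagree on whether subscription vending is enabled. Pick one root and one defaulting rule for the flag. Emitting `root_parent_id` only when defined leaves the module's own fallback in effect when it is omitted (presumably the tenant root management group; please confirm against the module) — a comment such as `# root_parent_id: omitted -> module default (tenant root); set explicitly to scope the hierarchy` would make that choice visible to whoever owns the management-group tree. The new file also lacks a trailing newline.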
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/alz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 similarity index 86% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 rename to templates/platform/level1/alz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 index d97605f1a..dfb37b052 100644 --- a/templates/platform/level1/eslz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 +++ b/templates/platform/level1/alz/lib/v0.1.x/archetype_config_overrides.tfvars.j2 @@ -6,16 +6,16 @@ archetype_config_overrides = { "Deny-Resource-Locations" = { "listOfAllowedLocations" = { value = [ - "{{ resources.caf_terraform.launchpad.regions.region1.name }}", - "{{ resources.caf_terraform.launchpad.regions.region2.name }}" + "{{ resources.caf_regions.region1.name }}", + "{{ resources.caf_regions.region2.name }}" ] } } "Deny-RSG-Locations" = { "listOfAllowedLocations" = { value = [ - "{{ resources.caf_terraform.launchpad.regions.region1.name }}", - "{{ resources.caf_terraform.launchpad.regions.region2.name }}" + "{{ resources.caf_regions.region1.name }}", + "{{ resources.caf_regions.region2.name }}" ] } } @@ -28,7 +28,7 @@ archetype_config_overrides = { attribute_key = "id" } "profileName" = { - value = "eslz-diagnostic-log" + value = "alz-diagnostic-log" } } "Deploy-VM-Monitoring" = { diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/README.md b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/README.md similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/README.md rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/README.md 
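Review bot: `Deny-Resource-Locations` and `Deny-RSG-Locations` allow only `resources.caf_regions.region1.name` and `resources.caf_regions.region2.name`, while the v0.3.3 variant of this template iterates `resources.caf_regions.keys()`, so any third region declared in `caf_regions` is denied by policy here, and a definition without `region2` either errors or renders an empty entry depending on undefined handling. Iterating the map is both consistent and tolerant: `{% for key in resources.caf_regions.keys() %}`, `"{{ resources.caf_regions[key].name }}",`, `{% endfor %}` in place of each two-line list. This lib is versioned `v0.1.x`; if it is kept only for backward compatibility, a note to that effect at the top of the file would justify leaving it untouched.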
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone.json diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_corp.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_corp.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_corp.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_corp.json diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_online.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_online.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_online.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_landingzone_online.json diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform.json 
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_connectivity.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_connectivity.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_connectivity.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_connectivity.json diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_identity.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_identity.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_identity.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_identity.json diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_management.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_management.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_management.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_platform_management.json diff --git a/templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_root.json b/templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_root.json similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/archetype_definitions/archetype_definition_root.json rename to templates/platform/level1/alz/lib/v0.1.x/archetype_definitions/archetype_definition_root.json 
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 b/templates/platform/level1/alz/lib/v0.1.x/custom_landing_zones.tfvars.j2 similarity index 66% rename from templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 rename to templates/platform/level1/alz/lib/v0.1.x/custom_landing_zones.tfvars.j2 index 75955e0df..d2ee49784 100644 --- a/templates/platform/level1/eslz/lib/v0.1.x/custom_landing_zones.tfvars.j2 +++ b/templates/platform/level1/alz/lib/v0.1.x/custom_landing_zones.tfvars.j2 @@ -1,7 +1,7 @@ custom_landing_zones = { - {{ resources.eslz.root_id }}-corp = { + {{ resources.alz.root_id }}-corp = { display_name = "Corp" - parent_management_group_id = "{{ resources.eslz.root_id }}-landing-zones" + parent_management_group_id = "{{ resources.alz.root_id }}-landing-zones" archetype_config = { archetype_id = "landingzone_corp" parameters = {} @@ -10,9 +10,9 @@ custom_landing_zones = { subscriptions = {} subscription_ids = [] } - {{ resources.eslz.root_id }}-online = { + {{ resources.alz.root_id }}-online = { display_name = "Online" - parent_management_group_id = "{{ resources.eslz.root_id }}-landing-zones" + parent_management_group_id = "{{ resources.alz.root_id }}-landing-zones" archetype_config = { archetype_id = "landingzone_online" parameters = {} diff --git a/templates/platform/level1/eslz/lib/v0.1.x/policy_assignments/README.md b/templates/platform/level1/alz/lib/v0.1.x/policy_assignments/README.md similarity index 100% rename from templates/platform/level1/eslz/lib/v0.1.x/policy_assignments/README.md rename to templates/platform/level1/alz/lib/v0.1.x/policy_assignments/README.md 
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/policy_assignments/policy_assignment_pru_apply_security_benchmark.tmpl.json b/templates/platform/level1/alz/lib/v0.1.x/policy_assignments/policy_assignment_pru_apply_security_benchmark.tmpl.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.1.x/policy_assignments/policy_assignment_pru_apply_security_benchmark.tmpl.json
rename to templates/platform/level1/alz/lib/v0.1.x/policy_assignments/policy_assignment_pru_apply_security_benchmark.tmpl.json
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/policy_definitions/README.md b/templates/platform/level1/alz/lib/v0.1.x/policy_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.1.x/policy_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.1.x/policy_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/policy_set_definitions/README.md b/templates/platform/level1/alz/lib/v0.1.x/policy_set_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.1.x/policy_set_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.1.x/policy_set_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.1.x/role_definitions/README.md b/templates/platform/level1/alz/lib/v0.1.x/role_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.1.x/role_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.1.x/role_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old b/templates/platform/level1/alz/lib/v0.3.3/archetype_config_overrides.old
similarity index 74%
rename from templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old
rename to templates/platform/level1/alz/lib/v0.3.3/archetype_config_overrides.old
index 4b36919b8..59661f5b8 100644
--- a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.old
+++ b/templates/platform/level1/alz/lib/v0.3.3/archetype_config_overrides.old
@@ -6,8 +6,8 @@ archetype_config_overrides = {
 "Allowed-Locations" = {
 "listOfAllowedLocations" = {
 values = [
-{% for key in resources.caf_terraform.launchpad.regions.keys() %}
- "{{ resources.caf_terraform.launchpad.regions[key].name }}",
+{% for key in resources.caf_regions.keys() %}
+ "{{ resources.caf_regions[key].name }}",
 {% endfor %}
 ]
 }
@@ -15,8 +15,8 @@ archetype_config_overrides = {
 "Deny-RSG-Locations" = {
 "listOfAllowedLocations" = {
 values = [
-{% for key in resources.caf_terraform.launchpad.regions.keys() %}
- "{{ resources.caf_terraform.launchpad.regions[key].name }}",
+{% for key in resources.caf_regions.keys() %}
+ "{{ resources.caf_regions[key].name }}",
 {% endfor %}
 ]
 }
@@ -26,11 +26,11 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 "profileName" = {
- value = "eslz-diagnostic-log"
+ value = "alz-diagnostic-log"
 }
 }
 "Deploy-AzActivity-Log" = {
@@ -38,7 +38,7 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 }
@@ -48,7 +48,7 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 }
@@ -59,7 +59,7 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 }
@@ -70,7 +70,7 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 }
@@ -79,7 +79,7 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 }
@@ -92,7 +92,7 @@ archetype_config_overrides = {
 lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
 output_key = "diagnostics"
 resource_type = "log_analytics"
- resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
+ resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
 attribute_key = "id"
 }
 {% for parameter_key in mg.archetype_definitions.root.policy_assignments["Deploy-ASC-Defender"].keys() %}
@@ -109,7 +109,7 @@ archetype_config_overrides = {
 archetype_id = "landingzone"
 parameters = {}
 access_control = {
-{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
 "Owner" = {
 "azuread_groups" = {
 lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
@@ -133,7 +133,7 @@ archetype_config_overrides = {
 archetype_id = "platform_connectivity"
 parameters = {}
 access_control = {
-{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
 "Owner" = {
 "azuread_groups" = {
 lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
@@ -143,8 +143,8 @@ archetype_config_overrides = {
 ]
 }
 }
-{% if resources.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %}
- "[{{ resources.platform_core_setup.enterprise_scale.management_group_prefix | upper }}-CONNECTIVITY] CAF-network-vhub-peering" = {
+{% if resources.azure_landing_zones.enterprise_scale.enable_azure_subscription_vending_machine %}
+ "[{{ resources.azure_landing_zones.enterprise_scale.management_group_prefix | upper }}-CONNECTIVITY] CAF-network-vhub-peering" = {
 "azuread_groups" = {
 lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
 attribute_key = "id"
@@ -162,7 +162,7 @@ archetype_config_overrides = {
 archetype_id = "platform_identity"
 parameters = {}
 access_control = {
-{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
 "Owner" = {
 "azuread_groups" = {
 lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
@@ -180,7 +180,7 @@ archetype_config_overrides = {
 archetype_id = "platform_management"
 parameters = {}
 access_control = {
-{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
 "Owner" = {
 "azuread_groups" = {
 lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/alz/lib/v0.3.3/archetype_config_overrides.tfvars.j2
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/archetype_config_overrides.tfvars.j2
rename to templates/platform/level1/alz/lib/v0.3.3/archetype_config_overrides.tfvars.j2
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_definitions/README.md b/templates/platform/level1/alz/lib/v0.3.3/archetype_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/archetype_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.3.3/archetype_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_definitions/archetype_definition_template.json.j2 b/templates/platform/level1/alz/lib/v0.3.3/archetype_definitions/archetype_definition_template.json.j2
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/archetype_definitions/archetype_definition_template.json.j2
rename to templates/platform/level1/alz/lib/v0.3.3/archetype_definitions/archetype_definition_template.json.j2
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/archetype_definitions/custom_landing_zone_template.json.j2 b/templates/platform/level1/alz/lib/v0.3.3/archetype_definitions/custom_landing_zone_template.json.j2
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/archetype_definitions/custom_landing_zone_template.json.j2
rename to templates/platform/level1/alz/lib/v0.3.3/archetype_definitions/custom_landing_zone_template.json.j2
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2 b/templates/platform/level1/alz/lib/v0.3.3/custom_landing_zones.tfvars.j2
similarity index 91%
rename from templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2
rename to templates/platform/level1/alz/lib/v0.3.3/custom_landing_zones.tfvars.j2
index d6b3890d7..e2119656e 100644
--- a/templates/platform/level1/eslz/lib/v0.3.3/custom_landing_zones.tfvars.j2
+++ b/templates/platform/level1/alz/lib/v0.3.3/custom_landing_zones.tfvars.j2
@@ -1,8 +1,8 @@
 custom_landing_zones = {
 {% for key, level in mg_custom.archetype_definitions.items() %}
- {{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ key }} = {
+ {{ resources.azure_landing_zones.enterprise_scale.management_group_prefix }}-{{ key }} = {
 display_name = "{{ mg_custom.archetype_definitions[key].display_name }}"
- parent_management_group_id = "{{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}"
+ parent_management_group_id = "{{ resources.azure_landing_zones.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}"
 archetype_config = {
 archetype_id = "{{mg_custom.archetype_definitions[key].archetype_id }}"
 {% if mg_custom.archetype_definitions[key].policy_assignments is defined %}
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/policy_assignments/README.md b/templates/platform/level1/alz/lib/v0.3.3/policy_assignments/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/policy_assignments/README.md
rename to templates/platform/level1/alz/lib/v0.3.3/policy_assignments/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/platform/level1/alz/lib/v0.3.3/policy_assignments/policy_assignment_caf_aks_capability.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/policy_assignments/policy_assignment_caf_aks_capability.json
rename to templates/platform/level1/alz/lib/v0.3.3/policy_assignments/policy_assignment_caf_aks_capability.json
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/platform/level1/alz/lib/v0.3.3/policy_assignments/policy_assignment_es_allowed_locations.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/policy_assignments/policy_assignment_es_allowed_locations.json
rename to templates/platform/level1/alz/lib/v0.3.3/policy_assignments/policy_assignment_es_allowed_locations.json
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/policy_definitions/README.md b/templates/platform/level1/alz/lib/v0.3.3/policy_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/policy_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.3.3/policy_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/policy_set_definitions/README.md b/templates/platform/level1/alz/lib/v0.3.3/policy_set_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/policy_set_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.3.3/policy_set_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/role_definitions/README.md b/templates/platform/level1/alz/lib/v0.3.3/role_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/role_definitions/README.md
rename to templates/platform/level1/alz/lib/v0.3.3/role_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v0.3.3/role_definitions/role_definition_caf_vhub_peering.json b/templates/platform/level1/alz/lib/v0.3.3/role_definitions/role_definition_caf_vhub_peering.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v0.3.3/role_definitions/role_definition_caf_vhub_peering.json
rename to templates/platform/level1/alz/lib/v0.3.3/role_definitions/role_definition_caf_vhub_peering.json
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml b/templates/platform/level1/alz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml
similarity index 99%
rename from templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml
rename to templates/platform/level1/alz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml
index f36891f30..3740933ce 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml
+++ b/templates/platform/level1/alz/lib/v1.1.1/archetype_config_overrides.caf.platform.yaml
@@ -71,7 +71,7 @@ archetype_definitions:
 attribute_key: id
 Deploy-LX-Arc-Monitoring:
 Deploy-Resource-Diag:
- profileName: eslz-diagnostic-log
+ profileName: alz-diagnostic-log
 logAnalytics:
 lz_key: management
 output_key: diagnostics
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/alz/lib/v1.1.1/archetype_config_overrides.tfvars.j2
similarity index 89%
rename from templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2
rename to templates/platform/level1/alz/lib/v1.1.1/archetype_config_overrides.tfvars.j2
index b63fcab3a..4ad74b76e 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/archetype_config_overrides.tfvars.j2
+++ b/templates/platform/level1/alz/lib/v1.1.1/archetype_config_overrides.tfvars.j2
@@ -35,7 +35,7 @@ archetype_config_overrides = {
 {% endif %}
 {% if level.archetype_resources.access_control is mapping %}
 access_control = {
-{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %}
 {% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %}
 "{{level_ac_key}}" = {
 {% for level_role_key, level_role in level_ac.items() %}
@@ -49,7 +49,7 @@ archetype_config_overrides = {
 {% endfor %}
 {% else %}
 "Owner" = {
- "principal_ids" = ["{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
+ "principal_ids" = ["{{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
 }
 {% endif %}
 }
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.1/archetype_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/README.md
rename to templates/platform/level1/alz/lib/v1.1.1/archetype_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2 b/templates/platform/level1/alz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2
rename to templates/platform/level1/alz/lib/v1.1.1/archetype_definitions/archetype_definition_template.json.j2
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2 b/templates/platform/level1/alz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2
rename to templates/platform/level1/alz/lib/v1.1.1/archetype_definitions/custom_landing_zone_template.json.j2
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.caf.platform.yaml b/templates/platform/level1/alz/lib/v1.1.1/custom_landing_zones.caf.platform.yaml
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.caf.platform.yaml
rename to templates/platform/level1/alz/lib/v1.1.1/custom_landing_zones.caf.platform.yaml
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2 b/templates/platform/level1/alz/lib/v1.1.1/custom_landing_zones.tfvars.j2
similarity index 81%
rename from templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
rename to templates/platform/level1/alz/lib/v1.1.1/custom_landing_zones.tfvars.j2
index 0ceba9780..570a7c7b0 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/custom_landing_zones.tfvars.j2
+++ b/templates/platform/level1/alz/lib/v1.1.1/custom_landing_zones.tfvars.j2
@@ -1,8 +1,8 @@
 custom_landing_zones = {
 {% for key, level in mg_custom.archetype_definitions.items() %}
- {{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ key }} = {
+ {{ bootstrap.management_groups[region][tfstate].management_group_prefix }}-{{ key }} = {
 display_name = "{{ level.display_name }}"
- parent_management_group_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ level.parent_management_group_id }}"
+ parent_management_group_id = "{{ bootstrap.management_groups[region][tfstate].management_group_prefix }}-{{ level.parent_management_group_id }}"
 archetype_config = {
 archetype_id = "{{ level.archetype_id }}"
 {% if level.policy_assignments is defined %}
@@ -38,7 +38,7 @@ custom_landing_zones = {
 {% endif %}
 {% if level.archetype_resources.access_control is defined %}
 access_control = {
-{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %}
 {% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %}
 "{{level_ac_key}}" = {
 {% for level_role_key, level_role in level_ac.items() %}
@@ -52,7 +52,7 @@ custom_landing_zones = {
 {% endfor %}
 {% else %}
 "Owner" = {
- "principal_ids" = ["{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
+ "principal_ids" = ["{{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
 }
 {% endif %}
 }
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/README.md b/templates/platform/level1/alz/lib/v1.1.1/policy_assignments/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/README.md
rename to templates/platform/level1/alz/lib/v1.1.1/policy_assignments/README.md
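Review bot: The management group id rendered on the new `+` lines of the first hunk now hangs on two context names, `region` and `tfstate`, that nothing in the hunk defines, plus a `management_group_prefix` attribute on `bootstrap.management_groups[region][tfstate]`; if the renderer uses Jinja2's default `Undefined`, a missing `management_group_prefix` prints as an empty string and both the landing-zone key and `parent_management_group_id` silently come out as `-{{ key }}` / `-{{ level.parent_management_group_id }}`, pointing the custom landing zone at a management group that does not exist instead of failing generation. I cannot see how the template environment is configured, so this is inferred; if it is not already `StrictUndefined`, I would make it so, or at least evaluate the prefix once at the top of the loop so a wrong lookup is caught in one place: `{% set mg_prefix = bootstrap.management_groups[region][tfstate].management_group_prefix %}` and then `{{ mg_prefix }}-{{ key }} = {` / `parent_management_group_id = "{{ mg_prefix }}-{{ level.parent_management_group_id }}"`. The enclosing `{% for key, level in mg_custom.archetype_definitions.items() %}` loop continues past the end of the hunk.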
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/platform/level1/alz/lib/v1.1.1/policy_assignments/policy_assignment_caf_aks_capability.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_aks_capability.json
rename to templates/platform/level1/alz/lib/v1.1.1/policy_assignments/policy_assignment_caf_aks_capability.json
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json b/templates/platform/level1/alz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json
rename to templates/platform/level1/alz/lib/v1.1.1/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/platform/level1/alz/lib/v1.1.1/policy_assignments/policy_assignment_es_allowed_locations.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_assignments/policy_assignment_es_allowed_locations.json
rename to templates/platform/level1/alz/lib/v1.1.1/policy_assignments/policy_assignment_es_allowed_locations.json
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.1/policy_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/README.md
rename to templates/platform/level1/alz/lib/v1.1.1/policy_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json b/templates/platform/level1/alz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
similarity index 96%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
rename to templates/platform/level1/alz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
index cddfc581a..daf0fa3df 100644
--- a/templates/platform/level1/eslz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
+++ b/templates/platform/level1/alz/lib/v1.1.1/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
@@ -24,7 +24,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Enable Traffic Analytics",
- "description": null
+ "description": "Enable Traffic Analytics"
 },
 "defaultValue": "true"
 },
@@ -32,7 +32,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Traffic Analytics processing interval mins (10/60)",
- "description": null
+ "description": "Traffic Analytics processing interval mins (10/60)"
 },
 "defaultValue": "60"
 },
@@ -40,7 +40,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Retention days in storage account. If you want to retain data forever and do not want to apply any retention policy, set retention (days) to 0.",
- "description": null
+ "description": "Retention days in storage account. If you want to retain data forever and do not want to apply any retention policy, set retention (days) to 0."
 },
 "defaultValue": "2"
 },
@@ -57,7 +57,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Storage Account Resource Id",
- "description": null,
+ "description": "Storage Account Resource Id",
 "strongType": "Microsoft.Storage/storageAccounts"
 },
 "defaultValue": ""
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/policy_set_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.1/policy_set_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/policy_set_definitions/README.md
rename to templates/platform/level1/alz/lib/v1.1.1/policy_set_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/role_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.1/role_definitions/README.md
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/role_definitions/README.md
rename to templates/platform/level1/alz/lib/v1.1.1/role_definitions/README.md
diff --git a/templates/platform/level1/eslz/lib/v1.1.1/role_definitions/role_definition_caf_vhub_peering.json b/templates/platform/level1/alz/lib/v1.1.1/role_definitions/role_definition_caf_vhub_peering.json
similarity index 100%
rename from templates/platform/level1/eslz/lib/v1.1.1/role_definitions/role_definition_caf_vhub_peering.json
rename to templates/platform/level1/alz/lib/v1.1.1/role_definitions/role_definition_caf_vhub_peering.json
diff --git a/templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.caf.platform.yaml b/templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.caf.platform.yaml
new file mode 100644
index 000000000..3740933ce
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.caf.platform.yaml
@@ -0,0 +1,374 @@
+archetype_definitions:
+ root:
+ archetype_id: root
+ policy_assignments:
+ Allowed-Locations:
+ listOfAllowedLocations:
+{% for region in topology.resources_allowed_regions %}
+ - {{topology.caf_regions[region]}}
+{% endfor %}
+ Deny-RSG-Locations:
+ listOfAllowedLocations:
+{% for region in topology.resource_groups_allowed_regions %}
+ - {{topology.caf_regions[region]}}
+{% endfor %}
+ # Set to Audit as Terraform cannot combine both in one operation yet.
+ Deny-Subnet-Without-Nsg:
+ effect: Audit
+ # Set to Audit as Terraform cannot combine both in one operation yet.
+ Deny-Subnet-Without-Udr:
+ effect: Audit
+ # More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
+ # Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled...
+ Deploy-ASC-Monitoring:
+ aadAuthenticationInSqlServerMonitoringEffect: Disabled
+ diskEncryptionMonitoringEffect: Disabled
+ encryptionOfAutomationAccountMonitoringEffect: Disabled
+ identityDesignateLessThanOwnersMonitoringEffect: Disabled
+ identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled
+ identityEnableMFAForWritePermissionsMonitoringEffect: Disabled
+ identityRemoveDeprecatedAccountMonitoringEffect: Disabled
+ identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled
+ identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled
+ identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled
+ identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled
+ jitNetworkAccessMonitoringEffect: Disabled
+ networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled
+ sqlDbEncryptionMonitoringEffect: Disabled
+ sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
+ sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled
+ sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
+ sqlServerAdvancedDataSecurityMonitoringEffect: Disabled
+ systemUpdatesMonitoringEffect: AuditIfNotExists
+ useRbacRulesMonitoringEffect: Disabled
+ vmssSystemUpdatesMonitoringEffect: Disabled
+ windowsDefenderExploitGuardMonitoringEffect: Disabled
+ Deploy-ASCDF-Config:
+ emailSecurityContact: {{topology.notifications.azure_defender.emailSecurityContact}}
+ logAnalytics:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ enableAscForKubernetes: DeployIfNotExists
+ enableAscForSql: DeployIfNotExists
+ enableAscForSqlOnVm: DeployIfNotExists
+ enableAscForDns: DeployIfNotExists
+ enableAscForArm: DeployIfNotExists
+ enableAscForOssDb: DeployIfNotExists
+ enableAscForAppServices: DeployIfNotExists
+ enableAscForRegistries: DeployIfNotExists
+ enableAscForKeyVault: DeployIfNotExists
+ enableAscForStorage: DeployIfNotExists
+ enableAscForServers: DeployIfNotExists
+ Deploy-AzActivity-Log:
+ logAnalytics:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ Deploy-LX-Arc-Monitoring:
+ Deploy-Resource-Diag:
+ profileName: alz-diagnostic-log
+ logAnalytics:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ Deploy-WS-Arc-Monitoring:
+ logAnalytics:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ Deploy-VM-Monitoring:
+ logAnalytics_1:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ Deploy-VMSS-Monitoring:
+ logAnalytics_1:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ policy_definitions:
+ Append-AppService-httpsonly:
+ Append-AppService-latestTLS:
+ Append-KV-SoftDelete:
+ Append-Redis-disableNonSslPort:
+ Append-Redis-sslEnforcement:
+ Audit-MachineLearning-PrivateEndpointId:
+ CAF-Deploy-Nsg-FlowLogs:
+ Deny-AA-child-resources:
+ Deny-AppGW-Without-WAF:
+ Deny-AppServiceApiApp-http:
+ Deny-AppServiceFunctionApp-http:
+ Deny-AppServiceWebApp-http:
+ Deny-Databricks-NoPublicIp:
+ Deny-Databricks-Sku:
+ Deny-Databricks-VirtualNetwork:
+ Deny-MachineLearning-Aks:
+ Deny-MachineLearning-Compute-SubnetId:
+ Deny-MachineLearning-Compute-VmSize:
+ Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess:
+ Deny-MachineLearning-ComputeCluster-Scale:
+ Deny-MachineLearning-HbiWorkspace:
+ Deny-MachineLearning-PublicAccessWhenBehindVnet:
+ Deny-MachineLearning-PublicNetworkAccess:
+ Deny-MySql-http:
+ Deny-PostgreSql-http:
+ Deny-Private-DNS-Zones:
+ Deny-PublicEndpoint-MariaDB:
+ Deny-PublicIP:
+ Deny-RDP-From-Internet:
+ Deny-Redis-http:
+ Deny-Sql-minTLS:
+ Deny-SqlMi-minTLS:
+ Deny-Storage-minTLS:
+ Deny-Subnet-Without-Nsg:
+ Deny-Subnet-Without-Udr:
+ Deny-VNET-Peer-Cross-Sub:
+ Deny-VNet-Peering:
+ Deploy-ASC-SecurityContacts:
+ Deploy-Budget:
+ Deploy-Custom-Route-Table:
+ Deploy-DDoSProtection:
+ Deploy-Diagnostics-AA:
+ Deploy-Diagnostics-ACI:
+ Deploy-Diagnostics-ACR:
+ Deploy-Diagnostics-AnalysisService:
+ Deploy-Diagnostics-ApiForFHIR:
+ Deploy-Diagnostics-APIMgmt:
+ Deploy-Diagnostics-ApplicationGateway:
+ Deploy-Diagnostics-CDNEndpoints:
+ Deploy-Diagnostics-CognitiveServices:
+ Deploy-Diagnostics-CosmosDB:
+ Deploy-Diagnostics-Databricks:
+ Deploy-Diagnostics-DataExplorerCluster:
+ Deploy-Diagnostics-DataFactory:
+ Deploy-Diagnostics-DLAnalytics:
+ Deploy-Diagnostics-EventGridSub:
+ Deploy-Diagnostics-EventGridSystemTopic:
+ Deploy-Diagnostics-EventGridTopic:
+ Deploy-Diagnostics-ExpressRoute:
+ Deploy-Diagnostics-Firewall:
+ Deploy-Diagnostics-FrontDoor:
+ Deploy-Diagnostics-Function:
+ Deploy-Diagnostics-HDInsight:
+ Deploy-Diagnostics-iotHub:
+ Deploy-Diagnostics-LoadBalancer:
+ Deploy-Diagnostics-LogicAppsISE:
+ Deploy-Diagnostics-MariaDB:
+ Deploy-Diagnostics-MediaService:
+ Deploy-Diagnostics-MlWorkspace:
+ Deploy-Diagnostics-MySQL:
+ Deploy-Diagnostics-NetworkSecurityGroups:
+ Deploy-Diagnostics-NIC:
+ Deploy-Diagnostics-PostgreSQL:
+ Deploy-Diagnostics-PowerBIEmbedded:
+ Deploy-Diagnostics-RedisCache:
+ Deploy-Diagnostics-Relay:
+ Deploy-Diagnostics-SignalR:
+ Deploy-Diagnostics-SQLElasticPools:
+ Deploy-Diagnostics-SQLMI:
+ Deploy-Diagnostics-TimeSeriesInsights:
+ Deploy-Diagnostics-TrafficManager:
+ Deploy-Diagnostics-VirtualNetwork:
+ Deploy-Diagnostics-VM:
+ Deploy-Diagnostics-VMSS:
+ Deploy-Diagnostics-VNetGW:
+ Deploy-Diagnostics-WebServerFarm:
+ Deploy-Diagnostics-Website:
+ Deploy-Diagnostics-WVDAppGroup:
+ Deploy-Diagnostics-WVDHostPools:
+ Deploy-Diagnostics-WVDWorkspace:
+ Deploy-FirewallPolicy:
+ Deploy-MySQL-sslEnforcement:
+ Deploy-Nsg-FlowLogs-to-LA:
+ Deploy-Nsg-FlowLogs:
+ Deploy-PostgreSQL-sslEnforcement:
+ Deploy-Sql-AuditingSettings:
+ Deploy-SQL-minTLS:
+ Deploy-Sql-SecurityAlertPolicies:
+ Deploy-Sql-Tde:
+ Deploy-Sql-vulnerabilityAssessments:
+ Deploy-SqlMi-minTLS:
+ Deploy-Storage-sslEnforcement:
+ Deploy-Windows-DomainJoin:
+ policy_set_definitions:
+ Deny-PublicPaaSEndpoints:
+ Deploy-ASCDF-Config:
+ Deploy-Diagnostics-LogAnalytics:
+ Deploy-Sql-Security:
+ Enforce-Encryption-CMK:
+ Enforce-EncryptTransit:
+ remediation:
+ policy:
+ policy_set_definitions:
+ # policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766
+ # /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag
+ Deploy-Diagnostics-LogAnalytics:
+ - ExpressRouteDeployDiagnosticLogDeployLogAnalytics
+ - FirewallDeployDiagnosticLogDeployLogAnalytics
+ - KeyVaultDeployDiagnosticLogDeployLogAnalytics
+ - LoadBalancerDeployDiagnosticLogDeployLogAnalytics
+ - NetworkNICDeployDiagnosticLogDeployLogAnalytics
+ - NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics
+ - NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics
+ - RecoveryVaultDeployDiagnosticLogDeployLogAnalytics
+ - storageaccountdeploydiagnosticlogdeployloganalytics
+ - VirtualNetworkDeployDiagnosticLogDeployLogAnalytics
+ - VNetGWDeployDiagnosticLogDeployLogAnalytics
+ Deploy-ASCDF-Config:
+ - defenderForOssDb
+ - defenderForVM
+ - defenderForSqlServerVirtualMachines
+ - defenderForAppServices
+ - defenderForStorageAccounts
+ - defenderForKubernetesService
+ - defenderForContainerRegistry
+ - defenderForKeyVaults
+ - defenderForDns
+ - defenderForArm
+ - defenderForSqlPaas
+ - securityEmailContact
+ - ascExport
+ landing-zones:
+ archetype_id: landing-zones
+ policy_assignments:
+ Deny-IP-Forwarding:
+ Deny-Priv-Containers-AKS:
+ Deny-Priv-Escalation-AKS:
+ Deny-Private-DNS-Zones:
+ Deny-RDP-From-Internet:
+ Deny-Storage-http:
+ Deploy-AKS-Policy:
+ Deploy-SQL-DB-Auditing:
+ Deploy-SQL-Threat:
+ Enable-DDoS-VNET:
+ Enforce-AKS-HTTPS:
+ Enforce-TLS-SSL:
+ CAF-Deploy-Nsg-FlowLogs:
+ effect: DeployIfNotExists
+ retention: 5
+ storageAccountResourceId:
+ lz_key: management
+ output_key: objects
+ resource_type: storage_accounts
+ resource_key: nsgflogs
+ attribute_key: id
+ interval: 60
+ flowAnalyticsEnabled: true
+ logAnalytics:
+ lz_key: management
+ output_key: diagnostics
+ resource_type: log_analytics
+ resource_key: region1
+ attribute_key: id
+ Deny-Public-Endpoints:
+ ACRPublicIpDenyEffect: Audit
+ AFSPublicIpDenyEffect: Audit
+ AKSPublicIpDenyEffect: Audit
+ BatchPublicIpDenyEffect: Audit
+ CosmosPublicIpDenyEffect: Audit
+ KeyVaultPublicIpDenyEffect: Audit
+ MySQLFlexPublicIpDenyEffect: Audit
+ PostgreSQLFlexPublicIpDenyEffect: Audit
+ SqlServerPublicIpDenyEffect: Audit
+ StoragePublicIpDenyEffect: Audit
+ archetype_config:
+ access_control:
+ Owner:
+ azuread_groups:
+ lz_key: launchpad
+ 
attribute_key: id + resource_keys: + - subscription_creation_landingzones + connectivity: + archetype_id: platform_connectivity + policy_assignments: + Enable-DDoS-VNET: + role_definitions: + CAF-network-vhub-peering: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - connectivity + # Make sure you replace with the Management Group ID in UPPER CASE + '[{{topology.caf_environment | upper}}-CONNECTIVITY] CAF-network-vhub-peering': + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - subscription_creation_landingzones + - identity + - management + management: + archetype_id: platform_management + policy_assignments: + Deny-Private-DNS-Zones: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - management + identity: + archetype_id: platform_identity + policy_assignments: + Deny-RDP-From-Internet: + Deny-Public-IP: + Deny-Private-DNS-Zones: + Deny-IP-Forwarding: + archetype_config: + access_control: + Owner: + azuread_groups: + lz_key: launchpad + attribute_key: id + resource_keys: + - identity + decommissioned: + archetype_id: platform_decommissioned + policy_assignments: + Deny-IP-Forwarding: + Deny-Private-DNS-Zones: + platform: + archetype_id: platform + policy_assignments: + CAF-Deploy-Nsg-FlowLogs: + effect: DeployIfNotExists + retention: 5 + storageAccountResourceId: + lz_key: management + output_key: objects + resource_type: storage_accounts + resource_key: nsgflogs + attribute_key: id + interval: 60 + flowAnalyticsEnabled: true + logAnalytics: + lz_key: management + output_key: diagnostics + resource_type: log_analytics + resource_key: region1 + attribute_key: id + sandboxes: + archetype_id: platform_sandboxes + policy_assignments: + Deny-IP-Forwarding: + Deny-Private-DNS-Zones: \ No newline at end of file 
diff --git a/templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.tfvars.j2 b/templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.tfvars.j2
new file mode 100644
index 000000000..4ad74b76e
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/archetype_config_overrides.tfvars.j2
@@ -0,0 +1,62 @@
+archetype_config_overrides = {
+{% for key, level in mg.archetype_definitions.items() %}
+ {{ key }} = {
+ archetype_id = "{{mg.archetype_definitions[key].archetype_id }}"
+{% if mg.archetype_definitions[key].policy_assignments is mapping %}
+ parameters = {
+{% for pa_key, pa_value in mg.archetype_definitions[key].policy_assignments.items() %}
+{% if pa_value is mapping %}
+ "{{ pa_key }}" = {
+{% for attribute, attribute_value in pa_value.items() %}
+ "{{attribute}}" = {
+{% if attribute_value is string %}
+ value = "{{ attribute_value }}"
+{% elif attribute_value is boolean %}
+ value = {{ attribute_value | string | lower }}
+{% elif attribute_value is number %}
+ value = {{ attribute_value }}
+{% else %}
+{% if attribute_value is mapping %}
+{% for caf_key, caf_value in attribute_value.items() %}
+ {{ caf_key }} = "{{ caf_value }}"
+{% endfor %}
+{% else %}
+ values = {{ attribute_value | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% endif %}
+ }
+{% endfor %}
+ }
+{% endif %}
+{% endfor %}
+ }
+{% else %}
+ parameters = {}
+{% endif %}
+{% if level.archetype_resources.access_control is mapping %}
+ access_control = {
+{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %}
+{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %}
+ "{{level_ac_key}}" = {
+{% for level_role_key, level_role in level_ac.items() %}
+ "{{ level_role_key }}" = {
+ lz_key = "{{ level_role.lz_key }}"
+ attribute_key = "{{ level_role.attribute_key }}"
+ resource_keys = {{ level_role.resource_keys | replace('None','[]') | replace('\'','\"') }}
+ }
+{% endfor %}
+ }
+{% endfor %}
+{% else %}
+ "Owner" = {
+ "principal_ids" = ["{{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
+ }
+{% endif %}
+ }
+{% else %}
+ access_control = {}
+{% endif %}
+ }
+
+{% endfor %}
+}
\ No newline at end of file
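Review bot: `resource_keys = {{ level_role.resource_keys | replace('None','[]') | replace('\'','\"') }}` (and the `values = …` line in the parameters branch) turn a Python list into HCL by substring replacement, so any key or value that itself contains `None` or a quote character is silently corrupted, and a string value containing a double quote also breaks the unescaped `value = "{{ attribute_value }}"` line. Rendering the list with `{{ (level_role.resource_keys or []) | tojson }}` (or Ansible's `to_json`, depending on which engine renders these templates) produces valid, escaped list syntax without the string surgery. Separately, the `logged_in_user` branch assigns `Owner` on every management group to the single EA-account-owner object id; a one-line comment above `"Owner" = {` stating that this path is only for the bootstrap/dev identity mode would help whoever reviews the rendered tfvars.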
diff --git a/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/README.md
new file mode 100644
index 000000000..519e9f330
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/README.md
@@ -0,0 +1,11 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+# List of the default archetypes
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/archetype_definitions
+
diff --git a/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/archetype_definition_template.json.j2 b/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/archetype_definition_template.json.j2
new file mode 100644
index 000000000..8eb4f14ea
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/archetype_definition_template.json.j2
@@ -0,0 +1,90 @@ +{ + "{{ mg.archetype_definitions[item].archetype_id }}": { + "policy_assignments": [ +{% if mg.archetype_definitions[item].policy_assignments is mapping %} +{% for key in mg.archetype_definitions[item].policy_assignments.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if mg_custom.archetype_definitions[item].policy_assignments is mapping %} +{% for key in mg_custom.archetype_definitions[item].policy_assignments.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "policy_definitions": [ +{% if mg.archetype_definitions[item].policy_definitions is mapping %} +{% for key in mg.archetype_definitions[item].policy_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if mg_custom.archetype_definitions[item].policy_definitions is mapping %} +{% for key in mg_custom.archetype_definitions[item].policy_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "policy_set_definitions": [ +{% if mg.archetype_definitions[item].policy_set_definitions is mapping %} +{% for key in mg.archetype_definitions[item].policy_set_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if mg_custom.archetype_definitions[item].policy_set_definitions is mapping %} +{% for key in mg_custom.archetype_definitions[item].policy_set_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "role_definitions": [ +{% if mg.archetype_definitions[item].role_definitions is mapping %} +{% for key in mg.archetype_definitions[item].role_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if 
mg_custom.archetype_definitions[item].role_definitions is mapping %} +{% for key in mg_custom.archetype_definitions[item].role_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "archetype_config": { + "parameters": { + }, + "access_control": { + } + } + } +} diff --git a/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/custom_landing_zone_template.json.j2 b/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/custom_landing_zone_template.json.j2 new file mode 100644 index 000000000..04df5040a --- /dev/null +++ b/templates/platform/level1/alz/lib/v1.1.3/archetype_definitions/custom_landing_zone_template.json.j2 
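Review bot: Each of the four arrays (`policy_assignments`, `policy_definitions`, `policy_set_definitions`, `role_definitions`) is filled by two independent loops that each use `loop.last` to decide on the trailing comma, so whenever `mg` and `mg_custom` both hold entries for `item` the last key of the first loop is emitted without a comma and the rendered file is not valid JSON. Build one merged list first and loop over it once, e.g. `{% set keys = ((mg.archetype_definitions[item].policy_assignments or {}).keys() | list) + ((mg_custom.archetype_definitions[item].policy_assignments or {}).keys() | list) %}` followed by a single `{% for key in keys %}`, or simply emit `{{ keys | tojson }}`. A key present in both maps would also be written twice; deduplicating in the same step (`| unique`) avoids handing the ES module a duplicate reference.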
@@ -0,0 +1,90 @@ +{ + "{{ mg_custom.archetype_definitions[item].archetype_id }}": { + "policy_assignments": [ +{% if mg.archetype_definitions[item].policy_assignments is mapping %} +{% for key in mg.archetype_definitions[item].policy_assignments.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if mg_custom.archetype_definitions[item].policy_assignments is mapping %} +{% for key in mg_custom.archetype_definitions[item].policy_assignments.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "policy_definitions": [ +{% if mg.archetype_definitions[item].policy_definitions is mapping %} +{% for key in mg.archetype_definitions[item].policy_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if mg_custom.archetype_definitions[item].policy_definitions is mapping %} +{% for key in mg_custom.archetype_definitions[item].policy_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "policy_set_definitions": [ +{% if mg.archetype_definitions[item].policy_set_definitions is mapping %} +{% for key in mg.archetype_definitions[item].policy_set_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if mg_custom.archetype_definitions[item].policy_set_definitions is mapping %} +{% for key in mg_custom.archetype_definitions[item].policy_set_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "role_definitions": [ +{% if mg.archetype_definitions[item].role_definitions is mapping %} +{% for key in mg.archetype_definitions[item].role_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} +{% if 
mg_custom.archetype_definitions[item].role_definitions is mapping %} +{% for key in mg_custom.archetype_definitions[item].role_definitions.keys() %} +{% if loop.last %} + "{{ key }}" +{% else %} + "{{ key }}", +{% endif %} +{% endfor %} +{% endif %} + ], + "archetype_config": { + "parameters": { + }, + "access_control": { + } + } + } +} diff --git a/templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.caf.platform.yaml b/templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.caf.platform.yaml new file mode 100644 index 000000000..6ae8db0c4 --- /dev/null +++ b/templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.caf.platform.yaml @@ -0,0 +1,26 @@ +archetype_definitions: + corp: + display_name: Corp + archetype_id: landingzone_corp + parent_management_group_id: landing-zones + subscription_ids: + online: + display_name: Online + archetype_id: landingzone_online + parent_management_group_id: landing-zones + subscription_ids: + corp-prod: + display_name: Production + archetype_id: landingzone_prod + parent_management_group_id: corp + subscription_ids: + corp-non-prod: + display_name: Non Production + archetype_id: landingzone_non_prod + parent_management_group_id: corp + subscription_ids: + online-web: + display_name: Non Production + archetype_id: landingzone_online_web + parent_management_group_id: online + subscription_ids: \ No newline at end of file diff --git a/templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.tfvars.j2 b/templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.tfvars.j2 new file mode 100644 index 000000000..570a7c7b0 --- /dev/null +++ b/templates/platform/level1/alz/lib/v1.1.3/custom_landing_zones.tfvars.j2 
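Review bot: This template is keyed on `mg_custom.archetype_definitions[item].archetype_id` but every array first evaluates `mg.archetype_definitions[item].policy_assignments is mapping` (and the three sibling checks); for an item that exists only in `mg_custom`, `mg.archetype_definitions[item]` is undefined and, with Jinja's default `Undefined`, the attribute access raises before the `is mapping` test runs. Guard each check with membership, e.g. `{% if item in mg.archetype_definitions and mg.archetype_definitions[item].policy_assignments is mapping %}`, or drop the `mg` loops here since a custom landing zone's lists come from `mg_custom`. The trailing-comma problem of the sibling `archetype_definition_template.json.j2` (two `loop.last` loops feeding one JSON array) is duplicated here and would be fixed by the same merged-list approach.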
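Review bot: `online-web` carries `display_name: Non Production`, which reads as a copy-paste from `corp-non-prod`; because this string becomes the management-group display name, make it identify the group, e.g. `display_name: Online Web`. Every `subscription_ids:` is left empty, which YAML loads as null and which the tfvars template only turns into `[]` through a `replace('None','[]')` text substitution; writing `subscription_ids: []` here keeps the data self-describing and lets the template use `| tojson` directly.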
@@ -0,0 +1,72 @@ +custom_landing_zones = { +{% for key, level in mg_custom.archetype_definitions.items() %} + {{ bootstrap.management_groups[region][tfstate].management_group_prefix }}-{{ key }} = { + display_name = "{{ level.display_name }}" + parent_management_group_id = "{{ bootstrap.management_groups[region][tfstate].management_group_prefix }}-{{ level.parent_management_group_id }}" + archetype_config = { + archetype_id = "{{ level.archetype_id }}" +{% if level.policy_assignments is defined %} + parameters = { +{% for pa_key, pa_value in level.policy_assignments.items() %} +{% if pa_value is mapping %} + "{{ pa_key }}" = { +{% for attribute, attribute_value in pa_value.items() %} + "{{attribute}}" = { +{% if attribute_value is string %} + value = "{{ attribute_value }}" +{% elif attribute_value is boolean %} + value = {{ attribute_value | string | lower }} +{% elif attribute_value is number %} + value = {{ attribute_value }} +{% else %} +{% if attribute_value is mapping %} +{% for caf_key, caf_value in attribute_value.items() %} + {{ caf_key }} = "{{ caf_value }}" +{% endfor %} +{% else %} + values = {{ attribute_value | replace('None','[]') | replace('\'','\"') }} +{% endif %} +{% endif %} + } +{% endfor %} + } +{% endif %} +{% endfor %} + } +{% else %} + parameters = {} +{% endif %} +{% if level.archetype_resources.access_control is defined %} + access_control = { +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} +{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %} + "{{level_ac_key}}" = { +{% for level_role_key, level_role in level_ac.items() %} + "{{ level_role_key }}" = { + lz_key = "{{ level_role.lz_key }}" + attribute_key = "{{ level_role.attribute_key }}" + resource_keys = {{ level_role.resource_keys | replace('None','[]') | replace('\'','\"') }} + } +{% endfor %} + } +{% endfor %} +{% else %} + "Owner" = { + "principal_ids" = ["{{ 
resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] + } +{% endif %} + } +{% else %} + access_control = {} +{% endif %} + } + subscriptions = {} +{% if level.subscription_ids is defined %} + subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% else %} + subscription_ids = [] +{% endif %} + } + +{% endfor %} +} \ No newline at end of file diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/README.md b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/README.md new file mode 100644 index 000000000..def2a5a6d --- /dev/null +++ b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/README.md @@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy assignments + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_aks_capability.json b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_aks_capability.json new file mode 100644 index 000000000..789acde60 --- /dev/null +++ b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_aks_capability.json 
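Review bot: `subscription_ids = {{ level.subscription_ids | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}` converts a Python list to HCL by text replacement, so it depends on the exact repr of the loaded YAML value and splits on every comma and bracket inside it; `{{ (level.subscription_ids or []) | tojson }}` yields valid HCL list syntax directly and makes the `{% else %}` branch unnecessary. The access_control block is guarded by `level.archetype_resources.access_control is defined`, while the archetype data earlier in this patch nests it under `archetype_config.access_control`; if this template is fed by that data the branch never renders and every custom landing zone falls back to `access_control = {}` — please confirm which key is intended. The `logged_in_user` fallback assigns `Owner` to the EA account owner object id on each custom landing zone; a comment on that line marking it as the bootstrap-only path would make the rendered tfvars easier to audit.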
@@ -0,0 +1,18 @@
+{
+ "name": "aks-capability",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
+ "displayName": "Kubernetes cluster containers should only use allowed capabilities.",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": true
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json
new file mode 100644
index 000000000..575e6f450
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_caf_deploy_nsg_flowlogs.json
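Review bot: `"enforcementMode": true` is not a value the policy-assignment schema defines — the property is the string `Default` or `DoNotEnforce` — and the sibling `Allowed-Locations` file in this patch uses `null`; unless the ES module only compares the field against `DoNotEnforce`, set `"enforcementMode": null` (or `"Default"`) so all three assignment files follow one convention. `"parameters": {}` leaves the built-in definition's `effect` at its own default, so whether this assignment blocks or merely audits disallowed capabilities is decided outside this file; if the intent is to deny, pass `effect` explicitly through the archetype parameters. The name `aks-capability` also departs from the hyphenated PascalCase used by `CAF-Deploy-Nsg-FlowLogs` and `Allowed-Locations`, and I do not see it referenced by any archetype policy_assignments list visible in this patch, so it may currently be unreachable.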
@@ -0,0 +1,18 @@
+{
+ "name": "CAF-Deploy-Nsg-FlowLogs",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy if not exists nsg flowlogs and traffic analytics on network security groups. Define also the retention days.",
+ "displayName": "CAF - Enable Nsg flowlogs and traffic analytics.",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/CAF-Deploy-Nsg-FlowLogs",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": true
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_es_allowed_locations.json b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_es_allowed_locations.json
new file mode 100644
index 000000000..bce0689ad
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/policy_assignments/policy_assignment_es_allowed_locations.json
@@ -0,0 +1,18 @@
+{
+ "name": "Allowed-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": "${current_scope_resource_id}",
+ "enforcementMode": null
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.3/policy_definitions/README.md
new file mode 100644
index 000000000..e47f922fd
--- /dev/null
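Review bot: `"parameters": {}` combined with the referenced definition's empty-string defaults for `storageAccountResourceId` and `logAnalytics` means that, wherever an archetype lists `CAF-Deploy-Nsg-FlowLogs` without also supplying those two values in `archetype_config.parameters`, the DeployIfNotExists remediation is created with a system-assigned identity and then fails on every NSG with an empty `storageId`. Nothing in this file signals that dependency; extend the description, e.g. `"description": "Deploy if not exists nsg flowlogs and traffic analytics on network security groups. Define also the retention days. Requires storageAccountResourceId and logAnalytics to be supplied via archetype_config.parameters."`, so a reader of the assignment alone knows the assignment is incomplete by itself. `"enforcementMode": true` should also match whatever convention is chosen for the other two assignment files (`null` in `Allowed-Locations`).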
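Review bot: `"parameters": {}` leaves `listOfAllowedLocations` unset, and to my knowledge the built-in `e56962a6-…` "Allowed locations" definition has no default for it, so assigning it fails unless every archetype that lists `Allowed-Locations` supplies the parameter through `archetype_config.parameters` — none of the archetype data visible in this patch does. Either give the assignment a baseline, e.g. `"parameters": { "listOfAllowedLocations": { "value": ["${default_location}"] } }`, or state in the policy_assignments README that the parameter is mandatory for this assignment. `"enforcementMode": null` here versus `true` in the two sibling files should be unified.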
+++ b/templates/platform/level1/alz/lib/v1.1.3/policy_definitions/README.md
@@ -0,0 +1,10 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+# List of the default policy definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions
diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json b/templates/platform/level1/alz/lib/v1.1.3/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
new file mode 100644
index 000000000..daf0fa3df
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/policy_definitions/policy_definition_caf_deploy_nsg_flowlogs.json
@@ -0,0 +1,228 @@ +{ + "name": "CAF-Deploy-Nsg-FlowLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "CAF - Enable Nsg flowlogs and traffic analytics.", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "flowAnalyticsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Traffic Analytics", + "description": "Enable Traffic Analytics" + }, + "defaultValue": "true" + }, + "interval": { + "type": "String", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)", + "description": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": "60" + }, + "retention": { + "type": "String", + "metadata": { + "displayName": "Retention days in storage account. If you want to retain data forever and do not want to apply any retention policy, set retention (days) to 0.", + "description": "Retention days in storage account. If you want to retain data forever and do not want to apply any retention policy, set retention (days) to 0." + }, + "defaultValue": "2" + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + }, + "defaultValue": "" + }, + "storageAccountResourceId": { + "type": "String", + "metadata": { + "displayName": "Storage Account Resource Id", + "description": "Storage Account Resource Id", + "strongType": "Microsoft.Storage/storageAccounts" + }, + "defaultValue": "" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "equals": "Microsoft.Network/networkSecurityGroups", + "field": "type" + } + ] + }, + "then": { + "details": { + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "flowAnalyticsEnabled": { + "value": "[bool(parameters('flowAnalyticsEnabled'))]" + }, + "interval": { + "value": "[int(parameters('interval'))]" + }, + "location": { + "value": "[field('location')]" + }, + "networkSecurityGroup": { + "value": "[field('id')]" + }, + "retention": { + "value": "[int(parameters('retention'))]" + }, + "storageAccountResourceId": { + "value": "[parameters('storageAccountResourceId')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "location": "[parameters('location')]", + "outputs": {}, + "parameters": { + "flowAnalyticsEnabled": { + "type": "bool" + }, + "interval": { + "type": "int" + }, + "location": { + "type": "String" + }, + "networkSecurityGroup": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "storageAccountResourceId": { + "type": "String" + }, + "time": { + "defaultValue": "[utcNow()]", + "type": "String" + }, + "logAnalytics": { + "type": "String" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "[take(concat('NetworkWatcherRG', '.', variables('securityGroupName')), 64)]", + 
"properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2020-05-01", + "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]", + "location": "[parameters('location')]", + "properties": {}, + "resources": [ + { + "apiVersion": "2019-11-01", + "dependsOn": [ + "[concat('NetworkWatcher_', toLower(parameters('location')))]" + ], + "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]", + "location": "[parameters('location')]", + "properties": { + "enabled": true, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[bool(parameters('flowAnalyticsEnabled'))]", + "trafficAnalyticsInterval": "[parameters('interval')]", + "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]", + "workspaceResourceId": "[parameters('logAnalytics')]" + } + }, + "format": { + "type": "JSON", + "version": 2 + }, + "retentionPolicy": { + "days": "[parameters('retention')]", + "enabled": true + }, + "storageId": "[parameters('storageAccountResourceId')]", + "targetResourceId": "[parameters('networkSecurityGroup')]" + }, + "type": "flowLogs" + } + ], + "type": "Microsoft.Network/networkWatchers" + } + ] + } + }, + "resourceGroup": "NetworkWatcherRG", + "type": "Microsoft.Resources/deployments" + } + ], + "variables": { + "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]" + } + } + } + }, + "existenceCondition": { + "allof": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled", + "equals": "[bool(parameters('flowAnalyticsEnabled'))]" + }, + { + "field": 
"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.trafficAnalyticsInterval", + "equals": "[parameters('interval')]" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/retentionPolicy.days", + "equals": "[parameters('retention')]" + } + ] + }, + "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", + "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "type": "Microsoft.Network/networkWatchers/flowLogs" + }, + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/templates/platform/level1/alz/lib/v1.1.3/policy_set_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.3/policy_set_definitions/README.md new file mode 100644 index 000000000..c09d2c016 --- /dev/null +++ b/templates/platform/level1/alz/lib/v1.1.3/policy_set_definitions/README.md @@ -0,0 +1,10 @@ + +# Public documentation of the custom landingzones + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes + +# List of the default policy set definitions + +https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions 
diff --git a/templates/platform/level1/alz/lib/v1.1.3/role_definitions/README.md b/templates/platform/level1/alz/lib/v1.1.3/role_definitions/README.md
new file mode 100644
index 000000000..2230928aa
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/role_definitions/README.md
@@ -0,0 +1,11 @@
+
+# Public documentation of the custom landingzones
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
+
+
+# List of the default role defitions
+
+https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions
diff --git a/templates/platform/level1/alz/lib/v1.1.3/role_definitions/role_definition_caf_vhub_peering.json b/templates/platform/level1/alz/lib/v1.1.3/role_definitions/role_definition_caf_vhub_peering.json
new file mode 100644
index 000000000..db51f3c40
--- /dev/null
+++ b/templates/platform/level1/alz/lib/v1.1.3/role_definitions/role_definition_caf_vhub_peering.json
@@ -0,0 +1,26 @@
+{
+ "name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2018-01-01-preview",
+ "properties": {
+ "roleName": "CAF-network-vhub-peering",
+ "description": "Authorize vnet peerings to the vhub.",
+ "type": "customRole",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Network/virtualHubs/read",
+ "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*"
+ ],
+ "notActions": [
+ ],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ],
+ "assignableScopes": [
+ "${current_scope_resource_id}"
+ ]
+ }
+}
\ No newline at end of file
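Review bot: `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*` grants every operation on every hub connection, including delete, to whoever holds this role, which — per the archetype data earlier in this patch series — appears to be the landing-zone subscription-creation, identity and management groups. For a role described as "Authorize vnet peerings to the vhub", list the operations explicitly, `"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read"` and `"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/write"`, and add `.../delete` only if tearing down connections is really meant to be delegated; that removes the ability of a compromised spoke pipeline to remove other spokes' connections from the hub. `assignableScopes` pinned to `${current_scope_resource_id}` is appropriate. The hard-coded `name` GUID means the same role id is created in every environment rendered from this library; fine within one tenant, but worth a note in the role_definitions README if the library is reused across tenants.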
diff --git a/templates/platform/level1/eslz/readme.md b/templates/platform/level1/alz/readme.md
similarity index 55%
rename from templates/platform/level1/eslz/readme.md
rename to templates/platform/level1/alz/readme.md
index 305c963f7..c1c1029a0 100644
--- a/templates/platform/level1/eslz/readme.md
+++ b/templates/platform/level1/alz/readme.md
@@ -2,26 +2,26 @@ ## Deploy Enterprise Scale -Note you need to adjust the branch to deploy Enterprise Scale to {{ resources.platform_core_setup.private_lib[tfstate_object.eslz_version].caf_landingzone_branch }} +Note you need to adjust the branch to deploy Enterprise Scale to {{ resources.variables_azure_landing_zones.private_lib[tfstate_object.alz_version].caf_landingzone_branch }} ```bash az account clear # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.platform_core_setup.private_lib[tfstate_object.eslz_version].caf_landingzone_branch }} +git checkout {{ resources.variables_azure_landing_zones.private_lib[tfstate_object.alz_version].caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ -tfstate {{ tfstate_object.tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ tfstate_object.level }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan 
@@ -31,8 +31,8 @@ rover \ # Next steps [Deploy asvm](../../level2/asvm/readme.md) -{% if bootstrap.deployments.scale_out_domains.identity_level2 is defined %} -{% for key in bootstrap.deployments.scale_out_domains.identity_level2.keys() %} +{% if resources.deployments[stage].scale_out_domains[region].identity_level2 is defined %} +{% for key in resources.deployments[stage].scale_out_domains[region].identity_level2.keys() %} [Deploy identity_level2 - {{key}}](../../{{resources['identity_level2_' + key].relative_destination_folder}}/readme.md) {% endfor %} {% endif %} diff --git a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 b/templates/platform/level1/alz/subscription_id_overrides.tfvars.j2 similarity index 69% rename from templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 rename to templates/platform/level1/alz/subscription_id_overrides.tfvars.j2 index 101b1279f..46ac32559 100644 --- a/templates/platform/level1/eslz/subscription_id_overrides.tfvars.j2 +++ b/templates/platform/level1/alz/subscription_id_overrides.tfvars.j2 
@@ -1,51 +1,51 @@ subscription_id_overrides = { -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.root is defined %} - root = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides is defined %} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.root is defined %} + root = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.root | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} root = [] {% endif %} {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %} - decommissioned = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides is defined %} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.decommissioned is defined %} + decommissioned = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.decommissioned | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} decommissioned = [] {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes is defined %} - sandboxes = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.sandboxes | 
replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.sandboxes is defined %} + sandboxes = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.sandboxes | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} sandboxes = [] {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %} - landing-zones = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides['landing-zones'] is defined %} + landing-zones = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides['landing-zones'] | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} landing-zones = [] {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.platform is defined %} - platform = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.platform is defined %} + platform = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.platform | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} platform = [] {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity is defined %} - connectivity = {{ 
resources.platform_core_setup.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.connectivity is defined %} + connectivity = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.connectivity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} connectivity = [] {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.management is defined %} - management = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.management is defined %} + management = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.management | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} management = [] {% endif %} -{% if resources.platform_core_setup.enterprise_scale.subscription_id_overrides.identity is defined %} - identity = {{ resources.platform_core_setup.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} +{% if resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.identity is defined %} + identity = {{ resources.azure_landing_zones.enterprise_scale.subscription_id_overrides.identity | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }} {% else %} identity = [] {% endif %} {% else %} {% if resources.subscription_deployment_mode == 'single_reuse' %} root = [ - 
"{{ resources.caf_terraform.launchpad.subscription_id }}" + "{{ resources.caf_launchpad.subscription_id }}" ] {% else %} root = [] @@ -60,7 +60,7 @@ subscription_id_overrides = { {% endif %} } -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and resources.subscription_deployment_mode != 'single_reuse' %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and resources.subscription_deployment_mode != 'single_reuse' %} subscription_id_overrides_by_keys = { connectivity = { connectivity = { diff --git a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 b/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 deleted file mode 100644 index 9074f6b76..000000000 --- a/templates/platform/level1/eslz/enterprise_scale.tfvars.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz -library_path = "{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{deployment}}/lib" -{% if resources.platform_core_setup.enterprise_scale[deployment].root_parent_id is defined %} -root_parent_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].root_parent_id }}" -{% endif %} -root_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}" -root_name = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_name }}" -deploy_core_landing_zones = {{ resources.platform_core_setup.enterprise_scale[deployment].deploy_core_landing_zones | string | lower }} -{% if (resources.platform_core_setup.enable_azure_subscription_vending_machine | default(false)) and resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} -reconcile_vending_subscriptions = true -{% endif %} \ No newline at end of file diff --git a/templates/platform/level1/identity/readme.md b/templates/platform/level1/identity/readme.md index 466fbab9f..817fb8673 100644 
--- a/templates/platform/level1/identity/readme.md +++ b/templates/platform/level1/identity/readme.md 
@@ -8,29 +8,29 @@ rover logout # login a with a user member of the caf-maintainers group {% if platform_subscriptions_details is defined %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.identity.subscription_id }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ platform_subscriptions_details.identity.subscription_id }} {% elif subscriptions.platform_subscriptions.identity.subscription_id is defined %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.identity.subscription_id }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.identity.subscription_id }} {% else %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ resources.caf_launchpad.subscription_id }} {% endif %} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ {% elif subscriptions.platform_subscriptions.identity.subscription_id is defined %} -target_subscription {{ subscriptions.platform_subscriptions.identity.subscription_id }} \ {% else %} - -target_subscription {{ 
resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.identity.tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity.tfstate }}.tfplan \ -a plan @@ -40,6 +40,6 @@ rover \ # Next steps -{% for key in bootstrap.deployments.eslz.keys() %} -[Deploy Enterprise Scale - {{key}}](../../level1/eslz/{{key}}/readme.md) +{% for key in bootstrap.deployments[deployment_mode].alz.keys() %} +[Deploy Enterprise Scale - {{key}}](../../level1/alz/{{key}}/readme.md) {% endfor %} diff --git a/templates/platform/level1/management/readme.md b/templates/platform/level1/management/readme.md index 6756496f6..ff43722b5 100644 --- a/templates/platform/level1/management/readme.md +++ b/templates/platform/level1/management/readme.md 
@@ -8,29 +8,29 @@ rover logout # login a with a user member of the caf-maintainers group {% if platform_subscriptions_details is defined %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.management.subscription_id }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ platform_subscriptions_details.management.subscription_id }} {% elif subscriptions.platform_subscriptions.management.subscription_id is defined %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.management.subscription_id }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.management.subscription_id }} {% else %} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ resources.caf_launchpad.subscription_id }} {% endif %} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.management.subscription_id }} \ {% elif subscriptions.platform_subscriptions.management.subscription_id is defined %} -target_subscription {{ subscriptions.platform_subscriptions.management.subscription_id }} \ {% else %} - -target_subscription {{ 
resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.management.tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.management.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level1/subscriptions/readme.md b/templates/platform/level1/subscriptions/readme.md index 6688fcd8d..cdb27dc3d 100644 --- a/templates/platform/level1/subscriptions/readme.md +++ b/templates/platform/level1/subscriptions/readme.md 
@@ -4,18 +4,18 @@ Set-up the subscription delegations for platform and landingzone subscriptions ```bash # For manual bootstrap: -# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }} -rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }} +# Login to the subscription {{ resources.caf_launchpad.subscription_name }} with the user {{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} -s {{ resources.caf_launchpad.subscription_id }} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ -tfstate {{ tfstate_object.tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ tfstate_object.level }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/asvm/ansible.yaml b/templates/platform/level2/asvm/ansible.yaml index 01f4214e9..99739caac 100644 --- a/templates/platform/level2/asvm/ansible.yaml +++ b/templates/platform/level2/asvm/ansible.yaml 
@@ -1,15 +1,15 @@ -- name: "[{{resources.configuration_folders.platform.destination_relative_path}}] Get tfstate account name" +- name: "[{{deployment_mode}}/{{stage}}] Get tfstate account name" register: launchpad_storage_account shell: | az storage account list \ - --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name + --subscription {{ resources.caf_launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.launchpad.level }}' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - debug: msg: "{{launchpad_storage_account}}" -- name: "[{{deployment}} - {{resources.configuration_folders.platform.destination_relative_path}}] - Get launchpad tfstate details" +- name: "[{{deployment_mode}}/{{stage}}] - Get launchpad tfstate details" register: launchpad_tfstate_exists ignore_errors: true shell: | 
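Review bot: The rewritten `--query "...[0]" -o json | jq -r .name` line prints the literal string `null` when no storage account in the given subscription carries the expected `caf_tfstate`/`caf_environment` tags, and the task registers `launchpad_storage_account` with no `failed_when`, so the play continues with `null` as the tfstate account name. Adding `failed_when: launchpad_storage_account.stdout in ['', 'null']` to this task fails closed at the lookup rather than at a later download. The same pattern is in the two level2 lookups in the next hunk (registered as `level2_storage_account` and `level2_storage_rg`) and needs the same guard. The `{{ resources.caf_launchpad.subscription_id }}` value is interpolated into the `shell:` command unquoted; it comes from the project's own configuration, but writing `--subscription "{{ resources.caf_launchpad.subscription_id }}"` keeps a malformed value from being split into extra arguments.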
@@ -20,47 +20,47 @@ --auth-mode "login" \ --file "~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}" -- name: "[{{deployment}} - {{resources.configuration_folders.platform.destination_relative_path}}] - Get subscription_creation_landingzones details" +- name: "[{{deployment_mode}}/{{stage}}] - Get subscription_creation_landingzones details" when: - launchpad_tfstate_exists.rc == 0 - - resources.platform_core_setup.enable_azure_subscription_vending_machine + - resources.enable_azure_subscription_vending_machine shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}" register: launchpad_tfstate -- name: "[{{deployment}} - {{v}}] - Get launchpad json data" +- name: "[{{deployment_mode}}/{{stage}}] - Get launchpad json data" when: - launchpad_tfstate_exists.rc == 0 - - resources.platform_core_setup.enable_azure_subscription_vending_machine + - resources.enable_azure_subscription_vending_machine set_fact: scljsondata: "{{ launchpad_tfstate.stdout | from_json }}" -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - set launchpad_azuread_groups" +- name: "[{{deployment_mode}}/{{stage}}] - set launchpad_azuread_groups" when: - launchpad_tfstate_exists.rc == 0 - - resources.platform_core_setup.enable_azure_subscription_vending_machine + - resources.enable_azure_subscription_vending_machine set_fact: launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}" vars: path: 'outputs.objects.value.launchpad.azuread_groups' -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name" +- name: "[{{deployment_mode}}/{{stage}}] - Get level2 tfstate account name" register: level2_storage_account shell: | az storage account list \ - --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ 
resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name + --subscription {{ resources.caf_launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name}[0]" -o json | jq -r .name - debug: msg: "{{level2_storage_account}}" verbosity: 2 -- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - Get level2 tfstate account name" +- name: "[{{deployment_mode}}/{{stage}}] - Get level2 tfstate account name" register: level2_storage_rg shell: | az storage account list \ - --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{resourceGroup:resourceGroup}[0]" -o json | jq -r .resourceGroup + --subscription {{ resources.caf_launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='{{ resources.tfstates.platform.asvm.level }}' && tags.caf_environment=='{{ resources.caf_environment }}'].{resourceGroup:resourceGroup}[0]" -o json | jq -r .resourceGroup - debug: msg: "{{level2_storage_account}}" diff --git a/templates/platform/level2/asvm/keyvaults.tfvars.j2 b/templates/platform/level2/asvm/keyvaults.tfvars.j2 index 9cfefb0e6..2feaae7a9 100644 --- a/templates/platform/level2/asvm/keyvaults.tfvars.j2 +++ b/templates/platform/level2/asvm/keyvaults.tfvars.j2 
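Review bot: The renamed task title `[{{deployment_mode}}/{{stage}}] - Get level2 tfstate account name` is used for two different tasks in this hunk; the second one registers `level2_storage_rg` and queries `{resourceGroup:resourceGroup}`, so the play output shows the same title twice and a failure cannot be attributed from the log. Rename the second to `- name: "[{{deployment_mode}}/{{stage}}] - Get level2 tfstate resource group"`. The `debug` that follows it prints `level2_storage_account` rather than `level2_storage_rg`; that line is unchanged context, but it means the resource-group lookup result is never displayed, which reads like a copy-paste slip worth fixing while the block is being touched.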
@@ -1,16 +1,16 @@ keyvaults = { level3 = { - name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level3.name }}" - resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level3.resource_group_key }}" - sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level3.sku_name | default('standard') }}" + name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level3.name }}" + resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level3.resource_group_key }}" + sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level3.sku_name | default('standard') }}" tags = { caf_tfstate = "level3" - caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}" + caf_environment = "{{ resources.caf_environment }}" } creation_policies = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} subscription_creation_landingzones = { object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" secret_permissions = ["Get"] @@ -24,7 +24,7 @@ keyvaults = { secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"] } {% endif %} -{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy # More examples in /examples/keyvault 
@@ -36,16 +36,16 @@ keyvaults = { } level4 = { - name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level4.name }}" - resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level4.resource_group_key }}" - sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}" + name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level4.name }}" + resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level4.resource_group_key }}" + sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}" tags = { caf_tfstate = "level4" - caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}" + caf_environment = "{{ resources.caf_environment }}" } creation_policies = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %} {% if launchpad_azuread_groups is defined %} subscription_creation_landingzones = { object_id = "{{launchpad_azuread_groups.subscription_creation_landingzones.id}}" @@ -71,7 +71,7 @@ keyvaults = { } {% endif %} {% endif %} -{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %} logged_in_user = { # if the key is set to "logged_in_user" add the user running terraform in the keyvault policy # More examples in /examples/keyvault diff --git a/templates/platform/level2/asvm/readme.md b/templates/platform/level2/asvm/readme.md index 629fdbe83..8935bcd28 100644 --- a/templates/platform/level2/asvm/readme.md +++ b/templates/platform/level2/asvm/readme.md 
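Review bot: In the `level4` block the rewritten `sku_name` line reads `resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name` while the neighbouring `name` and `resource_group_key` lines read `keyvaults.level4.*`, so the level4 vault silently takes level1's SKU (or the `standard` default when level1 has none). The path was already wrong before the rename and this hunk carries it over unchanged; it should be `sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level4.sku_name | default('standard') }}"`. The corresponding `level3` line in the first hunk of this file uses `level3` consistently, which supports reading this as a slip rather than intent.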
@@ -2,22 +2,22 @@ ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin -git checkout {{ resources.gitops.caf_landingzone_branch }} +git checkout {{ resources[deployment].gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ -tfstate {{ resources.tfstates.platform.asvm.tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.asvm.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/asvm/role_mappings.tfvars.j2 b/templates/platform/level2/asvm/role_mappings.tfvars.j2 index 8dba28ebe..ba81356c3 100644 --- a/templates/platform/level2/asvm/role_mappings.tfvars.j2 +++ b/templates/platform/level2/asvm/role_mappings.tfvars.j2 
@@ -9,7 +9,7 @@ role_mapping = { resource_groups = { level3 = { "Reader" = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers @@ -31,7 +31,7 @@ role_mapping = { } level4 = { "Reader" = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers @@ -56,7 +56,7 @@ role_mapping = { storage_accounts = { level3 = { "Storage Blob Data Contributor" = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers @@ -69,7 +69,7 @@ role_mapping = { } {% endif %} } -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} "Owner" = { object_ids = { keys = [ 
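Review bot: The guard `{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}` is rewritten verbatim in all four hunks on this line and in the two hunks that follow; a single `{% set platform_groups_available = resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %}` at the top of the template, tested with `{% if platform_groups_available %}`, gives the next rename one place to land and stops the six copies from drifting. The guard also wraps the `"Owner"` assignments on the level3 and level4 storage accounts: when `launchpad_azuread_groups` is undefined the whole Owner block is omitted without error, and that fact appears to be set only by the asvm/ansible.yaml `set_fact` task in this patch, which is skipped when the launchpad tfstate download (run with `ignore_errors: true`) fails. A comment above the first guard stating that a missing launchpad tfstate intentionally yields a role mapping with no Owner assignments — or, if that is not intended, a check in the playbook that the fact is defined before rendering — would make that failure mode explicit.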
@@ -82,7 +82,7 @@ role_mapping = { level4 = { "Storage Blob Data Contributor" = { -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} object_ids = { keys = [ "{{launchpad_azuread_groups.caf_platform_maintainers.id}}", // caf_platform_maintainers @@ -95,7 +95,7 @@ role_mapping = { } {% endif %} } -{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and launchpad_azuread_groups is defined %} "Owner" = { object_ids = { keys = [ diff --git a/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md b/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md index b44cf7c05..e9e3fa1c7 100644 --- a/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md +++ b/templates/platform/level2/connectivity/azurerm_firewall_policies/readme.md 
@@ -9,26 +9,26 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/connectivity/azurerm_firewalls/readme.md b/templates/platform/level2/connectivity/azurerm_firewalls/readme.md index 6028a8453..b53eda4ed 100644 --- a/templates/platform/level2/connectivity/azurerm_firewalls/readme.md +++ b/templates/platform/level2/connectivity/azurerm_firewalls/readme.md 
@@ -9,26 +9,26 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.azurerm_firewalls[deployment].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.azurerm_firewalls[deployment].tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/connectivity/express_route_circuit/readme.md b/templates/platform/level2/connectivity/express_route_circuit/readme.md index d1e25a127..106ade681 100644 --- a/templates/platform/level2/connectivity/express_route_circuit/readme.md +++ b/templates/platform/level2/connectivity/express_route_circuit/readme.md 
@@ -9,26 +9,26 @@ Note you need to adjust the branch {{ connectivity_express_routes.gitops.caf_lan ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.express_route_circuits[circuit].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.express_route_circuits[circuit].tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md b/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md index 4fc49b432..02d439b49 100644 
--- a/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md +++ b/templates/platform/level2/connectivity/express_route_circuit_peering/readme.md @@ -3,26 +3,26 @@ ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.express_route_circuit_peerings[circuit].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.express_route_circuit_peerings[circuit].tfstate }}.tfplan \ -a plan 
diff --git a/templates/platform/level2/connectivity/private_dns/readme.md b/templates/platform/level2/connectivity/private_dns/readme.md index 7d6a5b7cc..4c1c69851 100644 --- a/templates/platform/level2/connectivity/private_dns/readme.md +++ b/templates/platform/level2/connectivity/private_dns/readme.md @@ -9,26 +9,26 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.private_dns[deployment].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.private_dns[deployment].tfstate }}.tfplan \ -a plan 
diff --git a/templates/platform/level2/connectivity/virtual_hubs/readme.md b/templates/platform/level2/connectivity/virtual_hubs/readme.md index 6b66dfdf7..02fa7f59c 100644 --- a/templates/platform/level2/connectivity/virtual_hubs/readme.md +++ b/templates/platform/level2/connectivity/virtual_hubs/readme.md @@ -8,27 +8,27 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.virtual_hubs[deployment].tfstate }} \ -log-severity ERROR \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.virtual_hubs[deployment].tfstate }}.tfplan \ -a plan 
diff --git a/templates/platform/level2/connectivity/virtual_wans/readme.md b/templates/platform/level2/connectivity/virtual_wans/readme.md index a0c28ceb2..5cee956b8 100644 --- a/templates/platform/level2/connectivity/virtual_wans/readme.md +++ b/templates/platform/level2/connectivity/virtual_wans/readme.md @@ -2,26 +2,26 @@ ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.virtual_wans[deployment].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.virtual_wans[deployment].tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/identity/identity_level2/readme.md b/templates/platform/level2/identity/identity_level2/readme.md index 06b3e7d8a..ce718d42d 100644 
--- a/templates/platform/level2/identity/identity_level2/readme.md +++ b/templates/platform/level2/identity/identity_level2/readme.md @@ -7,19 +7,19 @@ Deploy the identity services rover logout # login a with a user member of the caf-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ -tfstate {{ resources.tfstates.platform.identity_level2[deployment].tfstate }} \ -log-severity {{ resources.gitops.rover_log_error }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity_level2[deployment].tfstate }}.tfplan \ -a plan @@ -29,4 +29,4 @@ rover \ # Next steps - [Deploy Enterprise Scale](../../level1/eslz/readme.md) + [Deploy Enterprise Scale](../../level1/alz/readme.md) diff --git a/templates/platform/level2/identity/identity_level2_aadds/readme.md b/templates/platform/level2/identity/identity_level2_aadds/readme.md index a28da5dd7..d0d09bad1 100644 --- a/templates/platform/level2/identity/identity_level2_aadds/readme.md +++ b/templates/platform/level2/identity/identity_level2_aadds/readme.md 
@@ -9,26 +9,26 @@ Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} ```bash # login a with a user member of the caf-platform-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.identity_level2_aadds[deployment].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity_level2_aadds[deployment].tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level2/identity/identity_level2_adds/readme.md b/templates/platform/level2/identity/identity_level2_adds/readme.md index 63e164cdf..7112493b0 100644 --- a/templates/platform/level2/identity/identity_level2_adds/readme.md +++ b/templates/platform/level2/identity/identity_level2_adds/readme.md 
@@ -5,26 +5,26 @@ Deploy 2 domain controllers in the primary region ```bash # login a with a user member of the caf-maintainers group -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{ landingzones_folder }} git fetch origin git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if keyvaults is defined and resources.platform_identity.azuread_identity_mode != "logged_in_user" %} +{% if keyvaults is defined and resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %} --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \ {% endif %} -lz {{ landingzones_folder }}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if platform_subscriptions_details is defined %} -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \ {% else %} - -target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ + -target_subscription {{ resources.caf_launchpad.subscription_id }} \ {% endif %} -tfstate {{ resources.tfstates.platform.identity_level2_adds[deployment].tfstate }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ resources.tfstates.platform.identity_level2_adds[deployment].tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level3/ansible.yaml b/templates/platform/level3/ansible.yaml index 1838d0712..5d0d7f39b 100644 --- a/templates/platform/level3/ansible.yaml +++ b/templates/platform/level3/ansible.yaml 
@@ -1,10 +1,10 @@ -- name: "[{{ level }}-{{ subscription_key }}] Get asvm keyvault credentials name" +- name: "[{{ level }}-asvm] Get asvm keyvault credentials name" register: keyvault_scl shell: | az keyvault list \ - --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' + --subscription {{ resources.launchpad.subscription_id }} \ + --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' - debug: msg: "{{keyvault_scl.stdout}}" 
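Review bot: When the `az keyvault list` query in this task matches no vault, the `[0]` projection returns `null` and the jq expression still prints `https://.vault.azure.net/`, so `keyvault_scl.stdout` carries a well-formed-looking but bogus URL into the later `--impersonate-sp-from-keyvault-url` step instead of failing the task. Making the lookup fail closed is a small change: `set -o pipefail` at the top of the script (the task then needs `args: executable: /bin/bash`) and `jq -re --arg http "https://" --arg suffix ".vault.azure.net/" '.name | select(. != null) | $http + . + $suffix'`, which exits non-zero when nothing matched. The same jq pipeline is repeated in the second task added to this file in the next hunk, so the fix applies there too.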
@@ -13,49 +13,75 @@ # Get landingzones subscriptions # -- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - launchpad level3" +- name: "[{{ level }}-asvm] - get keyvault credentials" + register: keyvault_scl + shell: | + az keyvault list \ + --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones'].{name:name}[0]" | \ + jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' + +- name: "[{{ level }}-asvm] - storage_containers - launchpad level3" register: storage_account_level3 shell: | az storage account list \ - --subscription {{ resources.caf_terraform.launchpad.subscription_id }} \ - --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r + --subscription {{ resources.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r + +- name: "[{{ level }}-asvm] - storage_containers - launchpad level4" + register: storage_account_level4 + shell: | + az storage account list \ + --subscription {{ resources.launchpad.subscription_id }} \ + --query "[?tags.caf_tfstate=='level4' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r - debug: - msg: "{{storage_account_level3.stdout}}" + msg: + - "{{storage_account_level3.stdout}}" + - "{{storage_account_level4.stdout}}" -- name: "[{{ level }}-{{ subscription_key }}] Get credentials tfstate details" +- name: "[{{ level }}-asvm] Get credentials tfstate details" register: landingzones_subscriptions ignore_errors: true shell: | az storage blob download \ - --name "{{ resources.tfstates.asvm.subscriptions.tfstate }}" \ + --name "{{ resources.tfstates[lz_type][tfstate_resource].tfstate }}" \ --account-name "{{ 
storage_account_level3.stdout|from_json|json_query('name') }}" \ - --container-name "{{ resources.tfstates.asvm.subscriptions.workspace | default('tfstate') }}" \ + --container-name "{{ resources.tfstates[lz_type][tfstate_resource].workspace | default('tfstate') }}" \ --auth-mode "login" \ - --file "~/.terraform.cache/launchpad/{{ resources.tfstates.asvm.subscriptions.tfstate }}" + --file "~/.terraform.cache/launchpad/{{ resources.tfstates[lz_type][tfstate_resource].tfstate }}" -- name: "[{{ level }}-{{ subscription_key }}] Get subscription_creation_landingzones details" +- debug: + msg: "{{landingzones_subscriptions}}" + verbosity: 1 + +- name: "[{{ level }}-asvm] Get subscription_creation_landingzones details" when: - landingzones_subscriptions.rc == 0 - shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.asvm.subscriptions.tfstate }}" + shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates[lz_type][tfstate_resource].tfstate }}" register: landingzones_tfstate - debug: msg: "{{landingzones_tfstate.stdout | from_json }}" + verbosity: 1 + when: + - landingzones_subscriptions.rc == 0 -- name: "[{{ level }}-{{ subscription_key }}] Get landingzone json data" +- name: "[{{ level }}-asvm] Get landingzone json data" when: - landingzones_subscriptions.rc == 0 set_fact: scljsondata: "{{ landingzones_tfstate.stdout | from_json }}" -- name: "[{{ level }}-{{ subscription_key }}] Get landingzone subscription ids" +- name: "[{{ level }}-asvm] Get landingzone subscription ids" when: - landingzones_subscriptions.rc == 0 set_fact: asvm_subscriptions_details: "{{ scljsondata | json_query(path) }}" vars: - path: 'outputs.objects.value.{{resources.tfstates.asvm.subscriptions.lz_key_name}}.subscriptions' + path: 'outputs.objects.value.{{resources.tfstates[lz_type][tfstate_resource].lz_key_name}}.subscriptions' - debug: - msg: "{{asvm_subscriptions_details}}" \ No newline at end of file + msg: "{{asvm_subscriptions_details}}" + verbosity: 1 + when: + - 
landingzones_subscriptions.rc == 0 \ No newline at end of file diff --git a/templates/platform/level3/readme.md b/templates/platform/level3/readme.md index 2b2232a61..e368cf716 100644 --- a/templates/platform/level3/readme.md +++ b/templates/platform/level3/readme.md @@ -1,6 +1,6 @@ ```bash -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} unset ARM_SKIP_PROVIDER_REGISTRATION @@ -9,18 +9,18 @@ git pull git checkout {{ resources.gitops.caf_landingzone_branch }} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ {% if asvm_subscriptions_details[subscription_key].subscription_id is defined %} -target_subscription {{ asvm_subscriptions_details[subscription_key].subscription_id }} \ {% endif %} -tfstate {{ tfstate_object.tfstate }} \ --workspace {{ tfstate_object.workspace }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level3/subscriptions/readme.md b/templates/platform/level3/subscriptions/readme.md index f88b0746d..62071d6ea 100644 --- a/templates/platform/level3/subscriptions/readme.md +++ b/templates/platform/level3/subscriptions/readme.md 
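Review bot: The new `[{{ level }}-asvm] - get keyvault credentials` task re-registers `keyvault_scl`, overwriting the value computed by the first task in this file, and its `az keyvault list` has neither the `--subscription {{ resources.launchpad.subscription_id }}` scope nor the `tags.caf_environment=='{{ resources.caf_environment }}'` filter that the first task applies. It therefore returns the first vault carrying the `cred_subscription_creation_landingzones` tag in whatever subscription the CLI context currently points at, and that URL is what the level3 readme on this page passes to `--impersonate-sp-from-keyvault-url`; if two environments or a stale launchpad share the tag, the playbook silently impersonates the wrong service principal. Either drop the duplicate task or give it the same `--subscription` and `caf_environment` constraints as the first one. The tfstate download and the facts derived from it look consistent, as the `rc == 0` guards are now applied to every dependent step.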
@@ -2,23 +2,23 @@ ### Create storage containers for the landingzone ```bash -rover login -t {{ resources.platform_identity.tenant_name }} +rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} cd {{landingzones_folder}} git pull -git checkout {{ resources.gitops.caf_landingzone_branch }} +git checkout {{ resources[deployment].gitops.caf_landingzone_branch }} rover \ -{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} +{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \ - -target_subscription {{resources.caf_terraform.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.launchpad.subscription_id }} \ + -target_subscription {{resources.launchpad.subscription_id }} \ -tfstate {{ tfstate_object.tfstate }} \ --workspace {{ tfstate_object.workspace | default('tfstate') }} \ - -env {{ resources.caf_terraform.launchpad.caf_environment }} \ + -env {{ resources.caf_environment }} \ -level {{ level }} \ -p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \ -a plan diff --git a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 index 05ee1e366..254806c08 100644 --- a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 +++ b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 
@@ -1,16 +1,18 @@ storage_containers = { -{% for key in resources.subscriptions[subscription_key].subscriptions.keys() %} - {{ key }}_level3 = { - name = "{{ resources.tfstates.asvm[key].workspace }}" +{% for app_key, app_value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} +{% for scod_key in app_value.keys() %} + {{app_key}}_{{ scod_key }}_level3 = { + name = "{{ resources.tfstates[lz_type][app_key][scod_key].workspace }}" storage_account = { name = "{{storage_account_level3.stdout|from_json|json_query('name')}}" } } - {{ key }}_level4 = { - name = "{{ resources.tfstates.asvm[key].workspace }}" + {{app_key}}_{{ scod_key }}_level4 = { + name = "{{ resources.tfstates[lz_type][app_key][scod_key].workspace }}" storage_account = { name = "{{storage_account_level4.stdout|from_json|json_query('name')}}" } } {% endfor %} +{% endfor %} } \ No newline at end of file diff --git a/templates/platform/pipelines/README.md b/templates/platform/pipelines/README.md index 5d45470d2..6773e82c4 100644 --- a/templates/platform/pipelines/README.md +++ b/templates/platform/pipelines/README.md @@ -22,7 +22,7 @@ ansible-playbook e2e.yaml \ ## Prerequisites ```bash -branch={{ resources.eslz.private_lib[resources.eslz.private_lib.version_to_deploy].caf_landingzone_branch }} +branch={{ resources.alz.private_lib[resources.alz.private_lib.version_to_deploy].caf_landingzone_branch }} cd {{ destination_base_path }} git clone --branch ${branch} https://github.com/Azure/caf-terraform-landingzones.git landingzones diff --git a/templates/platform/pipelines/symphony_e2e.yaml b/templates/platform/pipelines/symphony_e2e.yaml index 44053ff52..f3774b388 100644 --- a/templates/platform/pipelines/symphony_e2e.yaml +++ b/templates/platform/pipelines/symphony_e2e.yaml 
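Review bot: The storage_containers.tfvars.j2 hunk builds the map key as `{{app_key}}_{{ scod_key }}_level3`, joining the two loop keys with `_`, which is also the separator used inside the keys themselves, so two different (app_key, scod_key) pairs can render to the same object key and Terraform will either reject the tfvars as a duplicate object key or collapse the two containers, depending on how the file is consumed. A separator that cannot occur in the keys, or a short comment stating that app and scod keys are required not to contain underscores, would make the constraint explicit. Rendering `resources.tfstates[lz_type][app_key][scod_key].workspace` for an undefined path also yields `name = ""` rather than an error unless the playbook runs with strict undefined handling, which is worth confirming.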
@@ -24,12 +24,12 @@ levels: configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.management.level }}/{{ resources.tfstates.platform.management.base_config_path }}" tfState: {{ resources.tfstates.platform.management.tfstate }} repository: landingzones - - stack: eslz - landingZonePath: landingzones/caf_solution/add-ons/caf_eslz - configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.eslz.level }}/{{ resources.tfstates.platform.eslz.base_config_path }}" - tfState: {{ resources.tfstates.platform.eslz.tfstate }} + - stack: alz + landingZonePath: landingzones/caf_solution/add-ons/caf_alz + configurationPath: "{{ resources.configuration_folders.destination_relative_path }}/{{ resources.tfstates.platform.alz.level }}/{{ resources.tfstates.platform.alz.base_config_path }}" + tfState: {{ resources.tfstates.platform.alz.tfstate }} repository: landingzones - branch: "{{ resources.eslz.private_lib[resources.eslz.private_lib.version_to_deploy].caf_landingzone_branch }}" + branch: "{{ resources.alz.private_lib[resources.alz.private_lib.version_to_deploy].caf_landingzone_branch }}" - level: level2 type: platform diff --git a/templates/platform/readme.md b/templates/platform/readme.md index 88cbc8a20..b745d1cd6 100644 --- a/templates/platform/readme.md +++ b/templates/platform/readme.md 
@@ -1,16 +1,18 @@ # Generate the terraform configuration files -## Deploy in a single subscription +## Deploy into a single subscription ``` -ansible-playbook /tf/caf/landingzones/templates/platform/walk-through-single.yaml \ +ansible-playbook /tf/caf/landingzones/templates/ansible/walk-through-single.yaml \ -e topology_file=/tf/caf/landingzones/templates/platform/single_subscription.yaml \ -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \ -e platform_service_folder=/tf/caf/landingzones/templates/platform/services \ + -e public_templates_folder=/tf/caf/landingzones/templates \ + -e resource_template_folder=/tf/caf/landingzones/templates/resources \ -e landingzones_folder=/tf/caf/landingzones \ - -e configuration_folder=/tf/caf/configuration/platform \ - -e destination_folder=/tf/caf/definition/platform + -e platform_configuration_folder=/tf/caf/configuration \ + -e platform_definition_folder=/tf/caf/platform/definition ``` diff --git a/templates/platform/services/README.md b/templates/platform/services/README.md index da1b26a5d..324ae733c 100644 --- a/templates/platform/services/README.md +++ b/templates/platform/services/README.md @@ -24,13 +24,8 @@ Rover ignite creates the tfvars and also the documentation. ```bash rover login -t {{tenant_name.stdout}} -s {{subscription_id.stdout}} -rover ignite \ - --playbook {{ config_folder_platform_templates }}/ansible/ansible.yaml \ - -e base_templates_folder={{ config_folder_platform_templates }} \ - -e resource_template_folder={{landingzones_folder}}/templates/resources \ - -e config_folder={{destination_path}} \ - -e landingzones_folder={{landingzones_folder}} \ - -e destination_folder={{configuration_folder}} +ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \ + --extra-vars "@{{platform_definition_folder}}/ignite.yaml" ``` 
@@ -43,13 +38,7 @@ Get started with the [launchpad]({{destination_path}}/{{topologies.launchpad.rel ### Regenerate the definition folder ```bash -ansible-playbook {{config_folder_platform_templates}}/walk-through-single.yaml \ - -e topology_file={{destination_folder}}/ignite.yaml \ - -e config_folder_platform_templates={{config_folder_platform_templates}} \ - -e platform_service_folder={{platform_service_folder}} \ - -e landingzones_folder={{landingzones_folder}} \ - -e destination_folder={{destination_folder}} \ - -e configuration_folder={{configuration_folder}} \ - --extra-vars "@{{destination_folder}}/ignite_input.yaml" +ansible-playbook {{public_templates_folder}}/ansible/walk-through-single.yaml \ + --extra-vars "@{{platform_definition_folder}}/ignite.yaml" ``` \ No newline at end of file diff --git a/templates/platform/services/alz.yaml b/templates/platform/services/alz.yaml new file mode 100644 index 000000000..def573cb5 --- /dev/null +++ b/templates/platform/services/alz.yaml @@ -0,0 +1,35 @@ +alz_{{item}}: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} + + relative_destination_folder: level1/alz/{{item}} + + + tfstate: + lz_key_name: alz_{{item}} + tfstate: alz_{{item}}.tfstate + level: level1 + identity_aad_key: cred_alz + config_file: alz_{{item}}.yaml + template_lib_folder: platform/level1/alz + sub_template_folder: platform/level1/alz + alz_version: {{topology.management_groups[region][item].version_to_deploy | default('v1.1.3')}} + yaml: platform/level1/alz/ansible.yaml + # Do not rename the item_key_name + tfstate_key_name: alz_{{item}} + + deployments: + landingzone: + global_settings_key: + platform: + launchpad: + remote_tfstates: + platform: + launchpad: + identity: + management: + subscriptions: + + # Keep the following to allow rover ignite to process the deployment. + resources: + launchpad: \ No newline at end of file 
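Review bot: In the new alz.yaml the comment `# Do not rename the item_key_name` refers to a key that does not exist in the file; the key it guards is `tfstate_key_name`, and the sibling asvm.yaml on this page words the same warning as `# Do not rename the tfstate_key_name`. Aligning the comment, `# Do not rename the tfstate_key_name`, avoids a reader looking for a non-existent key. The `alz_version` fallback `default('v1.1.3')` silently pins a library version when the topology omits it, which is probably intended but deserves a one-line comment saying so.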
diff --git a/templates/platform/services/asvm.yaml b/templates/platform/services/asvm.yaml index 8a9d56df6..d451f1817 100644 --- a/templates/platform/services/asvm.yaml +++ b/templates/platform/services/asvm.yaml @@ -10,16 +10,13 @@ asvm: level: level2 config_file: asvm.yaml identity_aad_key: cred_level0 - sub_template_folder: level2/asvm - yaml: level2/asvm/ansible.yaml + sub_template_folder: platform/level2/asvm + yaml: platform/level2/asvm/ansible.yaml # Do not rename the tfstate_key_name tfstate_key_name: asvm deployments: landingzone: - tfstate: - platform: - asvm: global_settings_key: platform: management: @@ -27,7 +24,7 @@ asvm: platform: management: - subscriptions: + resources: launchpad: resource_groups: level3: @@ -60,7 +57,7 @@ asvm: tags: ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. # Only adjust the environment value at creation time - caf_environment: contosolle + caf_environment: {{topology.caf_environment}} caf_launchpad: launchpad caf_tfstate: level3 level4: @@ -80,7 +77,7 @@ asvm: tags: ## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates. # Only adjust the environment value at creation time - caf_environment: contosolle + caf_environment: {{topology.caf_environment}} caf_launchpad: launchpad caf_tfstate: level4 diff --git a/templates/platform/services/connectivity_express_routes.yaml b/templates/platform/services/connectivity_express_routes.yaml index 8e87480a2..2671c39b5 100644 --- a/templates/platform/services/connectivity_express_routes.yaml +++ b/templates/platform/services/connectivity_express_routes.yaml @@ -1,5 +1,5 @@ gitops: - caf_landingzone_branch: AL-azurerm2931 + caf_landingzone_branch: int.2202 express_route_circuits: {{env}}: 
diff --git a/templates/platform/services/connectivity_firewall_policies.yaml b/templates/platform/services/connectivity_firewall_policies.yaml index e294e266a..32c6172b7 100644 --- a/templates/platform/services/connectivity_firewall_policies.yaml +++ b/templates/platform/services/connectivity_firewall_policies.yaml @@ -15,9 +15,6 @@ azurerm_firewall_policies_{{env}}: deployments: landingzone: - tfstate: - platform: - azurerm_firewall_policies: {{env}} global_settings_key: platform: virtual_wans: prod @@ -26,7 +23,7 @@ azurerm_firewall_policies_{{env}}: virtual_wans: prod - subscriptions: + resources: connectivity: resource_groups: firewall_policies: @@ -39,14 +36,5 @@ azurerm_firewall_policies_{{env}}: region_key: region1 resource_group: key: firewall_policies - dns: - proxy_enabled: true - threat_intelligence_mode: "Alert" - dns_root: - name: "dns-root-policy-{{env}}" - region_key: region1 - resource_group: - key: firewall_policies - dns: - proxy_enabled: true threat_intelligence_mode: "Alert" + diff --git a/templates/platform/services/connectivity_private_dns.yaml b/templates/platform/services/connectivity_private_dns.yaml index c28789439..27e739666 100644 --- a/templates/platform/services/connectivity_private_dns.yaml +++ b/templates/platform/services/connectivity_private_dns.yaml @@ -15,9 +15,6 @@ private_dns_{{env}}: deployments: landingzone: - tfstate: - platform: - private_dns: {{env}} global_settings_key: platform: private_dns_firewalls: {{env}} @@ -26,9 +23,8 @@ private_dns_{{env}}: private_dns_firewalls: {{env}} identity_level2: {{env}} - subscriptions: + resources: connectivity: - role_mapping: custom_role_mapping: resource_groups: 
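Review bot: In the connectivity_firewall_policies.yaml hunk the remaining policy loses its `dns:` / `proxy_enabled: true` block along with the deleted `dns_root` policy, and only `threat_intelligence_mode: "Alert"` survives as context, so any firewall still bound to this policy stops proxying DNS. The private-links firewall on this page is re-pointed at its own `private_links` policy, which does carry `proxy_enabled: true`, but I cannot see from the diff whether other firewalls still reference this one. If the removal is deliberate, a comment on the policy such as `# DNS proxy is configured on the private_links policy in connectivity_private_dns_firewalls.yaml` would record the decision; otherwise the `dns:` block should be kept. The trailing `+` line only adds a blank line at end of file.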
@@ -63,26 +59,26 @@ private_dns_{{env}}: name: dns-connectivity-{{env}} private_dns: -{% for key in topology.connectivity.private_dns_zones.zones %} +{% for key in variables.variables_private_dns_zones.zones.keys() %} {{key}}: name: {{key}} resource_group_key: dns_connectivity_{{env}} vnet_links: - fw_{{env}}_plinks_01: - name: fw-plinks-01 + fw_{{env}}_01: + name: fw-{{env}}-01 vnet_key: vnet - lz_key: connectivity_firewalls_{{env}} + lz_key: connectivity_private_dns_firewalls_{{env}} {% endfor %} {% for region in topology.resources_allowed_regions %} -{% for z_key in topology.connectivity.private_dns_zones.regional_zones %} +{% for z_key in variables.variables_private_dns_zones.regional_zones %} {{z_key | replace('region', region)}}: name: {{z_key | replace('region', region)}} resource_group_key: dns_connectivity_{{env}} vnet_links: - fw_{{env}}_plinks_01: - name: fw-plinks-01 + fw_{{env}}_01: + name: fw-{{env}}-01 vnet_key: vnet - lz_key: connectivity_firewalls_{{env}} + lz_key: connectivity_private_dns_firewalls_{{env}} {% endfor %} {% endfor %} \ No newline at end of file diff --git a/templates/platform/services/connectivity_private_dns_firewalls.yaml b/templates/platform/services/connectivity_private_dns_firewalls.yaml index 6bb260dab..ef28f11fb 100644 --- a/templates/platform/services/connectivity_private_dns_firewalls.yaml +++ b/templates/platform/services/connectivity_private_dns_firewalls.yaml @@ -15,9 +15,6 @@ private_dns_firewalls_{{env}}: deployments: landingzone: - tfstate: - platform: - private_dns_firewalls: {{env}} global_settings_key: platform: virtual_hubs: {{env}} @@ -27,7 +24,7 @@ private_dns_firewalls_{{env}}: azurerm_firewall_policies: {{env}} - subscriptions: + resources: connectivity: resource_groups: firewall: 
@@ -40,13 +37,13 @@ private_dns_firewalls_{{env}}: name: vnet-connectivity-{{env}}-fw-plinks resource_group_key: firewall region_key: region1 - address_space: - - 10.101.61.0/24 + address_space: + {{variables.variables_cidr[deployment_mode][service]['region1'][env].address_prefixes}} specialsubnets: AzureFirewallSubnet: name: AzureFirewallSubnet cidr: - - 10.101.61.0/26 + {{variables.variables_cidr[deployment_mode][service]['region1'][env].address_prefixes}} public_ip_addresses: fw_pip1: @@ -64,8 +61,7 @@ private_dns_firewalls_{{env}}: vnet_key: vnet sku_tier: Standard firewall_policy: - key: root - lz_key: connectivity_firewall_policies_{{env}} + key: private_links zones: - 1 - 2 @@ -76,7 +72,16 @@ private_dns_firewalls_{{env}}: public_ip_key: fw_pip1 vnet_key: vnet subnet_key: AzureFirewallSubnet - + + azurerm_firewall_policies: + private_links: + name: "private-links-{{env}}" + region_key: region1 + resource_group: + key: firewall + dns: + proxy_enabled: true + threat_intelligence_mode: "Alert" virtual_hub_connections: vnet_to_hub: diff --git a/templates/platform/services/connectivity_secure_firewalls.yaml b/templates/platform/services/connectivity_secure_firewalls.yaml index 1d4185d6b..70ebc339e 100644 --- a/templates/platform/services/connectivity_secure_firewalls.yaml +++ b/templates/platform/services/connectivity_secure_firewalls.yaml @@ -15,9 +15,6 @@ secure_firewalls_{{env}}: deployments: landingzone: - tfstate: - platform: - secure_firewalls: {{env}} global_settings_key: platform: virtual_hubs: {{env}} @@ -27,7 +24,7 @@ secure_firewalls_{{env}}: azurerm_firewall_policies: {{env}} - subscriptions: + resources: connectivity: resource_groups: firewall: diff --git a/templates/platform/services/connectivity_virtual_hubs.yaml b/templates/platform/services/connectivity_virtual_hubs.yaml index b5676dd46..9e213e25b 100644 --- a/templates/platform/services/connectivity_virtual_hubs.yaml +++ b/templates/platform/services/connectivity_virtual_hubs.yaml 
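Review bot: `address_space` on the plinks VNet and `cidr` on `AzureFirewallSubnet` now render the same `variables_cidr[deployment_mode][service]['region1'][env].address_prefixes` value, so the firewall subnet spans the whole VNet (previously /24 against /26) and no further subnet can be carved out of it; if the variable holds the VNet range, the subnet needs its own entry in variables_cidr. The `- ` list marker was dropped on both keys, so the rendered YAML is only a sequence if the variable itself renders as one — worth confirming against the variables_cidr definition. The new `private_links` policy in the last hunk (`@@ -76,7 +72,16 @@`) uses `threat_intelligence_mode: "Alert"`, which only logs matches; fine if that is the intent, but a comment saying so would help since the firewall no longer inherits a policy from connectivity_firewall_policies.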
@@ -16,9 +16,6 @@ virtual_hubs_{{env}}: deployments: landingzone: - tfstate: - platform: - virtual_hubs: {{env}} global_settings_key: platform: virtual_wans: prod @@ -29,16 +26,16 @@ virtual_hubs_{{env}}: virtual_hub_lz_key: connectivity_virtual_hubs_{{env}} # ddos_protection_plan_id: - subscriptions: + resources: connectivity: virtual_hubs: {{env}}: - name: Production + name: {{env | replace('_', '-')}} virtual_wan: - lz_key: connectivity_virtual_wans_{{env}} + lz_key: connectivity_virtual_wans_prod key: global_wan region_key: region1 - hub_address_prefix: 10.101.51.0/24 + hub_address_prefix: {{variables.variables_cidr[deployment_mode][service]['region1'][env].address_prefix}} deploy_s2s: false s2s_config: name: {{env}} diff --git a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml index 187b67a94..842bdb6cc 100644 --- a/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml +++ b/templates/platform/services/connectivity_virtual_hubs_route_tables.yaml @@ -16,9 +16,6 @@ virtual_hubs_route_tables_{{env}}: deployments: landingzone: - tfstate: - platform: - virtual_hubs_route_tables: {{env}} global_settings_key: platform: virtual_hubs: {{env}} @@ -28,7 +25,7 @@ virtual_hubs_route_tables_{{env}}: secure_firewalls: {{env}} private_dns_firewalls: {{env}} - subscriptions: + resources: connectivity: virtual_hub_route_tables: egress_internet: diff --git a/templates/platform/services/connectivity_virtual_wans.yaml b/templates/platform/services/connectivity_virtual_wans.yaml index a35271216..dda25ab55 100644 --- a/templates/platform/services/connectivity_virtual_wans.yaml +++ b/templates/platform/services/connectivity_virtual_wans.yaml @@ -15,9 +15,6 @@ virtual_wans_{{env}}: deployments: landingzone: - tfstate: - platform: - virtual_wans: {{env}} global_settings_key: platform: management: 
@@ -25,7 +22,7 @@ virtual_wans_{{env}}: platform: management: - subscriptions: + resources: connectivity: virtual_wans: global_wan: diff --git a/templates/platform/services/eslz.yaml b/templates/platform/services/eslz.yaml deleted file mode 100644 index 914c76404..000000000 --- a/templates/platform/services/eslz.yaml +++ /dev/null @@ -1,38 +0,0 @@ -eslz_{{item}}: - gitops: - caf_landingzone_branch: {{topology.caf_landingzone_branch}} - - relative_destination_folder: level1/eslz/{{item}} - - - tfstate: - lz_key_name: eslz_{{item}} - tfstate: eslz_{{item}}.tfstate - level: level1 - identity_aad_key: cred_eslz - config_file: eslz_{{item}}.yaml - template_lib_folder: level1/eslz - sub_template_folder: level1/eslz - eslz_version: {{topology.enterprise_scale[item].version_to_deploy}} - yaml: level1/eslz/ansible.yaml - # Do not rename the tfstate_key_name - tfstate_key_name: eslz_{{item}} - - deployments: - landingzone: - tfstate: - platform: - eslz_contoso: - global_settings_key: - platform: - launchpad: - remote_tfstates: - platform: - launchpad: - identity: - management: - subscriptions: - - # Keep the following to allow rover ignite to process the deployment. - subscriptions: - launchpad: \ No newline at end of file diff --git a/templates/platform/services/identity.yaml b/templates/platform/services/identity.yaml index 33fa5a962..08a4c97a6 100644 --- a/templates/platform/services/identity.yaml +++ b/templates/platform/services/identity.yaml @@ -10,15 +10,12 @@ identity: level: level1 identity_aad_key: cred_identity config_file: identity.yaml - sub_template_folder: level1/identity + sub_template_folder: platform/level1/identity # Do not rename the tfstate_key_name tfstate_key_name: identity deployments: landingzone: - tfstate: - platform: - identity: global_settings_key: platform: launchpad: @@ -26,7 +23,7 @@ identity: platform: launchpad: - subscriptions: + resources: identity: resource_groups: management: 
diff --git a/templates/platform/services/identity_level2.yaml b/templates/platform/services/identity_level2.yaml index e75711948..70b036ce7 100644 --- a/templates/platform/services/identity_level2.yaml +++ b/templates/platform/services/identity_level2.yaml @@ -16,9 +16,6 @@ identity_level2_{{env}}: deployments: landingzone: - tfstate: - platform: - identity_level2: {{env}} global_settings_key: platform: identity: @@ -26,7 +23,7 @@ identity_level2_{{env}}: platform: identity: - subscriptions: + resources: identity: azuread_groups: caf_{{env}}_landingzones_dns_contributors: diff --git a/templates/platform/services/identity_level2_aadds.yaml b/templates/platform/services/identity_level2_aadds.yaml index 52f41c611..e39413ba1 100644 --- a/templates/platform/services/identity_level2_aadds.yaml +++ b/templates/platform/services/identity_level2_aadds.yaml 
@@ -1,171 +1,178 @@ -gitops: - landingzones: AL-azurerm2931 +identity_level2_aadds_{{env}}: + gitops: + caf_landingzone_branch: {{topology.caf_landingzone_branch}} -deployments: - identity: - prod: - landingzone: - key: - platform: - identity_aadds: prod - global_settings_key: - platform: - virtual_hubs: prod - remote_tfstates: - platform: - management: - virtual_hubs: prod - identity_level2: prod - -subscriptions: - identity: - resource_groups: - rg: - name: identity-prod-aadds - region_key: region1 + relative_destination_folder: level2/identity/aadds + tfstate: + lz_key_name: connectivity_virtual_wans_{{env}} + tfstate: connectivity_virtual_wans_{{env}}.tfstate + level: level2 + config_file: virtual_wans.yaml + identity_aad_key: cred_connectivity + # Do not rename the tfstate_key_name + tfstate_key_name: virtual_wans - virtual_networks: - vnet: - name: vnet-identity-prod-aadds - resource_group_key: rg - region_key: region1 - address_space: - - 10.10.100.0/27 - dns_servers: - - 10.10.100.4 - - 10.10.100.5 - subnets: - aadds: - name: snet-aadds - cidr: - - 10.10.100.0/28 - nsg_key: aadds_re1 + deployments: + landingzone: + global_settings_key: + platform: + virtual_hubs: {{env}} + remote_tfstates: + platform: management: - name: snet-aadds-management - cidr: - - 10.10.100.16/28 + virtual_hubs: {{env}} + identity_level2: {{env}} - virtual_hub_connections: - vnet_to_hub: - name: vnet-identity-prod-aadds-TO-vhub-prod - virtual_hub: - lz_key: connectivity_virtual_hub_prod - key: prod + resources: + identity: + resource_groups: + rg: + name: identity-{{env}}-aadds + region_key: region1 + + + virtual_networks: vnet: - vnet_key: vnet + name: vnet-identity-{{env}}-aadds + resource_group_key: rg + region_key: region1 + address_space: + - 10.10.100.0/27 + dns_servers: + - 10.10.100.4 + - 10.10.100.5 + subnets: + aadds: + name: snet-aadds + cidr: + - 10.10.100.0/28 + nsg_key: aadds_re1 + management: + name: snet-aadds-management + cidr: + - 10.10.100.16/28 - 
active_directory_domain_service: - aadds: - name: aadds - region: region1 - resource_group: - key: rg - domain_name: aadds-contoso.net - sku: Standard - filtered_sync_enabled: false - initial_replica_set: - region: region1 - subnet: + virtual_hub_connections: + vnet_to_hub: + name: vnet-identity-{{env}}-aadds-TO-vhub-{{env}} + virtual_hub: + lz_key: connectivity_virtual_hub_{{env}} + key: {{env}} + vnet: vnet_key: vnet - key: aadds - notifications: - additional_recipients: - - notifyA@example.net - - notifyB@example.net - notify_dc_admins: true - notify_global_admins: false - security: - ntlm_v1_enabled: false - sync_kerberos_passwords: true - sync_ntlm_passwords: false - sync_on_prem_passwords: true - tls_v1_enabled: false - azuread_groups: - aad_dc_administrators: - name: AAD DC Administrators - prevent_duplicate_name: true + active_directory_domain_service: + aadds: + name: aadds + region: region1 + resource_group: + key: rg + domain_name: aadds-contoso.net + sku: Standard + filtered_sync_enabled: false + initial_replica_set: + region: region1 + subnet: + vnet_key: vnet + key: aadds + notifications: + additional_recipients: + - notifyA@example.net + - notifyB@example.net + notify_dc_admins: true + notify_global_admins: false + security: + ntlm_v1_enabled: false + sync_kerberos_passwords: true + sync_ntlm_passwords: false + sync_on_prem_passwords: true + tls_v1_enabled: false - network_security_group_definition: - aadds_re1: - version: 1 - resource_group_key: rg - region: region1 - name: nsg-aadds-re1 - nsg: - Inbound: - 400: - name: Debugging for support. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "3389" - source_address_prefix: CorpNetSaw - destination_address_prefix: "*" - 401: - name: Powershell remoting. 
- access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "5986" - source_address_prefix: AzureActiveDirectoryDomainServices - destination_address_prefix: "*" - Outbound: - 400: - name: Communication with the Azure AD Domain Services management service. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "AzureActiveDirectoryDomainServices" - 401: - name: Monitoring of the virtual machines. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "AzureMonitor" - 402: - name: Communication with Azure Storage. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "Storage" - 403: - name: Communication with Azure Active Directory. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "AzureActiveDirectory" - 404: - name: Communication with Windows Update. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "AzureUpdateDelivery" - 405: - name: Download of patches from Windows Update. - access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "AzureFrontDoor.FirstParty" - 406: - name: Automated management of security patches. 
- access: Allow - protocol: tcp - source_port_range: "*" - destination_port_range: "443" - source_address_prefix: "*" - destination_address_prefix: "GuestAndHybridManagement" + azuread_groups: + aad_dc_administrators: + name: AAD DC Administrators + prevent_duplicate_name: true + + network_security_group_definition: + aadds_re1: + version: 1 + resource_group_key: rg + region: region1 + name: nsg-aadds-re1 + nsg: + Inbound: + 400: + name: Debugging for support. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "3389" + source_address_prefix: CorpNetSaw + destination_address_prefix: "*" + 401: + name: Powershell remoting. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "5986" + source_address_prefix: AzureActiveDirectoryDomainServices + destination_address_prefix: "*" + Outbound: + 400: + name: Communication with the Azure AD Domain Services management service. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectoryDomainServices" + 401: + name: Monitoring of the virtual machines. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "AzureMonitor" + 402: + name: Communication with Azure Storage. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "Storage" + 403: + name: Communication with Azure Active Directory. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "AzureActiveDirectory" + 404: + name: Communication with Windows Update. 
+ access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "AzureUpdateDelivery" + 405: + name: Download of patches from Windows Update. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "AzureFrontDoor.FirstParty" + 406: + name: Automated management of security patches. + access: Allow + protocol: tcp + source_port_range: "*" + destination_port_range: "443" + source_address_prefix: "*" + destination_address_prefix: "GuestAndHybridManagement" diff --git a/templates/platform/services/identity_level2_adds.yaml b/templates/platform/services/identity_level2_adds.yaml index 527ef8c31..4db290b64 100644 --- a/templates/platform/services/identity_level2_adds.yaml +++ b/templates/platform/services/identity_level2_adds.yaml @@ -5,29 +5,26 @@ identity_level2_adds_{{env}}: relative_destination_folder: level2/identity/adds/{{env}} deployments: - identity: - landingzone: - tfstate: - platform: - identity_level2_adds: {{env}} - global_settings_key: - platform: - virtual_hubs: {{env}} - remote_tfstates: - platform: - management: - virtual_hubs: {{env}} - identity: + landingzone: + global_settings_key: + platform: + virtual_hubs: {{env}} + remote_tfstates: + platform: + management: + virtual_hubs: {{env}} + identity: tfstate: lz_key_name: identity_level2_adds_{{env}} tfstate: identity_level2_adds_{{env}}.tfstate level: level2 + config_file: identity_level2_adds.yaml identity_aad_key: cred_identity # Do not rename the tfstate_key_name - tfstate_key_name: identity_level2 + tfstate_key_name: identity_level2_adds - subscriptions: + resources: identity: resource_groups: rg: diff --git a/templates/platform/services/ignite_input.yaml b/templates/platform/services/ignite_input.yaml deleted file mode 100644 index ac48d3f2d..000000000 --- a/templates/platform/services/ignite_input.yaml +++ /dev/null 
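Review bot: The `tfstate` block of `identity_level2_aadds_{{env}}` is copied from the virtual WAN service: `lz_key_name: connectivity_virtual_wans_{{env}}`, `tfstate: connectivity_virtual_wans_{{env}}.tfstate`, `config_file: virtual_wans.yaml`, `identity_aad_key: cred_connectivity` and `tfstate_key_name: virtual_wans`, so this deployment would write into the virtual WAN state key and run under the connectivity credential instead of the identity one; the sibling identity_level2_adds.yaml in this same patch shows the expected shape. `relative_destination_folder: level2/identity/aadds` also lacks the `/{{env}}` suffix the adds template has, so two environments would render into the same folder. Two smaller points I would confirm rather than assert: `lz_key: connectivity_virtual_hub_{{env}}` under `virtual_hub_connections` is singular whereas connectivity_virtual_hubs.yaml uses `connectivity_virtual_hubs_{{env}}`, and the `10.10.100.0/27` ranges stay hard-coded while the other services in this patch moved to `variables_cidr`.
```yaml
  relative_destination_folder: level2/identity/aadds/{{env}}
  tfstate:
    lz_key_name: identity_level2_aadds_{{env}}
    tfstate: identity_level2_aadds_{{env}}.tfstate
    level: level2
    config_file: identity_level2_aadds.yaml
    identity_aad_key: cred_identity
    # Do not rename the tfstate_key_name
    tfstate_key_name: identity_level2_aadds
  # … unchanged: deployments, resources …
```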
@@ -1,7 +0,0 @@ -customer_name: {{customer_name}} -caf_environment: {{caf_environment}} -default_email_address: {{default_email_address}} -default_region_key: {{default_region_key}} -eslz_mg_prefix: {{eslz_mg_prefix}} -eslz_mg_name: {{eslz_mg_name}} -azure_regions: {{azure_regions}} \ No newline at end of file diff --git a/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml b/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml index 04dc47b71..46b2a0bd4 100644 --- a/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml +++ b/templates/platform/services/launchpad_azuread_sp_single_subscription.yaml @@ -11,18 +11,15 @@ launchpad: level: level0 identity_aad_key: cred_level0 config_file: launchpad.yaml - sub_template_folder: level0/launchpad - yaml: level0/launchpad/ansible.yaml + sub_template_folder: platform/level0/launchpad + yaml: platform/level0/launchpad/ansible.yaml # Do not rename the tfstate_key_name tfstate_key_name: launchpad deployments: landingzone: - tfstate: - platform: - launchpad: - subscriptions: + resources: launchpad: resource_groups: level0: @@ -115,12 +112,12 @@ launchpad: Management Group Contributor: azuread_groups: keys: - - eslz + - alz - caf_platform_maintainers Owner: azuread_groups: keys: - - eslz + - alz - caf_platform_maintainers - connectivity # only when deploying in single subscription - identity # only when deploying in single subscription @@ -156,7 +153,7 @@ launchpad: keys: - identity - management - - eslz + - alz - subscription_creation_platform - caf_platform_contributors level2: @@ -181,7 +178,7 @@ launchpad: azuread_groups: keys: - management - - eslz + - alz - subscription_creation_platform - caf_platform_contributors level1: @@ -191,7 +188,7 @@ launchpad: - caf_platform_maintainers - identity - management - - eslz + - alz - subscription_creation_platform Storage Blob Data Reader: azuread_groups: 
@@ -261,8 +258,8 @@ launchpad: azuread_group_key: management secret_permissions: - Get - eslz: - azuread_group_key: eslz + alz: + azuread_group_key: alz secret_permissions: - Get subscription_creation_platform: @@ -303,8 +300,8 @@ launchpad: application_name: sp-caf-identity management: application_name: sp-caf-management - eslz: - application_name: sp-caf-eslz + alz: + application_name: sp-caf-alz connectivity: application_name: sp-caf-connectivity subscription_creation_platform: @@ -318,9 +315,9 @@ launchpad: azuread_application: key: level0 # Manage the deployment of Enterprise Scale - eslz: + alz: azuread_application: - key: eslz + key: alz # Manage the deployment of the connectivity services connectivity: azuread_application: @@ -469,14 +466,14 @@ launchpad: members: azuread_service_principal_keys: - level0 - eslz: - name: caf-eslz + alz: + name: caf-alz prevent_duplicate_name: true owners: - {{topology.ea_owner_object_id}} members: azuread_service_principal_keys: - - eslz + - alz identity: name: caf-identity prevent_duplicate_name: true diff --git a/templates/platform/services/launchpad_credentials_azuread_sp.yaml b/templates/platform/services/launchpad_credentials_azuread_sp.yaml index 140104390..16c596780 100644 --- a/templates/platform/services/launchpad_credentials_azuread_sp.yaml +++ b/templates/platform/services/launchpad_credentials_azuread_sp.yaml @@ -10,15 +10,12 @@ launchpad_credentials: level: level0 identity_aad_key: cred_identity config_file: credentials.yaml - sub_template_folder: level0/credentials + sub_template_folder: platform/level0/credentials # Do not rename the tfstate_key_name tfstate_key_name: launchpad_credentials deployments: landingzone: - tfstate: - platform: - launchpad_credentials: global_settings_key: platform: launchpad: @@ -27,7 +24,7 @@ launchpad_credentials: launchpad: - subscriptions: + resources: launchpad_credentials: resource_groups: sp_credentials: 
@@ -156,13 +153,13 @@ launchpad_credentials: azuread_group_key: management secret_permissions: - Get - cred_eslz: + cred_alz: name: es resource_group_key: sp_credentials purge_protection_enabled: false tags: caf_environment: {{topology.caf_environment}} - caf_identity_aad_key: cred_eslz + caf_identity_aad_key: cred_alz creation_policies: caf_platform_maintainers: lz_key: launchpad @@ -184,9 +181,9 @@ launchpad_credentials: - Delete - Purge - Recover - eslz_azuread_group: + alz_azuread_group: lz_key: launchpad - azuread_group_key: eslz + azuread_group_key: alz secret_permissions: - Get cred_connectivity: @@ -338,7 +335,7 @@ launchpad_credentials: azuread_service_principal_key: gitops secret_permissions: - Get - cred_eslz: + cred_alz: gitops: azuread_service_principal_key: gitops secret_permissions: @@ -409,14 +406,14 @@ launchpad_credentials: keyvaults: cred_management: secret_prefix: sp - eslz: + alz: type: password azuread_credential_policy_key: default_policy azuread_application: lz_key: launchpad - key: eslz + key: alz keyvaults: - cred_eslz: + cred_alz: secret_prefix: sp connectivity: type: password diff --git a/templates/platform/services/management.yaml b/templates/platform/services/management.yaml index 80b38accf..4dad1440e 100644 --- a/templates/platform/services/management.yaml +++ b/templates/platform/services/management.yaml @@ -10,15 +10,12 @@ management: level: level1 identity_aad_key: cred_management config_file: management.yaml - sub_template_folder: level1/management + sub_template_folder: platform/level1/management # Do not rename the tfstate_key_name tfstate_key_name: management deployments: landingzone: - tfstate: - platform: - management: global_settings_key: platform: launchpad: @@ -26,7 +23,7 @@ management: platform: launchpad: - subscriptions: + resources: management: resource_groups: management: 
@@ -44,13 +41,36 @@ management: account_replication_type: LRS diagnostic_log_analytics: - # if you change this key you also need to change it in the ESLZ deployment - # eslz/archetype_config_overrides.caf.platform.yaml - # eslz/custom_landing_zones.caf.platform.yaml + # if you change this key you also need to change it in the alz deployment + # alz/archetype_config_overrides.caf.platform.yaml + # alz/custom_landing_zones.caf.platform.yaml region1: name: logre1 resource_group_key: management + solutions_maps: + NetworkMonitoring: + publisher: Microsoft + product: OMSGallery/NetworkMonitoring + ADAssessment: + publisher: Microsoft + product: OMSGallery/ADAssessment + ADReplication: + publisher: Microsoft + product: OMSGallery/ADReplication + AgentHealthAssessment: + publisher: Microsoft + product: OMSGallery/AgentHealthAssessment + DnsAnalytics: + publisher: Microsoft + product: OMSGallery/DnsAnalytics + ContainerInsights: + publisher: Microsoft + product: OMSGallery/ContainerInsights + KeyVaultAnalytics: + publisher: Microsoft + product: OMSGallery/KeyVaultAnalytics + monitor_action_groups: networking_operations: action_group_name: Networking Operations diff --git a/templates/platform/services/subscriptions.yaml b/templates/platform/services/subscriptions.yaml index d5cace057..289130852 100644 --- a/templates/platform/services/subscriptions.yaml +++ b/templates/platform/services/subscriptions.yaml @@ -10,15 +10,12 @@ subscriptions: level: level1 identity_aad_key: cred_subscription_creation_platform config_file: subscriptions.yaml - sub_template_folder: level1/subscriptions + sub_template_folder: platform/level1/subscriptions # Do not rename the tfstate_key_name tfstate_key_name: subscriptions - deployments: + resources: landingzone: - tfstate: - platform: - subscriptions: subscriptions: launchpad: 
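Review bot: In the subscriptions.yaml hunk (`@@ -10,15 +10,12 @@`) it is the `deployments:` key that becomes `resources:`, leaving `landingzone:` nested under `resources:`, whereas every other service file in this patch (management.yaml just above, identity.yaml, asvm.yaml, …) keeps `deployments: landingzone:` and renames the resource block. If the remaining `subscriptions:` context line is the resource block, the rename belongs there: keep `deployments:` and change that line to `resources:`. As written, the launchpad subscription definition would be read under a different key than in the sibling services, and nothing in the hunk explains the divergence.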
diff --git a/templates/platform/services/template.caf.platform.yaml b/templates/platform/services/template.caf.platform.yaml.old similarity index 98% rename from templates/platform/services/template.caf.platform.yaml rename to templates/platform/services/template.caf.platform.yaml.old index 0e26ef5a6..2afe2f453 100644 --- a/templates/platform/services/template.caf.platform.yaml +++ b/templates/platform/services/template.caf.platform.yaml.old @@ -13,7 +13,7 @@ caf_terraform: inherit_tags: false # set: define the prefix to add to all resource names # unset: if passthrough is set to false, generate a random prefix - prefix: cont + prefix: {{prefix}} # if passthrough is set to false, add random suffix to name, up to the random_lenght value. random_length: 3 launchpad: @@ -58,7 +58,7 @@ platform_core_setup: v0.3.3: caf_landingzone_branch: "patch.5.4.4" v1.1.1: - caf_landingzone_branch: "AL-azurerm2931" + caf_landingzone_branch: "int.2202" enterprise_scale: {% for key, value in topology.enterprise_scale.items() %} {{key}}: diff --git a/templates/platform/services/tfstates.yaml b/templates/platform/services/tfstates.yaml index ac785d7c2..204ec3dcf 100644 --- a/templates/platform/services/tfstates.yaml +++ b/templates/platform/services/tfstates.yaml 
@@ -1,28 +1,35 @@ tfstates: - platform: -{% for key in topology.deployments.root.keys() %} + {{deployment_mode}}: +{% for a_key, value in topology.deployments[deployment_mode].root.items() %} +{% for key in value.keys() %} {{topologies[key].tfstate.tfstate_key_name}}: {% for l_key, l_value in topologies[key].tfstate.items() %} {{l_key}}: {{l_value}} {% endfor %} +{% endfor %} {% endfor %} -{% for key in topology.deployments.eslz.keys() %} - {{topologies['eslz_' + key].tfstate.tfstate_key_name}}: -{% for l_key, l_value in topologies['eslz_' + key].tfstate.items() %} +{% for a_key, value in topology.deployments[deployment_mode].alz.items() %} +{% for key in value.keys() %} + {{topologies['alz_' + key].tfstate.tfstate_key_name}}: +{% for l_key, l_value in topologies['alz_' + key].tfstate.items() %} {{l_key}}: {{l_value}} {% endfor %} {% endfor %} +{% endfor %} + -{% for key in topology.deployments.scale_out_domains.keys() %} +{% for a_key, a_value in topology.deployments[deployment_mode].scale_out_domains.items() %} +{% for key, value in a_value.items() %} {{key}}: -{% for a_key in topology.deployments.scale_out_domains[key].keys() %} - {{a_key}}: -{% for l_key, l_value in topologies[key + '_' + a_key].tfstate.items() %} +{% for b_key in value.keys() %} + {{b_key}}: +{% for l_key, l_value in topologies[key + '_' + b_key].tfstate.items() %} {{l_key}}: {{l_value}} {% endfor %} {% endfor %} {% endfor %} +{% endfor %} \ No newline at end of file diff --git a/templates/platform/single_subscription.yaml b/templates/platform/single_subscription.yaml index e9580247b..72eddd8ba 100644 --- a/templates/platform/single_subscription.yaml +++ b/templates/platform/single_subscription.yaml 
@@ -1,6 +1,22 @@ customer_name: {{customer_name}} caf_environment: {{caf_environment}} -caf_landingzone_branch: AL-azurerm2931 +default_email_address: {{default_email_address}} +alz_mg_prefix: {{alz_mg_prefix}} +alz_mg_name: {{alz_mg_name}} +azure_regions: {{azure_regions}} +prefix: {{prefix}} + +# folder parameters +topology_file: {{platform_definition_folder}}/ignite.yaml +landingzones_folder: {{landingzones_folder}} +public_templates_folder: {{public_templates_folder}} +platform_configuration_folder: {{platform_configuration_folder}} +platform_definition_folder: {{platform_definition_folder}} +platform_template_folder: {{platform_template_folder}} + +deployment_mode: {{deployment_mode}} + +caf_landingzone_branch: int.2202 caf_regions: {% for region, location in regions.items() %} @@ -20,6 +36,27 @@ resource_groups_allowed_regions: default_region_key: {{default_region_key}} +naming_convention: + # When set to false use the CAF provider to generate names aligned to CAF guidance + # true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace. + passthrough: false + inherit_tags: false + # set: define the prefix to add to all resource names + # unset: if passthrough is set to false, generate a random prefix + prefix: {{prefix}} + # if passthrough is set to false, add random suffix to name, up to the random_lenght value. + random_length: 3 + +caf_launchpad: + # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. + subscription_id: {{subscription_id.stdout}} + subscription_name: {{subscription_name.stdout}} + tenant_id: {{tenant_id.stdout}} + global_tags_propagated: yes + tags: + caf_deployment_mode: demo_single_subscription + + azuread_user_ea_account_owner: {{upn.stdout}} ea_owner_object_id: {{object_id.stdout}} 
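Review bot: `caf_landingzone_branch: int.2202` in the first hunk pins the landing-zone code to a branch, which is mutable: what a run of this topology deploys can change without any change in this file, and two runs are not guaranteed to produce the same result. Pinning to a release tag or commit, or at least stating the intent next to the key (`# int.2202 is an integration branch; pin to a release tag before relying on this topology`), makes the deployment reproducible and reviewable. The same value is set in connectivity_express_routes.yaml and template.caf.platform.yaml.old in this patch.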
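Review bot: In the second hunk `caf_deployment_mode: demo_single_subscription` is hard-coded under `caf_launchpad.tags` while `deployment_mode: {{deployment_mode}}` is templated a few lines earlier; if the tag is meant to track the mode, `caf_deployment_mode: {{deployment_mode}}` keeps them in sync, otherwise a comment that the tag names the topology rather than the mode would help, since tags on the launchpad are what the rover uses to locate it. The added comments also carry typos worth fixing in the same commit: "launhchapd", "servides" and "random_lenght".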
@@ -27,20 +64,47 @@ azuread_identity_mode: service_principal enable_azuread_groups: True enable_azuread_applications: True -enable_azure_subscription_vending_machine: True - -enterprise_scale: - {{eslz_mg_prefix}}: - version_to_deploy: "v1.1.1" - management_group_prefix: {{eslz_mg_prefix}} - management_group_name: "{{eslz_mg_name}}" - deploy_core_landing_zones: True - clean_up_destination_folder: True - update_lib_folder: True - +enable_azure_subscription_vending_machine: {{topology.enable_azure_subscription_vending_machine | default(bootstrap.enable_azure_subscription_vending_machine)}} + +management_groups: +{% for region, a_value in topology.deployments.platform.alz.items() %} + {{region}}: +{% for key in a_value.keys() %} + {{key}}: + management_group_prefix: "{{ topology.management_groups[region][key].management_group_prefix | default(alz_mg_prefix)}}" + management_group_name: "{{ topology.management_groups[region][key].management_group_name | default(alz_mg_name)}}" + deploy_core_landing_zones: {{topology.management_groups[region][key].deploy_core_landing_zones | default(True)}} + clean_up_destination_folder: {{topology.management_groups[region][key].clean_up_destination_folder | default(True)}} + update_lib_folder: {{topology.management_groups[region][key].update_lib_folder | default(True)}} + version_to_deploy: "{{topology.management_groups[region][key].version_to_deploy | default('v1.1.3')}}" +{% if topology.management_groups[region][key].root_parent_id is defined %} + root_parent_id: "{{topology.management_groups[region][key].root_parent_id}}" +{% endif %} +{% endfor %} +{% endfor %} subscription_deployment_mode: single_reuse +billing_subscription_role_delegations: + # true: enable this deployment. The remaining attributes are required. + # false: disable this deployment. 
+ # azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform + # azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running: + # az ad signed-in-user show --query objectId -o tsv + # The remaining attributes are ignored: [billing_account_name, enrollment_account_name] + enable: false + # Azure Active Directory User (UPN) that is Account Owner in the EA portal + # if enable=false, set the upn of the user doing the manual deployment + azuread_user_ea_account_owner: {{topology.azuread_user_ea_account_owner | default(upn.stdout)}} + # see comments above to get the object_id + # + # Also set this GUID to the owner of the launchpad azuread_groups + # + azuread_user_ea_account_owner_object_id: {{topology.ea_owner_object_id | default(object_id.stdout)}} + # Only set the following two attributes when enable=true + billing_account_name: + enrollment_account_name: + subscriptions: launchpad: # Do not rename the key name: {{subscription_name.stdout}} 
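Review bot: The `management_groups` loop indexes `topology.deployments.platform.alz.items()` with a literal `platform`, whereas tfstates.yaml in this same patch indexes `topology.deployments[deployment_mode]`, and this file now defines `deployment_mode: {{deployment_mode}}`; `{% for region, a_value in topology.deployments[deployment_mode].alz.items() %}` would keep the two templates consistent. I would also confirm that `bootstrap` is always defined where this renders, since `default(bootstrap.enable_azure_subscription_vending_machine)` evaluates its argument even when the topology value is present. The comment "if that user is already loged-in" should read "logged in".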
@@ -60,39 +124,43 @@ subscriptions: subscription_id: {{subscription_id.stdout}} deployments: - root: - launchpad: launchpad_azuread_sp_single_subscription.yaml - launchpad_credentials: launchpad_credentials_azuread_sp.yaml - subscriptions: subscriptions.yaml - identity: identity.yaml - management: management.yaml - asvm: asvm.yaml - eslz: - {{eslz_mg_prefix}}: eslz.yaml - scale_out_domains: - identity_level2: - prod: identity_level2.yaml - non_prod: identity_level2.yaml - virtual_wans: - prod: connectivity_virtual_wans.yaml - virtual_hubs: - prod: connectivity_virtual_hubs.yaml - non_prod: connectivity_virtual_hubs.yaml - virtual_hubs_route_tables: - prod: connectivity_virtual_hubs_route_tables.yaml - non_prod: connectivity_virtual_hubs_route_tables.yaml - azurerm_firewall_policies: - prod: connectivity_firewall_policies.yaml - non_prod: connectivity_firewall_policies.yaml - secure_firewalls: - prod: connectivity_secure_firewalls.yaml - non_prod: connectivity_secure_firewalls.yaml - private_dns_firewalls: - prod: connectivity_private_dns_firewalls.yaml - non_prod: connectivity_private_dns_firewalls.yaml - private_dns: - prod: connectivity_private_dns.yaml - non_prod: connectivity_private_dns.yaml + platform: + root: + {{default_region_key}}: + launchpad: launchpad_azuread_sp_single_subscription.yaml + launchpad_credentials: launchpad_credentials_azuread_sp.yaml + subscriptions: subscriptions.yaml + identity: identity.yaml + management: management.yaml + asvm: asvm.yaml + alz: + {{default_region_key}}: + {{alz_mg_prefix}}: alz.yaml + scale_out_domains: + {{default_region_key}}: + identity_level2: + prod: identity_level2.yaml + non_prod: identity_level2.yaml + virtual_wans: + prod: connectivity_virtual_wans.yaml + virtual_hubs: + prod: connectivity_virtual_hubs.yaml + non_prod: connectivity_virtual_hubs.yaml + virtual_hubs_route_tables: + prod: connectivity_virtual_hubs_route_tables.yaml + non_prod: connectivity_virtual_hubs_route_tables.yaml + 
azurerm_firewall_policies: + prod: connectivity_firewall_policies.yaml + non_prod: connectivity_firewall_policies.yaml + secure_firewalls: + prod: connectivity_secure_firewalls.yaml + non_prod: connectivity_secure_firewalls.yaml + private_dns_firewalls: + prod: connectivity_private_dns_firewalls.yaml + non_prod: connectivity_private_dns_firewalls.yaml + private_dns: + prod: connectivity_private_dns.yaml + non_prod: connectivity_private_dns.yaml # # Advanced settings 
@@ -137,38 +205,45 @@ backup_policies: weekdays: - Sunday +azure_landing_zones: + identity: + # Set the Azure Active Directory tenant name (primary domain name) + # has to be the default domain name (custom dns name or tenantname.onmicrosoft.com) + # check the AAD property + tenant_name: {{tenant_name.stdout}} + # only service_principal supported with rover ignite at the moment + azuread_identity_mode: {{topology.azuread_identity_mode}} + enable_azuread_groups: {{topology.enable_azuread_groups}} + enable_azuread_applications: {{topology.enable_azuread_applications}} + # UPNs you want to add in the caf_platform_maintainers Azure AD group + # Can use user or guest accounts + # Those users will have full permissions on platform. + # Once setup, you can remove them from here or add them from + # Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts. + caf_platform_maintainers: + user_principal_names: + # - + caf_platform_contributors: + user_principal_names: + # - + backup_policy: + vms: default + + management: + backup_policy: + vms: default + + connectivity: + networking_topology: + deployment_option: virtual_wan + backup_policy: + vms: default + +# cleanup_destination - recommended to clean and recreated a clean state from template. +configuration_folders: + platform: + # true: force the destination folder to be deleted and re-created before the files are created. + # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. 
+ cleanup_destination: true + -identity: - backup_policy: - vms: default - -management: - backup_policy: - vms: default - -connectivity: - backup_policy: - vms: default - - private_dns_zones: - zones: - privatelink.adf.azure.com: - privatelink.datafactory.azure.net: - privatelink.blob.core.windows.net: - privatelink.file.core.windows.net: - privatelink.notebooks.azure.net: - privatelink.dfs.core.windows.net: - privatelink.vaultcore.azure.net: - privatelink.azurecr.io: - privatelink.siterecovery.windowsazure.com: - privatelink.servicebus.windows.net: - privatelink.api.azureml.ms: - privatelink.monitor.azure.com: - privatelink.oms.opinsights.azure.com: - privatelink.ods.opinsights.azure.com: - privatelink.agentsvc.azure-automation.net: - - # region will be de-tokenized by the values set in resources_allowed_regions - regional_zones: - privatelink.region.azmk8s.io: - privatelink.region.backup.windowsazure.com: diff --git a/templates/platform/single_subscription_ao.yaml b/templates/platform/single_subscription_ao.yaml deleted file mode 100644 index 3c380b048..000000000 --- a/templates/platform/single_subscription_ao.yaml +++ /dev/null 
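Review bot: The new `azure_landing_zones.identity` block renders `{{topology.azuread_identity_mode}}`, `{{topology.enable_azuread_groups}}` and `{{topology.enable_azuread_applications}}` with no `default()`, unlike `enable_azure_subscription_vending_machine` earlier in this file, which falls back to `bootstrap.*`; the template_topology.yaml added in this commit defines all three under `bootstrap`, so a topology that omits them either fails on an undefined variable or, with a permissive Undefined, emits an empty `azuread_identity_mode:`. `azuread_identity_mode: {{topology.azuread_identity_mode | default(bootstrap.azuread_identity_mode)}}` (and the same for the two flags) keeps the fallback consistent. Separately, `cleanup_destination: true` is a destructive default — the comment says the folder is deleted and re-created — so it is worth adding to that comment that any local changes in the destination folder are lost on each run.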
@@ -1,184 +0,0 @@ -# -# Always-on template builing: -# - 1 Enterprise Scale -# - 1 global Virtual Wan with a Secure Firewall in Virtual Hub for egress internet traffic -# - 1 Azure Firewall in spoke vnet for private DNS resolution per region -# - -customer_name: {{customer_name}} -caf_environment: {{caf_environment}} -caf_landingzone_branch: AL-azurerm2931 - -caf_regions: -{% for region, location in regions.items() %} - {{region}}: {{location}} -{% endfor %} - -# Use the lower-case region's name, short version with no space -resources_allowed_regions: -{% for region in regions.keys() %} - - {{region}} -{% endfor %} - -resource_groups_allowed_regions: -{% for region in regions.keys() %} - - {{region}} -{% endfor %} - -default_region_key: {{default_region_key}} - -azuread_user_ea_account_owner: {{upn.stdout}} -ea_owner_object_id: {{object_id.stdout}} - -azuread_identity_mode: service_principal -enable_azuread_groups: True -enable_azuread_applications: True - -enable_azure_subscription_vending_machine: True - -enterprise_scale: - {{eslz_mg_prefix}}: - version_to_deploy: "v1.1.1" - management_group_prefix: {{eslz_mg_prefix}} - management_group_name: "{{eslz_mg_name}}" - deploy_core_landing_zones: True - clean_up_destination_folder: True - update_lib_folder: True - - -subscription_deployment_mode: single_reuse - -subscriptions: - launchpad: # Do not rename the key - name: {{subscription_name.stdout}} - create_alias: false - subscription_id: {{subscription_id.stdout}} - identity: # Do not rename the key - name: {{subscription_name.stdout}} - create_alias: false - subscription_id: {{subscription_id.stdout}} - connectivity: # Do not rename the key - name: {{subscription_name.stdout}} - create_alias: false - subscription_id: {{subscription_id.stdout}} - management: # Do not rename the key - name: {{subscription_name.stdout}} - create_alias: false - subscription_id: {{subscription_id.stdout}} - -deployments: - root: - launchpad: launchpad_azuread_sp_single_subscription.yaml 
- launchpad_credentials: launchpad_credentials_azuread_sp.yaml - subscriptions: subscriptions.yaml - identity: identity.yaml - management: management.yaml - asvm: asvm.yaml - eslz: - {{eslz_mg_prefix}}: eslz.yaml - scale_out_domains: - identity_level2: - prod: identity_level2.yaml - non_prod: identity_level2.yaml - virtual_wans: - prod: connectivity_virtual_wans.yaml - virtual_hubs: -{% for region, location in regions.items() %} - {{region}}: connectivity_virtual_hubs.yaml -{% endfor %} - virtual_hubs_route_tables: -{% for region, location in regions.items() %} - {{region}}: connectivity_virtual_hubs_route_tables.yaml -{% endfor %} - azurerm_firewall_policies: - prod: connectivity_firewall_policies.yaml - secure_firewalls: -{% for region, location in regions.items() %} - {{region}}: connectivity_secure_firewalls.yaml -{% endfor %} - private_dns_firewalls: -{% for region, location in regions.items() %} - {{region}}: connectivity_private_dns_firewalls.yaml -{% endfor %} - private_dns: - prod: connectivity_private_dns.yaml - non_prod: connectivity_private_dns.yaml - -# -# Advanced settings -# - -notifications: - monitor_action_groups: - networking_operations: {{default_email_address}} - service_health_alerts: {{default_email_address}} - azure_defender: - emailSecurityContact: {{default_email_address}} - - -backup_policies: - vms: - default: - name: vm-default-policy - # Default to UTC - # possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/ - timezone: SE Asia Standard Time - backup: - frequency: Daily - time: "23:00" - retention_daily: - count: 7 - retention_weekly: - count: 2 - weekdays: - - Sunday - retention_monthly: - count: 2 - weeks: - - First - weekdays: - - Sunday - retention_yearly: - count: 1 - weeks: - - First - months: - - January - weekdays: - - Sunday - - -identity: - backup_policy: - vms: default - -management: - backup_policy: - vms: default - -connectivity: - backup_policy: - vms: default - - private_dns_zones: - 
zones: - privatelink.adf.azure.com: - privatelink.datafactory.azure.net: - privatelink.blob.core.windows.net: - privatelink.file.core.windows.net: - privatelink.notebooks.azure.net: - privatelink.dfs.core.windows.net: - privatelink.vaultcore.azure.net: - privatelink.azurecr.io: - privatelink.siterecovery.windowsazure.com: - privatelink.servicebus.windows.net: - privatelink.api.azureml.ms: - privatelink.monitor.azure.com: - privatelink.oms.opinsights.azure.com: - privatelink.ods.opinsights.azure.com: - privatelink.agentsvc.azure-automation.net: - - # region will be de-tokenized by the values set in resources_allowed_regions - regional_zones: - privatelink.region.azmk8s.io: - privatelink.region.backup.windowsazure.com: diff --git a/templates/platform/template_topology.yaml b/templates/platform/template_topology.yaml new file mode 100644 index 000000000..99d1e08f6 --- /dev/null +++ b/templates/platform/template_topology.yaml 
@@ -0,0 +1,59 @@ +bootstrap: + azuread_identity_mode: service_principal + enable_azuread_groups: True + enable_azuread_applications: True + + enable_azure_subscription_vending_machine: True + + management_groups: + region1: + es: + management_group_prefix: "es" + management_group_name: "Contoso" + deploy_core_landing_zones: True + clean_up_destination_folder: True + update_lib_folder: True + version_to_deploy: "v1.1.1" + + subscription_deployment_mode: single_reuse + + caf_landingzone_branch: int.2202 + + deployments: + platform: + root: + region1: + launchpad: launchpad_azuread_sp_single_subscription.yaml + launchpad_credentials: launchpad_credentials_azuread_sp.yaml + subscriptions: subscriptions.yaml + identity: identity.yaml + management: management.yaml + asvm: asvm.yaml + alz: + region1: + es: alz.yaml + scale_out_domains: + region1: + identity_level2: + prod: identity_level2.yaml + non_prod: identity_level2.yaml + virtual_wans: + prod: connectivity_virtual_wans.yaml + virtual_hubs: + prod: connectivity_virtual_hubs.yaml + non_prod: connectivity_virtual_hubs.yaml + virtual_hubs_route_tables: + prod: connectivity_virtual_hubs_route_tables.yaml + non_prod: connectivity_virtual_hubs_route_tables.yaml + azurerm_firewall_policies: + prod: connectivity_firewall_policies.yaml + non_prod: connectivity_firewall_policies.yaml + secure_firewalls: + prod: connectivity_secure_firewalls.yaml + non_prod: connectivity_secure_firewalls.yaml + private_dns_firewalls: + prod: connectivity_private_dns_firewalls.yaml + non_prod: connectivity_private_dns_firewalls.yaml + private_dns: + prod: connectivity_private_dns.yaml + non_prod: connectivity_private_dns.yaml diff --git a/templates/resources/active_directory_domain_service.tfvars.j2 b/templates/resources/active_directory_domain_service.tfvars.j2 index 9b1df748b..fbb8d44a0 100644 --- a/templates/resources/active_directory_domain_service.tfvars.j2 +++ b/templates/resources/active_directory_domain_service.tfvars.j2 
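Review bot: `caf_landingzone_branch: int.2202` pins the landing-zone code to a mutable branch name rather than a tag or commit, so two renders of the same topology can pull different module code as the branch moves; for a bootstrap default, a release tag, or a comment stating that this value is expected to be overridden per environment, would make the provenance of what gets deployed reproducible. The defaults here otherwise mirror the platform template, except that `version_to_deploy: "v1.1.1"` differs from the `'v1.1.3'` literal used as the fallback there, which is worth reconciling.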
@@ -1,5 +1,5 @@
 active_directory_domain_service = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].active_directory_domain_service.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].active_directory_domain_service.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 region = "{{ value.region }}"
diff --git a/templates/resources/active_directory_domain_service_replica_set.tfvars.j2 b/templates/resources/active_directory_domain_service_replica_set.tfvars.j2
index 75f07c367..b58a2952d 100644
--- a/templates/resources/active_directory_domain_service_replica_set.tfvars.j2
+++ b/templates/resources/active_directory_domain_service_replica_set.tfvars.j2
@@ -1,5 +1,5 @@
 active_directory_domain_service_replica_set = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].active_directory_domain_service_replica_set.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].active_directory_domain_service_replica_set.items() %}
 {{ key }} = {
 region = "{{ value.region }}"
 active_directory_domain_service = {
diff --git a/templates/resources/automation_accounts.tfvars.j2 b/templates/resources/automation_accounts.tfvars.j2
index e83e1afa4..3c3fd5824 100644
--- a/templates/resources/automation_accounts.tfvars.j2
+++ b/templates/resources/automation_accounts.tfvars.j2
@@ -1,5 +1,5 @@
 automations = {
-{% for key, automation in resources[tfstate_resource].subscriptions[subscription_key].automation_accounts.items() %}
+{% for key, automation in resources[tfstate_resource].resources[subscription_key].automation_accounts.items() %}
 {{ key }} = {
 name = "{{ automation.name }}"
 sku = "{{ automation.sku | default('Basic') }}"
diff --git a/templates/resources/azuread_api_permissions.tfvars.j2 b/templates/resources/azuread_api_permissions.tfvars.j2
index 1c4026711..348cf32a6 100644
--- a/templates/resources/azuread_api_permissions.tfvars.j2
+++ b/templates/resources/azuread_api_permissions.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_api_permissions = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_api_permissions.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].azuread_api_permissions.items() %}
 {{ key }} = {
 {% if value.microsoft_graph is defined %}
 microsoft_graph = {
diff --git a/templates/resources/azuread_applications.tfvars.j2 b/templates/resources/azuread_applications.tfvars.j2
index c13b364fa..5138b99dd 100644
--- a/templates/resources/azuread_applications.tfvars.j2
+++ b/templates/resources/azuread_applications.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_applications = {
-{% for key, app in resources[tfstate_resource].subscriptions[subscription_key].azuread_applications.items() %}
+{% for key, app in resources[tfstate_resource].resources[subscription_key].azuread_applications.items() %}
 {{ key }} = {
 application_name = "{{ app.application_name }}"
 }
diff --git a/templates/resources/azuread_credential_policies.tfvars.j2 b/templates/resources/azuread_credential_policies.tfvars.j2
index 58e9776d2..e16107501 100644
--- a/templates/resources/azuread_credential_policies.tfvars.j2
+++ b/templates/resources/azuread_credential_policies.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_credential_policies = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_credential_policies.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].azuread_credential_policies.items() %}
 {{ key }} = {
 # Length of the password
 length = {{ value.length }}
diff --git a/templates/resources/azuread_credentials.tfvars.j2 b/templates/resources/azuread_credentials.tfvars.j2
index f2ef07681..7f1e9d690 100644
--- a/templates/resources/azuread_credentials.tfvars.j2
+++ b/templates/resources/azuread_credentials.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_credentials = {
-{% for key, cred in resources[tfstate_resource].subscriptions[subscription_key].azuread_credentials.items() %}
+{% for key, cred in resources[tfstate_resource].resources[subscription_key].azuread_credentials.items() %}
 {{ key }} = {
 type = "{{ cred.type | default('password') }}"
 azuread_credential_policy_key = "{{ cred.azuread_credential_policy_key }}"
diff --git a/templates/resources/azuread_groups.tfvars.j2 b/templates/resources/azuread_groups.tfvars.j2
index 314755678..0b33712cc 100644
--- a/templates/resources/azuread_groups.tfvars.j2
+++ b/templates/resources/azuread_groups.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_groups = {
-{% for key, ad_group in resources[tfstate_resource].subscriptions[subscription_key].azuread_groups.items() %}
+{% for key, ad_group in resources[tfstate_resource].resources[subscription_key].azuread_groups.items() %}
 {{ key }} = {
 name = "{{ ad_group.name }}"
 {% if ad_group.description is defined %}
diff --git a/templates/resources/azuread_groups_membership.tfvars.j2 b/templates/resources/azuread_groups_membership.tfvars.j2
index 70bce2c45..cebf2e2a1 100644
--- a/templates/resources/azuread_groups_membership.tfvars.j2
+++ b/templates/resources/azuread_groups_membership.tfvars.j2
@@ -1,5 +1,5 @@
 azuread_groups_membership = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_groups_membership.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].azuread_groups_membership.items() %}
 {{ key }} = {
 {% for l1_key , l1_value in value.items() %}
 {{l1_key}} = {
diff --git a/templates/resources/azuread_roles.tfvars.j2 b/templates/resources/azuread_roles.tfvars.j2
index 1badc9bdb..6ace90376 100644
--- a/templates/resources/azuread_roles.tfvars.j2
+++ b/templates/resources/azuread_roles.tfvars.j2
@@ -3,7 +3,7 @@ # az rest --method Get --uri https://graph.microsoft.com/v1.0/directoryRoleTemplates -o json | jq -r .value[].displayName # azuread_roles = { -{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azuread_roles.items() %} +{% for key, value in resources[tfstate_resource].resources[subscription_key].azuread_roles.items() %} {{ key }} = { {% for l_key, l_value in value.items() %} {{l_key}} = { diff --git a/templates/resources/azuread_service_principals.tfvars.j2 b/templates/resources/azuread_service_principals.tfvars.j2 index 839316d61..ffbc4fdf6 100644 --- a/templates/resources/azuread_service_principals.tfvars.j2 +++ b/templates/resources/azuread_service_principals.tfvars.j2 @@ -1,6 +1,6 @@ azuread_service_principals = { -{% for key, sp in resources[tfstate_resource].subscriptions[subscription_key].azuread_service_principals.items() %} +{% for key, sp in resources[tfstate_resource].resources[subscription_key].azuread_service_principals.items() %} {{ key }} = { azuread_application = { key = "{{ sp.azuread_application.key }}" diff --git a/templates/resources/azurerm_firewall_policies.tfvars.j2 b/templates/resources/azurerm_firewall_policies.tfvars.j2 index d9fff5cb8..f50514b50 100644 --- a/templates/resources/azurerm_firewall_policies.tfvars.j2 +++ b/templates/resources/azurerm_firewall_policies.tfvars.j2 @@ -1,5 +1,5 @@ azurerm_firewall_policies = { -{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azurerm_firewall_policies.items() %} +{% for key, value in resources[tfstate_resource].resources[subscription_key].azurerm_firewall_policies.items() %} {{ key }} = { name = "{{ value.name }}" {% if value.region_key is defined %} diff --git a/templates/resources/azurerm_firewalls.tfvars.j2 b/templates/resources/azurerm_firewalls.tfvars.j2 index ba8c96fbd..bc524b83d 100644 --- a/templates/resources/azurerm_firewalls.tfvars.j2 +++ b/templates/resources/azurerm_firewalls.tfvars.j2 
@@ -1,5 +1,5 @@
 azurerm_firewalls = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].azurerm_firewalls.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].azurerm_firewalls.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/container_groups.tfvars.j2 b/templates/resources/container_groups.tfvars.j2
index c57245c6f..460b122f8 100644
--- a/templates/resources/container_groups.tfvars.j2
+++ b/templates/resources/container_groups.tfvars.j2
@@ -1,5 +1,5 @@
 container_groups = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].container_groups.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].container_groups.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 {% if value.region is defined %}
diff --git a/templates/resources/custom_role_definitions.tfvars.j2 b/templates/resources/custom_role_definitions.tfvars.j2
index a807d3e83..d1e1bcc51 100644
--- a/templates/resources/custom_role_definitions.tfvars.j2
+++ b/templates/resources/custom_role_definitions.tfvars.j2
@@ -1,5 +1,5 @@
 custom_role_definitions = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].custom_role_definitions.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].custom_role_definitions.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 {% if value.useprefix is defined %}
diff --git a/templates/resources/ddos_services.tfvars.j2 b/templates/resources/ddos_services.tfvars.j2
index eaf9a5ad4..7e7b608b3 100644
--- a/templates/resources/ddos_services.tfvars.j2
+++ b/templates/resources/ddos_services.tfvars.j2
@@ -1,5 +1,5 @@
 ddos_services = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].ddos_services.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].ddos_services.items() %}
 "{{key}}" = {
 resource_group_key = "{{ value.resource_group_key }}"
 name = "{{ value.name }}"
diff --git a/templates/resources/diagnostic_log_analytics.tfvars.j2 b/templates/resources/diagnostic_log_analytics.tfvars.j2
index 73783d880..aa208500b 100644
--- a/templates/resources/diagnostic_log_analytics.tfvars.j2
+++ b/templates/resources/diagnostic_log_analytics.tfvars.j2
@@ -3,16 +3,29 @@ # diagnostic_log_analytics = { -{% for key, dla in resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics.items() %} +{% for key, dla in resources[tfstate_resource].resources[subscription_key].diagnostic_log_analytics.items() %} {{ key }} = { - region = "{{ dla.region | default(resources.caf_terraform.launchpad.default_region_key)}}" + region = "{{ dla.region | default(resources.default_region_key)}}" name = "{{ dla.name }}" resource_group_key = "{{ dla.resource_group_key }}" +{% if dla.sku is defined %} + sku = "{{ dla.sku }}" +{% endif %} +{% if dla.retention_in_days is defined %} + retention_in_days = {{ dla.retention_in_days }} +{% endif %} +{% if dla.tags is defined %} + tags = { +{% for tag_key, tag_value in dla.tags.items() %} + {{ tag_key }} = "{{ tag_value }}" +{% endfor %} + } +{% endif %} -{% if resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles is defined %} +{% if dla.diagnostic_profiles is defined %} # you can setup up to 5 key diagnostic_profiles = { -{% for dp_key, dp_value in resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles.items() %} +{% for dp_key, dp_value in dla.diagnostic_profiles.items() %} {{ dp_key }} = { definition_key = "{{ dp_value.definition_key }}" destination_type = "{{ dp_value.destination_type }}" 
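Review bot: `retention_in_days = {{ dla.retention_in_days }}` is emitted as a bare token, so a quoted or non-numeric value in the topology produces invalid HCL rather than a template error, and nothing bounds the value; since this attribute sets how long the central diagnostic and audit logs stay queryable, it is worth a numeric check before rendering (Jinja's `is number` test) rather than `| int`, which would silently coerce bad input to 0. A comment such as `# retention_in_days: workspace log retention; lowering it shortens the window available for investigations` next to the new block would also help reviewers of topology files. `sku` is quoted and is fine as written.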
@@ -21,12 +34,15 @@ diagnostic_log_analytics = { {% endfor %} } {% endif %} -{% if resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].solutions is defined %} - solutions = { -{% for sol_key, sol_value in resources[tfstate_resource].subscriptions[subscription_key].diagnostic_log_analytics[key].solutions.items() %} +{% if dla.solutions_maps is defined %} + solutions_maps = { +{% for sol_key, sol_value in dla.solutions_maps.items() %} {{ sol_key }} = { "publisher" = "{{ sol_value.publisher }}" "product" = "{{ sol_value.product }}" +{% if sol_value.promotion_code is defined %} + promotion_code = "{{ sol_value.promotion_code }}" +{% endif %} } {% endfor %} diff --git a/templates/resources/diagnostic_storage_accounts.tfvars.j2 b/templates/resources/diagnostic_storage_accounts.tfvars.j2 index 55e1498b3..3916d115e 100644 --- a/templates/resources/diagnostic_storage_accounts.tfvars.j2 +++ b/templates/resources/diagnostic_storage_accounts.tfvars.j2 
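Review bot: Renaming the input key from `solutions` to `solutions_maps` behind `{% if dla.solutions_maps is defined %}` means a topology file that still uses the old `solutions` key renders no solutions block at all, without any error, so existing log-analytics solutions would quietly be removed on the next apply. Either accept both spellings for a transition, e.g. `{% set sols = dla.solutions_maps | default(dla.solutions) %}` followed by `{% if sols is defined %}`, or state the rename in a comment where topology authors will see it.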
@@ -2,40 +2,40 @@ # Storage accounts, log analytics, event hubs diagnostic_storage_accounts = { -{% for key in resources.caf_terraform.launchpad.regions.keys() %} +{% for key in resources.caf_regions.keys() %} # Stores diagnostic logging for {{key}} - diaglogs_{{resources.caf_terraform.launchpad.regions[key].slug}} = { - name = "diaglogs{{ resources.caf_terraform.launchpad.regions[key].slug }}" + diaglogs_{{resources.caf_regions[key].slug}} = { + name = "diaglogs{{ resources.caf_regions[key].slug }}" region = "{{key}}" - resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.resource_group_key }}" - account_kind = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.account_kind }}" - account_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.account_tier }}" - account_replication_type = "{{ resources.caf_terraform.launchpad.account_replication_type }}" - access_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.diagnostics.access_tier }}" + resource_group_key = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.diagnostics.resource_group_key }}" + account_kind = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.diagnostics.account_kind }}" + account_tier = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.diagnostics.account_tier }}" + account_replication_type = "{{ resources.launchpad.account_replication_type }}" + access_tier = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.diagnostics.access_tier }}" } {% endfor %} -{% for key in resources.caf_terraform.launchpad.regions.keys() %} +{% for key in resources.caf_regions.keys() %} # Stores security logs for siem for {{key}} - 
diagsiem_{{resources.caf_terraform.launchpad.regions[key].slug}} = { - name = "siem{{ resources.caf_terraform.launchpad.regions[key].slug }}" + diagsiem_{{resources.caf_regions[key].slug}} = { + name = "siem{{ resources.caf_regions[key].slug }}" region = "{{key}}" - resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.resource_group_key }}" - account_kind = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.account_kind }}" - account_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.account_tier }}" - account_replication_type = "{{ resources.caf_terraform.launchpad.account_replication_type }}" - access_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.siem.access_tier }}" + resource_group_key = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.siem.resource_group_key }}" + account_kind = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.siem.account_kind }}" + account_tier = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.siem.account_tier }}" + account_replication_type = "{{ resources.launchpad.account_replication_type }}" + access_tier = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.siem.access_tier }}" } {% endfor %} -{% for key in resources.caf_terraform.launchpad.regions.keys() %} +{% for key in resources.caf_regions.keys() %} # Stores boot diagnostic for {{key}} - bootdiag_{{resources.caf_terraform.launchpad.regions[key].slug}} = { - name = "boot{{ resources.caf_terraform.launchpad.regions[key].slug }}" + bootdiag_{{resources.caf_regions[key].slug}} = { + name = "boot{{ resources.caf_regions[key].slug }}" region = "{{key}}" - resource_group_key = "{{ 
resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.resource_group_key }}" - account_kind = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_kind }}" - account_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_tier }}" - account_replication_type = "{{ resources.caf_terraform.launchpad.account_replication_type }}" - access_tier = "{{ resources[tfstate_resource].subscriptions[subscription_key].diagnostic_storage_accounts.bootdiagnostics.access_tier }}" + resource_group_key = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.bootdiagnostics.resource_group_key }}" + account_kind = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_kind }}" + account_tier = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.bootdiagnostics.account_tier }}" + account_replication_type = "{{ resources.launchpad.account_replication_type }}" + access_tier = "{{ resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.bootdiagnostics.access_tier }}" } {% endfor %} } \ No newline at end of file diff --git a/templates/resources/diagnostics_destinations.tfvars.j2 b/templates/resources/diagnostics_destinations.tfvars.j2 index d74490db6..cbf8abdb5 100644 --- a/templates/resources/diagnostics_destinations.tfvars.j2 +++ b/templates/resources/diagnostics_destinations.tfvars.j2 
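Review bot: The three loops in this hunk spell out the full `resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts.<account>.<attr>` path a dozen times and repeat the same five-attribute body three times; a `{% set dsa = resources[tfstate_resource].resources[subscription_key].diagnostic_storage_accounts %}` above the first loop, then `dsa.siem.account_kind` and so on, would make the per-account differences (resource group, kind, tier) visible at a glance. Note also that `account_replication_type` is now taken from `resources.launchpad.account_replication_type` for the diagnostic, SIEM and boot-diagnostic accounts alike; since the SIEM account holds security logs, a comment saying that replication is deliberately shared with the launchpad setting rather than chosen per account would stop a later reader from treating it as an oversight.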
@@ -7,9 +7,9 @@ diagnostics_destinations = { # in the region of the deployment storage = { all_regions = { -{% for key in resources.caf_terraform.launchpad.regions.keys() %} - "{{ resources.caf_terraform.launchpad.regions[key].name }}" = { - storage_account_key = "diagsiem_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" +{% for key in resources.caf_regions.keys() %} + "{{ resources.caf_regions[key].name }}" = { + storage_account_key = "diagsiem_{{resources.caf_regions[resources.default_region_key].slug}}" } {% endfor %} } @@ -17,14 +17,14 @@ diagnostics_destinations = { log_analytics = { central_logs = { - log_analytics_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" + log_analytics_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}" log_analytics_destination_type = "Dedicated" } } event_hub_namespaces = { central_logs = { - event_hub_namespace_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}" + event_hub_namespace_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}" } } } diff --git a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 b/templates/resources/dynamic_keyvault_secrets.tfvars.j2 index 9a2d4460d..edccb1955 100644 --- a/templates/resources/dynamic_keyvault_secrets.tfvars.j2 +++ b/templates/resources/dynamic_keyvault_secrets.tfvars.j2 @@ -1,5 +1,5 @@ dynamic_keyvault_secrets = { -{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].dynamic_keyvault_secrets.items() %} +{% for key, value in resources[tfstate_resource].resources[subscription_key].dynamic_keyvault_secrets.items() %} {{ key }} = { {% for l1_key, l1_value in value.items() %} {{l1_key}} = { 
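Review bot: `storage_account_key = "diagsiem_{{resources.caf_regions[resources.default_region_key].slug}}"` sits inside a loop over every region but always resolves to the default region's account, so the per-region `diagsiem_<slug>` storage accounts generated by custom_landing_zones.tfvars.j2 earlier in this commit are never referenced here, and the context comment `# in the region of the deployment` does not describe what is rendered. If one central SIEM account is intended, the comment should say so; if diagnostics are meant to stay in-region, the loop variable is the right key: `storage_account_key = "diagsiem_{{resources.caf_regions[key].slug}}"`. I cannot tell from the hunk which of the two is intended, only that the comment and the code disagree.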
diff --git a/templates/resources/express_route_connections.tfvars.j2 b/templates/resources/express_route_connections.tfvars.j2
index f5c89e688..7ca3b4574 100644
--- a/templates/resources/express_route_connections.tfvars.j2
+++ b/templates/resources/express_route_connections.tfvars.j2
@@ -1,5 +1,5 @@
 express_route_connections = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].express_route_connections.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].express_route_connections.items() %}
 {% if value.enable_er_connections %}
 {{ key }} = {
 name = "{{ value.name }}"
diff --git a/templates/resources/global_settings.tfvars.j2 b/templates/resources/global_settings.tfvars.j2
index 2eb59063d..c7774c050 100644
--- a/templates/resources/global_settings.tfvars.j2
+++ b/templates/resources/global_settings.tfvars.j2
@@ -1,21 +1,21 @@ -{% if resources[tfstate_resource].subscriptions[subscription_key].global_settings is defined %} +{% if resources[tfstate_resource].resources[subscription_key].global_settings is defined %} global_settings = { - passthrough = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.passthrough | string | lower }} - prefix = "{{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.prefix }}" - use_slug = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.use_slug | string | lower }} - inherit_tags = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.inherit_tags | string | lower }} - random_length = {{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.random_length }} -{% if resources[tfstate_resource].subscriptions[subscription_key].global_settings.tags is defined %} + passthrough = {{ resources[tfstate_resource].resources[subscription_key].global_settings.passthrough | string | lower }} + prefix = "{{ resources[tfstate_resource].resources[subscription_key].global_settings.prefix }}" + use_slug = {{ resources[tfstate_resource].resources[subscription_key].global_settings.use_slug | string | lower }} + inherit_tags = {{ resources[tfstate_resource].resources[subscription_key].global_settings.inherit_tags | string | lower }} + random_length = {{ resources[tfstate_resource].resources[subscription_key].global_settings.random_length }} +{% if resources[tfstate_resource].resources[subscription_key].global_settings.tags is defined %} tags = { -{% for tag, value in resources[tfstate_resource].subscriptions[subscription_key].global_settings.tags.items() %} +{% for tag, value in resources[tfstate_resource].resources[subscription_key].global_settings.tags.items() %} "{{ tag }}" = "{{value}}" {% endfor %} } {% endif %} - default_region = "{{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.default_region_key 
}}" + default_region = "{{ resources[tfstate_resource].resources[subscription_key].global_settings.default_region_key }}" regions = { -{% for key in resources[tfstate_resource].subscriptions[subscription_key].global_settings.regions.keys() %} - {{ key }} = "{{ resources[tfstate_resource].subscriptions[subscription_key].global_settings.regions[key].name }}" +{% for key in resources[tfstate_resource].resources[subscription_key].global_settings.regions.keys() %} + {{ key }} = "{{ resources[tfstate_resource].resources[subscription_key].global_settings.regions[key].name }}" {% endfor %} } } diff --git a/templates/resources/keyvault_access_policies.tfvars.j2 b/templates/resources/keyvault_access_policies.tfvars.j2 index 002960211..e81fadd16 100644 --- a/templates/resources/keyvault_access_policies.tfvars.j2 +++ b/templates/resources/keyvault_access_policies.tfvars.j2 @@ -1,5 +1,5 @@ keyvault_access_policies = { - {% for key, policy in resources[tfstate_resource].subscriptions[subscription_key].keyvault_access_policies.items() %} + {% for key, policy in resources[tfstate_resource].resources[subscription_key].keyvault_access_policies.items() %} {{ key }} = { {% for s_key, s_policy in policy.items() %} {{ s_key }} = { diff --git a/templates/resources/keyvaults.tfvars.j2 b/templates/resources/keyvaults.tfvars.j2 index c2d44386f..79f0561ec 100644 --- a/templates/resources/keyvaults.tfvars.j2 +++ b/templates/resources/keyvaults.tfvars.j2 
@@ -1,9 +1,9 @@
 keyvaults = {
-{% for key, keyvault in resources[tfstate_resource].subscriptions[subscription_key].keyvaults.items() %}
+{% for key, keyvault in resources[tfstate_resource].resources[subscription_key].keyvaults.items() %}
 {{ key }} = {
- name = "{{ resources[tfstate_resource].subscriptions[subscription_key].keyvaults[key].name }}"
- resource_group_key = "{{ resources[tfstate_resource].subscriptions[subscription_key].keyvaults[key].resource_group_key }}"
- sku_name = "{{ resources[tfstate_resource].subscriptions[subscription_key].keyvaults[key].sku_name | default('standard')}}"
+ name = "{{ resources[tfstate_resource].resources[subscription_key].keyvaults[key].name }}"
+ resource_group_key = "{{ resources[tfstate_resource].resources[subscription_key].keyvaults[key].resource_group_key }}"
+ sku_name = "{{ resources[tfstate_resource].resources[subscription_key].keyvaults[key].sku_name | default('standard')}}"
 {% if keyvault.enabled_for_deployment is defined %}
 enabled_for_deployment = "{{ keyvault.enabled_for_deployment | string | lower }}"
 {% endif %}
@@ -31,7 +31,7 @@ keyvaults = {
 {% endif %}
 creation_policies = {
 {% if resources.platform_identity is defined %}
-{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
+{% if resources.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %}
 logged_in_user = {
 secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
 }
diff --git a/templates/resources/managed_identities.tfvars.j2 b/templates/resources/managed_identities.tfvars.j2
index fe2acaa41..4618d6f6e 100644
--- a/templates/resources/managed_identities.tfvars.j2
+++ b/templates/resources/managed_identities.tfvars.j2
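Review bot: In the second hunk the outer guard `{% if resources.platform_identity is defined %}` still tests the old object while the inner condition was moved to `resources.azure_landing_zones.identity.azuread_identity_mode`, so the guard no longer protects the lookup it wraps: a configuration that carries `platform_identity` but not `azure_landing_zones.identity` will (depending on the renderer's undefined handling) abort or render garbage, and one that carries only the new object silently skips the branch. The guard should follow the rename, `{% if resources.azure_landing_zones.identity is defined %}`, which is a context line here, so the fix touches a line the commit did not. This is the branch that grants the logged-in user `Set/Get/List/Delete/Purge/Recover` on every key vault in the loop, so whether it fires should not depend on a stale guard.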
@@ -1,5 +1,5 @@
 managed_identities = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].managed_identities.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].managed_identities.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/monitor_action_groups.tfvars.j2 b/templates/resources/monitor_action_groups.tfvars.j2
index 97851181d..40f5479f0 100644
--- a/templates/resources/monitor_action_groups.tfvars.j2
+++ b/templates/resources/monitor_action_groups.tfvars.j2
@@ -1,5 +1,5 @@
 monitor_action_groups = {
-{% for key, mag in resources[tfstate_resource].subscriptions[subscription_key].monitor_action_groups.items() %}
+{% for key, mag in resources[tfstate_resource].resources[subscription_key].monitor_action_groups.items() %}
 {{ key }} = {
 action_group_name = "{{ mag.action_group_name }}"
 shortname = "{{ mag.shortname }}"
diff --git a/templates/resources/network_profiles.tfvars.j2 b/templates/resources/network_profiles.tfvars.j2
index 9c19c438e..d1792ee28 100644
--- a/templates/resources/network_profiles.tfvars.j2
+++ b/templates/resources/network_profiles.tfvars.j2
@@ -1,5 +1,5 @@
 network_profiles = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].network_profiles.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].network_profiles.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group = {
diff --git a/templates/resources/network_security_group_definition.tfvars.j2 b/templates/resources/network_security_group_definition.tfvars.j2
index 75dc71e57..e5949d1de 100644
--- a/templates/resources/network_security_group_definition.tfvars.j2
+++ b/templates/resources/network_security_group_definition.tfvars.j2
@@ -1,5 +1,5 @@
 network_security_group_definition = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].network_security_group_definition.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].network_security_group_definition.items() %}
 {{ key }} = {
 version = {{ value.version }}
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/private_dns.tfvars.j2 b/templates/resources/private_dns.tfvars.j2
index 57be0eee5..cbc93b2d7 100644
--- a/templates/resources/private_dns.tfvars.j2
+++ b/templates/resources/private_dns.tfvars.j2
@@ -1,5 +1,5 @@
 private_dns = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].private_dns.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].private_dns.items() %}
 "{{ key }}" = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/public_ip_addresses.tfvars.j2 b/templates/resources/public_ip_addresses.tfvars.j2
index 65dab5bd3..aee729c64 100644
--- a/templates/resources/public_ip_addresses.tfvars.j2
+++ b/templates/resources/public_ip_addresses.tfvars.j2
@@ -1,5 +1,5 @@
 public_ip_addresses = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].public_ip_addresses.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].public_ip_addresses.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group_key = "{{ value.resource_group_key }}"
diff --git a/templates/resources/recovery_vaults.tfvars.j2 b/templates/resources/recovery_vaults.tfvars.j2
index 48c059738..0d53d2e53 100644
--- a/templates/resources/recovery_vaults.tfvars.j2
+++ b/templates/resources/recovery_vaults.tfvars.j2
@@ -1,10 +1,10 @@ recovery_vaults = { -{% for key, asr in resources[tfstate_resource].subscriptions[subscription_key].recovery_vaults.items() %} +{% for key, asr in resources[tfstate_resource].resources[subscription_key].recovery_vaults.items() %} {{ key }} = { name = "{{ asr.name }}" resource_group_key = "{{ asr.resource_group_key }}" - region = "{{ asr.region | default(resources.caf_terraform.launchpad.default_region_key) }}" + region = "{{ asr.region | default(resources.default_region_key) }}" soft_delete_enabled = {{ asr.soft_delete_enabled | default(true) | string | lower }} {% if asr.backup_policies is defined %} backup_policies = { diff --git a/templates/resources/resource_groups.tfvars.j2 b/templates/resources/resource_groups.tfvars.j2 index e612d6b64..700fc9c8f 100644 --- a/templates/resources/resource_groups.tfvars.j2 +++ b/templates/resources/resource_groups.tfvars.j2 @@ -1,8 +1,8 @@ resource_groups = { -{% for key, resource_group in resources[tfstate_resource].subscriptions[subscription_key].resource_groups.items() %} +{% for key, resource_group in resources[tfstate_resource].resources[subscription_key].resource_groups.items() %} {{ key }} = { name = "{{ resource_group.name }}" - region = "{{ resource_group.region_key | default(resources.caf_terraform.launchpad.default_region_key) }}" + region = "{{ resource_group.region_key | default(resources.default_region_key) }}" {% if resource_group.tags is defined %} tags = { {% for tag_key, tag_value in resource_group.tags.items() %} diff --git a/templates/resources/role_mapping.tfvars.j2 b/templates/resources/role_mapping.tfvars.j2 index c9f28abd7..0b21b8458 100644 --- a/templates/resources/role_mapping.tfvars.j2 +++ b/templates/resources/role_mapping.tfvars.j2 
@@ -1,5 +1,5 @@
 role_mapping = {
-{% for top_key, mappings in resources[tfstate_resource].subscriptions[subscription_key].role_mapping.items() %}
+{% for top_key, mappings in resources[tfstate_resource].resources[subscription_key].role_mapping.items() %}
 {{ top_key }} = {
 {% for key, role_mappings in mappings.items() %}
 {{ key }} = {
diff --git a/templates/resources/servicehealth.tfvars.j2 b/templates/resources/servicehealth.tfvars.j2
index ace2397e3..763189d5d 100644
--- a/templates/resources/servicehealth.tfvars.j2
+++ b/templates/resources/servicehealth.tfvars.j2
@@ -1,14 +1,14 @@ monitoring = { -{% if resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts is defined %} +{% if resources[tfstate_resource].resources[subscription_key].service_health_alerts is defined %} service_health_alerts = { - enable_service_health_alerts = {{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.enable_service_health_alerts | lower | default(true)}} - name = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.name}}" - action_group_name = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.action_group_name}}" - shortname = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.shortname}}" - resource_group_key = "{{resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.resource_group_key}}" -{% if resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.email_alert_settings is defined %} + enable_service_health_alerts = {{resources[tfstate_resource].resources[subscription_key].service_health_alerts.enable_service_health_alerts | lower | default(true)}} + name = "{{resources[tfstate_resource].resources[subscription_key].service_health_alerts.name}}" + action_group_name = "{{resources[tfstate_resource].resources[subscription_key].service_health_alerts.action_group_name}}" + shortname = "{{resources[tfstate_resource].resources[subscription_key].service_health_alerts.shortname}}" + resource_group_key = "{{resources[tfstate_resource].resources[subscription_key].service_health_alerts.resource_group_key}}" +{% if resources[tfstate_resource].resources[subscription_key].service_health_alerts.email_alert_settings is defined %} email_alert_settings = { -{% for key, sha in resources[tfstate_resource].subscriptions[subscription_key].service_health_alerts.email_alert_settings.items() %} +{% for key, sha in 
resources[tfstate_resource].resources[subscription_key].service_health_alerts.email_alert_settings.items() %} {{ key }} = { name = "{{ sha.name }}" email_address = "{{ sha.email_address }}" diff --git a/templates/resources/storage_accounts.tfvars.j2 b/templates/resources/storage_accounts.tfvars.j2 index dc975b713..c6c255d04 100644 --- a/templates/resources/storage_accounts.tfvars.j2 +++ b/templates/resources/storage_accounts.tfvars.j2 @@ -1,5 +1,5 @@ storage_accounts = { -{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].storage_accounts.items() %} +{% for key, value in resources[tfstate_resource].resources[subscription_key].storage_accounts.items() %} {{ key }} = { name = "{{ value.name }}" resource_group_key = "{{ value.resource_group_key }}" diff --git a/templates/resources/subscriptions.tfvars.j2 b/templates/resources/subscriptions.tfvars.j2 index f4fe59fea..28b563d7a 100644 --- a/templates/resources/subscriptions.tfvars.j2 +++ b/templates/resources/subscriptions.tfvars.j2 
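Review bot: `enable_service_health_alerts = {{ ... | lower | default(true) }}` applies `lower` before `default`, so under stock Jinja2 an undefined value is already turned into an empty string before `default(true)` can act and the attribute renders as `enable_service_health_alerts = `, which is not valid tfvars. The other boolean attributes in these templates use the `| default(...) | string | lower` order, and this line should match: `enable_service_health_alerts = {{ resources[tfstate_resource].resources[subscription_key].service_health_alerts.enable_service_health_alerts | default(true) | string | lower }}`. The ordering predates this commit, but the line was rewritten here, so it is the natural place to fix it; whether Ansible's undefined object changes the outcome I could not confirm from the hunk.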
@@ -11,31 +11,17 @@ # subscriptions = { -{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].subscriptions.items() %} - {{ key }} = { - name = "{{ value.name }}" -{% if value.create_alias is defined %} - create_alias = {{ value.create_alias | lower}} -{% endif %} -{% if value.subscription_id is not defined %} - billing_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.billing_account_name }}" - enrollment_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}" -{% if value.management_group_suffix is defined %} - management_group_id = "{{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ value.management_group_suffix }}" +{% if deployments[lz_type]['scale_out_domains'] is defined %} +{% for app_key, app_value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} +{% for scod_key, value in app_value.items() %} +{% set key = app_key + '_' + scod_key %} +{% include 'subscriptions_tpl.j2' %} +{% endfor %} +{% endfor %} {% else %} - management_group_id = "{{ value.management_group_id }}" -{% endif %} - workload = "{{ value.workload | default('Production') }}" -{% if value.tags is defined %} - tags = { -{% for tag_key in value.tags %} - {{ tag_key }} = "{{ value.tags[tag_key] }}" -{% endfor %} - } +{% for key, value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} +{% include 'subscriptions_tpl.j2' %} +{% endfor %} {% endif %} -{% else %} - subscription_id = "{{value.subscription_id}}" -{% endif %} - } -{% endfor %} + } \ No newline at end of file diff --git a/templates/resources/subscriptions_tpl.j2 b/templates/resources/subscriptions_tpl.j2 new file mode 100644 index 000000000..3c9d4351a --- /dev/null +++ b/templates/resources/subscriptions_tpl.j2 
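Review bot: `{% if deployments[lz_type]['scale_out_domains'] is defined %}` tests definedness of a nested lookup; under stock Jinja2 a missing `deployments[lz_type]` raises before `is defined` is evaluated, so a deployment mode with no entry in `deployments` aborts the render instead of reaching the `{% else %}` branch that handles plain subscriptions. Guarding the outer key first keeps the fallback reachable: `{% if deployments[lz_type] is defined and deployments[lz_type]['scale_out_domains'] is defined %}`. If these templates are only ever rendered through Ansible, whose undefined object tolerates chained access, this is a robustness note rather than a failure. A one-line comment above the `{% set key = app_key + '_' + scod_key %}` line saying that the composite `<app>_<scod>` key is what `subscriptions_tpl.j2` emits as the map key would also help, since the included template's use of `key` is not visible from here.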
@@ -0,0 +1,26 @@
+
+{{ key }} = {
+ name = "{{ value.name }}"
+{% if value.create_alias is defined %}
+ create_alias = {{ value.create_alias | lower}}
+{% endif %}
+{% if value.subscription_id is not defined %}
+ billing_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.billing_account_name }}"
+ enrollment_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}"
+{% if value.management_group_suffix is defined %}
+ management_group_id = "{{ resources.azure_landing_zones.enterprise_scale.management_group_prefix }}-{{ value.management_group_suffix }}"
+{% else %}
+ management_group_id = "{{ value.management_group_id }}"
+{% endif %}
+ workload = "{{ value.workload | default('Production') }}"
+{% if value.tags is defined %}
+ tags = {
+{% for tag_key in value.tags %}
+ {{ tag_key }} = "{{ value.tags[tag_key] }}"
+{% endfor %}
+ }
+{% endif %}
+{% else %}
+ subscription_id = "{{value.subscription_id}}"
+{% endif %}
+}
diff --git a/templates/resources/virtual_hub_connections.tfvars.j2 b/templates/resources/virtual_hub_connections.tfvars.j2
index a50e10095..997bb2915 100644
--- a/templates/resources/virtual_hub_connections.tfvars.j2
+++ b/templates/resources/virtual_hub_connections.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_hub_connections = {
-{% for key, vhc in resources[tfstate_resource].subscriptions[subscription_key].virtual_hub_connections.items() %}
+{% for key, vhc in resources[tfstate_resource].resources[subscription_key].virtual_hub_connections.items() %}
 {{ key }} = {
 name = "{{ vhc.name }}"
 virtual_hub = {
diff --git a/templates/resources/virtual_hub_route_tables.tfvars.j2 b/templates/resources/virtual_hub_route_tables.tfvars.j2
index e385ed3f4..b287670ca 100644
--- a/templates/resources/virtual_hub_route_tables.tfvars.j2
+++ b/templates/resources/virtual_hub_route_tables.tfvars.j2
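Review bot: `billing_account_name` and `enrollment_account_name` still read `resources.caf_terraform.billing_subscription_role_delegations.*` while every other lookup in this commit moved off the `caf_terraform` prefix (`resources.launchpad.*`, `resources.azure_landing_zones.*`, `resources.caf_regions`); if the billing delegation block was relocated as well, any subscription without a `subscription_id` renders with empty billing and enrollment names and the vending step fails only at apply time. Please confirm the path is still valid, or move it alongside the others. Separately, `{{ key }} = {` and the closing `}` are emitted at column 0 although the file is included inside `subscriptions = {`; indenting them two spaces keeps the generated tfvars readable.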
@@ -1,5 +1,5 @@
 virtual_hub_route_tables = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].virtual_hub_route_tables.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].virtual_hub_route_tables.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 virtual_hub = {
diff --git a/templates/resources/virtual_hubs.tfvars.j2 b/templates/resources/virtual_hubs.tfvars.j2
index 21394f3e0..a6efb9510 100644
--- a/templates/resources/virtual_hubs.tfvars.j2
+++ b/templates/resources/virtual_hubs.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_hubs = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].virtual_hubs.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].virtual_hubs.items() %}
 {{ key }} = {
 virtual_wan = {
 {% if value.virtual_wan.lz_key is defined %}
diff --git a/templates/resources/virtual_machines.tfvars.j2 b/templates/resources/virtual_machines.tfvars.j2
index a213322a7..5177141d9 100644
--- a/templates/resources/virtual_machines.tfvars.j2
+++ b/templates/resources/virtual_machines.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_machines = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].virtual_machines.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].virtual_machines.items() %}
 {{ key }} = {
 resource_group = {
 {% if value.resource_group.lz_key is defined %}
diff --git a/templates/resources/virtual_networks.tfvars.j2 b/templates/resources/virtual_networks.tfvars.j2
index 854b0e704..5eee716cb 100644
--- a/templates/resources/virtual_networks.tfvars.j2
+++ b/templates/resources/virtual_networks.tfvars.j2
@@ -1,5 +1,5 @@
 vnets = {
-{% for key, vnet in resources[tfstate_resource].subscriptions[subscription_key].virtual_networks.items() %}
+{% for key, vnet in resources[tfstate_resource].resources[subscription_key].virtual_networks.items() %}
 {{ key }} = {
 resource_group_key = "{{vnet.resource_group_key}}"
 vnet = {
diff --git a/templates/resources/virtual_wans.tfvars.j2 b/templates/resources/virtual_wans.tfvars.j2
index 2f4fd1ae9..606048e53 100644
--- a/templates/resources/virtual_wans.tfvars.j2
+++ b/templates/resources/virtual_wans.tfvars.j2
@@ -1,5 +1,5 @@
 virtual_wans = {
-{% for key, vwan in resources[tfstate_resource].subscriptions[subscription_key].virtual_wans.items() %}
+{% for key, vwan in resources[tfstate_resource].resources[subscription_key].virtual_wans.items() %}
 "{{key}}" = {
 resource_group_key = "{{ vwan.resource_group_key }}"
 name = "{{ vwan.name }}"
diff --git a/templates/resources/vpn_gateway_connections.tfvars.j2 b/templates/resources/vpn_gateway_connections.tfvars.j2
index 9c7a2eea8..c7e0d8c44 100644
--- a/templates/resources/vpn_gateway_connections.tfvars.j2
+++ b/templates/resources/vpn_gateway_connections.tfvars.j2
@@ -1,5 +1,5 @@
 vpn_gateway_connections = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].vpn_gateway_connections.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].vpn_gateway_connections.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 internet_security_enabled = {{ value.internet_security_enabled | default(true) | string | lower }} // propagate to default route table
diff --git a/templates/resources/vpn_sites.tfvars.j2 b/templates/resources/vpn_sites.tfvars.j2
index 604b98695..c13da8d02 100644
--- a/templates/resources/vpn_sites.tfvars.j2
+++ b/templates/resources/vpn_sites.tfvars.j2
@@ -1,5 +1,5 @@
 vpn_sites = {
-{% for key, value in resources[tfstate_resource].subscriptions[subscription_key].vpn_sites.items() %}
+{% for key, value in resources[tfstate_resource].resources[subscription_key].vpn_sites.items() %}
 {{ key }} = {
 name = "{{ value.name }}"
 resource_group = {
diff --git a/templates/variables/_variables_azure_landing_zones.yaml b/templates/variables/_variables_azure_landing_zones.yaml
new file mode 100644
index 000000000..49285ab9a
--- /dev/null
+++ b/templates/variables/_variables_azure_landing_zones.yaml
@@ -0,0 +1,6 @@
+variables_azure_landing_zones:
+ private_lib:
+ v1.1.3:
+ caf_landingzone_branch: aci_network
+ v1.1.1:
+ caf_landingzone_branch: 2201.0
\ No newline at end of file
diff --git a/templates/variables/_variables_networking_cidr.yaml b/templates/variables/_variables_networking_cidr.yaml
new file mode 100644
index 000000000..148260cb6
--- /dev/null
+++ b/templates/variables/_variables_networking_cidr.yaml
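Review bot: `caf_landingzone_branch: aci_network` for v1.1.3 points the landing-zone library at a mutable branch, whereas v1.1.1 pins the release `2201.0`; whatever is pushed to that branch later is picked up by every deployment that selects v1.1.3, which makes runs unreproducible and widens the supply-chain exposure of the platform code that runs with the deployment identity. Pin it to a tag or commit SHA before this ships, and if the branch reference is a deliberate stopgap, say so beside it: `# TODO: replace with a released tag once the branch is merged`.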
@@ -0,0 +1,85 @@
+variables_cidr:
+ platform:
+ #
+ # launchpad landingzone
+ #
+ launchpad:
+ region1:
+ prod:
+ address_prefixes:
+ - 10.101.10.0/24
+ subnets:
+ available_cidr:
+ - 10.101.10.32/28
+ - 10.101.10.128/26
+ gitops_agents:
+ - 10.101.10.0/27
+ jumpbox:
+ - 10.101.10.48/28
+ bastion:
+ - 10.101.10.64/26
+ private_endpoints:
+ - 10.101.10.192/26
+ region2:
+ prod:
+ address_prefixes:
+ - 10.102.10.0/24
+ subnets:
+ available_cidr:
+ - 10.102.10.32/28
+ - 10.102.10.128/26
+ gitops_agents:
+ - 10.102.10.0/27
+ jumpbox:
+ - 10.102.10.48/28
+ bastion:
+ - 10.102.10.64/26
+ private_endpoints:
+ - 10.102.10.192/26
+
+ #
+ # connectivity landingzone
+ #
+ virtual_hubs:
+ region1:
+ prod:
+ address_prefix: 10.101.51.0/24
+ non_prod:
+ address_prefix: 10.101.52.0/24
+ region2:
+ prod:
+ address_prefix: 10.102.51.0/24
+ non_prod:
+ address_prefix: 10.102.52.0/24
+
+
+ #
+ # private_dns_firewalls landingzone
+ #
+ private_dns_firewalls:
+ region1:
+ prod:
+ address_prefixes:
+ - 10.101.61.0/24
+ subnets:
+ AzureFirewallSubnet:
+ - 10.101.61.0/26
+ non_prod:
+ address_prefixes:
+ - 10.101.62.0/24
+ subnets:
+ AzureFirewallSubnet:
+ - 10.101.62.0/26
+ region2:
+ prod:
+ address_prefixes:
+ - 10.102.61.0/24
+ subnets:
+ AzureFirewallSubnet:
+ - 10.101.62.0/26
+ non_prod:
+ address_prefixes:
+ - 10.102.62.0/24
+ subnets:
+ AzureFirewallSubnet:
+ - 10.101.62.0/26
diff --git a/templates/variables/_variables_private_dns_zones.yaml b/templates/variables/_variables_private_dns_zones.yaml
new file mode 100644
index 000000000..3e5a36964
--- /dev/null
+++ b/templates/variables/_variables_private_dns_zones.yaml
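Review bot: In the `private_dns_firewalls.region2` block both `AzureFirewallSubnet` entries are `10.101.62.0/26`, which lies outside the VNet prefixes declared just above them (`10.102.61.0/24` for prod, `10.102.62.0/24` for non_prod) and duplicates region1's non_prod firewall subnet; this reads as a copy-paste slip and Azure will reject a subnet that is not inside its VNet address space. The values should be `- 10.102.61.0/26` under region2 prod and `- 10.102.62.0/26` under region2 non_prod. A short comment at the top of the file stating that every subnet must be carved from its parent `address_prefixes` would help the next edit of this table.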
@@ -0,0 +1,57 @@ +variables_private_dns_zones: + zones: + privatelink.adf.azure.com: + privatelink.afs.azure.net: + privatelink.agentsvc.azure-automation.net: + privatelink.api.azureml.ms: + privatelink.azconfig.io: + privatelink.azure-automation.net: + privatelink.azure-devices.net: + privatelink.azurecr.io: + privatelink.azurehdinsight.net: + privatelink.azuresynapse.net: + privatelink.azurewebsites.net: + privatelink.blob.core.windows.net: + privatelink.cassandra.cosmos.azure.com: + privatelink.cognitiveservices.azure.com: + privatelink.database.windows.net: + privatelink.datafactory.azure.net: + privatelink.dev.azuresynapse.net: + privatelink.dfs.core.windows.net: + privatelink.digitaltwins.azure.net: + privatelink.documents.azure.com: + privatelink.eventgrid.azure.net: + privatelink.file.core.windows.net: + privatelink.gremlin.cosmos.azure.com: + privatelink.guestconfiguration.azure.com: + privatelink.his.arc.azure.com: + privatelink.managedhsm.azure.net: + privatelink.mariadb.database.azure.com: + privatelink.media.azure.net: + privatelink.mongo.cosmos.azure.com: + privatelink.monitor.azure.com: + privatelink.mysql.database.azure.com: + privatelink.notebooks.azure.net: + privatelink.ods.opinsights.azure.com: + privatelink.oms.opinsights.azure.com: + privatelink.postgres.database.azure.com: + privatelink.purview.azure.com: + privatelink.purviewstudio.azure.com: + privatelink.queue.core.windows.net: + privatelink.redis.cache.windows.net: + privatelink.redisenterprise.cache.azure.net: + privatelink.search.windows.net: + privatelink.service.signalr.net: + privatelink.servicebus.windows.net: + privatelink.siterecovery.windowsazure.com: + privatelink.sql.azuresynapse.net: + privatelink.table.core.windows.net: + privatelink.table.cosmos.azure.com: + privatelink.vaultcore.azure.net: + privatelink.web.core.windows.net: + + # region will be de-tokenized by the values set in resources_allowed_regions + regional_zones: + privatelink.region.azmk8s.io: + 
privatelink.region.backup.windowsazure.com: + privatelink.region.batch.azure.com: \ No newline at end of file diff --git a/templates/variables/service_regions.yaml b/templates/variables/service_regions.yaml new file mode 100644 index 000000000..8b5c38e38 --- /dev/null +++ b/templates/variables/service_regions.yaml 
@@ -0,0 +1,139 @@ +defaults: + firewall_premium_regions: + - australiacentral + - australiacentral2 + - australiaeast + - australiasoutheast + - brazilsouth + - brazilsoutheast + - canadacentral + - canadaeast + - centralindia + - centralus + - centraluseuap + - chinanorth2 + - chinaeast2 + - eastasia + - eastus + - eastus2 + - francecentral + - francesouth + - germanywestcentral + - japaneast + - japanwest + - koreacentral + - koreasouth + - northcentralus + - northeurope + - norwayeast + - southafricanorth + - southcentralus + - southindia + - southeastasia + - swedencentral + - switzerlandnorth + - uaecentral + - uaenorth + - uksouth + - ukwest + - usgovarizona + - usgovtexas + - usgovvirginia + - westcentralus + - westeurope + - westindia + - westus + - westus2 + - westus3 + + availability_zone_regions: + - australiaeast + - brazilsouth + - canadacentral + - centralus + - centralindia + - eastasia + - eastus + - eastus2 + - francecentral + - germanywestcentral + - japaneast + - koreacentral + - northeurope + - norwayeast + - uksouth + - southeastasia + - southcentralus + - swedencentral + - usgovvirginia + - westeurope + - westus2 + - westus3 + + synapse_privatelink_hub_regions: + - westus2 + - eastus + - northeurope + - westeurope + - southeastasia + - australiaeast + - westcentralus + - southcentralus + - eastus2 + - uksouth + - westus + - australiasoutheast + - eastasia + - brazilsouth + - centralus + - centralindia + - japaneast + - northcentralus + - canadacentral + - canadaeast + - koreacentral + - southafricanorth + - ukwest + - japanwest + - francecentral + - switzerlandnorth + - germanywestcentral + - norwayeast + - uaenorth + - westus3 + - jioindiawest + + storage_zrs_regions: + # Africa + - southafricanorth + + # Asia + - australiaeast + - centralindia + - eastasia + - japaneast + - koreacentral + - southeastasia + + # Canada + - canadacentral + + # Europe + - francecentral + - germanywestcentral + - northeurope + - norwayeast + - swedencentral + - 
uksouth + - westeurope + + # South America + - brazilsouth + + # US + - centralus + - eastus + - eastus2 + - southcentralus + - westus2 + - westus3 \ No newline at end of file From 01921996fa911a07fc6115c9c539848a5351ba6e Mon Sep 17 00:00:00 2001 From: LaurentLesle Date: Mon, 14 Mar 2022 01:04:21 +0000 Subject: [PATCH 63/67] Update asvm template generator --- templates/ansible/ansible.yaml | 1 + templates/asvm/ignite.yaml | 7 ++----- templates/asvm/orion/readme.md | 6 +++--- templates/asvm/orion/subscriptions.asvm.yaml | 13 +++++++------ templates/asvm/orion/tfstates.asvm.yaml | 17 +++++++++-------- templates/platform/generic/readme.md | 2 ++ templates/platform/level3/ansible.yaml | 6 +++--- .../platform/level3/subscriptions/readme.md | 4 ++-- .../subscriptions/storage_containers.tfvars.j2 | 12 +++++------- templates/resources/subscriptions.tfvars.j2 | 9 --------- 10 files changed, 34 insertions(+), 43 deletions(-) diff --git a/templates/ansible/ansible.yaml b/templates/ansible/ansible.yaml index 84a325524..b3d70eb01 100644 --- a/templates/ansible/ansible.yaml +++ b/templates/ansible/ansible.yaml @@ -121,6 +121,7 @@ loop_control: loop_var: region when: + - bootstrap.deployments[deployment_mode].scale_out_domains is defined - (launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0) or (storage_account_level3 is defined and storage_account_level3.rc == 0) vars: lz_type: "{{deployment_mode}}" diff --git a/templates/asvm/ignite.yaml b/templates/asvm/ignite.yaml index b4dbe8210..a511b0918 100644 --- a/templates/asvm/ignite.yaml +++ b/templates/asvm/ignite.yaml @@ -3,13 +3,11 @@ landingzone_definition: {{landingzone_definition}} subscriptions: {% for scod in scale_out_domains %} - {{scod}}: + {{landingzone_definition}}_{{scod}}: name: {{landingzone_definition}}-{{scod}} -{% if generate_new_subscriptions %} # Set to false if you do not have permissions to create an alias create_alias: false subscription_id: {{subscription_id}} -{% endif %} {% endfor %} # 
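Review bot: Removing the `{% if generate_new_subscriptions %}` guard in the first ignite.yaml hunk means every generated scale-out domain now carries `create_alias: false` and the same `subscription_id: {{subscription_id}}`, so all domains are vended into a single subscription and the `generate_new_subscriptions` path no longer exists in this template. If that is the intended starter behaviour, the comment should say these are placeholders to replace per domain, e.g. `# Placeholder: every domain points at the same subscription; set a distinct subscription_id per domain before deploying`, because the surviving comment `# Set to false if you do not have permissions to create an alias` now describes a value that is hard-coded rather than a choice.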
@@ -23,9 +21,8 @@ deployments: asvm_subscriptions: subscriptions.asvm.yaml scale_out_domains: region1: - {{landingzone_definition}}: {% for scod in scale_out_domains %} - {{scod}}: {{landingzone_definition}}_{{scod}}.asvm.yaml + {{landingzone_definition}}_{{scod}}: subscriptions.asvm.yaml {% endfor %} platform_mappings: diff --git a/templates/asvm/orion/readme.md b/templates/asvm/orion/readme.md index 0fe298a03..f89da5114 100644 --- a/templates/asvm/orion/readme.md +++ b/templates/asvm/orion/readme.md @@ -1,6 +1,6 @@ # Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM) -## Generate the configuration files +## Generate the definition files ```bash @@ -9,12 +9,12 @@ ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \ ``` -## Regenerate the template +### Regenerate the template Note: This playbook will override the customization you have performed in your {{platform_configuration_folder}} folder. ```bash -ansible-playbook {{public_templates_folder}}/walk-through.yaml \ +ansible-playbook {{public_templates_folder}}/asvm/walk-through.yaml \ --extra-vars "@{{template_folder}}/ignite.yaml" ``` \ No newline at end of file diff --git a/templates/asvm/orion/subscriptions.asvm.yaml b/templates/asvm/orion/subscriptions.asvm.yaml index 4ed075b55..429bb485e 100644 --- a/templates/asvm/orion/subscriptions.asvm.yaml +++ b/templates/asvm/orion/subscriptions.asvm.yaml 
@@ -16,10 +16,11 @@ asvm_subscriptions: resources: asvm_subscriptions: subscriptions: - {{landingzone_definition}}: -{% for scod in deployments.asvm['scale_out_domains'][landingzone_definition].keys() %} - {{scod}}: - name: {{landingzone_definition}}-{{scod}} - create_alias: {{subscriptions[scod].create_alias}} - subscription_id: {{subscriptions[scod].subscription_id}} +{% for region, value in deployments.asvm['scale_out_domains'].items() %} +{% for scod, scod_value in value.subscriptions.items() %} + {{scod}}: +{% for key, kv in subscriptions[scod].items() %} + {{key}}: {{kv}} {% endfor %} +{% endfor %} +{% endfor %} \ No newline at end of file diff --git a/templates/asvm/orion/tfstates.asvm.yaml b/templates/asvm/orion/tfstates.asvm.yaml index c791c8e98..815ec74f5 100644 --- a/templates/asvm/orion/tfstates.asvm.yaml +++ b/templates/asvm/orion/tfstates.asvm.yaml @@ -1,4 +1,4 @@ -# ### {{landingzone_definition}} ### + tfstates: asvm: asvm_subscriptions: @@ -9,12 +9,13 @@ tfstates: sub_template_folder: platform/level3/subscriptions yaml: platform/level3/ansible.yaml - {{landingzone_definition}}: -{% for scod in scale_out_domains %} - {{scod}}: - lz_key_name: {{landingzone_definition}}_{{scod}}_level3 - tfstate: {{landingzone_definition}}_{{scod}}_level3.tfstate - workspace: {{landingzone_definition | replace('_', '-')}}-{{scod}} - level: level3 +{% for region, value in deployments.asvm['scale_out_domains'].items() %} +{% for scod in value.subscriptions.keys() %} + {{scod}}: + lz_key_name: {{scod}}_level3 + tfstate: {{scod}}_level3.tfstate + workspace: {{scod | replace('_', '-')}} + level: level3 {% endfor %} +{% endfor %} diff --git a/templates/platform/generic/readme.md b/templates/platform/generic/readme.md index d68332d2d..175e52d88 100644 --- a/templates/platform/generic/readme.md +++ b/templates/platform/generic/readme.md 
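Review bot: `workspace: {{scod | replace('_', '-')}}` is consumed as an Azure storage container name by the storage_containers template in this same series, and container names must be 3–63 lowercase letters, digits and hyphens with no leading, trailing or consecutive hyphens; the `replace` only handles underscores, so a mixed-case or long `landingzone_definition` yields an invalid name that is only rejected at apply time. I would normalize at the source: `workspace: {{scod | replace('_', '-') | lower}}`, optionally followed by `| truncate(63, True, '')` if long definitions are expected. The tfstate file name `{{scod}}_level3.tfstate` is less constrained, so deriving both from the same key is fine as long as the workspace is the one that gets normalized.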
@@ -9,6 +9,8 @@ rover login -t {{ resources.azure_landing_zones.identity.tenant_name }} rover \ {% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %} --impersonate-sp-from-keyvault-url {{ keyvaults[ tfstate_object.identity_aad_key].vault_uri }} \ +{% elif resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvault_scl is defined %} + --impersonate-sp-from-keyvault-url {{ keyvault_scl.stdout }} \ {% endif %} -lz /tf/caf/landingzones/caf_solution \ -var-folder {{ destination_path }} \ diff --git a/templates/platform/level3/ansible.yaml b/templates/platform/level3/ansible.yaml index 5d0d7f39b..33f6ac533 100644 --- a/templates/platform/level3/ansible.yaml +++ b/templates/platform/level3/ansible.yaml @@ -3,7 +3,7 @@ register: keyvault_scl shell: | az keyvault list \ - --subscription {{ resources.launchpad.subscription_id }} \ + --subscription {{ resources.caf_launchpad.subscription_id }} \ --query "[?tags.caf_identity_aad_key=='cred_subscription_creation_landingzones' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name}[0]" -o json | jq -r --arg http "https://" --arg suffix ".vault.azure.net/" '$http + (.name) + $suffix' - debug: 
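Review bot: The `az keyvault list … [0]` query returns `null` when no vault in the launchpad subscription carries the expected `caf_identity_aad_key`/`caf_environment` tags, and the jq pipeline then emits `https://null.vault.azure.net/`, which the generic readme template in this series passes straight to `--impersonate-sp-from-keyvault-url`; the hunk only renames the subscription variable and leaves that unhandled. The failure is confusing rather than dangerous, but it means a typo in `caf_environment` silently points rover at a non-existent vault. I would make the lookup fail early, e.g. `jq -e 'select(.name != null) | …'` together with `failed_when: keyvault_scl.rc != 0` on this task. The task's `- name:` line sits above the hunk, so I cannot see whether a `failed_when` already exists.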
@@ -24,14 +24,14 @@ register: storage_account_level3 shell: | az storage account list \ - --subscription {{ resources.launchpad.subscription_id }} \ + --subscription {{ resources.caf_launchpad.subscription_id }} \ --query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r - name: "[{{ level }}-asvm] - storage_containers - launchpad level4" register: storage_account_level4 shell: | az storage account list \ - --subscription {{ resources.launchpad.subscription_id }} \ + --subscription {{ resources.caf_launchpad.subscription_id }} \ --query "[?tags.caf_tfstate=='level4' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r - debug: diff --git a/templates/platform/level3/subscriptions/readme.md b/templates/platform/level3/subscriptions/readme.md index 62071d6ea..3eb493d31 100644 --- a/templates/platform/level3/subscriptions/readme.md +++ b/templates/platform/level3/subscriptions/readme.md @@ -14,8 +14,8 @@ rover \ {% endif %} -lz {{landingzones_folder}}/caf_solution \ -var-folder {{ destination_path }} \ - -tfstate_subscription_id {{ resources.launchpad.subscription_id }} \ - -target_subscription {{resources.launchpad.subscription_id }} \ + -tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \ + -target_subscription {{resources.caf_launchpad.subscription_id }} \ -tfstate {{ tfstate_object.tfstate }} \ --workspace {{ tfstate_object.workspace | default('tfstate') }} \ -env {{ resources.caf_environment }} \ diff --git a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 index 254806c08..6d06023b9 100644 --- a/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 +++ b/templates/platform/level3/subscriptions/storage_containers.tfvars.j2 
@@ -1,18 +1,16 @@ storage_containers = { -{% for app_key, app_value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} -{% for scod_key in app_value.keys() %} - {{app_key}}_{{ scod_key }}_level3 = { - name = "{{ resources.tfstates[lz_type][app_key][scod_key].workspace }}" +{% for key, value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} + {{key }}_level3 = { + name = "{{ resources.tfstates[lz_type][key].workspace }}" storage_account = { name = "{{storage_account_level3.stdout|from_json|json_query('name')}}" } } - {{app_key}}_{{ scod_key }}_level4 = { - name = "{{ resources.tfstates[lz_type][app_key][scod_key].workspace }}" + {{key }}_level4 = { + name = "{{ resources.tfstates[lz_type][key].workspace }}" storage_account = { name = "{{storage_account_level4.stdout|from_json|json_query('name')}}" } } {% endfor %} -{% endfor %} } \ No newline at end of file diff --git a/templates/resources/subscriptions.tfvars.j2 b/templates/resources/subscriptions.tfvars.j2 index 28b563d7a..0bbac20da 100644 --- a/templates/resources/subscriptions.tfvars.j2 +++ b/templates/resources/subscriptions.tfvars.j2 @@ -11,17 +11,8 @@ # subscriptions = { -{% if deployments[lz_type]['scale_out_domains'] is defined %} -{% for app_key, app_value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} -{% for scod_key, value in app_value.items() %} -{% set key = app_key + '_' + scod_key %} -{% include 'subscriptions_tpl.j2' %} -{% endfor %} -{% endfor %} -{% else %} {% for key, value in resources[tfstate_resource].resources[subscription_key].subscriptions.items() %} {% include 'subscriptions_tpl.j2' %} {% endfor %} -{% endif %} } \ No newline at end of file From bab0e0b9157b34b8772212176ff4c0ec56c1d3e7 Mon Sep 17 00:00:00 2001 
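Review bot: `name = "{{storage_account_level3.stdout|from_json|json_query('name')}}"` silently degrades when the preceding `az storage account list … [0]` lookup matched nothing and registered the literal `null`: the generated tfvars then carries an empty or `None` storage account name for every level3 container, and the same happens in the level4 block, with the error surfacing only at plan time far from its cause. The loop restructuring in this hunk is fine; the missing piece is a guard on the lookup result. I would fail in the registering task, `failed_when: storage_account_level3.stdout == "null"` (and likewise for level4), rather than let the template render a broken name. A one-line comment above the block noting that `workspace` must already be a valid container name would also help, since nothing here normalizes it.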
From: LaurentLesle Date: Mon, 14 Mar 2022 05:50:24 +0000 Subject: [PATCH 64/67] update orion --- templates/asvm/orion/deploy_template.sh | 2 +- templates/asvm/{ => orion}/ignite.yaml | 2 -- templates/asvm/orion/readme.md | 2 +- templates/asvm/orion/subscriptions.asvm.yaml | 6 ++++-- templates/asvm/orion/tfstates.asvm.yaml | 6 ++++-- templates/asvm/{ => orion}/walk-through.yaml | 2 +- templates/platform/level0/credentials/readme.md | 2 +- templates/platform/level0/launchpad/readme.md | 2 +- 8 files changed, 13 insertions(+), 11 deletions(-) rename templates/asvm/{ => orion}/ignite.yaml (94%) rename templates/asvm/{ => orion}/walk-through.yaml (95%) diff --git a/templates/asvm/orion/deploy_template.sh b/templates/asvm/orion/deploy_template.sh index caa2a3e44..ba8ae633c 100755 --- a/templates/asvm/orion/deploy_template.sh +++ b/templates/asvm/orion/deploy_template.sh @@ -5,7 +5,7 @@ read -r landingzone_definition export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False -ansible-playbook /tf/caf/landingzones/templates/asvm/walk-through.yaml \ +ansible-playbook /tf/caf/landingzones/templates/asvm/orion/walk-through.yaml \ -e topology_folder=/tf/caf/landingzones/templates/asvm/orion \ -e public_templates_folder=/tf/caf/landingzones/templates \ -e landingzones_folder=/tf/caf/landingzones \ diff --git a/templates/asvm/ignite.yaml b/templates/asvm/orion/ignite.yaml similarity index 94% rename from templates/asvm/ignite.yaml rename to templates/asvm/orion/ignite.yaml index a511b0918..64f13ace2 100644 --- a/templates/asvm/ignite.yaml +++ b/templates/asvm/orion/ignite.yaml @@ -19,8 +19,6 @@ deployments: root: region1: asvm_subscriptions: subscriptions.asvm.yaml - scale_out_domains: - region1: {% for scod in scale_out_domains %} {{landingzone_definition}}_{{scod}}: subscriptions.asvm.yaml {% endfor %} diff --git a/templates/asvm/orion/readme.md b/templates/asvm/orion/readme.md index f89da5114..af29014eb 100644 --- a/templates/asvm/orion/readme.md +++ b/templates/asvm/orion/readme.md 
@@ -14,7 +14,7 @@ ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \ Note: This playbook will override the customization you have performed in your {{platform_configuration_folder}} folder. ```bash -ansible-playbook {{public_templates_folder}}/asvm/walk-through.yaml \ +ansible-playbook {{public_templates_folder}}/asvm/orion/walk-through.yaml \ --extra-vars "@{{template_folder}}/ignite.yaml" ``` \ No newline at end of file diff --git a/templates/asvm/orion/subscriptions.asvm.yaml b/templates/asvm/orion/subscriptions.asvm.yaml index 429bb485e..66922eba7 100644 --- a/templates/asvm/orion/subscriptions.asvm.yaml +++ b/templates/asvm/orion/subscriptions.asvm.yaml @@ -16,11 +16,13 @@ asvm_subscriptions: resources: asvm_subscriptions: subscriptions: -{% for region, value in deployments.asvm['scale_out_domains'].items() %} -{% for scod, scod_value in value.subscriptions.items() %} +{% for region, value in deployments.asvm['root'].items() %} +{% for scod, scod_value in value.items() %} +{% if scod != "asvm_subscriptions" %} {{scod}}: {% for key, kv in subscriptions[scod].items() %} {{key}}: {{kv}} {% endfor %} +{% endif %} {% endfor %} {% endfor %} \ No newline at end of file diff --git a/templates/asvm/orion/tfstates.asvm.yaml b/templates/asvm/orion/tfstates.asvm.yaml index 815ec74f5..d418eab67 100644 --- a/templates/asvm/orion/tfstates.asvm.yaml +++ b/templates/asvm/orion/tfstates.asvm.yaml @@ -9,13 +9,15 @@ tfstates: sub_template_folder: platform/level3/subscriptions yaml: platform/level3/ansible.yaml -{% for region, value in deployments.asvm['scale_out_domains'].items() %} -{% for scod in value.subscriptions.keys() %} +{% for region, value in deployments.asvm['root'].items() %} +{% for scod in value.keys() %} +{% if scod != "asvm_subscriptions" %} {{scod}}: lz_key_name: {{scod}}_level3 tfstate: {{scod}}_level3.tfstate workspace: {{scod | replace('_', '-')}} level: level3 +{% endif %} {% endfor %} {% endfor %} 
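Review bot: `{{key}}: {{kv}}` passes each attribute of `subscriptions[scod]` through plain Jinja, which is fine for the current scalar `name`, `create_alias` and `subscription_id` values but renders any nested dict or list as a Python repr (single quotes, `True`/`False`) and emits a string containing `:` or `#` as YAML that parses differently from the source. `{{key}}: {{kv | to_json}}` keeps every value round-trippable at no cost. Separately, `{% if scod != "asvm_subscriptions" %}` now relies on a magic key because environments sit beside `asvm_subscriptions` under `root.region1`; a short comment such as `{# skip the shared subscriptions definition; only per-environment keys are subscriptions #}` would explain the exclusion to the next reader.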
diff --git a/templates/asvm/walk-through.yaml b/templates/asvm/orion/walk-through.yaml similarity index 95% rename from templates/asvm/walk-through.yaml rename to templates/asvm/orion/walk-through.yaml index 2e45dd37c..1de97aa31 100644 --- a/templates/asvm/walk-through.yaml +++ b/templates/asvm/orion/walk-through.yaml @@ -68,7 +68,7 @@ - name: Save parameters ansible.builtin.template: - src: "{{playbook_dir}}/ignite.yaml" + src: "{{topology_folder}}/ignite.yaml" dest: "{{template_folder}}/ignite.yaml" - name: readme diff --git a/templates/platform/level0/credentials/readme.md b/templates/platform/level0/credentials/readme.md index 00a8ac9fc..1f88a380e 100644 --- a/templates/platform/level0/credentials/readme.md +++ b/templates/platform/level0/credentials/readme.md @@ -23,7 +23,7 @@ rover \ ``` -If the plan is not successfull you need to come back to the yaml {{customer_name}}.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan. +If the plan is not successfull you need to come back to the yaml ignite.yaml, fix the values, re-execute the rover ignite and then rover plan. ```bash diff --git a/templates/platform/level0/launchpad/readme.md b/templates/platform/level0/launchpad/readme.md index 89b81fd41..830a781b8 100644 --- a/templates/platform/level0/launchpad/readme.md +++ b/templates/platform/level0/launchpad/readme.md @@ -64,7 +64,7 @@ rover \ ``` -If the plan is not successfull you need to come back to the yaml contoso.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan. +If the plan is not successfull you need to come back to the yaml ignite.yaml, fix the values, re-execute the rover ignite and then rover plan. ```bash From a4159c70f383d2fbac63fc29167fa43ad8f4665c Mon Sep 17 00:00:00 2001 
From: LaurentLesle Date: Mon, 14 Mar 2022 10:35:07 +0000 Subject: [PATCH 65/67] Update landingzone tag --- caf_launchpad/landingzone.tf | 2 +- caf_solution/landingzone.tf | 2 +- templates/ansible/asvm_definition.yaml | 14 +-- templates/asvm/orion/ignite.yaml | 10 +- templates/asvm/orion/resources.asvm.yaml | 72 ++++++------ templates/asvm/orion/subscriptions.asvm.yaml | 10 +- templates/asvm/orion/tfstates.asvm.yaml | 12 +- .../services/connectivity_express_routes.yaml | 2 +- .../connectivity_secure_firewalls.yaml | 2 +- .../services/template.caf.platform.yaml.old | 107 ------------------ templates/platform/single_subscription.yaml | 2 +- templates/platform/template_topology.yaml | 2 +- .../resources/storage_accounts.tfvars.j2 | 69 ++++++++++- .../_variables_azure_landing_zones.yaml | 2 +- 14 files changed, 131 insertions(+), 177 deletions(-) delete mode 100644 templates/platform/services/template.caf.platform.yaml.old diff --git a/caf_launchpad/landingzone.tf b/caf_launchpad/landingzone.tf index 21162063c..d92b18c09 100644 --- a/caf_launchpad/landingzone.tf +++ b/caf_launchpad/landingzone.tf @@ -1,6 +1,6 @@ module "launchpad" { source = "aztfmod/caf/azurerm" - version = "~> 5.5.4" + version = "5.5.4" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4" # source = "../../aztfmod" diff --git a/caf_solution/landingzone.tf b/caf_solution/landingzone.tf index 32458b5c2..ba802449e 100644 --- a/caf_solution/landingzone.tf +++ b/caf_solution/landingzone.tf @@ -1,6 +1,6 @@ module "solution" { source = "aztfmod/caf/azurerm" - version = "~> 5.5.4" + version = "5.5.4" # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4" # source = "../../aztfmod" diff --git a/templates/ansible/asvm_definition.yaml b/templates/ansible/asvm_definition.yaml index 531533aee..2c84d92e0 100644 --- a/templates/ansible/asvm_definition.yaml +++ b/templates/ansible/asvm_definition.yaml 
@@ -16,10 +16,10 @@ - name: Load resources template set_fact: - resources_{{scod}}: "{{ lookup('template', '{{ template_folder }}/resources.asvm.yaml') }}" + resources_{{env}}: "{{ lookup('template', '{{ template_folder }}/resources.asvm.yaml') }}" loop: "{{scale_out_domains}}" loop_control: - loop_var: scod + loop_var: env - debug: msg: @@ -28,10 +28,10 @@ - debug: msg: - - "{{'resources_' + scod}}: {{lookup('vars', 'resources_' + scod)}}" + - "{{'resources_' + env}}: {{lookup('vars', 'resources_' + env)}}" loop: "{{scale_out_domains}}" loop_control: - loop_var: scod + loop_var: env # # Create definition folder structure @@ -54,11 +54,11 @@ - name: "definition - resources" copy: - content: "{{lookup('vars', 'resources_' + scod)}}" - dest: "{{ definition_folder }}/{{landingzone_definition}}_{{scod}}.asvm.yaml" + content: "{{lookup('vars', 'resources_' + env)}}" + dest: "{{ definition_folder }}/{{landingzone_definition}}_{{env}}.asvm.yaml" loop: "{{scale_out_domains}}" loop_control: - loop_var: scod + loop_var: env - name: "definition - readme" ansible.builtin.template: diff --git a/templates/asvm/orion/ignite.yaml b/templates/asvm/orion/ignite.yaml index 64f13ace2..05c3a2745 100644 --- a/templates/asvm/orion/ignite.yaml +++ b/templates/asvm/orion/ignite.yaml @@ -2,9 +2,9 @@ landingzone_definition: {{landingzone_definition}} subscriptions: -{% for scod in scale_out_domains %} - {{landingzone_definition}}_{{scod}}: - name: {{landingzone_definition}}-{{scod}} +{% for env in scale_out_domains %} + {{landingzone_definition}}_{{env}}: + name: {{landingzone_definition}}-{{env}} # Set to false if you do not have permissions to create an alias create_alias: false subscription_id: {{subscription_id}} 
@@ -19,8 +19,8 @@ deployments: root: region1: asvm_subscriptions: subscriptions.asvm.yaml -{% for scod in scale_out_domains %} - {{landingzone_definition}}_{{scod}}: subscriptions.asvm.yaml +{% for env in scale_out_domains %} + {{landingzone_definition}}_{{env}}: subscriptions.asvm.yaml {% endfor %} platform_mappings: diff --git a/templates/asvm/orion/resources.asvm.yaml b/templates/asvm/orion/resources.asvm.yaml index 5234a7fff..95ca63066 100644 --- a/templates/asvm/orion/resources.asvm.yaml +++ b/templates/asvm/orion/resources.asvm.yaml 
@@ -1,52 +1,52 @@ -{{landingzone_definition}}_{{scod}}: +{{landingzone_definition}}_{{env}}: gitops: - caf_landingzone_branch: aci_network + caf_landingzone_branch: 2203.0 - relative_destination_folder: level3/{{landingzone_definition}}/{{scod}} + relative_destination_folder: level3/{{landingzone_definition}}/{{env}} deployments: landingzone: global_settings_key: platform: - virtual_hubs: {{platform_mappings[scod]}} + virtual_hubs: {{platform_mappings[env]}} remote_tfstates: asvm: asvm_subscriptions: platform: - virtual_hubs: {{platform_mappings[scod]}} - virtual_hubs_route_tables: {{platform_mappings[scod]}} - secure_firewalls: {{platform_mappings[scod]}} - identity_level2: {{platform_mappings[scod]}} + virtual_hubs: {{platform_mappings[env]}} + virtual_hubs_route_tables: {{platform_mappings[env]}} + secure_firewalls: {{platform_mappings[env]}} + identity_level2: {{platform_mappings[env]}} asvm: resources: - {{landingzone_definition}}_{{scod}}: + {{landingzone_definition}}_{{env}}: resource_groups: rg: - name: {{landingzone_definition}}-{{scod}} + name: {{landingzone_definition}}-{{env}} backup: - name: {{landingzone_definition}}-{{scod}}-backup + name: {{landingzone_definition}}-{{env}}-backup networking: - name: {{landingzone_definition}}-{{scod}}-networking + name: {{landingzone_definition}}-{{env}}-networking preparation: - name: {{landingzone_definition}}-{{scod}}-preparation + name: {{landingzone_definition}}-{{env}}-preparation modeling: - name: {{landingzone_definition}}-{{scod}}-modeling + name: {{landingzone_definition}}-{{env}}-modeling consumption: - name: {{landingzone_definition}}-{{scod}}-consumption + name: {{landingzone_definition}}-{{env}}-consumption analytics: - name: {{landingzone_definition}}-{{scod}}-analytics + name: {{landingzone_definition}}-{{env}}-analytics virtual_networks: vnet: - name: {{landingzone_definition}}-{{scod}} + name: {{landingzone_definition}}-{{env}} resource_group_key: networking region_key: region1 dns_servers_keys: - 
fw_secure_{{platform_mappings[scod]}}: + fw_secure_{{platform_mappings[env]}}: resource_type: azurerm_firewall - lz_key: connectivity_secure_firewalls_{{platform_mappings[scod]}} - key: fw_secure_{{platform_mappings[scod]}} + lz_key: connectivity_secure_firewalls_{{platform_mappings[env]}} + key: fw_secure_{{platform_mappings[env]}} address_space: - 10.101.8.0/23 subnets: @@ -368,20 +368,20 @@ destination_port_range: "*" virtual_hub_connections: - vnet_to_{{platform_mappings[scod]}}: - name: vnet-{{landingzone_definition}}-{{scod}}-TO-{{platform_mappings[scod]}} + vnet_to_{{platform_mappings[env]}}: + name: vnet-{{landingzone_definition}}-{{env}}-TO-{{platform_mappings[env]}} virtual_hub: - lz_key: connectivity_virtual_hubs_{{platform_mappings[scod]}} - key: {{platform_mappings[scod]}} + lz_key: connectivity_virtual_hubs_{{platform_mappings[env]}} + key: {{platform_mappings[env]}} vnet: vnet_key: vnet routing: egress: - lz_key: virtual_hubs_route_tables_{{platform_mappings[scod]}} + lz_key: virtual_hubs_route_tables_{{platform_mappings[env]}} recovery_vaults: asr: - name: vault-{{landingzone_definition}}-{{scod}} + name: vault-{{landingzone_definition}}-{{env}} resource_group_key: backup backup_policies: vms: @@ -396,7 +396,7 @@ keyvaults: kv_delegated_sp: - name: {{landingzone_definition}}{{scod}}001 + name: {{landingzone_definition}}{{env}}001 resource_group_key: rg creation_policies: logged_in_user: @@ -407,9 +407,9 @@ - Delete - Purge - Recover - landingzone_maintainers_{{platform_mappings[scod]}}: + landingzone_maintainers_{{platform_mappings[env]}}: lz_key: asvm - azuread_group_key: caf_ac_landingzone_maintainers_{{platform_mappings[scod]}} + azuread_group_key: caf_ac_landingzone_maintainers_{{platform_mappings[env]}} secret_permissions: - Set - Get 
@@ -427,7 +427,7 @@ azuread_applications: app_LZContributors: - application_name: app-asvm-{{landingzone_definition}}-{{scod}}-Contributors + application_name: app-asvm-{{landingzone_definition}}-{{env}}-Contributors azuread_service_principals: sp_LZContributors: @@ -457,13 +457,13 @@ days: 58 azuread_groups_membership: - caf_{{platform_mappings[scod]}}_landingzones_dns_contributors: + caf_{{platform_mappings[env]}}_landingzones_dns_contributors: azuread_service_principals: sp_LZContributors: - group_lz_key: identity_level2_{{platform_mappings[scod]}} + group_lz_key: identity_level2_{{platform_mappings[env]}} keys: - sp_LZContributors - caf_ac_landingzone_maintainers_{{platform_mappings[scod]}}: + caf_ac_landingzone_maintainers_{{platform_mappings[env]}}: azuread_service_principals: sp_LZContributors: group_lz_key: asvm @@ -472,7 +472,7 @@ custom_role_definitions: contributors_extended: - name: lz-{{landingzone_definition}}-{{scod}}-contributors-extended + name: lz-{{landingzone_definition}}-{{env}}-contributors-extended useprefix: true description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services." permissions: @@ -512,13 +512,13 @@ keys: - sp_LZContributors storage_containers: - {{landingzone_definition}}_{{scod}}_level3: + {{landingzone_definition}}_{{env}}_level3: lz_key: {{landingzone_definition}}_subscriptions Storage Blob Data Contributor: azuread_service_principals: keys: - sp_LZContributors - {{landingzone_definition}}_{{scod}}_level4: + {{landingzone_definition}}_{{env}}_level4: lz_key: {{landingzone_definition}}_subscriptions Storage Blob Data Contributor: azuread_service_principals: diff --git a/templates/asvm/orion/subscriptions.asvm.yaml b/templates/asvm/orion/subscriptions.asvm.yaml index 66922eba7..c0e2cb134 100644 --- a/templates/asvm/orion/subscriptions.asvm.yaml +++ b/templates/asvm/orion/subscriptions.asvm.yaml 
@@ -1,6 +1,6 @@ asvm_subscriptions: gitops: - caf_landingzone_branch: aci_network + caf_landingzone_branch: 2203.0 relative_destination_folder: level3/{{landingzone_definition}}/subscriptions @@ -17,10 +17,10 @@ asvm_subscriptions: asvm_subscriptions: subscriptions: {% for region, value in deployments.asvm['root'].items() %} -{% for scod, scod_value in value.items() %} -{% if scod != "asvm_subscriptions" %} - {{scod}}: -{% for key, kv in subscriptions[scod].items() %} +{% for env, env_value in value.items() %} +{% if env != "asvm_subscriptions" %} + {{env}}: +{% for key, kv in subscriptions[env].items() %} {{key}}: {{kv}} {% endfor %} {% endif %} diff --git a/templates/asvm/orion/tfstates.asvm.yaml b/templates/asvm/orion/tfstates.asvm.yaml index d418eab67..3033ddc66 100644 --- a/templates/asvm/orion/tfstates.asvm.yaml +++ b/templates/asvm/orion/tfstates.asvm.yaml @@ -10,12 +10,12 @@ tfstates: yaml: platform/level3/ansible.yaml {% for region, value in deployments.asvm['root'].items() %} -{% for scod in value.keys() %} -{% if scod != "asvm_subscriptions" %} - {{scod}}: - lz_key_name: {{scod}}_level3 - tfstate: {{scod}}_level3.tfstate - workspace: {{scod | replace('_', '-')}} +{% for env in value.keys() %} +{% if env != "asvm_subscriptions" %} + {{env}}: + lz_key_name: {{env}}_level3 + tfstate: {{env}}_level3.tfstate + workspace: {{env | replace('_', '-')}} level: level3 {% endif %} diff --git a/templates/platform/services/connectivity_express_routes.yaml b/templates/platform/services/connectivity_express_routes.yaml index 2671c39b5..d99aed61a 100644 --- a/templates/platform/services/connectivity_express_routes.yaml +++ b/templates/platform/services/connectivity_express_routes.yaml @@ -1,5 +1,5 @@ gitops: - caf_landingzone_branch: int.2202 + caf_landingzone_branch: 2203.0 express_route_circuits: {{env}}: 
diff --git a/templates/platform/services/connectivity_secure_firewalls.yaml b/templates/platform/services/connectivity_secure_firewalls.yaml index 70ebc339e..07658a20c 100644 --- a/templates/platform/services/connectivity_secure_firewalls.yaml +++ b/templates/platform/services/connectivity_secure_firewalls.yaml @@ -42,7 +42,7 @@ secure_firewalls_{{env}}: virtual_hub_key: {{env}} public_ip_count: 1 firewall_policy: - key: root + key: secure_root lz_key: connectivity_firewall_policies_{{env}} zones: - 1 diff --git a/templates/platform/services/template.caf.platform.yaml.old b/templates/platform/services/template.caf.platform.yaml.old deleted file mode 100644 index 2afe2f453..000000000 --- a/templates/platform/services/template.caf.platform.yaml.old +++ /dev/null 
@@ -1,107 +0,0 @@ -# cleanup_destination - recommended to clean and recreated a clean state from template. -configuration_folders: - platform: - # true: force the destination folder to be deleted and re-created before the files are created. - # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is. - cleanup_destination: true - -caf_terraform: - naming_convention: - # When set to false use the CAF provider to generate names aligned to CAF guidance - # true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace. - passthrough: false - inherit_tags: false - # set: define the prefix to add to all resource names - # unset: if passthrough is set to false, generate a random prefix - prefix: {{prefix}} - # if passthrough is set to false, add random suffix to name, up to the random_lenght value. - random_length: 3 - launchpad: - caf_environment: {{topology.caf_environment}} - regions: -{% for region, location in regions.items() %} - {{region}}: {{location}} -{% endfor %} - default_region_key: {{topology.default_region_key}} - # Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd. - subscription_id: {{subscription_id.stdout}} - subscription_name: {{subscription_name.stdout}} - tenant_id: {{tenant_id.stdout}} - global_tags_propagated: yes - tags: - caf_deployment_mode: demo_single_subscription - - billing_subscription_role_delegations: - # true: enable this deployment. The remaining attributes are required. - # false: disable this deployment. 
- # azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform - # azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running: - # az ad signed-in-user show --query objectId -o tsv - # The remaining attributes are ignored: [billing_account_name, enrollment_account_name] - enable: false - # Azure Active Directory User (UPN) that is Account Owner in the EA portal - # if enable=false, set the upn of the user doing the manual deployment - azuread_user_ea_account_owner: {{topology.azuread_user_ea_account_owner}} - # see comments above to get the object_id - # - # Also set this GUID to the owner of the launchpad azuread_groups - # - azuread_user_ea_account_owner_object_id: {{topology.ea_owner_object_id}} - # Only set the following two attributes when enable=true - billing_account_name: - enrollment_account_name: - - -platform_core_setup: - enable_azure_subscription_vending_machine: {{topology.enable_azure_subscription_vending_machine | lower}} - private_lib: - v0.3.3: - caf_landingzone_branch: "patch.5.4.4" - v1.1.1: - caf_landingzone_branch: "int.2202" - enterprise_scale: -{% for key, value in topology.enterprise_scale.items() %} - {{key}}: - management_group_prefix: "{{value.management_group_prefix}}" - management_group_name: "{{value.management_group_name}}" - deploy_core_landing_zones: {{value.deploy_core_landing_zones | lower}} - clean_up_destination_folder: {{value.clean_up_destination_folder | lower}} - update_lib_folder: {{value.update_lib_folder | lower}} - version_to_deploy: "{{value.version_to_deploy}}" -{% if value.root_parent_id is defined %} - root_parent_id: "{{value.root_parent_id}}" -{% endif %} -{% endfor %} - -subscription_deployment_mode: single_reuse - -networking_topology: - deployment_option: virtual_wan - - - -platform_identity: - # Set the Azure Active Directory tenant name (primary domain name) - # has to be the default domain name 
(custom dns name or tenantname.onmicrosoft.com) - # check the AAD property - tenant_name: {{tenant_name.stdout}} - # only service_principal supported with rover ignite at the moment - azuread_identity_mode: {{topology.azuread_identity_mode}} - enable_azuread_groups: {{topology.enable_azuread_groups}} - enable_azuread_applications: {{topology.enable_azuread_applications}} - # UPNs you want to add in the caf_platform_maintainers Azure AD group - # Can use user or guest accounts - # Those users will have full permissions on platform. - # Once setup, you can remove them from here or add them from - # Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts. - caf_platform_maintainers: - user_principal_names: - # - - caf_platform_contributors: - user_principal_names: - # - - -gitops: - caf_landingzone_branch: {{topology.caf_landingzone_branch}} - deployment_mode: interactive - rover_log_error: ERROR diff --git a/templates/platform/single_subscription.yaml b/templates/platform/single_subscription.yaml index 72eddd8ba..4d6697e86 100644 --- a/templates/platform/single_subscription.yaml +++ b/templates/platform/single_subscription.yaml @@ -16,7 +16,7 @@ platform_template_folder: {{platform_template_folder}} deployment_mode: {{deployment_mode}} -caf_landingzone_branch: int.2202 +caf_landingzone_branch: 2203.0 caf_regions: {% for region, location in regions.items() %} diff --git a/templates/platform/template_topology.yaml b/templates/platform/template_topology.yaml index 99d1e08f6..75361fe04 100644 --- a/templates/platform/template_topology.yaml +++ b/templates/platform/template_topology.yaml @@ -17,7 +17,7 @@ bootstrap: subscription_deployment_mode: single_reuse - caf_landingzone_branch: int.2202 + caf_landingzone_branch: 2203.0 deployments: platform: diff --git a/templates/resources/storage_accounts.tfvars.j2 b/templates/resources/storage_accounts.tfvars.j2 index c6c255d04..827293ac6 100644 
--- a/templates/resources/storage_accounts.tfvars.j2 +++ b/templates/resources/storage_accounts.tfvars.j2 @@ -5,7 +5,9 @@ storage_accounts = { resource_group_key = "{{ value.resource_group_key }}" account_kind = "{{ value.account_kind | default('BlobStorage') }}" account_tier = "{{ value.account_tier | default('Standard') }}" +{% if value.shared_access_key_enabled is defined %} shared_access_key_enabled = {{ value.shared_access_key_enabled | lower | default('false') }} +{% endif %} account_replication_type = "{{ value.account_replication_type }}" {% if value.access_tier is defined %} access_tier = "{{ value.access_tier }}" @@ -28,7 +30,6 @@ storage_accounts = { {% if value.enable_system_msi is defined %} enable_system_msi = {{ value.enable_system_msi | lower }} {% endif %} - {% if value.blob_properties is defined %} blob_properties = { {% if value.blob_properties.versioning_enabled is defined %} @@ -55,11 +56,10 @@ storage_accounts = { {% endif %} } {% endif %} - {% if value.network is defined %} network = { {% if value.network.default_action is defined %} - default_action = {{ value.network.default_action | lower }} + default_action = "{{ value.network.default_action }}" {% endif %} {% if value.network.bypass is defined %} bypass = {{ value.network.bypass | replace('None','[]') | replace('\'','\"') }} 
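Review bot: Wrapping `shared_access_key_enabled` in `{% if value.shared_access_key_enabled is defined %}` changes the effective default: the old line fell back to `false`, while omitting the attribute defers to the module and provider, and as far as I know `azurerm_storage_account` defaults `shared_access_key_enabled` to `true`, so every storage account without an explicit setting now keeps account-key authentication enabled. For a template that generates tfstate storage that is a quiet security regression. The old filter order (`lower` before `default`) is probably what broke on undefined values, and `shared_access_key_enabled = {{ value.shared_access_key_enabled | default(false) | lower }}` keeps the `false` default without the guard. If deferring to the module default is really intended, a comment next to the `{% if %}` saying so would stop the next reader from reverting it.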
@@ -87,6 +87,68 @@ storage_accounts = {
 }
 {% endif %}
+
+{% if value.management_policies is defined %}
+ management_policies = {
+{% for mp_key, mp_value in value.management_policies.items() %}
+ {{ mp_key }} = {
+ enabled = {{mp_value.enabled | default(True) | lower}}
+ name = "{{mp_value.name}}"
+ filters = {
+{% for mpf_key, mpf_value in mp_value.filters.items() %}
+ {{mpf_key}} = {
+{% if mpf_value.prefix_match is defined %}
+ prefix_match = {{ mpf_value.prefix_match | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% if mpf_value.blob_types is defined %}
+ blob_types = {{ mpf_value.blob_types | replace('None','[]') | replace('\'','\"') }}
+{% endif %}
+{% if mpf_value.match_blob_index_tag is defined %}
+ match_blob_index_tag = {
+ {{ mpf_value.match_blob_index_tag.0.keys() }} = {
+ name = "{{ mpf_value.match_blob_index_tag.0.name }}"
+ operation = "{{ mpf_value.match_blob_index_tag.0.operation }}"
+ value = "{{ mpf_value.match_blob_index_tag.0.value }}"
+ }
+ }
+{% endif %}
+ }
+{% endfor %}
+ }
+ actions = {
+ base_blob = {
+{% for aa_key, aa_value in mp_value.actions.base_blob.items() %}
+ {{ aa_key }} = {
+{% for ab_key, ab_value in aa_value.items() %}
+ {{ ab_key }} = {{ ab_value }}
+{% endfor %}
+ }
+{% endfor %}
+ }
+ snapshot = {
+{% for aa_key, aa_value in mp_value.actions.snapshot.items() %}
+ {{ aa_key }} = {
+{% for ab_key, ab_value in aa_value.items() %}
+ {{ ab_key }} = {{ ab_value }}
+{% endfor %}
+ }
+{% endfor %}
+ }
+ version = {
+{% for aa_key, aa_value in mp_value.actions.version.items() %}
+ {{ aa_key }} = {
+{% for ab_key, ab_value in aa_value.items() %}
+ {{ ab_key }} = {{ ab_value }}
+{% endfor %}
+ }
+{% endfor %}
+ }
+ }
+ }
+{% endfor %}
+ }
+{% endif %}
+
 {% if value.containers is defined %}
 containers = {
 {% for c_key, c_value in value.containers.items() %}
@@ -96,7 +158,6 @@ storage_accounts = {
 {% endfor %}
 }
 {% endif %}
-
 {% if value.tags is defined %}
 tags = {
 {% for tag_key, tag_value in value.tags.items() %}
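Review bot: `{{ mpf_value.match_blob_index_tag.0.keys() }}` in the new filters block renders the Python `dict_keys([...])` representation into the tfvars rather than an HCL map key, so any policy that sets `match_blob_index_tag` produces output Terraform cannot parse, and only the first list entry (`.0`) is ever emitted. The same hunk calls `.items()` on `mp_value.filters`, `mp_value.actions.base_blob`, `mp_value.actions.snapshot` and `mp_value.actions.version` without an `is defined` guard, so a policy that only declares, say, `base_blob` actions aborts rendering with an undefined error (depending on the undefined mode in use) instead of omitting the empty sections. Iterating the tag list and guarding each optional section fixes both; which map key the module expects per tag entry is not visible here, so the loop index below is a placeholder to confirm against the module. The enclosing `storage_accounts = {` block starts and ends outside the hunk.
```jinja
{% if mpf_value.match_blob_index_tag is defined %}
  match_blob_index_tag = {
{% for tag in mpf_value.match_blob_index_tag %}
    {{ loop.index0 }} = {  {# placeholder key: confirm the key the module expects #}
      name      = "{{ tag.name }}"
      operation = "{{ tag.operation }}"
      value     = "{{ tag.value }}"
    }
{% endfor %}
  }
{% endif %}
{# … unchanged: closing of the filter entry and of filters … #}
{% if mp_value.actions.base_blob is defined %}
  base_blob = {
{# … unchanged: base_blob loop … #}
  }
{% endif %}
{# … same guard for snapshot and version … #}
```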
diff --git a/templates/variables/_variables_azure_landing_zones.yaml b/templates/variables/_variables_azure_landing_zones.yaml
index 49285ab9a..ac4b231c4 100644
--- a/templates/variables/_variables_azure_landing_zones.yaml
+++ b/templates/variables/_variables_azure_landing_zones.yaml
@@ -1,6 +1,6 @@
 variables_azure_landing_zones:
 private_lib:
 v1.1.3:
- caf_landingzone_branch: aci_network
+ caf_landingzone_branch: 2203.0
 v1.1.1:
 caf_landingzone_branch: 2201.0
\ No newline at end of file
From 1efe835f8e4fc0aed1bf946cc5b47e3d6c6974a4 Mon Sep 17 00:00:00 2001
From: Arnaud Lheureux
Date: Mon, 14 Mar 2022 12:53:30 +0000
Subject: [PATCH 66/67] Update readme
---
 templates/platform/services/README.md | 32 +++++++++++++++++++--------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/templates/platform/services/README.md b/templates/platform/services/README.md
index 324ae733c..5c99b1c20 100644
--- a/templates/platform/services/README.md
+++ b/templates/platform/services/README.md
@@ -8,18 +8,15 @@ For further executions or command, you can refer to the following sections
 ## Commands
-### Clone the landingzone project (Terraform base code)
-```bash
-git clone https://github.com/Azure/caf-terraform-landingzones.git {{landingzones_folder}}
-cd {{landingzones_folder}} && git pull
-git checkout {{topology.caf_landingzone_branch}}
+### Rover ignite the platform
-```
+Rover ignite will process the YAML files and start building the configuration structure of the TFVARS.
-### Rover ignite the platform
-Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps. Just follow the readme and next steps.
+Please note that during the creation of the platform landingones you will have to run rover ignite multiple times as some deployments are required to be completed before you can perform the next steps.
+
+The best course of actions is to follow the readme files generated within each landing zones, as rover ignite creates the tfvars and also the documentation.
-Rover ignite creates the tfvars and also the documentation.
+Once you are ready to ingite, just run:
 ```bash
 rover login -t {{tenant_name.stdout}} -s {{subscription_id.stdout}}
@@ -35,8 +32,25 @@ Once the rover ignite command has been executed, go to your configuration folder
 Get started with the [launchpad]({{destination_path}}/{{topologies.launchpad.relative_destination_folder}})
+
+
+## References
+
+Whenever needed, or under a profesional supervision you can use the following commands
+
+### Clone the landingzone project (Terraform base code)
+
+```bash
+git clone https://github.com/Azure/caf-terraform-landingzones.git {{landingzones_folder}}
+cd {{landingzones_folder}} && git pull
+git checkout {{topology.caf_landingzone_branch}}
+
+```
+
 ### Regenerate the definition folder
+For your reference, if you need to re-generate the YAML definition files later, you can run the following command:
+
 ```bash
 ansible-playbook {{public_templates_folder}}/ansible/walk-through-single.yaml \
 --extra-vars "@{{platform_definition_folder}}/ignite.yaml"
From 37bf0d4415c0aa89b134bf7f869f868b92b4a5f3 Mon Sep 17 00:00:00 2001
From: lolorol
Date: Tue, 15 Mar 2022 08:44:46 +0800
Subject: [PATCH 67/67] Update README.md
---
 templates/platform/level0/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/platform/level0/README.md b/templates/platform/level0/README.md
index ea9085fca..29aea9e3e 100644
--- a/templates/platform/level0/README.md
+++ b/templates/platform/level0/README.md
@@ -15,7 +15,7 @@ Platform- Subscriptions | Deploys platform subscriptions such as managemen
 management | Foundation resources to management subscription such as service health alerts, log analytics
 gitops | This directory hosts the Azure DevOps configurations such as Azure DevOps projects, pipelines variable groups
 Identity | This hosts the identities for the pipelines and identies are pushed to vault after created
-Enterprise scale - Platform | Deploys alz resources suych as management groups, custom roles, policies, and map that to management groups
+Azure Landing zone - Platform | Deploys Azure landing zone resources such as management groups, custom roles, policies, and map that to management groups
 ### Level 2