From 708dbfff21e498a7da07cc3cba12b7858f76e09f Mon Sep 17 00:00:00 2001
From: hyperfocus1337
Date: Fri, 18 Mar 2022 11:16:29 +0100
Subject: [PATCH 1/7] Add deploy_identity_resources
---
 caf_solution/add-ons/caf_eslz/enterprise_scale.tf | 2 +-
 caf_solution/add-ons/caf_eslz/variables.tf | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
index d5e4237e6..6db0d3be4 100644
--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -23,4 +23,4 @@ module "enterprise_scale" {
 root_id = var.root_id
 root_name = var.root_name
 subscription_id_overrides = local.subscription_id_overrides
-}
\ No newline at end of file
+} deploy_identity_resources = var.deploy_identity_resources
diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf
index 1e3ce879c..6e9e16cba 100644
--- a/caf_solution/add-ons/caf_eslz/variables.tf
+++ b/caf_solution/add-ons/caf_eslz/variables.tf
@@ -233,4 +233,9 @@ variable "reconcile_vending_subscriptions" {
 type = bool
 default = false
 description = "Will reconcile the subrisciptions created outside of enterprise scale to prevent them to be revoved by the execution of this module."
-}
\ No newline at end of file
+}
+
+variable "deploy_identity_resources" {
+ type = bool
+ default = false
+}
From e34bfcb66394becc527f38288fe34d7ea5df44a5 Mon Sep 17 00:00:00 2001
From: hyperfocus1337
Date: Fri, 18 Mar 2022 11:16:57 +0100
Subject: [PATCH 2/7] Add subscription_id_identity
---
 caf_solution/add-ons/caf_eslz/enterprise_scale.tf | 2 ++
 caf_solution/add-ons/caf_eslz/variables.tf | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
index 6db0d3be4..2e87a95ce 100644
--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
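Review bot: `variable "deploy_identity_resources"` in the variables.tf hunk is added without a `description`, unlike the adjacent `reconcile_vending_subscriptions`, so a reader of the variables file cannot tell what enabling the flag deploys. Suggest `description = "If set to true, will enable the \"Identity\" landing zone settings."`, mirroring the wording patch 5 uses for the Management and Connectivity flags. The same omission applies to `subscription_id_identity` in patch 2 and to `subscription_id_management`, `subscription_id_connectivity`, `disable_base_module_tags`, `tags` and `default_tags` in patch 5.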
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -24,3 +24,5 @@ module "enterprise_scale" {
 root_name = var.root_name
 subscription_id_overrides = local.subscription_id_overrides
 } deploy_identity_resources = var.deploy_identity_resources
+ subscription_id_identity = var.subscription_id_identity
+}
diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf
index 6e9e16cba..445699ddb 100644
--- a/caf_solution/add-ons/caf_eslz/variables.tf
+++ b/caf_solution/add-ons/caf_eslz/variables.tf
@@ -239,3 +239,7 @@ variable "deploy_identity_resources" {
 type = bool
 default = false
 }
+
+variable "subscription_id_identity" {
+ type = string
+}
From e8891b70a0e130e6c73fddbe293947e068c65e17 Mon Sep 17 00:00:00 2001
From: hyperfocus1337
Date: Fri, 18 Mar 2022 11:18:58 +0100
Subject: [PATCH 3/7] Remove }
---
 caf_solution/add-ons/caf_eslz/enterprise_scale.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
index 2e87a95ce..c014e5a84 100644
--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -23,6 +23,6 @@ module "enterprise_scale" {
 root_id = var.root_id
 root_name = var.root_name
 subscription_id_overrides = local.subscription_id_overrides
-} deploy_identity_resources = var.deploy_identity_resources
+ deploy_identity_resources = var.deploy_identity_resources
 subscription_id_identity = var.subscription_id_identity
 }
From c456d10e12ab4a17224a116e14ce28019fa18554 Mon Sep 17 00:00:00 2001
From: hyperfocus1337
Date: Fri, 25 Mar 2022 15:05:13 +0100
Subject: [PATCH 4/7] Add several missing module keys and fmt
---
 .../add-ons/caf_eslz/enterprise_scale.tf | 26 ++++++++++++-------
 1 file changed, 17 insertions(+), 9 deletions(-)
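Review bot: `subscription_id_identity` in the variables.tf hunk is declared with `type = string` and no `default`, which makes it a required input; the `var.subscription_id_identity == null ? data.azurerm_client_config.core.subscription_id : …` fallback that patch 4 adds in enterprise_scale.tf can therefore only fire when a caller passes `null` explicitly. If the intent is "use the current subscription unless overridden", add `default = null` (and a `description`) here. `subscription_id_management` and `subscription_id_connectivity` in patch 5 have the same gap.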
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
index c014e5a84..d1828c089 100644
--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -16,13 +16,21 @@ module "enterprise_scale" {
 default_location = local.global_settings.regions[local.global_settings.default_region]
 #path to the policies definition and assignment repo
- library_path = var.library_path
- archetype_config_overrides = local.archetype_config_overrides
- custom_landing_zones = local.custom_landing_zones
- deploy_core_landing_zones = var.deploy_core_landing_zones
- root_id = var.root_id
- root_name = var.root_name
- subscription_id_overrides = local.subscription_id_overrides
- deploy_identity_resources = var.deploy_identity_resources
- subscription_id_identity = var.subscription_id_identity
+ library_path = var.library_path
+ archetype_config_overrides = local.archetype_config_overrides
+ custom_landing_zones = local.custom_landing_zones
+ deploy_core_landing_zones = var.deploy_core_landing_zones
+ root_id = var.root_id
+ root_name = var.root_name
+ subscription_id_overrides = local.subscription_id_overrides
+ subscription_id_identity = var.subscription_id_identity == null ? data.azurerm_client_config.core.subscription_id : var.subscription_id_identity
+ subscription_id_management = var.subscription_id_management == null ? data.azurerm_client_config.management.subscription_id : var.subscription_id_management
+ subscription_id_connectivity = var.subscription_id_connectivity == null ? data.azurerm_client_config.connectivity.subscription_id : var.subscription_id_connectivity
+ deploy_identity_resources = var.deploy_identity_resources
+ deploy_connectivity_resources = var.deploy_connectivity_resources
+ deploy_management_resources = var.deploy_management_resources
+ configure_identity_resources = var.configure_identity_resources
+ configure_management_resources = var.configure_management_resources
+ disable_base_module_tags = var.disable_base_module_tags
+ default_tags = coalesce(var.tags, var.default_tags, null)
 }
From 89c9258d3e21c3081ee192e1c1fea95dbc5f0270 Mon Sep 17 00:00:00 2001
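Review bot: `default_tags = coalesce(var.tags, var.default_tags, null)` fails the plan whenever neither map is supplied, because `coalesce` errors when every argument is null — the trailing `null` is not a fallback — and both `var.tags` and `var.default_tags` are declared without defaults in patch 5. If the module accepts an unset `default_tags`, `default_tags = try(coalesce(var.tags, var.default_tags), null)` (or `default = {}` on the two variables) expresses the intended optional tagging. Separately, `data.azurerm_client_config.management` and `.connectivity` are referenced on the new `subscription_id_*` lines but, as far as this series shows, are only declared in patch 6, so this commit does not validate on its own. The `module "enterprise_scale"` block starts outside the hunk.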
From: hyperfocus1337
Date: Fri, 25 Mar 2022 15:06:36 +0100
Subject: [PATCH 5/7] Add several missing module variables
---
 caf_solution/add-ons/caf_eslz/variables.tf | 154 +++++++++++++++++++++
 1 file changed, 154 insertions(+)
diff --git a/caf_solution/add-ons/caf_eslz/variables.tf b/caf_solution/add-ons/caf_eslz/variables.tf
index 445699ddb..9f80b4ea2 100644
--- a/caf_solution/add-ons/caf_eslz/variables.tf
+++ b/caf_solution/add-ons/caf_eslz/variables.tf
@@ -85,6 +85,12 @@ variable "root_name" {
 }
 }
+variable "root_parent_id" {
+ type = string
+ description = "If specified, will deploy the Enterprise scale bellow the root_parent_id."
+ default = null
+}
+
 variable "deploy_core_landing_zones" {
 type = bool
 description = "If set to true, will include the core Enterprise-scale Management Group hierarchy."
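Review bot: `root_parent_id` is declared here with `default = null`, but nothing in this series reads `var.root_parent_id`; patch 7 still sets `root_parent_id = data.azurerm_client_config.core.tenant_id` on the module call, so a caller who sets the variable to place the hierarchy under an existing management group is silently ignored and the hierarchy still lands at the tenant root. Unless it is consumed somewhere outside the diff, wire it with `root_parent_id = coalesce(var.root_parent_id, data.azurerm_client_config.core.tenant_id)` in enterprise_scale.tf. The added description also misspells "below" as "bellow".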
@@ -243,3 +249,151 @@ variable "deploy_identity_resources" {
 variable "subscription_id_identity" {
 type = string
 }
+
+variable "configure_identity_resources" {
+ type = object({
+ settings = object({
+ identity = object({
+ enabled = bool
+ config = object({
+ enable_deny_public_ip = bool
+ enable_deny_rdp_from_internet = bool
+ enable_deny_subnet_without_nsg = bool
+ enable_deploy_azure_backup_on_vms = bool
+ })
+ })
+ })
+ })
+ description = "If specified, will customize the \"Identity\" landing zone settings."
+ default = {
+ settings = {
+ identity = {
+ enabled = true
+ config = {
+ enable_deny_public_ip = true
+ enable_deny_rdp_from_internet = true
+ enable_deny_subnet_without_nsg = true
+ enable_deploy_azure_backup_on_vms = true
+ }
+ }
+ }
+ }
+}
+
+variable "deploy_management_resources" {
+ type = bool
+ description = "If set to true, will enable the \"Management\" landing zone settings and add \"Management\" resources into the current Subscription context."
+ default = false
+}
+
+variable "configure_management_resources" {
+ type = object({
+ settings = object({
+ log_analytics = object({
+ enabled = bool
+ config = object({
+ retention_in_days = number
+ enable_monitoring_for_arc = bool
+ enable_monitoring_for_vm = bool
+ enable_monitoring_for_vmss = bool
+ enable_solution_for_agent_health_assessment = bool
+ enable_solution_for_anti_malware = bool
+ enable_solution_for_azure_activity = bool
+ enable_solution_for_change_tracking = bool
+ enable_solution_for_service_map = bool
+ enable_solution_for_sql_assessment = bool
+ enable_solution_for_updates = bool
+ enable_solution_for_vm_insights = bool
+ enable_sentinel = bool
+ })
+ })
+ security_center = object({
+ enabled = bool
+ config = object({
+ email_security_contact = string
+ enable_defender_for_app_services = bool
+ enable_defender_for_arm = bool
+ enable_defender_for_containers = bool
+ enable_defender_for_dns = bool
+ enable_defender_for_key_vault = bool
+ enable_defender_for_oss_databases = bool
+ enable_defender_for_servers = bool
+ enable_defender_for_sql_servers = bool
+ enable_defender_for_sql_server_vms = bool
+ enable_defender_for_storage = bool
+ })
+ })
+ })
+ location = any
+ tags = any
+ advanced = any
+ })
+ description = "If specified, will customize the \"Management\" landing zone settings and resources."
+ default = {
+ settings = {
+ log_analytics = {
+ enabled = true
+ config = {
+ retention_in_days = 30
+ enable_monitoring_for_arc = true
+ enable_monitoring_for_vm = true
+ enable_monitoring_for_vmss = true
+ enable_solution_for_agent_health_assessment = true
+ enable_solution_for_anti_malware = true
+ enable_solution_for_azure_activity = true
+ enable_solution_for_change_tracking = true
+ enable_solution_for_service_map = true
+ enable_solution_for_sql_assessment = true
+ enable_solution_for_updates = true
+ enable_solution_for_vm_insights = true
+ enable_sentinel = true
+ }
+ }
+ security_center = {
+ enabled = true
+ config = {
+ email_security_contact = "security_contact@replace_me"
+ enable_defender_for_app_services = true
+ enable_defender_for_arm = true
+ enable_defender_for_containers = true
+ enable_defender_for_dns = true
+ enable_defender_for_key_vault = true
+ enable_defender_for_oss_databases = true
+ enable_defender_for_servers = true
+ enable_defender_for_sql_servers = true
+ enable_defender_for_sql_server_vms = true
+ enable_defender_for_storage = true
+ }
+ }
+ }
+ location = null
+ tags = null
+ advanced = null
+ }
+}
+
+variable "deploy_connectivity_resources" {
+ type = bool
+ description = "If set to true, will enable the \"Connectivity\" landing zone settings and add \"Connectivity\" resources into the current Subscription context."
+ default = false
+}
+
+variable "subscription_id_management" {
+ type = string
+}
+
+variable "subscription_id_connectivity" {
+ type = string
+}
+
+variable "disable_base_module_tags" {
+ type = bool
+}
+
+variable "tags" {
+ type = map(any)
+}
+
+variable "default_tags" {
+ type = map(any)
+}
From e1b068fa5a9b3a01f827262f5a016d080f14c7e8 Mon Sep 17 00:00:00 2001
From: hyperfocus1337
Date: Fri, 25 Mar 2022 15:07:25 +0100
Subject: [PATCH 6/7] Add support for multiple providers
---
 caf_solution/add-ons/caf_eslz/main.tf | 35 +++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 5 deletions(-)
diff --git a/caf_solution/add-ons/caf_eslz/main.tf b/caf_solution/add-ons/caf_eslz/main.tf
index 1ee5a91e2..0e98fbc20 100644
--- a/caf_solution/add-ons/caf_eslz/main.tf
+++ b/caf_solution/add-ons/caf_eslz/main.tf
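Review bot: the default for `configure_management_resources` carries `email_security_contact = "security_contact@replace_me"`, so a caller who turns on management resources without overriding the whole object ships a non-deliverable Security Center contact, and Defender notifications go nowhere with no plan-time signal. A `validation` block on the variable that rejects the placeholder (or a `null` default that forces the value to be supplied) surfaces this at plan time instead of after deployment. The `subscription_id_management`, `subscription_id_connectivity`, `disable_base_module_tags`, `tags` and `default_tags` variables at the end of the hunk also carry no `description`.
```hcl
variable "configure_management_resources" {
  # … unchanged: type, description and default …
  validation {
    condition     = var.configure_management_resources.settings.security_center.config.email_security_contact != "security_contact@replace_me"
    error_message = "configure_management_resources.settings.security_center.config.email_security_contact must be set to a monitored mailbox."
  }
}
```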
@@ -1,20 +1,45 @@
-
 terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.93.1"
+ version = "~> 2.96.0"
 }
 }
 required_version = ">= 0.14"
 experiments = [module_variable_optional_attrs]
 }
-
+# Core provider block
 provider "azurerm" {
+ # Partner identifier for CAF Terraform landing zones.
 partner_id = "ca4078f8-9bc4-471b-ab5b-3af6b86a42c8"
- # partner identifier for CAF Terraform landing zones.
 features {}
 }
-data "azurerm_client_config" "current" {}
+# Declare an aliased provider block using your preferred configuration.
+# This will be used for the deployment of all "Connectivity resources" to the specified `subscription_id`.
+provider "azurerm" {
+ alias = "connectivity"
+ subscription_id = coalesce(var.subscription_id_connectivity, null)
+ features {}
+}
+
+# Declare a standard provider block using your preferred configuration.
+# This will be used for the deployment of all "Management resources" to the specified `subscription_id`.
+provider "azurerm" {
+ alias = "management"
+ subscription_id = coalesce(var.subscription_id_management, null)
+ features {}
+}
+
+data "azurerm_client_config" "core" {
+ provider = azurerm
+}
+
+data "azurerm_client_config" "management" {
+ provider = azurerm.management
+}
+
+data "azurerm_client_config" "connectivity" {
+ provider = azurerm.connectivity
+}
From 274e9ac1ed0d2981670fe9ee1e90c68deca27698 Mon Sep 17 00:00:00 2001
From: hyperfocus1337
Date: Fri, 25 Mar 2022 15:08:35 +0100
Subject: [PATCH 7/7] Change current to core
---
 caf_solution/add-ons/caf_eslz/enterprise_scale.tf | 2 +-
 caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
index d1828c089..5ea5a74c0 100644
--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
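Review bot: `subscription_id = coalesce(var.subscription_id_connectivity, null)` in the `connectivity` provider block (and the same form in the `management` block) is not a fallback: `coalesce` errors when every argument is null, so a caller who omits the subscription id fails in the provider block, and the `== null` data-source fallbacks patch 4 adds to enterprise_scale.tf for these two variables can never be reached. `subscription_id = var.subscription_id_connectivity` says the same thing without the misleading wrapper, leaving the provider's normal credential-derived subscription as the actual default when the variable is null. Also worth confirming that the module's `providers` map is switched to the new aliases: the context in patch 7 still shows `azurerm.management = azurerm`, which as far as this series shows means the module's management-side resources keep using the core provider rather than the new `azurerm.management` one, so the intended subscription separation would not take effect.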
@@ -12,7 +12,7 @@ module "enterprise_scale" {
 azurerm.management = azurerm
 }
- root_parent_id = data.azurerm_client_config.current.tenant_id
+ root_parent_id = data.azurerm_client_config.core.tenant_id
 default_location = local.global_settings.regions[local.global_settings.default_region]
 #path to the policies definition and assignment repo
diff --git a/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf b/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf
index 2e88cee3d..7fd97b9a5 100644
--- a/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf
+++ b/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf
@@ -29,7 +29,7 @@ locals {
 resource_group_name = try(value.resource_group_name, local.landingzone[try(value.level, "current")].resource_group_name)
 storage_account_name = try(value.storage_account_name, local.landingzone[try(value.level, "current")].storage_account_name)
 subscription_id = try(value.subscription_id, var.tfstate_subscription_id)
- tenant_id = try(value.tenant_id, data.azurerm_client_config.current.tenant_id)
+ tenant_id = try(value.tenant_id, data.azurerm_client_config.core.tenant_id)
 }
 }
 }