This module creates basic Azure resources that are foundational to environment set up in a specific Azure region. It is the second step in deploying the Coalfire-Azure-RAMPpak FedRAMP Framework.
Learn more at Coalfire OpenSource.
## Dependencies

- This module is dependent on the Coalfire-CF/terraform-azurerm-security-core module being deployed.

## Resource List

- Resource Groups
- Azure Monitor
- Network Watcher
- Azure Image Gallery
- Storage Account Blob and Container for terraform remote state lock
- Storage Account Blobs for
  - backup
  - flowlogs
  - monitor logs
  - installer files
  - CloudShell
  - Terraform remote state
## Code updates

### tstate.tf

Update to the appropriate version and storage accounts, see sample below:

```hcl
terraform {
  required_version = ">= 1.1.7"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.45.0"
    }
  }
  backend "azurerm" {
    resource_group_name  = "prod-mp-core-rg"
    storage_account_name = "prodmpsatfstate"
    container_name       = "tfstatecontainer"
    environment          = "usgovernment"
    key                  = "setup.tfstate"
  }
}
```
### remote-data.tf

Update the remote-data.tf file to add the setup state key. Example remote data block:

```hcl
data "terraform_remote_state" "usgv-region-setup" {
  backend = "azurerm"
  config = {
    resource_group_name  = "prod-mp-core-rg"
    storage_account_name = "prodmpsatfstate"
    container_name       = "tfstatecontainer"
    environment          = "usgovernment"
    key                  = "setup.tfstate"
  }
}
```
## Deployment

This module can be called as outlined below.

- Change directory to the `/coalfire-azure-pak/terraform/prod/us-va/region-setup` folder.
- Run `terraform init` to download modules and create the initial local state file.
- Run `terraform plan` to ensure there are no errors and validate that the plan is deploying the expected resources.
- If everything looks correct in the plan output, run `terraform apply`.
## Usage

Example of how to call the module with generic variables:

```hcl
provider "azurerm" {
  features {}
}

module "setup" {
  source = "github.com/Coalfire-CF/terraform-azurerm-region-setup"

  subscription_id       = var.subscription_id
  location_abbreviation = var.location_abbreviation
  location              = var.location
  resource_prefix       = local.resource_prefix
  app_abbreviation      = var.app_abbreviation
  tenant_id             = var.tenant_id
  regional_tags         = var.regional_tags
  global_tags           = merge(var.global_tags, local.global_local_tags)

  mgmt_rg_name       = "${local.resource_prefix}-management-rg"
  app_rg_name        = "${local.resource_prefix}-application-rg"
  key_vault_rg_name  = "${local.resource_prefix}-keyvault-rg"
  networking_rg_name = "${local.resource_prefix}-networking-rg"

  sas_start_date = "2023-10-06" # Change to today's date
  sas_end_date   = "2023-11-06" # Change to one month from now

  ip_for_remote_access  = var.ip_for_remote_access
  core_kv_id            = data.terraform_remote_state.core.outputs.core_kv_id
  diag_log_analytics_id = data.terraform_remote_state.core.outputs.core_la_id
  admin_principal_ids   = var.admin_principal_ids

  # Uncomment the following line and rerun terraform apply after the mgmt-network is created
  #firewall_vnet_subnet_ids = values(data.terraform_remote_state.usgv_mgmt_vnet.outputs.usgv_mgmt_vnet_subnet_ids)

  additional_resource_groups = [
    "${local.resource_prefix}-identity-rg"
  ]
}
```
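The `ip_for_remote_access` input above must hold bare IP addresses, because the storage account `ip_rules` reject `/32` entries. As an added example, not code from the module or this README, the following derives that list from an assumed `cidrs_for_remote_access` variable (constructed sample values) so the CIDR list and the storage allow-list cannot drift apart:

```hcl
# Added example: derive ip_for_remote_access from a CIDR list.
# "cidrs_for_remote_access" is an assumed variable name; the defaults are
# constructed sample values, not addresses from the project.
variable "cidrs_for_remote_access" {
  description = "CIDRs permitted remote access; /32 entries become bare IPs for storage ip_rules"
  type        = list(string)
  default     = ["203.0.113.10/32", "198.51.100.0/24"] # constructed sample values

  validation {
    # cidrhost() fails on anything that is not valid CIDR notation
    condition     = alltrue([for c in var.cidrs_for_remote_access : can(cidrhost(c, 0))])
    error_message = "Every entry must be valid CIDR notation, e.g. 203.0.113.10/32."
  }
}

locals {
  # trimsuffix() only strips a trailing "/32"; ranges such as /24 pass through
  # unchanged. Azure storage also rejects "/31", which is not handled here.
  ip_for_remote_access = distinct([
    for c in var.cidrs_for_remote_access : trimsuffix(c, "/32")
  ])
}

# Exposed so the derived allow-list can be inspected in `terraform plan`
# before it is passed to the module as ip_for_remote_access.
output "ip_for_remote_access" {
  value = local.ip_for_remote_access
}
```

Pass `local.ip_for_remote_access` as the module's `ip_for_remote_access` argument in place of `var.ip_for_remote_access`.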
## Requirements

No requirements.

## Providers

Name | Version |
---|---|
azurerm | n/a |
## Modules

Name | Source | Version |
---|---|---|
ars_sa | github.com/Coalfire-CF/terraform-azurerm-storage-account | n/a |
diag_cloudshell_sa | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
docs_sa | github.com/Coalfire-CF/terraform-azurerm-storage-account | n/a |
flowlogs_sa | github.com/Coalfire-CF/terraform-azurerm-storage-account | n/a |
installs_sa | github.com/Coalfire-CF/terraform-azurerm-storage-account | n/a |
vm_diag | github.com/Coalfire-CF/terraform-azurerm-storage-account | n/a |
## Resources

Name | Type |
---|---|
azurerm_network_watcher.fr_network_watcher | resource |
azurerm_resource_group.additional_resource_groups | resource |
azurerm_resource_group.application | resource |
azurerm_resource_group.key_vault | resource |
azurerm_resource_group.management | resource |
azurerm_resource_group.network | resource |
azurerm_role_assignment.tstate_kv_crypto_user_cloudshell | resource |
azurerm_shared_image_gallery.marketplaceimages | resource |
azurerm_storage_account.cloudShell | resource |
azurerm_storage_account_customer_managed_key.enable_cloudShell_cmk | resource |
azurerm_storage_account_sas.vm_diag_sas | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_resource_groups | Additional resource groups to create | list(string) | [] | no |
admin_principal_ids | List of principal IDs for all admins | set(string) | n/a | yes |
app_abbreviation | The prefix for the blob storage account names | string | n/a | yes |
app_rg_name | Application plane resource group name | string | "application-rg-1" | no |
core_kv_id | n/a | string | n/a | yes |
diag_log_analytics_id | ID of the Log Analytics Workspace diagnostic logs should be sent to | string | n/a | yes |
firewall_vnet_subnet_ids | Subnet IDs that should be allowed for the firewall | list(string) | [] | no |
fw_virtual_network_subnet_ids | List of subnet IDs for the firewall | list(string) | [] | no |
global_tags | Global level tags | map(string) | n/a | yes |
ip_for_remote_access | This is the same as 'cidrs_for_remote_access' but without the /32 on each of the files. The 'ip_rules' in the storage account will not accept a '/32' address and I gave up trying to strip and convert the values over | list(any) | n/a | yes |
key_vault_rg_name | Key Vault resource group name | string | "keyvault-rg-01" | no |
location | The Azure location/region to create resources in | string | n/a | yes |
location_abbreviation | The Azure location/region as a 4-letter code | string | n/a | yes |
mgmt_rg_name | Management plane resource group name | string | "management-rg-1" | no |
networking_rg_name | Networking resource group name | string | "networking-rg-01" | no |
regional_tags | Regional level tags | map(string) | n/a | yes |
resource_prefix | Name prefix used for resources | string | n/a | yes |
sas_end_date | value | string | n/a | yes |
sas_start_date | value | string | n/a | yes |
subscription_id | The Azure subscription ID where resources are being deployed into | string | n/a | yes |
tenant_id | The Azure tenant ID that owns the deployed resources | string | n/a | yes |
## Outputs

Name | Description |
---|---|
additional_resource_groups | n/a |
application_rg_name | n/a |
installs_container_id | n/a |
installs_container_name | n/a |
key_vault_rg_id | n/a |
key_vault_rg_name | n/a |
management_rg_name | n/a |
network_rg_name | n/a |
network_watcher_name | n/a |
shellscripts_container_id | n/a |
storage_account_ars_id | n/a |
storage_account_ars_name | n/a |
storage_account_docs_id | n/a |
storage_account_docs_name | n/a |
storage_account_flowlogs_id | n/a |
storage_account_flowlogs_name | n/a |
storage_account_install_id | n/a |
storage_account_install_name | n/a |
storage_account_vm_diag_sas | n/a |
storage_account_vmdiag_id | n/a |
storage_account_vmdiag_name | n/a |
vmdiag_endpoint | n/a |
Copyright © 2023 Coalfire Systems Inc.