Eventhub and Auth Rules

.github/workflows/master-100.yaml

@@ -104,8 +104,10 @@ jobs:
             "cosmos_db/100-simple-cosmos-db-table",
             "databricks/100-simple-databricks",
             "datalake/101-datalake-storage",
-            "eventhub_namespace/100-simple-evh",
-            "eventhub_namespace/101-evh-with-private-endpoint",
+            "eventhub/100-simple-eventhub-namespace",
+            "eventhub/101-evh-namespace-with-private-endpoint",
+            "eventhub/102-namespace-and-evh-with-auth-rules",
+            "eventhub/103-eventhub-consumer-groups",
             "keyvault/102-keyvault-cert-issuer",
             "machine_learning/100-aml",
             "machine_learning/101-aml-vnet",

.github/workflows/master-standalone.yaml

@@ -57,8 +57,10 @@ jobs:
             "cosmos_db/100-simple-cosmos-db-table",
             "databricks/100-simple-databricks",
             "datalake/101-datalake-storage",
-            "eventhub_namespace/100-simple-evh",
-            "eventhub_namespace/101-evh-with-private-endpoint",
+            "eventhub/100-simple-eventhub-namespace",
+            "eventhub/101-evh-namespace-with-private-endpoint",
+            "eventhub/102-namespace-and-evh-with-auth-rules",
+            "eventhub/103-eventhub-consumer-groups",
             "keyvault/101-keyvault-policies",
             "machine_learning/100-aml",
             "mariadb_server/100-simple-mariadb",

container_groups.tf

@@ -2,16 +2,16 @@ module container_groups {
   source   = "./modules/compute/container_group"
   for_each = local.compute.container_groups
 
-  base_tags                    = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].tags : {}
-  client_config                = local.client_config
-  combined_diagnostics         = local.combined_diagnostics
+  base_tags            = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].tags : {}
+  client_config        = local.client_config
+  combined_diagnostics = local.combined_diagnostics
   # combined_managed_identities  = local.combined_objects_managed_identities
   # combined_vnets               = local.combined_objects_networking
-  diagnostic_profiles          = try(each.value.diagnostic_profiles, {})
-  global_settings              = local.global_settings
-  location                     = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
-  resource_group_name          = local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].name
-  settings                     = each.value
+  diagnostic_profiles = try(each.value.diagnostic_profiles, {})
+  global_settings     = local.global_settings
+  location            = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
+  resource_group_name = local.combined_objects_resource_groups[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.resource_group_key].name
+  settings            = each.value
 
   combined_resources = {
     keyvaults          = local.combined_objects_keyvaults

diagnostics.tf

@@ -35,14 +35,15 @@ module diagnostic_storage_accounts {
 }
 
 module "diagnostic_event_hub_namespaces" {
-  source   = "./modules/event_hub_namespaces"
+  source   = "./modules/event_hubs/namespaces"
   for_each = local.diagnostics.diagnostic_event_hub_namespaces
 
-  global_settings = local.global_settings
-  settings        = each.value
-  resource_groups = module.resource_groups
-  client_config   = local.client_config
-  base_tags       = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
+  global_settings     = local.global_settings
+  settings            = each.value
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
+  client_config       = local.client_config
+  base_tags           = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
 }
 
 module diagnostic_event_hub_namespaces_diagnostics {

event_hubs.tf

@@ -0,0 +1,131 @@
+
+module "event_hub_namespaces" {
+  source   = "./modules/event_hubs/namespaces"
+  for_each = var.event_hub_namespaces
+
+  global_settings     = local.global_settings
+  settings            = each.value
+  storage_accounts    = local.combined_objects_storage_accounts
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
+  client_config       = local.client_config
+  base_tags           = try(local.global_settings.inherit_tags, false) ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].tags : {}
+}
+
+module event_hub_namespace_auth_rules {
+  source   = "./modules/event_hubs/namespaces/auth_rules"
+  for_each = try(var.event_hub_namespace_auth_rules, {})
+
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  client_config       = local.client_config
+  global_settings     = local.global_settings
+  settings            = each.value
+  namespace_name      = module.event_hub_namespaces[each.value.event_hub_namespace_key].name
+
+  depends_on = [
+    module.event_hub_namespaces
+  ]
+}
+
+module event_hub_namespaces_diagnostics {
+  source   = "./modules/diagnostics"
+  for_each = var.event_hub_namespaces
+
+  resource_id       = module.event_hub_namespaces[each.key].id
+  resource_location = module.event_hub_namespaces[each.key].location
+  diagnostics       = local.combined_diagnostics
+  profiles          = try(each.value.diagnostic_profiles, {})
+}
+
+#
+# Event_hub_namespace is one of the three diagnostics destination objects and for that reason requires the
+# private endpoint to be done at the root module to prevent circular references
+#
+
+module event_hub_namespaces_private_endpoints {
+  depends_on = [module.event_hub_namespaces]
+  source     = "./modules/networking/private_endpoint"
+  for_each   = local.event_hub_namespaces_private_endpoints
+
+  resource_id         = each.value.id
+  name                = each.value.settings.name
+  location            = each.value.location
+  resource_group_name = each.value.resource_group_name
+  subnet_id           = each.value.subnet_id
+  settings            = each.value.settings
+  global_settings     = local.global_settings
+  base_tags           = each.value.base_tags
+  private_dns         = local.combined_objects_private_dns
+  client_config       = local.client_config
+}
+
+locals {
+  event_hub_namespaces_private_endpoints = {
+    for private_endpoint in
+    flatten(
+      [
+        for eh_ns_key, eh_ns in var.event_hub_namespaces : [
+          for pe_key, pe in try(eh_ns.private_endpoints, {}) : {
+            eh_ns_key           = eh_ns_key
+            pe_key              = pe_key
+            id                  = module.event_hub_namespaces[eh_ns_key].id
+            settings            = pe
+            location            = module.resource_groups[pe.resource_group_key].location
+            resource_group_name = module.resource_groups[pe.resource_group_key].name
+            subnet_id           = try(pe.vnet_key, null) == null ? null : try(local.combined_objects_networking[local.client_config.landingzone_key][pe.vnet_key].subnets[pe.subnet_key].id, local.combined_objects_networking[pe.lz_key][pe.vnet_key].subnets[pe.subnet_key].id)
+            base_tags           = try(local.global_settings.inherit_tags, false) ? module.resource_groups[pe.resource_group_key].tags : {}
+          }
+        ]
+      ]
+    ) : format("%s-%s", private_endpoint.eh_ns_key, private_endpoint.pe_key) => private_endpoint
+  }
+}
+
+
+module event_hubs {
+  source     = "./modules/event_hubs/hubs"
+  depends_on = [module.event_hub_namespaces]
+  for_each   = try(var.event_hubs, {})
+
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  client_config       = local.client_config
+  global_settings     = local.global_settings
+  settings            = each.value
+  namespace_name      = module.event_hub_namespaces[each.value.event_hub_namespace_key].name
+  storage_account_id  = try(module.storage_accounts[each.value.storage_account_key].id, null)
+  base_tags           = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
+}
+
+module event_hub_auth_rules {
+  source   = "./modules/event_hubs/hubs/auth_rules"
+  for_each = try(var.event_hub_auth_rules, {})
+
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  client_config       = local.client_config
+  global_settings     = local.global_settings
+  settings            = each.value
+  namespace_name      = module.event_hub_namespaces[each.value.event_hub_namespace_key].name
+  eventhub_name       = module.event_hubs[each.value.event_hub_name_key].name
+
+  depends_on = [
+    module.event_hub_namespaces,
+    module.event_hubs
+  ]
+}
+
+module event_hub_consumer_groups {
+  source   = "./modules/event_hubs/consumer_groups"
+  for_each = try(var.event_hub_consumer_groups, {})
+
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  client_config       = local.client_config
+  global_settings     = local.global_settings
+  settings            = each.value
+  namespace_name      = module.event_hub_namespaces[each.value.event_hub_namespace_key].name
+  eventhub_name       = module.event_hubs[each.value.event_hub_name_key].name
+
+  depends_on = [
+    module.event_hub_namespaces,
+    module.event_hubs
+  ]
+}

examples/azure_ad/201-groups-and-roles/configuration.tfvars

@@ -34,7 +34,7 @@ azuread_apps = {
     application_name             = "app1"
     app_role_assignment_required = true
     keyvaults = {
-      test_kv= {
+      test_kv = {
         secret_prefix = "app1"
       }
     }

examples/compute/container_groups/101-aci-rover/container_groups.tfvars

@@ -28,10 +28,10 @@ container_groups = {
 
         # for demo purposes
         environment_variables = {
-          URL="https://www.microsoft.com"
+          URL = "https://www.microsoft.com"
         }
         secure_environment_variables = {
-          TOKEN="token from tfvars"
+          TOKEN = "token from tfvars"
         }
         environment_variables_from_resources = {
           AGENT_KEYVAULT_NAME = {
@@ -47,7 +47,7 @@ container_groups = {
         }
       }
 
-    }   //containers
+    } //containers
 
     tags = {
       environment = "testing"
@@ -71,7 +71,7 @@ container_groups = {
     restart_policy     = "Never" // Possible values are 'Always'(default) 'Never' 'OnFailure'
 
     containers = {
-      
+
       # You can also deploy the name container multiple times based on the count number
       httpd = {
         name   = "httpd"
@@ -87,7 +87,7 @@ container_groups = {
         }
       }
 
-    }   //containers
+    } //containers
 
     tags = {
       environment = "testing"

examples/compute/container_groups/101-aci-rover/keyvaults.tfvars

@@ -12,8 +12,8 @@ keyvaults = {
         secret_permissions      = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
       }
       nginx = {
-        managed_identity_key    = "nginx"
-        secret_permissions      = ["Get"]
+        managed_identity_key = "nginx"
+        secret_permissions   = ["Get"]
       }
     }
   }

examples/eventhub_namespace/100-simple-evh/standalone/readme.md → examples/eventhub/100-simple-eventhub-namespace/standalone/readme.md

@@ -1,7 +1,7 @@
 You can test this module outside of a landingzone using
 
 ```bash
-cd /tf/caf/examples/eventhub_namespace/100-simple-evh/standalone
+cd /tf/caf/examples/eventhub/100-simple-eventhub-namespace/standalone
 
 terraform init
 
@@ -17,7 +17,7 @@ To test this deployment in the example landingzone. Make sure the launchpad has
 
 rover \
   -lz /tf/caf/aztfmod/examples \
-  -var-folder  /tf/caf/examples/eventhub_namespace/100-simple-evh/ \
+  -var-folder  /tf/caf/examples/eventhub/100-simple-eventhub-namespace/ \
   -level level1 \
   -a plan